BIND server: how to log queries only for specific DNS record?
Situation: decommissioning old DNS records.
There are several DNS records that resolve to the same IP.
Is it possible to log queries only for a specific DNS record?
Responses
Hello,
I think BIND does not have such filtering available (see below).
logging {
    [ channel channel_name {
        ( file path name
            [ versions ( number | unlimited ) ]
            [ size size_spec ]
        | syslog syslog_facility
        | stderr
        | null );
        [ severity (critical | error | warning | notice |
                    info | debug [ level ] | dynamic ); ]
        [ print-category yes | no; ]
        [ print-severity yes | no; ]
        [ print-time yes | no; ]
    }; ]
    [ category category_name {
        channel_name ; [ channel_name ; ... ]
    }; ]
    ...
};
However, you can achieve this as follows.
1. You can redirect DNS logs to syslog, and on syslog you can apply such filtering to log only A records.
2. You can run tcpdump continuously to print only A records and redirect the output to a file (this is good if you are running it for a short time).
Thanks,
Rupesh Patel
You can filter for individual queries, but: a) it's not a built-in functionality of BIND (this is a BIND issue, better to look at ISC's support pages than Red Hat's), which means you've gotta kludge your way to the functionality; and b) most of the kludges to achieving this functionality can lead you to filling up your logging partitions VERY quickly (basically, you up the verbosity on BIND's logging and set up a log processor to find the desired info).
If this is absolutely a "must have", make sure that you put your BIND logs onto a dedicated logging device so that when it (inevitably) fills up, you don't drop your system (e.g., if you have crash-on-full turned on in the audit service configs) and you don't make BIND or other applications choke when their partition fills up.
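Both answers above come down to the same approach: turn on BIND's query logging (the `queries` category) and filter the resulting log outside of BIND. The following is an added example of such a log processor, not code from either poster or from ISC. It assumes BIND's default query-log line format (`client [@0x...] <ip>#<port> (<qname>): query: <name> <class> <type> <flags> [(<server-ip>)]`; the `@0x...` token and trailing server address are absent on older releases) and runs over a handful of constructed sample lines. It matches the owner name exactly rather than by substring, so a record like `very-old.example.com` is not mistaken for `old.example.com`, and it is case- and trailing-dot-insensitive, as DNS names are.

```python
"""Filter BIND query-log lines for one decommissioned record name.

Added example for this thread; not code from the original posters or from ISC.
Assumed input format is BIND's default query log line, e.g.:

  client @0x7f3c2c0a1b40 192.0.2.10#54321 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.1)

Older BIND versions omit the "@0x..." token and the trailing "(server-ip)".
"""
import re
from collections import Counter

# Captures the fields we need; tolerant of the optional "@0x..." and trailing "(ip)".
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+) "
    r"(?P<flags>\S+)"
)


def normalize(name):
    """DNS names are case-insensitive and may or may not carry a trailing dot."""
    return name.rstrip(".").lower()


def parse_query(line):
    """Return a dict of fields for a BIND query-log line, or None if it is not one."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["name"] = normalize(fields["name"])
    fields["port"] = int(fields["port"])
    return fields


def queries_for(lines, record, rtypes=None):
    """Yield parsed queries whose owner name equals `record` exactly.

    `rtypes` optionally restricts to a set of record types, e.g. {"A"}.
    Exact comparison avoids the substring trap that a plain grep falls into.
    """
    want = normalize(record)
    for line in lines:
        q = parse_query(line)
        if q is None or q["name"] != want:
            continue
        if rtypes and q["type"] not in rtypes:
            continue
        yield q


def summarize(lines, record, rtypes=None):
    """Count matching queries per client IP.

    An empty Counter over a long enough window is the evidence you want
    before removing the record; a non-empty one tells you who still asks.
    """
    return Counter(q["ip"] for q in queries_for(lines, record, rtypes))


# Constructed sample log lines (not real traffic). Line 3 is the substring trap:
# "very-old.example.com" must NOT count as a hit for "old.example.com".
SAMPLE_LOG = """\
client @0x7f3c2c0a1b40 192.0.2.10#54321 (old.example.com): query: old.example.com IN A +E(0)K (192.0.2.1)
client @0x7f3c2c0a1b40 192.0.2.11#40001 (OLD.example.com.): query: OLD.example.com. IN AAAA + (192.0.2.1)
client @0x7f3c2c0a1b40 192.0.2.12#40002 (very-old.example.com): query: very-old.example.com IN A + (192.0.2.1)
client 192.0.2.10#40003 (new.example.com): query: new.example.com IN A +
client @0x7f3c2c0a1b40 192.0.2.13#40004 (old.example.com): query: old.example.com IN A + (192.0.2.1)
12-Jan-2024 10:00:00.000 general: info: zone example.com/IN: loaded serial 2024011201
""".splitlines()

if __name__ == "__main__":
    # Usage: feed it the real file instead, e.g. open("/var/log/named/queries.log")
    for ip, count in sorted(summarize(SAMPLE_LOG, "old.example.com").items()):
        print(f"{ip} {count}")
```

In practice you would point this at the file (or syslog destination) that the `queries` category channel writes to, which is the verbose log both answers warn about; keeping the processor outside BIND means BIND itself never has to do the per-name filtering it does not support.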
