Introduction

By default, logs from named are sent to /var/log/syslog via syslog.

Goals

Notes

Create a log directory

On SOA (soa.grpX):

  1. Create the log directory and make it writable by the bind user:

     $ sudo mkdir -p /var/log/bind
     $ sudo chown bind /var/log/bind

Edit /etc/bind/named.conf.options

$ sudo editor /etc/bind/named.conf.options

Now move to the bottom (end) of the file, and add the following logging section:


logging {
    channel transfers {
        file "/var/log/bind/transfers" versions 3 size 10M;
        print-time yes;
        severity info;
    };
    channel notify {
        file "/var/log/bind/notify" versions 3 size 10M;
        print-time yes;
        severity info;
    };
    channel dnssec {
        file "/var/log/bind/dnssec" versions 3 size 10M;
        print-time yes;
        severity info;
    };
    channel query {
        file "/var/log/bind/query" versions 5 size 10M;
        print-time yes;
        severity info;
    };
    channel general {
        file "/var/log/bind/general" versions 3 size 10M;
        print-time yes;
        severity info;
    };
    channel slog {
        syslog security;
        severity info;
    };

    category xfer-out { transfers; slog; };
    category xfer-in { transfers; slog; };
    category notify { notify; };

    category lame-servers { general; };
    category config { general; };
    category default { general; };
    category security { general; slog; };
    category dnssec { dnssec; };

    // category queries { query; };
};

Save and exit the file, and TEST that it works:

$ sudo named-checkconf /etc/bind/named.conf

Note that the "queries" category is commented out. This is deliberate: on a busy server the query log can grow very large very quickly.

Update AppArmor rules (skip this step if AppArmor isn't installed on your system)

By default, the AppArmor profile for named does not allow it to write files under /var/log/bind. To allow this, we'll update the Ubuntu AppArmor profile for named (bind9):

$ sudo editor /etc/apparmor.d/usr.sbin.named

Find this section:

  # /etc/bind should be read-only for bind
  # /var/lib/bind is for dynamically updated zone (and journal) files.
  # /var/cache/bind is for slave/stub data, since we're not the origin of it.
  # See /usr/share/doc/bind9/README.Debian.gz
  /etc/bind/** r,
  /var/lib/bind/** rw,
  /var/lib/bind/ rw,
  /var/cache/bind/** lrw,
  /var/cache/bind/ rw,

And, immediately after the last line in that block (/var/cache/bind/ rw,), add:

  /var/log/bind/** rw,
  /var/log/bind/ rw,

Save the file and exit, then reload AppArmor:

$ sudo systemctl restart apparmor

Now reconfig or restart bind:

$ sudo rndc reconfig

If it doesn't work, try:

Do a zone transfer of your own domain:

$ dig @10.X.1.1 AXFR MYTLD

Then check /var/log/bind/transfers; you should see lines like these:

17-Feb-2016 11:18:15.331 client 10.X.1.1#61235: transfer of 'MYTLD/IN': AXFR started
17-Feb-2016 11:18:15.331 client 10.X.1.1#61235: transfer of 'MYTLD/IN': AXFR ended

Try and do an AXFR for a non-existent zone:

$ dig @10.X.1.1 AXFR xyzxyz

... then check /var/log/bind/transfers again. What do you see?
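The transfer log above is exactly the kind of evidence a defender wants to review: every completed AXFR names the client that pulled the zone. The following is an added example (not part of this lab) that parses lines in the format the "transfers" channel writes with print-time enabled and flags zone transfers to clients that are not in a hypothetical allow-list of known secondaries; the sample log lines and addresses are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the format of /var/log/bind/transfers
# (print-time yes): timestamp, client address#port, zone, AXFR started/ended.
# 10.0.1.1 stands in for the lab's secondary; 192.0.2.77 is an unexpected client.
SAMPLE_TRANSFER_LOG = """\
17-Feb-2016 11:18:15.331 client 10.0.1.1#61235: transfer of 'MYTLD/IN': AXFR started
17-Feb-2016 11:18:15.331 client 10.0.1.1#61235: transfer of 'MYTLD/IN': AXFR ended
17-Feb-2016 11:20:02.104 client 192.0.2.77#53001: transfer of 'MYTLD/IN': AXFR started
17-Feb-2016 11:20:02.110 client 192.0.2.77#53001: transfer of 'MYTLD/IN': AXFR ended
17-Feb-2016 11:20:03.000 client 192.0.2.77#53002: transfer of 'MYTLD/IN': AXFR started
17-Feb-2016 11:20:03.005 client 192.0.2.77#53002: transfer of 'MYTLD/IN': AXFR ended
"""

# One regex for the "transfer of 'ZONE/IN': AXFR started|ended" message.
TRANSFER_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"transfer of '(?P<zone>[^/]+)/IN': AXFR (?P<state>started|ended)$"
)


def parse_transfers(text):
    """Return a list of dicts (ts, ip, port, zone, state); other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = TRANSFER_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%d-%b-%Y %H:%M:%S.%f")
            events.append(event)
    return events


def audit_axfr(text, allowed_secondaries):
    """Count completed AXFRs per (client, zone); report clients outside the allow-list."""
    completed = Counter()
    for e in parse_transfers(text):
        if e["state"] == "ended":  # only count transfers that actually finished
            completed[(e["ip"], e["zone"])] += 1
    unexpected = {k: n for k, n in completed.items() if k[0] not in allowed_secondaries}
    return completed, unexpected


if __name__ == "__main__":
    done, bad = audit_axfr(SAMPLE_TRANSFER_LOG, allowed_secondaries={"10.0.1.1"})
    for (ip, zone), n in bad.items():
        print(f"ALERT: {n} AXFR(s) of {zone} to non-secondary {ip}")
```

On a real server, replace the constructed sample with the contents of /var/log/bind/transfers and the allow-list with the addresses in your allow-transfer ACL.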

Update the serial number on your master zone file:

$ sudo editor /etc/bind/zones/mytld/mytld

Increment Serial by 1 then save the zone file.

$ sudo rndc reload MYTLD

Look in the notify log file.

$ tail -100 /var/log/bind/notify

There should be a line that looks something like this:

22-Feb-2016 23:43:48.647 zone MYTLD/IN: sending notifies (serial 2018022306)

Optional - view queries

Remove the `//` from the front of `category queries { query; };`
in the logging section you added to `named.conf.options`, then restart the nameserver:

$ sudo service bind9 restart

Then start monitoring the query file

$ sudo tail -F /var/log/bind/query

While that is running, in another terminal window or on someone else's machine, execute a dig.

# dig @10.X.1.1 www.MYTLD.

You should see the query in the logfile.

You should put the `//` back in front of `category queries { query; };` and restart bind to keep the logs from filling up.