Introduction

By default, logs from named are sent to /var/log/syslog via syslog.

Goals

Make BIND log more useful information

Notes

Commands preceded with "$" imply that you should execute the command as a general user - not as root.
Commands preceded with "#" imply that you should be working as root.
Commands with more specific command lines (e.g. "rtrX>" or "mysql>") imply that you are executing commands on remote equipment, or within another program.

Create a log directory

On SOA (soa.grpX):

Create the log directory:

$ sudo mkdir -p /etc/bind/log
$ sudo chown bind /etc/bind/log

Edit /etc/bind/named.conf.options

$ sudo editor /etc/bind/named.conf.options

Now move to the bottom (end) of the file, and add the following logging section:


logging {
        channel transfers {
            file "/etc/bind/log/transfers" versions 3 size 10M;
            print-time yes;
            severity info;
        };
        channel notify {
            file "/etc/bind/log/notify" versions 3 size 10M;
            print-time yes;
            severity info;
        };
        channel dnssec {
            file "/etc/bind/log/dnssec" versions 3 size 10M;
            print-time yes;
            severity info;
        };
        channel query {
            file "/etc/bind/log/query" versions 5 size 10M;
            print-time yes;
            severity info;
        };
        channel general {
            file "/etc/bind/log/general" versions 3 size 10M;
        print-time yes;
        severity info;
        };
    channel slog {
        syslog security;
        severity info;
    };
        category xfer-out { transfers; slog; };
        category xfer-in { transfers; slog; };
        category notify { notify; };

        category lame-servers { general; };
        category config { general; };
        category default { general; };
        category security { general; slog; };
        category dnssec { dnssec; };

        // category queries { query; };
};

Save and exit the file, and TEST that it works:

$ sudo named-checkconf /etc/bind/named.conf

Note that the "queries" category is commented out. This is on purpose as this log file on many servers could become very large quickly.

Now reconfig or restart bind:

$ sudo rndc reconfig

Look into /etc/bind/log/, and see if the files get created. (e.g., ls -lt /etc/bind/log/)

If it doesn't work, try:

check permissions for /etc/bind/log
restarting named (service bind9 restart)

Do a zone transfer of your own domain:

$ dig @10.X.1.1 AXFR MYTLD

Verify that the transfer shows up in /etc/bind/log/transfers:

17-Feb-2016 11:18:15.331 client 10.X.1.1#61235: transfer of 'MYTLD/IN': AXFR started
17-Feb-2016 11:18:15.331 client 10.X.1.1#61235: transfer of 'MYTLD/IN': AXFR ended

Try and do an AXFR for a non-existent zone:

$ dig @10.X.1.1 AXFR xyzxyz

... check /etc/bind/log/transfers again - what do you see ?

Update the serial number on your master zone file:

$ sudo editor /etc/bind/zones/mytld/mytld

Increment Serial by 1 then save the zone file.

$ sudo rndc reload MYTLD

Look in the notify log file.

$ tail -100 /etc/bind/log/notify

There should be a line that `ooks something like this:

22-Feb-2016 23:43:48.647 zone MYTLD/IN: sending notifies (serial 2018022306)

Optional - view queries

Remove the `//` from the front of `category queries { query; };`
in `named.conf` and restart the nameserver

$ sudo  service bind9 restart

Then start monitoring the query file

$ sudo tail -F /etc/bind/log/query

While that is running, in another terminal window or on someone else's machine, execute a dig.

# dig @10.X.1.1 www.MYTLD.

You should see the query in the logfile.

Your should re-enable the // in front of "category queries { query; };" and restart bind to keep the logs from filling up.

Enabling logging in BIND