Linux – DNS query response logging

Tags: bind, dns, linux, logs

I have configured a ccTLD with bind9.
I have also successfully configured query logging.
But I cannot log query responses.

Please have a look at what I have configured for query logging:

logging {
    channel queries_file {
        file "/var/named/chroot/var/log/named/queries.log" versions 10 size 10G;
        severity dynamic;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries { queries_file; };
};

This script logs only queries coming from the outside.

How can I log server responses for those requests?

Best Answer

There are no provisions in BIND to log answers for queries at all with the logging directive.

Furthermore, aside from privacy considerations, it can be more efficient for the DNS service to log them remotely instead of in a file.

Often people run dnscap to capture/sniff DNS queries for security analysis.

dnscap is a network capture utility designed specifically for DNS traffic. It produces binary data in pcap(3) format. This utility is similar to tcpdump(1), but has a number of features tailored to DNS transactions and protocol options.

There is also a capture/logging functionality called dnstap, but it is only present in certain versions of BIND, and appears to be officially always included after the last version of BIND (at this time 9.11), which might not yet be adopted in several distributions and thus involves compiling BIND.

It is more interesting, as it integrates with BIND, and is less taxing on resources than dnscap.

dnstap is a solution which introduces a flexible, binary log-format for DNS servers together with Protocol Buffers, a mechanism for serializing structured data. Robert Edmonds had the idea for dnstap and created the first implementation with two specific use cases in mind:

  • make query-logging faster by eliminating synchronous I/O bottlenecks and message formatting
  • avoid complicated state reconstruction by capturing full messages instead of packets for passive DNS

From DNS query/response logging with dnstap

options {
   dnstap { all; };
   // dnstap { auth; resolver query; resolver response; };

   /* where to capture to: file or unix (socket) */
   // dnstap-output file "/tmp/named.tap";
   dnstap-output unix "/var/run/dnstap.sock";

   dnstap-identity "tiggr";
   dnstap-version "bind-9.11.2";
};
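As an added example (not part of the answer above, and not code from BIND or the dnstap project), a small Python reader for the file that the `dnstap-output file` setting writes: it walks the Frame Streams container, decodes the Dnstap protobuf with a minimal hand-written wire decoder (field numbers assumed from dnstap.proto), and pulls out the message type, the client address and the id, rcode and question name of both the query and the response, which is exactly the response information the `logging` statement cannot give. It assumes no protobuf library is installed and that the first question name is not compressed.

```python
import ipaddress
import struct

MSG_TYPES = {1: "AUTH_QUERY", 2: "AUTH_RESPONSE", 5: "CLIENT_QUERY", 6: "CLIENT_RESPONSE"}  # dnstap.proto Message.Type

def pb_varint(buf, i):                         # protobuf varint at offset i -> (value, next offset)
    val = shift = 0
    while buf[i] & 0x80:
        val |= (buf[i] & 0x7F) << shift
        shift, i = shift + 7, i + 1
    return val | (buf[i] << shift), i + 1

def pb_fields(buf):                            # minimal protobuf wire decoder -> (field, raw value)
    i = 0
    while i < len(buf):
        key, i = pb_varint(buf, i)
        num, wt = key >> 3, key & 7
        if wt == 0:                            # varint: enums, uint32/uint64
            val, i = pb_varint(buf, i)
        elif wt == 2:                          # length-delimited: bytes, nested message
            n, i = pb_varint(buf, i)
            val, i = buf[i:i + n], i + n
        elif wt == 5:                          # fixed32: the *_time_nsec fields
            val, i = struct.unpack_from("<I", buf, i)[0], i + 4
        else:
            raise ValueError("unsupported wire type %d" % wt)
        yield num, val

def fstrm_frames(data):                        # data frames of a Frame Streams file
    i = 0
    while i + 4 <= len(data):
        n = struct.unpack_from(">I", data, i)[0]
        if n == 0:                             # zero length escapes a START/STOP control frame
            n = 4 + struct.unpack_from(">I", data, i + 4)[0]
        else:
            yield data[i + 4:i + 4 + n]
        i += 4 + n

def dns_summary(msg):                          # id, rcode and first question name of a DNS message
    ident, flags = struct.unpack_from(">HH", msg, 0)
    labels, i = [], 12                         # question section starts after the 12-byte header
    while msg[i]:
        labels.append(msg[i + 1:i + 1 + msg[i]].decode("ascii"))
        i += 1 + msg[i]
    return {"id": ident, "rcode": flags & 0xF, "qname": ".".join(labels) + "."}

def summarize(frame):                          # one Dnstap frame -> the fields a log line needs
    f = dict(pb_fields(dict(pb_fields(frame)).get(14, b"")))   # Dnstap.message (field 14)
    return {"type": MSG_TYPES.get(f.get(1), f.get(1)),          # Message.type
            "client": str(ipaddress.ip_address(f[4])) if 4 in f else None,  # query_address
            "query": dns_summary(f[10]) if 10 in f else None,   # query_message
            "response": dns_summary(f[14]) if 14 in f else None}  # response_message
```

Pass the bytes of the file named by `dnstap-output file` to `fstrm_frames` and call `summarize` on each frame; the `unix` socket output uses the bidirectional Frame Streams handshake, which this reader does not implement.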