In BIND 8.2 running on Solaris 8, how to start logging
Hi All,

I have two Solaris 8 servers running BIND 8.2. I'd like to retire them both and transfer everything to a couple of RHEL 7 boxes. The City (I work for a mid-size California city) has outsourced different aspects of our DNS that I even lost track and have no idea what these two DNS servers serve. I'd like to start logging all queries on these two boxes to know who queries them. How do I start a comprehensive logging to capture all transactions going through these two servers?

Please advise; please be thorough and don't assume anything.

Many thanks in advance.

Regards,
Samad

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: In BIND 8.2 running on Solaris 8, how to start logging
-Original Message-
From: Samad Agha samad.agha2...@gmail.com
Date: Friday, June 27, 2014 at 1:07 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org, DNS BIND bind-us...@isc.org
Subject: In BIND 8.2 running on Solaris 8, how to start logging

> Hi All,
>
> I have two Solaris 8 servers running BIND 8.2. I'd like to retire them both and transfer everything to a couple of RHEL 7 boxes. The City (I work for a mid-size California city) has outsourced different aspects of our DNS that I even lost track and have no idea what these two DNS servers serve. I'd like to start logging all queries on these two boxes to know who queries them. How do I start a comprehensive logging to capture all transactions going through these two servers?
>
> Please advise; please be thorough and don't assume anything.
>
> Many thanks in advance.

I see two options:

Enable query logging. In your named.conf, do something like:

    logging {
        channel my_querylog {
            // keep 5 rotated copies, each capped at 10 MB
            file "/var/adm/query.log" versions 5 size 10m;
            // prefix every entry with a timestamp
            print-time yes;
        };
        // send the queries category to the channel above
        category queries { my_querylog; };
    };

Adjust paths, number of copies (versions) to keep, etc. Note that this can fill quickly on busy servers.

Alternatively, use tcpdump to write a pcap of anything to 53/udp or 53/tcp and analyze it after 1, 7, 30 or whatever days. Again, if the server is busy you will get a very large file. You can limit the amount of time you capture traffic, or rotate capture files with -C size, e.g.

    tcpdump -i eth0 -s0 -C 100 -w dnscap filter

(you'll end up with dnscap1, dnscap2, etc., each 100MB in size).

Good luck, BIND 8.2 is ancient now so good to hear you are working to get it updated.

Re: In BIND 8.2 running on Solaris 8, how to start logging
On 6/27/2014, Samad Agha samad.agha2...@gmail.com wrote:

> Hi All,
>
> I have two Solaris 8 servers running BIND 8.2. I'd like to retire them both and transfer everything to a couple of RHEL 7 boxes. The City (I work for a mid-size California city) has outsourced different aspects of our DNS that I even lost track and have no idea what these two DNS servers serve. I'd like to start logging all queries on these two boxes to know who queries them. How do I start a comprehensive logging to capture all transactions going through these two servers?
>
> Please advise; please be thorough and don't assume anything.
>
> Many thanks in advance.
>
> Regards,
> Samad

I may be missing something here. The servers are running BIND. What zones do the servers serve? They serve the zones listed in the BIND configuration file(s), and they may be recursive servers for your clients. Look at the config files to see what zones are mastered or slaved on the servers.

--Barry Finkel

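Added example, not part of the original thread or of BIND: a Python summary of the query log enabled in the first reply, split by the zones found in named.conf as the reply above suggests, so that clients asking for names outside those zones (likely recursive use) stand out. The line layout `XX+/<client>/<qname>/<qtype>/<qclass>` is an assumption to check against your own query.log; `parse_line`, `summarize`, the zone `city.example` and the sample lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# ASSUMED line layout (check a few lines of your own query.log first):
#   <date> <time> XX+/<client-ip>/<qname>/<qtype>/<qclass>
LINE_RE = re.compile(
    r"XX(?P<rd>\+?)\s*/(?P<client>[0-9A-Fa-f.:]+)/(?P<qname>[^/\s]+)/(?P<qtype>\w+)"
)

# Constructed sample input, not real traffic.
SAMPLE_LOG = [
    "27-Jun-2014 13:07:42.101 XX+/192.0.2.10/www.city.example/A/IN",
    "27-Jun-2014 13:07:43.007 XX /198.51.100.7/city.example/MX/IN",
    "27-Jun-2014 13:07:44.512 XX+/192.0.2.10/www.isc.org/A/IN",
    "27-Jun-2014 13:07:45.000 reloading nameserver",
]

def parse_line(line):
    """Return (client, qname, qtype, recursion_desired), or None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    qname = m.group("qname").rstrip(".").lower() or "."
    return m.group("client"), qname, m.group("qtype").upper(), m.group("rd") == "+"

def summarize(lines, hosted_zones):
    """Count queries per client and per hosted zone; collect names outside them."""
    zones = sorted((z.rstrip(".").lower() for z in hosted_zones), key=len, reverse=True)
    per_client, per_zone = Counter(), Counter()
    outside = defaultdict(set)  # client -> names not under any hosted zone
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1  # not a query line (or the layout assumption is wrong)
            continue
        client, qname, _qtype, _rd = rec
        per_client[client] += 1
        zone = next((z for z in zones if qname == z or qname.endswith("." + z)), None)
        if zone:
            per_zone[zone] += 1
        else:
            outside[client].add(qname)  # likely recursive use of this server
    return per_client, per_zone, dict(outside), skipped

if __name__ == "__main__":
    clients, zones, outside, skipped = summarize(SAMPLE_LOG, ["city.example"])
    print(clients.most_common(), dict(zones), outside, skipped)
```

A high `skipped` count on a real log means the assumed layout does not match what the server writes and the regular expression needs adjusting.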
RE: In BIND 8.2 running on Solaris 8, how to start logging
Enable query logging or run tcpdump on port 53. A quick Google search should explain exactly how to do either of these very easily.

Josh

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry S. Finkel
Sent: Friday, June 27, 2014 5:02 PM
To: bind-users@lists.isc.org
Subject: Re: In BIND 8.2 running on Solaris 8, how to start logging

> On 6/27/2014, Samad Agha samad.agha2...@gmail.com wrote:
>
> > Hi All,
> >
> > I have two Solaris 8 servers running BIND 8.2. I'd like to retire them both and transfer everything to a couple of RHEL 7 boxes. The City (I work for a mid-size California city) has outsourced different aspects of our DNS that I even lost track and have no idea what these two DNS servers serve. I'd like to start logging all queries on these two boxes to know who queries them. How do I start a comprehensive logging to capture all transactions going through these two servers?
> >
> > Please advise; please be thorough and don't assume anything.
> >
> > Many thanks in advance.
> >
> > Regards,
> > Samad
>
> I may be missing something here. The servers are running BIND. What zones do the servers serve? They serve the zones listed in the BIND configuration file(s), and they may be recursive servers for your clients. Look at the config files to see what zones are mastered or slaved on the servers.
>
> --Barry Finkel

Re: In BIND 8.2 running on Solaris 8, how to start logging
Mike, Barry, Baird,

Thank you so much for your quick replies. I'll try your recommendations first thing Monday morning and see what happens. Again, thank you and have a nice weekend.

Regards,
Samad

On Fri, Jun 27, 2014 at 2:12 PM, Baird, Josh jba...@follett.com wrote:

> Enable query logging or run tcpdump on port 53. A quick Google search should explain exactly how to do either of these very easily.
>
> Josh
>
> -Original Message-
> From: bind-users-boun...@lists.isc.org [mailto: bind-users-boun...@lists.isc.org] On Behalf Of Barry S. Finkel
> Sent: Friday, June 27, 2014 5:02 PM
> To: bind-users@lists.isc.org
> Subject: Re: In BIND 8.2 running on Solaris 8, how to start logging
>
> > On 6/27/2014, Samad Agha samad.agha2...@gmail.com wrote:
> >
> > > Hi All,
> > >
> > > I have two Solaris 8 servers running BIND 8.2. I'd like to retire them both and transfer everything to a couple of RHEL 7 boxes. The City (I work for a mid-size California city) has outsourced different aspects of our DNS that I even lost track and have no idea what these two DNS servers serve. I'd like to start logging all queries on these two boxes to know who queries them. How do I start a comprehensive logging to capture all transactions going through these two servers?
> > >
> > > Please advise; please be thorough and don't assume anything.
> > >
> > > Many thanks in advance.
> > >
> > > Regards,
> > > Samad
> >
> > I may be missing something here. The servers are running BIND. What zones do the servers serve? They serve the zones listed in the BIND configuration file(s), and they may be recursive servers for your clients. Look at the config files to see what zones are mastered or slaved on the servers.
> >
> > --Barry Finkel