Logging Bind DNS Queries

By | March 24, 2015

Option 1 – Quick and Dirty

You can quickly turn on query logging by running the following in the server shell:

[code]rndc querylog[/code]

Then you can follow the information in the standard syslog.

[code]tail -f /var/log/syslog[/code]

You should see output like the following letting you know that queries are now logged:

[code]Sep 14 22:23:20 ns01.companya.local named[7896]: query logging is now on[/code]

Option 2 – Full and Stored Logs

If you want to store full logs that you can go back to at a later date you’ll need to make some changes to the BIND configuration.

Log on to your shell as usual, and type the following:
[code]nano /etc/bind/named.conf[/code]

Put in the following code at the bottom:

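[code]logging {
    // Channel that writes query messages to a dedicated file
    channel query.log {
        file "/var/log/query.log";
        severity debug 3;
    };
    // Route the "queries" category to that channel
    category queries { query.log; };
};[/code]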

Now we need to create the log:

[code]touch /var/log/query.log[/code]

Make it writable by the BIND process, which runs as the bind user on Debian and Ubuntu (named on Red Hat-style systems):

[code]chown bind:bind /var/log/query.log[/code]

Restart BIND:

[code]service bind9 restart[/code]

You should now be able to follow the queries like any other log:

[code]tail -f /var/log/query.log[/code]
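
Once queries are landing in the file, a short script can turn them into something reviewable. The Python below is an added example, not part of the original post: it parses query lines, counts queries per client and lists unusually long query names. The sample lines are constructed, and the line layouts it accepts and the LONG_QNAME threshold are assumptions to adjust for your BIND version.

```python
import re
from collections import Counter

# Core of a BIND query-log line. The timestamp prefix, "@0x..." pointer,
# "(name)" echo and "view X:" tag depend on BIND version and channel
# options, so each of them is treated as optional.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[^#\s]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: (?:view \S+: )?query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)
LONG_QNAME = 100  # assumed review threshold, tune for your environment

def parse_line(line):
    """Return client/qname/qtype for a query line, or None for other lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {"client": m["ip"], "qname": m["qname"].lower(), "qtype": m["qtype"]}

def summarize(lines):
    """Count queries per client and collect unusually long query names."""
    per_client, long_names = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # status messages such as "query logging is now on"
        per_client[rec["client"]] += 1
        if len(rec["qname"]) > LONG_QNAME:
            long_names.append((rec["client"], rec["qname"]))
    return per_client, long_names

# Constructed sample lines (documentation addresses, not real traffic).
LONG = "a" * 60 + "." + "b" * 60 + ".example.net"
SAMPLE = [
    "client 192.0.2.10#53211: query: www.example.com IN A +",
    "client 192.0.2.10#40112 (mail.example.com): query: mail.example.com IN MX +E (192.0.2.1)",
    "14-Sep-2015 22:23:21.004 client @0x7f3c2c0a1b20 192.0.2.44#6001 (example.org): query: example.org IN AAAA +E(0)K (192.0.2.1)",
    f"client 192.0.2.44#6002 ({LONG}): view internal: query: {LONG} IN TXT + (192.0.2.1)",
    "query logging is now on",
]

if __name__ == "__main__":
    clients, flagged = summarize(SAMPLE)
    print(clients.most_common())
    print([(ip, len(name)) for ip, name in flagged])
```

To run it against the real log, pass `open("/var/log/query.log")` to `summarize()` instead of `SAMPLE`.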
