-----Original Message-----
From: Samad Agha <samad.agha2...@gmail.com>
Date: Friday, June 27, 2014 at 1:07 PM
To: "bind-users@lists.isc.org" <bind-users@lists.isc.org>, DNS BIND <bind-us...@isc.org>
Subject: In BIND 8.2 running on Solaris 8, how to start logging

>Hi All,
>I have two Solaris 8 servers running BIND 8.2. I'd like to retire them
>both and transfer everything to a couple of RHEL 7 boxes. The City (I
>work for a mid-size California city) has outsourced different aspects of
>our DNS that I've even lost track and have no idea what these two DNS
>servers serve. I'd like to start logging all queries on these two boxes
>to know who queries them. How do I start comprehensive logging to capture
>all transactions going through these two servers?
>
>Please advise; please be thorough and don't assume anything. Many thanks
>in advance.

I see two options:

Enable query logging. In your named.conf, do something like:

    logging {
        channel my_querylog {
            file "/var/adm/query.log" versions 5 size 10m;
            print-time yes;
        };
        category queries { my_querylog; };
    };

Adjust paths, number of copies (versions) to keep, etc. Note that this can
fill quickly on busy servers.

Alternatively, use tcpdump to write a pcap of anything to 53/udp or 53/tcp
and analyze it after 1, 7, 30 or whatever days. Again, if the server is busy
you will get a very large file. You can limit the amount of time you capture
traffic, or rotate capture files with -C <size>, e.g.

    tcpdump -i eth0 -s0 -C 100 -w dnscap <filter>

(you'll end up with dnscap1, dnscap2, etc., each 100MB in size).

Good luck, BIND 8.2 is ancient now so good to hear you are working to get it
updated.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
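Once query logging is on, the question the original poster actually wants answered is "who queries these servers, and for what", which means reducing the log to per-client and per-name counts before the boxes are retired. The script below is an added example, not code from the thread or from ISC; it assumes two log-line layouts (the BIND 8 style `XX[+] /client/name/class/type` record and the BIND 9 style `client ip#port: query: name class type [+|-]` record, so the same summary works on the old and the replacement servers), and the log lines it parses are constructed sample data. The `+` / recursion-desired flag is reported separately because clients that expect recursion from an authoritative box are the ones most likely to break when the server goes away.

```python
import re
from collections import Counter

# Constructed sample lines (not from the original thread). The first three use the
# assumed BIND 8 query-log layout ("XX" plus an optional "+" when recursion was
# requested, then /client/name/class/type); the last two use the assumed BIND 9
# layout, which the same logging stanza produces on newer servers.
SAMPLE_LOG = """\
27-Jun-2014 13:07:01.123 XX+ /10.1.2.3/www.example.com/IN/A
27-Jun-2014 13:07:02.456 XX /10.1.2.3/example.com/IN/MX
27-Jun-2014 13:07:03.789 XX+ /192.0.2.10/mail.example.com/IN/A
27-Jun-2014 13:07:04.000 client 192.0.2.10#53235: query: example.com IN AAAA +
27-Jun-2014 13:07:05.000 client 198.51.100.7#1024: query: example.com IN A -
"""

# BIND 8 style record: "XX+ /10.1.2.3/www.example.com/IN/A"
BIND8_RE = re.compile(
    r'\bXX(?P<rd>\+?)\s+/(?P<client>[^/]+)/(?P<name>[^/]+)/(?P<cls>[^/]+)/(?P<qtype>\S+)'
)
# BIND 9 style record: "client 192.0.2.10#53235: query: example.com IN AAAA +"
BIND9_RE = re.compile(
    r'client (?P<client>[^#\s]+)#\d+: query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)'
    r'(?: (?P<rd>[+-]))?'
)


def parse_line(line):
    """Return (client, name, class, qtype, recursion_desired), or None for non-query lines."""
    m = BIND8_RE.search(line) or BIND9_RE.search(line)
    if not m:
        return None
    # Normalise names so "Example.COM." and "example.com" count as the same owner.
    name = m['name'].rstrip('.').lower()
    return (m['client'], name, m['cls'], m['qtype'], m['rd'] == '+')


def summarize(text):
    """Aggregate a query log into the counts an operator needs before retiring a server."""
    clients, names, qtypes = Counter(), Counter(), Counter()
    recursive_clients = set()
    parsed = skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # startup messages, zone-load notices, etc.
            continue
        client, name, _cls, qtype, rd = rec
        parsed += 1
        clients[client] += 1
        names[name] += 1
        qtypes[qtype] += 1
        if rd:
            recursive_clients.add(client)
    return {
        'parsed': parsed,
        'skipped': skipped,
        'clients': clients,
        'names': names,
        'qtypes': qtypes,
        'recursive_clients': recursive_clients,
    }


def report(summary, top=10):
    """Render the summary as plain text suitable for a ticket or migration note."""
    lines = [f"queries parsed: {summary['parsed']} (skipped {summary['skipped']} non-query lines)"]
    lines.append("top clients:")
    lines += [f"  {ip:<16} {n}" for ip, n in summary['clients'].most_common(top)]
    lines.append("top names:")
    lines += [f"  {name:<30} {n}" for name, n in summary['names'].most_common(top)]
    lines.append("query types: " + ", ".join(f"{t}={n}" for t, n in summary['qtypes'].most_common()))
    lines.append("clients asking for recursion: " + ", ".join(sorted(summary['recursive_clients'])))
    return "\n".join(lines)


if __name__ == '__main__':
    # Replace SAMPLE_LOG with open('/var/adm/query.log').read() on a real server.
    print(report(summarize(SAMPLE_LOG)))
```

Run it against the rotated files as well (`query.log.0`, `query.log.1`, ... with the `versions` setting above) so the picture covers more than the newest file; a client that only appears in the older copies, for example a monthly batch job, is exactly the one that is easy to miss when deciding what the new RHEL boxes have to serve.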