UNIX Consulting and Expertise
Golden Apple Enterprises Ltd. » Page 'Rough guide to BIND logging – keeping an eye on DNS'

Rough guide to BIND logging – keeping an eye on DNS

At lots of sites I see people configuring BIND, setting up their zones, but then missing out a critical part of the configuration – logging. BIND logging is easy enough to configure, and it gives you a useful insight into potential issues with your DNS and zone files.

BIND logging is managed in /etc/named.conf and is split into two parts.

First of all, configure BIND to store PIDs, statistics files etc. in a dedicated directory. In this case, I’m using /var/named/log:

options {
        directory "/var/named/log";
        pid-file "/var/named/log/named.pid";
        dump-file "/var/named/log/named_dump.db";
        memstatistics-file "/var/named/log/named.memstats";
        statistics-file "/var/named/log/named.stats";
};

That’s all pretty straightforward. Armed with this, we can write some scripts to plug BIND statistics into RRDTool or similar, and get some nice graphs of performance.

Next, we can use the logging directive to configure log files and the streams of events we want to log:

logging {
        // General-purpose log: INFO and above, rotated at 10 MB, 3 old copies kept
        channel default_log {
                file "/var/named/log/named.log" versions 3 size 10m;
                print-time yes;
                print-category yes;
                severity info;
        };
        // Security events (approval and denial of requests): NOTICE and above
        channel security_log {
                file "/var/named/log/named.security.log" versions 3 size 5m;
                print-time yes;
                print-category yes;
                severity notice;
        };
        category default { default_log; };
        category security { security_log; };
        // Lame-server noise is discarded rather than filling the default log
        category lame-servers { null; };
};

You can see I’ve configured a default log of INFO events and above, which will be cycled when it reaches 10 MB, with 3 copies being kept. I’m also logging security events with a priority of NOTICE and higher – 3 versions of this are kept, and the security log gets cycled when it reaches 5 MB. Lame-server events go to the null channel, so they are discarded rather than cluttering the default log.

For all the log events I want to print the time stamp and the category – without these it can be difficult to work out what happened and when, which makes the logs pretty much worthless.

The syntax to configure logging in BIND is pretty straightforward and is very similar to how you’d configure your zones in named.conf.

If you want to be slack you can just cut and paste this into /etc/named.conf and restart BIND – instant logging. I run BIND under a non-root user, and the BIND logging directory is owned by that user and group and locked down – I’d suggest doing the same at a minimum.
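As an added example, not part of the original post, here is a small Python parser for the lines the security channel above writes (timestamp and category printed, no severity field), counting denied requests per client address. The sample log lines, addresses, zones and the threshold are constructed; the message wording follows BIND's denial messages but varies between versions.

```python
import re
from collections import Counter

# Line shape produced by the channels above: timestamp (print-time yes),
# category name (print-category yes), then the message; no severity field
# because print-severity was not enabled.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[\w-]+): (?P<msg>.*)$"
)
# Client source address; newer BIND versions also print an "@0x..." handle
# before the address, which is skipped if present.
CLIENT_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+")

# Constructed sample lines in the format the channels above write (addresses
# and zones are made up; message wording is modelled on BIND's own messages).
SAMPLE_LOG = """\
01-Mar-2011 09:15:02.117 security: client 192.0.2.10#41234: zone transfer 'example.com/IN' denied
01-Mar-2011 09:15:02.880 security: client 192.0.2.10#41235: zone transfer 'example.com/IN' denied
01-Mar-2011 09:16:40.003 security: client 198.51.100.7#5353: query (cache) 'example.org/A/IN' denied
01-Mar-2011 09:17:11.512 security: client 203.0.113.9#2049: update 'example.com/IN' denied
01-Mar-2011 09:18:00.000 general: zone example.com/IN: loaded serial 2011030101
a truncated or foreign line that does not match the format
"""

def parse_line(line):
    """Split one line into timestamp, category, message and client address;
    returns None for lines that do not follow the configured format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    c = CLIENT_RE.search(rec["msg"])
    rec["client"] = c.group("ip") if c else None
    return rec

def denied_by_client(lines):
    """Count security-category events containing 'denied' per source address."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["category"] == "security" and "denied" in rec["msg"]:
            counts[rec["client"]] += 1
    return counts

def noisy_clients(lines, threshold=10):
    """Addresses at or above the threshold: the ones worth a closer look."""
    counts = denied_by_client(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Run it over /var/named/log/named.security.log from cron and a sudden jump in denied transfers or updates from one address stands out long before anyone reads the raw log.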
