How to log recursive queries?
David Botham
DBotham at OptimusSolutions.com
Wed May 4 16:20:39 UTC 2005
bind-users-bounce at isc.org wrote on 05/04/2005 06:56:06 AM:
> Hello,
> Before I disable recursive queries on my name server, I'd like to find
> out who is using it for that.
>
> I've seen the "queries" logging category, but can't see how to restrict
> it to just recursive queries. Is it possible?
I think the answer to your question is no. However, you should be able to
write a perl script that could determine if someone is making a query in a
zone that your name servers do not host. I would approach it like
this:
1. Set up a logging statement to send query logging to a separate file.
2. grep out your zone statements from your named.conf file. Use these as
a basis for determining if someone sent you a query for a RR that you do
not host.
3. Write a perl script that parses through the query log, looking for
queries outside of the list from step 2.
4. Record the IP address of anyone caught in step 3.
The logic here is that if someone sends you a query for a zone that you do
not host, then they are probably asking you to do the work and it was
[probably] a recursive query.
The output of this script could be used to track down local people (those
that you can control) that are using your name servers for recursion.
hth,
Dave...
>
> Thanks
>
>
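Added example, not part of the original post: steps 2 to 4 of the reply above, written in Python rather than the Perl the reply suggests. The named.conf excerpt and the log lines are constructed samples, and the code assumes the BIND 9 query-log layout "client <ip>#<port>: query: <name> <class> <type>" and zone statements whose "type" comes before any nested block.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input, not taken from the original post.
NAMED_CONF = '''
options { directory "/var/named"; };
zone "." { type hint; file "named.ca"; };
zone "example.com" IN { type master; file "db.example.com"; };
zone "2.0.192.in-addr.arpa" { type slave; masters { 192.0.2.1; }; file "db.192.0.2"; };
'''
QUERY_LOG = '''
04-May-2005 06:50:01.101 client 192.0.2.10#32771: query: www.example.com IN A
04-May-2005 06:50:02.340 client 192.0.2.10#32772: query: www.isc.org IN A
04-May-2005 06:50:03.512 client 198.51.100.7#1045: query: mail.example.net IN MX
04-May-2005 06:50:04.020 client 198.51.100.7#1046: query: 5.2.0.192.in-addr.arpa IN PTR
04-May-2005 06:50:05.777 client 198.51.100.7#1047: query: notexample.com IN A
04-May-2005 06:50:06.001 client 203.0.113.9#5353: query: EXAMPLE.COM. IN SOA
'''

ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{[^}]*?type\s+(\w+)\s*;', re.S | re.I)
QUERY_RE = re.compile(r'client (?:@\S+ )?([0-9A-Fa-f.:]+)#\d+.*?query: (\S+) \S+ \S+')

def hosted_zones(conf):
    """Step 2: names of zones this server is authoritative for (hint/forward excluded)."""
    return {name.lower().rstrip(".") for name, ztype in ZONE_RE.findall(conf)
            if ztype.lower() in ("master", "slave") and name != "."}

def in_hosted_zone(qname, zones):
    """True if qname equals a hosted zone or lies below one, on a label boundary."""
    qname = qname.lower().rstrip(".")
    return any(qname == z or qname.endswith("." + z) for z in zones)

def likely_recursive_clients(log, zones):
    """Steps 3-4: map client IP -> Counter of queried names outside the hosted zones."""
    hits = defaultdict(Counter)
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m and not in_hosted_zone(m.group(2), zones):
            hits[m.group(1)][m.group(2).lower().rstrip(".")] += 1
    return hits

if __name__ == "__main__":
    for ip, names in sorted(likely_recursive_clients(QUERY_LOG, hosted_zones(NAMED_CONF)).items()):
        print(ip, sum(names.values()), ", ".join(sorted(names)))
```

The suffix test is label-aligned, so notexample.com is not mistaken for a name inside example.com, and the root hint zone is left out so that it does not match every query.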