Possible To Log NXDOMAIN At The Server?

Warren Kumari warren at kumari.net
Tue Jan 30 20:29:55 UTC 2018

On Tue, Jan 30, 2018 at 3:12 PM, Reineman, Rick <Rick.Reineman at idt.com> wrote:
> Hello, I recently migrated our internal DNS service to a newer OS and Bind.  Bind 9.9.4 on CentOS7.
> The previous service had a dataset that was in really bad shape and I did a lot of cleanup for the migration.  Unfortunately there were a few records I dropped that I should not have, but it's hard to figure out which until someone complains.
> I am interested in capturing queries that fail, return a NXDOMAIN to the client in other words.
> I have two logging categories setup "queries" and "query-errors", both going to separate logs.
> The problem is that the logs do not log what I am interested in.  The queries log, logs every query, the query-errors log supposedly only logs a SERVFAIL.
> Does anyone know if it is possible to get what I want from the DNS server?

Er, you *might* be able to, but I'd suggest just using DNSCAP

# ./dnscap -sr -ex -g
[140] 2018-01-30 20:27:34.966108 [#0 br0 4095] \
        [].53 [].56101  \
        dns QUERY,NXDOMAIN,51223,qr|aa|rd \
        1 nonexistant.snozzages.com,IN,A 0 \
        1 snozzages.com,IN,SOA,600,ns01.kumari.net,warren.kumari.net,2011053169,86407,7200,3600000,17280
        1 .,4096,4096,0,edns0[len=0,UDP=4096,ver=0,rcode=0,DO=0,z=0] \

-sr will Select Responses
-ex will log Errors of type nXdomain

-g will write to stderror, -w foo will create files of the form foo.<timestamp>.


> Thanks,
> Rick
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.

More information about the bind-users mailing list