BIND DNS Enable audit logs - Authoritative

Daniel Dawalibi daniel.dawalibi at idm.net.lb
Fri Jan 11 14:51:15 UTC 2019


Hello,

We edit our zones manually (not through a panel interface). Is it possible to
log DNS updates in this case?
Logging is already enabled, but we are unable to track the updated zones in
the logs.
The enabled categories on the authoritative master DNS server are "xfer-in",
"security", "network", "default", "config", "queries" and "update".

How can we enable the journal files in our case? Is there any impact on the
DNS performance?


Regards
Daniel 

-----Original Message-----
From: Tony Finch [mailto:dot at dotat.at] 
Sent: Tuesday, January 8, 2019 2:05 PM
To: Daniel Dawalibi
Cc: bind-users at lists.isc.org
Subject: Re: BIND DNS Enable audit logs - Authoritative
Importance: High

Daniel Dawalibi <daniel.dawalibi at idm.net.lb> wrote:
>
> Is it possible to enable the audit logs on BIND DNS so we can track
> changes performed on the DNS records level (Add/Delete/Modify A,MX,NS,.
> records)?

You can get that by default, depending on how the changes were performed.

If you use `nsupdate` or some other dynamic DNS UPDATE client, `named` will
log changes like this ...

08-Jan-2019 11:55:09.826 update: info:
	client @0x55b747f47ec0 ::1#5685/key local-ddns:
	updating zone 'private.cam.ac.uk/IN':
	adding an RR at 'private.cam.ac.uk' SOA primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
08-Jan-2019 11:55:09.826 update: info:
	client @0x55b747f47ec0 ::1#5685/key local-ddns:
	updating zone 'private.cam.ac.uk/IN':
	adding an RR at 'QQQQ.lcil.private.cam.ac.uk' A 172.22.QQ.QQ

The changes are also recorded in the zone's journal, which you can extract
like:

$ named-journalprint /home/named/zone/private.cam.ac.uk.jnl
[...]
del private.cam.ac.uk.  3600    IN      SOA     primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546944908 1800 900 604800 3600
add private.cam.ac.uk.  3600    IN      SOA     primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
add QQQQ.lcil.private.cam.ac.uk. 3600 IN        A       172.22.QQ.QQ

You might want to use the `ixfr-from-differences` and `max-journal-size`
options if you care about preserving journal contents.

Alternatively, keep your zone contents in `git` or a database that keeps an
audit log :-)

Tony.
--
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/ Mull of Galloway to Mull
of Kintyre including the Firth of Clyde and North
Channel: Northwesterly 4 or 5, occasionally 6 at first in the North Channel,
becoming variable 3 or less. Moderate, becoming smooth or slight. Occasional
rain later. Good, occasionally moderate later.
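
An added example, not part of the original thread: one way to turn `named-journalprint` output, as shown in the reply above, into an audit trail grouped by SOA serial change. The function name, the record layout and the sample zone data are assumptions constructed for illustration; the parser expects the tool's raw output with one record per line, not mail-wrapped text.

```python
import re

# Constructed sample in the add/del format that named-journalprint prints.
# Names, serials and addresses are made up (documentation ranges).
SAMPLE = """\
[...]
del example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2019010801 1800 900 604800 3600
del www.example.test. 3600 IN A 192.0.2.10
add example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2019010802 1800 900 604800 3600
add www.example.test. 3600 IN A 192.0.2.20
add mail.example.test. 3600 IN MX 10 mx.example.test.
del example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2019010802 1800 900 604800 3600
add example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2019010803 1800 900 604800 3600
add new.example.test. 3600 IN AAAA 2001:db8::1
"""

# op, owner name, TTL, class, type, rdata
LINE = re.compile(r"^(add|del)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse_journal(text):
    """Group journal lines into transactions: one per old-SOA/new-SOA pair."""
    txns, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skips "[...]", blank lines and anything not add/del
        op, name, _ttl, _rrclass, rrtype, rdata = m.groups()
        if rrtype == "SOA":
            fields = rdata.split()
            if len(fields) < 3:
                continue  # malformed SOA, no serial to record
            serial = int(fields[2])  # mname, rname, serial, ...
            if op == "del":
                # Deleting the old SOA opens a new transaction.
                cur = {"from": serial, "to": None, "changes": []}
                txns.append(cur)
            elif cur is not None:
                # Adding the new SOA records the serial the zone moved to.
                cur["to"] = serial
            continue
        if cur is not None:
            cur["changes"].append((op, name, rrtype, rdata))
    return txns

if __name__ == "__main__":
    for t in parse_journal(SAMPLE):
        print(f"serial {t['from']} -> {t['to']}")
        for op, name, rrtype, rdata in t["changes"]:
            print(f"  {op} {name} {rrtype} {rdata}")
```
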


