BIND DNS Enable audit logs - Authoritative

Kevin Darcy kevin.darcy at fcagroup.com
Fri Jan 11 18:55:04 UTC 2019


I don't believe there is any logging category for this, even when zones are
enabled for Dynamic Update, in which case the versioning is done
automatically. There used to be a "journalprint" utility that one could run
against the .jnl files to show the update history. But, even if the
journaling mechanism and the "journalprint" utility still exist as I
remember it, it would most likely only work for Dynamic-Update-enabled
zones. I don't believe .jnl files are created for
non-Dynamic-Update-enabled zones, although I could be wrong on that --
maybe named synthesizes .jnl files for purposes of IXFR (???).

If you're doing manual editing, I assume you have some mechanism to reload
the zone after each edit, presumably a script of some sort. The best
suggestion I have, short of evolving your solution significantly, is to add
a "diff against previous version" + "make a copy of the current version of
the file" sequence into that script, to capture the deltas, along with a
decision on how much history you want to keep, and perhaps a cron script to
purge the stale versions so the repository doesn't grow without bound. (The
maintenance/garbage-collection function could theoretically be integrated
into the main diff logic).

The next evolution might be to use a version-control system. The next
evolution beyond that might be a web interface with a dynamic-update
backend (which still serves some of our use cases) or a "panel" package
(assuming it has sufficient logging/auditing for your needs) or an
enterprise-strength DNS management solution (e.g. Infoblox, which we also
use).


                    - Kevin
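Kevin's "diff against previous version, then keep a copy" suggestion as a small POSIX shell wrapper around the reload step, added here as an example (not code from the thread, from ISC or from named itself): each reload snapshots the zone file, appends a unified diff to a per-zone changes.log, and prunes copies beyond a retention count. The zone directory, archive directory, retention count and reload command are assumptions set at the top and can be overridden from the environment.

```shell
#!/bin/sh
# Assumed layout (not from the thread): zone files in $ZONEDIR, history in
# $ARCHIVE, reload via "rndc reload <zone>". Override via the environment.
ZONEDIR=${ZONEDIR:-/var/named/zones}
ARCHIVE=${ARCHIVE:-/var/named/zone-history}
KEEP=${KEEP:-30}                        # archived copies to retain per zone
RELOAD_CMD=${RELOAD_CMD:-"rndc reload"} # set to ":" to archive without reloading

# snapshot_count ZONE: number of archived copies currently kept for ZONE.
snapshot_count() {
    n=$(ls -1 "$ARCHIVE/$1"/*.db 2>/dev/null | wc -l)
    echo $((n))
}

# archive_and_diff ZONE: copy the zone file into the archive, append the diff
# against the previous copy to changes.log, then prune copies beyond $KEEP.
archive_and_diff() {
    zone=$1; file="$ZONEDIR/$zone"; dir="$ARCHIVE/$zone"
    [ -f "$file" ] || { echo "no such zone file: $file" >&2; return 1; }
    mkdir -p "$dir"
    prev=$(ls -1 "$dir"/*.db 2>/dev/null | tail -n 1)
    # snapshot names start with a sequence number so ls sorts them in order
    last=0
    if [ -n "$prev" ]; then
        last=${prev##*/}; last=${last%%-*}; last=$(echo "$last" | sed 's/^0*//')
    fi
    snap="$dir/$(printf '%06d' $(( ${last:-0} + 1 )))-$(date -u +%Y%m%dT%H%M%SZ).db"
    cp "$file" "$snap"
    {
        echo "=== $(date -u '+%Y-%m-%d %H:%M:%S UTC') zone=$zone by=${SUDO_USER:-$(id -un)}"
        if [ -n "$prev" ]; then
            diff -u "$prev" "$snap" || true   # diff exits 1 when files differ
        else
            echo "(initial snapshot: $snap)"
        fi
    } >> "$dir/changes.log"
    # garbage-collect the oldest copies once more than $KEEP exist
    excess=$(( $(snapshot_count "$zone") - KEEP ))
    if [ "$excess" -gt 0 ]; then
        ls -1 "$dir"/*.db | head -n "$excess" | while read -r old; do rm -f "$old"; done
    fi
}

# reload_zone ZONE: archive first, then hand the zone to named.
reload_zone() {
    archive_and_diff "$1" && $RELOAD_CMD "$1"
}
```

Run it as `reload_zone example.com` in place of a bare `rndc reload example.com`; the per-zone changes.log then carries who changed what and when, which is the history named does not log for hand-edited zones.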

On Fri, Jan 11, 2019 at 9:50 AM Daniel Dawalibi <daniel.dawalibi at idm.net.lb>
wrote:

> Hello
>
> We edit our zones manually (not through a panel interface); is it possible to
> log DNS updates in this case?
> Logging is already enabled but we are unable to track the updated zones in
> the logs
> The enabled categories on the authoritative Master DNS server are "xfer-in",
> "security", "network", "default", "config", "queries" and "update".
>
> How can we enable the journal files in our case? Is there any impact on the
> DNS performance?
>
>
> Regards
> Daniel
>
> -----Original Message-----
> From: Tony Finch [mailto:dot at dotat.at]
> Sent: Tuesday, January 8, 2019 2:05 PM
> To: Daniel Dawalibi
> Cc: bind-users at lists.isc.org
> Subject: Re: BIND DNS Enable audit logs - Authoritative
> Importance: High
>
> Daniel Dawalibi <daniel.dawalibi at idm.net.lb> wrote:
> >
> > Is it possible to enable the audit logs on BIND DNS so we can track
> > changes performed on the DNS records level (Add/Delete/Modify A,MX,NS,.
> records)?
>
> You can get that by default, depending on how the changes were performed.
>
> If you use `nsupdate` or some other dynamic DNS UPDATE client, `named` will
> log changes like this ...
>
> 08-Jan-2019 11:55:09.826 update: info:
>         client @0x55b747f47ec0 ::1#5685/key local-ddns:
>         updating zone 'private.cam.ac.uk/IN':
>         adding an RR at 'private.cam.ac.uk' SOA primary.dns.cam.ac.uk.
> hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
> 08-Jan-2019 11:55:09.826 update: info:
>         client @0x55b747f47ec0 ::1#5685/key local-ddns:
>         updating zone 'private.cam.ac.uk/IN':
>         adding an RR at 'QQQQ.lcil.private.cam.ac.uk' A 172.22.QQ.QQ
>
> The changes are also recorded in the zone's journal, which you can extract
> like:
>
> $ named-journalprint /home/named/zone/private.cam.ac.uk.jnl
> [...]
> del private.cam.ac.uk.  3600    IN      SOA     primary.dns.cam.ac.uk.
> hostmaster.cam.ac.uk. 1546944908 1800 900 604800 3600
> add private.cam.ac.uk.  3600    IN      SOA     primary.dns.cam.ac.uk.
> hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
> add QQQQ.lcil.private.cam.ac.uk. 3600 IN        A       172.22.QQ.QQ
>
> You might want to use the `ixfr-from-differences` and `max-journal-size`
> options if you care about preserving journal contents.
>
> Alternatively, keep your zone contents in `git` or a database that keeps an
> audit log :-)
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> Mull of Galloway to Mull of Kintyre including the Firth of Clyde and North
> Channel: Northwesterly 4 or 5, occasionally 6 at first in the North Channel,
> becoming variable 3 or less. Moderate, becoming smooth or slight. Occasional
> rain later. Good, occasionally moderate later.
>