Logging on a Bind server

Chuck Aurora ca at nodns4.us
Tue Oct 20 16:02:21 UTC 2020

On 2020-10-20 10:34, Borja Marcos wrote:
>> On 20 Oct 2020, at 17:28, Rick Dicaire <kritek at gmail.com> wrote:
>> On Tue, Oct 20, 2020 at 10:17 AM <Senthan.Sivasundaram at szkb.ch> wrote:
>> Dear BIND-Users,
>> Does someone has an idea, which log I have to activate.

While everything Borja says below, and what Kevin said in the other
subthread, is absolutely true, in this case I am not sure these are
the best answers. :)

I would suggest to the OP that you go to your software vendor and ask
exactly why you should be concerned about queries going to that
particular server.  Demand detailed information, which should be a
reasonable thing, given what your company is paying them.

In some cases, such vendors are frauds.  Note, I have no inside
information about Cybereason nor ns2.honeybot.us, so the warning could
very well be a valid concern.  But I wouldn't recommend going to all
this trouble without knowing details of why to worry.

And then rather than dnstap/logging, I'd probably follow Kevin's
advice about RPZ, if it turned out to be a valid concern.  I think if
your vendor is as good as you hope they are (and as they surely claim
to be) they would have information about setting up RPZ.

>> Do you have querylog enabled?
> Querylog is not enough. It will tell you which clients are sending
> which queries, but not which queries go to the Server Of Interest.
> It won’t log the queries the recursive server sends itself.
> That’s a good use case for dnstap.
> As a sort of desperate measure you can capture packets sent to the
> suspicious IP addresses (no need to put the interface in promisc
> mode) and check which queries were sent to them.

More information about the bind-users mailing list