Logging on a Bind server

Tony Finch dot at dotat.at
Thu Oct 22 21:49:46 UTC 2020


Senthan.Sivasundaram at szkb.ch <Senthan.Sivasundaram at szkb.ch> wrote:

> One day an alert came from Cybereason (antivirus software) that our
> BIND server tried to connect to a suspicious domain "ns2.honeybot.us".

> But I couldn't find the log showing which domain the BIND server was
> searching for, such that the BIND server had to connect to
> "ns2.honeybot.us". I can see the query log, which shows which domains the
> clients were querying, but I couldn't find out why our BIND server tried
> to connect to the name server "ns2.honeybot.us".

There are a few ways to get answers to questions like this:

1. passive DNS, which captures cache-miss query traffic from a resolver to
the big bad internet. There are two flavours:

1a. a tcpdump tap between the resolver and the internet - the classic
passive DNS setup

1b. use dnstap, which is built-in to BIND

In both cases you will be logging a LOT so it requires sysadmin work: log
rotation, matching log volume to disk space, etc. usw. If you have good
passive DNS collection and analysis tools you can learn a lot about the
weirdness happening on your network. I don't, so I am blissfully unaware,
until I...

2. run `rndc dumpdb` and inspect the contents of named_dump.db

You might (if you are lucky) be able to run this after something happened
that caused questions, without any prior setup work, and maybe get an
answer if the TTLs are long enough.

In this particular case you'll be looking for records like ".... NS
ns2.honeybot.us". BIND prints named_dump.db in classic zone file format,
without repeating the owner name for every record, so once you have found
an NS record of interest you will need to scroll back to find a sibling
record that has the relevant owner name. So `less` is a better tool than
`grep` for this job.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Sole: Variable 4 at first in east, otherwise westerly or southwesterly 4 to 6,
occasionally 7 later in west. Moderate or rough, occasionally very rough later
in west. Rain or showers. Good, occasionally moderate.
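An added example (not part of Tony's message or of BIND itself) of doing the named_dump.db search with awk instead of `less`: it remembers the owner name of the last record that started in column 1, so the NS record that carries "ns2.honeybot.us" in its RDATA is printed together with the owner name that the dump omits on continuation lines. It assumes the `owner TTL IN TYPE RDATA` layout of the cache dump; the sample dump, the owner "suspicious.test." and the addresses in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: search a BIND `rndc dumpdb`
# output (named_dump.db) for records whose RDATA mentions a given name and
# print the owner name, which the dump omits on lines that continue an RRset.
#
# Assumptions: the dump uses the `owner TTL IN TYPE RDATA` layout (owner
# omitted on continuation lines, which then start with whitespace); lines
# starting with ';' are comments and '$' lines are directives.

# Find records whose RDATA contains $1 (case-insensitive substring) in the
# dump file $2 and print "owner type rdata" for each hit.
find_rdata_refs() {
    awk -v pat="$1" '
        BEGIN { pat = tolower(pat) }
        # comments (negative-cache entries included), directives, blank lines
        /^[[:space:]]*;/ || /^[$]/ || /^[[:space:]]*$/ { next }
        {
            # a record starting in column 1 names a new owner; continuation
            # lines inherit the owner of the previous full record
            if ($0 ~ /^[^[:space:]]/) owner = $1
            # locate the class field; the RR type follows it, RDATA the rest
            first = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "IN" || $i == "CH" || $i == "HS") { first = i + 2; break }
            }
            if (first == 0 || first > NF) next
            type = $(first - 1)
            rdata = $first
            for (i = first + 1; i <= NF; i++) rdata = rdata " " $i
            if (index(tolower(rdata), pat) > 0) print owner, type, rdata
        }
    ' "$2"
}

# Constructed sample in the style of named_dump.db (not a real dump); the
# owner "suspicious.test." and the addresses are made up for the example.
write_sample_dump() {
    cat > "$1" <<'EOF'
;
; Start view _default
;
; Cache dump of view '_default' (cache _default)
;
$DATE 20201022214946
; authanswer
example.com.            3600    IN NS   ns1.example.com.
                        3600    IN NS   ns2.example.com.
; glue
ns1.example.com.        3600    IN A    192.0.2.1
; answer
suspicious.test.        86400   IN NS   ns1.honeybot.us.
                        86400   IN NS   ns2.honeybot.us.
; glue
ns2.honeybot.us.        86400   IN A    192.0.2.53
; example.com.          600     IN \-AAAA ;-$NXRRSET
EOF
}

# Stand-alone demo: write the sample and ask which owner points at
# ns2.honeybot.us. Against a real server run `rndc dumpdb -cache` first and
# point find_rdata_refs at named's dump-file (named_dump.db in its working
# directory by default).
demo() {
    tmp=$(mktemp)
    write_sample_dump "$tmp"
    find_rdata_refs ns2.honeybot.us "$tmp"
    rm -f "$tmp"
}
demo
```

The glue A record owned by ns2.honeybot.us. itself is not reported, because the match is on RDATA only; that is what distinguishes "who delegated to this name server" from "what address did we cache for it".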


More information about the bind-users mailing list