net-services
/
pub-dns
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add logging

This commit is contained in:
Kameron Kenny - pi501 2024-04-20 21:04:15 -04:00
parent 581a66ce41
commit b206965b08
2 changed files with 430 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

215
primary/etc/bind/named.conf
View File

@ -41,3 +41,218 @@ zone "0.0.127.in-addr.arpa" in {
type master; type master;
file "db.127"; file "db.127";
}; };
logging {
channel default_log {
file "/var/named/log/default" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel auth_servers_log {
file "/var/named/log/auth_servers" versions 100 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel dnssec_log {
file "/var/named/log/dnssec" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel zone_transfers_log {
file "/var/named/log/zone_transfers" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel ddns_log {
file "/var/named/log/ddns" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel client_security_log {
file "/var/named/log/client_security" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel rate_limiting_log {
file "/var/named/log/rate_limiting" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel rpz_log {
file "/var/named/log/rpz" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel dnstap_log {
file "/var/named/log/dnstap" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
//
// If you have the category queries defined, and you dont want query logging
// by default, make sure you add option querylog no; - then you can toggle
// query logging on (and off again) using command rndc querylog
//
channel queries_log {
file "/var/named/log/queries" versions 600 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
//
// This channel is dynamic so that when the debug level is increased using
// rndc while the server is running, extra information will be logged about
// failing queries. Other debug information for other categories will be
// sent to the channel default_debug (which is also dynamic), but without
// affecting the regular logging.
//
channel query-errors_log {
file "/var/named/log/query-errors" versions 5 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity dynamic;
};
//
// This is the default syslog channel, defined here for clarity. You dont
// have to use it if you prefer to log to your own channels.
// It sends to syslogs daemon facility, and sends only logged messages
// of priority info and higher.
// (The options to print time, category and severity are non-default.)
//
channel default_syslog {
print-time yes;
print-category yes;
print-severity yes;
syslog daemon;
severity info;
};
//
// This is the default debug output channel, defined here for clarity. You
// might want to redefine the output destination if it doesnt fit with your
// local system administration plans for logging. It is also a special
// channel that only produces output if the debug level is non-zero.
//
channel default_debug {
print-time yes;
print-category yes;
print-severity yes;
file "named.run";
severity dynamic;
};
//
// Log routine stuff to syslog and default log:
//
category default { default_syslog; default_debug; default_log; };
category config { default_syslog; default_debug; default_log; };
category dispatch { default_syslog; default_debug; default_log; };
category network { default_syslog; default_debug; default_log; };
category general { default_syslog; default_debug; default_log; };
//
// From BIND 9.12 and newer, you can direct zone load logging to another
// channel with the new zoneload logging category. If this would be useful
// then firstly, configure the new channel, and then edit the line below
// to direct the category there instead of to syslog and default log:
//
category zoneload { default_syslog; default_debug; default_log; };
//
// Log messages relating to what we got back from authoritative servers during
// recursion (if lame-servers and edns-disabled are obscuring other messages
// they can be sent to their own channel or to null). Sometimes these log
// messages will be useful to research why some domains dont resolve or
// dont resolve reliably
//
category resolver { auth_servers_log; default_debug; };
category cname { auth_servers_log; default_debug; };
category delegation-only { auth_servers_log; default_debug; };
category lame-servers { auth_servers_log; default_debug; };
category edns-disabled { auth_servers_log; default_debug; };
//
// Log problems with DNSSEC:
//
category dnssec { dnssec_log; default_debug; };
//
// Log together all messages relating to authoritative zone propagation
//
category notify { zone_transfers_log; default_debug; };
category xfer-in { zone_transfers_log; default_debug; };
category xfer-out { zone_transfers_log; default_debug; };
//
// Log together all messages relating to dynamic updates to DNS zone data:
//
category update{ ddns_log; default_debug; };
category update-security { ddns_log; default_debug; };
//
// Log together all messages relating to client access and security.
// (There is an additional category unmatched that is by default sent to
// null but which can be added here if you want more than the one-line
// summary that is logged for failures to match a view).
//
category client{ client_security_log; default_debug; };
category security { client_security_log; default_debug; };
//
// Log together all messages that are likely to be related to rate-limiting.
// This includes RRL (Response Rate Limiting) - usually deployed on authoritative
// servers and fetches-per-server|zone. Note that it does not include
// logging of changes for clients-per-query (which are logged in category
// resolver). Also note that there may on occasions be other log messages
// emitted by the database category that dont relate to rate-limiting
// behaviour by named.
//
category rate-limit { rate_limiting_log; default_debug; };
category spill { rate_limiting_log; default_debug; };
category database { rate_limiting_log; default_debug; };
//
// Log DNS-RPZ (Response Policy Zone) messages (if you are not using DNS-RPZ
// then you may want to comment out this category and associated channel)
//
category rpz { rpz_log; default_debug; };
//
// Log messages relating to the "dnstap" DNS traffic capture system (if you
// are not using dnstap, then you may want to comment out this category and
// associated channel).
//
category dnstap { dnstap_log; default_debug; };
//
// If you are running a server (for example one of the Internet root
// nameservers) that is providing RFC 5011 trust anchor updates, then you
// may be interested in logging trust anchor telemetry reports that your
// server receives to analyze anchor propagation rates during a key rollover.
// If this would be useful then firstly, configure the new channel, and then
// un-comment and the line below to direct the category there instead of to
// syslog and default log:
//
//
category trust-anchor-telemetry { default_syslog; default_debug; default_log; };
//
// If you have the category queries defined, and you dont want query logging
// by default, make sure you add option querylog no; - then you can toggle
// query logging on (and off again) using command rndc querylog
//
category queries { queries_log; };
//
// This logging category will only emit messages at debug levels of 1 or
// higher - it can be useful to troubleshoot problems where queries are
// resulting in a SERVFAIL response.
//
category query-errors {query-errors_log; };
};

215
secondary/etc/bind/named.conf
View File

@ -35,3 +35,218 @@ zone "0.0.127.in-addr.arpa" in {
type secondary; type secondary;
primaries { 10.99.153.241; }; primaries { 10.99.153.241; };
}; };
logging {
channel default_log {
file "/var/named/log/default" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel auth_servers_log {
file "/var/named/log/auth_servers" versions 100 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel dnssec_log {
file "/var/named/log/dnssec" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel zone_transfers_log {
file "/var/named/log/zone_transfers" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel ddns_log {
file "/var/named/log/ddns" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel client_security_log {
file "/var/named/log/client_security" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel rate_limiting_log {
file "/var/named/log/rate_limiting" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel rpz_log {
file "/var/named/log/rpz" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
channel dnstap_log {
file "/var/named/log/dnstap" versions 3 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
//
// If you have the category queries defined, and you dont want query logging
// by default, make sure you add option querylog no; - then you can toggle
// query logging on (and off again) using command rndc querylog
//
channel queries_log {
file "/var/named/log/queries" versions 600 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
//
// This channel is dynamic so that when the debug level is increased using
// rndc while the server is running, extra information will be logged about
// failing queries. Other debug information for other categories will be
// sent to the channel default_debug (which is also dynamic), but without
// affecting the regular logging.
//
channel query-errors_log {
file "/var/named/log/query-errors" versions 5 size 20m;
print-time yes;
print-category yes;
print-severity yes;
severity dynamic;
};
//
// This is the default syslog channel, defined here for clarity. You dont
// have to use it if you prefer to log to your own channels.
// It sends to syslogs daemon facility, and sends only logged messages
// of priority info and higher.
// (The options to print time, category and severity are non-default.)
//
channel default_syslog {
print-time yes;
print-category yes;
print-severity yes;
syslog daemon;
severity info;
};
//
// This is the default debug output channel, defined here for clarity. You
// might want to redefine the output destination if it doesnt fit with your
// local system administration plans for logging. It is also a special
// channel that only produces output if the debug level is non-zero.
//
channel default_debug {
print-time yes;
print-category yes;
print-severity yes;
file "named.run";
severity dynamic;
};
//
// Log routine stuff to syslog and default log:
//
category default { default_syslog; default_debug; default_log; };
category config { default_syslog; default_debug; default_log; };
category dispatch { default_syslog; default_debug; default_log; };
category network { default_syslog; default_debug; default_log; };
category general { default_syslog; default_debug; default_log; };
//
// From BIND 9.12 and newer, you can direct zone load logging to another
// channel with the new zoneload logging category. If this would be useful
// then firstly, configure the new channel, and then edit the line below
// to direct the category there instead of to syslog and default log:
//
category zoneload { default_syslog; default_debug; default_log; };
//
// Log messages relating to what we got back from authoritative servers during
// recursion (if lame-servers and edns-disabled are obscuring other messages
// they can be sent to their own channel or to null). Sometimes these log
// messages will be useful to research why some domains dont resolve or
// dont resolve reliably
//
category resolver { auth_servers_log; default_debug; };
category cname { auth_servers_log; default_debug; };
category delegation-only { auth_servers_log; default_debug; };
category lame-servers { auth_servers_log; default_debug; };
category edns-disabled { auth_servers_log; default_debug; };
//
// Log problems with DNSSEC:
//
category dnssec { dnssec_log; default_debug; };
//
// Log together all messages relating to authoritative zone propagation
//
category notify { zone_transfers_log; default_debug; };
category xfer-in { zone_transfers_log; default_debug; };
category xfer-out { zone_transfers_log; default_debug; };
//
// Log together all messages relating to dynamic updates to DNS zone data:
//
category update{ ddns_log; default_debug; };
category update-security { ddns_log; default_debug; };
//
// Log together all messages relating to client access and security.
// (There is an additional category unmatched that is by default sent to
// null but which can be added here if you want more than the one-line
// summary that is logged for failures to match a view).
//
category client{ client_security_log; default_debug; };
category security { client_security_log; default_debug; };
//
// Log together all messages that are likely to be related to rate-limiting.
// This includes RRL (Response Rate Limiting) - usually deployed on authoritative
// servers and fetches-per-server|zone. Note that it does not include
// logging of changes for clients-per-query (which are logged in category
// resolver). Also note that there may on occasions be other log messages
// emitted by the database category that dont relate to rate-limiting
// behaviour by named.
//
category rate-limit { rate_limiting_log; default_debug; };
category spill { rate_limiting_log; default_debug; };
category database { rate_limiting_log; default_debug; };
//
// Log DNS-RPZ (Response Policy Zone) messages (if you are not using DNS-RPZ
// then you may want to comment out this category and associated channel)
//
category rpz { rpz_log; default_debug; };
//
// Log messages relating to the "dnstap" DNS traffic capture system (if you
// are not using dnstap, then you may want to comment out this category and
// associated channel).
//
category dnstap { dnstap_log; default_debug; };
//
// If you are running a server (for example one of the Internet root
// nameservers) that is providing RFC 5011 trust anchor updates, then you
// may be interested in logging trust anchor telemetry reports that your
// server receives to analyze anchor propagation rates during a key rollover.
// If this would be useful then firstly, configure the new channel, and then
// un-comment and the line below to direct the category there instead of to
// syslog and default log:
//
//
category trust-anchor-telemetry { default_syslog; default_debug; default_log; };
//
// If you have the category queries defined, and you dont want query logging
// by default, make sure you add option querylog no; - then you can toggle
// query logging on (and off again) using command rndc querylog
//
category queries { queries_log; };
//
// This logging category will only emit messages at debug levels of 1 or
// higher - it can be useful to troubleshoot problems where queries are
// resulting in a SERVFAIL response.
//
category query-errors {query-errors_log; };
};