
Is there any way to log failed DNS update queries with Bind 9 (9.16.22 on Debian) in a more verbose format?

I tried all logging categories and found update messages in an update-security one. But messages are quite brief, like update forwarding 'domain.tld/IN' denied.

I would like to get a verbose message, like update forwarding 'domain.tld/IN', add foo.domain.tld 600 IN A 10.10.10.10 denied.

Milo

1 Answer


BIND's logging differentiates categories, and for each category you can set a set of channels to send messages to. For each channel you set a logging verbosity and other behaviour.

For example, you can have a dedicated channel verbose_updates, where you'll log a category update:

logging {
...
  # dedicated channel: everything sent here goes to its own file at debug level 3
  channel verbose_updates {
    file "/var/log/bind/update.log";
    severity debug 3;   # debug levels above 0 only take effect if named runs with a debug level set
    print-time yes;     # prefix each line with a timestamp
  };
  # route the "update" category (dynamic update processing) to that channel
  category update {
    verbose_updates; # other channels can go here, if you want to also have updates logged elsewhere in more typical form
  };
...
};

This way you can have a quite verbose debug log just for updates.

Read the ISC BIND documentation for reference.

Nikita Kipriyanov
  • I already tried that and there is no additional information in the log. Additionally I tried `rndc trace 3` and higher without any log verbosity change. Does such a configuration work for you? – Milo May 06 '22 at 12:31
  • This only could mean it is unable to log such information in the form you want it. Which reminds me, *why* do you need that? It seems nobody else needs that. Probably you've chosen a wrong way to solve some other problem (do we have "XY problem" here)? – Nikita Kipriyanov May 07 '22 at 12:04
  • No side reason. I only want to know which records someone is trying to update. Do I understand correctly that the log produced by the configuration you proposed does not contain such information, and you only cited the documentation without verification? I want to be sure that I've done it right. – Milo May 09 '22 at 07:26
  • I've actually built the configuration I suggested and tried how it works. Technically, my answer satisfies your question as it is presented now. The question is formulated in a quite generic way, and the only place from which one can deduce that you may need to log a record name is an example; without clarifications this is not obvious. So I suggest you at least change the title to be concrete: "How to log the name of a record that is being updated in BIND", something like that. And describe what configurations you've already tried and that none of them helped. – Nikita Kipriyanov May 09 '22 at 11:32
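Since the update-security messages stay as brief as the question quotes, the useful defensive step is to aggregate them: repeated denials from one client against one zone are the signal worth alerting on. The following is an added example (not code from the question, the answer, or ISC BIND) that parses such lines; the `update forwarding 'domain.tld/IN' denied` text comes from the question, while the timestamp and `client ip#port:` prefix and all sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log (assumed format: print-time timestamp, then the usual
# "client <ip>#<port>:" prefix, then the brief update-security message).
SAMPLE_LOG = """\
06-May-2022 12:31:02.118 client @0x7f3c4c0a1b60 10.10.10.10#53011: update forwarding 'domain.tld/IN' denied
06-May-2022 12:31:05.004 client @0x7f3c4c0a1b60 10.10.10.10#53012: update forwarding 'domain.tld/IN' denied
06-May-2022 12:31:07.331 client @0x7f3c4c0a1b60 10.10.10.10#53013: update forwarding 'domain.tld/IN' denied
06-May-2022 12:32:00.500 client @0x7f3c4c0a2c70 192.0.2.7#41000: update 'other.tld/IN' denied
06-May-2022 12:32:10.000 zone other.tld/IN: sending notifies (serial 2022050901)
"""

# Matches both "update '<zone>/IN' denied" and "update forwarding '<zone>/IN' denied";
# the optional "@0x..." client handle appears in newer BIND 9 versions.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?(?P<ip>[^#\s]+)#(?P<port>\d+): "
    r"update(?: forwarding)? '(?P<zone>[^']+)/IN' denied$"
)


def parse_denied_updates(text):
    """Return (timestamp, client_ip, zone) for every denied update line; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("ip"), m.group("zone")))
    return events


def denied_per_client(events):
    """Count denials keyed by (client_ip, zone)."""
    return Counter((ip, zone) for _, ip, zone in events)


def flag_repeat_offenders(events, threshold=3):
    """Clients with at least `threshold` denied updates against the same zone."""
    counts = denied_per_client(events)
    return sorted((ip, zone, n) for (ip, zone), n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_denied_updates(SAMPLE_LOG)
    for ip, zone, n in flag_repeat_offenders(evs):
        print(f"{ip} had {n} denied updates for {zone}")
```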