Configure Bind to log all queried domains from specific client IPs

Question

I would like to know how I can configure a bind dns server to log all queried domains from specific client IPs.

Possible duplicate of http://serverfault.com/questions/701810/logging-wildcard-query-in-bind — Andy, Jun 30 '15 at 21:26

score 0 · Answer 1 · answered Jun 30 '15 at 20:12

0

tcpdump -nni any host <host IP> and port 53 -w <write out file>

answered Jun 30 '15 at 20:12

Arlion

608
1
5
17

That would solve it for a single ip and it would record all the tcp traffic, that has to be manually examined. I would like to have a more comfortable means to specify whole ip ranges for logging queried domains, that were successfully resolved by bind. When bind could do this logging somehow, it could use dns specific information to log successful queries. With a tcp dump I would have to follow the conversation between client and server to determine which queries are successful and I would need to find out, how the dns protocoll is implemented to extract information. – user1861174 Jun 30 '15 at 20:52

score 0 · Answer 2 · answered Jul 01 '15 at 10:59

If one of your requirements is that it only be successfully resolved names, you can use the dns.flags.response filter. Useful writeup here. Bind can also log queries to a file (reference) which you could then parse with a wide variety of log/text analysis tools.

Configure Bind to log all queried domains from specific client IPs

2 Answers2