Troubleshooting Bind9 Queries
by errr on Feb.05, 2010, under BSD, Linux
Yesterday I was adding a new domain to our servers to slave. While looking through syslog to make sure it was all working I noticed a whole flood of requests for a site that was busted:
unexpected RCODE (REFUSED) resolving 'www.examplesite.com/A/IN': x.x.x.x#53
This was filling my logs like crazy. That message only tells you that the server at x.x.x.x refused the query; it says nothing about which client on your own network keeps asking for the name. I wanted to know who on my network was making so many requests for this site, and I was really hoping I didn't have some infected PC on my LAN. To find out I turned on the query log. It is not on by default on Debian, Ubuntu or CentOS, which is what I use for all of my DNS. Turning it on is pretty simple. I added the following to my named.conf.options file (that is the Debian/Ubuntu layout; on CentOS the same logging statement goes in /etc/named.conf):
logging {
    // a channel is a log destination; this one is a plain file
    channel "querylog" {
        file "/var/log/bind9-query.log";
        print-time yes;    // prefix each entry with a timestamp
    };
    // send every client query to that channel
    category queries {
        querylog;
    };
};
Once added, make sure the directory is present and that named can write there (it will create the file itself if the directory allows it, otherwise create the file first). If you are in a chroot environment like a good sysadmin, remember this path is relative to your chroot, so /var/log/bind9-query.log might really be /chroot/bind9/var/log/bind9-query.log. Next make sure your bind user has read/write access to the file (the user is bind on Debian/Ubuntu and named on CentOS):
chown bind:bind /chroot/bind9/var/log/bind9-query.log
Next simply
rndc reload
and go watch that puppy fill up in a hurry. If you only need a quick look, BIND can also switch query logging on and off at runtime with rndc querylog, without editing the config at all; without a channel of your own the entries then go wherever the default channels point, usually syslog. I do not like to keep this turned on because it fills up so fast and I only seem to need it when there is a problem. If you do decide to keep it turned on, make sure you set up a logrotate for it, or let named rotate the file itself with the versions and size options on the channel's file statement. In my environment this log will get to be several megs in under an hour. Sure hope this will help you figure out who is querying what on your network.
Sample output from the log file. Each entry shows the client address and source port, then the queried name, class and record type; the trailing + means the client asked for recursion (a - would mean it did not):
05-Feb-2010 09:08:25.524 client 192.168.1.142#51521: query: claimlj2.my.domain.com IN AAAA +
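When the log grows by megabytes an hour you want to count rather than read. The script below is an added example and not part of the original post: it parses query-log lines in the format shown above (and the newer BIND 9.11+ format, which adds a client object address, the queried name in parentheses and the local server address) and tallies queries per client, so the host behind a flood like the REFUSED one stands out. The sample log lines, including the noisy 192.168.1.77 host, are constructed for the example; names are normalised to lower case without the trailing dot because DNS names are case-insensitive.

```python
"""Find which LAN client is hammering the resolver for a given name.

Added example (not part of the original post). It parses BIND query-log
lines like the one shown above and tallies queries per client address.
"""
import re
from collections import Counter

# One regex covers the BIND 9.6-era line format shown in the post and the
# newer format (BIND 9.11 and later) that adds a client object address
# ("@0x..."), the queried name in parentheses, and the local server address.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: "
    r"(?P<name>\S+) (?P<class>\S+) (?P<type>\S+) (?P<flags>\S+)"
)

# Constructed sample log (not real traffic). 192.168.1.77 is the noisy host;
# the last line is a non-query entry that must be ignored.
SAMPLE_LOG = """\
05-Feb-2010 09:08:25.524 client 192.168.1.142#51521: query: claimlj2.my.domain.com IN AAAA +
05-Feb-2010 09:08:25.601 client 192.168.1.142#51522: query: claimlj2.my.domain.com IN A +
05-Feb-2010 09:08:26.003 client 192.168.1.77#40211: query: www.examplesite.com IN A +
05-Feb-2010 09:08:26.110 client 192.168.1.77#40212: query: WWW.examplesite.com. IN A +
05-Feb-2010 09:08:26.212 client 192.168.1.77#40213: query: www.examplesite.com IN A +
05-Feb-2010 09:08:26.900 client 192.168.1.10#53011: query: www.examplesite.com IN A +
05-Feb-2010 09:08:27.001 client @0x7f3c9c0a2010 192.168.1.77#40214 (www.examplesite.com): query: www.examplesite.com IN A +E(0)K (192.168.1.2)
05-Feb-2010 09:08:27.250 zone my.domain.com/IN: transfer of 'my.domain.com/IN' from 192.168.1.2#53: Transfer completed
"""


def normalize_name(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def parse_query(line):
    """Return a dict of the query fields, or None if this is not a query line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["name"] = normalize_name(fields["name"])
    fields["port"] = int(fields["port"])
    return fields


def iter_queries(log_text):
    """Yield the parsed query lines of a log, skipping everything else."""
    for line in log_text.splitlines():
        q = parse_query(line)
        if q:
            yield q


def count_by_client(log_text, name=None):
    """Queries per client IP, optionally restricted to one queried name."""
    want = normalize_name(name) if name else None
    return Counter(q["ip"] for q in iter_queries(log_text)
                   if want is None or q["name"] == want)


def top_talkers(log_text, name=None, n=5):
    """The n busiest client IPs as (ip, count) pairs, busiest first."""
    return count_by_client(log_text, name).most_common(n)


def count_by_client_and_name(log_text):
    """(ip, name) pairs with counts: shows what each client is asking for."""
    return Counter((q["ip"], q["name"]) for q in iter_queries(log_text))


if __name__ == "__main__":
    # Usage: who keeps asking for the broken site?
    for ip, n in top_talkers(SAMPLE_LOG, "www.examplesite.com"):
        print(f"{n:6d}  {ip}")
```

Run it against the real file by reading it into a string instead of SAMPLE_LOG; count_by_client_and_name is the one to reach for when the suspicious host turns out to be asking for many different names, which looks more like malware or a misconfigured resolver than a single broken bookmark.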