Page 2 of 3 FirstFirst 1 2 3 LastLast
Results 11 to 20 of 27
  1. #11
    Just Joined!
    Join Date
    Apr 2011
    Posts
    38

    You're right, but if this operation is simpler with php I can use it. You gave me three different cases, and the first seems to be the simplest. I absolutely don't know how php works, so I was asking you if it logs DNS traffic by default...

  2. #12
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,392
    I think we need some definitions.

    php was used as an example for the different ways daemons/apps do logging.
    It was not meant as a solution to your problem.

    Also, after re-reading, I am not entirely sure what you mean by DNS queries.
    I *assumed* you want to have and analyze the logs of a DNS server. Is that correct?

    If yes:
    - what is the name of the DNS daemon you are using?
    - what is the name of that log analyzer?
    - which numbers do you want from that analyzer?

    If no:
    - what is the name of the daemon/app that you need logging of?
    - how do DNS queries fit into that? Do you mean to resolve IPs in logfiles to hostnames?
    You must always face the curtain with a bow.

  3. #13
    Just Joined!
    Join Date
    Apr 2011
    Posts
    38
    I'll give you an example:

    if in the terminal I write
    $ nslookup www.amazon.com

    I'd like this event to be logged somewhere.

    I'd like the DNS query to be saved even if it is not explicit, as when I write a new address in my browser...

  4. #14
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,392
    Well... This can be tricky.
    It depends on how much control you have over the network in question.

    *Most* applications will use the resolver library and the configuration in /etc/host.conf and /etc/resolv.conf.
    If /etc/host.conf contains an order line that begins with hosts
    Code:
    order hosts,bind
    then the text file /etc/hosts is queried first for the IP or hostname.
    Off the top of my head, I don't know a method to log queries to /etc/hosts.

    If /etc/hosts doesn't have the answer, a real nameserver is queried.
    These nameservers are defined in /etc/resolv.conf.

    Now, if
    - these nameservers are under your control
    - and you are sure that all hosts in your network use them
    then
    - you can configure these nameservers to log the DNS queries.

    If the DNS server you use is bind, then this is the appropriate documentation to do so:
    http://www.bind9.net/manual/bind/9.3...html#id2553006


    So why is it tricky?
    Because nothing is stopping the hosts from using a different nameserver,
    hence circumventing the logging.
    Whether that is a problem in your environment, only you can tell.
    You must always face the curtain with a bow.

  5. #15
    Just Joined!
    Join Date
    Apr 2011
    Posts
    38
    Actually I'm not interested in other hosts on the network, I would only like to log my DNS queries.

    Looking at /etc/hosts, it only contains two rows:

    Code:
    127.0.0.1	localhost.localdomain	localhost
    ::1	localhost6.localdomain6	localhost6
    Hence I don't think it can resolve my DNS queries; in fact, looking at /etc/resolv.conf, I have the IP address of my nameserver.

    So, if I understood correctly, I have to work on the DNS server to do what I want, and there are no other ways you know of to do that on my host, right?

    However, thank you very much for your helpfulness and patience!

    P.s. In the file /etc/host.conf I have
    Code:
    multi on
    order hosts,bind
    What effect does the first row have?
    And what is 'bind' for?

  6. #16
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,392
    "multi on" means that the resolver library will return all found IPs for a host from /etc/hosts, not just the first one.
    As your hosts file is empty (save for the local hosts for IPv4 and v6), multi does nothing here.

    bind is the name of the "bind" name server.

    If you are only interested in the DNS queries of your box,
    then set up a bind nameserver locally,
    point /etc/resolv.conf to it exclusively,
    and set up logging for your bind.
    You must always face the curtain with a bow.
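    Editor's added example (not from the thread or any poster): a small Python model of the lookup order described in #14 and #16. It reads the two host.conf keywords quoted above, consults a constructed /etc/hosts first when the order line says so, and falls back to a constructed stand-in for the nameservers in /etc/resolv.conf (no real DNS is performed, so it runs offline). It also shows what "multi on" changes when a name has more than one line in /etc/hosts. The fallback order used when no order line is present is an assumption for this example, not the resolver's documented default; the "multi" default of off follows host.conf(5).

```python
"""Model of the glibc resolver order steered by /etc/host.conf.

Editor-added example, not code from the thread. "hosts" means the /etc/hosts
text file; "bind" means the nameservers from /etc/resolv.conf, replaced here by
a constructed answer table so nothing touches the network.
"""

from typing import Dict, List, Tuple

# Constructed /etc/host.conf: the same two lines the poster quoted.
HOST_CONF = """multi on
order hosts,bind
"""

# Constructed /etc/hosts: "dev" appears twice so that "multi" has an effect.
HOSTS_FILE = """127.0.0.1\tlocalhost.localdomain\tlocalhost
::1\tlocalhost6.localdomain6\tlocalhost6
10.0.0.5\tdev.example.test\tdev
10.0.0.6\tdev.example.test\tdev
# comments and blank lines are ignored, as in the real file

"""

# Constructed stand-in for what the configured nameserver would answer.
FAKE_DNS: Dict[str, List[str]] = {"www.unisa.it": ["193.205.160.14"]}


def parse_host_conf(text: str) -> Tuple[List[str], bool]:
    """Return (lookup order, multi flag) from host.conf text."""
    order = ["hosts", "bind"]  # assumed fallback for this example only
    multi = False              # host.conf(5) documents "off" as the default
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "order":
            order = [s.strip().lower() for s in value.split(",") if s.strip()]
        elif key.lower() == "multi":
            multi = value.strip().lower() == "on"
    return order, multi


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map every name or alias in /etc/hosts to the list of IPs it appears on."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), []).append(ip)
    return table


def resolve(name: str, host_conf: str = HOST_CONF, hosts_file: str = HOSTS_FILE,
            dns: Dict[str, List[str]] = FAKE_DNS) -> Tuple[str, List[str]]:
    """Try each source in host.conf order; return (source, addresses)."""
    order, multi = parse_host_conf(host_conf)
    hosts = parse_hosts(hosts_file)
    key = name.lower()
    for source in order:
        if source == "hosts" and key in hosts:
            addrs = hosts[key]
            # "multi on" returns every matching line, "multi off" only the first
            return "hosts", list(addrs if multi else addrs[:1])
        if source == "bind" and key in dns:
            return "bind", list(dns[key])
    return "none", []


if __name__ == "__main__":
    for n in ("localhost", "dev", "www.unisa.it", "nowhere.example.test"):
        print(n, "->", resolve(n))
```

    The point for the logging question is visible in resolve(): a name answered from /etc/hosts never reaches the nameserver, so a local bind with query logging only sees the names that fall through to the "bind" source. Swapping the order line to "order bind,hosts" sends every name to the nameserver first, which the test below also exercises.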

  7. #17
    Just Joined!
    Join Date
    Apr 2011
    Posts
    38
    Yes, I took this route while you were replying, I will let you know if it's working. Thank you again!

  8. #18
    Just Joined!
    Join Date
    Apr 2011
    Posts
    38
    I set up my bind server locally by modifying the configuration file /etc/named.conf in order to have
    Code:
    logging {
    
    	channel default_syslog {
    	    syslog daemon;                      
    	    severity info; 
    	};
    
    	channel bindlog {
    		file "/var/log/named.log" versions 3 size 20m;
    		print-time yes;
    		print-category yes;
    		print-severity yes;
    	};
    	category xfer-out { bindlog;};
    	category xfer-in { bindlog;};
    	category security { bindlog;};
    };
    The problem is that each name is resolved correctly; a typical response to nslookup is

    Code:
    $ nslookup www.unisa.it
    
    Server:		127.0.0.1
    Address:	127.0.0.1#53
    
    Non-authoritative answer:
    www.unisa.it	canonical name = srv-002.unisa.it.
    Name:	srv-002.unisa.it
    Address: 193.205.160.14
    but I can't see anything in /var/log/named.log or in /var/log/messages.

    I started the server with the command

    $ named -4 -g

    Where am I wrong?

  9. #19
    Just Joined!
    Join Date
    Apr 2011
    Posts
    38
    If in my /etc/named.conf I add a channel into the logging clause, like the following

    Code:
    channel debug {
    	stderr;
    	print-time yes;
    	print-category yes;
    	print-severity yes;
    };
    I should see each query in the terminal, right?

    Well... it isn't so... any suggestions?

  10. #20
    Just Joined!
    Join Date
    Apr 2011
    Posts
    38
    New update: I deleted all the previous categories and wrote

    Code:
    category default { debug; bindlog;};
    Running the server with
    $ named -4 -f

    I got some information and errors both in the terminal and in /var/log/named.log, but nothing about the queries...
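    Editor's added example (not from the thread or any poster). Two facts about BIND 9 bear on the posts above and are stated here from the BIND documentation, not from the thread: query lines are written under the "queries" logging category, so a config that routes only xfer-out, xfer-in and security (or "default") to a channel never receives them, while "category queries { bindlog; };" turns query logging on at startup (rndc querylog toggles it at runtime); and named -g forces all logging to stderr, which is why named.log stayed empty in #18 until -f was used. Once query lines do reach /var/log/named.log, the Python below parses them into records and counts queries per name, per client and per record type. The sample lines are constructed in the shape BIND writes when print-time, print-category and print-severity are on (the channel settings used above); www.unisa.it and 193.205.160.14 come from the thread, every other name, address and timestamp is made up.

```python
"""Parse BIND 9 query-log lines and summarise who asked for what.

Editor-added example, not code from the thread. The log sample is constructed;
only lines from the "queries" category carry a "query:" record, and everything
else (the security line, junk) is skipped rather than mis-parsed.
"""

import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed excerpt of /var/log/named.log with a channel that has
# print-time, print-category and print-severity enabled.
SAMPLE_LOG = """\
17-Apr-2011 10:14:02.117 queries: info: client 127.0.0.1#41236: query: www.unisa.it IN A + (127.0.0.1)
17-Apr-2011 10:14:02.118 queries: info: client 127.0.0.1#41236: query: www.unisa.it IN AAAA + (127.0.0.1)
17-Apr-2011 10:14:09.503 queries: info: client 127.0.0.1#52001: query: www.amazon.com IN A + (127.0.0.1)
17-Apr-2011 10:14:11.020 security: info: client 192.0.2.10#3000: query (cache) 'www.unisa.it/A/IN' denied
17-Apr-2011 10:14:12.777 queries: info: client 127.0.0.1#52001: query: www.amazon.com IN A + (127.0.0.1)
this line is not a query log record
"""

# One "queries" line: timestamp, category, severity, client ip#port, then the
# queried name, class, type, flag field and the server address that answered.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"queries: (?P<sev>\w+): "
    r"client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+) (?P<flags>\S+) "
    r"\((?P<server>[0-9a-fA-F.:]+)\)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a record dict for a query line, or None for anything else."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["port"] = int(m.group("port"))
    rec["name"] = m.group("name").lower().rstrip(".")  # normalise the name
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse every line, silently dropping non-query lines."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarise(records: List[Dict[str, object]]) -> Dict[str, Counter]:
    """Count queries by name, by client address and by record type."""
    return {
        "names": Counter(str(r["name"]) for r in records),
        "clients": Counter(str(r["client"]) for r in records),
        "types": Counter(str(r["type"]) for r in records),
    }


if __name__ == "__main__":
    summary = summarise(parse_log(SAMPLE_LOG))
    for bucket, counter in summary.items():
        print(bucket, counter.most_common())
```

    The summary is the kind of "numbers" the first posts in the thread asked about; running it over a real named.log after adding the queries category gives a per-name and per-client count without any external log analyser.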
