Bind DNS - Find machine requesting lots of failing lookups

**humbletech99** · 11-29-2007

I am seeing lots of the failed lookups in fast succession in my logs and want a way of finding out which client ip is requesting those records from my Bind DNS servers. Any ideas how I can do this?

**RobinVossen** · 11-29-2007

You can use a Sniffer.
and then run a script over the Capture File to determin were it came from.

Hope that helps.

Cheers,
Robin

edit:
IDSes use this Method

**humbletech99** · 11-29-2007

yes but I think this is much more effort than it's worth.

plus this behaviour is sporadic so I can't just run this forever until I notice it again.

I've increased logging one Bind server to see if I get any more info.

**Lazydog** · 11-30-2007

Turn on "query_log" in your named.conf.
This should show you who is quering what. Then you should be able to grep it for the information you are looking for.

**humbletech99** · 11-30-2007

yes I did effectively this but using rndc while bind was running instead.

I didn't see it happen again, but will investigate the next time this happens.

Thanks.

**Lazydog** · 12-01-2007

I would still enable the logging and restart bind. At least you'll have some sort of history file to look back on.

**humbletech99** · 12-02-2007

Originally Posted by Lazydog

I would still enable the logging and restart bind. At least you'll have some sort of history file to look back on.

what I did increases syslog logging, which should be enough. Anyway, I'll look at this again when I'm in the office.

Thanks

Thread Tools

Display

Bind DNS - Find machine requesting lots of failing lookups

Posting Permissions