[Samba] DNS logging for TLD queries?

L.P.H. van Belle belle at bazuin.nl
Tue Jan 2 15:53:25 UTC 2018


Yes, this is very welcome! Thanks Denis!!

I've "Debianized" this a bit also. 
It now matches the "adm" administrative group that is allowed to read the logs.

# Create the BIND log directory, owned by bind and readable by the adm group
if [ ! -d /var/log/bind ]; then
  install -d /var/log/bind -m 0750 -o bind -g adm
fi

# Install a logrotate policy for the BIND logs, only if none exists yet
if [ ! -e /etc/logrotate.d/bind ]; then
cat << EOF >> /etc/logrotate.d/bind
/var/log/bind/*.log {
  daily
  missingok
  rotate 7
  compress
  delaycompress
  notifempty
  create 0640 bind adm
  postrotate
    systemctl reload bind9 > /dev/null
  endscript
}
EOF
fi


And configure it as shown on the site. 


Greetz and Happy New Year Everybody. 


Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> lingpanda101 via samba
> Sent: Tuesday, 2 January 2018 16:25
> To: Denis Cardon; samba at lists.samba.org
> Subject: Re: [Samba] DNS logging for TLD queries?
> 
> On 1/2/2018 2:50 AM, Denis Cardon wrote:
> > Hi LingPanda101,
> >
> >
> >>     Is it possible to filter DNS queries for specific TLD's using the
> >> internal logging system? My IPS/IDS alerts me when a suspicious TLD is
> >> being queried. However I'm only able to see the DC as the source.
> >> Thanks.
> >>
> >> Ubuntu 14.04 Samba 4.7.3.
> >
> > First you should really upgrade to 4.7.4 (see recent changelog)
> >
> > Second, if you are not using Bind DLZ, you should set it up, it works
> > much better than the internal DNS engine.
> >
> > And third it is then just a matter of configuring Bind properly, you
> > can check our wiki at the following address (yeah, it's in French, but
> > it shouldn't be too much of a hassle for your favorite translation tool):
> >
> > https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9
> >
> > Actually we had exactly the same question from a client a few months
> > ago...
> >
> > Cheers, and happy new year 2018!
> >
> > Denis
> >
> >>
> >
> >
> Thanks Denis.
> 
>      I was trying to avoid Bind but will give it a go as I do require 
> more insight into DNS.
> 
> -- 
> --
> James
> 
> 
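Added example (not part of the original messages or of the linked wiki): once BIND query logging writes to /var/log/bind, a filter like this lists which client asked for a name under a watched TLD, which is the detail the IDS alert lacks when it only shows the DC as the source. The log lines are constructed, the layout assumes a BIND 9 "queries" channel with print-time enabled, and the function names and TLD list are hypothetical.

```sh
#!/bin/sh
# Constructed sample lines (not real traffic). Layout assumed: BIND 9
# "queries" category on a channel with print-time yes.
sample_log() {
cat << 'EOF'
02-Jan-2018 15:40:01.101 client 192.168.10.21#51234 (www.example.com): query: www.example.com IN A +E (192.168.10.5)
02-Jan-2018 15:41:17.482 client 192.168.10.37#40112 (update.example.top): query: update.example.top IN A + (192.168.10.5)
02-Jan-2018 15:41:18.020 client @0x7f3a1c0d2e10 192.168.10.37#40113 (cdn.example.xyz): query: cdn.example.xyz IN AAAA + (192.168.10.5)
02-Jan-2018 15:42:00.900 client 192.168.10.44#53111 (laptop.EXAMPLE.XYZ): query: laptop.EXAMPLE.XYZ IN A + (192.168.10.5)
02-Jan-2018 15:43:09.310 client 192.168.10.21#51300 (top.example.org): query: top.example.org IN A + (192.168.10.5)
EOF
}

# Usage: flag_tld_queries "top xyz" < query-log-file
# Prints: date time client-ip qname qtype for names under a watched TLD.
flag_tld_queries() {
  awk -v tlds="$1" '
    BEGIN {
      n = split(tolower(tlds), t, " ")
      for (i = 1; i <= n; i++) watch[t[i]] = 1
    }
    {
      # Find the "query:" token; name, class and type follow it.
      q = 0
      for (i = 1; i <= NF; i++) if ($i == "query:") { q = i; break }
      if (q == 0 || q + 3 > NF) next
      # Client is the ip#port field before it (newer BIND adds an @0x field).
      ip = ""
      for (i = 1; i < q; i++) if ($i ~ /#[0-9]+$/) ip = $i
      if (ip == "") next
      sub(/#[0-9]+$/, "", ip)
      # Compare only the last label, case-insensitively, so that
      # top.example.org is not mistaken for a .top name.
      name = tolower($(q + 1)); sub(/\.$/, "", name)
      k = split(name, label, ".")
      if (label[k] in watch) print $1, $2, ip, name, $(q + 3)
    }'
}

# Demo on the constructed sample: three lines, two distinct clients.
sample_log | flag_tld_queries "top xyz"
```

Matching on the last label rather than grepping for the string avoids false hits on hosts that merely contain the TLD text, and the timestamp column lets each hit be lined up with the IDS alert.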