[Samba] DNS logging for TLD queries?
lingpanda101
lingpanda101 at gmail.com
Wed Jan 3 14:38:13 UTC 2018
On 1/2/2018 2:50 AM, Denis Cardon wrote:
> Hi LingPanda101,
>
>
>> Is it possible to filter DNS queries for specific TLD's using the
>> internal logging system? My IPS/IDS alerts me when a suspicious TLD is
>> being queried. However I'm only able to see the DC as the source.
>> Thanks.
>>
>> Ubuntu 14.04 Samba 4.7.3.
>
> First you should really upgrade to 4.7.4 (see recent changelog)
>
> Second, if you are not using Bind DLZ, you should set it up, it works
> much better than the internal DNS engine.
>
> And third it is then just a matter of configuring Bind properly, you
> can check our wiki at the following address (yeah, it's in French, but
> it shouldn't be too much of a hassle for your favorite translation tool):
>
> https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9
>
> Actually we had exactly the same question from a client a few months
> ago...
>
> Cheers, and happy new year 2018!
>
> Denis
>
Denis,
I've attempted to set up the logging per your link. I ran into a
couple of issues.
* Using your template for log.conf, Bind refuses to start because of
  the following lines:
    o 'local syslog2;' Bind complains it doesn't know how to interpret
      local
        + I'm assuming this line tells the logging system where to
          find syslog? I replaced it with 'file "var/log/syslog";'
* Bind also didn't know how to interpret 'blade-servers {null; };'
    o Seeing as I'm not using one, I commented the line out.
After these changes Bind still wouldn't start, but not because of these
errors. Now it's a permission issue:
set up managed keys zone for view _default, file 'managed-keys.bind'
Jan 3 09:25:03 ddc2 named[13127]: command channel listening on 127.0.0.1#953
Jan 3 09:25:03 ddc2 named[13127]: command channel listening on ::1#953
Jan 3 09:25:03 ddc2 named[13127]: isc_stdio_open '/var/log/syslog' failed: permission denied
Jan 3 09:25:03 ddc2 named[13127]: configuring logging: permission denied
Jan 3 09:25:03 ddc2 named[13127]: loading configuration: permission denied
Jan 3 09:25:03 ddc2 named[13127]: exiting (due to fatal error)
Before I go changing permissions, am I correct in the two changes I made
previously to get to this point? Thanks.
--
James
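The original question in this thread is which client, rather than the DC, queried a suspicious TLD. Once Bind's `queries` category is written to a file channel (a directory the named user can write to, which is what the "permission denied" on /var/log/syslog above is about), the query log carries the client address on every line. The following is an added example, not code from the thread or from the linked wiki: a small Python parser for standard BIND 9 query-log lines that reports which clients asked for names under a watched set of TLDs. The log lines, client addresses and the TLDs on the watch list are all constructed placeholders; the line format assumed is the usual `client <addr>#<port> (<name>): query: <name> IN <type> ...` form, with the `@0x...` pointer that newer BIND releases insert after `client` treated as optional.

```python
import re
from collections import defaultdict

# Pattern for a BIND 9 "queries" category log line, e.g.
#   client 10.0.0.5#51234 (host.example): query: host.example IN A +E (10.0.0.1)
# Newer BIND releases insert "@0x<pointer>" after "client"; it is optional here.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def tld_of(name):
    """Return the last label of a query name, lower-cased, ignoring a trailing dot."""
    labels = [label for label in name.rstrip(".").lower().split(".") if label]
    return labels[-1] if labels else ""


def parse_query_line(line):
    """Return a dict for a query-log line, or None for any other log line."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    name = m.group("name").rstrip(".").lower()
    return {
        "client": m.group("client"),
        "port": int(m.group("port")),
        "name": name,
        "qtype": m.group("qtype"),
        "tld": tld_of(name),
    }


def find_tld_queries(lines, watched_tlds):
    """Return the parsed queries whose TLD is in the watch list (case-insensitive)."""
    watched = {t.lower().lstrip(".") for t in watched_tlds}
    hits = []
    for line in lines:
        rec = parse_query_line(line)
        if rec and rec["tld"] in watched:
            hits.append(rec)
    return hits


def clients_by_tld(hits):
    """Group the hits so each watched TLD maps to the sorted list of clients that queried it."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["tld"]].add(h["client"])
    return {tld: sorted(clients) for tld, clients in grouped.items()}


# Constructed sample log lines (placeholder addresses and names, not real data).
SAMPLE_LOG = [
    "03-Jan-2018 09:30:01.123 queries: info: client 192.168.1.25#51234 "
    "(www.example.com): query: www.example.com IN A +E (192.168.1.10)",
    "03-Jan-2018 09:30:02.456 queries: info: client 192.168.1.40#60001 "
    "(cdn.example.xyz): query: cdn.example.xyz IN A + (192.168.1.10)",
    "03-Jan-2018 09:30:03.789 queries: info: client @0x7f3c1c0b1e10 192.168.1.55#43210 "
    "(update.example.top): query: update.example.top IN AAAA + (192.168.1.10)",
    "03-Jan-2018 09:30:04.000 queries: info: client 192.168.1.40#60002 "
    "(mail.example.xyz): query: mail.example.xyz IN MX + (192.168.1.10)",
    "03-Jan-2018 09:30:05.000 general: info: zone example.com/IN: loaded serial 2018010301",
]

# Placeholder watch list; substitute whatever TLDs your IDS/IPS flags.
WATCHED_TLDS = ["xyz", ".TOP"]


if __name__ == "__main__":
    for tld, clients in clients_by_tld(find_tld_queries(SAMPLE_LOG, WATCHED_TLDS)).items():
        print(f".{tld}: {', '.join(clients)}")
```

Run against a real query log, the output pairs each flagged TLD with the internal clients that resolved names under it, which is the piece the DC-only view from the IDS alert lacks. The parser deliberately ignores non-query lines (the `general:` zone-load line in the sample) rather than failing on them, since a file channel normally carries several categories.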