[Samba] DNS logging for TLD queries?

lingpanda101 lingpanda101 at gmail.com
Wed Jan 3 15:00:13 UTC 2018


On 1/3/2018 9:38 AM, lingpanda101 wrote:
> On 1/2/2018 2:50 AM, Denis Cardon wrote:
>> Hi LingPanda101,
>>
>>
>>> Is it possible to filter DNS queries for specific TLDs using the
>>> internal logging system? My IPS/IDS alerts me when a suspicious TLD is
>>> being queried. However, I'm only able to see the DC as the source.
>>> Thanks.
>>>
>>> Ubuntu 14.04 Samba 4.7.3.
>>
>> First you should really upgrade to 4.7.4 (see recent changelog)
>>
>> Second, if you are not using Bind DLZ, you should set it up, it works 
>> much better than the internal DNS engine.
>>
>> And third it is then just a matter of configuring Bind properly, you 
>> can check our wiki at the following address (yeah, it's in French, 
>> but it shouldn't be too much of a hassle for your favorite 
>> translation tool):
>>
>> https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9
>>
>> Actually we had exactly the same question from a client a few months 
>> ago...
>>
>> Cheers, and happy new year 2018!
>>
>> Denis
>>
>>>
>>
>>
> Denis,
>
>     I've attempted to set up the logging per your link. I ran into a 
> couple of issues.
>
>   * Using your template for log.conf, Bind refuses to start because of
>     the following lines.
>       o 'local syslog2;' Bind complains it doesn't know how to
>         interpret local
>           + I'm assuming this line tells the logging system where to
>             find syslog? I replaced it with 'file "var/log/syslog";'
>   * Bind also didn't know how to interpret 'blade-servers {null;  };'
>       o Seeing as I'm not using one, I commented the line out.
>
> After these changes Bind still wouldn't start, but not because of 
> these errors. Now it's a permission issue.
>
> set up managed keys zone for view _default, file 'managed-keys.bind'
> Jan  3 09:25:03 ddc2 named[13127]: command channel listening on 127.0.0.1#953
> Jan  3 09:25:03 ddc2 named[13127]: command channel listening on ::1#953
> Jan  3 09:25:03 ddc2 named[13127]: isc_stdio_open '/var/log/syslog' failed: permission denied
> Jan  3 09:25:03 ddc2 named[13127]: configuring logging: permission denied
> Jan  3 09:25:03 ddc2 named[13127]: loading configuration: permission denied
> Jan  3 09:25:03 ddc2 named[13127]: exiting (due to fatal error)
>
> Before I go changing permissions, am I correct in the two changes I 
> made previously to get to this point? Thanks.
>
>  --
>
> James
>
Denis,

     One issue was a typo. I omitted the 2 from the syslog file. Bind 
now starts, but I do get

rndc: connect failed: 127.0.0.1#953: connection refused


-- 
James
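The thread's actual goal is to see which client, rather than the DC, asked for a name under a TLD the IDS flags. Below is an added example, not code from the thread or from the tranquil.it wiki, that parses BIND 9 query-log lines (what `category queries` emits once logging is configured) and reports hits per client address. The sample log lines, the watchlist of TLDs and the 192.0.2.0/24 addresses are constructed for the demo; the real watchlist should come from the IDS that raised the alert. Two facts about named.conf are worth keeping in mind while wiring this up: a channel's destination is written either `syslog <facility>;` (for instance `syslog local2;`) or `file "<path>";`, and a `file` destination is opened by the named process itself, so the path must be writable by the user named runs as, which is exactly the `permission denied` failure quoted above.

```python
import re
from collections import Counter

# Constructed sample lines in BIND 9 query-log format (not from the thread).
# The syslog prefix reuses the host/pid seen in the thread purely as a label.
# Line 2 shows the BIND 9.11+ form with "@0x..." after "client".
SAMPLE_LOG = """\
Jan  3 09:30:01 ddc2 named[13127]: client 192.0.2.10#51234 (www.example.com): query: www.example.com IN A + (192.0.2.1)
Jan  3 09:30:02 ddc2 named[13127]: client @0x7f8c1c0e3b40 192.0.2.25#40311 (update.cdn-check.top): query: update.cdn-check.top IN A +E(0)K (192.0.2.1)
Jan  3 09:30:03 ddc2 named[13127]: client 192.0.2.10#51235 (ddc2.ad.example.local): query: ddc2.ad.example.local IN AAAA + (192.0.2.1)
Jan  3 09:30:04 ddc2 named[13127]: client 192.0.2.77#60001 (cdn.something.xyz): query: cdn.something.xyz IN A + (192.0.2.1)
Jan  3 09:30:05 ddc2 named[13127]: client 192.0.2.25#40312 (mail.example.com.): query: mail.example.com. IN MX + (192.0.2.1)
"""

# Constructed watchlist for the demo; take the real one from your IDS.
WATCHLIST = {"top", "xyz"}

# Assumptions: any syslog prefix may precede "client", BIND 9.11+ inserts
# "@0x<addr> " after "client", and the "(qname)" group after the socket is
# absent in older releases, so it is optional here.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: "
    r"(?P<name>\S+) (?P<class>\S+) (?P<type>\S+)"
)


def parse_query(line):
    """Return {'ip','port','name','class','type'} or None for non-query lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["port"] = int(d["port"])
    return d


def tld_of(name):
    """Last DNS label, lower-cased, with any trailing root dot stripped.

    Deliberately naive (no public-suffix list): a TLD watchlist only needs
    the final label.
    """
    labels = name.rstrip(".").lower().split(".")
    return labels[-1]


def flag_suspicious(lines, watchlist):
    """Return [(client_ip, qname, tld)] for queries whose TLD is watched."""
    wanted = {t.lower().lstrip(".") for t in watchlist}
    hits = []
    for line in lines:
        q = parse_query(line)
        if q is None:
            continue
        tld = tld_of(q["name"])
        if tld in wanted:
            hits.append((q["ip"], q["name"].rstrip("."), tld))
    return hits


def per_client(hits):
    """Count hits per client address, the attribution the DC log lacks."""
    return Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    found = flag_suspicious(SAMPLE_LOG.splitlines(), WATCHLIST)
    for ip, name, tld in found:
        print(f"{ip} queried {name} (.{tld})")
    for ip, n in per_client(found).items():
        print(f"{ip}: {n} flagged quer{'y' if n == 1 else 'ies'}")
```

Point the script at the file or syslog facility the `queries` channel writes to (for example `python3 tld_watch.py < /var/log/named/query.log`, after replacing `SAMPLE_LOG.splitlines()` with `sys.stdin`), and the per-client summary gives the IDS alert the source address it was missing.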
