[Samba] DNS logging for TLD queries?

L.P.H. van Belle belle at bazuin.nl
Wed Jan 3 15:05:51 UTC 2018


The last error you get is because bind was not stopped; there is still something running. 
ps -faux | egrep "rndc|bind|named"

Kill it and run the stop command again (systemctl stop bind9). 
Then start it again; it should work. 


Regards, 

Louis


> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of 
> lingpanda101 via samba
> Sent: Wednesday, 3 January 2018 16:00
> To: samba at lists.samba.org
> CC: Denis Cardon
> Subject: Re: [Samba] DNS logging for TLD queries?
> 
> On 1/3/2018 9:38 AM, lingpanda101 wrote:
> > On 1/2/2018 2:50 AM, Denis Cardon wrote:
> >> Hi LingPanda101,
> >>
> >>
> >>>     Is it possible to filter DNS queries for specific TLDs using the
> >>> internal logging system? My IPS/IDS alerts me when a suspicious TLD is
> >>> being queried. However I'm only able to see the DC as the source.
> >>> Thanks.
> >>>
> >>> Ubuntu 14.04 Samba 4.7.3.
> >>
> >> First, you should really upgrade to 4.7.4 (see the recent changelog).
> >>
> >> Second, if you are not using Bind DLZ, you should set it up; it works
> >> much better than the internal DNS engine.
> >>
> >> And third, it is then just a matter of configuring Bind properly; you
> >> can check our wiki at the following address (yeah, it's in French,
> >> but it shouldn't be too much of a hassle for your favorite
> >> translation tool):
> >>
> >> https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9
> >>
> >> Actually we had exactly the same question from a client a few months
> >> ago...
> >>
> >> Cheers, and happy new year 2018!
> >>
> >> Denis
> >>
> >>>
> >>
> >>
> > Denis,
> >
> >     I've attempted to set up the logging per your link. I ran into a
> > couple of issues.
> >
> >   * Using your template for log.conf, Bind refuses to start because of
> >     the following lines.
> >       o 'local syslog2;' Bind complains it doesn't know how to
> >         interpret local
> >           + I'm assuming this line tells the logging system where to
> >             find syslog? I replaced it with 'file "var/log/syslog";'
> >   * Bind also didn't know how to interpret 'blade-servers {null;  };'
> >       o Seeing as I'm not using one, I commented the line out.
> >
> > After these changes Bind still wouldn't start, but not because of
> > these errors. Now it's a permission issue.
> >
> > set up managed keys zone for view _default, file 'managed-keys.bind'
> > Jan  3 09:25:03 ddc2 named[13127]: command channel listening on 127.0.0.1#953
> > Jan  3 09:25:03 ddc2 named[13127]: command channel listening on ::1#953
> > Jan  3 09:25:03 ddc2 named[13127]: isc_stdio_open '/var/log/syslog' failed: permission denied
> > Jan  3 09:25:03 ddc2 named[13127]: configuring logging: permission denied
> > Jan  3 09:25:03 ddc2 named[13127]: loading configuration: permission denied
> > Jan  3 09:25:03 ddc2 named[13127]: exiting (due to fatal error)
> >
> > Before I go changing permissions, am I correct in the two changes I
> > made previously to get to this point? Thanks.
> >
> >  --
> >
> > James
> >
> Denis,
> 
>      One issue was a typo: I omitted the 2 from the syslog file. Bind
> now starts, but I do get
> 
> rndc: connect failed: 127.0.0.1#953: connection refused
> 
> 
> -- 
> James
> 
> 
> 
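The question that started the thread is which internal host queried a suspicious TLD, since the IDS only ever sees the DC as the source once the DC resolves on the clients' behalf. Per-client BIND query logging is what answers it. The script below is an added example, not code from the thread or from the tranquil.it wiki: it parses BIND "queries" category log lines, flags names under a watchlist of TLDs, and groups them by client IP. The log lines are constructed for this example, the TLD watchlist and the logging stanza shown in the comment are assumptions, and the line format assumes a channel with print-time, print-category and print-severity enabled (the regex also tolerates the `client @0x... ADDR#PORT` form newer BIND 9 releases print).

```python
import re
from collections import defaultdict

# Constructed sample of BIND "queries" category log lines (not taken from the
# thread). They assume a logging stanza roughly like this (an assumption, not
# the wiki's template):
#
#   logging {
#     channel query_log {
#       file "/var/log/named/query.log";
#       severity info;
#       print-time yes; print-category yes; print-severity yes;
#     };
#     category queries { query_log; };
#   };
SAMPLE_LOG = """\
03-Jan-2018 09:25:03.101 queries: info: client 192.168.10.21#51234 (www.example.com): query: www.example.com IN A +E (10.0.0.5)
03-Jan-2018 09:25:03.244 queries: info: client 192.168.10.33#40213 (update.evil-host.top): query: update.evil-host.top IN A + (10.0.0.5)
03-Jan-2018 09:25:04.012 queries: info: client 192.168.10.21#51235 (cdn.example.net): query: cdn.example.net IN AAAA +E (10.0.0.5)
03-Jan-2018 09:25:04.377 queries: info: client 192.168.10.47#33001 (beacon.c2.xyz): query: beacon.c2.xyz IN TXT + (10.0.0.5)
03-Jan-2018 09:25:05.590 queries: info: client @0x7f2c1c0a4b10 192.168.10.33#40214 (mail.evil-host.top): query: mail.evil-host.top IN MX + (10.0.0.5)
03-Jan-2018 09:25:06.001 queries: info: client 192.168.10.50#20011 (dc1.ad.example.local): query: dc1.ad.example.local IN A + (10.0.0.5)
"""

# "client [@0xPTR ]ADDR#PORT (QNAME): query: NAME IN TYPE ..." -- the optional
# @0x... token is the client-object pointer that newer BIND 9 versions print.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Watchlist of TLDs to alert on (an assumption for the example; use whatever
# your IDS/IPS flags).
SUSPICIOUS_TLDS = {"top", "xyz"}


def tld_of(name):
    """Return the last label of a DNS name, ignoring a trailing dot and case."""
    name = name.rstrip(".").lower()
    return name.rsplit(".", 1)[-1]


def parse_query_log(text):
    """Parse BIND query log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        records.append({
            "client": m.group("ip"),
            "port": int(m.group("port")),
            "name": m.group("name"),
            "qtype": m.group("qtype"),
            "tld": tld_of(m.group("name")),
        })
    return records


def find_suspicious(text, tlds=SUSPICIOUS_TLDS):
    """Map each client IP to the names it queried under a watchlisted TLD."""
    hits = defaultdict(list)
    for rec in parse_query_log(text):
        if rec["tld"] in tlds:
            hits[rec["client"]].append(rec["name"])
    return dict(hits)


if __name__ == "__main__":
    for client, names in sorted(find_suspicious(SAMPLE_LOG).items()):
        print(f"{client}: {', '.join(names)}")
```

Feed it the real query log instead of the sample (for example `find_suspicious(open("/var/log/named/query.log").read())`): the client address in each record is the workstation that asked the DC, which is exactly the source the IDS cannot see once the DC forwards the query upstream.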



