[Samba] DNS logging for TLD queries?

lingpanda101 lingpanda101 at gmail.com
Wed Jan 3 15:11:36 UTC 2018


On 1/3/2018 10:05 AM, L.P.H. van Belle wrote:
> The last error you get is because bind was not stopped, there is still something running.
> ps -faux | egrep "rndc|bind|named"
>
> Kill it and run the stop command again ( systemctl stop bind9 )
> Then start it again, should work.
>
>
> Gr,
>
> Louis
>
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>> lingpanda101 via samba
>> Verzonden: woensdag 3 januari 2018 16:00
>> Aan: samba at lists.samba.org
>> CC: Denis Cardon
>> Onderwerp: Re: [Samba] DNS logging for TLD queries?
>>
>> On 1/3/2018 9:38 AM, lingpanda101 wrote:
>>> On 1/2/2018 2:50 AM, Denis Cardon wrote:
>>>> Hi LingPanda101,
>>>>
>>>>
>>>>>      Is it possible to filter DNS queries for specific TLDs using the
>>>>> internal logging system? My IPS/IDS alerts me when a suspicious TLD is
>>>>> being queried. However I'm only able to see the DC as the source.
>>>>> Thanks.
>>>>>
>>>>> Ubuntu 14.04 Samba 4.7.3.
>>>> First you should really upgrade to 4.7.4 (see recent changelog)
>>>>
>>>> Second, if you are not using Bind DLZ, you should set it up, it works
>>>> much better than the internal DNS engine.
>>>>
>>>> And third it is then just a matter of configuring Bind properly, you
>>>> can check our wiki at the following address (yeah, it's in French,
>>>> but it shouldn't be too much of a hassle for your favorite
>>>> translation tool):
>>>>
>>>>
>>>> https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9
>>>>
>>>> Actually we had exactly the same question from a client a few months
>>>> ago...
>>>>
>>>> Cheers, and happy new year 2018!
>>>>
>>>> Denis
>>>>
>>>>
>>> Denis,
>>>
>>>      I've attempted to set up the logging per your link. I ran into a
>>> couple of issues.
>>>
>>>    * Using your template for log.conf, Bind refuses to start because of
>>>      the following lines.
>>>        o 'local syslog2;' Bind complains it doesn't know how to
>>>          interpret local
>>>            + I'm assuming this line tells the logging system where to
>>>              find syslog? I replaced with 'file "var/log/syslog";'
>>>    * Bind also didn't know how to interpret 'blade-servers {null;  };'
>>>        o Seeing as I'm not using one, I commented the line out.
>>>
>>> After these changes Bind still wouldn't start, but not because of
>>> these errors. Now it's a permission issue.
>>>
>>> set up managed keys zone for view _default, file 'managed-keys.bind'
>>> Jan  3 09:25:03 ddc2 named[13127]: command channel listening on 127.0.0.1#953
>>> Jan  3 09:25:03 ddc2 named[13127]: command channel listening on ::1#953
>>> Jan  3 09:25:03 ddc2 named[13127]: isc_stdio_open '/var/log/syslog' failed: permission denied
>>> Jan  3 09:25:03 ddc2 named[13127]: configuring logging: permission denied
>>> Jan  3 09:25:03 ddc2 named[13127]: loading configuration: permission denied
>>> Jan  3 09:25:03 ddc2 named[13127]: exiting (due to fatal error)
>>>
>>> Before I go changing permissions, am I correct in the two changes I
>>> made previously to get to this point? Thanks.
>>>
>>>   --
>>>
>>> James
>>>
>> Denis,
>>
>>       One issue was a typo. I omitted the 2 from the syslog file. Bind
>> now starts but I do get
>>
>> rndc: connect failed: 127.0.0.1#953: connection refused
>>
>>
>> -- 
>> --
>> James
>>
Louis,

     You were correct. Thanks.

Logging appears to be working per Denis' instructions. However, the client 
is identified by its A record. Any way to have it resolve to its 
NetBIOS or DNS name in the logs?

-- 
--
James
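As an added example, not part of this thread or of the Tranquil IT wiki: a small Python parser for BIND 9 query-log lines that does the two things asked for here on the defender's side, flagging queries whose TLD is on a watch list and replacing the client IP with a hostname via a reverse lookup. The log lines, the watch list and the PTR table are all constructed assumptions; in production the lookup function would be socket.gethostbyaddr or a query against the AD reverse zone.

```python
import re

# Constructed watch list standing in for the TLDs the IDS alerts on.
SUSPICIOUS_TLDS = {"top", "xyz", "zip"}

# Assumed BIND 9 query-log shape: "client <ip>#<port> (<qname>): query: <name> IN <type> ...".
# Newer BIND versions insert a "@0x..." client pointer after "client"; this regex
# uses search(), so it tolerates extra leading fields but not that pointer.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Constructed PTR table used in place of a live reverse lookup.
PTR_TABLE = {
    "192.168.1.50": "ws-finance01.ad.example.local",
    "192.168.1.51": "ws-hr02.ad.example.local",
}


def tld_of(name):
    """Return the last label of a DNS name, ignoring a trailing dot."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def resolve_client(ip, lookup=PTR_TABLE.get):
    """Map a client IP to a hostname; fall back to the IP when no PTR exists."""
    return lookup(ip) or ip


def flag_queries(lines, watch=SUSPICIOUS_TLDS, lookup=PTR_TABLE.get):
    """Yield one record per query whose TLD is on the watch list, with the client named."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query-log line (e.g. rndc / startup messages)
        if tld_of(m["name"]) in watch:
            hits.append({"client": resolve_client(m["ip"], lookup), "ip": m["ip"],
                         "name": m["name"], "qtype": m["qtype"]})
    return hits


# Constructed sample log: two benign/non-query lines and two watch-list hits.
SAMPLE_LOG = [
    "03-Jan-2018 09:30:11.512 client 192.168.1.50#51234 (updates.example.com): query: updates.example.com IN A +E(0) (192.168.1.10)",
    "03-Jan-2018 09:30:12.004 client 192.168.1.51#40021 (cdn-track.bad-host.top): query: cdn-track.bad-host.top IN A + (192.168.1.10)",
    "03-Jan-2018 09:30:13.770 client 10.0.0.9#53100 (mail.somewhere.xyz): query: mail.somewhere.xyz IN MX + (192.168.1.10)",
    "03-Jan-2018 09:30:14.001 named[13127]: command channel listening on 127.0.0.1#953",
]

if __name__ == "__main__":
    for hit in flag_queries(SAMPLE_LOG):
        print(f"{hit['client']} ({hit['ip']}) asked {hit['qtype']} for {hit['name']}")
```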