
Re: [Samba] DNS logging for TLD queries?

On 1/2/2018 2:50 AM, Denis Cardon wrote:
Hi LingPanda101,


    Is it possible to filter DNS queries for specific TLDs using the
internal logging system? My IPS/IDS alerts me when a suspicious TLD is
being queried. However, I'm only able to see the DC as the source. Thanks.

Ubuntu 14.04 Samba 4.7.3.

First you should really upgrade to 4.7.4 (see recent changelog)

Second, if you are not using Bind DLZ, you should set it up, it works much better than the internal DNS engine.

And third it is then just a matter of configuring Bind properly, you can check our wiki at the following address (yeah, it's in French, but it shouldn't be too much of a hassle for your favorite translation tool):

https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9

Actually we had exactly the same question from a client a few months ago...

Cheers, and happy new year 2018!

Denis

Denis,

    I've attempted to set up the logging per your link. I ran into a couple of issues.

 * Using your template for log.conf, Bind refuses to start because of
   the following lines.
     o 'local syslog2;' Bind complains it doesn't know how to interpret
       'local'.
         + I'm assuming this line tells the logging system where to
           find syslog? I replaced it with 'file "var/log/syslog";'
 * Bind also didn't know how to interpret 'blade-servers {null; };'
     o Seeing as I'm not using one, I commented the line out.

After these changes Bind still wouldn't start, but not because of these errors. Now it's a permission issue.

set up managed keys zone for view _default, file 'managed-keys.bind'
Jan  3 09:25:03 ddc2 named[13127]: command channel listening on 127.0.0.1#953
Jan  3 09:25:03 ddc2 named[13127]: command channel listening on ::1#953
Jan  3 09:25:03 ddc2 named[13127]: isc_stdio_open '/var/log/syslog' failed: permission denied
Jan  3 09:25:03 ddc2 named[13127]: configuring logging: permission denied
Jan  3 09:25:03 ddc2 named[13127]: loading configuration: permission denied
Jan  3 09:25:03 ddc2 named[13127]: exiting (due to fatal error)

Before I go changing permissions, am I correct in the two changes I made previously to get to this point? Thanks.

--

James
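Added example for the two problems in the thread, not code from the thread or from the tranquil.it wiki. Two facts it relies on: in a named.conf logging channel the syslog destination is written as the keyword "syslog" followed by a facility (e.g. "syslog local2;"), and a file destination as 'file "path";' which named opens itself; and on Ubuntu the bind9 package runs named as user "bind", so a file like /var/log/syslog (typically owned by the syslog daemon) produces exactly the "isc_stdio_open ... permission denied" seen above. The fix is a log file in a directory owned by the named user, not loosening /var/log/syslog. The second half answers the original question: once query logging reaches a file, a small awk filter pulls the real client address, the queried name and its TLD out of each line and matches the TLD against a watch-list, so the IDS alert on "the DC" can be traced back to the workstation that asked. The log lines, names, addresses and the two watch-listed TLDs are constructed placeholders, and the directory path and the "install -d" step are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the tranquil.it wiki.
# Part 1: a named.conf "logging" fragment that writes query logs where the
#         named user (user "bind" on Ubuntu) can open them, instead of
#         /var/log/syslog, which named cannot open (permission denied above).
# Part 2: a filter over BIND query-log lines that reports client address,
#         query name and TLD for every query whose TLD is on a watch-list.

# Assumption: the log directory is created for the named user by root once, e.g.
#   install -d -o bind -g bind -m 0750 /var/log/named
# (left commented out: it needs root and a real BIND installation).

# Emit the logging fragment to paste into named.conf (or a file included from it).
named_logging_conf() {
cat <<'EOF'
logging {
    // File channel: named opens this path itself, so the directory must be
    // writable by the user named runs as.
    channel query_log {
        file "/var/log/named/query.log" versions 3 size 20m;
        severity info;
        print-time yes;
        print-category yes;
    };
    // Syslog channel: the keyword is "syslog" followed by a facility name.
    channel query_syslog {
        syslog local2;
        severity info;
    };
    category queries { query_log; query_syslog; };
};
EOF
}

# Constructed sample query-log lines (names, addresses and TLDs are placeholders).
# Line 2 uses the BIND 9.11+ client format, which inserts a "@0x..." pointer
# before the address; the others use the older format.
sample_query_log() {
cat <<'EOF'
03-Jan-2018 09:25:10.101 queries: info: client 10.0.0.5#51234 (www.example.com): query: www.example.com IN A + (10.0.0.1)
03-Jan-2018 09:25:11.202 queries: info: client @0x7f3c2c0a1d10 10.0.0.7#40312 (update.sample-host.top): query: update.sample-host.top IN A +E(0) (10.0.0.1)
03-Jan-2018 09:25:12.303 queries: info: client 10.0.0.9#53001 (mail.example.org): query: mail.example.org IN MX + (10.0.0.1)
03-Jan-2018 09:25:13.404 queries: info: client 10.0.0.5#51240 (beacon.sample-host.tk): query: beacon.sample-host.tk IN TXT + (10.0.0.1)
EOF
}

# Read query-log lines on stdin; print "client<TAB>qname<TAB>tld" for each
# query whose TLD is in $1 (space-separated, no leading dot, e.g. "top tk").
flag_tld_queries() {
    awk -v watch="$1" '
        BEGIN {
            n = split(watch, w, " ")
            for (i = 1; i <= n; i++) want[tolower(w[i])] = 1
        }
        /query: / {
            c = ""; q = ""
            # address follows "client"; skip the "@0x..." pointer of newer BIND
            for (i = 1; i <= NF; i++)
                if ($i == "client") { c = $(i + 1); if (c ~ /^@/) c = $(i + 2); break }
            sub(/#[0-9]+$/, "", c)               # drop the source port
            for (i = 1; i <= NF; i++)
                if ($i == "query:") { q = $(i + 1); break }
            sub(/\.$/, "", q)                    # tolerate a trailing dot
            nl = split(q, labels, ".")
            tld = tolower(labels[nl])
            if (tld in want) printf "%s\t%s\t%s\n", c, q, tld
        }'
}

# Stand-alone run: show the config, then flag queries for the two example TLDs.
named_logging_conf
sample_query_log | flag_tld_queries "top tk"
```

On a live server the second half is run against the real file, e.g. "flag_tld_queries 'top tk' < /var/log/named/query.log", or fed from "tail -F" for a continuous feed into the IDS. The file channel is what makes the client address recoverable; with only the DC's forwarder in front of the IDS, every query looks like it came from the DC.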
