Re: [Samba] DNS logging for TLD queries?

On 1/3/2018 10:05 AM, L.P.H. van Belle wrote:
The last error you get is because bind was not stopped; there is still something running.
ps -faux | egrep "rndc|bind|named"

Kill it and run the stop command again ( systemctl stop bind9 ).
Then start it again; it should work.


Gr,

Louis


-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
lingpanda101 via samba
Sent: Wednesday, 3 January 2018 16:00
To: samba@xxxxxxxxxxxxxxx
CC: Denis Cardon
Subject: Re: [Samba] DNS logging for TLD queries?

On 1/3/2018 9:38 AM, lingpanda101 wrote:
On 1/2/2018 2:50 AM, Denis Cardon wrote:
Hi LingPanda101,


     Is it possible to filter DNS queries for specific TLDs using the
internal logging system? My IPS/IDS alerts me when a suspicious TLD is
being queried. However, I'm only able to see the DC as the source.
Thanks.

Ubuntu 14.04 Samba 4.7.3.
First you should really upgrade to 4.7.4 (see recent changelog)

Second, if you are not using Bind DLZ, you should set it up, it works
much better than the internal DNS engine.

And third it is then just a matter of configuring Bind properly, you
can check our wiki at the following address (yeah, it's in French,
but it shouldn't be too much of a hassle for your favorite
translation tool):


https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9
Actually we had exactly the same question from a client a few months
ago...

Cheers, and happy new year 2018!

Denis


Denis,

     I've attempted to set up the logging per your link. I ran into a
couple of issues.

   * Using your template for log.conf, Bind refuses to start because of
     the following lines.
       o 'local syslog2;' Bind complains it doesn't know how to
         interpret local
           + I'm assuming this line tells the logging system where to
             find syslog? I replaced it with 'file "var/log/syslog";'
   * Bind also didn't know how to interpret 'blade-servers {null;  };'
       o Seeing as I'm not using one, I commented the line out.

After these changes Bind still wouldn't start, but not because of
these errors. Now it's a permission issue.

set up managed keys zone for view _default, file 'managed-keys.bind'
Jan  3 09:25:03 ddc2 named[13127]: command channel listening on 127.0.0.1#953
Jan  3 09:25:03 ddc2 named[13127]: command channel listening on ::1#953
Jan  3 09:25:03 ddc2 named[13127]: isc_stdio_open '/var/log/syslog' failed: permission denied
Jan  3 09:25:03 ddc2 named[13127]: configuring logging: permission denied
Jan  3 09:25:03 ddc2 named[13127]: loading configuration: permission denied
Jan  3 09:25:03 ddc2 named[13127]: exiting (due to fatal error)

Before I go changing permissions, am I correct in the two changes I
made previously to get to this point? Thanks.

--

James

Denis,

      One issue was a typo. I omitted the 2 from the syslog file. Bind
now starts, but I do get

rndc: connect failed: 127.0.0.1#953: connection refused


--
James

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Louis,

    You were correct. Thanks.

Logging appears to be working per Denis's instructions. However, the client is identified by its A record. Any way to have it resolve to its NetBIOS or DNS name in the logs?

--
James
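The thread's two practical problems are filtering the query log for specific TLDs and attributing each query to the querying machine rather than to the DC that the IDS sees. The following script is an added example written for this page; it is not code from the Samba list, from Louis or Denis, or from the tranquil.it wiki. It assumes BIND 9 query-log lines as produced by `category queries` with `print-time yes` (the `@0x...` client handle is optional, since older 9.9 builds omit it), and it uses a constructed `PTR_MAP` in place of real reverse lookups; the sample log lines and host names are constructed too.

```python
"""Filter a BIND 9 query log for watched TLDs and name the querying client.

Added example for this thread; it is not code from the Samba list, from
Louis or Denis, or from the tranquil.it wiki page linked above.
"""
import re
from collections import Counter

# Constructed sample of BIND 9 "category queries" log lines (print-time on).
# The "@0x..." client handle is optional: BIND 9.9 as shipped with Ubuntu
# 14.04 omits it, newer releases print it.
SAMPLE_LOG = """\
03-Jan-2018 09:25:03.101 client 192.0.2.23#51234 (updates.example.com): query: updates.example.com IN A + (192.0.2.5)
03-Jan-2018 09:25:04.220 client @0x7f3c4c0a1230 192.0.2.41#40022 (cdn.example.top): query: cdn.example.top IN A +E (192.0.2.5)
03-Jan-2018 09:25:05.007 client 192.0.2.23#51240 (tracker.example.xyz.): query: tracker.example.xyz. IN AAAA + (192.0.2.5)
03-Jan-2018 09:25:06.330 client 192.0.2.77#53000 (mail.example.net): query: mail.example.net IN MX + (192.0.2.5)
03-Jan-2018 09:25:07.451 client 192.0.2.41#40031 (example.TOP): query: example.TOP IN A + (192.0.2.5)
"""

# Constructed stand-in for reverse lookups against the AD DNS zone
# (assumption: in production replace this with socket.gethostbyaddr or a
# dump of the reverse zone). Unknown addresses fall back to the raw IP.
PTR_MAP = {
    "192.0.2.23": "ws-finance-07.ad.example.com",
    "192.0.2.41": "lt-sales-12.ad.example.com",
}

QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return the fields of one query-log line, or None if it is not a query."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalise the name: drop a trailing dot, lower-case, last label is the TLD.
    rec["name"] = rec["name"].rstrip(".").lower()
    rec["tld"] = rec["name"].rsplit(".", 1)[-1]
    return rec


def client_name(ip, ptr_map=PTR_MAP):
    """Map a client address to a host name; fall back to the address itself."""
    return ptr_map.get(ip, ip)


def flag_tld_queries(log_text, watched_tlds, ptr_map=PTR_MAP):
    """Return the queries whose TLD is in watched_tlds, with the client named."""
    watched = {t.lower().lstrip(".") for t in watched_tlds}
    hits = []
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None or rec["tld"] not in watched:
            continue
        hits.append({
            "time": rec["ts"],
            "client": client_name(rec["ip"], ptr_map),
            "ip": rec["ip"],
            "query": rec["name"],
            "qtype": rec["qtype"],
            "tld": rec["tld"],
        })
    return hits


def hits_per_client(hits):
    """Count flagged queries per client: the view an IDS alert on the DC cannot give."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    flagged = flag_tld_queries(SAMPLE_LOG, {"top", "xyz"})
    for h in flagged:
        print(f'{h["time"]} {h["client"]} ({h["ip"]}) -> {h["query"]} {h["qtype"]}')
    for client, n in hits_per_client(flagged).most_common():
        print(f"{client}: {n} query/queries to watched TLDs")
```

The query log records the original client address before the DC forwards the lookup, which is why it can attribute a query that the IDS sees only as coming from the DC. The regex anchors on the `client ... query:` shape, so the `named` startup and `rndc` messages quoted earlier in the thread are skipped rather than misparsed, and the TLD comparison is case-insensitive and ignores a trailing dot.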

