Web lists-archives.com

Re: [Samba] DNS logging for TLD queries?




A quick google did not tell me that thats possible. 
So no clear answere from me here, but... 

Have a look here. 
http://www.zytrax.com/books/dns/ch7/logging.html 

Check the category category_name's 
What i normaly do in such cases. 
Create /var/log/bind folder, set the correct rights on it. 
Create all categories you see and log everyone to a file. ! Separated files, imo better. 
If one logs the hostname, you wil find it. 

Best i can quickly think off.. 


Greetz, 

Louis







> -----Oorspronkelijk bericht-----
> Van: lingpanda101 [mailto:lingpanda101@xxxxxxxxx] 
> Verzonden: woensdag 3 januari 2018 16:12
> Aan: samba@xxxxxxxxxxxxxxx
> CC: L.P.H. van Belle
> Onderwerp: Re: [Samba] DNS logging for TLD queries?
> 
> On 1/3/2018 10:05 AM, L.P.H. van Belle wrote:
> > The last error you get is because bind was not stopped, 
> there is still something running.
> > ps -faux | egrep "rndc|bind|named"
> >
> > Kill it and run the stopcommand again ( systemctl stop bind9 )
> > The start it again, should work.
> >
> >
> > Gr,
> >
> > Louis
> >
> >
> >> -----Oorspronkelijk bericht-----
> >> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens
> >> lingpanda101 via samba
> >> Verzonden: woensdag 3 januari 2018 16:00
> >> Aan: samba@xxxxxxxxxxxxxxx
> >> CC: Denis Cardon
> >> Onderwerp: Re: [Samba] DNS logging for TLD queries?
> >>
> >> On 1/3/2018 9:38 AM, lingpanda101 wrote:
> >>> On 1/2/2018 2:50 AM, Denis Cardon wrote:
> >>>> Hi LingPanda101,
> >>>>
> >>>>
> >>>>>      Is it possible to filter DNS queries for specific
> >> TLD's using the
> >>>>> internal logging system? My IPS/IDS alerts me when a
> >> suspicious TLD is
> >>>>> being queried. However I'm only able to see the DC as the
> >> source.
> >>>>> Thanks.
> >>>>>
> >>>>> Ubuntu 14.04 Samba 4.7.3.
> >>>> First you should really upgrade to 4.7.4 (see recent changelog)
> >>>>
> >>>> Second, if you are not using Bind DLZ, you should set it
> >> up, it works
> >>>> much better than the internal DNS engine.
> >>>>
> >>>> And third it is then just a matter of configuring Bind
> >> properly, you
> >>>> can check our wiki at the following address (yeah, it's 
> in French,
> >>>> but it shouldn't be too much of a hassle for your favorite
> >>>> translation tool):
> >>>>
> >>>>
> >> 
> https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9
> >>>> Actually we had exactly the same question from a client a
> >> few month
> >>>> ago...
> >>>>
> >>>> Cheers, and happy new year 2018!
> >>>>
> >>>> Denis
> >>>>
> >>>>
> >>> Denis,
> >>>
> >>>      I've attempted to setup the logging per your link. I 
> ran into a
> >>> couple issues.
> >>>
> >>>    * Using your template for log.conf. Bind refuses to start
> >> because of
> >>>      the following lines.
> >>>        o 'local syslog2;' Bind complains it doesn't know how to
> >>>          interpret local
> >>>            + I'm assuming this line tells the logging 
> system where to
> >>>              find syslog? I replaced with 'file "var/log/syslog";'
> >>>    * Bind also didn't know how to interpret 'blade-servers
> >> {null;  };'
> >>>        o Seeing as I'm not using one. I commented the line out.
> >>>
> >>> After these changes Bind still wouldn't start, but not because of
> >>> these errors. Now its a permission issue.
> >>>
> >>> set up managed keys zone for view _default, file 
> 'managed-keys.bind'
> >>> Jan  3 09:25:03 ddc2 named[13127]: command channel listening on
> >>> 127.0.0.1#953
> >>> Jan  3 09:25:03 ddc2 named[13127]: command channel
> >> listening on ::1#953
> >>> Jan  3 09:25:03 ddc2 named[13127]: isc_stdio_open 
> '/var/log/syslog'
> >>> failed: permission denied
> >>> Jan  3 09:25:03 ddc2 named[13127]: configuring logging:
> >> permission denied
> >>> Jan  3 09:25:03 ddc2 named[13127]: loading configuration:
> >> permission
> >>> denied
> >>> Jan  3 09:25:03 ddc2 named[13127]: exiting (due to fatal error)
> >>>
> >>> Before I go changing permissions. Am I correct in the two 
> changes I
> >>> made previously to get to this point? Thanks.
> >>>
> >>>   --
> >>>
> >>> James
> >>>
> >> Denis,
> >>
> >>       One issue was a typo. I omitted the 2 from the 
> syslog file. Bind
> >> now starts but I do get
> >>
> >> rndc: connect failed: 127.0.0.1#953: connection refused
> >>
> >>
> >> -- 
> >> --
> >> James
> >>
> >> -- 
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >>
> Louis,
> 
>      You were correct. Thanks.
> 
> Logging appears to be working per Denis instructions. However 
> the client 
> is identified by it's A record. Any way to have it resolve to it's 
> Netbios or DNS name in the logs?
> 
> -- 
> --
> James
> 
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba