Anybody know where I can find references on how to read the NAMED logs?
I'm trying to figure out what the field after "client" is. I have my home router pointing to an internal DNS server to blackhole stuff. I'm wondering if there's a way to figure out what is asking for the domain name. .242 is a FreeIPA server that's using the DNS server as a forwarder.
Example:
Feb 14 08:09:20 dns00.neverland.ddns.me named[2071]: client @0x7fb6849b6f50 10.0.0.242#38132 (www.googleapis.com): query: www.googleapis.com IN A +E(0)DC (10.0.0.250)
Interpreting NAMED log
My noob level: LPIC-2, Sec+ CE, Linux+
https://boydhanaleiako.me
Re: Interpreting NAMED log
There's a bit about the logging statement in the /etc/named.conf documentation, and a list of logging categories (this is the raw .rst document). HTH.
The query log entry first reports a client object identifier in @0x<hexadecimal-number> format. Next, it reports the client's IP address and port number, and the query name, class and type. Next, it reports whether the Recursion Desired flag was set (+ if set, - if not set), whether the query was signed (S), whether EDNS was in use along with the EDNS version number (E(#)), whether TCP was used (T), whether DO (DNSSEC Ok) was set (D), whether CD (Checking Disabled) was set (C), whether a valid DNS Server COOKIE was received (V), and whether a DNS COOKIE option without a valid Server COOKIE was present (K). After this the destination address the query was sent to is reported. Finally, if any CLIENT-SUBNET option was present in the client query, it is included in square brackets in the format [ECS address/source/scope].

(The first part of this log message, showing the client address/port number and query name, is repeated in all subsequent log messages related to the same query.)

Code:
client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE
client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE
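As an added example (my own code, not from the post above or from the BIND project), here is a small Python parser for the query-log format the quoted documentation describes. It handles both shapes shown on this page: the older form without a client object identifier (the two documentation lines) and the newer form with @0x<objid>, the E(<version>) EDNS flag, the destination address in parentheses, and an optional [ECS ...] suffix. The syslog prefix (timestamp, host, named[pid]) is skipped, since the documented fields start at "client". The sample lines are the one from the original post, the two from the documentation, and two constructed lines (RFC 5737 addresses) added to exercise TCP, ECS and a non-query line; the constructed lines are not real log output. Reading the documented field order against the poster's line: the address#port after the object identifier is the source of the query as named received it (10.0.0.242, the forwarding FreeIPA server), and the address in parentheses at the end is the address the query was sent to (10.0.0.250). Nothing else in the documented format identifies a client behind a forwarder unless that forwarder adds a CLIENT-SUBNET option.

```python
"""Parse BIND 9 'queries' category log lines (added example; field order is
taken from the BIND ARM text quoted above):

  client [@0x<objid>] <ip>#<port> (<qname>): query: <qname> <class> <type>
         <flags> [(<destination>)] [[ECS <address>/<source>/<scope>]]
"""
import re
from collections import Counter

QUERY_RE = re.compile(
    r"client\s+"
    r"(?:(?P<objid>@0x[0-9a-fA-F]+)\s+)?"        # client object id (absent in older BIND)
    r"(?P<src_ip>[^\s#]+)#(?P<src_port>\d+)\s+"   # address#port the query came from
    r"\([^)]*\):\s+query:\s+"                    # repeated qname, ignored
    r"(?P<qname>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)\s+"
    r"(?P<flags>[+-]\S*)"                        # +/- (RD) followed by flag letters, e.g. +E(0)DC
    r"(?:\s+\((?P<dst>[^)]+)\))?"                # address the query was sent to
    r"(?:\s+\[ECS\s+(?P<ecs>[^\]]+)\])?"         # EDNS Client Subnet option, if present
)

# Single-letter flags from the documentation, except E which may carry a version.
FLAG_NAMES = {
    "S": "signed",
    "T": "tcp",
    "D": "dnssec_ok",
    "C": "checking_disabled",
    "V": "valid_server_cookie",
    "K": "cookie_without_valid_server_cookie",
}


def parse_flags(flags):
    """Expand a flags field such as '+E(0)DC' or '-SE' into named booleans."""
    if not flags or flags[0] not in "+-":
        raise ValueError(f"bad flags field: {flags!r}")
    out = {"recursion_desired": flags[0] == "+", "edns": False, "edns_version": None}
    out.update({name: False for name in FLAG_NAMES.values()})
    i = 1
    while i < len(flags):
        ch = flags[i]
        if ch == "E":
            out["edns"] = True
            m = re.match(r"\((\d+)\)", flags[i + 1:])   # newer BIND prints E(<version>)
            if m:
                out["edns_version"] = int(m.group(1))
                i += len(m.group(0))
        elif ch in FLAG_NAMES:
            out[FLAG_NAMES[ch]] = True
        else:
            raise ValueError(f"unknown query flag {ch!r} in {flags!r}")
        i += 1
    return out


def parse_query_log(line):
    """Return a dict for a query-log line, or None for lines of other categories."""
    m = QUERY_RE.search(line)                    # search: skips any syslog prefix
    if not m:
        return None
    rec = {
        "client_objid": m.group("objid"),
        "src_ip": m.group("src_ip"),
        "src_port": int(m.group("src_port")),
        "qname": m.group("qname"),
        "qclass": m.group("qclass"),
        "qtype": m.group("qtype"),
        "dst": m.group("dst"),
        "ecs": None,
    }
    rec.update(parse_flags(m.group("flags")))
    if m.group("ecs"):
        address, source, scope = m.group("ecs").rsplit("/", 2)   # works for IPv6 too
        rec["ecs"] = {"address": address, "source": int(source), "scope": int(scope)}
    return rec


def who_asked(lines, qname):
    """Count, per source address, how often each client asked for qname."""
    wanted = qname.rstrip(".").lower()
    counts = Counter()
    for line in lines:
        rec = parse_query_log(line)
        if rec and rec["qname"].rstrip(".").lower() == wanted:
            counts[rec["src_ip"]] += 1
    return counts


SAMPLE_LINES = [
    # from the original post (newer format: object id and destination address)
    "Feb 14 08:09:20 dns00.neverland.ddns.me named[2071]: client @0x7fb6849b6f50 "
    "10.0.0.242#38132 (www.googleapis.com): query: www.googleapis.com IN A +E(0)DC (10.0.0.250)",
    # the two lines from the quoted documentation (older format, no object id)
    "client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE",
    "client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE",
    # constructed: TCP query carrying an EDNS Client Subnet option (documentation addresses)
    "Feb 14 08:09:21 dns00.neverland.ddns.me named[2071]: client @0x7fb6849b7a10 "
    "192.0.2.7#53211 (www.googleapis.com): query: www.googleapis.com IN AAAA +TE(0)D "
    "(10.0.0.250) [ECS 198.51.100.0/24/0]",
    # constructed: a line from another logging category, which the parser must ignore
    "Feb 14 08:09:22 dns00.neverland.ddns.me named[2071]: resolver priming query complete",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_query_log(line)
        if rec:
            print(f"{rec['src_ip']:>12} -> {rec['dst'] or '?':<11} {rec['qname']} "
                  f"{rec['qtype']} rd={rec['recursion_desired']} ecs={rec['ecs']}")
    print(dict(who_asked(SAMPLE_LINES, "www.googleapis.com")))
```

Feeding the file straight from a live server is a matter of replacing SAMPLE_LINES with the output of grep 'query:' on the query log; who_asked() is the answer to "who is asking for this name", with the caveat that behind a forwarder the answer is the forwarder's address.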