Interpreting NAMED log

Boyd.ako
Posts: 46
Joined: 2016/06/22 08:49:07
Location: Honolulu, HI

Post by Boyd.ako » 2020/02/15 04:13:43

Anybody know where I can find references on how to read the NAMED logs?

I'm trying to figure out what the field after "client" is. I have my home router pointing to an internal DNS server to blackhole stuff. I'm wondering if there's a way to figure out what is asking for the domain name. .242 is a FreeIPA server that's using the DNS server as a forwarder.

Example:
Feb 14 08:09:20 dns00.neverland.ddns.me named[2071]: client @0x7fb6849b6f50 10.0.0.242#38132 (www.googleapis.com): query: www.googleapis.com IN A +E(0)DC (10.0.0.250)
My noob level: LPIC-2, Sec+ CE, Linux+
https://boydhanaleiako.me

sml
Posts: 305
Joined: 2020/01/17 09:01:44

Re: Interpreting NAMED log

Post by sml » 2020/02/15 12:06:04

There's a bit about the logging statement in the /etc/named.conf documentation, and a list of logging categories (this is the raw .rst document). HTH.
The query log entry first reports a client object identifier in @0x<hexadecimal-number> format. Next, it reports the client’s IP address and port number, and the query name, class and type. Next, it reports whether the Recursion Desired flag was set (+ if set, - if not set), whether the query was signed (S), whether EDNS was in use along with the EDNS version number (E(#)), whether TCP was used (T), whether DO (DNSSEC Ok) was set (D), whether CD (Checking Disabled) was set (C), whether a valid DNS Server COOKIE was received (V), and whether a DNS COOKIE option without a valid Server COOKIE was present (K). After this the destination address the query was sent to is reported. Finally, if any CLIENT-SUBNET option was present in the client query, it is included in square brackets in the format [ECS address/source/scope].

client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE

client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE
(The first part of this log message, showing the client address/port number and query name, is repeated in all subsequent log messages related to the same query.)
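As an added illustration (not from either post, and not code from BIND itself), the following Python splits a query-log line into the fields the quoted documentation lists: client address and port, query name, class and type, the flag string, the destination address, and any ECS option. The three sample lines are the ones quoted in this thread; the dataclass field names and the `queries_by_client` summary are my own choices. One thing the parser makes obvious for the original question: the client address is the address the query arrived from, so when a forwarder such as the FreeIPA server sits in between, the log names the forwarder, not whatever asked the forwarder.

```python
"""Parse BIND 9 query-log lines into the fields the BIND documentation describes.

Added example for this thread; not part of BIND or of either forum post.
Sample input: the three log lines quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Field order as documented:
#   client [@0x<id>] <addr>#<port> (<name>): query: <qname> <class> <type> <flags> [(<dest>)] [[ECS a/s/s]]
QUERY_RE = re.compile(
    r"client\s+"
    r"(?:@0x[0-9a-fA-F]+\s+)?"            # client object id, present only in newer BIND versions
    r"(?P<addr>\S+?)#(?P<port>\d+)\s+"    # addresses contain no '#', so stop at the first one (IPv6 works)
    r"\([^)]*\):\s+query:\s+"             # query name repeated in parentheses
    r"(?P<qname>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)\s+"
    r"(?P<flags>[+-]\S*)"                 # e.g. +E(0)DC or -SE
    r"(?:\s+\((?P<dest>[^)]*)\))?"        # destination address the query was sent to
    r"(?:\s+\[ECS\s+(?P<ecs>[^\]]*)\])?"  # optional CLIENT-SUBNET option
)
EDNS_RE = re.compile(r"E\((\d+)\)")       # EDNS version, e.g. E(0)


@dataclass
class QueryLogEntry:
    client_addr: str
    client_port: int
    qname: str
    qclass: str
    qtype: str
    recursion_desired: bool                   # leading + or -
    signed: bool                              # S
    edns: bool                                # E or E(#)
    edns_version: Optional[int]               # number inside E(#), if present
    tcp: bool                                 # T
    dnssec_ok: bool                           # D
    checking_disabled: bool                   # C
    valid_server_cookie: bool                 # V
    cookie_without_valid_server_cookie: bool  # K
    destination: Optional[str]
    ecs: Optional[str]


def _parse_flags(flags: str):
    """Split '+E(0)DC' into (recursion desired, remaining letters, EDNS version)."""
    rd = flags[0] == "+"
    rest = flags[1:]
    m = EDNS_RE.search(rest)
    edns_version = int(m.group(1)) if m else None
    letters = set(EDNS_RE.sub("", rest))   # single-letter flags left after removing E(#)
    return rd, letters, edns_version


def parse_query_log_line(line: str) -> Optional[QueryLogEntry]:
    """Return the parsed entry, or None if the line is not a query-log line."""
    m = QUERY_RE.search(line)              # search(): tolerates a syslog prefix before 'client'
    if not m:
        return None
    rd, letters, edns_version = _parse_flags(m.group("flags"))
    return QueryLogEntry(
        client_addr=m.group("addr"),
        client_port=int(m.group("port")),
        qname=m.group("qname"),
        qclass=m.group("qclass"),
        qtype=m.group("qtype"),
        recursion_desired=rd,
        signed="S" in letters,
        edns=edns_version is not None or "E" in letters,
        edns_version=edns_version,
        tcp="T" in letters,
        dnssec_ok="D" in letters,
        checking_disabled="C" in letters,
        valid_server_cookie="V" in letters,
        cookie_without_valid_server_cookie="K" in letters,
        destination=m.group("dest"),
        ecs=m.group("ecs"),
    )


def queries_by_client(lines) -> Dict[str, List[str]]:
    """Map each client address to the names it asked for (a forwarder shows up as the client)."""
    out: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_query_log_line(line)
        if entry is not None:
            out.setdefault(entry.client_addr, []).append(entry.qname)
    return out


# The three lines quoted in this thread.
SAMPLE_LINES = [
    "Feb 14 08:09:20 dns00.neverland.ddns.me named[2071]: client @0x7fb6849b6f50 "
    "10.0.0.242#38132 (www.googleapis.com): query: www.googleapis.com IN A +E(0)DC (10.0.0.250)",
    "client 127.0.0.1#62536 (www.example.com): query: www.example.com IN AAAA +SE",
    "client ::1#62537 (www.example.net): query: www.example.net IN AAAA -SE",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_query_log_line(sample))
    print(queries_by_client(SAMPLE_LINES))
```

Running it against the thread's first line yields client 10.0.0.242 port 38132, query www.googleapis.com IN A, recursion desired, EDNS version 0, DO and CD set, sent to 10.0.0.250. To see which host behind the FreeIPA server made the request, the same parser has to be run on that forwarder's own query log.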
