[lug] logging with bind 8
Brad Doctor
bdoctor at ps-ax.com
Sun Dec 30 13:57:58 MST 2001
Very odd. I always use the native BIND distribution from
ISC: ftp://ftp.isc.org/isc/bind/
I've never used the one that Redhat supplies, so I cannot speak for
that. However, this certainly works on RH 6/7.x, Solaris, *BSD, etc.
I'd try installing 8.2.5 from this site and see if that
helps. Installation is very easy and it will use /usr as the prefix, so
you won't have multiple binaries and configs lying around. It will also
look for /etc/named.conf by default, making this a seamless transition.
You may also want to use the 'allow-recursion' option, so that others will
not be able to use your server as their name server. Not a big deal, but a
good idea. Also helps in preventing a possible DoS:
allow-recursion {
net/bit;
};
Same syntax as the rest -- goes in the options section.
-brad
At 03:14 PM 12/29/2001 -0600, charles at lunarmedia.net wrote:
>I am using the initscript, i.e. /etc/rc3.d/S45named restart, to restart
>named. I can't send my named.conf as is, but here is a slightly edited
>version:
>
>options {
>        // root directory
>        directory "/etc/nameserver";
>
>        // bind named to only one ip address
>        listen-on { 10.1.1.8; };
>
>        // nets allowed to pull zone transfers
>        allow-transfer { 10.2.2.66; };
>
>        // nets allowed for recursive queries
>        allow-query {
>                10.10.64/19;
>                10.20.20/22;
>        };
>};
>
>logging {
>        channel default_log {
>                file "/dev/null";
>                severity info;
>        };
>
>        channel severe_log {
>                file "/var/log/named/named.severe";
>                severity critical;
>        };
>
>        channel error_log {
>                file "/var/log/named/named.error";
>                severity error;
>        };
>
>        channel debug_log {
>                file "/var/log/named/named.debug";
>                severity debug;
>        };
>
>        category default { debug_log; };
>        category config { debug_log; };
>        category parser { debug_log; };
>        category panic { debug_log; };
>        category cname { null; };
>        category lame-servers { null; };
>};
>
>the rest of the file is simply my zone files which are all referenced
>using include statements.
>i am running redhat7.1 using redhat's rpms for bind 8.2.3
>
>thanks! -c
>
>
>
>On Sat, 29 Dec 2001, Brad Doctor wrote:
>
> > And you are doing a hard restart? Send your named.conf file if you don't mind.
> >
> > -brad
> >
> > At 01:01 PM 12/29/2001 -0600, charles at lunarmedia.net wrote:
> >
> > >I am indeed running bind as "named", however even when i touch the files,
> > >and give them a 666 chmod, nothing seems to be logged to the alternate
> > >files...
> > >
> > >-charles
> > >
> > >On Sat, 29 Dec 2001, Brad Doctor wrote:
> > >
> > > > If you are running named *as* named, there may be some issue with file
> > > > ownership. I make all of my named-related files owned by named, or
> > > > whatever the user is. /var/adm/messages is being written indirectly via
> > > > syslog whereas the specific files mentioned below will be written
> > > > directly. I think it wants to "own" the files.
> > > >
> > > > With my setup, I have thus:
> > > >
> > > > 11 @fw:/var/log/named > ls -al
> > > > total 3995
> > > > drwxr-xr-x 2 root wheel 512 Mar 28 2001 ./
> > > > drwxr-xr-x 4 root wheel 1536 Dec 28 12:00 ../
> > > > -rw-r--r-- 1 named named 4076309 Dec 28 23:37 named.debug
> > > >
> > > > The world and group bits can be set to read-only if you like, since named
> > > > owns it. Other than that, I have no special considerations for the log
> > > > files. The files within /var/named are also owned by user named. Notice
> > > > that the directories are owned by root, with my process running as
> > > > named. This prevents the process from creating new files, but allows it to
> > > > access existing files that it owns. A bit more security in that. Also a
> > > > bit more responsibility on your side. If you specify a file below, make
> > > > sure that it exists and is owned by named, or whatever user you are running
> > > > as, which is hopefully not root :)
> > > >
> > > > -brad
> > > >
> > > > At 09:03 AM 12/29/2001 -0600, charles at lunarmedia.net wrote:
> > > >
> > > > >thanks for the help, however i'm still not seeing anything logging to
> > > > >alternative files other than /var/log/messages. even with lame-servers
> > > > >specifically addressed as you have below, lame-server errors are still
> > > > >showing up in regular syslog output.
> > > > >does named need to be started in a certain manner in order to be able to
> > > > >allow this type of logging? i even touched all of the related log files
> > > > >and gave them 666 perms to see if it was an error in the daemon being able
> > > > >to write, but to no avail.
> > > > >
> > > > >-c
> > > > >
> > > > >
> > > > >
> > > > >On Fri, 28 Dec 2001 bdoctor at ps-ax.com wrote:
> > > > >
> > > > > > This is what I use, should do what you wish:
> > > > > >
> > > > > > logging {
> > > > > > channel default_log {
> > > > > > file "/dev/null";
> > > > > > severity info;
> > > > > > };
> > > > > > channel severe_log {
> > > > > > file "/var/log/named/named.severe";
> > > > > > severity critical;
> > > > > > };
> > > > > > channel error_log {
> > > > > > file "/var/log/named/named.error";
> > > > > > severity error;
> > > > > > };
> > > > > > channel debug_log {
> > > > > > file "/var/log/named/named.debug";
> > > > > > severity debug;
> > > > > > };
> > > > > > category default { debug_log; };
> > > > > > category config { debug_log; };
> > > > > > category parser { debug_log; };
> > > > > > category panic { debug_log; };
> > > > > > category cname { null; };
> > > > > > category lame-servers { null; };
> > > > > >
> > > > > > };
> > > > > >
> > > > > >
> > > > > > > i'd like to have bind log to its own file within /var/log rather than to
> > > > > > > syslog. i have configured:
> > > > > > >
> > > > > > > // logging
> > > > > > > logging {
> > > > > > >
> > > > > > > // shunt logging to a local file
> > > > > > > channel log_to_file {
> > > > > > > file "/var/log/named/dnslog";
> > > > > > > severity info;
> > > > > > > };
> > > > > > >
> > > > > > > // specify where categories should log
> > > > > > > category default { log_to_file; };
> > > > > > >
> > > > > > > };
> > > > > > >
> > > > > > > however, upon restarting bind, it's still logging everything to
> > > > > > > /var/log/messages, which is precisely what i had hoped to avoid. i'm
> > > > > > > reading through dns&bind pp147-151. anyone see incorrect syntax right off
> > > > > > > that sticks out?
> > > > > > >
> > > > > > > thanks -c
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > Web Page: http://lug.boulder.co.us
> > > > > > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > >
> > > > Brad Doctor, CISSP
> > > >
> > > >
> > >
> >
> > Brad Doctor, CISSP
> >
> >
>
Brad Doctor, CISSP
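The thread above turns on two checks: every file channel in the logging block must point at an existing file that the unprivileged named user owns (and 666 is not the fix), and the options block should carry an allow-recursion ACL. The script below is an added example, not code from this thread or from ISC BIND: it parses the plain channel/category syntax shown in the posts (not the full named.conf grammar), audits each file channel against a filesystem view, and flags a missing allow-recursion. The sample config, the uid 25 for user named, and the fake directory listing are all constructed for the example; on a real host pass os.stat (the default) instead of fake_stat.

```python
"""Check a BIND 8 named.conf for the two problems raised in this thread:
file channels that an unprivileged named cannot write (missing, wrongly
owned or chmod 666) and a missing allow-recursion ACL.  The parser only
understands the plain channel/category syntax shown in the thread."""
import os
import re
import stat
from collections import namedtuple

Channel = namedtuple("Channel", "name path severity")
# Channels BIND 8 predefines; they need no 'channel' statement.
BUILTIN_CHANNELS = {"null", "default_syslog", "default_debug", "default_stderr"}


def strip_comments(text):
    """named.conf accepts /* */, // and # comments; drop them all."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def parse_channels(text):
    """{name: Channel} for each 'channel NAME { file "..."; severity X; };'."""
    chans = {}
    for name, body in re.findall(r"channel\s+([\w-]+)\s*\{([^}]*)\}", text):
        m_file = re.search(r'file\s*"([^"]+)"', body)
        m_sev = re.search(r"severity\s+([\w-]+)", body)
        chans[name] = Channel(name, m_file.group(1) if m_file else None,
                              m_sev.group(1) if m_sev else "info")
    return chans


def parse_categories(text):
    """{category: [channel, ...]} for each 'category NAME { a; b; };'."""
    return {name: [c.strip() for c in body.split(";") if c.strip()]
            for name, body in re.findall(r"category\s+([\w-]+)\s*\{([^}]*)\}", text)}


def audit(conf_text, named_uid, stat_fn=os.stat):
    """Return a list of findings; stat_fn is injectable so the check can run
    against a recorded directory listing instead of the live filesystem."""
    text = strip_comments(conf_text)
    channels = parse_channels(text)
    findings = []
    for cat, names in parse_categories(text).items():
        for n in names:
            if n not in channels and n not in BUILTIN_CHANNELS:
                findings.append(f"category {cat}: channel {n} is not defined")
    for ch in channels.values():
        if ch.path is None or ch.path == "/dev/null":
            continue                      # nothing for named to own here
        try:
            st = stat_fn(ch.path)
        except FileNotFoundError:
            findings.append(f"{ch.name}: {ch.path} missing; named (uid {named_uid}) "
                            "cannot create it inside a root-owned directory")
            continue
        if st.st_uid != named_uid:
            findings.append(f"{ch.name}: {ch.path} owned by uid {st.st_uid}, "
                            f"not uid {named_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{ch.name}: {ch.path} is group/world-writable "
                            f"(mode {oct(stat.S_IMODE(st.st_mode))}); 0644 suffices")
    if not re.search(r"allow-recursion\s*\{", text):
        findings.append("options: no allow-recursion ACL, so anyone on the "
                        "internet can use this server as a recursive resolver")
    return findings


# Constructed config in the shape of the one posted in the thread; the
# allow-recursion ACL is still missing and one category names an undefined channel.
SAMPLE_CONF = """
options {
    directory "/etc/nameserver";
    listen-on { 10.1.1.8; };
    allow-transfer { 10.2.2.66; };
    allow-query { 10.10.64/19; 10.20.20/22; };
};
logging {
    channel default_log { file "/dev/null"; severity info; };
    channel severe_log  { file "/var/log/named/named.severe"; severity critical; };
    channel error_log   { file "/var/log/named/named.error"; severity error; };
    channel debug_log   { file "/var/log/named/named.debug"; severity debug; };
    category default { debug_log; };
    category lame-servers { null; };
    category security { error_log; audit_log; };   // audit_log never defined
};
"""

NAMED_UID = 25                                   # assumed uid of user 'named'
FakeStat = namedtuple("FakeStat", "st_uid st_mode")
# Constructed snapshot of /var/log/named: named.severe was never touched,
# named.error was created by root, named.debug was chmod 666 as in the thread.
FAKE_FS = {
    "/var/log/named/named.error": FakeStat(0, 0o100644),
    "/var/log/named/named.debug": FakeStat(NAMED_UID, 0o100666),
}


def fake_stat(path):
    """Stand-in for os.stat over the constructed snapshot above."""
    try:
        return FAKE_FS[path]
    except KeyError:
        raise FileNotFoundError(path) from None


if __name__ == "__main__":
    for line in audit(SAMPLE_CONF, NAMED_UID, fake_stat):
        print("FINDING:", line)
```

Run against the sample it reports five findings: the undefined audit_log channel, the missing named.severe, the root-owned named.error, the 666 named.debug, and the absent allow-recursion. Add the ACL, define or drop the stray channel, and make each file a 0644 regular file owned by the named uid, and the list comes back empty, which is the state Brad's ls -al output shows.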