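named.conf by example

The options available in the logging statement differ depending on the BIND version.

Be careful: on some versions (BIND 9.2.4, for example), an option the version does not support causes an error and the daemon does not start!

If the daemon does not start because of logging, delete the logging options reported in the errors and start the daemon again.

On BIND 9.3.4-P1 the daemon starts fine. Certain log categories differ by version, so nothing is logged for them; they are ignored.

1. named.conf configuration example - configure the logging section only if you need it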

[@ns2 etc]$ more named.conf
// Set up our ACLs
acl "xfer" {
        none;   // Allow no transfers. If we have other
                // name servers, place them here.
};
acl "trusted" {
        200.1.1.0/24;
        192.168.0.0/24;
        127.0.0.1;
};

options {
    directory "/var/named";
    // pid-file "/var/named/named.pid";
    // statistics-file "/var/named/named.stats";
    // memstatistics-file "/var/named/named.memstats";
    // dump-file "/var/named/named.dump";
    version "No!!";

    // query-source address * port 53;

    // Prevent DoS attacks by generating bogus zone transfer
    // requests.  This will result in slower updates to the
    // slave servers (e.g. they will await the poll interval
    // before checking for updates).
    notify no;

    // Generate more efficient zone transfers.  This will place
    // multiple DNS records in a DNS message, instead of one per
    // DNS message.
    transfer-format many-answers;

    // Set the maximum zone transfer time to something more
    // reasonable.  In this case, we state that any zone transfer
    // that takes longer than 60 minutes is unlikely to ever
    // complete.  WARNING:  If you have very large zone files,
    // adjust this to fit your requirements.
    max-transfer-time-in 60;

    // We have no dynamic interfaces, so BIND shouldn't need to
    // poll for interface state {UP|DOWN}.
    interface-interval 0;

    allow-transfer {
        // Zone transfers limited to members of the
        // "xfer" ACL.
        xfer;
    };

    allow-query {
        // Accept queries from our "trusted" ACL.  We will
        // allow anyone to query our master zones below.
        // This prevents us from becoming a free DNS server
        // to the masses.
        //trusted;     // when set to trusted, every domain must have allow-query { any; };
        any;
    };

    blackhole {
        // Deny anything from the bogon networks as detailed in the "bogon" ACL.
        // bogon;
        203.237.102.12;
    };
};

logging {
    channel "__default_syslog" {
        // Send most of the named messages to syslog.
        syslog local2;  // ( kern | user | mail | daemon | auth |
                        // syslog | lpr | news | uucp | cron |
                        // authpriv | ftp | local0 | local1 |
                        // local2 | local3 | local4 | local5 |
                        // local6 | local7 )
        severity debug; // ( critical | error | warning | notice |
                        // info | debug [ level ] | dynamic )
    };

    //
    // log channel list
    //

    channel ch_default_log {
        file "/var/named/log/ch_default.log";
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_config_log {
        file "/var/named/log/ch_config.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_parser_log {
        file "/var/named/log/ch_parser.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_queries_log {
        file "/var/named/log/ch_queries.log" versions 5 size 30m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_lame-servers_log {
        file "/var/named/log/ch_lame-servers.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_statistics_log {
        file "/var/named/log/ch_statistics.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_panic_log {
        file "/var/named/log/ch_panic.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_update_log {
        file "/var/named/log/ch_update.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_ncache_log {
        file "/var/named/log/ch_ncache.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_xfer-in_log {
        file "/var/named/log/ch_xfer-in.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_xfer-out_log {
        file "/var/named/log/ch_xfer-out.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_db_log {
        file "/var/named/log/ch_db.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_eventlib_log {
        file "/var/named/log/ch_eventlib.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_packet_log {
        file "/var/named/log/ch_packet.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_notify_log {
        file "/var/named/log/ch_notify.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_cname_log {
        file "/var/named/log/ch_cname.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_security_log {
        file "/var/named/log/ch_security.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_os_log {
        file "/var/named/log/ch_os.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    channel ch_insist_log {
        file "/var/named/log/ch_insist.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    channel ch_maintenance_log {
        file "/var/named/log/ch_maintenance.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    channel ch_load_log {
        file "/var/named/log/ch_load.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    channel ch_response-checks_log {
        file "/var/named/log/ch_response-checks.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    category default { ch_default_log; };
    category config { ch_config_log; };
    category parser { ch_parser_log; };
    category queries { ch_queries_log; };
    category lame-servers { ch_lame-servers_log; };
    category statistics { ch_statistics_log; };
    category panic { ch_panic_log; };
    category update { ch_update_log; };
    category ncache { ch_ncache_log; };
    category xfer-in { ch_xfer-in_log; };
    category xfer-out { ch_xfer-out_log; };
    category db { ch_db_log; };
    category eventlib { ch_eventlib_log; };
    category packet { ch_packet_log; };
    category notify { ch_notify_log; };
    category cname { ch_cname_log; };
    category security { ch_security_log; };
    category os { ch_os_log; };
    category insist { ch_insist_log; };
    category maintenance { ch_maintenance_log; };
    category response-checks { ch_response-checks_log; };
    category load { ch_load_log; };
};

// a caching only nameserver config
zone "." {
    type hint;
    file "master/db.cache";
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "master/db.127.0.0";
};
zone "175.103.210.in-addr.arpa" {
    type slave;
    file "slave/db.210.103.175";
    // The ISP must be able to transfer this zone.
    // Delegation for this class is only done as far as the ISP.
    allow-transfer { 203.255.112.34; 203.255.112.4; 200.1.1.1; };
    notify yes;
};

2. Adding the directory for the DNS logs

# cd /var/named/chroot/var/named
# mkdir log
# chown named.named log

# service named restart

Local host

[root@ps2 root]# chkconfig --list | grep nscd
nscd            0:해제  1:해제  2:해제  3:해제  4:해제  5:해제  6:해제

3. Example logging configuration that works with BIND 9.6.1-P1 on CentOS 5.3

logging {
    channel "__default_syslog" {
        // Send most of the named messages to syslog.
        syslog local2;  // ( kern | user | mail | daemon | auth |
                        // syslog | lpr | news | uucp | cron |
                        // authpriv | ftp | local0 | local1 |
                        // local2 | local3 | local4 | local5 |
                        // local6 | local7 )
        severity debug; // ( critical | error | warning | notice |
                        // info | debug [ level ] | dynamic )
    };

    //
    // log channel list
    //

    channel ch_default_log {
        file "/var/named/log/ch_default.log";
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_config_log {
        file "/var/named/log/ch_config.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    channel ch_queries_log {
        file "/var/named/log/ch_queries.log" versions 5 size 30m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_lame-servers_log {
        file "/var/named/log/ch_lame-servers.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_statistics_log {
        file "/var/named/log/ch_statistics.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    channel ch_update_log {
        file "/var/named/log/ch_update.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    channel ch_xfer-in_log {
        file "/var/named/log/ch_xfer-in.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel ch_xfer-out_log {
        file "/var/named/log/ch_xfer-out.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    channel ch_notify_log {
        file "/var/named/log/ch_notify.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    channel ch_security_log {
        file "/var/named/log/ch_security.log" versions 3 size 20m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    category default { ch_default_log; };
    category config { ch_config_log; };

    category queries { ch_queries_log; };
    category lame-servers { ch_lame-servers_log; };

    category update { ch_update_log; };

    category xfer-in { ch_xfer-in_log; };
    category xfer-out { ch_xfer-out_log; };

    category notify { ch_notify_log; };

    category security { ch_security_log; };
};
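
The version problem described at the top of the page can be caught before named is restarted. The following is an added example, not part of the original post: it lints a logging block against the category set that section 3 uses and, going slightly beyond the page, also reports channels that are referenced but never defined or defined but never used; prune_categories applies the page's fix of deleting the offending category statements. The function names, the SAMPLE text and the regex-based parsing (single-level channel and category bodies only) are assumptions made for this illustration.

```python
import re

# Categories the page's section 3 block uses on BIND 9.6.1-P1 (the page's
# working subset, not a complete list of what that release accepts).
PAGE_9_6_CATEGORIES = {"default", "config", "queries", "lame-servers", "update",
                       "xfer-in", "xfer-out", "notify", "security"}
# Channels BIND 9 predefines; a category may use them without a channel clause.
BUILTIN_CHANNELS = {"default_syslog", "default_debug", "default_stderr", "null"}
NAME = r'"?([\w.-]+)"?'
CHANNEL_RE = re.compile(r'(?<![\w-])channel\s+' + NAME + r'\s*\{')
CATEGORY_RE = re.compile(r'(?<![\w-])category\s+' + NAME + r'\s*\{([^}]*)\}\s*;')

def strip_comments(text):
    """Remove /* */, // and # comments so commented-out statements are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def lint_logging(conf, allowed=PAGE_9_6_CATEGORIES):
    """Return (kind, name) findings for the logging statements in conf."""
    conf = strip_comments(conf)
    defined = set(CHANNEL_RE.findall(conf))
    used, findings = set(), []
    for category, body in CATEGORY_RE.findall(conf):
        if category not in allowed:
            findings.append(("unsupported-category", category))
        for channel in re.findall(NAME + r'\s*;', body):
            used.add(channel)
            if channel not in defined | BUILTIN_CHANNELS:
                findings.append(("undefined-channel", channel))
    findings += [("unused-channel", c) for c in sorted(defined - used)]
    return findings

def prune_categories(conf, allowed=PAGE_9_6_CATEGORIES):
    """Delete category statements outside `allowed` (the page's fix)."""
    return CATEGORY_RE.sub(lambda m: m.group(0) if m.group(1) in allowed else "", conf)

# Constructed sample in the style of the page's config, not the full file.
SAMPLE = '''logging {
    channel "__default_syslog" { syslog local2; severity debug; };
    channel ch_queries_log { file "/var/named/log/ch_queries.log" versions 5 size 30m; print-category yes; };
    channel ch_panic_log { file "/var/named/log/ch_panic.log" versions 3 size 20m; };
    category queries { ch_queries_log; };
    category panic { ch_panic_log; };
    // category cname { ch_cname_log; };
    category notify { ch_notify_log; };
};'''

if __name__ == "__main__":
    print(*lint_logging(SAMPLE), sep="\n")
```

Pass a different `allowed` set when targeting another BIND release; the set here only reflects what this page shows working.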

 

