Table of Contents

Ubuntu - Bind - Logging

The two main logging options are channel and category, which configure where logs go, and what information gets logged, respectively.

If no logging options are configured the default configuration is:

logging {
     category default { default_syslog; default_debug; };
     category unmatched { null; };
};

NOTE: BIND 9 Channels:

A channel may be defined to go to:

  • file The file pathname must be specified. Optionally, you can specify how many versions of the file can exist at one time and how big the file may grow.
  • syslog places logging into syslog.
  • null For messages you want to throw away.

NOTE: categories are:

  • default BIND 9's default category matches all categories not specifically assigned to channels.
    • BIND 9's default category doesn't match BIND's messages that aren't categorized. Those are part of the category listed next.
  • general The general category contains all of the BIND messages that aren't explicitly classified.
  • client Processing client requests.
  • config Configuration file parsing and processing.
  • database Messages relating to BIND's internal database; used to store zone data and cache records.
  • dnssec Processing DNSSEC-signed responses.
  • lame-servers Detection of bad delegation (re-added in BIND 9.1.0; before that, lame server messages were logged to resolver).
  • network Network operations.
  • notify Asynchronous zone change notifications.
  • queries Query logging (added in BIND 9.1.0).
  • resolver Name resolution, including the processing of recursive queries from resolvers.
  • security Approved/unapproved requests.
  • update Dynamic update events.
  • xfer-in Zone transfers from remote name servers to the local name server.
  • xfer-out Zone transfers from the local name server to remote name servers.

File Channel

logging{
  channel my_file {
    file "log.msgs" versions 3 size 10k;
    severity dynamic;
  }; 
};

Syslog Channel

logging {
  channel my_syslog {
    syslog local0; // send to syslog's local0 facility.
    severity info; // only send severity info and higher
  }; 
};

NOTE: The facility can be specified to be any of the following: kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0, local1, local2, local3, local4, local5, local6, or local7.

The default is daemon, and this is the recommended option to be used.

NOTE: Channels allow you to filter by message severity. Here is the list of severities:

  • critical
  • error
  • warning
  • notice
  • info
  • debug [level]. The debug option can be set from 1 to 3. If a level isn’t specified, level 1 is the default.
  • dynamic

We need to configure a channel to specify which file to send the messages to, and a category.

In this example, the category will log all queries.

Edit /etc/bind/named.conf.local and add the following:

/etc/bind/named.conf.local
logging {
    channel query.log {
        file "/var/log/named/query.log";
        severity debug 3;
    };
    category queries { query.log; };
};

Since the named daemon runs as the bind user the /var/log/named directory must be created and the ownership changed:

sudo mkdir /var/log/named
sudo chown bind:bind /var/log/named

Restart BIND9 for the changes to take effect:

sudo systemctl restart bind9.service

You should see the file /var/log/named/query.log fill with query information.

NOTE: This is a simple example of the BIND9 logging options.

For coverage of advanced options see More Information.