On a network the DNS server is a critical service, and its log contains some very important information.
# tail dns-security.log
24-Dec-2014 00:49:26.723 security: info: client 192.3.96.146#48302: query (cache) 'openresolver.com/A/IN' denied
24-Dec-2014 02:11:25.169 security: info: client 89.248.172.169#46003: query (cache) 'globe.gov/ANY/IN' denied
24-Dec-2014 05:09:04.502 security: info: client 202.153.191.99#60017: query (cache) './NS/IN' denied
24-Dec-2014 08:31:24.675 security: info: client 204.42.253.2#58601: query (cache) 'c526034a.openresolvertest.net/A/IN' denied
24-Dec-2014 08:59:36.327 security: info: client 124.232.142.220#54455: query (cache) 'www.google.com/A/IN' denied
24-Dec-2014 12:44:44.954 security: info: client 74.82.47.8#54631: query (cache) 'dnsscan.shadowserver.org/A/IN' denied
24-Dec-2014 15:33:08.420 security: info: client 207.244.82.115#48706: query (cache) './ANY/IN' denied
Setup (the DNS server is already running in a chroot):
Reference page: Bind9 – Debian Wiki
1. Create the /var/chroot/bind9/var/log directory
# mkdir /var/chroot/bind9/var/log
2. Change the ownership of the directory
# chown bind:bind /var/chroot/bind9/var/log
3. Edit /etc/bind/named.conf
# vim /etc/bind/named.conf
Add the following line:
include "/etc/bind/named.conf.log";
4. Create /etc/bind/named.conf.log (the file paths in the channel definitions are relative to the chroot, so /var/log/bind.log ends up at /var/chroot/bind9/var/log/bind.log)
# vim /etc/bind/named.conf.log
logging {
    channel update_debug {
        file "/var/log/update_debug.log" versions 3 size 100k;
        severity debug;
        print-severity yes;
        print-time yes;
    };
    channel security_info {
        file "/var/log/security_info.log" versions 1 size 100k;
        severity info;
        print-severity yes;
        print-time yes;
    };
    channel bind_log {
        file "/var/log/bind.log" versions 3 size 1m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { bind_log; };
    category lame-servers { null; };
    category update { update_debug; };
    category update-security { update_debug; };
    category security { security_info; };
};
5. Restart the DNS server and the log server
# /etc/init.d/rsyslog restart; /etc/init.d/bind9 start
6. Check the result and call it a day
# ls -l /var/chroot/bind9/var/log/
total 4
-rw-r--r-- 1 bind bind 1417 Dec 24 15:45 bind.log
-rw-r--r-- 1 bind bind    0 Dec 24 15:45 security_info.log
-rw-r--r-- 1 bind bind    0 Dec 24 15:45 update_debug.log