How to Configure Bind-Chroot Logging on CentOS 6.2

In this post, i will show on how to turn on Bind DNS server logging in order to log all the dns queries on CentOS 6.2 linux server. Assumed that the bind9 chroot has been properly configured.

1. Create Soft link, symlink or symbolic link to /var/log :

[root@ns1 ~]# ln -sf /var/named/chroot/var/log/dns.log /var/log/dns.log
[root@ns1 ~]# ln -sf /var/named/chroot/var/log/dns_queries.log /var/log/dns_queries.log

2. Open named.conf :

[root@ns1 ~]# vim /var/named/chroot/etc/named.conf

3. Add the following bind logging script into named.conf :

..
..
logging {
        channel log_dns {
                file "/var/log/dns.log" versions 3 size 10m;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel log_queries {
                file "/var/log/dns_queries.log" versions 3 size 20m;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        category default {log_dns;};
        category queries {log_queries;};
        category lame-servers { null;};
        category edns-disabled { null; };
};
..
..

Full named.conf configuration :

options {
       directory "/var/named";
       dump-file "/var/named/data/cache_dump.db";
       statistics-file "/var/named/data/named_stats.txt";
forwarders { 8.8.8.8; };
};
include "/etc/rndc.key";


logging {
        channel log_dns {
                file "/var/log/dns.log" versions 3 size 10m;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel log_queries {
                file "/var/log/dns_queries.log" versions 3 size 20m;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        category default {log_dns;};
        category queries {log_queries;};
        category lame-servers { null;};
        category edns-disabled { null; };
};


// We are the master server for ehowstuff.local
 zone "ehowstuff.local" {
        type master;
        file "/var/named/ehowstuff.local";
        allow-transfer {192.168.1.54;};
        allow-update {none;};
};

4. To display last lines on dns_queries.log, simply execute the following command :

[root@ns1 ~]# tail -f /var/log/dns_queries.log

Examples logged dns queries :

02-Jun-2012 23:45:09.958 queries: info: client 192.168.1.52#64527: query: www.facebook.com IN A + (192.168.1.44)
02-Jun-2012 23:45:10.023 queries: info: client 192.168.1.52#55959: query: www.lqconsulting.com IN A + (192.168.1.44)
02-Jun-2012 23:45:10.047 queries: info: client 192.168.1.52#60625: query: digg.com IN A + (192.168.1.44)
02-Jun-2012 23:45:10.098 queries: info: client 192.168.1.52#51729: query: reddit.com IN A + (192.168.1.44)
02-Jun-2012 23:45:10.137 queries: info: client 192.168.1.52#58908: query: www.adroll.com IN A + (192.168.1.44)
02-Jun-2012 23:45:10.966 queries: info: client 192.168.1.52#49432: query: mail.google.com IN A + (192.168.1.44)
02-Jun-2012 23:45:11.077 queries: info: client 192.168.1.52#58493: query: alerts.conduit-services.com IN A + (192.168.1.44)
02-Jun-2012 23:45:13.781 queries: info: client 192.168.1.52#55403: query: plus.google.com IN A + (192.168.1.44)
02-Jun-2012 23:46:20.203 queries: info: client 192.168.1.52#54825: query: realtime.services.disqus.com IN A + (192.168.1.44)
02-Jun-2012 23:46:30.113 queries: info: client 192.168.1.52#52337: query: qq.disqus.com IN A + (192.168.1.44)