Turn on or enable BIND DNS server logging to see all queries or for troubleshooting problems

Q. How do I turn on DNS server logging so that I can see all the queries on my CentOS 4.0 server?

A. You can use the rndc command, which controls the operation of a name server. It supersedes the ndc utility that was provided in old BIND releases. If rndc is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments.

rndc communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of rndc and named, the only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command request and the name server's response. All commands sent over the channel must be signed by a key_id known to the server.

Task: Turn on logging

Type the following command as root to toggle query logging:
# rndc querylog

Task: View BIND server query log

Once this is done, you can view all logged queries in the /var/log/messages file. To view those queries, type:
# tail -f /var/log/messages
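
To summarise what lands in /var/log/messages instead of watching it scroll, the following added example (not part of the original tutorial) parses query-log lines and counts queries per client, per name and per record type. The sample lines are constructed, and the regular expression assumes the usual BIND 9 `client ... query: NAME CLASS TYPE FLAGS` layout, so adjust it if your release logs differently.

```python
import re
import sys
from collections import Counter

# Constructed sample lines (not from the original page) in layouts BIND 9
# commonly writes to syslog; the "zone" line is a non-query line to be skipped.
SAMPLE_LOG = """\
Apr 30 02:15:17 ns1 named[2143]: client 192.0.2.10#53211: query: www.example.com IN A +
Apr 30 02:15:18 ns1 named[2143]: client 192.0.2.10#40112: query: mail.example.com IN MX +
Apr 30 02:15:19 ns1 named[2143]: client @0x7f3a1c0a5d70 198.51.100.7#38544 (www.example.com): query: WWW.example.com IN AAAA +E(0)K (192.0.2.1)
Apr 30 02:15:20 ns1 named[2143]: zone example.com/IN: loaded serial 2016043001
Apr 30 02:15:21 ns1 named[2143]: client 2001:db8::5#51000 (example.org): query: example.org IN TXT -T (2001:db8::1)
"""

# Assumed layout:
#   client [@0xADDR] IP#PORT [(qname)]: [view NAME: ]query: NAME CLASS TYPE FLAGS
QUERY_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+)(?: \([^)]*\))?: "
    r"(?:view \S+: )?query: (?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Return a dict for a query-log line, or None for any other syslog line."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # DNS names are case-insensitive; normalise so counts are not split.
    rec["name"] = rec["name"].rstrip(".").lower() or "."
    return rec


def summarize(lines):
    """Count queries per client address, per queried name and per record type."""
    per_client, per_name, per_type = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_client[rec["client"]] += 1
        per_name[rec["name"]] += 1
        per_type[rec["qtype"]] += 1
    return per_client, per_name, per_type


if __name__ == "__main__":
    # With a path argument, read that log file; without one, use the sample.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for title, counter in zip(("clients", "names", "types"), summarize(lines)):
        print(title, counter.most_common(10))
```

A client or name that suddenly dominates these counts is usually the first thing worth investigating when troubleshooting.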

Task: Turn off logging

Type the following command as root to toggle query logging:
# rndc querylog

{ 10 comments }
  • Scott December 10, 2010, 8:27 pm

    Perfect! Thanks!

  • Prasad Chandorkar March 1, 2012, 7:55 am

    True

    Thanks a lot.

  • Talk May 30, 2012, 5:51 am

    Thanks a lot for this hint!!!

  • Alparslan August 6, 2012, 1:44 pm

    Is there any program or service for monitoring which domain name is used and queried by any client?

    I want a Linux bind9 DNS query log analyser, etc.

    • marb7 April 30, 2016, 9:18 am

      Use dig by installing dnsutils… [http://packages.ubuntu.com/trusty/dnsutils]

      example output
      $ dig google.com

      ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> google.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41256
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 512
      ;; QUESTION SECTION:
      ;google.com. IN A

      ;; ANSWER SECTION:
      google.com. 299 IN A 216.58.216.46

      ;; Query time: 43 msec
      ;; SERVER: 127.0.1.1#53(127.0.1.1)
      ;; WHEN: Sat Apr 30 02:15:17 PDT 2016
      ;; MSG SIZE rcvd: 55

      and nmap for ports
      $ nmap google.com

      Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-30 02:17 PDT
      Nmap scan report for google.com (216.58.216.46)
      Host is up (0.0043s latency).
      rDNS record for 216.58.216.46: lax02s22-in-f46.1e100.net
      Not shown: 998 filtered ports
      PORT STATE SERVICE
      80/tcp open http
      443/tcp open https

      Nmap done: 1 IP address (1 host up) scanned in 4.04 seconds

  • tonic January 9, 2013, 1:25 pm

    In the case of a Debian system like mine (wheezy), I had to tail /var/log/syslog instead of /var/log/messages :)

    • Sayantan Khan June 16, 2014, 11:52 am

      Thanks a lot for that Debian-specific information.

  • Tony June 11, 2014, 3:57 pm

    Excellent, thank you so much!

  • Tony June 26, 2014, 9:43 pm

    Thank you!!!

  • IRE July 9, 2016, 12:17 pm

    Is there a way to redirect the rndc querylog to a separate log file (where just the queries can reside) inside of system-journal and /var/log/messages?

    This is in CentOS 7.x with chroot'ed bind.

    Thanks
