How to log recursive queries?
s***@gmail.com
2005-05-04 10:56:06 UTC
Hello,
Before I disable recursive queries on my name server, I'd like to find
out who is using it for that.

I've seen the "queries" logging category, but can't see how to restrict
it to just recursive queries. Is it possible?

Thanks
David Botham
2005-05-04 16:20:39 UTC
Post by s***@gmail.com
Hello,
Before I disable recursive queries on my name server, I'd like to find
out who is using it for that.
I've seen the "queries" logging category, but can't see how to restrict
it to just recursive queries. Is it possible?
I think the answer to your question is no. However, you should be able to
write a perl script that could determine if someone is making a query in a
zone that your name servers do not host. I would approach it like
this:

1. Set up a logging statement to send query logging to a separate file.
2. grep out your zone statements from your named.conf file. Use these as
a basis for determining if someone sent you a query for a RR that you do
not host.
3. Write a perl script that parses through the query log, looking for
queries outside of the list from step 2.
4. Record the IP address of anyone caught in step 3.


The logic here is that if someone sends you a query for a zone that you do
not host, then they are probably asking you to do the work and it was
[probably] a recursive query.

The output of this script could be used to track down local people (those
that you can control) that are using your name servers for recursion.


hth,


Dave...
Post by s***@gmail.com
Thanks
Tim Peiffer
2005-05-04 16:58:11 UTC
Included inline is a perl script that I am using - I wrote it a while
back; it was inspired by a co-worker that has long since left the
University. You are free to use it however you like. It will run on
Bind8 or Bind9.
Note that I am not paying attention to the recursion desired bit... I
make decisions on what is in the scope of the domains and networks I
support. Anything outside of those bounds is treated as external
recursion.


Regards,
Tim Peiffer
Networking and Telecommunications Services
University of Minnesota


Configure your server into the arrays @OKNET and @OKDOM.

Add suitable logging lines in named.conf:

    logging {
        channel query_file {
            file "/var/log/named/querylog" versions 15 size 200m; # send to file
            print-time yes;
            severity info;
        };
        category queries { query_file; };  # route query logging to the channel above
    };

Add regular reporting using cron:

    30 06 * * * /usr/local/libexec/querystats -MailTo <my_report_destination>
    40 06 * * * /usr/local/libexec/querystats -ExternalRecursive 1 -MailTo <my_report_destination>

Example Report.

Report on MyServer named dated Wed Apr 27 06:45:01 2005
David Botham
2005-05-04 16:25:14 UTC
Post by David Botham
Post by s***@gmail.com
Hello,
Before I disable recursive queries on my name server, I'd like to find
out who is using it for that.
I've seen the "queries" logging category, but can't see how to restrict
it to just recursive queries. Is it possible?
I think the answer to your question is no. However, you should be able to
write a perl script that could determine if someone is making a query in a
zone that your name servers do not host. I would approach it like this:
1. Set up a logging statement to send query logging to a separate file.
2. grep out your zone statements from your named.conf file. Use these as
a basis for determining if someone sent you a query for a RR that you do
not host.
3. Write a perl script that parses through the query log, looking for
queries outside of the list from step 2.
4. Record the IP address of anyone caught in step 3.
Or, even better yet, write a perl script that parses through the query
log looking for an indication that the Recursion Desired bit was set. From
the BIND ARM:

"""""""""""""
Specify where queries should be logged to.

At startup, specifying the category queries will also enable query logging
unless querylog option has been specified.

The query log entry reports the client's IP address and port number, and the
query name, class and type. It also reports whether the Recursion Desired
flag was set (+ if set, - if not set), EDNS was in use (E) or if the query
was signed (S).

client 127.0.0.1#62536: query: www.example.com IN AAAA +SE
client ::1#62537: query: www.example.net IN AAAA -SE
"""""""""""""""

Notice the "+" or "-" sign.


Wow, I guess I should have done a little more RTFM before my last post...


hth,

dave...




[clip...]
David Botham
2005-05-04 16:44:45 UTC
bind-users-***@isc.org wrote on 05/04/2005 12:25:14 PM:
[clip...]
Post by David Botham
Or, even better yet, write a perl script that parses through the query
log looking for an indication that the Recursion Desired bit was set. From
the BIND ARM:
"""""""""""""
Specify where queries should be logged to.
At startup, specifying the category queries will also enable query logging
unless querylog option has been specified.
The query log entry reports the client's IP address and port number, and the
query name, class and type. It also reports whether the Recursion Desired
flag was set (+ if set, - if not set), EDNS was in use (E) or if the query
was signed (S).
client 127.0.0.1#62536: query: www.example.com IN AAAA +SE
client ::1#62537: query: www.example.net IN AAAA -SE
"""""""""""""""
Notice the "+" or "-" sign.
And if you are interested, here is a perl snippet with a regex that will
catch a recursive query for an IPv4 address. The IP address of the
offending host will be available in the read-only variable $4 after a
successful match.

use strict;
use warnings;

open(my $qlog, '<', 'query.log') or die "cannot open query.log: $!";
while (<$qlog>) {
    # skip blanks and comments (should not be any though)
    next if /^\s*$/ or /^\s*#/;
    # clean up trailing new lines
    chomp;
    # check to see if we have a recursive query: the RD flag is logged as a '+'
    # after the query type; the leading (^.*?) tolerates a print-time timestamp
    if (/(^.*?)(client)(\s+)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(.*)(\+)(.*)/) {
        print "$4 performed a recursive query. Contact the admin and notify them of the new servers to be used.\n";
    }
}
close($qlog);


hth,


Dave...





[clip...]
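As an added example (not code from any poster in this thread), here is a Python version of the two approaches discussed above: Dave's check of the logged RD flag, with his earlier zone-based heuristic used as the fallback when a log line carries no flags field. The networks, hosted zones and log lines are constructed samples standing in for a real @OKNET/@OKDOM configuration and query log.

```python
import ipaddress
import re
from collections import Counter

# BIND 9 query-log line as quoted from the ARM above; the trailing flags field
# (+/- for Recursion Desired, E, S) is optional: older releases log nothing there.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) "
    r"(?P<qclass>\S+) (?P<qtype>\S+)(?: (?P<flags>[-+]\S*))?$"
)

# Constructed policy standing in for Tim's @OKNET / @OKDOM arrays.
OK_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24", "::1/128")]
OK_DOMS = ["example.com", "example.net"]

def in_hosted_zone(qname, ok_doms=OK_DOMS):
    """True if qname is at or below one of the zones we are authoritative for."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in ok_doms)

def classify(line):
    """Return (client_ip, verdict) or None. verdict is 'recursive'/'iterative' from the
    logged RD flag; with no flags logged, Dave's zone heuristic gives 'foreign-zone'/'local-zone'."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    ip, qname, flags = m["ip"], m["qname"], m["flags"]
    if flags is not None:
        return ip, ("recursive" if flags.startswith("+") else "iterative")
    return ip, ("local-zone" if in_hosted_zone(qname) else "foreign-zone")

def external_recursion_report(lines, ok_nets=OK_NETS):
    """Count apparent recursive queries per client IP outside our own networks."""
    counts = Counter()
    for res in map(classify, lines):
        if res is None:
            continue
        ip, verdict = res
        if verdict in ("recursive", "foreign-zone") and not any(
                ipaddress.ip_address(ip) in n for n in ok_nets):
            counts[ip] += 1
    return counts

# Constructed sample log (print-time yes), not from anyone's real server.
SAMPLE_LOG = """\
04-May-2005 10:56:06.123 client 127.0.0.1#62536: query: www.example.com IN AAAA +SE
04-May-2005 10:56:07.001 client 203.0.113.7#53000: query: www.isc.org IN A +
04-May-2005 10:56:07.002 client 203.0.113.7#53001: query: ftp.isc.org IN A +E
04-May-2005 10:56:09.000 client 198.51.100.9#1235: query: www.example.org IN A
04-May-2005 10:56:11.000 client ::1#62537: query: www.example.net IN AAAA -SE""".splitlines()
```

Running `external_recursion_report(SAMPLE_LOG)` over the sample yields two outside clients: 203.0.113.7 with two RD-set queries, and 198.51.100.9 caught only by the zone heuristic because its line has no flags field.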
s***@gmail.com
2005-05-06 08:27:38 UTC
Thanks this (and the other posts too) is useful. I'm logging queries,
but see nothing after the record type. Is this a bind 9.3 feature? I'm
running 9.2.4-1.
