BIND provides extensive logging capabilities that are essential for monitoring, troubleshooting, and security auditing. Proper logging configuration helps administrators track DNS queries, detect anomalies, and diagnose issues.
Logs are available from the systemd journal (journalctl -u bind9 or journalctl -u named) and in files under /var/log/named/ or /var/log/bind/ (depending on distribution).
BIND uses a flexible logging system with categories and channels:
    logging {
        // Channel definitions
        channel default_log {
            file "/var/log/named/named.log" versions 3 size 5m;
            severity info;
            print-time yes;
            print-category yes;
            print-severity yes;
        };
        channel query_log {
            file "/var/log/named/query.log" versions 2 size 10m;
            severity info;
            print-time yes;
        };
        channel security_log {
            file "/var/log/named/security.log" versions 5 size 5m;
            severity info;
            print-time yes;
            print-category yes;
        };
        channel default_syslog {
            syslog daemon;
            severity info;
            print-time yes;
        };
        // Category assignments
        category default { default_log; };
        category queries { query_log; };
        category security { security_log; default_log; };
        category config { default_log; };
        category network { default_log; };
        category cname { default_log; };
    };
For production environments, use a balanced logging configuration:
    logging {
        channel general_log {
            file "/var/log/named/general.log" versions 10 size 10m;
            severity info;
            print-time yes;
            print-category yes;
        };
        channel security_log {
            file "/var/log/named/security.log" versions 10 size 5m;
            severity info;
            print-time yes;
            print-category yes;
        };
        channel query_log {
            file "/var/log/named/query.log" versions 5 size 20m;
            severity info;
            print-time yes;
        };
        category default { general_log; };
        category security { security_log; };
        category queries { query_log; };
        category unmatched { security_log; };
        category network { general_log; };
        category cname { general_log; };
    };
For troubleshooting, temporarily increase verbosity:
    # Enable detailed query logging
    rndc querylog
    # Or add to configuration for persistent logging
    category queries { default_debug; };
Enable query logging to monitor live traffic:
    # Enable query logging
    sudo rndc querylog
    # Follow the query log
    sudo tail -f /var/log/named/query.log
    # Disable query logging when done
    sudo rndc querylog
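Once query logging is on, the query log can be summarized per client to spot anomalies such as unusually high query counts or unusually long labels. The script below is an added example, not part of the original page: it assumes the usual BIND 9 query-line layout produced with print-time yes, and its function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Query line as written by the query_log channel (print-time yes). The "@0x..."
# client id, category/severity prefixes and "view NAME:" are optional.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?:\S+: )*client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): "
    r"(?:view \S+: )?query: \S+ (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_line(line):
    """Return the fields of one query-log line, or None for any other line."""
    m = QUERY_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, max_queries=100, max_label=40):
    """Count queries per client; flag clients over either (assumed) threshold."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "long_labels": 0})
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # non-query or truncated line: count, don't crash
            skipped += 1
            continue
        s = stats[rec["ip"]]
        s["queries"] += 1
        s["names"].add(rec["qname"].lower())   # DNS names are case-insensitive
        if any(len(label) > max_label for label in rec["qname"].split(".")):
            s["long_labels"] += 1
    flagged = sorted(ip for ip, s in stats.items()
                     if s["queries"] > max_queries or s["long_labels"])
    return dict(stats), flagged, skipped

# Constructed sample lines (documentation addresses, not real traffic).
LONG = "a1b2c3d4" * 6  # 48-character label
SAMPLE = [
    "12-Mar-2024 10:15:01.120 client @0x7f3a1c0a1b20 192.0.2.10#53124 (www.example.com): query: www.example.com IN A +E(0)K (198.51.100.53)",
    "12-Mar-2024 10:15:01.480 client @0x7f3a1c0a1b20 192.0.2.10#40211 (WWW.example.com): query: WWW.example.com IN AAAA + (198.51.100.53)",
    f"12-Mar-2024 10:15:02.003 client 2001:db8::77#39010 ({LONG}.example.net): query: {LONG}.example.net IN TXT + (198.51.100.53)",
    "12-Mar-2024 10:15:02.500 general: info: zone example.com/IN: loaded serial 2024031201",
]

if __name__ == "__main__":
    stats, flagged, skipped = summarize(SAMPLE, max_queries=1)
    for ip in flagged:
        print(ip, stats[ip]["queries"], "queries,", stats[ip]["long_labels"], "long-label")
    print("skipped non-query lines:", skipped)
```

To run it against a live log, pass an open file handle for /var/log/named/query.log to summarize() and tune both thresholds to the server's normal traffic.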
Set up log rotation to prevent disk space issues:
Create /etc/logrotate.d/bind:
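    /var/log/named/*.log {
        daily
        missingok
        rotate 10
        compress
        delaycompress
        notifempty
        create 640 bind bind
        postrotate
            # SIGHUP makes named reload, which reopens its log files.
            # named defines only SIGHUP, SIGINT and SIGTERM; USR1 is undefined.
            /bin/kill -HUP `cat /var/run/named/named.pid 2>/dev/null` 2>/dev/null || true
        endscript
    }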
Check directory permissions:
    sudo mkdir -p /var/log/named
    sudo chown named:named /var/log/named   # RHEL
    sudo chown bind:bind /var/log/named     # Debian
    sudo chmod 755 /var/log/named
Verify that named has write permission to the log directory.
If logs grow too quickly, raise the channel severity from info to warning or critical, or disable the queries category in production.
Monitor BIND logs:
    # View recent logs
    sudo journalctl -u bind9 -f   # Debian/Ubuntu
    sudo journalctl -u named -f   # RHEL
    # Check specific log files
    sudo tail -f /var/log/named/named.log
For security monitoring, ensure these categories are logged:
Extensive logging can impact performance: