[SOLVED] bind9 log full of localhost queries

meridius · 02-24-2011, 09:44 AM

Hi all,

I have my bind9 DNS server running on Ubuntu with logging on. What's bothering me is that I have log full of localhost queries instead of from IP of the computer which actually asked.

DNS queries log:
/var/log/named.queries.log

Code:

24-Feb-2011 16:01:19.413 client 127.0.0.1#38022: query: clients4.google.com IN A + (127.0.0.1)
24-Feb-2011 16:01:19.474 client 127.0.0.1#46527: query: clients4.google.com IN A + (127.0.0.1)
24-Feb-2011 16:03:05.116 client 127.0.0.1#40820: query: safebrowsing.clients.google.com IN A + (127.0.0.1)
24-Feb-2011 16:03:05.248 client 127.0.0.1#44006: query: safebrowsing.clients.google.com IN A + (127.0.0.1)
24-Feb-2011 16:03:09.565 client 127.0.0.1#38636: query: safebrowsing-cache.google.com IN A + (127.0.0.1)
24-Feb-2011 16:03:09.697 client 127.0.0.1#38596: query: safebrowsing-cache.google.com IN A + (127.0.0.1)
24-Feb-2011 16:07:23.798 client 83.208.230.54#20788: query: um16.eset.com IN A + (83.167.232.18)
24-Feb-2011 16:09:44.960 client 83.208.230.54#20790: query: tsm05.eset.com IN A + (83.167.232.18)
24-Feb-2011 16:19:41.928 client 83.208.230.54#20793: query: wpad IN A + (83.167.232.18)
24-Feb-2011 16:19:44.462 client 83.208.230.54#20794: query: www.update.microsoft.com IN A + (83.167.232.18)

And yes, all of them are originally from different computer than the server is running on.

My configuration files are:
/etc/resolv.conf

Code:

nameserver 127.0.0.1

/etc/bind/named.conf

Code:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

/etc/bind/named.conf

Code:

options {
        directory "/var/cache/bind";

        forwarders {
                8.8.8.8;
                4.4.4.4;
        };

        auth-nxdomain no;    # conform to RFC1035
//      listen-on-v6 { any; };
        listen-on { any; };

        allow-recursion { any; };
        allow-recursion-on { any; };

        querylog yes;

//      max-cache-size 1M;
};

/etc/bind/named.conf.local

Code:

logging {
        channel my_queries_only {
                file "/var/log/named.queries.log" versions 3 size 5m;
                print-time yes;
        };
        channel my_queries_severity {
                file "/var/log/named.queries.severity.log" versions 3 size 5m;
                severity critical;
                print-time yes;
                print-severity yes;
        };
        category queries { my_queries_only; my_queries_severity; };

        channel default_syslog {
                syslog daemon;          // send to syslog's daemon facility
                severity info;          // only send priority info and higher
        };
        category default { default_syslog; };

        channel my_all {
                file "/var/log/named.all.log";
                print-time yes;
        };
        category general { my_all; };
};

/etc/bind/named.conf.default-zones

Code:

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

I really don't know what to do, please help.

Thank you in advance.

bathory · 02-24-2011, 11:32 AM

Hi and welcome to LQ,

This is normal as you use localhost as the nameserver in /etc/resolv.cof. What you can do, is to stop logging queries. Besides querylog is disabled by default because it produces much logging

Regards

meridius · 02-24-2011, 01:30 PM

Hi bathory and thank you for your reply.

Unfortunately logging is essential for my application, hence I'd like to know from which IP the query come.

meridius · 02-24-2011, 02:58 PM

I just thought, is there a way to bypass /etc/resolv.conf file?

This way bind server would always get dns requests on port 53, thus there will be no localhost queries.

bathory · 02-24-2011, 04:39 PM

Quote:

I just thought, is there a way to bypass /etc/resolv.conf file?

This way bind server would always get dns requests on port 53, thus there will be no localhost queries.

I don't understand what you mean. A name server always gets queries on port 53.
You can use a different nameserver in /etc/resolv.conf for the dns server itself and let only your clients use your dns as a resolver.

meridius · 02-25-2011, 04:18 AM

I tried that already before. It will cause about 80% of queries to disappear (well, they won't be in bind log, but user gets reply anyway) because resolv.conf catches them before bind does.

meridius · 04-05-2011, 01:54 PM

It seems, that removing ANY IP from /etc/resolv.conf did the trick!

Closing