LinuxQuestions.org
Old 02-24-2011, 09:44 AM   #1
meridius
bind9 log full of localhost queries


Hi all,

I have my bind9 DNS server running on Ubuntu with logging on. What's bothering me is that I have a log full of localhost queries instead of queries from the IP of the computer which actually asked.

DNS queries log:
/var/log/named.queries.log
Code:
24-Feb-2011 16:01:19.413 client 127.0.0.1#38022: query: clients4.google.com IN A + (127.0.0.1)
24-Feb-2011 16:01:19.474 client 127.0.0.1#46527: query: clients4.google.com IN A + (127.0.0.1)
24-Feb-2011 16:03:05.116 client 127.0.0.1#40820: query: safebrowsing.clients.google.com IN A + (127.0.0.1)
24-Feb-2011 16:03:05.248 client 127.0.0.1#44006: query: safebrowsing.clients.google.com IN A + (127.0.0.1)
24-Feb-2011 16:03:09.565 client 127.0.0.1#38636: query: safebrowsing-cache.google.com IN A + (127.0.0.1)
24-Feb-2011 16:03:09.697 client 127.0.0.1#38596: query: safebrowsing-cache.google.com IN A + (127.0.0.1)
24-Feb-2011 16:07:23.798 client 83.208.230.54#20788: query: um16.eset.com IN A + (83.167.232.18)
24-Feb-2011 16:09:44.960 client 83.208.230.54#20790: query: tsm05.eset.com IN A + (83.167.232.18)
24-Feb-2011 16:19:41.928 client 83.208.230.54#20793: query: wpad IN A + (83.167.232.18)
24-Feb-2011 16:19:44.462 client 83.208.230.54#20794: query: www.update.microsoft.com IN A + (83.167.232.18)
And yes, all of them are originally from a different computer than the one the server is running on.

My configuration files are:
/etc/resolv.conf
Code:
nameserver 127.0.0.1
/etc/bind/named.conf
Code:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
/etc/bind/named.conf
Code:
options {
        directory "/var/cache/bind";

        forwarders {
                8.8.8.8;
                4.4.4.4;
        };

        auth-nxdomain no;    # conform to RFC1035
//      listen-on-v6 { any; };
        listen-on { any; };

        allow-recursion { any; };
        allow-recursion-on { any; };

        querylog yes;

//      max-cache-size 1M;
};
/etc/bind/named.conf.local
Code:
logging {
        channel my_queries_only {
                file "/var/log/named.queries.log" versions 3 size 5m;
                print-time yes;
        };
        channel my_queries_severity {
                file "/var/log/named.queries.severity.log" versions 3 size 5m;
                severity critical;
                print-time yes;
                print-severity yes;
        };
        category queries { my_queries_only; my_queries_severity; };

        channel default_syslog {
                syslog daemon;          // send to syslog's daemon facility
                severity info;          // only send priority info and higher
        };
        category default { default_syslog; };

        channel my_all {
                file "/var/log/named.all.log";
                print-time yes;
        };
        category general { my_all; };
};
/etc/bind/named.conf.default-zones
Code:
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

I really don't know what to do, please help.

Thank you in advance.
 
Old 02-24-2011, 11:32 AM   #2
bathory
Hi and welcome to LQ,

This is normal, as you use localhost as the nameserver in /etc/resolv.conf. What you can do is stop logging queries. Besides, querylog is disabled by default because it produces a lot of logging.

Regards
 
Old 02-24-2011, 01:30 PM   #3
meridius
Hi bathory and thank you for your reply.

Unfortunately, logging is essential for my application, hence I'd like to know from which IP the query comes.
 
Old 02-24-2011, 02:58 PM   #4
meridius
I just thought, is there a way to bypass /etc/resolv.conf file?

This way bind server would always get dns requests on port 53, thus there will be no localhost queries.
 
Old 02-24-2011, 04:39 PM   #5
bathory
Quote:
> I just thought, is there a way to bypass /etc/resolv.conf file?
>
> This way bind server would always get dns requests on port 53, thus there will be no localhost queries.

I don't understand what you mean. A name server always gets queries on port 53.
You can use a different nameserver in /etc/resolv.conf for the dns server itself and let only your clients use your dns as a resolver.
 
Old 02-25-2011, 04:18 AM   #6
meridius
I tried that already before. It will cause about 80% of queries to disappear (well, they won't be in bind log, but user gets reply anyway) because resolv.conf catches them before bind does.

Last edited by meridius; 02-25-2011 at 09:06 AM.
 
Old 04-05-2011, 01:54 PM   #7
meridius
It seems that removing ANY IP from /etc/resolv.conf did the trick!

Closing
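
Added example, not part of the thread: a small Python parser for the query-log layout shown in post #1. It tallies queries per client address and lists which names arrived over loopback, which makes it easy to see how much of the log comes from the server's own stub resolver. The function names are assumptions; the sample lines are copied from post #1 plus one constructed malformed line, and lines in any other layout are counted as skipped.

```python
import ipaddress
import re
from collections import Counter

# Layout of the query-log lines in post #1:
#   <date> <time> client <ip>#<port>: query: <name> <class> <type> <flags> (<dst>)
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9A-Fa-f:.]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
    r"(?: \((?P<dst>[0-9A-Fa-f:.]+)\))?\s*$"
)

# Four lines copied from post #1, plus one constructed malformed line.
SAMPLE_LOG = """\
24-Feb-2011 16:01:19.413 client 127.0.0.1#38022: query: clients4.google.com IN A + (127.0.0.1)
24-Feb-2011 16:01:19.474 client 127.0.0.1#46527: query: clients4.google.com IN A + (127.0.0.1)
24-Feb-2011 16:07:23.798 client 83.208.230.54#20788: query: um16.eset.com IN A + (83.167.232.18)
24-Feb-2011 16:19:41.928 client 83.208.230.54#20793: query: wpad IN A + (83.167.232.18)
24-Feb-2011 16:20:00.000 general: constructed line that is not a query record
"""

def parse_line(line):
    """Return a dict for one query-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["loopback"] = ipaddress.ip_address(rec["ip"]).is_loopback
    except ValueError:  # regex matched, but the text is not a valid address
        return None
    return rec

def summarize(lines):
    """Count queries per client, and per name for loopback clients only."""
    per_client, loopback_names, skipped = Counter(), Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        per_client[rec["ip"]] += 1
        if rec["loopback"]:
            loopback_names[rec["qname"]] += 1
    return per_client, loopback_names, skipped

if __name__ == "__main__":
    clients, local_names, bad = summarize(SAMPLE_LOG.splitlines())
    print(dict(clients), dict(local_names), bad)
```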