I am in the process of rolling out external DNS servers to resolve all end user queries.
Before we can move the solution into production I would like to get as much useful logging in place as possible.
Here is the named.conf file (called gi-named.conf for namespace):
options {
    listen-on port 53 { Public IP; };
    #listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { any; };
    allow-query-on { PublicIP; };
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    // allow-recursion defaults to allow-query-cache, so recursion is limited
    // to the internal range even though allow-query is { any; }.
    allow-query-cache { Internal Range; };
    allow-query-cache-on { PublicIP; };
    query-source address Public IP;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    /* If you want to enable debugging, eg. using the 'rndc trace' command,
     * named will try to write the 'named.run' file in the $directory (/var/named).
     * By default, SELinux policy does not allow named to modify the /var/named directory,
     * so put the default debug log file in data/ :
     */
    /*channel default_debug {
        print-time yes;
        print-category yes;
        print-severity yes;
        file "data/named.run";
        severity dynamic;
    };*/
    channel queries_log {
        file "/var/log/queries" versions 1 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug 3;
    };
    channel default_log {
        file "/var/named/log/default" versions 3 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity info;
    };
    channel query-errors_log {
        file "/var/named/log/query-errors" versions 5 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity dynamic;
    };
    // A channel only receives messages from the categories that name it.
    // As originally posted, only "queries" and "client" were routed, so
    // default_log and query-errors_log were defined but never written to;
    // the last two category statements below were missing.
    category queries { queries_log; };
    category client { queries_log; };
    category default { default_log; };
    category query-errors { query-errors_log; };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
The issue I have is that while I see logs populating the /var/named/log/queries file, I do not see any logs in either the /var/named/log/query-errors log file or the /var/named/log/default log file, and I am not sure where exactly I am going wrong or if maybe I have left out some configuration.
Anyone ever experienced this before?
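The quickest way to see why a BIND channel's file stays empty is to check whether any category actually routes to it. The script below is an added example, not part of the original post or of BIND itself: it pulls the channel and category statements out of a logging {} stanza and reports channels nothing references and references to channels that were never defined. The function names (strip_comments, logging_block, parse_logging, audit) and the sample configs are my own; the samples are constructed from the logging block in the question, and the second one adds the two category lines that block lacks.

```python
"""Audit a BIND logging block for channels no category routes to.

Added example, not from the original post. It parses only the logging {}
stanza (channel and category statements) of a named.conf-style text; it is
not a full named.conf parser. Sample configs below are constructed from the
logging block in the question.
"""
import re
from typing import Dict, List, Set, Tuple

# Channels named predefines; a category may reference them without a channel {}.
BUILTIN_CHANNELS = {"default_syslog", "default_debug", "default_stderr", "null"}

CHANNEL_RE = re.compile(r"\bchannel\s+([\w-]+)\s*\{")
CATEGORY_RE = re.compile(r"\bcategory\s+([\w-]+)\s*\{([^}]*)\}")


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def logging_block(conf: str) -> str:
    """Return the text between the outer braces of the logging {} statement."""
    m = re.search(r"\blogging\s*\{", conf)
    if m is None:
        raise ValueError("no logging statement found")
    depth = 0
    for i in range(m.end() - 1, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[m.end():i]
    raise ValueError("unbalanced braces in logging statement")


def parse_logging(conf: str) -> Tuple[Set[str], Dict[str, List[str]]]:
    """Collect defined channel names and each category's list of channels."""
    block = logging_block(strip_comments(conf))
    channels = set(CHANNEL_RE.findall(block))
    categories = {
        name: [c.strip() for c in body.split(";") if c.strip()]
        for name, body in CATEGORY_RE.findall(block)
    }
    return channels, categories


def audit(conf: str) -> Dict[str, List[str]]:
    """Report channels nothing routes to, and references to undefined channels."""
    channels, categories = parse_logging(conf)
    referenced = {c for chans in categories.values() for c in chans}
    return {
        "orphan_channels": sorted(channels - referenced),
        "undefined_channels": sorted(referenced - channels - BUILTIN_CHANNELS),
        "routed_categories": sorted(categories),
    }


# Constructed sample: the logging block from the question, including the
# commented-out default_debug channel so comment stripping is exercised.
SAMPLE_CONF = """\
logging {
    /*channel default_debug {
        file "data/named.run";
        severity dynamic;
    };*/
    channel queries_log {
        file "/var/log/queries" versions 1 size 20m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug 3;
    };
    channel default_log {
        file "/var/named/log/default" versions 3 size 20m;
        severity info;
    };
    channel query-errors_log {
        file "/var/named/log/query-errors" versions 5 size 20m;
        severity dynamic;
    };
    category queries { queries_log; };
    category client { queries_log; };
};
"""

# The same block with the two category statements the question's config lacks.
FIXED_CONF = SAMPLE_CONF.replace(
    "    category client { queries_log; };\n",
    "    category client { queries_log; };\n"
    "    category default { default_log; };\n"
    "    category query-errors { query-errors_log; };\n",
)

if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("categories added", FIXED_CONF)):
        print(label, audit(conf))
```

Run against the posted block it lists default_log and query-errors_log as orphans, which matches the symptom: the files exist and rotate, but nothing is ever routed into them. A channel name in a category that has no matching channel {} (and is not one of the built-ins) is the other common mistake; named rejects that at startup, so it shows up in the undefined_channels list here.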
So it seems the issue was that the log files and logging channels I was trying to create were not available in the BIND version I was using.
I ran yum update bind-utils and it put me on the 9.11 release.
Since the update, all logging channels are working correctly.