Chapter 8. DNS Reports
Prev Part II. Reports Reference Next

Chapter 8. DNS Reports

Table of Contents

Supported Log Format
Bind8 Query Log
Bind9 Query Log
Report Descriptions and Configuration
Top Requesting Hosts Report
Top Requesting Hosts Report
Top Requested Names Report
Distribution of Request Types by Method DNS Report
Distribution of Request Types Report
Requests By Period DNS Report
Requests By Timeslot DNS Report
Requests by Period by Method DNS Report
Requests by Timeslot by Method DNS Report
Filter Descriptions and Configuration
Select Resolver Filter

Supported Log Format

Lire supports query logs of two DNS servers: Bind 8™ and Bind 9™.

Note

You have to enable query logging in bind, something which is not turned on by default.

Example 8.1. Enabling Query Log In Bind

To enable query logging in Bind 8™ or Bind 9™, you should add the following to your named.conf configuration file: 

logging {
    channel query_logging {
         file "/var/log/named_querylog"
         versions 3 size 100M;
         print-time yes;                 // timestamp log entries
      };

      category queries {
          query_logging;
      };
};

Bind8 Query Log

Bind 8™'s query logs contain one entry for each DNS query made to the name server. It logs the time of the query (you have to set print-time to yes for this), the IP of the requesting client, the name queried, the type of the query and the protocol. Recursive queries will have a + after the XX which appears in all query entries.

Example 8.2. Sample Bind 8™ Query Log

10-Apr-2000 00:01:20.307 XX /10.2.3.4/1.2.3.in-addr.arpa/SOA/IN
10-Apr-2000 00:01:20.308 XX+/10.4.3.2/host.foo.com/A/IN

Bind9 Query Log

Bind 9™ logs the same information as Bind 8™ (except whether the request was recursive or not) but in a different format.

Note

We also support the new date format introduced in Bind9 9.3 which also contains the year (15-Jul-2002).

Example 8.3. Sample Bind 9™ Query Log

print-severity and print-category were set to yes to obtain that log. Lire also accepts logs where those are turned off. 

Feb 25 11:09:43.651 queries: info: client 10.0.0.3#1035: \
    query: 3.example.com.nl IN A
Feb 25 11:09:48.739 queries: info: client 10.0.0.3#1035: \
    query: 3.example.com.nl IN A
Feb 25 12:50:32.476 queries: info: client 10.0.0.3#1035: \
    query: 21.example.com.co.uk IN A
Feb 25 12:50:34.110 queries: info: client 10.0.0.3#1035: \
    query: 22.example.com IN A

Tip

If you miss the recursive flag from Bind 8™, it is possible to add back that feature by patching Bind 9™. The following patch by by Wytze van der Raay will add a + or - after the query type to indicate whether the query was recursive or not. Lire will detect that the log file was made by a patched Bind 9™. 

# patch bin/named/query.c to log recursive/non-recursive query indication
SRC=bin/named/query.c
if [ -f ${SRC}.org ]
then
    echo "Patched ${SRC} already in place"
else
    echo "Patch ${SRC} for recursive/non-recursive query indication"
    cp -p ${SRC} ${SRC}.org
    patch -p0 ${SRC} <<\!
--- bin/named/query.c.org       Mon Sep 24 22:57:48 2001
+++ bin/named/query.c   Tue Sep 25 09:55:21 2001
@@ -3272,7 +3272,8 @@
        dns_rdatatype_format(rdataset->type, typename, sizeof(typename));

        ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
-                     level, "query: %s %s %s", namebuf, classname, typename);
+                     level, "query: %s %s %s%s", namebuf, classname, typename,
+                     WANTRECURSION(client) ? "+" : "-");
 }

 void
!
fi
Prev Up Next
Chapter 7. Dialup Reports Home Report Descriptions and Configuration