我在 bind 中设置了一个视图,以便为 VPN 用户提供不同的结果,但我不提供其他查询,因此非 VPN 查询将失败并路由回其内部网络 DNS 服务器。它工作正常,但我厌倦了填满系统日志的所有查询“拒绝”消息。
我尝试在视图中放置一个 logging { }; 部分,但 bind 报错拒绝了这种写法。关于如何把这个特定视图的 security 类别消息单独分离出来,您有什么想法吗?
答案1
无法为每个视图单独指定 logging 语句。但是,如果您使用 syslog-ng 进行 syslog 日志记录,则可以用过滤器把这些消息过滤掉。
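# Drop named's query-"denied" noise before it reaches the rule that writes the DNS log.
# The filter is scoped with program() so an unrelated daemon logging the same words
# is still kept (over-broad drop filters hide real events); the match is anchored to
# the MESSAGE part so host/program fields cannot accidentally satisfy the regex.
# Assumes the syslog program name is "named" -- confirm against your syslog output.
# The regex is a placeholder: replace it with the exact text of the denied message.
filter f_no_named_denied {
    not (program("named") and match("<denied-message-regex>" value("MESSAGE")));
};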
然后把这个过滤器加到您用于写 DNS 日志的那条规则(log 语句)上。
答案2
这是我的设置(位于 named.options.conf 中,通过一个 include 文件加载):
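// Per-category logging for named.
// "security" is where the view's query-"denied" messages land; it is sent to
// BOTH the audit file and syslog here, so syslog is not silenced by this config.
// To keep those messages out of syslog, drop default_syslog from that category.
logging {
    channel default_syslog {
        // Send most of the named messages to syslog.
        // severity debug forwards debug output to syslog as well; raise it
        // (e.g. info) once the setup is verified, or syslog stays noisy.
        syslog local2;
        severity debug;
    };
    channel audit_log {
        // Send the security related messages to a separate file.
        // versions/size let named rotate the file itself; without them it
        // grows without bound (queries at severity debug is high volume).
        // 10 x 50m is a constructed example -- size it to how long security
        // events must be retained, since rotation discards the oldest file.
        // The directory must be writable by the user named runs as.
        file "/var/named/system/named.log" versions 10 size 50m;
        severity debug;
        print-time yes;
    };
    channel null {
        // Discard.
        null;
    };
    category default      { default_syslog; };
    category general      { default_syslog; };
    category security     { audit_log; default_syslog; };
    category config       { default_syslog; };
    category resolver     { audit_log; };
    category xfer-in      { audit_log; };
    category xfer-out     { audit_log; };
    category notify       { audit_log; };
    category client       { audit_log; };
    category network      { audit_log; };
    category update       { audit_log; };
    // Every received query is written to the audit file (one line per query).
    category queries      { audit_log; };
    category lame-servers { null; };
};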
如果您使用此方法,请确保对该文件做日志轮换,否则它会变得非常庞大。
答案3
您可以完全在 Bind 本身内完成,而不依赖 syslog。我在我的所有 Bind 9 DNS 服务器上都使用此配置。只需将以下几行插入到您的 named.conf 中,运行 named-checkconf 确认语法正确,然后重新启动 Bind。一旦确认它正常工作,您就可以开始调整 severity 设置和其他部分。我认为重新加载(reload)Bind 也应该能使这些更改生效。
logging {
channel default_file { file "/var/log/named/default.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel general_file { file "/var/log/named/general.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel database_file { file "/var/log/named/database.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel security_file { file "/var/log/named/security.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel config_file { file "/var/log/named/config.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel resolver_file { file "/var/log/named/resolver.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel xfer-in_file { file "/var/log/named/xfer-in.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel xfer-out_file { file "/var/log/named/xfer-out.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel notify_file { file "/var/log/named/notify.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel client_file { file "/var/log/named/client.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel unmatched_file { file "/var/log/named/unmatched.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel queries_file { file "/var/log/named/queries.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel network_file { file "/var/log/named/network.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel update_file { file "/var/log/named/update.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel dispatch_file { file "/var/log/named/dispatch.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel dnssec_file { file "/var/log/named/dnssec.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel lame-servers_file { file "/var/log/named/lame-servers.log" versions 3 size 5m; severity dynamic; print-time yes;
};