Separate logging per view in bind?

I set up a view in bind so that VPN users get different results, but I don't serve any other queries, so non-VPN queries fail and are routed back to their internal network DNS server. It works fine, but I'm tired of all the query "denied" messages filling up the syslog.

I tried putting a logging { }; section inside the view, but bind complained. Any ideas on how to separate out the security messages for this particular view?

Answer 1

There is no way to specify a logging statement per view. However, if you use syslog-ng for your syslog logging, you can filter the messages out with a filter.

filter f_no_named_denied {
   not match (regex for the message here);
};

Then apply this filter to whatever rule you use for the DNS logs.
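The filter above hinges on a regex that matches BIND's denial message for one view only. As an added example (not part of this answer or of BIND), the Python below shows the shape of that match and what it does to a log stream: denials carrying "view vpn:" are routed to a sidecar, everything else (other views' denials, denials from a server without views, unrelated messages) stays in the main log. The log lines are constructed to follow the form BIND 9 uses for query denials (client ADDR#PORT (QNAME): view NAME: query (cache) 'QNAME/TYPE/CLASS' denied); the view name "vpn", the hostnames and the addresses are assumptions.

```python
"""Route BIND query-denial messages for one view out of the main log.

Added example, not from the original answer. SAMPLE is constructed; it
mimics the BIND 9 security-category message for a refused query. The
view name "vpn" is an assumption.
"""
import re
import sys
from typing import Dict, Iterable, List, Optional, Tuple

# "view NAME:" appears only when named is configured with views; the
# "@0x..." client handle appears only in newer BIND 9 releases, so both
# are optional. The qname group is what you would key an alert on.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?:"
    r"(?: view (?P<view>[^:]+):)?"
    r" query(?: \([a-z]+\))? '(?P<qname>[^']+)' denied"
)

# Constructed sample lines (syslog prefix + named message).
SAMPLE = [
    "Mar  3 10:01:02 ns1 named[1234]: client @0x7f3c4c0 10.8.0.12#51234 "
    "(intranet.example.net): view vpn: query (cache) 'intranet.example.net/A/IN' denied",
    "Mar  3 10:01:03 ns1 named[1234]: client @0x7f3c4c1 192.0.2.55#40001 "
    "(www.example.com): view vpn: query (cache) 'www.example.com/A/IN' denied",
    "Mar  3 10:01:04 ns1 named[1234]: client @0x7f3c4c2 10.8.0.13#51235 "
    "(corp.example.net): view corp: query (cache) 'corp.example.net/AAAA/IN' denied",
    "Mar  3 10:01:05 ns1 named[1234]: zone example.net/IN: loaded serial 2024030301",
    # Older format, server without views: no client handle, no "view X:".
    "Mar  3 10:01:06 ns1 named[1234]: client 10.8.0.14#51236 "
    "(x.example.net): query (cache) 'x.example.net/A/IN' denied",
]


def parse_denied(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return addr/view/qname for a denial line, or None for anything else."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    return {"addr": m.group("addr"), "view": m.group("view"), "qname": m.group("qname")}


def route(lines: Iterable[str], quiet_view: str) -> Tuple[List[str], List[str]]:
    """Split lines into (main, sidecar).

    Only denials whose view equals quiet_view go to the sidecar; denials
    from other views or from a view-less server stay in main, so nothing
    is silently lost that the filter was not asked to move.
    """
    main: List[str] = []
    sidecar: List[str] = []
    for line in lines:
        d = parse_denied(line)
        if d is not None and d["view"] == quiet_view:
            sidecar.append(line)
        else:
            main.append(line)
    return main, sidecar


def summarize(lines: Iterable[str]) -> Dict[str, int]:
    """Count denials per view; useful before deciding which view to quiet."""
    counts: Dict[str, int] = {}
    for line in lines:
        d = parse_denied(line)
        if d is None:
            continue
        key = d["view"] if d["view"] is not None else "(no view)"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: named.log on stdin; main log to stdout, quieted view to stderr.
    view = sys.argv[1] if len(sys.argv) > 1 else "vpn"
    kept, moved = route((l.rstrip("\n") for l in sys.stdin), view)
    sys.stdout.write("\n".join(kept) + ("\n" if kept else ""))
    sys.stderr.write("\n".join(moved) + ("\n" if moved else ""))
```

The same regex, with the view name substituted, is what the syslog-ng match() in the filter above would carry; keeping the denials in a sidecar rather than discarding them preserves the audit trail for the view you are quieting.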

Answer 2

Here is my setup (in named.options.conf, loaded via an include file):

logging {
        channel default_syslog {
                // Send most of the named messages to syslog.
                syslog local2;
                severity debug; 
        };

        channel audit_log {
                // Send the security related messages to a separate file.
                file "/var/named/system/named.log";
                severity debug;
                print-time yes; 
        };

        channel null {
                null;
        };

        category default { default_syslog; };
        category general { default_syslog; };
        category security { audit_log; default_syslog; };
        category config { default_syslog; };
        category resolver { audit_log; };
        category xfer-in { audit_log; };
        category xfer-out { audit_log; };
        category notify { audit_log; };
        category client { audit_log; };
        category network { audit_log; };
        category update { audit_log; };
        category queries { audit_log; };
        category lame-servers { null; }; 

};

If you use this method, make sure you rotate this file, or it will get very large.

Answer 3

You can do it all within Bind itself rather than syslog. I use this configuration on all my Bind 9 DNS servers. Just insert the following lines into your named.conf, run named-checkconf to make sure the syntax is correct, and restart Bind. Once you are sure it is working, you can start tweaking the severity settings and other parts. I think reloading Bind should pick up the changes.

logging {
  channel default_file { file "/var/log/named/default.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel general_file { file "/var/log/named/general.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel database_file { file "/var/log/named/database.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel security_file { file "/var/log/named/security.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel config_file { file "/var/log/named/config.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel resolver_file { file "/var/log/named/resolver.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel xfer-in_file { file "/var/log/named/xfer-in.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel xfer-out_file { file "/var/log/named/xfer-out.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel notify_file { file "/var/log/named/notify.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel client_file { file "/var/log/named/client.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel unmatched_file { file "/var/log/named/unmatched.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel queries_file { file "/var/log/named/queries.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel network_file { file "/var/log/named/network.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel update_file { file "/var/log/named/update.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel dispatch_file { file "/var/log/named/dispatch.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel dnssec_file { file "/var/log/named/dnssec.log" versions 3 size 5m; severity dynamic; print-time yes; };
  channel lame-servers_file { file "/var/log/named/lame-servers.log" versions 3 size 5m; severity dynamic; print-time yes; };
  // A channel receives nothing until a category is pointed at it, so each category below is bound to its file.
  category default { default_file; };
  category general { general_file; };
  category database { database_file; };
  category security { security_file; };
  category config { config_file; };
  category resolver { resolver_file; };
  category xfer-in { xfer-in_file; };
  category xfer-out { xfer-out_file; };
  category notify { notify_file; };
  category client { client_file; };
  category unmatched { unmatched_file; };
  category queries { queries_file; };
  category network { network_file; };
  category update { update_file; };
  category dispatch { dispatch_file; };
  category dnssec { dnssec_file; };
  category lame-servers { lame-servers_file; };
};
