samba - Jan 2018 - DNS logging for TLD queries?

Hello,

     Is it possible to filter DNS queries for specific TLD's using the 
internal logging system? My IPS/IDS alerts me when a suspicious TLD is 
being queried. However I'm only able to see the DC as the source.  Thanks.

Ubuntu 14.04 Samba 4.7.3.

-- 
--
James

Hi LingPanda101,

>     Is it possible to filter DNS queries for specific TLD's using the
> internal logging system? My IPS/IDS alerts me when a suspicious TLD is
> being queried. However I'm only able to see the DC as the source. 
Thanks.
>
> Ubuntu 14.04 Samba 4.7.3.
First you should really upgrade to 4.7.4 (see recent changelog)

Second, if you are not using Bind DLZ, you should set it up, it works 
much better than the internal DNS engine.

And third it is then just a matter of configuring Bind properly, you can 
check our wiki at the following address (yeah, it's in French, but it 
shouldn't be too much of a hassle for your favorite translation tool):

https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9

Actually we had exactly the same question from a client a few month ago...

Cheers, and happy new year 2018!

Denis
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

On 1/2/2018 2:50 AM, Denis Cardon wrote:
> Hi LingPanda101,
>
>
>>     Is it possible to filter DNS queries for specific TLD's using
the
>> internal logging system? My IPS/IDS alerts me when a suspicious TLD is
>> being queried. However I'm only able to see the DC as the source.  
>> Thanks.
>>
>> Ubuntu 14.04 Samba 4.7.3.
>
> First you should really upgrade to 4.7.4 (see recent changelog)
>
> Second, if you are not using Bind DLZ, you should set it up, it works 
> much better than the internal DNS engine.
>
> And third it is then just a matter of configuring Bind properly, you 
> can check our wiki at the following address (yeah, it's in French, but 
> it shouldn't be too much of a hassle for your favorite translation
tool):
>
> https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9
>
> Actually we had exactly the same question from a client a few month 
> ago...
>
> Cheers, and happy new year 2018!
>
> Denis
>
>>
>
>
Thanks Denis.

     I was trying to avoid Bind but will give it a go as I do require 
more insight into DNS.

-- 
--
James

Yes,, this is very welkom! Thanks Dennis!! 

I've "Debianized" this a bit also. 
It now matched the "adm" administrative group that is allowed to read
the logs.

if [ ! -d /var/log/bind ]; then
  install -d /var/log/bind -m 0750 -o bind -g adm
fi

if [ ! -e /etc/logrotate.d/bind ]; then
cat << EOF >> /etc/logrotate.d/bind
/var/log/bind/*.log {
  daily
  missingok
  rotate 7
  compress
  delaycompress
  notifempty
  create 0640 bind adm
  postrotate
    systemctl reload bind9 > /dev/null
  endscript
}
EOF
fi


And configure it as shown on the site. 


Greetz and Happy New Year Everybody. 


Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> lingpanda101 via samba
> Verzonden: dinsdag 2 januari 2018 16:25
> Aan: Denis Cardon; samba at lists.samba.org
> Onderwerp: Re: [Samba] DNS logging for TLD queries?
> 
> On 1/2/2018 2:50 AM, Denis Cardon wrote:
> > Hi LingPanda101,
> >
> >
> >>     Is it possible to filter DNS queries for specific 
> TLD's using the
> >> internal logging system? My IPS/IDS alerts me when a 
> suspicious TLD is
> >> being queried. However I'm only able to see the DC as the
source. 
> >> Thanks.
> >>
> >> Ubuntu 14.04 Samba 4.7.3.
> >
> > First you should really upgrade to 4.7.4 (see recent changelog)
> >
> > Second, if you are not using Bind DLZ, you should set it 
> up, it works 
> > much better than the internal DNS engine.
> >
> > And third it is then just a matter of configuring Bind 
> properly, you 
> > can check our wiki at the following address (yeah, it's in 
> French, but 
> > it shouldn't be too much of a hassle for your favorite 
> translation tool):
> >
> > 
> https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9
> >
> > Actually we had exactly the same question from a client a few month 
> > ago...
> >
> > Cheers, and happy new year 2018!
> >
> > Denis
> >
> >>
> >
> >
> Thanks Denis.
> 
>      I was trying to avoid Bind but will give it a go as I do require 
> more insight into DNS.
> 
> -- 
> --
> James
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

On 1/2/2018 2:50 AM, Denis Cardon wrote:
> Hi LingPanda101,
>
>
>>     Is it possible to filter DNS queries for specific TLD's using
the
>> internal logging system? My IPS/IDS alerts me when a suspicious TLD is
>> being queried. However I'm only able to see the DC as the source.  
>> Thanks.
>>
>> Ubuntu 14.04 Samba 4.7.3.
>
> First you should really upgrade to 4.7.4 (see recent changelog)
>
> Second, if you are not using Bind DLZ, you should set it up, it works 
> much better than the internal DNS engine.
>
> And third it is then just a matter of configuring Bind properly, you 
> can check our wiki at the following address (yeah, it's in French, but 
> it shouldn't be too much of a hassle for your favorite translation
tool):
>
> https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9
>
> Actually we had exactly the same question from a client a few month 
> ago...
>
> Cheers, and happy new year 2018!
>
> Denis
>
>>
>
>
Denis,

     I've attempted to setup the logging per your link. I ran into a 
couple issues.

  * Using your template for log.conf. Bind refuses to start because of
    the following lines.
      o 'local syslog2;' Bind complains it doesn't know how to
interpret
        local
          + I'm assuming this line tells the logging system where to
            find syslog? I replaced with 'file
"var/log/syslog";'
  * Bind also didn't know how to interpret 'blade-servers {null; };'
      o Seeing as I'm not using one. I commented the line out.

After these changes Bind still wouldn't start, but not because of these 
errors. Now its a permission issue.

set up managed keys zone for view _default, file 'managed-keys.bind'
Jan  3 09:25:03 ddc2 named[13127]: command channel listening on 
127.0.0.1#953
Jan  3 09:25:03 ddc2 named[13127]: command channel listening on ::1#953
Jan  3 09:25:03 ddc2 named[13127]: isc_stdio_open '/var/log/syslog' 
failed: permission denied
Jan  3 09:25:03 ddc2 named[13127]: configuring logging: permission denied
Jan  3 09:25:03 ddc2 named[13127]: loading configuration: permission denied
Jan  3 09:25:03 ddc2 named[13127]: exiting (due to fatal error)

Before I go changing permissions. Am I correct in the two changes I made 
previously to get to this point? Thanks.

  --

James