Hello,

Is it possible to filter DNS queries for specific TLDs using the internal logging system? My IPS/IDS alerts me when a suspicious TLD is being queried. However, I'm only able to see the DC as the source. Thanks.

Ubuntu 14.04 Samba 4.7.3.

-- 
James
Hi LingPanda101,

> Is it possible to filter DNS queries for specific TLD's using the
> internal logging system? My IPS/IDS alerts me when a suspicious TLD is
> being queried. However I'm only able to see the DC as the source. Thanks.
>
> Ubuntu 14.04 Samba 4.7.3.

First you should really upgrade to 4.7.4 (see recent changelog).

Second, if you are not using Bind DLZ, you should set it up; it works much better than the internal DNS engine.

And third, it is then just a matter of configuring Bind properly. You can check our wiki at the following address (yeah, it's in French, but it shouldn't be too much of a hassle for your favorite translation tool):

https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9

Actually we had exactly the same question from a client a few months ago...

Cheers, and happy new year 2018!

Denis

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
On 1/2/2018 2:50 AM, Denis Cardon wrote:
> First you should really upgrade to 4.7.4 (see recent changelog)
>
> Second, if you are not using Bind DLZ, you should set it up, it works
> much better than the internal DNS engine.
>
> And third it is then just a matter of configuring Bind properly, you
> can check our wiki at the following address (yeah, it's in French, but
> it shouldn't be too much of a hassle for your favorite translation tool):
>
> https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9

Thanks Denis.

I was trying to avoid Bind but will give it a go as I do require more insight into DNS.

-- 
James
Yes, this is very welcome! Thanks Denis!!

I've "Debianized" this a bit also. It now matches the "adm" administrative group that is allowed to read the logs.

# Create the Bind log directory, owned by bind and readable by the "adm" group
if [ ! -d /var/log/bind ]; then
    install -d /var/log/bind -m 0750 -o bind -g adm
fi

# Add a logrotate policy for the Bind logs if none exists yet
if [ ! -e /etc/logrotate.d/bind ]; then
    cat << EOF >> /etc/logrotate.d/bind
/var/log/bind/*.log {
    daily
    missingok
    rotate 7
    compress
    delaycompress
    notifempty
    create 0640 bind adm
    postrotate
        systemctl reload bind9 > /dev/null
    endscript
}
EOF
fi

And configure it as shown on the site.

Greetz and Happy New Year Everybody.

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> lingpanda101 via samba
> Sent: Tuesday, 2 January 2018 16:25
> To: Denis Cardon; samba at lists.samba.org
> Subject: Re: [Samba] DNS logging for TLD queries?
>
> On 1/2/2018 2:50 AM, Denis Cardon wrote:
> > Second, if you are not using Bind DLZ, you should set it up, it works
> > much better than the internal DNS engine.
> >
> > https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9
>
> Thanks Denis.
>
> I was trying to avoid Bind but will give it a go as I do require
> more insight into DNS.
>
> -- 
> James
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 1/2/2018 2:50 AM, Denis Cardon wrote:
> And third it is then just a matter of configuring Bind properly, you
> can check our wiki at the following address (yeah, it's in French, but
> it shouldn't be too much of a hassle for your favorite translation tool):
>
> https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9

Denis,

I've attempted to set up the logging per your link. I ran into a couple of issues.

* Using your template for log.conf, Bind refuses to start because of the following lines.
  o 'local syslog2;' Bind complains it doesn't know how to interpret "local".
    + I'm assuming this line tells the logging system where to find syslog? I replaced it with 'file "var/log/syslog";'
* Bind also didn't know how to interpret 'blade-servers {null; };'
  o Seeing as I'm not using one, I commented the line out.

After these changes Bind still wouldn't start, but not because of these errors. Now it's a permission issue.
set up managed keys zone for view _default, file 'managed-keys.bind'
Jan 3 09:25:03 ddc2 named[13127]: command channel listening on 127.0.0.1#953
Jan 3 09:25:03 ddc2 named[13127]: command channel listening on ::1#953
Jan 3 09:25:03 ddc2 named[13127]: isc_stdio_open '/var/log/syslog' failed: permission denied
Jan 3 09:25:03 ddc2 named[13127]: configuring logging: permission denied
Jan 3 09:25:03 ddc2 named[13127]: loading configuration: permission denied
Jan 3 09:25:03 ddc2 named[13127]: exiting (due to fatal error)

Before I go changing permissions, am I correct in the two changes I made previously to get to this point? Thanks.

-- 
James
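Added example, not posted by anyone in this thread and not taken from the Tranquil IT wiki: once Bind's "queries" logging category is written to a file as Denis suggests, this small Python filter does what James asked for in his first message. It pulls the client address and query name out of each BIND 9 query-log line, keeps the queries whose TLD is on a watch list, and tallies which client asked, so an IDS alert that names only the DC can be traced back to the workstation. The log lines are constructed samples (the hostname "ddc2" is borrowed from James's output); the regular expression assumes the standard BIND 9 query-log layout, `client [@0xHANDLE ]IP#PORT (NAME): query: NAME CLASS TYPE ...`, which covers both the 9.9/9.10 form and the 9.11+ form that adds a client handle, whatever timestamp or syslog prefix precedes it.

```python
import re
from collections import Counter, defaultdict

# Matches the client/query part of a BIND 9 "queries" category line. The
# optional "@0x..." group absorbs the client handle that BIND 9.11+ prints;
# re.search() is used so any timestamp or syslog prefix is ignored.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\([^)]*\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

# Constructed sample log lines (not real traffic), in the syslog layout
# seen in the thread. Line 3 uses the 9.11+ format with a client handle.
SAMPLE_LOG = """\
Jan  3 09:30:01 ddc2 named[13127]: client 192.168.1.50#51234 (update.example.xyz): query: update.example.xyz IN A + (192.168.1.10)
Jan  3 09:30:02 ddc2 named[13127]: client 192.168.1.77#40001 (mail.example.com): query: mail.example.com IN MX + (192.168.1.10)
Jan  3 09:30:03 ddc2 named[13127]: client @0x7f1c2c0a4b10 192.168.1.50#51235 (cdn.example.top): query: cdn.example.top IN AAAA +E(0) (192.168.1.10)
Jan  3 09:30:04 ddc2 named[13127]: client 192.168.1.23#39999 (10.1.168.192.in-addr.arpa): query: 10.1.168.192.in-addr.arpa IN PTR + (192.168.1.10)
Jan  3 09:30:05 ddc2 named[13127]: client 192.168.1.23#40000 (wpad): query: wpad IN A + (192.168.1.10)
Jan  3 09:30:06 ddc2 named[13127]: client 192.168.1.90#45000 (beacon.example.XYZ): query: beacon.example.XYZ IN TXT + (192.168.1.10)
"""


def parse_query(line):
    """Return {'client', 'qname', 'qtype', 'tld'} for a query-log line, or None
    for any line that is not a query record (startup messages, errors, ...)."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    # Normalise the name: drop a trailing root dot, compare case-insensitively.
    qname = m.group("qname").rstrip(".").lower()
    labels = qname.split(".")
    # A single-label name such as "wpad" has no TLD to classify.
    tld = labels[-1] if len(labels) > 1 else None
    return {"client": m.group("ip"), "qname": qname,
            "qtype": m.group("qtype"), "tld": tld}


def find_tld_queries(log_text, watched_tlds):
    """All parsed queries whose TLD is in watched_tlds (case-insensitive,
    with or without a leading dot)."""
    watched = {t.lower().lstrip(".") for t in watched_tlds}
    hits = []
    for line in log_text.splitlines():
        q = parse_query(line)
        if q and q["tld"] in watched:
            hits.append(q)
    return hits


def clients_by_tld(log_text, watched_tlds):
    """Map each watched TLD that was queried to {client_ip: query_count}."""
    summary = defaultdict(Counter)
    for q in find_tld_queries(log_text, watched_tlds):
        summary[q["tld"]][q["client"]] += 1
    return {tld: dict(counts) for tld, counts in summary.items()}


if __name__ == "__main__":
    # Constructed watch list; in practice use the TLDs the IDS alerts on.
    for tld, clients in sorted(clients_by_tld(SAMPLE_LOG, {"xyz", "top"}).items()):
        print(tld, clients)
```

Run against a real file with `clients_by_tld(open("/var/log/bind/query.log").read(), {...})`; lines that are not query records, such as the "command channel listening" messages in James's output, are skipped rather than raising, because `parse_query` returns None for them.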