On 1/2/2018 2:50 AM, Denis Cardon wrote:
> Hi LingPanda101,
>
>> Is it possible to filter DNS queries for specific TLDs using the
>> internal logging system? My IPS/IDS alerts me when a suspicious TLD is
>> being queried. However I'm only able to see the DC as the source.
>> Thanks.
>>
>> Ubuntu 14.04 Samba 4.7.3.
>
> First you should really upgrade to 4.7.4 (see recent changelog)
>
> Second, if you are not using Bind DLZ, you should set it up, it works
> much better than the internal DNS engine.
>
> And third it is then just a matter of configuring Bind properly, you
> can check our wiki at the following address (yeah, it's in French, but
> it shouldn't be too much of a hassle for your favorite translation tool):
>
> https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9
>
> Actually we had exactly the same question from a client a few months
> ago...
>
> Cheers, and happy new year 2018!
>
> Denis

Denis,

I've attempted to set up the logging per your link. I ran into a couple of issues.

* Using your template for log.conf, Bind refuses to start because of the following lines.
  * 'local syslog2;' Bind complains it doesn't know how to interpret local
    * I'm assuming this line tells the logging system where to find syslog? I replaced it with 'file "var/log/syslog";'
* Bind also didn't know how to interpret 'blade-servers {null; };'
  * Seeing as I'm not using one, I commented the line out.

After these changes Bind still wouldn't start, but not because of these errors. Now it's a permission issue.

set up managed keys zone for view _default, file 'managed-keys.bind'
Jan 3 09:25:03 ddc2 named[13127]: command channel listening on 127.0.0.1#953
Jan 3 09:25:03 ddc2 named[13127]: command channel listening on ::1#953
Jan 3 09:25:03 ddc2 named[13127]: isc_stdio_open '/var/log/syslog' failed: permission denied
Jan 3 09:25:03 ddc2 named[13127]: configuring logging: permission denied
Jan 3 09:25:03 ddc2 named[13127]: loading configuration: permission denied
Jan 3 09:25:03 ddc2 named[13127]: exiting (due to fatal error)

Before I go changing permissions, am I correct in the two changes I made previously to get to this point? Thanks.

--
James
On 1/3/2018 9:38 AM, lingpanda101 wrote:
> Denis,
>
> I've attempted to set up the logging per your link. I ran into a
> couple of issues.
>
> * Using your template for log.conf, Bind refuses to start because of
>   the following lines.
>   * 'local syslog2;' Bind complains it doesn't know how to
>     interpret local
>     * I'm assuming this line tells the logging system where to
>       find syslog? I replaced it with 'file "var/log/syslog";'
> * Bind also didn't know how to interpret 'blade-servers {null; };'
>   * Seeing as I'm not using one, I commented the line out.
>
> After these changes Bind still wouldn't start, but not because of
> these errors. Now it's a permission issue.
>
> set up managed keys zone for view _default, file 'managed-keys.bind'
> Jan 3 09:25:03 ddc2 named[13127]: command channel listening on 127.0.0.1#953
> Jan 3 09:25:03 ddc2 named[13127]: command channel listening on ::1#953
> Jan 3 09:25:03 ddc2 named[13127]: isc_stdio_open '/var/log/syslog' failed: permission denied
> Jan 3 09:25:03 ddc2 named[13127]: configuring logging: permission denied
> Jan 3 09:25:03 ddc2 named[13127]: loading configuration: permission denied
> Jan 3 09:25:03 ddc2 named[13127]: exiting (due to fatal error)
>
> Before I go changing permissions, am I correct in the two changes I
> made previously to get to this point? Thanks.
>
> --
> James

Denis,

One issue was a typo. I omitted the 2 from the syslog file. Bind now starts but I do get

rndc: connect failed: 127.0.0.1#953: connection refused

--
James
The last error you get is because bind was not stopped, there is still something running.

ps -faux | egrep "rndc|bind|named"

Kill it and run the stop command again ( systemctl stop bind9 )
Then start it again, should work.

Gr,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> lingpanda101 via samba
> Sent: Wednesday 3 January 2018 16:00
> To: samba at lists.samba.org
> CC: Denis Cardon
> Subject: Re: [Samba] DNS logging for TLD queries?
>
> On 1/3/2018 9:38 AM, lingpanda101 wrote:
> > [...]
>
> Denis,
>
> One issue was a typo. I omitted the 2 from the syslog file. Bind
> now starts but I do get
>
> rndc: connect failed: 127.0.0.1#953: connection refused
>
> --
> James
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 1/3/2018 10:05 AM, L.P.H. van Belle wrote:
> The last error you get is because bind was not stopped, there is still something running.
> ps -faux | egrep "rndc|bind|named"
>
> Kill it and run the stop command again ( systemctl stop bind9 )
> Then start it again, should work.
>
> Gr,
>
> Louis

Louis,

You were correct. Thanks.

Logging appears to be working per Denis's instructions. However the client is identified by its A record. Any way to have it resolve to its NetBIOS or DNS name in the logs?

--
James
A quick google did not tell me that that's possible. So no clear answer from me here, but...

Have a look here. http://www.zytrax.com/books/dns/ch7/logging.html
Check the category category_names.

What I normally do in such cases: create a /var/log/bind folder and set the correct rights on it. Create all categories you see and log every one to a file. ! Separated files, imo better.
If one logs the hostname, you will find it.

Best I can quickly think of..

Greetz,

Louis

> -----Original message-----
> From: lingpanda101 [mailto:lingpanda101 at gmail.com]
> Sent: Wednesday 3 January 2018 16:12
> To: samba at lists.samba.org
> CC: L.P.H. van Belle
> Subject: Re: [Samba] DNS logging for TLD queries?
>
> On 1/3/2018 10:05 AM, L.P.H. van Belle wrote:
> > [...]
>
> Louis,
>
> You were correct. Thanks.
>
> Logging appears to be working per Denis's instructions. However
> the client is identified by its A record. Any way to have it resolve to its
> NetBIOS or DNS name in the logs?
>
> --
> James
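The two practical questions in this thread, filtering the query log for specific TLDs so the real client shows up instead of the DC, and turning the client's address into a name, can both be handled when reading the BIND query log that the logging setup produces. The following is an added example and not code from the thread, from the tranquil.it wiki, or from the zytrax page: it parses constructed BIND 9 "queries" category lines, keeps the ones whose TLD is on a watch list, and maps the client address to a hostname. The sample lines, the addresses, the names and the PTR_TABLE are assumptions standing in for a populated reverse zone; with no table the code asks the system resolver for the PTR record instead.

```python
"""Added example (not from the thread): scan a BIND 9 query log for lookups
of watched TLDs and map each client address back to a hostname."""
import re
import socket
from typing import Dict, Iterable, List, Optional, Tuple

# One line of BIND's "queries" category looks like (constructed sample):
#   client 192.0.2.10#54321 (www.example.com): query: www.example.com IN A + (192.0.2.1)
# Newer BIND 9 releases add a "@0x..." client handle after "client"; the
# regex tolerates it so the same parser works for both layouts.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log lines (assumed, not taken from the thread): only the
# second and third hit a watched TLD, and the last one is a non-query line
# that the parser must skip.
SAMPLE_LINES = [
    "03-Jan-2018 09:30:01.123 queries: info: client 192.0.2.10#54321 "
    "(www.example.com): query: www.example.com IN A + (192.0.2.1)",
    "03-Jan-2018 09:30:02.456 queries: info: client 192.0.2.25#41000 "
    "(update.host1.example.xyz): query: update.host1.example.xyz IN A + (192.0.2.1)",
    "03-Jan-2018 09:30:03.789 queries: info: client @0x7f3a1c002d60 192.0.2.30#50222 "
    "(www.host2.example.top): query: www.host2.example.top IN TXT +E(0) (192.0.2.1)",
    "03-Jan-2018 09:30:04.000 general: info: command channel listening on 127.0.0.1#953",
]

# Assumed PTR data: an offline stand-in for a populated reverse zone.
PTR_TABLE: Dict[str, str] = {
    "192.0.2.25": "ws-finance-07.ad.example.com",
    "192.0.2.30": "ws-hr-02.ad.example.com",
}


def parse_query(line: str) -> Optional[dict]:
    """Extract client IP, queried name and record type from one log line.
    Returns None for lines that are not query records."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    return {
        "client": m.group("ip"),
        "name": m.group("name").rstrip(".").lower(),
        "qtype": m.group("qtype"),
    }


def tld_of(name: str) -> str:
    """Last label of a name, e.g. 'com' for 'www.example.com'."""
    return name.rsplit(".", 1)[-1]


def resolve_client(ip: str, ptr_table: Optional[Dict[str, str]] = None) -> str:
    """Map a client address to a hostname. With ptr_table given, use it
    (offline); otherwise ask the system resolver for the PTR record, which
    only succeeds if the reverse zone for that subnet is populated. Falls
    back to the bare address so a hit is never lost."""
    if ptr_table is not None:
        return ptr_table.get(ip, ip)
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ip


def find_watched_tld_queries(
    lines: Iterable[str],
    watched_tlds: Iterable[str],
    ptr_table: Optional[Dict[str, str]] = None,
) -> List[Tuple[str, str, str, str]]:
    """Return (client_host, client_ip, queried_name, qtype) for every query
    whose TLD is in watched_tlds. TLDs may be given with or without a dot."""
    watched = {t.lower().lstrip(".") for t in watched_tlds}
    hits: List[Tuple[str, str, str, str]] = []
    for line in lines:
        q = parse_query(line)
        if q is None or tld_of(q["name"]) not in watched:
            continue
        hits.append((resolve_client(q["client"], ptr_table), q["client"], q["name"], q["qtype"]))
    return hits


if __name__ == "__main__":
    for host, ip, name, qtype in find_watched_tld_queries(SAMPLE_LINES, {"xyz", ".top"}, PTR_TABLE):
        print(f"{host} ({ip}) asked for {name} {qtype}")
```

Run it against a real file by replacing SAMPLE_LINES with the lines of the file the queries channel writes to, and drop the ptr_table argument to use live PTR lookups. Two caveats follow directly from the thread: the file must be writable by the user named runs as, which is what the "isc_stdio_open ... permission denied" messages above were about, and the reverse lookup only gives a name when the client's address has a PTR record, so hosts without one are reported by address, just as they appear in the log.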