Unix How-To: DNS Logging

While it's generally preferable to let DNS servers do their jobs quietly, you might sometimes want to turn on logging for troubleshooting or to see what kinds of requests routinely come through the service. To turn logging on, you just need to edit your configuration file and add some syntax that at first glance might seem fairly tricky.

Logging for DNS servers requires that you add a logging clause to your named.conf file. This can be mildly traumatic. There's so much syntax to choose from! But it may not be quite as difficult as you might expect.

Here's the basic syntax for the logging clause. Note that just about all of it is optional.

logging {
   [ channel channel_name {
     ( file path_name
         [ versions ( number | unlimited ) ]
         [ size size_spec ]
       | syslog syslog_facility
       | stderr
       | null );
     [ severity (critical | error | warning | notice |
                 info | debug [ level ] | dynamic ); ]
     [ print-category yes | no; ]
     [ print-severity yes | no; ]
     [ print-time yes | no; ]
   }; ]
   [ category category_name {
     channel_name ; [ channel_name ; ... ]
   }; ]
};

Here's what some of the keywords mean:

  • channel -- the control channel you want to log
  • file -- where you want to store log data (if not via syslog), absolute path in quotes
  • versions -- number of file versions that should be kept
  • size -- size limit on log file
  • syslog -- if using syslog logging facility
  • stderr -- write to standard error
  • null -- write to /dev/null
  • severity -- defines logging levels
  • print-category -- whether category is written to log (default is no)
  • print-severity -- whether severity is written to log (default is no)
  • print-time -- whether time stamps are added to log (default is no)
  • category -- controls what categories are written to the log and can be any of these:
    • client = client requests
    • config = config file parsing
    • database = internal DNS databases
    • delegation-only = queries returning NXDOMAIN following delegation-only zone or statement in a hint or stub zone declaration
    • dispatch = dispatch of incoming packets to server modules
    • dnssec = DNSSEC and TSIG protocol processing
    • general = the default (not matching other choices)
    • lame-servers = lame servers
    • network = network operations
    • notify = all NOTIFY operations
    • queries = all queries
    • resolver = name resolutions including recursive lookups
    • security = approvals and denials
    • unmatched = no matching clauses or unrecognized class value
    • update = all dynamic updates (DDNS)
    • update-security = approvals and denials of update requests
    • xfer-in = received zone transfers
    • xfer-out = sent zone transfers

Given the many choices, you can be fairly exacting about what you want to see. Comments can be inserted after "//" markers, as shown in the example. In this example, we are defining what we want logged (queries) and where we want to log the information. We'll store up to three versions with a maximum size of 100 MB.

logging {
      channel query_logging {
         file "/var/log/named_query.log"
         versions 3 size 100M;
         print-time yes;                 // timestamp log entries
      };

      category queries {
         query_logging;                  // send query messages to the channel above
      };
};
The trick is then to edit your named.conf (/etc/named.conf) file, add your logging clause and restart (or send a HUP to) BIND (named). Then you can peruse the log data and get an idea of what your name service is doing.

The log data collected will look something like this:

26-May-2010 11:44:26.564 XX+/
26-May-2010 11:44:26.974 XX+/
26-May-2010 11:44:27.116 XX+/
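
A small summarizer for the resulting query log, added here as an example and not part of the original article. It assumes the usual BIND 9 query-log layout (`client IP#port: query: name class type flags`); the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Assumed BIND 9 layout. Optional pieces: "queries: "/"info: " prefixes
# (print-category / print-severity), "@0x..." and "(name)" on newer releases.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?:queries: )?(?:info: )?"
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: (?:view \S+: )?"
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) (?P<flags>\S+)"
)

# Constructed sample lines (documentation addresses), not real log data.
SAMPLE = """\
26-May-2010 12:00:01.000 client 192.0.2.10#53124: query: www.example.com IN A +
26-May-2010 12:00:01.410 client 192.0.2.10#40211: query: mail.example.com IN MX +
26-May-2010 12:00:02.116 client 192.0.2.77#61002: query: WWW.example.com. IN AAAA -
26-May-2010 12:00:02.300 client @0x7f3a1c0 198.51.100.5#5353 (example.org): query: example.org IN ANY +E(0)
26-May-2010 12:00:02.512 this line does not match the assumed layout
"""


def parse_line(line):
    """Return the fields of one query-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Count queries per client, per record type and per name."""
    clients, qtypes, names = Counter(), Counter(), Counter()
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # format drift or a non-query message
            continue
        clients[rec["ip"]] += 1
        qtypes[rec["type"]] += 1
        names[rec["name"].lower().rstrip(".")] += 1
    return {"clients": clients, "qtypes": qtypes, "names": names,
            "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE.splitlines())
    for key in ("clients", "qtypes", "names"):
        print(key, report[key].most_common(3))
    print("unparsed lines:", report["unparsed"])
```

A non-zero unparsed count is worth checking before trusting the totals, since the line layout differs between BIND releases and logging options.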

This article is published as part of the IDG Contributor Network.