
I've been trying to get BIND server query logging working, creating 3 versions, max 100mb each. The system is SUSE SLES 11. I have found numerous how to articles on the web but none of them do anything other than break the DNS server. The machine is a virtualbox guest so I can keep going back to an unmodified snapshot of a working BIND server that doesn't do any query logging.

If I manually add the logging statements into named.conf, named will no longer load. messages shows "isc_stdio_open 'whatever i told it' failed: file not found." chown named.named logfile doesn't help or change the behavior in any way. Do anything with the apparmor profile file directly including just saving it without changing it and apparmor will never load that profile again. It will say there is already a profile.

Restore snapshot -> now back to having made no changes

use the GUI tools to configure logging for the dns server. named will not start because it still doesn't have rights or cannot find the log file. chown named.named logfile doesn't help. use the gui tools to configure apparmor. This at least doesn't kill the apparmor profile, but doesn't help the situation in any way regardless.

I have tried this on 2 different VMs, both SLES 11, both are just basic take-all-the-defaults installs and not in production yet.

I have tried several different combinations of using the gui tools and manually modifying the config files. I have tried different locations for the log file such as /var/log/querylog, /var/log/querylogs/querylog, /root/queries. I have tried using touch to create the log file, then chown it to named.named. I've tried using the gui to create the files/directories and then setting permissions.

Does anyone know how to get DNS Query logs, in a rotation of 3 files on a SLES 11 BIND server working? It doesn't seem like it should be anywhere near this much of a hassle.


Edit:

currently the logging section of named.conf looks like:

logging { channel log_file { file "/var/log/query_log.log" versions 3 size 100M; } ; category default { log_file; }; };

what gets reported in /var/log/messages is:

the working directory is not writable.
isc_stdio_open '/var/log/named/query_log.log' failed: file not found > configuring logging: file not found exiting (due to fatal error)

so it looks like there is some kind of permissions issue. I have created that directory and put a blank file in it named query_log.log. I made named the owner and granted everyone read, write and execute on /var/log/named and gave everyone read write on /var/log/named/query_log.log

ls -l of /var/log/named

-rwxrwxrwx 1 named named 0 Apr 26 08:43 query_log.log

ls -l of /var/log

//various files and directories
drwxr-xr-x 2 named named 4093 Apr 26 09:26 named


Edit 2:

To start the bind server I use rcnamed start. If I remove the logging section so that I can get named started, running ps aux | grep named shows that /usr/sbin/named is running as the user named.

Thank you for your help so far. What do I have to do to get this working?

GC78
  • Posting your configuration would help. – James O'Gorman Apr 25 '13 at 17:51
  • Reviewing and posting the errors from your syslog would also be useful after you update a config. Bind produces useful errors, that will tell you exactly what file/lines are broken. – Zoredache Apr 25 '13 at 18:02
  • What command line do you use to start named? And if you start it as root *without* giving it a -u argument, do you continue to have the same permission problems? – Michael McNally Apr 26 '13 at 18:11

1 Answer

Does anyone know how to get DNS Query logs, in a rotation of 3 files on a SLES 11 BIND server working? It doesn't seem like it should be anywhere near this much of a hassle.

It shouldn't be a hassle -- the syntax is straightforward and well-exercised (thousands and thousands of nameserver admins have used it.) It's theoretically possible but very unlikely you've found a new bug in it. Let's look at the more likely causes.

It never hurts to check your syntax first. As explained in the BIND Administrator's Reference Manual (aka "ARM"; a copy of the ARM appropriate to your BIND version is included with your BIND source or can be found at ISC's web site), section 6.2.10, you should first define a channel, e.g.:

channel example_query_channel { 
   file "bind_query.log" versions 3 size 20m; 
   print-time yes;
   print-category yes;
};

then direct the category you are interested in logging (i.e. "queries") to that channel:

category queries {
   example_query_channel; 
};

You can use the named-checkconf utility that comes with BIND to check the syntax of your config file for errors before you try to restart BIND with it.

If that doesn't work for you, you have a filesystem permission problem of some sort and not a BIND problem specifically; BIND is being prevented somehow from writing to the file you have specified in its appropriate directory. Maybe you are dropping privileges to run as a non-root user and that user doesn't have -x perms to traverse all directories in the path from the filesystem root to the directory you are writing in, or maybe you don't have -w perms to write files in that directory. Or possibly you have another security layer (you mention AppArmor) which is complicating matters further.

Michael McNally
  • OK, I've disabled apparmor to try to eliminate that from causing more complications at the moment. I added to my question now to give more information. I think this probably is a permissions issue, but I can't quite figure out exactly what the issue is. – GC78 Apr 26 '13 at 17:40
  • (See my comment above about "what user is named running as" -- please supply the entire command line used to start named.) – Michael McNally Apr 26 '13 at 18:12
  • Oh sorry Michael, I forgot to put that info up too. I've now added it to the question. – GC78 Apr 26 '13 at 18:27
  • Try starting named from the command line without a -u argument, just to see if it can start. (And don't use -g, you want it to log normally, not to stdout/stderr) What happens when you do that? – Michael McNally Apr 26 '13 at 18:30
  • How do I do that on SLES? I use rcnamed start to start it and I don't specify a user. It's being told to use the named user from somewhere else ---- OK, I edited /init.d/named and changed the user from named to root – GC78 Apr 26 '13 at 19:05
  • As root I get the same file not found error – GC78 Apr 26 '13 at 19:11
  • Are you running BIND chroot'ed? If so, is there a path to /var/log/named under the alternate filesystem root? – Michael McNally Apr 27 '13 at 18:38
  • I just had a chance to look more closely at the config line you posted. It reads (in part): file "/var/log/query_log.log" which means named is trying to write to the /var/log directory, not /var/log/named. It's unclear why it would not work when you ran as root, but it might explain why named is not successfully writing where you expect when running as named. – Michael McNally Apr 27 '13 at 18:46
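The answer's permission diagnosis (traverse bits on every directory from / down, write bits in the log directory, plus the file itself once rotation renames it) can be checked without guessing. The script below is an added example, not from the thread or from BIND: it takes the uid/gid named drops to (its -u user), and the absolute path from the channel's file clause, and reports which component blocks access. It assumes GNU stat (-c) and checks plain DAC bits only; ACLs, supplementary groups, AppArmor and a chroot are out of scope, so a clean result still leaves those to verify.

```shell
#!/bin/sh
# Added diagnostic, not from the original thread. Plain DAC bits only:
# ACLs, supplementary groups, AppArmor and chroot are not modelled.

# mode_allows MODE OWNER_UID OWNER_GID UID GID BIT   (BIT: 4=r 2=w 1=x)
mode_allows() {
    perm=$(( 0$1 ))                  # stat prints octal, e.g. 755 or 1777
    [ "$4" -eq 0 ] && return 0       # root bypasses DAC (not AppArmor)
    if   [ "$4" -eq "$2" ]; then off=6   # owner triad
    elif [ "$5" -eq "$3" ]; then off=3   # group triad
    else                         off=0   # other triad
    fi
    [ $(( (perm >> off) & $6 )) -ne 0 ]
}

# check_log_path UID GID /abs/path/query_log.log  -> 0 if that uid can write it
check_log_path() {
    uid=$1; gid=$2; target=$3; status=0
    case $target in /*) ;; *) echo "use an absolute path"; return 2 ;; esac
    dir=$(dirname "$target")
    # collect /, /var, /var/log, ... in root-first order
    set --; d=$dir
    while [ "$d" != / ]; do set -- "$d" "$@"; d=$(dirname "$d"); done
    set -- / "$@"
    for d in "$@"; do
        if [ ! -d "$d" ]; then echo "MISSING: $d"; return 1; fi
        st=$(stat -c '%a %u %g' "$d")
        mode=${st%% *}; rest=${st#* }; ouid=${rest%% *}; ogid=${rest#* }
        if ! mode_allows "$mode" "$ouid" "$ogid" "$uid" "$gid" 1; then
            echo "NO TRAVERSE (x) for uid $uid on $d"; status=1
        fi
    done
    # loop ended on $dir; "versions N" renames files, so it needs w too
    if ! mode_allows "$mode" "$ouid" "$ogid" "$uid" "$gid" 2; then
        echo "NO WRITE (w) for uid $uid in $dir"; status=1
    fi
    if [ -e "$target" ]; then
        st=$(stat -c '%a %u %g' "$target")
        mode=${st%% *}; rest=${st#* }; ouid=${rest%% *}; ogid=${rest#* }
        if ! mode_allows "$mode" "$ouid" "$ogid" "$uid" "$gid" 2; then
            echo "NO WRITE (w) for uid $uid on $target"; status=1
        fi
    fi
    [ "$status" -eq 0 ] && echo "OK: uid $uid can write $target"
    return $status
}
```

On the SLES box from the question this would be run as `check_log_path "$(id -u named)" "$(id -g named)" /var/log/named/query_log.log`, with the path copied from the file clause so a typo there shows up as MISSING.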