DNS logging for TLD queries?


DNS logging for TLD queries?

Samba - General mailing list
Hello,

     Is it possible to filter DNS queries for specific TLDs using the
internal logging system? My IPS/IDS alerts me when a suspicious TLD is
being queried. However, I'm only able to see the DC as the source. Thanks.

Ubuntu 14.04 Samba 4.7.3.

--
James


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: DNS logging for TLD queries?

Samba - General mailing list
Hi LingPanda101,


>     Is it possible to filter DNS queries for specific TLD's using the
> internal logging system? My IPS/IDS alerts me when a suspicious TLD is
> being queried. However I'm only able to see the DC as the source.  Thanks.
>
> Ubuntu 14.04 Samba 4.7.3.

First you should really upgrade to 4.7.4 (see recent changelog).

Second, if you are not using Bind DLZ, you should set it up; it works
much better than the internal DNS engine.

And third, it is then just a matter of configuring Bind properly. You can
check our wiki at the following address (yeah, it's in French, but it
shouldn't be too much of a hassle for your favorite translation tool):

https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9

Actually we had exactly the same question from a client a few months ago...

Cheers, and happy new year 2018!

Denis


--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr



Re: DNS logging for TLD queries?

Samba - General mailing list
On 1/2/2018 2:50 AM, Denis Cardon wrote:

> Second, if you are not using Bind DLZ, you should set it up, it works
> much better than the internal DNS engine.
Thanks Denis.

     I was trying to avoid Bind but will give it a go as I do require
more insight into DNS.

--
James



Re: DNS logging for TLD queries?

Samba - General mailing list
Yes, this is very welcome! Thanks Denis!!

I've "Debianized" this a bit also.
It now matches the "adm" administrative group that is allowed to read the logs.

# Create the log directory if it is missing: owned by bind, readable by the adm group
if [ ! -d /var/log/bind ]; then
  install -d /var/log/bind -m 0750 -o bind -g adm
fi

# Add a logrotate rule for the bind log files if none exists yet
if [ ! -e /etc/logrotate.d/bind ]; then
cat << EOF >> /etc/logrotate.d/bind
/var/log/bind/*.log {
  daily
  missingok
  rotate 7
  compress
  delaycompress
  notifempty
  create 0640 bind adm
  postrotate
    systemctl reload bind9 > /dev/null
  endscript
}
EOF
fi


And configure it as shown on the site.


Greetz and Happy New Year Everybody.


Louis






Re: DNS logging for TLD queries?

Samba - General mailing list
On 1/2/2018 2:50 AM, Denis Cardon wrote:

> And third it is then just a matter of configuring Bind properly, you
> can check our wiki at the following address (yeah, it's in French, but
> it shouldn't be too much of a hassle for your favorite translation tool):
>
> https://dev.tranquil.it/wiki/SAMBA_-_Audit_requetes_DNS_et_logs_Bind9
Denis,

     I've attempted to set up the logging per your link. I ran into a
couple of issues.

  * Using your template for log.conf, Bind refuses to start because of
    the following lines.
      o 'local syslog2;' Bind complains it doesn't know how to interpret
        local
          + I'm assuming this line tells the logging system where to
            find syslog? I replaced it with 'file "var/log/syslog";'
  * Bind also didn't know how to interpret 'blade-servers {null; };'
      o Seeing as I'm not using one, I commented the line out.

After these changes Bind still wouldn't start, but not because of these
errors. Now it's a permission issue.

set up managed keys zone for view _default, file 'managed-keys.bind'
Jan  3 09:25:03 ddc2 named[13127]: command channel listening on
127.0.0.1#953
Jan  3 09:25:03 ddc2 named[13127]: command channel listening on ::1#953
Jan  3 09:25:03 ddc2 named[13127]: isc_stdio_open '/var/log/syslog'
failed: permission denied
Jan  3 09:25:03 ddc2 named[13127]: configuring logging: permission denied
Jan  3 09:25:03 ddc2 named[13127]: loading configuration: permission denied
Jan  3 09:25:03 ddc2 named[13127]: exiting (due to fatal error)

Before I go changing permissions, am I correct in the two changes I made
previously to get to this point? Thanks.

--
James


Re: DNS logging for TLD queries?

Samba - General mailing list
On 1/3/2018 9:38 AM, lingpanda101 wrote:

>   * Using your template for log.conf. Bind refuses to start because of
>     the following lines.
>       o 'local syslog2;' Bind complains it doesn't know how to
>         interpret local
>           + I'm assuming this line tells the logging system where to
>             find syslog? I replaced with 'file "var/log/syslog";'
Denis,

     One issue was a typo. I omitted the 2 from the syslog file. Bind
now starts but I do get

rndc: connect failed: 127.0.0.1#953: connection refused


--
James


Re: DNS logging for TLD queries?

Samba - General mailing list
The last error you get is because bind was not stopped; there is still something running.
ps -faux | egrep "rndc|bind|named"

Kill it and run the stop command again ( systemctl stop bind9 ).
Then start it again; it should work.


Gr,

Louis





Re: DNS logging for TLD queries?

Samba - General mailing list
On 1/3/2018 10:05 AM, L.P.H. van Belle wrote:

> The last error you get is because bind was not stopped, there is still something running.
> ps -faux | egrep "rndc|bind|named"
>
> Kill it and run the stopcommand again ( systemctl stop bind9 )
> The start it again, should work.
Louis,

     You were correct. Thanks.

Logging appears to be working per Denis's instructions. However, the client
is identified by its A record. Any way to have it resolve to its
NetBIOS or DNS name in the logs?

--
James



Re: DNS logging for TLD queries?

Samba - General mailing list
A quick google did not tell me that that's possible.
So no clear answer from me here, but...

Have a look here.
http://www.zytrax.com/books/dns/ch7/logging.html

Check the category category_name's.
What I normally do in such cases:
Create the /var/log/bind folder, set the correct rights on it.
Create all categories you see and log every one to a file. ! Separate files, imo better.
If one logs the hostname, you will find it.

Best I can quickly think of..


Greetz,

Louis




Re: DNS logging for TLD queries?

Samba - General mailing list
Hi LingPanda101,

>     You were correct. Thanks.
>
> Logging appears to be working per Denis instructions.

There may be some mix-up between CentOS and Debian conf on that page,
I'll double check tomorrow.

> However the client
> is identified by its A record. Any way to have it resolve to its
> NetBIOS or DNS name in the logs?

As far as NetBIOS is concerned, just try to kill it, it will be better
for humanity :-)

I'd say that the IP address is the best thing to have in the log, as it
is the only reliable information the DNS server has when it receives a
request (if we put aside UDP source IP spoofing...). You can then
post-process the log in a SIEM with information from DHCP and reverse
DNS. But even then DHCP and reverse DNS cannot be completely reliable
unless you add in some 802.1x and strong authentication in the mix.

Cheers,

Denis

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
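The post-processing Denis describes, as an added example that is not code from the thread or from the Tranquil IT wiki: it parses constructed BIND "queries" category lines, flags lookups whose TLD is on a watch list (the original question), and labels each client from a constructed DHCP/reverse-DNS table (James's follow-up). The line layout assumed is BIND 9's standard query log, with or without the `@0x...` client pointer newer versions print.

```python
"""Flag BIND query-log lines whose TLD is on a watch list and attribute them
to the requesting client (added example; not code from the thread or wiki)."""
import re
from collections import Counter, defaultdict

# Constructed sample 'queries' category lines (not real traffic). The third line
# carries the "@0x..." client pointer that newer BIND 9 versions print.
SAMPLE_LOG = """\
03-Jan-2018 09:25:03.101 queries: info: client 192.0.2.50#51234 (updates.example.xyz): query: updates.example.xyz IN A +E(0)K (192.0.2.10)
03-Jan-2018 09:25:04.202 queries: info: client 192.0.2.51#40001 (www.example.com): query: www.example.com IN A + (192.0.2.10)
03-Jan-2018 09:25:05.303 queries: info: client @0x7f3c2c0a1b40 192.0.2.50#51240 (cdn.example.top): query: cdn.example.top IN AAAA +E(0) (192.0.2.10)
03-Jan-2018 09:25:06.404 queries: info: client 192.0.2.52#53001 (dc1.ad.example.lan): query: dc1.ad.example.lan IN A + (192.0.2.10)
03-Jan-2018 09:25:07.505 queries: info: client 192.0.2.50#51241 (beacon.example.top): query: beacon.example.top IN A + (192.0.2.10)
"""

# Constructed IP -> hostname snapshot (assumption: exported from DHCP leases or
# a PTR zone, as the thread suggests; unknown IPs fall back to the bare address).
CLIENT_NAMES = {"192.0.2.50": "ws-finance-07", "192.0.2.51": "ws-hr-02"}

# Matches the client address, the queried name and the record type; the
# optional "@0x..." group absorbs the pointer some versions log.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) IN (?P<qtype>\S+) "
)


def parse_query_line(line):
    """Return {'ip', 'name', 'qtype'} for a query-log line, or None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "name": m.group("name").rstrip(".").lower(),
        "qtype": m.group("qtype"),
    }


def tld_of(name):
    """Last label of a dotted name ('www.example.com' -> 'com')."""
    return name.rsplit(".", 1)[-1]


def flag_tld_queries(log_text, watched_tlds, client_names=None):
    """Map each client (named where possible) to a Counter of watched-TLD names."""
    client_names = client_names or {}
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None:          # not a query line (startup noise, rndc, ...)
            continue
        if tld_of(rec["name"]) in watched_tlds:
            label = client_names.get(rec["ip"], rec["ip"])
            hits[label][rec["name"]] += 1
    return dict(hits)


if __name__ == "__main__":
    # Watch list is constructed for the demo; use the TLDs your IDS alerts on.
    for client, names in flag_tld_queries(SAMPLE_LOG, {"xyz", "top"}, CLIENT_NAMES).items():
        for name, n in names.items():
            print(f"{client:16} {name:24} x{n}")
```

Point it at the file your "queries" channel writes under /var/log/bind instead of SAMPLE_LOG; the unnamed-IP fallback is where a DHCP lease export would plug in.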

