Configuring Fail2Ban for Bind9

This assumes Fail2Ban is already installed; if not, see my article Installing and Configuring Fail2ban.

By default, Bind9 does not write its own log files, so open its configuration file in any text editor:

sudo nano /etc/bind/named.conf

And add:

logging {
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 30m;
        severity dynamic;
        print-time yes;
    };
    category security {
        security_file;
    };
};
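The security_file channel above is what a Fail2Ban jail would later read. As an added example (my own code for this excerpt, not part of Fail2Ban or BIND), the following script shows the decision a filter plus maxretry makes: it parses the "denied" lines the security category writes, counts them per client address and lists the clients that reached the threshold. The log lines are constructed samples, and the "@0x..." client pointer that newer BIND versions add is handled as an assumption about the format.

```python
"""Count denied queries per client in a Bind9 security log.

Added example for this article; it is not the article's own code and not
part of Fail2Ban or BIND. It reads lines in the format the security_file
channel above writes (print-time yes, no category or severity prefix) and
reports the clients whose denied-request count has reached a threshold,
which is the decision a Fail2Ban filter plus maxretry makes. The log lines
below are constructed samples, not captured output.
"""
import re
from collections import Counter

# Matches the two "denied" messages the security category writes, for example:
#   10-Mar-2018 12:00:01.123 client 192.0.2.10#53214 (example.com): query (cache) 'example.com/A/IN' denied
#   10-Mar-2018 12:00:03.000 client 203.0.113.5#1234: zone transfer 'example.com/AXFR/IN' denied
# Newer BIND versions insert a "@0x..." client pointer before the address (assumption); both forms are accepted.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"(?P<kind>query(?: \(cache\))?|zone transfer) '(?P<q>[^']+)' denied$"
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LINES = [
    "10-Mar-2018 12:00:01.123 client 192.0.2.10#53214 (example.com): query (cache) 'example.com/A/IN' denied",
    "10-Mar-2018 12:00:01.456 client 192.0.2.10#53215 (example.net): query (cache) 'example.net/A/IN' denied",
    "10-Mar-2018 12:00:02.001 client 198.51.100.7#40001 (example.org): query (cache) 'example.org/MX/IN' denied",
    "10-Mar-2018 12:00:02.500 client @0x7f3c2c0 192.0.2.10#53216 (test.example): query (cache) 'test.example/AAAA/IN' denied",
    "10-Mar-2018 12:00:03.000 client 203.0.113.5#1234: zone transfer 'example.com/AXFR/IN' denied",
    "10-Mar-2018 12:00:03.500 zone example.com/IN: loaded serial 2018031001",
]


def parse_denied(line):
    """Return (client_ip, kind, query) for a denied-request line, else None."""
    m = DENIED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return m.group("ip"), m.group("kind"), m.group("q")


def count_denied(lines):
    """Number of denied requests per client address."""
    counts = Counter()
    for line in lines:
        hit = parse_denied(line)
        if hit:
            counts[hit[0]] += 1
    return counts


def offenders(lines, maxretry=3):
    """Clients with at least maxretry denials, i.e. what a jail would ban."""
    return sorted(ip for ip, n in count_denied(lines).items() if n >= maxretry)


if __name__ == "__main__":
    for ip, n in count_denied(SAMPLE_LINES).most_common():
        print(f"{ip:16} {n} denied")
    print("would ban:", offenders(SAMPLE_LINES))
```

Run it against a real /var/log/named/security.log by reading the file into the list instead of SAMPLE_LINES; a Fail2Ban failregex for the same channel needs only the `client ... #port` part of the expression, with `<HOST>` in place of the ip group.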


Monitoring Bind9 in Zabbix

As an example, I will describe one way to monitor the Bind9 DNS server in Zabbix.

To start, enable the Bind9 statistics channel: open the configuration file in a text editor, for example nano (Ctrl+X to exit, y/n to save or discard changes):

sudo nano /etc/bind/named.conf

And add the following lines (the first IP and port are the address on which the statistics are served; the addresses in allow are the ones permitted to read them):

statistics-channels {
    inet 192.168.10.1 port 8053 allow { 127.0.0.1; 192.168.10.1; 192.168.10.15; };
};

And restart Bind to apply the changes:

sudo /etc/init.d/bind9 restart

After that, opening http://192.168.10.1:8053/ in a browser shows the Bind9 statistics.

Install the components needed to fetch the statistics from the terminal:

sudo apt-get install xml2 curl

Check if the statistics are displayed:

curl http://192.168.10.1:8053/ 2>/dev/null | xml2 | grep -A1 queries

Now add the parameters to be monitored to the Zabbix agent configuration /etc/zabbix/zabbix_agentd.conf:

# Number of UDP sockets on port 53 (DNS over UDP):
UserParameter=bind.net.udp,netstat -nua | grep ':53 ' | wc -l
# Number of TCP connections on port 53 (DNS over TCP):
UserParameter=bind.net.tcp,netstat -nta | grep ':53 ' | wc -l
# Number of incoming and outgoing queries by record type ($1 is the type passed in the key, e.g. A or MX):
UserParameter=bind.queries.in[*],curl http://192.168.10.1:8053/ 2>/dev/null | xml2 | grep -A1 "/isc/bind/statistics/server/queries-in/rdtype/name=$1$" | tail -1 | cut -d= -f2
UserParameter=bind.queries.out[*],curl http://192.168.10.1:8053/ 2>/dev/null | xml2 | grep -A1 "/isc/bind/statistics/views/view/rdtype/name=$1$" | tail -1 | cut -d= -f2
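The two bind.queries parameters above pass the key argument $1 straight into a grep pattern inside a shell; Zabbix rejects shell metacharacters in key arguments by default (UnsafeUserParameters=0), but a script with an explicit whitelist is stricter and easier to read. As an added example (my own code, not from the article, Zabbix or BIND), the following script parses the statistics XML in the version 2 layout that the xml2 paths above refer to and returns the counter for one record type. The XML is a constructed sample, and the allowed type list is an assumption (the types monitored below).

```python
"""Extract per-rdtype query counters from the Bind9 statistics channel.

Added example, not part of the original article or of Zabbix/BIND: it
replaces the curl | xml2 | grep pipeline above with a parser for the
statistics XML (version 2 layout, the one the xml2 paths above refer to)
and validates the rdtype argument against a whitelist before use, so an
unexpected Zabbix key argument cannot alter the lookup. The XML below is
a constructed sample, not real server output.
"""
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Only these names are accepted as the key argument (assumption: the set you monitor).
ALLOWED_RDTYPES = {"A", "AAAA", "NS", "MX", "PTR", "SOA", "TXT", "ANY"}

# Constructed sample in the statistics version 2 layout.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<isc version="1.0">
  <bind>
    <statistics version="2.2">
      <server>
        <queries-in>
          <rdtype><name>A</name><counter>1234</counter></rdtype>
          <rdtype><name>AAAA</name><counter>56</counter></rdtype>
          <rdtype><name>MX</name><counter>7</counter></rdtype>
        </queries-in>
      </server>
      <views>
        <view>
          <name>_default</name>
          <rdtype><name>A</name><counter>1100</counter></rdtype>
          <rdtype><name>AAAA</name><counter>40</counter></rdtype>
        </view>
      </views>
    </statistics>
  </bind>
</isc>
"""


def is_allowed_rdtype(rdtype):
    """Whitelist check for the key argument."""
    return rdtype in ALLOWED_RDTYPES


def parse_counters(xml_bytes, direction):
    """Return {rdtype: count} for 'in' (server/queries-in) or 'out' (views/view).
    Outgoing counters are summed over all views (the grep|tail pipeline above
    takes only the last view)."""
    root = ET.fromstring(xml_bytes)
    if direction == "in":
        nodes = root.iterfind("./bind/statistics/server/queries-in/rdtype")
    elif direction == "out":
        nodes = root.iterfind("./bind/statistics/views/view/rdtype")
    else:
        raise ValueError("direction must be 'in' or 'out'")
    result = {}
    for node in nodes:
        name = node.findtext("name")
        counter = node.findtext("counter")
        if name and counter is not None:
            result[name] = result.get(name, 0) + int(counter)
    return result


def query_count(xml_bytes, direction, rdtype):
    """Counter for one record type; 0 if the server has not seen that type yet."""
    if not is_allowed_rdtype(rdtype):
        raise ValueError(f"rdtype {rdtype!r} not allowed")
    return parse_counters(xml_bytes, direction).get(rdtype, 0)


def fetch_stats(url="http://192.168.10.1:8053/", timeout=5):
    """Download the statistics page (address and port from the article)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Usage as a Zabbix UserParameter script: bind_stats.py in|out RDTYPE
    direction, rdtype = sys.argv[1], sys.argv[2]
    print(query_count(fetch_stats(), direction, rdtype))
```

With the script saved as, for example, /etc/zabbix/bind_stats.py, the agent lines become `UserParameter=bind.queries.in[*],/etc/zabbix/bind_stats.py in $1` and the same with out; an argument outside the whitelist makes the script exit with an error instead of running a shell pipeline with it.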

And restart the Zabbix agent to apply the changes:

sudo /etc/init.d/zabbix-agent restart

Add items and graphs to the desired host or template on the Zabbix server (type: Zabbix agent; example keys below):

bind.queries.in[A]
bind.queries.out[A]
bind.queries.in[AAAA]
bind.queries.out[AAAA]
bind.queries.in[NS]
bind.queries.out[NS]
bind.queries.in[MX]
bind.queries.out[MX]
bind.queries.in[PTR]
bind.queries.out[PTR]
bind.queries.in[SOA]
bind.queries.out[SOA]
bind.queries.in[TXT]
bind.queries.out[TXT]
bind.queries.in[ANY]
bind.queries.out[ANY]
etc.

See also my article:
Monitoring DNS from Zabbix

Configuring Bind9 logs

By default, Bind9 logs are written to the system log /var/log/syslog; to separate them, I perform the steps described below.

For this test I configure Bind9 on Ubuntu Server 16.04.
Open the main Bind9 configuration file, for example in the nano editor (Ctrl+X to exit, y/n to save or discard changes):

sudo nano /etc/bind/named.conf

Add to its end:

logging {
    channel bind.log {
        file "/var/lib/bind/bind.log" versions 10 size 20m;
        severity notice;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    category queries { bind.log; };
    category default { bind.log; };
    category config { bind.log; };
};

severity sets the logging level; it can be one of: critical, error, warning, notice, info, debug, dynamic.

A second example, where the logs are saved to different files:

logging {
    channel "misc" {
        file "/var/log/named/misc.log" versions 4 size 4m;
        print-time yes;
        print-severity yes;
        print-category yes;
    };

    channel "query" {
        file "/var/log/named/query.log" versions 4 size 4m;
        print-time yes;
        print-severity no;
        print-category no;
    };

    category default {
        "misc";
    };

    category queries {
        "query";
    };
};

Another example, which additionally writes lame-server messages to their own file:

logging {
    channel "misc" {
        file "/var/log/named/misc.log" versions 10 size 10m;
        print-time yes;
        print-severity yes;
        print-category yes;
    };

    channel "query" {
        file "/var/log/named/query.log" versions 10 size 10m;
        print-time yes;
        print-severity no;
        print-category no;
    };

    channel "lame" {
        file "/var/log/named/lamers.log" versions 1 size 5m;
        print-time yes;
        print-severity yes;
        severity info;
    };

    category "default" { "misc"; };
    category "queries" { "query"; };
    category "lame-servers" { "lame"; };
};

Restart Bind9 to apply the changes:

sudo /etc/init.d/bind9 restart

You can create a symlink in /var/log/ so that others can find the logs more easily:

sudo ln -s /var/lib/bind/ /var/log/

To watch the log in real time, you can use the following command (Ctrl+C to stop):

sudo tail -f /var/lib/bind/bind.log

If the logs are written to a non-standard directory, you need to allow it in the AppArmor profile:

sudo nano /etc/apparmor.d/usr.sbin.named

See also:
Installing and Configuring DNS Server BIND9

Installing and Configuring DNS Server BIND9

BIND (Berkeley Internet Name Domain) is the open-source and most widely used DNS server implementation; it resolves DNS names to IP addresses and vice versa.

Installing in Linux Ubuntu:

sudo apt-get install bind9

Stop / Start / Restart Bind9:

sudo /etc/init.d/bind9 stop/start/restart

To use the local DNS server, add the following to /etc/resolv.conf:

nameserver 127.0.0.1

Edit the configuration files in the /etc/bind/ directory to suit your needs.

Open the configuration file named.conf.options, for example in the nano text editor:

sudo nano /etc/bind/named.conf.options

First, add ACLs with networks that will be allowed to query the DNS server:

acl localclients {
    localhost;
    localnets;
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

In the options block, reference this ACL for recursion and queries:

allow-recursion { localclients; };
allow-query { localclients; };
allow-query-cache { localclients; };

You can specify the IP addresses on which bind9 will listen:

listen-on {
    127.0.0.1;
    192.168.1.1;
};

Or on all addresses:

listen-on { any; };

Alternatively, you can list the addresses for which recursion is allowed, so that the server does not recurse for every client but only for those listed (all other addresses will only receive the zone data hosted on this server):

allow-recursion { 127.0.0.1; 10.0.0.0/8; 192.168.0.0/16; 172.16.0.0/16; };
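Whether a given client gets recursion depends on BIND's first-match rule over the address match list: the first element that matches decides, a "!" in front of an element turns a match into a denial, a named ACL is expanded in place, and an address that matches nothing is denied. As an added check (my own code for this article, not part of BIND), the following script applies that rule to the ACL and options shown above, embedded as a constructed string. Since the script cannot see the server's interfaces, the addresses behind localhost and localnets are passed in explicitly, which is an assumption; comments inside list bodies are not handled.

```python
"""Evaluate BIND address match lists: who gets recursion from this server?

Added example for this article; it is not the article's own code and does
not use BIND itself. It parses the acl and allow-* lists from a named.conf
fragment (the one shown above, embedded here as a constructed string) and
applies BIND's first-match rule, including "!" negation and nested ACL
names. "localhost" and "localnets" are resolved from addresses you pass
in, because the script cannot see the server's interfaces (an assumption).
Comments inside list bodies are not handled.
"""
import ipaddress
import re

# Constructed fragment using the ACL and options from the article.
CONFIG = """
acl localclients {
    localhost;
    localnets;
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};
options {
    allow-recursion { localclients; };
    allow-query { localclients; };
    allow-query-cache { localclients; };
};
"""

ACL_RE = re.compile(r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}\s*;')
OPT_RE = re.compile(r'\b(allow-recursion|allow-query|allow-query-cache)\s*\{([^}]*)\}\s*;')


def split_list(body):
    """'a; b; c;' -> ['a', 'b', 'c']"""
    return [e.strip() for e in body.split(";") if e.strip()]


def parse(config):
    """Named ACLs and allow-* options as lists of raw elements."""
    acls = {m.group(1): split_list(m.group(2)) for m in ACL_RE.finditer(config)}
    opts = {m.group(1): split_list(m.group(2)) for m in OPT_RE.finditer(config)}
    return acls, opts


def element_matches(ip, name, local_addrs, local_nets):
    """Does one non-ACL element (built-in name, address or prefix) match ip?"""
    if name == "any":
        return True
    if name == "none":
        return False
    if name == "localhost":
        return ip in local_addrs
    if name == "localnets":
        return any(ip in net for net in local_nets)
    return ip in ipaddress.ip_network(name, strict=False)


def first_match(ip, elements, acls, local_addrs, local_nets):
    """First matching element decides: True = positive match, False = negated
    match, None = nothing matched (which BIND treats as deny)."""
    for element in elements:
        negate = element.startswith("!")
        name = element.lstrip("!").strip()
        if name in acls:
            # A positive match inside a nested ACL decides the outer element;
            # a negated or absent inner match falls through to the next element.
            if first_match(ip, acls[name], acls, local_addrs, local_nets) is True:
                return not negate
            continue
        if element_matches(ip, name, local_addrs, local_nets):
            return not negate
    return None


def recursion_allowed(client, config=CONFIG, local_addrs=(), local_nets=()):
    """True if allow-recursion permits recursion for client; None if the option
    is not set (BIND then applies its built-in default)."""
    acls, opts = parse(config)
    if "allow-recursion" not in opts:
        return None
    addrs = {ipaddress.ip_address(a) for a in local_addrs}
    nets = [ipaddress.ip_network(n, strict=False) for n in local_nets]
    verdict = first_match(ipaddress.ip_address(client), opts["allow-recursion"], acls, addrs, nets)
    return verdict is True


if __name__ == "__main__":
    for client in ("192.168.1.50", "172.31.255.1", "203.0.113.9", "127.0.0.1"):
        print(client, "recursion:", recursion_allowed(client, local_addrs=("127.0.0.1",)))
```

Feeding it `allow-recursion { any; };` shows the open-resolver case: recursion_allowed returns True for a public address such as 203.0.113.9, which is exactly what the ACL above is meant to prevent. Note that the last allow-recursion line above uses 172.16.0.0/16 while the ACL uses 172.16.0.0/12; the script reports the difference for an address such as 172.31.255.1.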

The correctness of the settings can be checked with the following command (if it prints nothing, the configuration is fine):

named-checkconf

Apply the changes:

sudo rndc reload

or like this:

sudo /etc/init.d/bind9 restart

Verification:

rndc status
netstat -lnp | grep :53
sudo ps -ax | grep bind

From Windows, you can check with the command (where 192.168.1.1 is the address of bind9):

nslookup example.com 192.168.1.1

You can clear the cache of the DNS server with:

sudo rndc flush

Dump the cache to a file (in /var/cache/bind/):

sudo rndc dumpdb

See also:
Configuring Bind9 logs
Configuring Fail2Ban for Bind9