How to log verbose details about DNS update queries in bind

Milo

9/4/23, 9:22 AM

Is there any way to log failed DNS update queries with Bind 9 (9.16.22 on Debian) in a more verbose format?

I tried all logging categories and found update messages in an update-security one. But messages are quite brief, like update forwarding 'domain.tld/IN' denied.

I would like to get verbose message, like update forwarding 'domain.tld/IN', add foo.domain.tld 600 IN A 10.10.10.10 denied.

0 + 0

domain-name-system

bind

ddns

Score:0

Server

Nikita Kipriyanov

9/5/23, 11:13 AM

BIND's logging differentiates categories, and for each category you can set a set of channels to send messages to. For each channel you set a logging verbosity and other behaviour.

For example, you can have a dedicated channel verbose_updates, where you'll log a category update:

logging {
...
  channel verbose_updates {
    file "/var/log/bind/update.log";
    severity debug 3;
    print-time yes;
  };
  category update {
    verbose_updates; # other channels can go here, if you want to also have updates logged elsewhere in more typical form
  };
...
};

This way you can have a quite verbose debug log just for updates.

Read ISC BIND documentation for reference.

0 + 0

Milo

9/6/23, 12:31 PM

I already tried that and there is no additional information in log. Additionaly I tried ```rndc trace 3``` and higher without any log verbosity change.Such configuration works for you?

Nikita Kipriyanov

9/7/23, 12:04 PM

This only could mean it is unable to log such information in the form you want it. Which reminds me, *why* do you need that? It seems nobody else needs that. Probably you've chosen a wrong way to solve some other problem (do we have "XY problem" here)?

Milo

9/9/23, 7:26 AM

No side reason. Only want to know which records are tried to be updated. Do I understand correctly, that log by configuration which you proposed does not contain such information and you only cited the documentation without verification? I want to be sure that I've done it right.

Nikita Kipriyanov

9/9/23, 11:32 AM

I've actually built the configuration I suggested and tried how it works. Technically, my answer satisfies your question as it is presented now. The question is formulated in a quite generic way, and the only place from which one can deduce that you may need to log a record name is an example, without clarifications this is not obvious. So I suggest you to at least change a title to be concrete: "How to log a name of a record that is being updated in bind", something like that. And describe what configurations you've already tried and that none of them helped.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How to log verbose details about DNS update queries in bind

TH: วิธีการบันทึกรายละเอียดอย่างละเอียดเกี่ยวกับแบบสอบถามการปรับปรุง DNS ในการผูก

RO: Cum să înregistrați detalii detaliate despre interogările de actualizare DNS în bind

RU: Как регистрировать подробные сведения о запросах на обновление DNS в привязке

VI: Cách ghi nhật ký chi tiết dài dòng về các truy vấn cập nhật DNS trong liên kết

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.