I am currently running BIND named on my Internet-facing servers to respond to authoritative query requests for my domains. So, I have configured /etc/bind/named.conf.local as follows to log all queries coming to my DNS servers:
    [...]
    logging {
        channel query.log {
            file "/var/log/named/query.log" versions 10 size 10m;
            severity debug 3;
            print-time yes;
        };
        category config { default_syslog; };
        category queries { query.log; };
        category default { null; };
    };
Recently my servers started logging many queries coming from IP addresses around the world (see the DNS amplification attacks explained at https://www.linuxquestions.org/questions/linux-newbie-8/there-are-many-query-this-website-on-my-dns-server-4175676097/). I do not want to use fail2ban to prevent those IP addresses from making queries to my DNS servers, simply because there are too many IP addresses (more than 500 IPs were collected in 24 hours, for example) and it seems unnecessary to fill my iptables with such unneeded entries.
I just want named not to log queries matching something like this to the query.log file (because my log file starts filling and rotating very rapidly):

    client .* (pizzaseo.com): query: pizzaseo.com IN RRSIG .*
Is there a configuration in named that will allow me to filter out some query entries before they are logged to query.log?
I considered using "named pipes" to pass all the output to query.log through a grep command. But this may have an adverse effect on the BIND daemon if the grep command dies somehow and the "named pipe" becomes full.
Note that I need to log all entries (except this pizzaseo thing) for some other purposes/needs.
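As an added example (not part of the question above, and not a BIND feature), the following Python 3 script shows how the query.log entries in the question can be post-processed outside of named: it parses each line, drops only the `pizzaseo.com IN RRSIG` queries, keeps every line it does not understand unchanged (so nothing else is lost), and counts which clients send the most RRSIG queries, which is the signal of the amplification traffic the question describes. The log line layout (BIND 9 query log with `print-time yes`, with or without the `@0x...` client pointer) and the sample lines are assumptions constructed for this example; the function names are hypothetical.

```python
import re
from collections import Counter

# Assumed BIND 9 query-log layout (print-time yes). Constructed for this
# example; adjust if your named version prints a different line format.
QUERY_RE = re.compile(
    r'^(?P<time>\S+ \S+) client (?:@0x[0-9a-fA-F]+ )?'
    r'(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname_paren>[^)]*)\): '
    r'query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)'
    r'(?: \((?P<server>[^)]*)\))?$'
)

# (qname, qtype) pairs to leave out of the filtered log; taken from the
# pattern in the question. Exact-name match avoids dropping look-alike names.
NOISE_RULES = [("pizzaseo.com", "RRSIG")]

# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
12-Dec-2020 10:15:01.123 client 198.51.100.7#43210 (pizzaseo.com): query: pizzaseo.com IN RRSIG +E(0)K (203.0.113.53)
12-Dec-2020 10:15:01.456 client @0x7f3c2c0b0a10 203.0.113.9#51234 (pizzaseo.com): query: pizzaseo.com IN RRSIG +E(0)K (203.0.113.53)
12-Dec-2020 10:15:02.001 client 192.0.2.44#5353 (www.example.net): query: www.example.net IN A + (203.0.113.53)
12-Dec-2020 10:15:02.777 client 198.51.100.7#43211 (pizzaseo.com): query: pizzaseo.com IN RRSIG +E(0)K (203.0.113.53)
12-Dec-2020 10:15:03.100 client 192.0.2.44#5354 (pizzaseo.com): query: pizzaseo.com IN A + (203.0.113.53)
this line is not a query log entry and must be preserved
"""


def parse_query_line(line):
    """Return a dict of the query fields, or None if the line is not a query entry."""
    m = QUERY_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_noise(entry, rules=NOISE_RULES):
    """True when the parsed entry matches one of the (qname, qtype) drop rules."""
    qname = entry["qname"].rstrip(".").lower()
    return any(qname == q and entry["qtype"] == t for q, t in rules)


def filter_log(lines, rules=NOISE_RULES):
    """Return (kept_lines, dropped_count). Unparsed lines are always kept."""
    kept, dropped = [], 0
    for line in lines:
        entry = parse_query_line(line)
        if entry is not None and is_noise(entry, rules):
            dropped += 1
            continue
        kept.append(line)
    return kept, dropped


def top_clients(lines, qtype="RRSIG", n=5):
    """Count source IPs per query type; useful to see who drives the RRSIG flood."""
    counts = Counter()
    for line in lines:
        entry = parse_query_line(line)
        if entry is not None and entry["qtype"] == qtype:
            counts[entry["ip"]] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    kept, dropped = filter_log(lines)
    print(f"dropped {dropped} noise entries, kept {len(kept)} lines")
    for ip, count in top_clients(lines):
        print(f"{ip}: {count} RRSIG queries")
```

Running such a filter over the rotated files (for example from a logrotate postrotate hook or a cron job) keeps it out of named's write path entirely, so the concern raised in the question about a stalled reader on a named pipe blocking the daemon does not apply; named keeps writing to a plain file and the filtered copy is produced afterwards.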