<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 19/10/2020 16:14, Luis Daniel Lucio
Quiroz via Pdns-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAFLo2QzDqKPxryYMeRKHqA72MYbJ7rCOUjhrNQ9A+GzqSPPhrg@mail.gmail.com">
<div>I am trying to build a fail2ban rule. Because my PDNS is not
a public DNS but just hosts specific zones, nobody should be
querying anything else but those specific zones, right?</div>
<div><br>
</div>
<div>I can't find an option to log those queries. PDNS works okay,
it refuses other zones but I want to log that.</div>
<div><br>
</div>
</blockquote>
<p>PDNS recursor or authoritative? From context I am going to guess
authoritative.</p>
<p>Personally I wouldn't do it. The extra load from logging all
queries is likely *much* higher than the load of sending a few
REFUSED answers, if and when they occur.</p>
<p>There is query logging: <a moz-do-not-send="true"
href="https://doc.powerdns.com/authoritative/settings.html#query-logging">https://doc.powerdns.com/authoritative/settings.html#query-logging</a></p>
<p><tt># dig +short @localhost example.com</tt><tt><br>
</tt><tt># grep example.com /var/log/syslog</tt><tt><br>
</tt><tt>Oct 19 18:17:32 ns-auth pdns_server[7420]: Lookup for
'SOA' of 'example.com' within zoneID -1</tt><tt><br>
</tt><tt>Oct 19 18:17:32 ns-auth pdns_server[7420]: Found no
authoritative zone for 'example.com' and/or id 0</tt><br>
</p>
<p>... but it's really a debugging feature, and it appears not to
show the client source IP address, which I expect is what you
want. (Tested with pdns-server 4.3.0)<br>
</p>
<p>I think what you'd have to do is to put dnsdist in front, which
supports high-performance <a
href="https://dnsdist.org/reference/protobuf.html">protobuf</a>
logging and <a href="https://dnsdist.org/reference/dnstap.html">dnstap</a>
logging. The recursor does have those features built-in, BTW.<br>
</p>
<p>Regards,</p>
<p>Brian.<br>
</p>
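<p>As an added illustration (not code from this thread, PowerDNS or fail2ban), the following Python parses syslog lines in the format shown above and makes the point about the missing client address concrete: the only key a detection rule can aggregate on is the queried name, so a fail2ban jail, which must capture a host to ban, gets nothing from these lines. The sample log lines are constructed for the example.</p>

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample in the pdns-server 4.3.0 query-logging format quoted in the
# message (plus one unrelated sshd line); these lines are made up for the example.
SAMPLE_SYSLOG = """\
Oct 19 18:17:32 ns-auth pdns_server[7420]: Lookup for 'SOA' of 'example.com' within zoneID -1
Oct 19 18:17:32 ns-auth pdns_server[7420]: Found no authoritative zone for 'example.com' and/or id 0
Oct 19 18:17:40 ns-auth pdns_server[7420]: Lookup for 'A' of 'www.example.org' within zoneID -1
Oct 19 18:17:40 ns-auth pdns_server[7420]: Found no authoritative zone for 'www.example.org' and/or id 0
Oct 19 18:17:41 ns-auth pdns_server[7420]: Found no authoritative zone for 'example.com' and/or id 0
Oct 19 18:17:45 ns-auth sshd[1234]: Accepted publickey for admin from 192.0.2.10 port 50000
"""

# One "Found no authoritative zone" line per query the server is about to refuse.
NO_ZONE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pdns_server\[\d+\]: "
    r"Found no authoritative zone for '(?P<qname>[^']+)'"
)
# A fail2ban filter needs a <HOST> capture; this is what it would look for,
# but the pdns_server line carries no address at all.
CLIENT_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class RefusedEvent(NamedTuple):
    ts: str
    qname: str
    client_ip: Optional[str]  # always None for these lines; kept to make the gap explicit


def parse_refused(syslog_text: str) -> list[RefusedEvent]:
    """Return one event per 'Found no authoritative zone' line, ignoring everything else."""
    events = []
    for line in syslog_text.splitlines():
        m = NO_ZONE_RE.match(line)
        if not m:
            continue  # 'Lookup for' lines and other daemons are skipped
        ip = CLIENT_IP_RE.search(line)
        events.append(RefusedEvent(m["ts"], m["qname"].lower(), ip.group(0) if ip else None))
    return events


def refused_by_name(syslog_text: str) -> Counter:
    """The only field available for aggregation is the queried name, not the source host."""
    return Counter(ev.qname for ev in parse_refused(syslog_text))


def bannable_hosts(syslog_text: str) -> set[str]:
    """What a fail2ban jail could act on: empty, because no client IP is ever logged here."""
    return {ev.client_ip for ev in parse_refused(syslog_text) if ev.client_ip}
```

<p>With dnsdist's protobuf or dnstap logging in front, each record carries the client address, which is what such a rule would actually key on.</p>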
</body>
</html>