[Pdns-users] Logging queries out of the zones with IP

Brian Candler b.candler at pobox.com
Mon Oct 19 17:27:17 UTC 2020


On 19/10/2020 16:14, Luis Daniel Lucio Quiroz via Pdns-users wrote:
> I am trying to build a fail2ban rule. Because my PDNS is not a public 
> DNS, but it just hosts specific zones nobody should be querying 
> anything else but those specific zones, right?
>
> I can't find an option to log those queries. PDNS works okay, it 
> refuses other zones but I want to log that.
>
PDNS recursor or authoritative?  From context I am going to guess 
authoritative.

Personally I wouldn't do it.  The extra load from logging all queries is 
likely *much* higher than the load of sending a few REFUSED answers, if 
and when they occur.

There is query logging: 
https://doc.powerdns.com/authoritative/settings.html#query-logging

# dig +short @localhost example.com
# grep example.com /var/log/syslog
Oct 19 18:17:32 ns-auth pdns_server[7420]: Lookup for 'SOA' of 'example.com' within zoneID -1
Oct 19 18:17:32 ns-auth pdns_server[7420]: Found no authoritative zone for 'example.com' and/or id 0

... but it's really a debugging feature, and it appears not to show the 
client source IP address, which I expect is what you want.  (Tested with 
pdns-server 4.3.0)

I think what you'd have to do is to put dnsdist in front, which supports 
high-performance protobuf <https://dnsdist.org/reference/protobuf.html> 
logging and dnstap <https://dnsdist.org/reference/dnstap.html> logging.  
The recursor does have those features built-in, BTW.

Regards,

Brian.
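As an added example (not from this thread or from the PowerDNS/dnsdist projects), here is the detection logic the original question is after, written in Python: a fail2ban-style filter that reads per-query log lines carrying the client address, classifies each query as inside or outside the set of hosted zones, and flags source IPs that exceed a threshold of out-of-zone queries within a time window. The line format is an assumption, modelled on a timestamp plus the text that a dnsdist LogAction writes ("Packet from <addr>:<port> for <qname> <qtype> with id <id>"); the sample lines, the zone names and the threshold/window values are all constructed for the example. It goes slightly beyond the thread in two places that matter for a real filter: the zone match is done on a label boundary (so "notexample.com" does not count as inside "example.com") and the counting is a sliding window rather than a plain total.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Zones this authoritative server is meant to serve (constructed for the example).
HOSTED_ZONES = {"example.com", "example.net"}

# Assumed line shape: an ISO-8601 UTC timestamp, then dnsdist-style text
# "Packet from <addr>:<port> for <qname> <qtype> with id <id>". IPv6 addresses
# are expected in square brackets. Adjust the pattern to whatever your logger emits.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) Packet from "
    r"(?:\[(?P<ip6>[^\]]+)\]|(?P<ip4>[0-9.]+)):\d+ "
    r"for (?P<qname>\S+) (?P<qtype>\S+) with id \d+$"
)

# Constructed sample log (documentation-range addresses, no real clients), in time order.
SAMPLE_LOG = [
    "2020-10-19T18:17:30Z Packet from 192.0.2.10:53842 for www.example.com. A with id 1",
    "2020-10-19T18:17:31Z Packet from 198.51.100.7:4242 for isc.org. A with id 2",
    "2020-10-19T18:17:32Z Packet from 198.51.100.7:4243 for google.com. AAAA with id 3",
    # 'example.com' appears as a label but the name is not under the hosted zone:
    "2020-10-19T18:17:33Z Packet from 198.51.100.7:4244 for EXAMPLE.COM.evil.test. A with id 4",
    "2020-10-19T18:17:34Z Packet from [2001:db8::1]:5300 for mail.example.net. MX with id 5",
    # suffix trap: 'notexample.com' must not match 'example.com':
    "2020-10-19T18:17:35Z Packet from 192.0.2.10:53843 for notexample.com. A with id 6",
    # same client as before, but well outside the 60 s window used below:
    "2020-10-19T18:20:00Z Packet from 198.51.100.7:4245 for example.org. A with id 7",
]


def normalize(name):
    """Lower-case a domain name and drop the trailing dot so comparisons are canonical."""
    return name.lower().rstrip(".")


def in_hosted_zone(qname, zones):
    """True if qname is a hosted zone apex or lies below one (label-boundary match)."""
    q = normalize(qname)
    return any(q == z or q.endswith("." + z) for z in map(normalize, zones))


def parse_line(line):
    """Return a record dict for a matching log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip6"] or m["ip4"], "qname": m["qname"], "qtype": m["qtype"]}


def out_of_zone_events(lines, zones):
    """Yield parsed records for queries that fall outside every hosted zone."""
    for line in lines:
        rec = parse_line(line)
        if rec and not in_hosted_zone(rec["qname"], zones):
            yield rec


def count_out_of_zone(lines, zones):
    """Total out-of-zone queries per source IP (what a simple grep | sort | uniq -c gives)."""
    return Counter(rec["ip"] for rec in out_of_zone_events(lines, zones))


def find_offenders(lines, zones, threshold=3, window_seconds=60):
    """Sliding-window check, the shape of fail2ban's maxretry/findtime logic.

    Lines must be in chronological order. Returns {ip: first time the threshold was hit}.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # per-IP timestamps of out-of-zone queries still in window
    offenders = {}
    for rec in out_of_zone_events(lines, zones):
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in offenders:
            offenders[rec["ip"]] = rec["ts"]
    return offenders


if __name__ == "__main__":
    print(count_out_of_zone(SAMPLE_LOG, HOSTED_ZONES))
    print(find_offenders(SAMPLE_LOG, HOSTED_ZONES, threshold=3, window_seconds=60))
```

The same regex, with the address group replaced by fail2ban's `<HOST>` token, is the core of a `failregex`; the part fail2ban cannot do for you is the zone test, which is why the filter has to be fed lines that were already narrowed to out-of-zone queries (for instance by logging only from a dnsdist rule that excludes the hosted suffixes), or why the classification has to happen in a pre-filter like the one above.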
