[Pdns-users] Logging queries out of the zones with IP

Brian Candler b.candler at pobox.com
Mon Oct 19 17:27:17 UTC 2020

On 19/10/2020 16:14, Luis Daniel Lucio Quiroz via Pdns-users wrote:
> I am trying to build a fail2ban rule. Because my PDNS is not a public 
> DNS, but it just hosts specific zones nobody should be querying 
> anything else but those specific zones, right?
> I can't find an option to log those queries. PDNS works okay, it 
> refuses other zones but I want to log that.
PDNS recursor or authoritative?  From context I am going to guess 

Personally I wouldn't do it.  The extra load from logging all queries is 
likely *much* higher than the load of sending a few REFUSED answers, if 
and when they occur.

There is query logging: 

# dig +short @localhost example.com
# grep example.com /var/log/syslog
Oct 19 18:17:32 ns-auth pdns_server[7420]: Lookup for 'SOA' of 
'example.com' within zoneID -1
Oct 19 18:17:32 ns-auth pdns_server[7420]: Found no authoritative zone 
for 'example.com' and/or id 0

... but it's really a debugging feature, and it appears not to show the 
client source IP address, which I expect is what you want.  (Tested with 
pdns-server 4.3.0)

I think what you'd have to do is to put dnsdist in front, which supports 
high-performance protobuf <https://dnsdist.org/reference/protobuf.html> 
logging and dnstap <https://dnsdist.org/reference/dnstap.html> logging.  
The recursor does have those features built-in, BTW.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20201019/218d7879/attachment-0001.htm>

More information about the Pdns-users mailing list