BIND LOGGING
------------

By default, logs from named are sent to /var/log/syslog via syslog.
Let's make BIND log in a more detailed fashion.

On AUTH1 (auth1.grpX):

1. Create the log directory:

    # mkdir -p /etc/bind/log
    # chown bind /etc/bind/log

2. Edit /etc/bind/named.conf

   In the "options" section, find and *REMOVE* the "listen-on" line if
   it is still there:

    options {
        ...
        listen-on { 127.0.0.1; };    // <- remove this line!
        ...
    };

   Now move to the bottom (end) of the file, and create the "logging"
   section:

// - - - - - - - - - - - - - - - cut below - - - - - - - - - - - - - - -

logging {
    // Channels
    channel transfers {
        file "/etc/bind/log/transfers" versions 3 size 10M;
        print-time yes;
        severity info;
    };
    channel notify {
        file "/etc/bind/log/notify" versions 3 size 10M;
        print-time yes;
        severity info;
    };
    channel dnssec {
        file "/etc/bind/log/dnssec" versions 3 size 10M;
        print-time yes;
        severity info;
    };
    channel query {
        file "/etc/bind/log/query" versions 5 size 10M;
        print-time yes;
        severity info;
    };
    channel general {
        file "/etc/bind/log/general" versions 3 size 10M;
        print-time yes;
        severity info;
    };
    channel slog {
        syslog security;
        severity info;
    };

    // Categories
    category xfer-out { transfers; slog; };
    category xfer-in { transfers; slog; };
    category notify { notify; };
    category lame-servers { general; };
    category config { general; };
    category default { general; };
    category security { general; slog; };
    category dnssec { dnssec; };
    // category queries { query; };
};

// - - - - - - - - - - - - - - - cut above - - - - - - - - - - - - - - -

   Save and exit the file, and TEST that it works:

    # named-checkconf /etc/bind/named.conf

   Note that the "queries" category is commented out. This is on
   purpose, as on many servers this log file could become very large
   very quickly.

3. Now reconfig or restart BIND:

    # rndc reconfig

   - Look into /etc/bind/log/, and see if the files get created
     (e.g., "ls -lt /etc/bind/log/").

   If it doesn't work, try:

   - checking the permissions on /etc/bind/log
   - restarting named (service bind9 restart)

4. Do a zone transfer of your own domain:

    # dig @10.192.X.1 AXFR MYTLD
    ...

   - Verify that the transfer shows up in /etc/bind/log/transfers:

    17-Feb-2016 11:18:15.331 client 10.192.X.1#61235: transfer of 'MYTLD/IN': AXFR started
    17-Feb-2016 11:18:15.331 client 10.192.X.1#61235: transfer of 'MYTLD/IN': AXFR ended

5. Update the serial number on your master zone file:

    # vi /etc/bind/master/MYTLD

   Increment Serial by 1, then save the zone file.

    # rndc reload MYTLD

   In the notify log file there should be a line that looks something
   like this:

    # cat /etc/bind/log/notify
    22-Feb-2016 23:43:48.647 zone MYTLD/IN: sending notifies (serial 2016022306)

6. Optional - view queries

   Remove the "//" from the front of "category queries { query; };" in
   named.conf and restart the nameserver:

    # service bind9 restart

   Then start monitoring the query file:

    # tail -F /etc/bind/log/query

   While that is running, in another terminal window or on someone
   else's machine, execute a dig:

    # dig @10.192.X.1 www.MYTLD.

   You should see the query in the logfile.

   Afterwards, put the "//" back in front of
   "category queries { query; };" and restart BIND to keep the logs
   from filling up.
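
Added example (not part of the original exercise): once the "transfers" channel from step 2 is writing lines like those in step 4, the log can be audited for zone transfers started by hosts that are not your secondaries, and for transfers that logged "started" but never "ended". The function name, the allowlist address and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Matches the transfers-log line format shown in step 4 of this exercise.
# Any extra text between the client port and the following colon is tolerated.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)[^:]*: "
    r"transfer of '(?P<zone>[^/']+)/IN': (?P<kind>AXFR|IXFR) (?P<event>started|ended)"
)

def audit_transfers(lines, allowed_secondaries):
    """Return (unexpected, unfinished).

    unexpected: Counter keyed by (client_ip, zone), counting transfers started
                by clients that are not in allowed_secondaries.
    unfinished: dict keyed by (client_ip, port, zone) -> start timestamp for
                transfers with a 'started' line but no matching 'ended' line.
    """
    unexpected = Counter()
    unfinished = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a transfer start/end line
        key = (m["ip"], m["port"], m["zone"])
        if m["event"] == "started":
            unfinished[key] = m["ts"]
            if m["ip"] not in allowed_secondaries:
                unexpected[(m["ip"], m["zone"])] += 1
        else:
            unfinished.pop(key, None)
    return unexpected, unfinished

# Constructed sample lines in the format of /etc/bind/log/transfers.
SAMPLE_LOG = """\
17-Feb-2016 11:18:15.331 client 10.192.1.2#61235: transfer of 'MYTLD/IN': AXFR started
17-Feb-2016 11:18:15.331 client 10.192.1.2#61235: transfer of 'MYTLD/IN': AXFR ended
17-Feb-2016 11:20:02.104 client 10.192.7.50#40112: transfer of 'MYTLD/IN': AXFR started
17-Feb-2016 11:20:02.110 client 10.192.7.50#40112: transfer of 'MYTLD/IN': AXFR ended
17-Feb-2016 11:20:09.871 client 10.192.7.50#40113: transfer of 'MYTLD/IN': AXFR started
""".splitlines()

ALLOWED = {"10.192.1.2"}  # assumption: the address of your secondary

if __name__ == "__main__":
    unexpected, unfinished = audit_transfers(SAMPLE_LOG, ALLOWED)
    for (ip, zone), n in unexpected.items():
        print(f"unexpected transfer client {ip}: {n} transfer(s) of {zone}")
    for (ip, port, zone), ts in unfinished.items():
        print(f"no 'ended' line for {ip}#{port} {zone} (started {ts})")
```

To run it against the real file, pass open("/etc/bind/log/transfers") as the first argument instead of SAMPLE_LOG.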