diff --git a/docs/projects/docker/bind/index.md b/docs/projects/docker/bind/index.md index d9ec97d..1ef0cec 100644 --- a/docs/projects/docker/bind/index.md +++ b/docs/projects/docker/bind/index.md @@ -35,8 +35,8 @@ services: ports: - "53:53" volumes: - - data_bind9:/etc/bind - # - logs_bind9:/var/logs + - data_bind9:/etc/bind/conf.d + - logs_bind9:/var/logs environment: - TIMEZONE=UTC restart: always @@ -47,7 +47,7 @@ services: volumes: data_bind9: - # logs_bind9: + logs_bind9: networks: diff --git a/includes/etc/bind/conf.d/logging.conf b/includes/etc/bind/conf.d/logging.conf new file mode 100644 index 0000000..d6cfdef --- /dev/null +++ b/includes/etc/bind/conf.d/logging.conf @@ -0,0 +1,201 @@ +logging { + channel default_log { + file "/var/log/default" versions 3 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; + channel auth_servers_log { + file "/var/log/auth_servers" versions 100 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; + channel dnssec_log { + file "/var/log/dnssec" versions 3 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; + channel zone_transfers_log { + file "/var/log/zone_transfers" versions 3 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; + channel ddns_log { + file "/var/log/ddns" versions 3 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; + channel client_security_log { + file "/var/log/client_security" versions 3 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; + channel rate_limiting_log { + file "/var/log/rate_limiting" versions 3 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; + channel rpz_log { + file "/var/log/rpz" versions 3 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; + channel dnstap_log { + file "/var/log/dnstap" versions 3 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; +// +// If you have the category ‘queries’ defined, and you don’t want query logging +// by default, make sure you add option ‘querylog no;’ - then you can toggle +// query logging on (and off again) using command ‘rndc querylog’ +// + channel queries_log { + file "/var/log/queries" versions 600 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; +// +// This channel is dynamic so that when the debug level is increased using +// rndc while the server is running, extra information will be logged about +// failing queries. Other debug information for other categories will be +// sent to the channel default_debug (which is also dynamic), but without +// affecting the regular logging. +// + channel query-errors_log { + file "/var/log/query-errors" versions 5 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity dynamic; + }; + +// +// This is the default debug output channel, defined here for clarity. You +// might want to redefine the output destination if it doesn’t fit with your +// local system administration plans for logging. It is also a special +// channel that only produces output if the debug level is non-zero. +// + channel default_debug { + print-time yes; + print-category yes; + print-severity yes; + file "named.run"; + severity dynamic; + }; +// +// Log routine stuff to syslog and default log: +// + category default { default_syslog; default_debug; default_log; }; + category config { default_syslog; default_debug; default_log; }; + category dispatch { default_syslog; default_debug; default_log; }; + category network { default_syslog; default_debug; default_log; }; + category general { default_syslog; default_debug; default_log; }; +// +// From BIND 9.12 and newer, you can direct zone load logging to another +// channel with the new zoneload logging category. If this would be useful +// then firstly, configure the new channel, and then edit the line below +// to direct the category there instead of to syslog and default log: +// + category zoneload { default_syslog; default_debug; default_log; }; +// +// Log messages relating to what we got back from authoritative servers during +// recursion (if lame-servers and edns-disabled are obscuring other messages +// they can be sent to their own channel or to null). Sometimes these log +// messages will be useful to research why some domains don’t resolve or +// don’t resolve reliably +// + category resolver { auth_servers_log; default_debug; }; + category cname { auth_servers_log; default_debug; }; + category delegation-only { auth_servers_log; default_debug; }; + category lame-servers { auth_servers_log; default_debug; }; + category edns-disabled { auth_servers_log; default_debug; }; +// +// Log problems with DNSSEC: +// + category dnssec { dnssec_log; default_debug; }; +// +// Log together all messages relating to authoritative zone propagation +// + category notify { zone_transfers_log; default_debug; }; + category xfer-in { zone_transfers_log; default_debug; }; + category xfer-out { zone_transfers_log; default_debug; }; +// +// Log together all messages relating to dynamic updates to DNS zone data: +// + category update{ ddns_log; default_debug; }; + category update-security { ddns_log; default_debug; }; +// +// Log together all messages relating to client access and security. +// (There is an additional category ‘unmatched’ that is by default sent to +// null but which can be added here if you want more than the one-line +// summary that is logged for failures to match a view). +// + category client{ client_security_log; default_debug; }; + category security { client_security_log; default_debug; }; +// +// Log together all messages that are likely to be related to rate-limiting. +// This includes RRL (Response Rate Limiting) - usually deployed on authoritative +// servers and fetches-per-server|zone. Note that it does not include +// logging of changes for clients-per-query (which are logged in category +// resolver). Also note that there may on occasions be other log messages +// emitted by the database category that don’t relate to rate-limiting +// behaviour by named. +// + category rate-limit { rate_limiting_log; default_debug; }; + category spill { rate_limiting_log; default_debug; }; + category database { rate_limiting_log; default_debug; }; +// +// Log DNS-RPZ (Response Policy Zone) messages (if you are not using DNS-RPZ +// then you may want to comment out this category and associated channel) +// + category rpz { rpz_log; default_debug; }; +// +// Log messages relating to the "dnstap" DNS traffic capture system (if you +// are not using dnstap, then you may want to comment out this category and +// associated channel). +// + category dnstap { dnstap_log; default_debug; }; +// +// If you are running a server (for example one of the Internet root +// nameservers) that is providing RFC 5011 trust anchor updates, then you +// may be interested in logging trust anchor telemetry reports that your +// server receives to analyze anchor propagation rates during a key rollover. +// If this would be useful then firstly, configure the new channel, and then +// un-comment and the line below to direct the category there instead of to +// syslog and default log: +// +// + category trust-anchor-telemetry { default_syslog; default_debug; default_log; }; +// +// If you have the category ‘queries’ defined, and you don’t want query logging +// by default, make sure you add option ‘querylog no;’ - then you can toggle +// query logging on (and off again) using command ‘rndc querylog’ +// + category queries { queries_log; }; +// +// This logging category will only emit messages at debug levels of 1 or +// higher - it can be useful to troubleshoot problems where queries are +// resulting in a SERVFAIL response. +// + category query-errors {query-errors_log; }; +}; \ No newline at end of file