
DNS Logging

I use OpenDNS to provide content filtering for my school. I receive daily reports that have shown an increase in queries to suspicious domains. When I've contacted OpenDNS to investigate they informed me that, more than likely, I have a system (or multiple systems) that have been compromised. I use a mac mini server running OS X Server 10.8.4 as an internal dns server (dhcp hands out this internal DNS, then requests are forwarded from there). After doing some investigation it appears I should be able to examine the named.log on my mini to find the originating IP address of the compromised machine, but when I open console and check for named.log I see


Jan 16 00:30:00 alpha newsyslog[29609]: logfile turned over


If I open a terminal window and try


tail -f /Library/Logs/named.log


I get the same results.


Does anybody have any ideas?

Posted on Jan 16, 2014 10:50 AM

14 replies

Jan 17, 2014 6:25 AM in response to cpragman

So I've located my named.conf file and found the section that controls logging:



logging {
    channel "_default_log" {
        file "/Library/Logs/named.log";
        severity info;
        print-time yes;
    };
    category "default" {
        "_default_log";
    };
};



From my inexperienced reading of the BIND documentation, the


severity info;


entry should be producing some kind of log entry, correct?



cpragman wrote:


Wouldn't you need to increase the logging level of named first?


Check "man 5 named.conf" for details on logging levels.

Jan 17, 2014 10:47 AM in response to Linc Davis

Linc,


Here's part of the named.conf file:


include "/etc/rndc.key";

options {
    directory "/var/named";
    allow-recursion {
        com.apple.ServerAdmin.DNS.public;
    };
    allow-transfer {
        none;
    };
    forwarders {
        208.67.222.222;
        208.67.220.220;
    };
};

controls {
    inet 127.0.0.1 port 54 allow {
        "any";
    } keys {
        "rndc-key";
    };
};

acl "com.apple.ServerAdmin.DNS.public" {
    any;
};

logging {
    channel "_default_log" {
        file "/Library/Logs/named.log";
        severity info;
        print-time yes;
    };
    category "default" {
        "_default_log";
    };
};



Anything amiss?


btw: thanks for the help!

Jan 17, 2014 12:34 PM in response to Linc Davis

I restarted DNS service and started to get some log activity (still nothing from the rndc query you linked to, though).


If I want to increase the log level so that I can trace which internal clients are the ones querying the suspect domains, would I change the line in named.conf from


severity info;


to


severity debug;


If that is the right syntax, I imagine the procedure would be:


1) backup named.conf (named.conf.old or something similar)
2) turn off dns
3) make change to named.conf
4) start dns
5) test log level


As you can tell I'm new to this (and obviously know just enough to really screw things up).


Thanks again,


Christopher
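The goal stated in the thread is to find which internal client made the lookups that OpenDNS flagged. In BIND 9 the per-client query records come from the `queries` logging category (also toggled at runtime with `rndc querylog`) rather than from the channel's `severity` setting, so a dedicated channel with `category queries` is the configuration that produces lines of the form `client 10.0.1.77#49152: query: host.example.test IN A + (10.0.1.2)`. The script below is an added example for this thread, not code from the original post, from Apple or from BIND/OpenDNS: it parses such query-log lines and reports, per client IP, the flagged domains (and any subdomain of them) that the client resolved. The log lines, client addresses and flagged domain names are constructed sample data, and the channel name, file path and rotation values in the docstring are assumed, not taken from the poster's server. It goes slightly beyond the thread in accepting both the classic `client ip#port:` prefix and the newer `client @0x... ip#port (qname):` prefix that later BIND 9 releases emit.

```python
"""Attribute flagged-domain lookups to internal clients from BIND query logs.

Added example; not the poster's or BIND's own code. It assumes BIND 9 query
logging has been enabled with a dedicated channel and the `queries` category
(the channel name, path and rotation values here are assumptions):

    logging {
        channel query_log {
            file "/Library/Logs/named-queries.log" versions 5 size 20m;
            severity info;
            print-time yes;
        };
        category queries { query_log; };
    };
"""
import re
from collections import defaultdict

# Constructed sample lines (not real traffic). Two shapes are covered: the
# classic BIND 9.8/9.9 "client ip#port:" prefix and the newer
# "client @0x... ip#port (qname):" prefix. The last line is deliberate noise.
SAMPLE_LOG = """\
16-Jan-2014 09:14:02.118 client 10.0.1.25#53211: query: www.example.edu IN A + (10.0.1.2)
16-Jan-2014 09:14:05.902 client 10.0.1.77#49152: query: update.suspect-example.test IN A + (10.0.1.2)
16-Jan-2014 09:14:06.441 client 10.0.1.77#49153: query: cdn.suspect-example.test IN A + (10.0.1.2)
16-Jan-2014 09:14:09.003 client 10.0.1.25#53212: query: mail.example.edu IN MX + (10.0.1.2)
16-Jan-2014 09:15:30.777 client @0x7f8e3c0 10.0.1.91#61000 (beacon.other-suspect.test): query: beacon.other-suspect.test IN A +E(0)K (10.0.1.2)
16-Jan-2014 09:15:31.010 client 10.0.1.77#49154: query: update.suspect-example.test IN AAAA + (10.0.1.2)
this line is not a query record and must be ignored
"""

# Domains flagged in the daily report. Constructed placeholders, not real IoCs.
SUSPECT_DOMAINS = {"suspect-example.test", "other-suspect.test"}

# Timestamp, optional "@0x..." handle, client IP, source port, optional "(qname)",
# then the queried name and record type.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for non-query lines."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    # Normalise the name: drop a trailing dot and compare case-insensitively.
    return m["ts"], m["ip"], m["qname"].rstrip(".").lower(), m["qtype"]


def is_suspect(qname, suspect_domains):
    """True if qname equals, or is a subdomain of, any flagged domain.

    The leading dot in the suffix test keeps 'notsuspect-example.test' from
    matching 'suspect-example.test'.
    """
    return any(qname == d or qname.endswith("." + d) for d in suspect_domains)


def clients_querying_suspects(log_text, suspect_domains):
    """Map client IP -> sorted list of distinct flagged names it looked up."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None:
            continue
        _, ip, qname, _ = rec
        if is_suspect(qname, suspect_domains):
            hits[ip].add(qname)
    return {ip: sorted(names) for ip, names in hits.items()}


def query_counts(log_text, suspect_domains):
    """Map client IP -> number of flagged queries (repeat lookups are counted)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec and is_suspect(rec[2], suspect_domains):
            counts[rec[1]] += 1
    return dict(counts)


if __name__ == "__main__":
    # On a real server, replace SAMPLE_LOG with the contents of the query log file.
    for ip, names in sorted(clients_querying_suspects(SAMPLE_LOG, SUSPECT_DOMAINS).items()):
        print(f"{ip}: {', '.join(names)}")
```

The per-client report is the artefact to act on: the address that resolved the flagged names is the machine to pull from the network and examine, and the same parse can be run over rotated logs to establish when the lookups began. Note that the client address recorded is the one that asked the internal server, so a second forwarding resolver on the path would hide the true endpoint; point DHCP clients directly at the logging server, as the poster already does.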
