DNS Logging
I use OpenDNS to provide content filtering for my school. I receive daily reports that have shown an increase in queries to suspicious domains. When I contacted OpenDNS to investigate, they informed me that, more than likely, I have a system (or multiple systems) that has been compromised. I use a Mac mini server running OS X Server 10.8.4 as an internal DNS server (DHCP hands out this internal DNS, then requests are forwarded from there). After doing some investigation, it appears I should be able to examine the named.log on my mini to find the originating IP address of the compromised machine, but when I open Console and check for named.log I see:
Jan 16 00:30:00 alpha newsyslog[29609]: logfile turned over
If I open a terminal window and try:
tail -f /Library/Logs/named.log
I get the same results.
Does anybody have any ideas?