There are a handful of occasions when the source IP address
of DNS queries needs to be isolated.
This may be due to a security requirement or a troubleshooting exercise
(e.g. is my query actually reaching the DNS server?).
Note: Enabling DNS query logging on a very busy system may affect
performance, as the log must be written to for every DNS query, which can cause contention for disk I/O.
To enable DNS query logging, log in to the CLI as admin and run:
Adonis> configure querylogging
Adonis:configure:querylogging> enable
Adonis:configure:querylogging> show
State = Enable
Adonis:configure:querylogging> exit
Once query logging has been enabled, additional verbosity
will be added to the DNS logs. To view
those logs, navigate in BlueCat Address Manager to the Servers tab -> <DNS
server> -> <Action drop-down> -> View Logs -> DNS.
Each query entry in those logs can be broken down into the following
fields:
- client 10.10.100.1#57605
  The client, with a source IP address of 10.10.100.1 (and a source port of 57605).
- (dds1.example.com)
  Name of the server being queried.
- view Internal
  Which view is being matched.
- query: dds1.example.com IN A
  The A record for dds1.example.com was requested.
- +E
  The flags which were set on the query. In this case, EDNS with recursion was requested.
  For more information on which flags are possible, please visit:
  https://deepthought.isc.org/article/AA-00434/0/What-do-EDC-and-other-letters-I-see-in-my-query-log-mean.html
- (10.10.100.201)
  The IP address of the DNS server the client is pointed to. This is useful for debugging NAT scenarios.
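As an added example (not part of the original article and not BlueCat's own tooling), the following Python parses query-log lines of the shape broken down above, pulls out each field, decodes the flag letters, and tallies queries per source address, which is the isolation task the article opens with. The sample lines are constructed, and the exact separators of the line layout (": " between fields, an optional "@0x..." client handle) are assumed from BIND's query-log format rather than stated by the article.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Assumed layout of one query-log entry (BIND 9 style), matching the
# fields broken down in the article:
#   client <ip>#<port> (<qname>): view <view>: query: <qname> <class> <type> <flags> (<server ip>)
# re.search is used so a timestamp or "queries: info:" category prefix
# ahead of "client" does not break the match.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src_ip>[0-9a-fA-F.:]+)#(?P<src_port>\d+)"
    r"(?: \((?P<qname_paren>[^)]*)\))?: "
    r"(?:view (?P<view>\S+): )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
    r" \((?P<server_ip>[0-9a-fA-F.:]+)\)"
)

# Flag letters as documented in the ISC article linked above.
FLAG_MEANINGS = {
    "+": "recursion requested",
    "-": "recursion not requested",
    "S": "TSIG signed",
    "E": "EDNS",
    "T": "TCP",
    "D": "DNSSEC OK",
    "C": "checking disabled",
}

# Constructed sample log; the addresses and names are illustrative only.
SAMPLE_LOG = """\
client 10.10.100.1#57605 (dds1.example.com): view Internal: query: dds1.example.com IN A +E (10.10.100.201)
client 10.10.100.1#57606 (dds1.example.com): view Internal: query: dds1.example.com IN AAAA +E (10.10.100.201)
client 10.10.100.7#40112 (www.example.com): view Internal: query: www.example.com IN A + (10.10.100.201)
client 192.0.2.55#5353 (example.com): view External: query: example.com IN MX -ET (203.0.113.10)
this line is not a query-log entry and is skipped
"""


def parse_query_log_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one query-log line, or None if it is not one."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    fields: Dict[str, object] = m.groupdict()
    fields["src_port"] = int(m.group("src_port"))
    fields["flag_meanings"] = decode_flags(m.group("flags"))
    return fields


def decode_flags(flags: str) -> List[str]:
    """Expand a flag string such as '+E' into human-readable meanings."""
    return [FLAG_MEANINGS.get(ch, f"unknown flag {ch!r}") for ch in flags]


def queries_from(lines: Iterable[str], src_ip: str) -> List[Dict[str, object]]:
    """Isolate every query that arrived from one source IP address."""
    parsed = (parse_query_log_line(l) for l in lines)
    return [q for q in parsed if q is not None and q["src_ip"] == src_ip]


def count_by_source(lines: Iterable[str]) -> Counter:
    """Count queries per source IP, e.g. to spot an unexpectedly noisy client."""
    counts: Counter = Counter()
    for line in lines:
        q = parse_query_log_line(line)
        if q is not None:
            counts[str(q["src_ip"])] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for q in queries_from(lines, "10.10.100.1"):
        print(q["src_ip"], q["src_port"], q["view"], q["qname"], q["qtype"], q["flag_meanings"])
    print(count_by_source(lines))
```

To answer the article's troubleshooting question ("is my query hitting the DNS server?"), feed the exported DNS log to queries_from with the client's address; an empty result with other clients present in count_by_source points at the path between the client and the server (or at a NAT, since the server_ip field shows which address the query arrived on) rather than at the server itself.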
Is there a field for what the DNS resolution resolved to? Like what the query response was?