Enable logging with BIND

Category: DNS
Created: 2022-02-15

By default, the DNS server BIND logs its messages via the syslog service to /var/log/syslog. In some cases, however, this is not verbose enough.

This guide describes how to enable more verbose logging with BIND.

Create directory

First create a separate directory for the BIND log files and set the appropriate user permissions:

root@srv:~# mkdir /var/log/named
root@srv:~# chown bind:root /var/log/named
root@srv:~# chmod 0750 /var/log/named

Configure logging

Then edit the file /etc/bind/named.conf.local and add the following section:

logging {
    channel my_syslog {
        syslog daemon;
        severity notice;
    };
    channel my_file {
        file "/var/log/named/messages";
        severity info;
        print-time yes;
    };
    # channel to log all zone transfers:
    channel my_xfer_file {
        file "/var/log/named/xfers";
        severity info;
        print-time yes;
    };
    # channel to log all dynamic updates:
    channel my_update_file {
        file "/var/log/named/updates";
        severity info;
        print-time yes;
    };
    category default { my_file; };
    category update { my_update_file; };
    category xfer-in { my_xfer_file; };
    category xfer-out { my_xfer_file; };
};

The settings are largely self-explanatory: we define several log channels (channel) and then assign them to the individual log categories (category). In this case there is a separate log file for dynamic updates and another for zone transfers; everything else ends up in a third log file.

Finally, BIND needs to reload its configuration:

root@srv:~# rndc reconfig
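As an added sanity check (not part of this guide and not a BIND tool), the Python lint below parses a logging block in the format shown above and reports channels that no category uses, as well as categories that reference a channel that was never defined; run against the guide's own block it would report my_syslog as defined but unassigned. The embedded configuration is a constructed sample, and the parser assumes the simple one-statement-per-line style used in this guide.

```python
import re

# Constructed sample in the style of the guide's logging block (not a real
# server's config): my_syslog is defined but never assigned to a category,
# and the update category points at a channel that is never defined.
SAMPLE_CONF = """
logging {
    channel my_syslog { syslog daemon; severity notice; };
    channel my_file {
        file "/var/log/named/messages";
        severity info;
        print-time yes;
    };
    category default { my_file; };
    category update { my_update_file; };  # misspelt channel name
};
"""

# Channels BIND provides without a channel statement in named.conf.
BUILTIN_CHANNELS = {"default_syslog", "default_debug", "default_stderr", "null"}
CHANNEL_RE = re.compile(r'channel\s+([\w-]+)\s*\{(.*?)\};', re.S)
CATEGORY_RE = re.compile(r'category\s+([\w-]+)\s*\{([^}]*)\};', re.S)

def parse_logging(conf):
    """Return (channels, categories) parsed from a named.conf logging block."""
    conf = re.sub(r'(#|//).*', '', conf)  # drop line comments
    channels = {}
    for name, body in CHANNEL_RE.findall(conf):
        m_file = re.search(r'file\s+"([^"]+)"', body)
        m_sev = re.search(r'severity\s+(\S+)\s*;', body)
        channels[name] = {"file": m_file.group(1) if m_file else None,
                          "severity": m_sev.group(1) if m_sev else None}
    categories = {}
    for name, body in CATEGORY_RE.findall(conf):
        categories[name] = [c.strip() for c in body.split(";") if c.strip()]
    return channels, categories

def audit(conf):
    """Flag channels nothing writes to and categories that point at nothing."""
    channels, categories = parse_logging(conf)
    used = {ch for chans in categories.values() for ch in chans}
    findings = []
    for ch in sorted(set(channels) - used):
        findings.append(f"channel '{ch}' is defined but assigned to no category")
    for cat, chans in sorted(categories.items()):
        for ch in chans:
            if ch not in channels and ch not in BUILTIN_CHANNELS:
                findings.append(f"category '{cat}' references undefined channel '{ch}'")
    return findings
```

To check a live server, read /etc/bind/named.conf.local into a string and pass it to audit() before running rndc reconfig.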