BIND DNS Enable audit logs - Authoritative


BIND DNS Enable audit logs - Authoritative

Daniel Dawalibi

Hello

Is it possible to enable the audit logs on BIND DNS so we can track changes performed on the DNS records level (Add/Delete/Modify A,MX,NS,… records)?

Regards

Daniel


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: BIND DNS Enable audit logs - Authoritative

Tony Finch
Daniel Dawalibi <[hidden email]> wrote:
>
> Is it possible to enable the audit logs on BIND DNS so we can track changes
> performed on the DNS records level (Add/Delete/Modify A,MX,NS,… records)?

You can get that by default, depending on how the changes were performed.

If you use `nsupdate` or some other dynamic DNS UPDATE client, `named`
will log changes like this ...

08-Jan-2019 11:55:09.826 update: info:
        client @0x55b747f47ec0 ::1#5685/key local-ddns:
        updating zone 'private.cam.ac.uk/IN':
        adding an RR at 'private.cam.ac.uk' SOA primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
08-Jan-2019 11:55:09.826 update: info:
        client @0x55b747f47ec0 ::1#5685/key local-ddns:
        updating zone 'private.cam.ac.uk/IN':
        adding an RR at 'QQQQ.lcil.private.cam.ac.uk' A 172.22.QQ.QQ

The changes are also recorded in the zone's journal, which you can extract
like:

$ named-journalprint /home/named/zone/private.cam.ac.uk.jnl
[...]
del private.cam.ac.uk.  3600    IN      SOA     primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546944908 1800 900 604800 3600
add private.cam.ac.uk.  3600    IN      SOA     primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
add QQQQ.lcil.private.cam.ac.uk. 3600 IN        A       172.22.QQ.QQ

You might want to use the `ixfr-from-differences` and `max-journal-size`
options if you care about preserving journal contents.

Alternatively, keep your zone contents in `git` or a database that keeps
an audit log :-)

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Mull of Galloway to Mull of Kintyre including the Firth of Clyde and North
Channel: Northwesterly 4 or 5, occasionally 6 at first in the North Channel,
becoming variable 3 or less. Moderate, becoming smooth or slight. Occasional
rain later. Good, occasionally moderate later.

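Tony's `update` log excerpt above, parsed into audit records as an added example (my code, not from the thread or from BIND): it re-joins entries wrapped onto indented lines, extracts client, TSIG key, zone and the added or deleted RR, and flags changes accepted without a key. The "deleting ..." phrasings, the optional `@0x...` client pointer and the unsigned third sample line are assumptions, not shown on the page.

```python
import re
from collections import namedtuple
# Constructed sample: the two wrapped entries shown on the page plus one
# single-line, unsigned deletion (its wording and address are assumptions).
SAMPLE_LOG = """\
08-Jan-2019 11:55:09.826 update: info:
        client @0x55b747f47ec0 ::1#5685/key local-ddns:
        updating zone 'private.cam.ac.uk/IN':
        adding an RR at 'private.cam.ac.uk' SOA primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
08-Jan-2019 11:55:09.826 update: info: client @0x55b747f47ec0 ::1#5685/key local-ddns: updating zone 'private.cam.ac.uk/IN': adding an RR at 'QQQQ.lcil.private.cam.ac.uk' A 172.22.QQ.QQ
09-Jan-2019 08:00:00.000 update: info: client @0x55b747f47ec0 192.0.2.10#4242: updating zone 'private.cam.ac.uk/IN': deleting an RR at 'old.private.cam.ac.uk' A 172.22.1.1
"""

# One update-category record change; the "deleting ..." phrasings are assumed.
ENTRY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) update: \w+: "
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[^\s/]+)(?:/key (?P<key>[^\s:]+))?: "
    r"updating zone '(?P<zone>[^']+)': "
    r"(?P<action>adding an RR at|deleting an RR at|deleting rrset at) "
    r"'(?P<name>[^']+)'(?: (?P<rr>.*))?$"
)

# key is None when the change was accepted without a TSIG key.
AuditEvent = namedtuple("AuditEvent", "ts client key zone op name rtype rdata")

def join_wrapped(text: str) -> list[str]:
    """Re-join entries that were wrapped onto indented continuation lines."""
    entries: list[str] = []
    for line in filter(str.strip, text.splitlines()):
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.rstrip())
    return entries

def parse_update_log(text: str) -> list[AuditEvent]:
    events = []
    for entry in join_wrapped(text):
        m = ENTRY_RE.match(entry)
        if not m:
            continue  # some other update-category message
        rtype, _, rdata = (m["rr"] or "").partition(" ")
        op = "add" if m["action"].startswith("adding") else "del"
        events.append(AuditEvent(m["ts"], m["client"], m["key"], m["zone"],
                                 op, m["name"], rtype, rdata))
    return events

def unsigned_updates(events: list[AuditEvent]) -> list[AuditEvent]:
    return [e for e in events if e.key is None]  # changes with no TSIG key: alert
```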
RE: BIND DNS Enable audit logs - Authoritative

Daniel Dawalibi
Hello

We edit our zones manually (not through a panel interface). Is it possible to
log DNS updates in this case?
Logging is already enabled, but we are unable to track the updated zones in
the logs.
The enabled categories on the authoritative Master DNS server are "xfer-in",
"security", "network", "default", "config", "queries" and "update".

How can we enable the journal files in our case? Is there any impact on the
DNS performance?


Regards
Daniel

RE: BIND DNS Enable audit logs - Authoritative

John W. Blue
> We edit our zones manually ..

*cringe*

No wonder you are looking for audit logging!  Yikes.

Outside of DDI-specific solutions like Infoblox or Bluecat, you might want to check out Webmin. It logs all changes made via its interface:

https://doxfer.webmin.com/Webmin/Webmin_Actions_Log

John

RE: BIND DNS Enable audit logs - Authoritative

Tony Finch
In reply to this post by Daniel Dawalibi
Daniel Dawalibi <[hidden email]> wrote:
>
> We edit our zones manually (not through panel interface), is it possible to
> log DNS updates in this case?

I would recommend using version control: git, mercurial, subversion, even
RCS is better than nothing! Best time to start is about 25 years ago;
second best time is today :-)

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Great Orme Head to the Mull of Galloway: West 3 or 4, increasing 5 to 7.
Slight becoming moderate. Occasional rain or drizzle. Moderate or good.

Re: BIND DNS Enable audit logs - Authoritative

Kevin Darcy
In reply to this post by Daniel Dawalibi
I don't believe there is any logging category for this, even when zones are enabled for Dynamic Update, in which case the versioning is done automatically. There used to be a "journalprint" utility that one could run against the .jnl files to show the update history. But, even if the journaling mechanism and the "journalprint" utility still exist as I remember it, it would most likely only work for Dynamic-Update-enabled zones. I don't believe .jnl files are created for non-Dynamic-Update-enabled zones, although I could be wrong on that -- maybe named synthesizes .jnl files for purposes of IXFR (???).

If you're doing manual editing, I assume you have some mechanism to reload the zone after each edit, presumably a script of some sort. The best suggestion I have, short of evolving your solution significantly, is to add a "diff against previous version" + "make a copy of the current version of the file" sequence into that script, to capture the deltas, along with a decision on how much history you want to keep, and perhaps a cron script to purge the stale versions so the repository doesn't grow without bound. (The maintenance/garbage-collection function could theoretically be integrated into the main diff logic).

The next evolution might be to use a version-control system. The next evolution beyond that might be a web interface with a dynamic-update backend (which still serves some of our use cases) or a "panel" package (assuming it has sufficient logging/auditing for your needs) or an enterprise-strength DNS management solution (e.g. Infoblox, which we also use).

- Kevin


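Kevin's "diff against the previous version, keep a copy, purge stale copies" step, as an added example that is not Kevin's script or anything shipped with BIND: a reload wrapper would call snapshot_zone() on each edited zone file before `rndc reload`, so every manual edit leaves a unified diff in an audit log plus an archived copy. The directory layout, stamps and zone contents are constructed; run_demo() walks three edit cycles in a temporary directory.

```python
import difflib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def snapshot_zone(zone_file: Path, archive_dir: Path, keep: int = 30,
                  stamp: str = "") -> str:
    """Diff zone_file against the newest archived copy, log the diff, archive the
    file and purge copies beyond `keep` (>= 1). Returns '' when unchanged."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S.%f")
    archives = sorted(archive_dir.glob(zone_file.name + ".*"))  # stamps sort lexically
    previous = archives[-1].read_text().splitlines(True) if archives else []
    current = zone_file.read_text().splitlines(True)
    diff = "".join(difflib.unified_diff(
        previous, current,
        fromfile=archives[-1].name if archives else "/dev/null",
        tofile=f"{zone_file.name}.{stamp}"))
    if diff:
        with (archive_dir / "changes.log").open("a") as log:
            log.write(f"=== {stamp} {zone_file}\n{diff}")
        (archive_dir / f"{zone_file.name}.{stamp}").write_bytes(zone_file.read_bytes())
        for stale in sorted(archive_dir.glob(zone_file.name + ".*"))[:-keep]:
            stale.unlink()  # garbage-collect the oldest copies
    return diff

# Constructed zone file versions; serials mirror the journal output on the page.
ZONE_V1 = ("$TTL 3600\n"
           "private.cam.ac.uk. IN SOA primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546944908 1800 900 604800 3600\n"
           "private.cam.ac.uk. IN NS primary.dns.cam.ac.uk.\n")
ZONE_V2 = ZONE_V1.replace("1546944908", "1546948509") + \
          "QQQQ.lcil.private.cam.ac.uk. IN A 172.22.QQ.QQ\n"
ZONE_V3 = ZONE_V2.replace("1546948509", "1546948510") + \
          "www.private.cam.ac.uk. IN A 172.22.QQ.QQ\n"

def run_demo() -> dict:
    """Three edit/reload cycles in a temp dir, keeping only the two newest copies."""
    base = Path(tempfile.mkdtemp())
    zone, archive = base / "private.cam.ac.uk.zone", base / "archive"
    out = {}
    zone.write_text(ZONE_V1)
    out["first"] = snapshot_zone(zone, archive, keep=2, stamp="0001")
    out["unchanged"] = snapshot_zone(zone, archive, keep=2, stamp="0002")
    zone.write_text(ZONE_V2)
    out["second"] = snapshot_zone(zone, archive, keep=2, stamp="0003")
    zone.write_text(ZONE_V3)
    out["third"] = snapshot_zone(zone, archive, keep=2, stamp="0004")
    out["archives"] = sorted(p.name for p in archive.glob("*.zone.*"))
    return out
```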
Re: BIND DNS Enable audit logs - Authoritative

Dave Warren-2
On 2019-01-11 11:55, Kevin Darcy wrote:
> I don't believe there is any logging category for this, even when zones
> are enabled for Dynamic Update, in which case the versioning is done
> automatically. There used to be a "journalprint" utility that one could
> run against the .jnl files to show the update history. But, even if the
> journaling mechanism and the "journalprint" utility still exist as I
> remember it, it would most likely only work for Dynamic-Update-enabled
> zones. I don't believe .jnl files are created for
> non-Dynamic-Update-enabled zones, although I could be wrong on that --
> maybe named synthesizes .jnl files for purposes of IXFR (???).

Interestingly enough, it does, but with some limitations/quirks that
occasionally require you to manually delete your jnl file (and of course
force an AXFR-style IXFR transfer in these situations).

I don't recall the exact trigger, I think it related to when a zone is
updated when BIND is offline (or at least, my notes say that it happens
when the billing system removes a zone from named.conf and later re-adds
the same zone). I do have something monitoring the log to detect the
situation and clear the appropriate jnl files, such that if there are
other situations where this occurs, I wouldn't notice.


Re: BIND DNS Enable audit logs - Authoritative

Chris Buxton
>
> On Jan 11, 2019, at 11:33 AM, Dave Warren <[hidden email]> wrote:
>
> On 2019-01-11 11:55, Kevin Darcy wrote:
>> I don't believe there is any logging category for this, even when zones are enabled for Dynamic Update, in which case the versioning is done automatically. There used to be a "journalprint" utility that one could run against the .jnl files to show the update history. But, even if the journaling mechanism and the "journalprint" utility still exist as I remember it, it would most likely only work for Dynamic-Update-enabled zones. I don't believe .jnl files are created for non-Dynamic-Update-enabled zones, although I could be wrong on that -- maybe named synthesizes .jnl files for purposes of IXFR (???).
>
> Interestingly enough, it does, but with some limitations/quirks that occasionally require you to manually delete your jnl file (and of course force a AXFR-style IXFR transfer in these situations).

That makes sense, since presumably the journal could only be generated during execution of "rndc reload" or "rndc reload <zone>".

Chris