7.1.2020 : Setting up better logging for DNS

sudo vi /etc/bind/named.conf

add this line:
include "/etc/bind/named.conf.log";


sudo vi /etc/bind/named.conf.log

logging {
  channel bind_log {
    file "/var/log/bind/bind.log" versions 3 size 5m;
    severity info;
    print-category yes;
    print-severity yes;
    print-time yes;
  };
  category default { bind_log; };
  category update { bind_log; };
  category update-security { bind_log; };
  category security { bind_log; };
  category queries { bind_log; };
  category lame-servers { null; };
};

Two things to know about this config. "category queries" logs every single query, so on a busy resolver the file grows fast; keep the size limit or drop that category once you have what you need. The "versions 3 size 5m" clause also makes named rotate bind.log itself (to bind.log.0, .1, .2); if logrotate is going to rotate the file as well (see below), remove that clause so the two do not fight over the same file.

sudo mkdir /var/log/bind
sudo chown bind:root /var/log/bind
sudo chmod 775 /var/log/bind

sudo vi /etc/apparmor.d/usr.sbin.named

  # syslog do the heavy lifting.
#/var/log/named/** rw,
#/var/log/named/ rw,
/var/log/bind/** rw,
/var/log/bind/ rw,


sudo systemctl restart apparmor
sudo systemctl restart bind9


sudo vi /etc/logrotate.d/bind

/var/log/bind/bind.log {
  rotate 7
  daily
  dateext
  dateformat _%Y-%m-%d
  missingok
  create 644 bind bind
  delaycompress
  compress
  notifempty
  postrotate
    /bin/systemctl reload bind9
  endscript
}

Put dateext and dateformat on separate lines; logrotate reads one directive per line. The reload in postrotate makes named re-read its config and reopen the log file, so it does not keep writing to the rotated copy. The directory was deliberately made bind:root above: logrotate refuses to rotate files in a directory that is writable by a group other than root unless you add a "su" directive.

Force a rotation once to check the config works:

sudo logrotate -vf /etc/logrotate.d/bind

sudo systemctl restart bind9
tail -f /var/log/bind/bind.log
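With the channel above in place, the query log is the thing actually worth reading: it shows who is asking the resolver for what, which is the whole point of putting an ACL on the servers. The script below is an added example for these notes (not code from BIND or from the original page). It parses the bind.log line layout produced by print-time/print-category/print-severity with the BIND 9.11 query format, flags queries from clients outside the trusted subnets, counts denied queries from the security category, and lists the most-queried names. The sample log lines are constructed for the example, and the trusted subnets (10.128.0.0/16 plus loopback) are an assumption standing in for the ACL on the servers; older BIND versions omit the "@0x..." client pointer, which the regex tolerates.

```python
"""Flag BIND query-log entries from clients outside the trusted subnets.

Added example for these notes; not part of BIND or of the original page.
Assumes the logging channel above (print-time, print-category and
print-severity all "yes"), which produces lines like the constructed
samples below (BIND 9.11 query-log layout).
"""
import ipaddress
import re
import sys
from collections import Counter

# Assumption: the ACL on the servers allows these ranges (stand-in values).
TRUSTED = [ipaddress.ip_network(n) for n in ("10.128.0.0/16", "127.0.0.0/8")]

# One "queries" line. The "@0x..." client pointer is optional because older
# BIND releases do not print it.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: (?P<sev>\w+): client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname_paren>[^)]*)\): "
    r"query: (?P<qname>\S+) (?P<class>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<local>[^)]*)\)"
)

# Constructed sample log; 203.0.113.9 (TEST-NET-3) stands in for an outsider.
SAMPLE_LOG = """\
07-Jan-2020 21:15:01.122 queries: info: client @0x7f3a4c0b1f10 10.128.10.50#51234 (www.example.com): query: www.example.com IN A +E(0)K (10.128.10.11)
07-Jan-2020 21:15:01.390 queries: info: client @0x7f3a4c0b1f10 10.128.20.77#40022 (nas.nyc3.example.com): query: nas.nyc3.example.com IN AAAA + (10.128.10.11)
07-Jan-2020 21:15:02.004 queries: info: client @0x7f3a4c0c2a20 203.0.113.9#53 (isc.org): query: isc.org IN ANY +E(0) (10.128.10.11)
07-Jan-2020 21:15:02.010 security: info: client @0x7f3a4c0c2a20 203.0.113.9#53 (isc.org): query (cache) 'isc.org/ANY/IN' denied
07-Jan-2020 21:15:03.555 queries: info: client @0x7f3a4c0b1f10 10.128.10.50#51300 (www.example.com): query: www.example.com IN A +E(0)K (10.128.10.11)
"""


def parse_query(line):
    """Return the fields of one 'queries' log line, or None for any other line."""
    m = QUERY_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip, trusted=TRUSTED):
    """True if the client address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def analyze(log_text, trusted=TRUSTED):
    """Summarise a bind.log: untrusted queries, denied count, top names."""
    untrusted, names, denied = [], Counter(), 0
    for line in log_text.splitlines():
        q = parse_query(line)
        if q is None:
            # "security" category lines end in "denied" when the ACL rejected a query.
            if " security: " in line and line.rstrip().endswith(" denied"):
                denied += 1
            continue
        names[q["qname"]] += 1
        if not is_trusted(q["ip"], trusted):
            untrusted.append((q["ip"], q["qname"], q["qtype"]))
    return {"untrusted": untrusted, "top_names": names, "denied": denied}


if __name__ == "__main__":
    # Usage: python3 dnslog.py /var/log/bind/bind.log   (sample log if no path)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = analyze(text)
    for ip, name, qtype in report["untrusted"]:
        print(f"UNTRUSTED client {ip} asked {name} {qtype}")
    print(f"denied by ACL: {report['denied']}")
    for name, count in report["top_names"].most_common(5):
        print(f"{count:6d} {name}")
```

The "untrusted" list is the one to watch: if it is non-empty the ACL is not doing what you think, because the query should have been refused (and logged under security as denied) rather than answered.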


 
sudo apt update
sudo apt install resolvconf
sudo systemctl start resolvconf.service
sudo systemctl enable resolvconf.service
sudo systemctl status resolvconf.service
sudo dpkg-reconfigure resolvconf # answer Yes and ok

sudo vim /etc/resolvconf/resolv.conf.d/head
# your nameservers, domain, options that would go in /etc/resolv.conf in here

# your private domain
search nyc3.example.com
# ns1 private IP address
nameserver 10.128.10.11
# ns2 private IP address
nameserver 10.128.20.12

Keep the notes on their own lines: resolv.conf only treats lines that start with # or ; as comments, so words after "search" on the same line can end up in the search list.


Restart the server (or run "sudo resolvconf -u") so /etc/resolv.conf is regenerated from the head file.

Turn these off in named.conf.options or you get errors:

 dnssec-enable no;
 dnssec-validation no;

Caveat: "dnssec-validation no" means named stops checking the signatures on the answers it gets back from the forwarders, so treat it as a temporary workaround and find the cause; common ones are a stale root hints file (see the checkhints fix below), a clock that is off, or a forwarder that does not pass DNSSEC records through. On recent BIND releases "dnssec-enable" is deprecated and named warns about it.

I just completed installing my primary and secondary DNS servers.  Currently, I use the Fortinet 60E firewall for DNS.  I want to move these lookups off the firewall.  The two servers I set up have ACLs for the good computer subnets on them.  I used Fortinet's DNS servers as the forwarders.  Google DNS can be hacked and redirected.  You are better off using your ISP's DNS servers.

"sudo systemctl -l status bind9" shows checkhints errors, meaning the root hints file shipped with the package is stale. Refresh it:


Use wget to fetch the current root hints and store them as /etc/bind/db.root (Debian / Ubuntu Linux). Use the HTTPS copy rather than the old FTP URL: over FTP there is nothing telling you the file is genuine, and the hints are what named trusts to find the root. named.root and db.cache on that server are the same file, and a detached PGP signature (named.root.sig) is published next to it if you want to verify the download:
# wget https://www.internic.net/domain/named.root -O /etc/bind/db.root

Under Red Hat / CentOS / Fedora Linux the default location is /var/named/named.root, enter:
# wget https://www.internic.net/domain/named.root -O /var/named/named.root

Reload named with rndc so it reads the new hints, enter:
# rndc reload
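Before copying a downloaded hints file over the one named is using, it is worth a quick sanity check: every root server listed as an NS for "." should have A/AAAA glue, every glue record should belong to a listed root server, and the addresses should parse. The script below is an added example for these notes (not code from BIND, InterNIC or the original page) that does that check and also diffs the address set against the file currently in place, so you can see exactly what changed. The two hints excerpts inside it are constructed for the example (a real named.root lists all 13 root servers); the second one deliberately contains a root server without glue and a malformed address.

```python
"""Sanity-check a freshly downloaded root hints file before installing it.

Added example for these notes; not part of BIND or of the original page.
The excerpts below are constructed for the example: a real named.root lists
all 13 root servers. The names and addresses shown for A and B are the
published ones; Z.ROOT-SERVERS.NET. and 199.9.14.999 are deliberate errors.
"""
import ipaddress
import sys

GOOD_HINTS = """\
; constructed excerpt of named.root for this example
.                        3600000      NS    A.ROOT-SERVERS.NET.
.                        3600000      NS    B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
"""

# Same excerpt with two deliberate faults: an NS with no glue, a bad address.
BAD_HINTS = GOOD_HINTS + """\
.                        3600000      NS    Z.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.999
"""


def parse_hints(text):
    """Return (set of root NS targets, {owner: set of addresses}) from a hints file."""
    ns, glue = set(), {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment in zone files
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        # Use the last two fields so "owner TTL NS rdata" and "owner TTL IN NS rdata"
        # are both handled.
        owner, rtype, rdata = fields[0], fields[-2].upper(), fields[-1]
        if rtype == "NS" and owner == ".":
            ns.add(rdata.upper())
        elif rtype in ("A", "AAAA"):
            glue.setdefault(owner.upper(), set()).add(rdata)
    return ns, glue


def check_hints(text):
    """Return a list of problems found; an empty list means the file looks sane."""
    ns, glue = parse_hints(text)
    problems = []
    if not ns:
        problems.append("no NS records for the root zone")
    for target in sorted(ns):
        if target not in glue:
            problems.append(f"{target} has no A/AAAA glue")
    for name, addrs in sorted(glue.items()):
        if name not in ns:
            problems.append(f"{name} has glue but is not listed as a root NS")
        for addr in sorted(addrs):
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"{name}: bad address {addr}")
    return problems


def diff_hints(old_text, new_text):
    """Return (added, removed) sets of (name, address) between two hints files."""
    def pairs(text):
        _, glue = parse_hints(text)
        return {(n, a) for n, addrs in glue.items() for a in addrs}
    old, new = pairs(old_text), pairs(new_text)
    return new - old, old - new


if __name__ == "__main__":
    # Usage: python3 check_hints.py NEW_FILE [CURRENT_FILE]; samples if no args.
    new = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_HINTS
    old = open(sys.argv[2]).read() if len(sys.argv) > 2 else GOOD_HINTS
    for p in check_hints(new) or ["hints look sane"]:
        print(p)
    added, removed = diff_hints(old, new)
    for name, addr in sorted(added):
        print(f"+ {name} {addr}")
    for name, addr in sorted(removed):
        print(f"- {name} {addr}")
```

Run it against the downloaded file and the one in /etc/bind (or /var/named) before overwriting; a root server address changing is rare and is exactly the kind of thing you want to see in the diff rather than discover later.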

I added a second subnet to the DNS and DHCP servers.  My goal is to move DHCP off of the 60E.   Now all my audio/video hardware is on its own subnet.   The next goal is a slave DHCP server on the slave DNS server.