Finding Out Who's Querying a Name Server
5.13.1 Problem
You want to find out which resolvers and name servers are querying a name server.
5.13.2 Solution
For BIND 9, turn on query logging with:
# rndc querylog
Or, for BIND 8:
# ndc querylog
Then examine the name server's syslog output. The name server will log a one-line message each time it receives a query. For BIND 9, the messages look like this:
May 4 22:45:14 ns1 named[80090]: client 192.168.0.99#3261: query: www.foo.example IN A
This tells us that our name server received a query from the client at 192.168.0.99, port 3261, for A records attached to www.foo.example in the Internet class.
On a BIND 8 name server, the messages look like this:
May 4 22:53:52 ns1 named[80323]: XX+/192.168.0.99/www.foo.example/A/IN
Most of the same information is there, but in a slightly different format: the address the query was received from, the domain name the query asked about, the type of query, and the class of query, separated by slashes. The "XX+" at the beginning indicates that it is a recursive query. Nonrecursive queries show just "XX".
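To answer the "who is querying" question from a captured log, the following added example (not part of the original recipe) parses the two message formats shown above and counts queries per client address. The function names and every sample line other than the two quoted from the recipe are constructed for illustration.

```python
import re
from collections import Counter

# BIND 9 format shown above: "client <addr>#<port>: query: <name> <class> <type>"
BIND9 = re.compile(r"client (?P<addr>[^#\s]+)#(?P<port>\d+): query: "
                   r"(?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)")
# BIND 8 format shown above: "XX[+]/<addr>/<name>/<type>/<class>".
# Whitespace before the first slash is tolerated as a defensive choice.
BIND8 = re.compile(r"XX(?P<rd>\+?)\s*/(?P<addr>[^/]+)/(?P<name>[^/]+)/"
                   r"(?P<type>[^/\s]+)/(?P<cls>[^/\s]+)")

def parse_line(line):
    """Return a dict for a query-log line, or None for any other syslog line."""
    m = BIND9.search(line)
    if m:
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["recursive"] = None  # this BIND 9 format does not say
        return rec
    m = BIND8.search(line)
    if m:
        rec = m.groupdict()
        rec["recursive"] = rec.pop("rd") == "+"
        rec["port"] = None       # the BIND 8 format carries no source port
        return rec
    return None

def top_clients(lines):
    """Count queries per client address, most active first."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec["addr"]] += 1
    return counts.most_common()

# Constructed sample: the first two lines are from the recipe, the rest are made up.
SAMPLE = [
    "May 4 22:45:14 ns1 named[80090]: client 192.168.0.99#3261: query: www.foo.example IN A",
    "May 4 22:53:52 ns1 named[80323]: XX+/192.168.0.99/www.foo.example/A/IN",
    "May 4 22:45:15 ns1 named[80090]: client 192.168.0.99#3262: query: foo.example IN MX",
    "May 4 22:53:53 ns1 named[80323]: XX/192.168.0.7/foo.example/MX/IN",
    "May 4 22:40:00 ns1 named[80090]: starting",
]

if __name__ == "__main__":
    for addr, n in top_clients(SAMPLE):
        print(f"{n:6d}  {addr}")
```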
5.13.3 Discussion
Query logging can come in handy if you're trying to track down a problem. However, it generates a lot of output -- quickly, on a busy name server -- so it's probably a bad idea to leave it on all the time. If you're really just interested in how many queries the name server receives, use the name server's statistics instead (Recipes 5.14 and 5.15).
You can also turn on query logging by assigning the logging category queries to a particular channel. See Recipe 10.4 for details.
There's no indication in the BIND 9 query logging output of which queries were recursive and which were not.
5.13.4 See Also
Recipes 5.14 and 5.15, for measuring the queries a name server receives, and Recipe 10.4, for sending one category of messages to a particular file.