[plug] BIND9 query logging.
brad at fnarfbargle.com
Fri Sep 4 12:16:47 AWST 2020
I have a /23 subnet set up at home. Devices I trust and need net access go on the .0 and stuff I don't goes on .1.
Only .0 is forwarded to the outside world. Anything from .1 gets dropped at the firewall. Due to the DHCP config the .1 section still gets DNS from the main resolver (and it needs that to resolve internal addresses). I was mostly ok with this until I found a bit of software in a VM on the .1 section exfiltrating data over DNS.
Initially I dealt with this by setting up a blacklist in BIND to resolve the suspect domains with a local IP, but after a couple of months I started to think that playing whack-a-mole with this stuff was likely to get old quick, and it's on that part of the network because I don't trust it and none of it *needs* to resolve the outside world anyway.
First up I just dropped all DNS traffic from those devices. That sounded like a good idea until I realised software in VMs was slowing down terribly while trying to resolve things outside.
Next up I set up an acl in BIND to deny recursion to that part of the subnet. That sped the software back up as at least it was getting a rapid response. It all sounded like a good idea until one of the IoT devices started trying to resolve an external domain and immediately retrying on failure in an infinite loop (god knows what will happen to those devices when the company folds and the domains lapse). I woke up this morning to a very large pile of logcheck e-mails full of BIND "query denied" lines. Not ideal. I initially dropped DNS from that device at the firewall, but as it's wireless it was still generating piles of unwanted traffic and I wanted to shut it up.
I subsequently set up a dnsmasq instance on an alternate port which happily responds to any DNS request with a single local IP. I initially had an iptables NAT redirect to send all DNS traffic from that subnet to the dnsmaq instance, but then I had to get dnsmasq to forward requests for the local network to BIND and it was all getting messy. There must be a better way.
I implemented a couple of views in BIND with one forwarding all non-local requests from that subnet to the dnsmasq instance. That works and I can log each query using dnsmasq excepting that the queries all originate from BIND so I don't get the IP of the device making the query. I don't have to have dnsmasq filter anything, it just responds with a single address to any query.
I thought I might simplify it by adding a default zone to the BIND view removing the requirement for dnsmasq at all. That works too, but for the life of me I can't figure out how to get BIND to only log queries for either an acl, a view or a zone. It appears to be an all or nothing affair.
Does anyone know of a way to restrict what queries BIND logs or am I SOL?
More information about the plug