Bind9 Logs On Debian & Ubuntu

If you have installed the BIND DNS server on Debian or Ubuntu, you have probably noticed that all of its output goes to /var/log/syslog. We like to keep a separate log for each daemon, so to make that change we need to add some configuration to bind9. First, add the line below to /etc/bind/named.conf:

include "/etc/bind/named.conf.log";

Next, create the file /etc/bind/named.conf.log with the following content:

logging {
  channel bind_log {
    file "/var/log/bind/bind.log" versions 3 size 5m;
    severity info;
    print-category yes;
    print-severity yes;
    print-time yes;
  };
  category default { bind_log; };
  category update { bind_log; };
  category update-security { bind_log; };
  category security { bind_log; };
  category queries { bind_log; };
  category lame-servers { null; };
};

Next open up PuTTY or log onto the terminal and run the following commands:

# create the bind9 log directory
mkdir /var/log/bind
# give bind access to the log directory
chown bind:bind /var/log/bind
# restart the bind service
service bind9 restart

Last but certainly not least, in order to keep our log file from growing uncontrollably, we will need to logrotate our bind.log file using the method from my previous article How To Logrotate Custom Logs. So, create the file /etc/logrotate.d/bind with the following content.

/var/log/bind/bind.log {
  daily
  missingok
  rotate 7
  compress
  delaycompress
  notifempty
  create 644 bind bind
  postrotate
    /usr/sbin/invoke-rc.d bind9 reload > /dev/null
  endscript
}

Finally, to verify that your logrotate script is correct, run the following command.

logrotate -d /etc/logrotate.d/bind

22 thoughts on “Bind9 Logs On Debian & Ubuntu”

  1. Debian Bullseye
    I made the changes per your instructions.

    Now my dns server won’t start. The working directory is not writable
    systemctl status named
    named.service – BIND Domain Name Server
    Loaded: loaded (/lib/system/named.service; enabled; vender preset; enabled)
    Active: failed (Result: exit-code) since Sun 2022-03-20 06:03:40 PDT; 48min ago
    Process : 4717 ExecStart=/usr/sbin/named -f $OPTIONS (CODE=EXITED, STATUS=1/FAILURE)
    named: configuring command channel from ‘/etc/bind/rndc.key’
    named: command channel listening on ::1#953
    named: the working directory is not writable
    named: loading configuration: permission denied
    named: exiting (due to fatal error)

    I can’t copy the log files with an inactive dns server.

    I spent all day yesterday looking for the cause, any help much appreciated

    1. unfortunately, those instructions were written pre-systemd. sounds like your permissions issue is on the log file. make sure you manually create the file at /[path]/[location]/[specified] and set permissions. otherwise, back out your changes and you should be back up and running.

      1. Thanks. I discovered after I posted this that bind9 updated to BIND 9.16.27-Debian (Extended Support Version) the same day I made the changes to the logger.

        I’ll try backing everything out as you suggest.

      2. Going back to the original configuration didn’t change anything. systemctl status bind9 still reports the working directory is not writable. Loading configuration: permission denied exiting (due to fatal error)

    1. You should update your manual and write that it’s necessary to configure the apparmor less restrictive!!

      Every Person that uses Debian 9 would think your steps are adaptable 1:1 – but they are not. (Maybe in an earlier Debian 9 Version than the current one…?)

      1. Works great on Debian 10 (Buster). I did change the log dir from “bind” to “named” to accommodate fail2ban’s pre-written configs, though I don’t seem to have AppArmor running so that wasn’t an issue. Many thanks for the straightforward how-to!

  2. Why is logrotate necessary when we are already specifying the versions and size of the log in the bind9 logging information?

  3. In this text section:
    “Last but certainly not least, in order to keep our log file from growing uncontrollably, we will need to logrotate our bind.log file using the method from my previous article How To Logrotate Custom Logs. So, create the file /etc/logrorate.d/bind with the following content.”
    have an error

    /etc/logrorate.d/bind is /etc/logrotate.d/bind

    It’s a little slip
    Regards

  4. Weird. bind:bind owns the folder. var and log are executable, so bind should be able to see down through the folders to its owned bind folder…

    ubuntu@dns-server:~$ ls -al /var/log/bind
    total 8
    drwxrwxr-x 2 bind bind 4096 Jan 14 14:31 .
    drwxrwxr-x 9 root syslog 4096 Jan 14 14:25 ..
    -rw-rw-r-- 1 bind bind 0 Jan 14 14:31 bind.log

    However, when I restart bind9 I still get this error:

    Jan 14 14:31:36 dns-server named[12436]: isc_stdio_open '/var/log/bind/bind.log' failed: permission denied
    Jan 14 14:31:36 dns-server named[12436]: configuring logging: permission denied
    Jan 14 14:31:36 dns-server named[12436]: loading configuration: permission denied
    Jan 14 14:31:36 dns-server named[12436]: exiting (due to fatal error)
    Jan 14 14:31:36 dns-server kernel: [41383.169275] type=1400 audit(1421245896.727:21): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/bind/bind.log" pid=12437 comm="named" requested_mask="c" denied_mask="c" fsuid=106 ouid=106

      1. Yes, apparmor is the issue.

        Try:-
        —————–
        # Site-specific additions and overrides for usr.sbin.named.
        # For more details, please see /etc/apparmor.d/local/README.
        # Below added to allow logging
        /var/log/bind9/query.log rw,
        /var/log/bind9/bind.log rw,
        /var/log/bind9/debug.log rw,
        /var/cache/bind/named.stats rw,
        —————
        In :
        /etc/apparmor.d/local/usr.sbin.named

        Changing the paths/filenames to suit your config.

      2. You’re right! Looking back on this now… the error is right there as DENIED in my post. So many years and Linux distros, I forget what’s what between legacy 2.x kernel and 3.x across Windows, Solaris, RHEL/CentOS, Ubuntu and Debian. And people ask why I don’t use Mac, lol.
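
The AppArmor denial quoted in the comments above names the profile, the path and the denied permission, which is everything a rule in /etc/apparmor.d/local/usr.sbin.named needs. The shell function below is an added example, not part of the original article or its comments; the name named_denial_rules, the sample log lines and the mapping of denied masks to permissions are assumptions made here.

```shell
#!/bin/sh
# Added example: turn AppArmor denials for named into candidate rules for
# /etc/apparmor.d/local/usr.sbin.named. Review every rule before using it.

# Constructed sample log, modelled on the kernel line quoted in the comments.
SAMPLE_LOG='Jan 14 14:31:36 dns-server kernel: [41383.169275] type=1400 audit(1421245896.727:21): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/bind/bind.log" pid=12437 comm="named" requested_mask="c" denied_mask="c" fsuid=106 ouid=106
Jan 14 14:31:36 dns-server named[12436]: loading configuration: permission denied
Jan 14 14:32:10 dns-server kernel: [41417.001000] type=1400 audit(1421245930.100:22): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/bind/bind.log" pid=12501 comm="named" requested_mask="r" denied_mask="r" fsuid=106 ouid=106
Jan 14 14:33:00 dns-server kernel: [41467.000000] type=1400 audit(1421245980.000:23): apparmor="DENIED" operation="open" profile="/usr/sbin/ntpd" name="/var/log/ntp.log" pid=900 comm="ntpd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0'

# named_denial_rules [PROFILE]: read log text on stdin, print one rule per path.
# Assumption: only file masks are handled (r -> r; w, c, d, a -> w).
named_denial_rules() {
  awk -v want="${1:-/usr/sbin/named}" '
    # Value of key="value" on the current line, or "" when absent.
    function field(key,   s) {
      if (!match($0, " " key "=\"[^\"]*\"")) return ""
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s)
      sub(/"$/, "", s)
      return s
    }
    /apparmor="DENIED"/ && field("profile") == want {
      path = field("name"); mask = field("denied_mask")
      if (path !~ /^\//) next            # skip hex-encoded or relative names
      if (!(path in seen)) { seen[path] = 1; order[++n] = path }
      if (mask ~ /r/) r[path] = "r"
      if (mask ~ /[wcda]/) w[path] = "w"
    }
    END {
      # One rule per path, merging every permission that was denied for it.
      for (i = 1; i <= n; i++)
        if ((r[order[i]] w[order[i]]) != "")
          printf "  %s %s,\n", order[i], r[order[i]] w[order[i]]
    }'
}

# Run on the constructed sample; on a real host, feed it the kernel log instead.
printf '%s\n' "$SAMPLE_LOG" | named_denial_rules
```

Review each printed rule before adding it to /etc/apparmor.d/local/usr.sbin.named, then reload the profile with apparmor_parser -r /etc/apparmor.d/usr.sbin.named.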
