If you have installed the Bind DNS server on Debian or Ubuntu, you have probably noticed that all of its output goes to /var/log/syslog. We like to keep a separate log for each daemon, so to make that change we need to add some configuration to bind9. First, in /etc/bind/named.conf, add the line below:
include "/etc/bind/named.conf.log";
Next, create the file /etc/bind/named.conf.log with the following content:
logging {
    channel bind_log {
        file "/var/log/bind/bind.log" versions 3 size 5m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { bind_log; };
    category update { bind_log; };
    category update-security { bind_log; };
    category security { bind_log; };
    category queries { bind_log; };
    category lame-servers { null; };
};
Next, open up PuTTY or log on to the terminal and run the following commands:
# create the bind9 log directory
mkdir /var/log/bind
# give bind access to the log directory
chown bind:bind /var/log/bind
# restart the bind service
service bind9 restart
Last but certainly not least, in order to keep our log file from growing uncontrollably, we will need to logrotate our bind.log file using the method from my previous article How To Logrotate Custom Logs. So, create the file /etc/logrotate.d/bind with the following content.
/var/log/bind/bind.log {
    daily
    missingok
    rotate 7
    compress
    delaycompress
    notifempty
    create 644 bind bind
    postrotate
        /usr/sbin/invoke-rc.d bind9 reload > /dev/null
    endscript
}
Finally, to verify that your logrotate script is correct, run the following command.
logrotate -d /etc/logrotate.d/bind
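Added here as an example (not code from the original article): a small POSIX shell script for the failure mode reported in the comments below, where named is denied access to the log path by AppArmor even though bind:bind owns the directory. It extracts the denied paths from a kernel/syslog file and checks whether a profile file grants write access to a given log path; the sample log line and profile inside it are constructed, and the profile path /etc/apparmor.d/local/usr.sbin.named is the one a commenter names.

```shell
#!/bin/sh
# Added example, not from the original article. Two checks for the AppArmor
# failure mode several commenters hit: named is denied access to the log
# path even though the directory is owned by bind:bind.

# List every path AppArmor denied to named in a syslog or kern.log file.
# Arg 1: log file to scan.
apparmor_denials() {
    grep 'apparmor="DENIED"' "$1" \
        | grep 'profile="/usr/sbin/named"' \
        | sed -n 's/.*name="\([^"]*\)".*/\1/p' \
        | sort -u
}

# Return 0 if a profile file grants write or append access to a path,
# either as a literal rule or via a /dir/* or /dir/** glob, optionally
# prefixed with "owner". Arg 1: path from bind's "file" directive;
# arg 2: profile file, e.g. /etc/apparmor.d/local/usr.sbin.named.
apparmor_allows() {
    path=$1
    profile=$2
    dir=$(dirname "$path")
    # escape dots so they are literal in the extended regex below
    esc_path=$(printf '%s' "$path" | sed 's/[.]/\\./g')
    esc_dir=$(printf '%s' "$dir" | sed 's/[.]/\\./g')
    grep -Eq "^[[:space:]]*(owner[[:space:]]+)?(${esc_path}|${esc_dir}/\*\*?)[[:space:]]+[rwalkm]*[wa][rwalkm]*," "$profile"
}

# Demo on constructed input: a kernel line like the one quoted in the
# comments, and a profile that only permits /var/log/named.
tmp=$(mktemp -d)
cat > "$tmp/kern.log" <<'EOF'
Jan 14 14:31:36 dns-server kernel: [41383.169275] type=1400 audit(1421245896.727:21): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/bind/bind.log" pid=12437 comm="named" requested_mask="c" denied_mask="c" fsuid=106 ouid=106
EOF
cat > "$tmp/usr.sbin.named" <<'EOF'
/var/log/named/** rw,
/etc/bind/** r,
EOF
echo "denied paths: $(apparmor_denials "$tmp/kern.log")"
for f in /var/log/bind/bind.log /var/log/named/named.log; do
    if apparmor_allows "$f" "$tmp/usr.sbin.named"; then
        echo "$f: allowed by profile"
    else
        echo "$f: not allowed; add \"$f rw,\" to /etc/apparmor.d/local/usr.sbin.named"
    fi
done
rm -rf "$tmp"
```

Run it against the real /var/log/kern.log and /etc/apparmor.d/usr.sbin.named (plus the local override) after changing the log path, then reload the profile and restart bind9.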
Debian Bullseye
I made the changes per your instructions.
Now my dns server won’t start. The working directory is not writable
systemctl status named
named.service - BIND Domain Name Server
Loaded: loaded (/lib/system/named.service; enabled; vender preset; enabled)
Active: failed (Result: exit-code) since Sun 2022-03-20 06:03:40 PDT; 48min ago
Process : 4717 ExecStart=/usr/sbin/named -f $OPTIONS (CODE=EXITED, STATUS=1/FAILURE)
named: configuring command channel from '/etc/bind/rndc.key'
named: command channel listening on ::1#953
named: the working directory is not writable
named: loading configuration: permission denied
named: exiting (due to fatal error)
I can’t copy the log files with an inactive dns server.
I spent all day yesterday looking for the cause, any help much appreciated
Unfortunately, those instructions were written pre-systemd. Sounds like your permissions issue is on the log file. Make sure you manually create the file at /[path]/[location]/[specified] and set permissions. Otherwise, back out your changes and you should be back up and running.
Thanks. I discovered after I posted this that bind9 updated to BIND 9.16.27-Debian (Extended Support Version) the same day I made the changes to the logger.
I’ll try backing everything out as you suggest.
Going back to the original configuration didn't change anything. systemctl status bind9 still reports: the working directory is not writable. Loading configuration: permission denied. Exiting (due to fatal error).
Nice!! Thank you, just need to use /var/log/named/named.log with Debian Buster 10 because AppArmor is active, restricting other files for logging.
Thanks for the update Carlos.
Perfect, works like a treat. Of course, once you configure apparmor. :o)
Thanks. 🙂
Does not work: https://debianforum.de/forum/viewtopic.php?f=32&t=175889&p=1225752#p1225752
How about some more detailed info other than “Does not work”!
You should update your manual and write that it's necessary to configure AppArmor less restrictively!!
Every person that uses Debian 9 would think your steps are adaptable 1:1, but they are not. (Maybe in an earlier Debian 9 version than the current one...?)
Works great on Debian 10 (Buster). I did change the log dir from "bind" to "named" to accommodate fail2ban's pre-written configs, though I don't seem to have AppArmor running so that wasn't an issue. Many thanks for the straightforward how-to!
thanks a lot
You Bet!
Why is logrotate necessary when we are already specifying the versions and size of log in bind9 logging information ?
Using logrotate will keep your log directory from growing out of control.
Thanks for this tutorial, it helped me a lot! =)
In this text section:
“Last but certainly not least, in order to keep our log file from growing uncontrollably, we will need to logrotate our bind.log file using the method from my previous article How To Logrotate Custom Logs. So, create the file /etc/logrorate.d/bind with the following content.”
there is an error:
/etc/logrorate.d/bind should be /etc/logrotate.d/bind
It’s a little slip
Regards
Weird. bind:bind owns the folder. var and log are executable, so bind should be able to see down through the folders to its own bind folder...
ubuntu@dns-server:~$ ls -al /var/log/bind
total 8
drwxrwxr-x 2 bind bind 4096 Jan 14 14:31 .
drwxrwxr-x 9 root syslog 4096 Jan 14 14:25 ..
-rw-rw-r-- 1 bind bind 0 Jan 14 14:31 bind.log
However, when I restart bind9 I still get this error:
Jan 14 14:31:36 dns-server named[12436]: isc_stdio_open '/var/log/bind/bind.log' failed: permission denied
Jan 14 14:31:36 dns-server named[12436]: configuring logging: permission denied
Jan 14 14:31:36 dns-server named[12436]: loading configuration: permission denied
Jan 14 14:31:36 dns-server named[12436]: exiting (due to fatal error)
Jan 14 14:31:36 dns-server kernel: [41383.169275] type=1400 audit(1421245896.727:21): apparmor="DENIED" operation="open" profile="/usr/sbin/named" name="/var/log/bind/bind.log" pid=12437 comm="named" requested_mask="c" denied_mask="c" fsuid=106 ouid=106
I believe your problem is with AppArmor.
Yes, AppArmor is the issue.
Try:
—————–
# Site-specific additions and overrides for usr.sbin.named.
# For more details, please see /etc/apparmor.d/local/README.
# Below added to allow logging
/var/log/bind9/query.log rw,
/var/log/bind9/bind.log rw,
/var/log/bind9/debug.log rw,
/var/cache/bind/named.stats rw,
—————
in:
/etc/apparmor.d/local/usr.sbin.named
changing the paths/filenames to suit your config.
Thanks for the info Andi
You're right! Looking back on this now... the error is right there as DENIED in my post. So many years and Linux distros, I forget what's what between legacy 2.x kernel and 3.x across Windows, Solaris, RHEL/CentOS, Ubuntu and Debian. And people ask why I don't use Mac, lol.