> Thanks Jim. I'd never ever seen anything happen to named, on BSD or
> Linux before. As for logs, what level of logging is "stock" is what I
> would expect doing a dump. May give that a shot and see what, if
> anything is in there.
> Not really been plagued by hackers too much, but I notice I've been
> probed several days in a row now from something/body in the same /16 ip
> block. Don't think it's local to the colocation site tho.
For what it's worth, I've included my named logging information below.
Normally I don't set to debug, but when I need to troubleshoot it
helps. I've included that here. Might help you to track things down if
you care, or give other people some information for something they
haven't asked.
In /etc/syslog.conf
#line altered to eliminate named cruft in default logging
*.info;mail.none;authpriv.none;cron.none;local6.none
/var/log/messages
# line added for syslog logging of named
local6.* /var/log/named.log
In /etc/named.conf
logging {
channel "default_syslog" {
syslog local6;
severity debug;
};
category default { default_syslog; };
category general { default_syslog; };
category config { default_syslog; };
category security { default_syslog; };
category resolver { default_syslog; };
category xfer-in { default_syslog; };
category xfer-out { default_syslog; };
category notify { default_syslog; };
category client { default_syslog; };
category network { default_syslog; };
category update { default_syslog; };
category queries { default_syslog; };
category lame-servers { default_syslog; };
};
In /etc/logrotate.d/named
/var/log/named.log {
missingok
create 0644 named named
postrotate
/sbin/service named reload 2> /dev/null > /dev/null || true
endscript
}
Hope it's marginally useful to someone out there.
--
Jim Perrin
System Architect - UIT
Ft Gordon & US Army Signal Center