From f536c9633e59e16de089dc6b00424069a4314ba9 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Fri, 4 Sep 2020 20:56:12 -0500
Subject: [PATCH] roles/named: Support logging queries to syslog

This commit adds two new variables to the *named* role: `named_queries_syslog` and `named_rpz_syslog`. These variables control whether BIND will send query and RPZ log messages to the local syslog daemon, respectively.
---
 group_vars/pyrocufflink-dns.yml | 2 ++
 roles/named/defaults/main.yml | 2 ++
 roles/named/templates/named.conf.j2 | 18 ++++++++++++++++++
 3 files changed, 22 insertions(+)

diff --git a/group_vars/pyrocufflink-dns.yml b/group_vars/pyrocufflink-dns.yml
index 3d7312f..6378778 100644
--- a/group_vars/pyrocufflink-dns.yml
+++ b/group_vars/pyrocufflink-dns.yml
@@ -9,6 +9,8 @@ named_allow_query:
 named_dnssec_validation: false
 named_response_policy:
   - zone "blackhole.rpz"
+named_queries_syslog: true
+named_rpz_syslog: true
 
 pyrocufflink_common_zones:
   - zone: pyrocufflink.blue
diff --git a/roles/named/defaults/main.yml b/roles/named/defaults/main.yml
index 7c85a34..dd6a1b7 100644
--- a/roles/named/defaults/main.yml
+++ b/roles/named/defaults/main.yml
@@ -20,3 +20,5 @@ named_default_refresh: 900
 named_default_retry: 600
 named_default_expire: 86400
 named_keys: []
+named_queries_syslog: false
+named_rpz_syslog: false
diff --git a/roles/named/templates/named.conf.j2 b/roles/named/templates/named.conf.j2
index 951fc6f..ce230a9 100644
--- a/roles/named/templates/named.conf.j2
+++ b/roles/named/templates/named.conf.j2
@@ -77,6 +77,24 @@ logging {
         file "data/named.run";
         severity dynamic;
     };
+{% if named_queries_syslog %}
+    channel queries_syslog {
+        syslog daemon;
+        severity info;
+    };
+{% endif %}
+{% if named_rpz_syslog %}
+    channel rpz_syslog {
+        syslog daemon;
+        severity info;
+    };
+{% endif %}
+{% if named_queries_syslog %}
+    category queries { queries_syslog; };
+{% endif %}
+{% if named_rpz_syslog %}
+    category rpz { rpz_syslog; };
+{% endif %}
 };
 
 zone "." IN {
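Review bot: In the named.conf.j2 hunk the two new channels are byte-identical (`syslog daemon; severity info;`), so unless they are meant to diverge later (say, a different facility so a collector can route query logs separately from RPZ hits) a single shared channel behind `{% if named_queries_syslog or named_rpz_syslog %}` with both `category` statements pointing at it would be simpler; if the split is intentional, a one-line template comment saying why would save the next reader the question. Enabling the `queries` category makes named record every client address and queried name, which turns the host's syslog, and anything syslog forwards to, into a high-volume store of per-client lookup history, and the two new entries in roles/named/defaults/main.yml say nothing about that. A comment above the defaults such as `# Send every query (client IP + qname) to syslog at facility daemon, severity info. High volume; treat the resulting logs as sensitive and size/rotate accordingly.` and a matching one for `named_rpz_syslog` would document the trade-off where operators will look for it. The enclosing `logging { ... }` block starts above the hunk.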