Bind9 dns server logging options (Ubuntu 18.04)

log dns

I want to create a separate file for my DNS server (bind9) to write log. I found some info on how to do it on the Ubuntu community page.

So I added these lines to /etc/bind/named.conf.local:

logging {
    channel query.log {
        file "/var/log/query.log";
        // Set the severity to dynamic to see all the debug messages.
        severity dynamic;
    };
};

I went on to create a log file, gave all permissions to it and restarted bind9 service and when checked the status I saw an error:

cd /var/log
touch query.log
chmod 777 query.log
systemctl restart bind9
systemctl status bind9

● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2020-04-02 17:37:24 UTC; 1s ago
     Docs: man:named(8)
  Process: 5723 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
  Process: 4480 ExecReload=/usr/sbin/rndc reload (code=exited, status=0/SUCCESS)
  Process: 5851 ExecStart=/usr/sbin/named -f $OPTIONS (code=exited, status=1/FAILURE)
 Main PID: 5851 (code=exited, status=1/FAILURE)

Apr 02 17:37:24 ballgame named[5851]: command channel listening on 127.0.0.1#953
Apr 02 17:37:24 ballgame named[5851]: configuring command channel from '/etc/bind/rndc.key'
Apr 02 17:37:24 ballgame named[5851]: isc_stdio_open '/var/log/query.log' failed: permission denied
Apr 02 17:37:24 ballgame named[5851]: command channel listening on ::1#953
Apr 02 17:37:24 ballgame named[5851]: isc_stdio_open '/var/log/query.log' failed: permission denied
Apr 02 17:37:24 ballgame named[5851]: configuring logging: permission denied
Apr 02 17:37:24 ballgame named[5851]: loading configuration: permission denied
Apr 02 17:37:24 ballgame named[5851]: exiting (due to fatal error)
Apr 02 17:37:24 ballgame systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
Apr 02 17:37:24 ballgame systemd[1]: bind9.service: Failed with result 'exit-code'.

Can someone explain me what is missing here?


Solution 1:

~# grep log /etc/apparmor.d/usr.sbin.named
  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  /var/log/named/** rw,
  /var/log/named/ rw,

Logs should be in /var/log/named/ or Apparmor will silently deny access. If you REALLY want to override the package maintainer's choices, configure it in /etc/apparmor.d/local/usr.sbin.named

Related

Bad magic number in super-block
how can I compile Ortep3 on Ubuntu?
apt update seems broken
open file on network using bookmark for Keepass2
Brightness control not working on Legion 5 (Ryzen 5800H + RTX 3050 Ti)
Purpose of .wget-hsts file in Ubuntu
Is there a Powerpoint (PPT) to text/html converter?
Screen flickering on Inspiron 16 Plus 7610 after installing 20.04 LTS
Unable to change directory to cd: /Downloads error message No such file or directory
git encrypt/decrypt remote repository files while push/pull
Sort a List of objects by multiple fields [duplicate]
how to set google map fragment inside scroll view