Sunday, July 14, 2024

Analyzing BIND Logs using CLI

To improve the DNS server, we need to analyze the logs we collected. In my case, my monitoring shows a lot of queries for non-existent domains.


Checking the logs further with the CLI command below, it was found that some of the most-queried names were non-existent domains that many endpoint clients were still querying.

grep "query" /var/named/log/query-errors.2 | cut -d ' ' -f 8 | sort | uniq -c | sort -nr | head



Those domains can be handled using a sinkhole DNS implementation in BIND.

Handling Non Existent Domain (NXDOMAIN) Queries

In a large organization with many endpoint clients, there will be a huge number of DNS queries. Many of those queries are for non-existent domains, and they sometimes cause resource exhaustion on the DNS server or at the network level.

Here are the steps to set up sinkhole domains in BIND.


1. Create a file /etc/blacklisted.zones (the name must match the include statement in step 3) and put this line in it

zone "blacklisted.domain" {type master; file "/etc/blockeddomains.db";};


2. Create a file /etc/blockeddomains.db with the following zone data

$TTL 1D
@ IN SOA localdomain. root.localdomain. (
        2024041801 ; Serial
        3600       ; Refresh
        600        ; Retry
        86400      ; Expire
        3600       ; Minimum TTL
)
@ IN NS localdomain.
localdomain. IN A 127.0.0.1 ; Replace with actual IP if needed

3. Add this line to your BIND configuration (/etc/named.conf)

include "/etc/blacklisted.zones";
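The log analysis from the first section and the zone statements from step 1, combined into one script as an added example (not code from the original post). It assumes query-errors log lines of the shape BIND writes for that category, with the queried name in the "(name):" token; the sample lines are constructed, not captured data.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a BIND query-errors
# log and generate sinkhole zone statements for the names seen most often.
# The log format is an ASSUMPTION modelled on BIND's query-errors category;
# the sample lines below are constructed, not real captured data.

# top_queried_names LOG N: print "count name" for the N most-queried names.
# The name is taken from the "(name):" token instead of a fixed field number,
# so the pipeline keeps working if BIND's client-address fields shift.
top_queried_names() {
    grep 'query' "$1" \
      | sed -n 's/.*(\([^)]*\)): query.*/\1/p' \
      | sort | uniq -c | sort -nr | head -n "$2"
}

# emit_sinkhole_zones LOG N ZONEDB: write one zone statement per top name,
# in the form the post uses for /etc/blacklisted.zones.
emit_sinkhole_zones() {
    top_queried_names "$1" "$2" | while read -r count name; do
        printf 'zone "%s" {type master; file "%s";};\n' "$name" "$3"
    done
}

# Constructed sample log (the names are placeholders, not real IoCs).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
14-Jul-2024 10:15:32.101 query-errors: info: client @0x7f3a 192.168.1.10#53211 (wpad.corp.invalid): query failed (NXDOMAIN) for wpad.corp.invalid/IN/A at query.c:7296
14-Jul-2024 10:15:33.204 query-errors: info: client @0x7f3a 192.168.1.11#49152 (wpad.corp.invalid): query failed (NXDOMAIN) for wpad.corp.invalid/IN/A at query.c:7296
14-Jul-2024 10:15:34.310 query-errors: info: client @0x7f3a 192.168.1.12#51001 (wpad.corp.invalid): query failed (NXDOMAIN) for wpad.corp.invalid/IN/A at query.c:7296
14-Jul-2024 10:15:35.417 query-errors: info: client @0x7f3a 192.168.1.10#53212 (update.old-vendor.example): query failed (SERVFAIL) for update.old-vendor.example/IN/A at query.c:7296
14-Jul-2024 10:15:36.522 query-errors: info: client @0x7f3a 192.168.1.13#40022 (update.old-vendor.example): query failed (SERVFAIL) for update.old-vendor.example/IN/A at query.c:7296
14-Jul-2024 10:15:37.630 query-errors: info: client @0x7f3a 192.168.1.14#60123 (printer.corp.invalid): query failed (NXDOMAIN) for printer.corp.invalid/IN/A at query.c:7296
14-Jul-2024 10:15:38.700 general: info: zone corp.example/IN: loaded serial 2024071401
EOF

# Top 3 names, then zone statements for the top 2 (review before deploying).
top_queried_names "$SAMPLE_LOG" 3
emit_sinkhole_zones "$SAMPLE_LOG" 2 /etc/blockeddomains.db
```

Review the generated list before appending it to /etc/blacklisted.zones, since a frequently failing name may be a misconfigured internal service rather than something to sinkhole.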