If you ever need to look at the DNS queries sent to your server, there are two ways: Logging or looking at DNS traffic on port 53.
Logging queries in Bind
Logging is definitely more reliable and can be turned on (if you’re using bind) using
To check if logging is enabled:
# rndc status |grep query query logging is OFF
To turn logging on:
# rndc querylog on # rndc status |grep query query logging is ON
Once logging is enabled, the requests are by default logged to /var/log/messages:
# cat /var/log/messages |grep named |grep query Jul 15 13:44:36 nas named: client 10.1.1.3#64896: query: steamr.com IN A + (10.1.1.9) Jul 15 13:44:36 nas named: client 10.1.1.3#64897: query: steamr.com IN AAAA + (10.1.1.9)
To look at the actual DNS traffic (either directly to your server or sniffing on a network), use tcpdump. Here is an example of me looking up ‘steamr.com’ while tcpdump was running.
# tcpdump -n -s 1500 -i eth1 port 53 13:44:43.398635 IP 10.1.1.3.64903 > 10.1.1.9.domain: 6+ A? steamr.com. (28) 13:44:43.399434 IP 10.1.1.9.domain > 10.1.1.3.64903: 6 1/13/13 A 220.127.116.11 (463) 13:44:43.400415 IP 10.1.1.3.64904 > 10.1.1.9.domain: 7+ AAAA? steamr.com. (28) 13:44:43.401365 IP 10.1.1.9.20821 > 18.104.22.168.domain: 4278+ [1au] AAAA? steamr.com. (39) 13:44:43.412659 IP 22.214.171.124.domain > 10.1.1.9.20821: 4278 0/1/0 (74) 13:44:43.413243 IP 10.1.1.9.domain > 10.1.1.3.64904: 7 0/1/0 (74)
You can see the queries which are denoted with a question mark (?), and the responses to the queries.