Logging DNS queries with SYSLOG

To document client requests to the DNS server in the device, this option allows the server to additionally send its responses to clients as SYSLOG messages to a SYSLOG server on a continual basis.

Note: Please be aware that recording DNS requests must be performed in accordance with the applicable data privacy regulations in your country.

In LANconfig, you configure the documentation of DNS requests under DNS > General in the section SYSLOG.





Log the DNS resolutions on an external SYSLOG server
This option enables or disables (default setting) the sending of SYSLOG messages in the case of DNS requests.
Note: This switch is independent of the global switch in the SYSLOG module under Log & Trace > General > SYSLOG. Thus, if you enable this option to log DNS requests, the DNS server sends the corresponding SYSLOG messages to a SYSLOG server even if the global SYSLOG module is disabled.
Each DNS resolution (ANSWER record or ADDITIONAL record) generates a SYSLOG message with the following structure: PACKET_INFO: DNS for IP-Address, TID {Hostname}: Resource-Record. The parameters have the following meanings:
  • The TID (transaction ID) contains a 4-character hexadecimal code.
  • The {Hostname} is only part of the message if the DNS server cannot resolve it without a DNS request (as is also the case in the firewall log).
  • The resource record consists of three parts: the request, the type or class, and the IP resolution (for example, www.mydomain.com STD A resolved to 193.99.144.32).
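For processing these messages on the SYSLOG server, the following parser is an added example and not LANCOM code. It assumes the placeholders in the structure above are substituted in place, that the "TID" label and the braces around the host name may or may not appear literally, and it groups records by client and TID so the ANSWER and ADDITIONAL records of one response stay together; the function names and all sample lines except the resource record quoted above are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed rendering of the documented structure (the page shows no raw message):
#   PACKET_INFO: DNS for <client IP>, [TID ]<4 hex> [{hostname}]: <request> <type/class> resolved to <IP>
DNS_LOG_RE = re.compile(
    r"PACKET_INFO: DNS for (?P<client>[0-9A-Fa-f:.]+),\s*"
    r"(?:TID\W*)?(?P<tid>[0-9A-Fa-f]{4})"
    r"(?:\s+\{?(?P<hostname>[^\s{}:]+)\}?)?:\s*"
    r"(?P<query>\S+)\s+(?P<rtype>.+?)\s+resolved to\s+(?P<answer>\S+)\s*$"
)

def parse_dns_syslog(line):
    """Return the fields of one DNS SYSLOG message, or None if it does not match."""
    m = DNS_LOG_RE.search(line.strip())  # search() tolerates a syslog header prefix
    if m is None:
        return None
    rec = m.groupdict()
    try:
        # Reject lines whose client field is not a valid IPv4/IPv6 address.
        rec["client"] = str(ipaddress.ip_address(rec["client"]))
    except ValueError:
        return None
    rec["tid"] = rec["tid"].lower()
    return rec

def group_by_transaction(lines):
    """Collect (request, answer) pairs of one DNS response under (client, TID)."""
    grouped = defaultdict(list)
    for line in lines:
        rec = parse_dns_syslog(line)
        if rec:
            grouped[(rec["client"], rec["tid"])].append((rec["query"], rec["answer"]))
    return dict(grouped)

# Constructed sample messages; only the first resource record is from the page.
SAMPLE_LINES = [
    "PACKET_INFO: DNS for 192.168.1.10, TID 1a2b {client-pc}: www.mydomain.com STD A resolved to 193.99.144.32",
    "PACKET_INFO: DNS for 192.168.1.10, TID 1a2b {client-pc}: ns.mydomain.com STD A resolved to 192.0.2.53",
    "PACKET_INFO: DNS for fd00::10, 00FF: www.mydomain.com STD AAAA resolved to 2001:db8::1",
    "PACKET_INFO: DNS for 999.1.1.1, TID 1a2b: www.mydomain.com STD A resolved to 192.0.2.1",
    "unrelated firewall message",
]

if __name__ == "__main__":
    for key, answers in group_by_transaction(SAMPLE_LINES).items():
        print(key, answers)
```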
Server address
Enter the address of the SYSLOG server. You can enter an IPv4/IPv6 address or a DNS name.
Note: The IP addresses 127.0.0.1 and ::1 are not permitted here. This forces the use of an external server.

To configure the SYSLOG message, click on Advanced.





Source
Here you select which source is entered in the SYSLOG messages.
Priority
Here you select which priority is entered in the SYSLOG messages.
Source address (optional)
Here you can optionally specify another address (name or IP) used by your device to identify itself to the SYSLOG server as the sender. By default, your device sends its IP address from the corresponding ARF context, without you having to enter it here. By entering an optional loopback address you change the source address and route that your device uses to contact the remote site. This can be useful, for example, if your device is available over different paths and the remote site should use a specific path for its reply message.
Note: If the source address set here is a loopback address, this will be used unmasked even on masked remote clients.
Note: For more information on SYSLOG and the available settings, see the section The SYSLOG module.

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
