Bind 9

Supported OS Linux Windows Mac OS

Integration version 1.1.0

Overview

Bind 9 is a complete, highly portable implementation of the Domain Name System (DNS) protocol. The Bind 9 name server (named) can act as an authoritative name server, recursive resolver, DNS forwarder, or all three simultaneously.

This integration provides enrichment and visualization for Query, Query Errors, Network, Lame Servers, Notify, and Security log types. Its out-of-the-box dashboards give detailed insight into DNS request patterns, DNS communication, server configuration, and DNS attacks, helping you maintain a robust and reliable DNS environment. The integration also provides out-of-the-box detection rules, and it collects Bind 9 stats in the form of metrics that can be used for visualizations as needed.

Setup

Installation

To install the Bind 9 integration, run the following Agent installation command and follow the steps below. For more information, see the Integration Management documentation.

Note: This step is not necessary for Agent version >= 7.58.0.

Linux command

sudo -u dd-agent -- datadog-agent integration install datadog-bind9==1.1.0

Log collection

File Monitoring

  1. Log in to your Bind 9 device.

  2. Open the named.conf file to add a logging clause:

    logging {
         channel <example_channel> {
              file "/folder_path/file_name.log" versions <unlimited | <integer>> size <size> suffix <increment | timestamp>;
              print-time (yes | local | iso8601 | iso8601-utc);
              print-category yes;
              print-severity yes;
         };
         category <example-category> { <example_channel>; };
    };
    

    NOTE: The recommended value for print-time is iso8601-utc because Datadog expects all logs to be in the UTC time zone by default. If the time zone of your Bind 9 logs is not UTC, follow the steps for using a different time zone. Also, check the categories defined by Bind 9.

    Example logging channel:

    logging {
         channel default_log {
              file "/var/log/named/query.log" versions 3 size 10m;
              print-time iso8601-utc;
              print-category yes;
              print-severity yes;
         };
         category default { default_log; };
    };
    
  3. Save and exit the file.

  4. Restart the service:

    service named restart
    

Syslog

  1. Log in to your Bind 9 device.

  2. Open the named.conf file to add a logging clause:

    logging {
         channel <example_channel> {
              syslog <syslog_facility>;
              severity (critical | error | warning | notice | info | debug [level] | dynamic);
              print-time (yes | local | iso8601 | iso8601-utc);
              print-category yes;
              print-severity yes;
         };
         category <example-category> { <example_channel>; };
    };
    

    NOTE: The recommended value for print-time is iso8601-utc because Datadog expects all logs to be in the UTC time zone by default. If the time zone of your Bind 9 logs is not UTC, follow the steps for using a different time zone. Also, check the categories defined by Bind 9.

    Example logging channel:

    logging {
         channel default_log {
              syslog local3;
              print-time iso8601-utc;
              print-category yes;
              print-severity yes;
         };
         category default { default_log; };
    };
    
  3. Save and exit the file.

  4. Edit the syslog/rsyslog configuration to log to Datadog using the facility you selected in Bind 9:

    <syslog_facility>.* @@<DATADOG_AGENT_IP_ADDRESS>:<PORT>
    
  5. Restart the following services:

    service syslog/rsyslog restart
    service named restart
    

Note: Make sure print-category and print-severity are set to yes in the channels configured for the Bind 9 application.
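One way to confirm, before pointing the Agent at the log file, that a file channel really writes the prefix the settings above produce (UTC ISO 8601 timestamp, then category, then severity). This is an added example, not part of the integration; the function and constant names are hypothetical and the sample lines are constructed.

```python
import re
from collections import Counter

# Severity names printed when print-severity is yes ("debug" carries a level).
SEV = r"(?:critical|error|warning|notice|info|debug \d+)"

# Prefix written with print-time iso8601/iso8601-utc, print-category yes
# and print-severity yes:  <timestamp>[Z] <category>: <severity>: <message>
PREFIX = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?)(?P<utc>Z)?\s+"
    rf"(?:(?!{SEV}: )(?P<category>[a-z0-9_-]+): )?"
    rf"(?:(?P<severity>{SEV}): )?"
    r"(?P<message>.*)$"
)

NO_ISO = "no ISO 8601 timestamp: set print-time iso8601-utc"
NOT_UTC = "timestamp is not UTC: set print-time iso8601-utc or change the pipeline time zone"
NO_CATEGORY = "category missing: set print-category yes"
NO_SEVERITY = "severity missing: set print-severity yes"

def check_line(line):
    """Return the list of problems found in one log line (empty list = OK)."""
    m = PREFIX.match(line)
    if not m:
        return [NO_ISO]
    problems = []
    if not m["utc"]:
        problems.append(NOT_UTC)
    if not m["category"]:
        problems.append(NO_CATEGORY)
    if not m["severity"]:
        problems.append(NO_SEVERITY)
    return problems

def summarize(lines):
    """Count each problem across all lines; an empty Counter means all lines are OK."""
    counts = Counter()
    for line in lines:
        counts.update(check_line(line.rstrip("\n")))
    return counts

# Constructed sample lines (documentation address ranges), one per case.
SAMPLE = [
    "2024-05-01T10:15:30.123Z queries: info: client @0x7f3a2c0 192.0.2.10#53211 (example.com): query: example.com IN A +E(0)K (192.0.2.53)",
    "2024-05-01T15:45:30.123 queries: info: client @0x7f3a2c0 192.0.2.10#53212 (example.com): query: example.com IN AAAA +E(0)K (192.0.2.53)",
    "2024-05-01T10:15:31.456Z info: client @0x7f3a2c0 192.0.2.10#53213 (example.com): query: example.com IN MX + (192.0.2.53)",
    "2024-05-01T10:15:32.789Z security: client @0x7f3a2c0 198.51.100.7#40000 (example.com): query (cache) 'example.com/A/IN' denied",
    "01-May-2024 10:15:33.000 lame-servers: info: lame server resolving 'example.net' (in 'example.net'?): 203.0.113.5#53",
]

if __name__ == "__main__":
    for problem, count in summarize(SAMPLE).items():
        print(f"{count:3d}  {problem}")
```

To check a real file, pass the open file object to `summarize()`. Lines forwarded through syslog carry an additional syslog header, so this check applies to file channel output.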

Configuration

Metric collection

  1. Edit the bind9.d/conf.yaml file in the conf.d/ folder at the root of your Agent’s configuration directory to start collecting your Bind 9 metrics. See the sample bind9.d/conf.yaml for all available configuration options.

    init_config:
    
    instances:
      - url: "<BIND_9_STATS_URL>"
    
  2. Restart the Agent.

Log collection

  1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the datadog.yaml file:

    logs_enabled: true
    

File monitoring

  1. Add this configuration block to your bind9.d/conf.yaml file to start collecting your Bind 9 logs.

    See the sample bind9.d/conf.yaml for available configuration options.

    logs:
      - type: file
        path: /var/log/named/*.log
        service: bind9
        source: bind9
    

    Note: Change the path variable in conf.yaml to the same path configured in the file parameter in channels for the Bind 9 application.

  2. Restart the Agent.

Syslog

  1. Add this configuration block to your bind9.d/conf.yaml file to start collecting your Bind 9 logs.

    See the sample bind9.d/conf.yaml for available configuration options.

    logs:
      - type: tcp
        port: <PORT>
        service: bind9
        source: bind9
    

    Note: The value of port should be the same as the one specified in syslog.conf/rsyslog.conf.

  2. Restart the Agent.

Specify a time zone other than UTC in the Bind 9 Datadog log pipeline

Datadog expects all logs to be in the UTC time zone by default. If the time zone of your Bind 9 logs is not UTC, specify the correct time zone in the Bind 9 Datadog pipeline.

To change the time zone in the Bind 9 pipeline:

  1. Navigate to the Pipelines page in the Datadog app.

  2. Enter “Bind 9” in the Filter Pipelines search box.

  3. Hover over the Bind 9 pipeline and click the clone button. This creates an editable clone of the Bind 9 pipeline.

  4. Edit the Grok Parser using the following steps:

    • In the cloned pipeline, find a processor with the name “Grok Parser: Parsing Bind 9 common log format” and click on the Edit button by hovering over the pipeline.
    • Under Define parsing rules,
      • Change the string UTC to the TZ identifier of the time zone of your Bind 9 server. For example, if your time zone is IST, you would change the value to Asia/Calcutta.
    • Click the update button.

Validation

Run the Agent’s status subcommand and look for bind9 under the Checks section.

Compatibility

The check is compatible with all major platforms.

Data Collected

Logs

The Bind 9 integration collects the following log types.

Event Types
Query, Query Errors, Lame Servers, Notify, Security

Metrics

bind9.nsstat_AuthQryRej
(gauge)
Number of Authoritative (non recursive) queries rejected.
Shown as query
bind9.nsstat_DNS64
(gauge)
bind9.nsstat_ExpireOpt
(gauge)
bind9.nsstat_NSIDOpt
(gauge)
bind9.nsstat_OtherOpt
(gauge)
bind9.nsstat_QryAuthAns
(gauge)
Number of queries that resulted in authoritative answer.
Shown as query
bind9.nsstat_QryDropped
(gauge)
Number of recursive queries for which the server discovered an excessive number of existing recursive queries for the same name, type and class and were subsequently dropped.
Shown as query
bind9.nsstat_QryDuplicate
(gauge)
Number of queries for which the server attempted to recurse but discovered an existing query with the same IP address, port, query ID, name, type and class already being processed.
Shown as query
bind9.nsstat_QryFailure
(gauge)
Number of queries that failed for other reasons.
Shown as query
bind9.nsstat_QryFORMERR
(gauge)
Number of queries that resulted in FORMERR.
Shown as query
bind9.nsstat_QryNoauthAns
(gauge)
Number of queries that resulted in non authoritative answer.
Shown as query
bind9.nsstat_QryNXDOMAIN
(gauge)
Number of queries that resulted in NXDOMAIN.
Shown as query
bind9.nsstat_QryNXRedir
(gauge)
Number of queries that resulted in NXDOMAIN and were redirected.
Shown as query
bind9.nsstat_QryNXRedirRLookup
(gauge)
Number of queries that resulted in NXDOMAIN and were redirected and resulted in a successful remote lookup.
Shown as query
bind9.nsstat_QryNxrrset
(gauge)
Number of queries that resulted in NOERROR responses with no data
Shown as query
bind9.nsstat_QryRecursion
(gauge)
Number of queries that caused the server to perform recursion in order to find the final answer.
Shown as query
bind9.nsstat_QryReferral
(gauge)
Number of queries that resulted in referral answer.
Shown as query
bind9.nsstat_QrySERVFAIL
(gauge)
Number of queries that resulted in SERVFAIL.
Shown as query
bind9.nsstat_QrySuccess
(gauge)
Number of queries that resulted in a successful answer.
Shown as query
bind9.nsstat_QryTCP
(gauge)
bind9.nsstat_QryUDP
(gauge)
bind9.nsstat_RateDropped
(gauge)
Number of responses dropped by rate limits.
Shown as response
bind9.nsstat_RateSlipped
(gauge)
Number of responses truncated by rate limits
Shown as response
bind9.nsstat_RecQryRej
(gauge)
Number of recursive queries rejected
Shown as query
bind9.nsstat_RecursClients
(gauge)
bind9.nsstat_ReqBadEDNSVer
(gauge)
Number of requests with unsupported EDNS version received.
Shown as request
bind9.nsstat_ReqBadSIG
(gauge)
Number of requests with invalid (TSIG or SIG(0)) signature.
Shown as request
bind9.nsstat_ReqEdns0
(gauge)
Number of requests with EDNS(0) received.
Shown as request
bind9.nsstat_ReqSIG0
(gauge)
Number of requests with SIG(0) received.
Shown as request
bind9.nsstat_ReqTCP
(gauge)
Number of TCP requests received.
Shown as request
bind9.nsstat_ReqTSIG
(gauge)
Number of requests with TSIG received.
Shown as request
bind9.nsstat_Requestv4
(gauge)
Number of IPv4 requests received (this also counts non query requests).
Shown as request
bind9.nsstat_Requestv6
(gauge)
Number of IPv6 requests received (this also counts non query requests).
Shown as request
bind9.nsstat_RespEDNS0
(gauge)
Number of responses with EDNS(0) sent.
Shown as response
bind9.nsstat_Response
(gauge)
Number of Responses sent.
Shown as response
bind9.nsstat_RespSIG0
(gauge)
Number of responses with SIG(0) sent.
Shown as response
bind9.nsstat_RespTSIG
(gauge)
Number of responses with TSIG sent.
Shown as response
bind9.nsstat_RPZRewrites
(gauge)
Number of response policy zone rewrites
bind9.nsstat_SitBadSize
(gauge)
bind9.nsstat_SitBadTime
(gauge)
bind9.nsstat_SitMatch
(gauge)
bind9.nsstat_SitNew
(gauge)
bind9.nsstat_SitNoMatch
(gauge)
bind9.nsstat_SitOpt
(gauge)
bind9.nsstat_TruncatedResp
(gauge)
Number of truncated responses sent.
Shown as response
bind9.nsstat_UpdateBadPrereq
(gauge)
Dynamic updates rejected due to prerequisite failure.
bind9.nsstat_UpdateDone
(gauge)
Dynamic updates completed.
bind9.nsstat_UpdateFail
(gauge)
Dynamic updates failed.
bind9.nsstat_UpdateFwdFail
(gauge)
Dynamic update forward failed.
bind9.nsstat_UpdateRej
(gauge)
Number of dynamic update requests rejected
Shown as request
bind9.nsstat_UpdateReqFwd
(gauge)
Number of update requests forwarded.
Shown as request
bind9.nsstat_UpdateRespFwd
(gauge)
Number of update responses forwarded.
Shown as response
bind9.nsstat_XfrRej
(gauge)
Number of zone transfer requests rejected.
Shown as request
bind9.nsstat_XfrReqDone
(gauge)
Number of requested zone transfers completed.
bind9.opcode_IQUERY
(gauge)
The number of incoming queries
Shown as query
bind9.opcode_NOTIFY
(gauge)
bind9.opcode_QUERY
(gauge)
The number of outgoing queries.
Shown as query
bind9.opcode_RESERVED10
(gauge)
bind9.opcode_RESERVED11
(gauge)
bind9.opcode_RESERVED12
(gauge)
bind9.opcode_RESERVED13
(gauge)
bind9.opcode_RESERVED14
(gauge)
bind9.opcode_RESERVED15
(gauge)
bind9.opcode_RESERVED3
(gauge)
bind9.opcode_RESERVED6
(gauge)
bind9.opcode_RESERVED7
(gauge)
bind9.opcode_RESERVED8
(gauge)
bind9.opcode_RESERVED9
(gauge)
bind9.opcode_STATUS
(gauge)
bind9.opcode_UPDATE
(gauge)
bind9.sockstat_FdwatchBindFail
(gauge)
Number of failures of binding FDWatch sockets.
bind9.sockstat_FDWatchClose
(gauge)
Number of FDWatch sockets closed.
bind9.sockstat_FDwatchConn
(gauge)
Number of FDWatch connections established successfully.
Shown as connection
bind9.sockstat_FDwatchConnFail
(gauge)
Number of failures of FDWatch connecting sockets.
bind9.sockstat_FDwatchRecvErr
(gauge)
Number of errors in FDWatch socket receive operations.
bind9.sockstat_FDwatchSendErr
(gauge)
Number of errors in FDWatch socket send operations.
bind9.sockstat_RawActive
(gauge)
Number of active raw sockets.
Shown as connection
bind9.sockstat_RawClose
(gauge)
Number of raw sockets closed.
Shown as connection
bind9.sockstat_RawOpen
(gauge)
Raw sockets opened successfully.
Shown as connection
bind9.sockstat_RawOpenFail
(gauge)
Number of raw sockets with a failure upon opening.
Shown as connection
bind9.sockstat_RawRecvErr
(gauge)
Number of errors in raw socket receive operations.
bind9.sockstat_TCP4Accept
(gauge)
Number of incoming TCP4 connections successfully accepted.
Shown as connection
bind9.sockstat_TCP4AcceptFail
(gauge)
Number of failures of accepting incoming TCP4 connection requests.
bind9.sockstat_TCP4Active
(gauge)
Number of active TCP4 sockets.
Shown as connection
bind9.sockstat_TCP4BindFail
(gauge)
Number of failures of binding TCP4 sockets.
bind9.sockstat_TCP4Close
(gauge)
Number of TCP4 sockets closed.
Shown as connection
bind9.sockstat_TCP4Conn
(gauge)
Number of TCP4 connections established successfully.
Shown as connection
bind9.sockstat_TCP4ConnFail
(gauge)
Number of failures of TCP4 connecting sockets.
bind9.sockstat_TCP4Open
(gauge)
Number of TCP4 sockets opened successfully.
Shown as connection
bind9.sockstat_TCP4OpenFail
(gauge)
Number of TCP4 sockets with a failure upon opening.
Shown as connection
bind9.sockstat_TCP4RecvErr
(gauge)
Number of errors in TCP4 socket receive operations.
bind9.sockstat_TCP4SendErr
(gauge)
Number of errors in TCP4 socket send operations.
bind9.sockstat_TCP6Accept
(gauge)
Number of incoming TCP6 connections successfully accepted.
Shown as connection
bind9.sockstat_TCP6AcceptFail
(gauge)
Number of failures of accepting incoming TCP6 connection requests.
bind9.sockstat_TCP6Active
(gauge)
Number of active TCP6 sockets.
Shown as connection
bind9.sockstat_TCP6BindFail
(gauge)
Number of failures of binding TCP6 sockets.
bind9.sockstat_TCP6Close
(gauge)
Number of TCP6 sockets closed.
Shown as connection
bind9.sockstat_TCP6Conn
(gauge)
Number of TCP6 connections established successfully.
Shown as connection
bind9.sockstat_TCP6ConnFail
(gauge)
Number of failures of TCP6 connecting sockets.
bind9.sockstat_TCP6Open
(gauge)
Number of TCP6 sockets opened successfully.
Shown as connection
bind9.sockstat_TCP6OpenFail
(gauge)
Number of TCP6 sockets with a failure upon opening.
Shown as connection
bind9.sockstat_TCP6RecvErr
(gauge)
Number of errors in TCP6 socket receive operations.
bind9.sockstat_TCP6SendErr
(gauge)
Number of errors in TCP6 socket send operations.
bind9.sockstat_UDP4Active
(gauge)
Number of active UDP4 sockets.
Shown as connection
bind9.sockstat_UDP4BindFail
(gauge)
Number of failures of binding UDP4 sockets.
bind9.sockstat_UDP4Close
(gauge)
Number of UDP4 sockets closed.
Shown as connection
bind9.sockstat_UDP4Conn
(gauge)
Number of UDP4 connections established successfully.
Shown as connection
bind9.sockstat_UDP4ConnFail
(gauge)
Number of failures of UDP4 connecting sockets.
bind9.sockstat_UDP4Open
(gauge)
Number of UDP4 sockets opened successfully.
Shown as connection
bind9.sockstat_UDP4OpenFail
(gauge)
Number of UDP4 sockets with a failure upon opening.
Shown as connection
bind9.sockstat_UDP4RecvErr
(gauge)
Number of errors in UDP4 socket receive operations.
bind9.sockstat_UDP4SendErr
(gauge)
Number of errors in UDP4 socket send operations.
bind9.sockstat_UDP6Active
(gauge)
Number of active UDP6 sockets.
Shown as connection
bind9.sockstat_UDP6BindFail
(gauge)
Number of failures of binding UDP6 sockets.
bind9.sockstat_UDP6Close
(gauge)
Number of UDP6 sockets closed.
Shown as connection
bind9.sockstat_UDP6Conn
(gauge)
Number of UDP6 connections established successfully.
Shown as connection
bind9.sockstat_UDP6ConnFail
(gauge)
Number of failures of UDP6 connecting sockets.
bind9.sockstat_UDP6Open
(gauge)
Number of UDP6 sockets opened successfully.
Shown as connection
bind9.sockstat_UDP6OpenFail
(gauge)
Number of UDP6 sockets with a failure upon opening.
Shown as connection
bind9.sockstat_UDP6RecvErr
(gauge)
Number of errors in UDP6 socket receive operations.
bind9.sockstat_UDP6SendErr
(gauge)
Number of errors in UDP6 socket send operations.
bind9.sockstat_UnixAccept
(gauge)
Number of incoming Unix connections successfully accepted.
bind9.sockstat_UnixAcceptFail
(gauge)
Number of failures of accepting incoming Unix connection requests.
bind9.sockstat_UnixActive
(gauge)
Number of active Unix sockets.
Shown as connection
bind9.sockstat_UnixBindFail
(gauge)
Number of failures of binding Unix sockets.
bind9.sockstat_UnixClose
(gauge)
Number of Unix sockets closed.
bind9.sockstat_UnixConn
(gauge)
Number of Unix connections established successfully.
bind9.sockstat_UnixConnFail
(gauge)
Number of failures of Unix connecting sockets.
bind9.sockstat_UnixOpen
(gauge)
Number of Unix sockets opened successfully.
bind9.sockstat_UnixOpenFail
(gauge)
Number of Unix sockets with a failure upon opening.
bind9.sockstat_UnixRecvErr
(gauge)
Number of errors in Unix socket receive operations.
bind9.sockstat_UnixSendErr
(gauge)
Number of errors in Unix socket send operations.
bind9.zonestat_AXFRReqv4
(gauge)
IPv4 AXFR requested.
bind9.zonestat_AXFRReqv6
(gauge)
IPv6 AXFR requested.
bind9.zonestat_IXFRReqv4
(gauge)
IPv4 IXFR requested.
bind9.zonestat_IXFRReqv6
(gauge)
IPv6 IXFR requested.
bind9.zonestat_NotifyInv4
(gauge)
IPv4 notifies received.
bind9.zonestat_NotifyInv6
(gauge)
IPv6 notifies received.
bind9.zonestat_NotifyOutv4
(gauge)
IPv4 notifies sent.
bind9.zonestat_NotifyOutv6
(gauge)
IPv6 notifies sent.
bind9.zonestat_NotifyRej
(gauge)
Incoming notifies rejected.
bind9.zonestat_SOAOutv4
(gauge)
Number of IPv4 SOA queries sent.
Shown as query
bind9.zonestat_SOAOutv6
(gauge)
Number of IPv6 SOA queries sent.
Shown as query
bind9.zonestat_XfrFail
(gauge)
Number of zone transfer requests failed.
Shown as request
bind9.zonestat_XfrSuccess
(gauge)
Number of zone transfer requests succeeded.
Shown as request

Events

The Bind 9 check does not include any events.

Service Checks

bind9.can_connect
Returns OK if the statistics-channel URL of the DNS server is present in the instance. Returns CRITICAL if URL errors occur.
Statuses: ok, critical

Troubleshooting

If you see a Permission denied error while monitoring the log files, give the dd-agent user read permission on them.

sudo chown -R dd-agent:dd-agent /var/log/named/

For any further assistance, contact Datadog support.