Bind 9

Supported OS Linux Windows Mac OS

Integration version 1.1.0

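Overview

Bind 9 is a complete, highly portable implementation of the Domain Name System (DNS) protocol. The Bind 9 name server (named) can act as an authoritative name server, a recursive resolver, a DNS forwarder, or all three at the same time.

This integration provides enrichment and visualization for the Query, Query Errors, Network, Lame Servers, Notify, and Security log types. The out-of-the-box dashboards visualize detailed insights into DNS request patterns, DNS communication, proper server configuration, and DNS attacks, helping you maintain a robust and reliable DNS environment. The integration also provides out-of-the-box detection rules. In addition, it collects Bind 9 statistics as metrics that can be used for visualizations as needed.

Setup

Installation

To install the Bind 9 integration, run the following Agent installation command and follow the steps below. For more information, see the Integration Management documentation.

Note: This step is not necessary for Agent version >= 7.58.0.

Linux command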

sudo -u dd-agent -- datadog-agent integration install datadog-bind9==1.1.0

Log collection

File monitoring

  1. Log in to your Bind 9 device.

  2. Open the named.conf file and add the following logging clause:

    logging {
     channel <example_channel> {
          file "/folder_path/file_name.log" versions <unlimited | <integer>> size <size> suffix <increment | timestamp>;
          print-time (yes | local | iso8601 | iso8601-utc);
          print-category yes;
          print-severity yes;
     };
     category <example-category> { <example_channel>; };
    };
    

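    Note: The recommended value for print-time is iso8601-utc, because Datadog expects all logs to be in the UTC time zone by default. If the time zone of your Bind 9 logs is not UTC, follow the steps for using a different time zone. Also, check the categories defined by Bind 9.

    Example logging channel: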

    logging {
     channel default_log {
          file "/var/log/named/query.log" versions 3 size 10m;
          print-time iso8601-utc;
          print-category yes;
          print-severity yes;
     };
       category default { default_log; };
    };
    
  3. Save and exit the file.

  4. Restart the service:

    service named restart
    

Syslog

  1. Log in to your Bind 9 device.

  2. Open the named.conf file and add the following logging clause:

    logging {
     channel <example_channel> {
          syslog <syslog_facility>;
          severity (critical | error | warning | notice | info | debug [level ] | dynamic);
          print-time (yes | local | iso8601 | iso8601-utc);
          print-category yes;
          print-severity yes;
     };
     category <example-category> { <example_channel>; };
    };
    

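    Note: The recommended value for print-time is iso8601-utc, because Datadog expects all logs to be in the UTC time zone by default. If the time zone of your Bind 9 logs is not UTC, follow the steps for using a different time zone. Also, check the categories defined by Bind 9.

    Example logging channel: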

    logging {
     channel default_log {
          syslog local3;
          print-time iso8601-utc;
          print-category yes;
          print-severity yes;
     };
       category default { default_log; };
    };
    
  3. Save and exit the file.

  4. Edit the syslog/rsyslog configuration so that logs are sent to Datadog using the facility you selected in Bind 9:

    <syslog_facility>.* @@<DATADOG_AGENT_IP_ADDRESS>:<PORT>
    
  5. Restart the following services:

    service syslog/rsyslog restart
    service named restart
    

Note: Make sure that print-category and print-severity are set to yes in the channels configured for the Bind 9 application.
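A check for the note above, as an added example that is not part of the Datadog or ISC documentation: it parses lines written by a channel and reports which of the print-time, print-category and print-severity settings is missing or not UTC. The line layout in LINE_RE, the function names check_line and audit, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

SEVERITIES = r"(?:critical|error|warning|notice|info|debug(?: \d+)?)"
# Assumed layout with all three print-* options on:
# "<time> <category>: <severity>: <message>"
LINE_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?)(?P<utc>Z)? "
    rf"(?:(?!{SEVERITIES}: )(?P<category>[a-z0-9-]+): )?"
    rf"(?:(?P<severity>{SEVERITIES}): )?"
    r"(?P<message>.*)$"
)

def check_line(line):
    """Return (fields, problems) for one line written by a named channel."""
    m = LINE_RE.match(line)
    if m is None:
        return None, ["no ISO 8601 timestamp: set print-time iso8601-utc"]
    fields, problems = m.groupdict(), []
    if not fields["utc"]:
        problems.append("no Z suffix: print-time is not iso8601-utc")
    if not fields["category"]:
        problems.append("category missing: set print-category yes")
    if not fields["severity"]:
        problems.append("severity missing: set print-severity yes")
    return fields, problems

def audit(lines):
    """Count clean lines per category; collect (line number, problems)."""
    per_category, findings = Counter(), []
    for number, line in enumerate(lines, start=1):
        fields, problems = check_line(line.rstrip("\n"))
        if problems:
            findings.append((number, problems))
        else:
            per_category[fields["category"]] += 1
    return per_category, findings

# Constructed sample lines, not captured from a real server.
SAMPLE = [
    "2024-05-01T10:15:02.113Z queries: info: client @0x7f00 192.0.2.10#53211 (example.com): query: example.com IN A +E(0) (192.0.2.53)",
    "2024-05-01T10:15:03.871Z security: error: client @0x7f00 198.51.100.7#40112 (example.com): zone transfer 'example.com/AXFR/IN' denied",
    "2024-05-01T15:45:04.002 lame-servers: info: connection refused resolving 'example.net/A/IN': 203.0.113.5#53",
    "2024-05-01T10:15:05.440Z client @0x7f00 192.0.2.10#53211 (example.org): query failed (SERVFAIL)",
    "01-May-2024 10:15:06.120 notify: info: zone example.com/IN: sending notifies (serial 2024050101)",
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running it against a few lines of the real log file after restarting named shows whether the channel output carries the UTC timestamp, category and severity before the Agent starts shipping it.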

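Configuration

Metric collection

  1. Edit the bind9.d/conf.yaml file, in the conf.d/ folder at the root of your Agent's configuration directory, to start collecting Bind 9 metrics. See the sample bind9.d/conf.yaml for all available configuration options.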

    init_config:
    
    instances:
      - url: "<BIND_9_STATS_URL>"
    
  2. Restart the Agent.

Log collection

  1. Log collection is disabled by default in the Datadog Agent. Enable it in the datadog.yaml file:

    logs_enabled: true
    

File monitoring

  1. Add this configuration block to your bind9.d/conf.yaml file to start collecting your Bind 9 logs.

    See the sample bind9.d/conf.yaml for all available configuration options.

    logs:
      - type: file
        path: /var/log/named/*.log
        service: bind9
        source: bind9
    

    Note: Change the path variable in conf.yaml to the same path configured in the file parameter of the channel for the Bind 9 application.

  2. Restart the Agent.

Syslog

  1. Add this configuration block to your bind9.d/conf.yaml file to start collecting your Bind 9 logs.

    See the sample bind9.d/conf.yaml for all available configuration options.

    logs:
      - type: tcp
        port: <PORT>
        service: bind9
        source: bind9
    

    Note: The value of port must be the same as the one specified in syslog.conf/rsyslog.conf.

  2. Restart the Agent.

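Specify a time zone other than UTC in the Bind 9 Datadog log pipeline

Datadog expects all logs to be in the UTC time zone by default. If the time zone of your Bind 9 logs is not UTC, specify the correct time zone in the Bind 9 Datadog pipeline.

To change the time zone in the Bind 9 pipeline:

  1. Navigate to the Pipelines page in the Datadog app.

  2. Enter "Bind 9" in the Filter Pipelines search box.

  3. Hover over the Bind 9 pipeline and click the clone button. This creates an editable clone of the Bind 9 pipeline.

  4. Edit the Grok Parser using the following steps:

    • In the cloned pipeline, find the processor named "Grok Parser: Parsing Bind 9 common log format", hover over the pipeline, and click the Edit button.
    • Under Define parsing rules,
      • Change the string UTC to the TZ identifier of the time zone of your Bind 9 server. For example, if your time zone is IST, change the value to Asia/Calcutta.
    • Click the update button.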

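Validation

Run the Agent's status subcommand and look for bind9 under the Checks section.

Compatibility

This check is compatible with all other major platforms.

Data Collected

Logs

The Bind 9 integration collects the following log types.

Event types
Query, Query Errors, Lame Servers, Notify, Security

Metrics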

bind9.nsstat_AuthQryRej
(gauge)
Number of Authoritative (non recursive) queries rejected.
Shown as query
bind9.nsstat_DNS64
(gauge)
bind9.nsstat_ExpireOpt
(gauge)
bind9.nsstat_NSIDOpt
(gauge)
bind9.nsstat_OtherOpt
(gauge)
bind9.nsstat_QryAuthAns
(gauge)
Number of queries that resulted in authoritative answer.
Shown as query
bind9.nsstat_QryDropped
(gauge)
Number of recursive queries for which the server discovered an excessive number of existing recursive queries for the same name, type and class and were subsequently dropped.
Shown as query
bind9.nsstat_QryDuplicate
(gauge)
Number of queries for which the server attempted to recurse but discovered an existing query with the same IP address, port, query ID, name, type and class already being processed.
Shown as query
bind9.nsstat_QryFailure
(gauge)
Number of queries that failed for other reasons.
Shown as query
bind9.nsstat_QryFORMERR
(gauge)
Number of queries that resulted in FORMERR.
Shown as query
bind9.nsstat_QryNoauthAns
(gauge)
Number of queries that resulted in non authoritative answer.
Shown as query
bind9.nsstat_QryNXDOMAIN
(gauge)
Number of queries that resulted in NXDOMAIN.
Shown as query
bind9.nsstat_QryNXRedir
(gauge)
Number of queries that resulted in NXDOMAIN and were redirected.
Shown as query
bind9.nsstat_QryNXRedirRLookup
(gauge)
Number of queries that resulted in NXDOMAIN and were redirected and resulted in a successful remote lookup.
Shown as query
bind9.nsstat_QryNxrrset
(gauge)
Number of queries that resulted in NOERROR responses with no data
Shown as query
bind9.nsstat_QryRecursion
(gauge)
Number of queries that caused the server to perform recursion in order to find the final answer.
Shown as query
bind9.nsstat_QryReferral
(gauge)
Number of queries that resulted in referral answer.
Shown as query
bind9.nsstat_QrySERVFAIL
(gauge)
Number of queries that resulted in SERVFAIL.
Shown as query
bind9.nsstat_QrySuccess
(gauge)
Number of queries that resulted in a successful answer.
Shown as query
bind9.nsstat_QryTCP
(gauge)
bind9.nsstat_QryUDP
(gauge)
bind9.nsstat_RateDropped
(gauge)
Number of responses dropped by rate limits.
Shown as response
bind9.nsstat_RateSlipped
(gauge)
Number of responses truncated by rate limits
Shown as response
bind9.nsstat_RecQryRej
(gauge)
Number of recursive queries rejected
Shown as query
bind9.nsstat_RecursClients
(gauge)
bind9.nsstat_ReqBadEDNSVer
(gauge)
Number of requests with unsupported EDNS version received.
Shown as request
bind9.nsstat_ReqBadSIG
(gauge)
Number of requests with invalid (TSIG or SIG(0)) signature.
Shown as request
bind9.nsstat_ReqEdns0
(gauge)
Number of requests with EDNS(0) received.
Shown as request
bind9.nsstat_ReqSIG0
(gauge)
Number of requests with SIG(0) received.
Shown as request
bind9.nsstat_ReqTCP
(gauge)
Number of TCP requests received.
Shown as request
bind9.nsstat_ReqTSIG
(gauge)
Number of requests with TSIG received.
Shown as request
bind9.nsstat_Requestv4
(gauge)
Number of IPv4 requests received (this also counts non query requests).
Shown as request
bind9.nsstat_Requestv6
(gauge)
Number of IPv6 requests received (this also counts non query requests).
Shown as request
bind9.nsstat_RespEDNS0
(gauge)
Number of responses with EDNS(0) sent.
Shown as response
bind9.nsstat_Response
(gauge)
Number of Responses sent.
Shown as response
bind9.nsstat_RespSIG0
(gauge)
Number of responses with SIG(0) sent.
Shown as response
bind9.nsstat_RespTSIG
(gauge)
Number of responses with TSIG sent.
Shown as response
bind9.nsstat_RPZRewrites
(gauge)
Number of response policy zone rewrites
bind9.nsstat_SitBadSize
(gauge)
bind9.nsstat_SitBadTime
(gauge)
bind9.nsstat_SitMatch
(gauge)
bind9.nsstat_SitNew
(gauge)
bind9.nsstat_SitNoMatch
(gauge)
bind9.nsstat_SitOpt
(gauge)
bind9.nsstat_TruncatedResp
(gauge)
Number of truncated responses sent.
Shown as response
bind9.nsstat_UpdateBadPrereq
(gauge)
Dynamic updates rejected due to prerequisite failure.
bind9.nsstat_UpdateDone
(gauge)
Dynamic updates completed.
bind9.nsstat_UpdateFail
(gauge)
Dynamic updates failed.
bind9.nsstat_UpdateFwdFail
(gauge)
Dynamic update forward failed.
bind9.nsstat_UpdateRej
(gauge)
Number of dynamic update requests rejected
Shown as request
bind9.nsstat_UpdateReqFwd
(gauge)
Number of update requests forwarded.
Shown as request
bind9.nsstat_UpdateRespFwd
(gauge)
Number of update responses forwarded.
Shown as response
bind9.nsstat_XfrRej
(gauge)
Number of zone transfer requests rejected.
Shown as request
bind9.nsstat_XfrReqDone
(gauge)
Number of requested zone transfers completed.
bind9.opcode_IQUERY
(gauge)
The number of incoming queries
Shown as query
bind9.opcode_NOTIFY
(gauge)
bind9.opcode_QUERY
(gauge)
The number of outgoing queries.
Shown as query
bind9.opcode_RESERVED10
(gauge)
bind9.opcode_RESERVED11
(gauge)
bind9.opcode_RESERVED12
(gauge)
bind9.opcode_RESERVED13
(gauge)
bind9.opcode_RESERVED14
(gauge)
bind9.opcode_RESERVED15
(gauge)
bind9.opcode_RESERVED3
(gauge)
bind9.opcode_RESERVED6
(gauge)
bind9.opcode_RESERVED7
(gauge)
bind9.opcode_RESERVED8
(gauge)
bind9.opcode_RESERVED9
(gauge)
bind9.opcode_STATUS
(gauge)
bind9.opcode_UPDATE
(gauge)
bind9.sockstat_FdwatchBindFail
(gauge)
Number of failures of binding FDWatch sockets.
bind9.sockstat_FDWatchClose
(gauge)
Number of FDWatch sockets closed.
bind9.sockstat_FDwatchConn
(gauge)
Number of FDWatch connections established successfully.
Shown as connection
bind9.sockstat_FDwatchConnFail
(gauge)
Number of failures of FDWatch connecting sockets.
bind9.sockstat_FDwatchRecvErr
(gauge)
Number of errors in FDWatch socket receive operations.
bind9.sockstat_FDwatchSendErr
(gauge)
Number of errors in FDWatch socket send operations.
bind9.sockstat_RawActive
(gauge)
Number of active raw sockets.
Shown as connection
bind9.sockstat_RawClose
(gauge)
Number of raw sockets closed.
Shown as connection
bind9.sockstat_RawOpen
(gauge)
Raw sockets opened successfully.
Shown as connection
bind9.sockstat_RawOpenFail
(gauge)
Number of raw sockets with a failure upon opening.
Shown as connection
bind9.sockstat_RawRecvErr
(gauge)
Number of errors in raw socket receive operations.
bind9.sockstat_TCP4Accept
(gauge)
Number of incoming TCP4 connections successfully accepted.
Shown as connection
bind9.sockstat_TCP4AcceptFail
(gauge)
Number of failures of accepting incoming TCP4 connection requests.
bind9.sockstat_TCP4Active
(gauge)
Number of active TCP4 sockets.
Shown as connection
bind9.sockstat_TCP4BindFail
(gauge)
Number of failures of binding TCP4 sockets.
bind9.sockstat_TCP4Close
(gauge)
Number of TCP4 sockets closed.
Shown as connection
bind9.sockstat_TCP4Conn
(gauge)
Number of TCP4 connections established successfully.
Shown as connection
bind9.sockstat_TCP4ConnFail
(gauge)
Number of failures of TCP4 connecting sockets.
bind9.sockstat_TCP4Open
(gauge)
Number of TCP4 sockets opened successfully.
Shown as connection
bind9.sockstat_TCP4OpenFail
(gauge)
Number of TCP4 sockets with a failure upon opening.
Shown as connection
bind9.sockstat_TCP4RecvErr
(gauge)
Number of errors in TCP4 socket receive operations.
bind9.sockstat_TCP4SendErr
(gauge)
Number of errors in TCP4 socket send operations.
bind9.sockstat_TCP6Accept
(gauge)
Number of incoming TCP6 connections successfully accepted.
Shown as connection
bind9.sockstat_TCP6AcceptFail
(gauge)
Number of failures of accepting incoming TCP6 connection requests.
bind9.sockstat_TCP6Active
(gauge)
Number of active TCP6 sockets.
Shown as connection
bind9.sockstat_TCP6BindFail
(gauge)
Number of failures of binding TCP6 sockets.
bind9.sockstat_TCP6Close
(gauge)
Number of TCP6 sockets closed.
Shown as connection
bind9.sockstat_TCP6Conn
(gauge)
Number of TCP6 connections established successfully.
Shown as connection
bind9.sockstat_TCP6ConnFail
(gauge)
Number of failures of TCP6 connecting sockets.
bind9.sockstat_TCP6Open
(gauge)
Number of TCP6 sockets opened successfully.
Shown as connection
bind9.sockstat_TCP6OpenFail
(gauge)
Number of TCP6 sockets with a failure upon opening.
Shown as connection
bind9.sockstat_TCP6RecvErr
(gauge)
Number of errors in TCP6 socket receive operations.
bind9.sockstat_TCP6SendErr
(gauge)
Number of errors in TCP6 socket send operations.
bind9.sockstat_UDP4Active
(gauge)
Number of active UDP4 sockets.
Shown as connection
bind9.sockstat_UDP4BindFail
(gauge)
Number of failures of binding UDP4 sockets.
bind9.sockstat_UDP4Close
(gauge)
Number of UDP4 sockets closed.
Shown as connection
bind9.sockstat_UDP4Conn
(gauge)
Number of UDP4 connections established successfully.
Shown as connection
bind9.sockstat_UDP4ConnFail
(gauge)
Number of failures of UDP4 connecting sockets.
bind9.sockstat_UDP4Open
(gauge)
Number of UDP4 sockets opened successfully.
Shown as connection
bind9.sockstat_UDP4OpenFail
(gauge)
Number of UDP4 sockets with a failure upon opening.
Shown as connection
bind9.sockstat_UDP4RecvErr
(gauge)
Number of errors in UDP4 socket receive operations.
bind9.sockstat_UDP4SendErr
(gauge)
Number of errors in UDP4 socket send operations.
bind9.sockstat_UDP6Active
(gauge)
Number of active UDP6 sockets.
Shown as connection
bind9.sockstat_UDP6BindFail
(gauge)
Number of failures of binding UDP6 sockets.
bind9.sockstat_UDP6Close
(gauge)
Number of UDP6 sockets closed.
Shown as connection
bind9.sockstat_UDP6Conn
(gauge)
Number of UDP6 connections established successfully.
Shown as connection
bind9.sockstat_UDP6ConnFail
(gauge)
Number of failures of UDP6 connecting sockets.
bind9.sockstat_UDP6Open
(gauge)
Number of UDP6 sockets opened successfully.
Shown as connection
bind9.sockstat_UDP6OpenFail
(gauge)
Number of UDP6 sockets with a failure upon opening.
Shown as connection
bind9.sockstat_UDP6RecvErr
(gauge)
Number of errors in UDP6 socket receive operations.
bind9.sockstat_UDP6SendErr
(gauge)
Number of errors in UDP6 socket send operations.
bind9.sockstat_UnixAccept
(gauge)
Number of incoming Unix connections successfully accepted.
bind9.sockstat_UnixAcceptFail
(gauge)
Number of failures of accepting incoming Unix connection requests.
bind9.sockstat_UnixActive
(gauge)
Number of active Unix sockets.
Shown as connection
bind9.sockstat_UnixBindFail
(gauge)
Number of failures of binding Unix sockets.
bind9.sockstat_UnixClose
(gauge)
Number of Unix sockets closed.
bind9.sockstat_UnixConn
(gauge)
Number of Unix connections established successfully.
bind9.sockstat_UnixConnFail
(gauge)
Number of failures of Unix connecting sockets.
bind9.sockstat_UnixOpen
(gauge)
Number of Unix sockets opened successfully.
bind9.sockstat_UnixOpenFail
(gauge)
Number of Unix sockets with a failure upon opening.
bind9.sockstat_UnixRecvErr
(gauge)
Number of errors in Unix socket receive operations.
bind9.sockstat_UnixSendErr
(gauge)
Number of errors in Unix socket send operations.
bind9.zonestat_AXFRReqv4
(gauge)
IPv4 AXFR requested.
bind9.zonestat_AXFRReqv6
(gauge)
IPv6 AXFR requested.
bind9.zonestat_IXFRReqv4
(gauge)
IPv4 IXFR requested.
bind9.zonestat_IXFRReqv6
(gauge)
IPv6 IXFR requested.
bind9.zonestat_NotifyInv4
(gauge)
IPv4 notifies received.
bind9.zonestat_NotifyInv6
(gauge)
IPv6 notifies received.
bind9.zonestat_NotifyOutv4
(gauge)
IPv4 notifies sent.
bind9.zonestat_NotifyOutv6
(gauge)
IPv6 notifies sent.
bind9.zonestat_NotifyRej
(gauge)
Incoming notifies rejected.
bind9.zonestat_SOAOutv4
(gauge)
Number of IPv4 SOA queries sent.
Shown as query
bind9.zonestat_SOAOutv6
(gauge)
Number of IPv6 SOA queries sent.
Shown as query
bind9.zonestat_XfrFail
(gauge)
Number of zone transfer requests failed.
Shown as request
bind9.zonestat_XfrSuccess
(gauge)
Number of zone transfer requests succeeded.
Shown as request

Events

The Bind 9 check does not include any events.

Service Checks

bind9.can_connect
Returns OK if the statistics-channel URL of DNS is present in the instance. Returns CRITICAL if URL errors occur.
Statuses: ok, critical

Troubleshooting

If you see a Permission denied error while monitoring the log files, give the dd-agent user read permission on them.

sudo chown -R dd-agent:dd-agent /var/log/named/

If you need further help, contact Datadog support.