LOGGING ZONE TRANSFER ATTEMPTS

What we need to do is detect whether someone is attempting a zone transfer of zones from our nameserver.

NOTE: The following is conducted on your NAMESERVER machine.

1. We first need to make our name server (192.168.X.30) log to syslog, then configure syslog to forward to our NOC machine (192.168.X.10). We start by making a log directory so that we keep a local copy of the logs, just in case:

   NS1-TLDX> cd /var/cache/bind
   NS1-TLDX> sudo mkdir log
   NS1-TLDX> sudo chown bind log

2. Edit the /etc/bind/named.conf.options file:

   NS1-TLDX> sudo pico /etc/bind/named.conf.options

   Add a logging section at the end of the file. Make sure you put this section after the final "};" that closes the 'options' section.

   // BEGIN add
   logging {
       channel transfer {
           file "log/transfer.log" size 10M versions 5;
           severity info;
           print-time yes;
           print-severity yes;
       };
       channel security-syslog {
           syslog security;
           severity info;
       };
       category xfer-out { transfer; security-syslog; };
       category xfer-in { transfer; security-syslog; };
       category security { transfer; security-syslog; };
   };
   // END add

   Save the file.

3. Check the configuration for errors:

   NS1-TLDX> named-checkconf /etc/bind/named.conf

   Make sure there are no errors. In particular, watch for missing ';' and unbalanced '{' and '}'.

4. Finally, we need to make the syslog daemon (we're not running syslog-ng on the DNS box) send messages to the NOC box. Edit /etc/syslog.conf:

   NS1-TLDX> sudo pico /etc/syslog.conf

   Add the following line:

   *.* @192.168.10X.30

   Remember to replace X with your group number!

   Restart the syslog daemon:

   NS1-TLDX> sudo /etc/init.d/sysklogd restart

5. Restart bind:

   NS1-TLDX> sudo /etc/init.d/bind9 restart

6. Now we attempt a zone transfer attack. Check what happens in the log file on your NOC box, under /var/log/everything.
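As an added example, not part of the lab text: a small Python parser over constructed log lines in the shape BIND 9 writes to the "transfer" channel configured above (print-time and print-severity enabled), summarising started and denied transfers per client so the NOC side can spot repeated denied AXFR requests. The zone names, client addresses and the denial threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape BIND 9 writes to the "transfer" channel
# (print-time and print-severity on). Zone names and client addresses are made
# up for this example.
SAMPLE_LOG = """\
12-Mar-2010 09:15:01.123 info: client 192.168.1.10#40211: transfer of 'tldX/IN': AXFR started
12-Mar-2010 09:15:01.131 info: client 192.168.1.10#40211: transfer of 'tldX/IN': AXFR ended
12-Mar-2010 09:16:44.002 error: client 10.0.0.99#51322: zone transfer 'tldX/IN' denied
12-Mar-2010 09:16:45.310 error: client 10.0.0.99#51323: zone transfer 'tldX/IN' denied
12-Mar-2010 09:17:02.777 error: client 10.0.0.99#51324: zone transfer 'www.tldX/IN' denied
"""

# Matches both a successful transfer (started/ended) and a denied transfer.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<sev>\w+): client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"(?:transfer of '(?P<zone_ok>[^']+)': (?P<kind>AXFR|IXFR) (?P<state>started|ended)"
    r"|zone transfer '(?P<zone_denied>[^']+)' denied)"
)

def parse_line(line):
    """Return a dict for a transfer-related log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    denied = m.group("zone_denied") is not None
    return {
        "time": m.group("ts"),
        "client": m.group("ip"),
        "zone": m.group("zone_denied") if denied else m.group("zone_ok"),
        "denied": denied,
        "started": (not denied) and m.group("state") == "started",
    }

def summarize(log_text, threshold=2):
    """Count started/denied transfers per client; list clients at or above threshold denials."""
    counts = defaultdict(lambda: {"started": 0, "denied": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["denied"]:
            counts[rec["client"]]["denied"] += 1
        elif rec["started"]:
            counts[rec["client"]]["started"] += 1
    suspects = sorted(c for c, n in counts.items() if n["denied"] >= threshold)
    return dict(counts), suspects
```

Run `summarize(SAMPLE_LOG)` against the real transfer.log (or the forwarded copy on the NOC box) to get per-client counts plus the list of clients whose transfer requests were repeatedly refused.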