BIND’s query logging is actually a rate-limiting mechanism for its own internal debugging, not a direct window into client requests.

Let’s watch named in action. Imagine a simple named.conf for a local resolver:

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { localhost; };
    listen-on { 127.0.0.1; };
};

logging {
    channel query_log {
        file "/var/log/named/queries.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category queries { query_log; };
};

Now, we’ll start named and then make a query from localhost:

sudo systemctl start bind9
dig @127.0.0.1 www.google.com

The magic happens in /var/log/named/queries.log. You’ll see something like this (timestamps and exact formatting will vary):

2023-10-27T10:30:00-07:00 info named[12345]: queries: info: client 127.0.0.1#54321 (www.google.com): query: www.google.com IN A +E(0)
2023-10-27T10:30:05-07:00 info named[12345]: queries: info: client 127.0.0.1#54322 (www.example.com): query: www.example.com IN A +E(0)

This output shows named receiving a query for www.google.com from 127.0.0.1 on UDP port 54321. The +E(0) indicates no EDNS options were used. This is the raw data BIND itself sees and is processing.
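The following Python parser is an added example, not code from the original article or from BIND. It reads query lines in the format shown above and counts queries per client, name and type. The function names and the third sample line are constructed for illustration. The optional `@0x…` client pointer and `view` prefix handled by the regex are variants some BIND versions emit that do not appear in the sample above.

```python
import re
from collections import Counter

# Constructed sample input: the two lines shown above plus one non-query line.
SAMPLE_LOG = """\
2023-10-27T10:30:00-07:00 info named[12345]: queries: info: client 127.0.0.1#54321 (www.google.com): query: www.google.com IN A +E(0)
2023-10-27T10:30:05-07:00 info named[12345]: queries: info: client 127.0.0.1#54322 (www.example.com): query: www.example.com IN A +E(0)
2023-10-27T10:30:06-07:00 info named[12345]: general: info: reloading configuration succeeded
"""

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?"            # optional client object pointer
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "   # source address (v4 or v6) and port
    r"\((?P<orig>[^)]*)\): "                   # name as originally asked
    r"(?:view (?P<view>\S+): )?"               # present only when views are in use
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-]\S*)"                      # '+'/'-' then flag letters
)

def parse_query_line(line):
    """Return a dict for a query log line, or None for any other line."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    flags = rec["flags"]
    rec["recursion_desired"] = flags.startswith("+")  # '+' = RD bit set
    rec["tcp"] = "T" in flags                         # 'T' = query arrived over TCP
    edns = re.search(r"E\((\d+)\)", flags)            # 'E(n)' = EDNS version n
    rec["edns_version"] = int(edns.group(1)) if edns else None
    return rec

def summarize(log_text):
    """Count queries per (client IP, lower-cased qname, qtype)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec:
            counts[(rec["ip"], rec["qname"].lower(), rec["qtype"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Lines that are not query records, such as messages from other categories sharing the same file, return `None` and are skipped by `summarize`.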

The problem BIND query logging solves is understanding why a DNS resolution might be failing or slow from BIND’s perspective. It’s not about seeing every single packet that hits your network interface; it’s about BIND telling you what it’s doing with the queries it receives. The primary levers you control are the logging stanza in named.conf, dictating what gets logged (categories like queries, resolver, security) and where it goes (channels with file rotation, syslog, etc.). You can also control the severity of messages, from debug (very noisy) down to critical.

The most surprising thing about BIND query logging is that it’s often enabled by default at a low severity, meaning you might have it on but not be seeing the useful details without explicitly increasing the severity for the queries category. You can’t just turn on queries and expect to see full packet dumps; BIND only logs what it deems relevant for its own debugging based on the severity level.

If you’re seeing "query denied" messages in your logs, the next step is to examine your allow-query and allow-recursion ACLs.
