Switching off the BIND DNS server logs for GDPR compliance
Original Publishing Date: 2020-03-05
Problem
The BIND DNS server writes domain names to log files, located in /var/log/messages. However, domain names are considered sensitive information, and to comply with GDPR they must be removed at a customer's request.
Resolution
Switch off BIND logging:
- Connect to the node that runs BIND.
- Add this code block to the end of the /var/named/chroot/etc/named.conf file:

  logging {
      category default {
          null;
      };
  };
- Replace the ExecStartPre line in the [Service] section of the /usr/lib/systemd/system/named-chroot.service file with the following, so that the output of the zone check (which lists zone names) is discarded instead of being logged:

  ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi > /dev/null 2>&1'
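As an added example (not part of this article, BIND or Plesk), the script below applies both edits from the steps above to the files given as arguments: it refuses to append a second logging block and rewrites only the ExecStartPre line of the unit, writing through a temp file. The idempotence checks and a POSIX sh with GNU coreutils are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the article: apply both edits above to the files
# given as arguments, without duplicating them on a second run.
set -eu

# Stanza from the article: route "default" (every category not assigned
# elsewhere) to BIND's built-in null channel.
NULL_LOGGING='logging {
    category default {
        null;
    };
};'

# ExecStartPre line from the article. The trailing "> /dev/null 2>&1" matters:
# named-checkconf -z prints one line per zone, naming it, and systemd would
# otherwise forward that to the journal and on to /var/log/messages.
ZONE_CHECK_QUIET="ExecStartPre=/bin/bash -c 'if [ ! \"\$DISABLE_ZONE_CHECKING\" == \"yes\" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z \"\$NAMEDCONF\"; else echo \"Checking of zone files is disabled\"; fi > /dev/null 2>&1'"

# Append the stanza unless "default" already goes to null; any other existing
# logging block is left for a human, since named.conf allows only one.
disable_bind_logging() {
    conf="$1"
    if tr -s '[:space:]' ' ' < "$conf" | grep -Fq 'category default { null; }'; then
        echo "$conf: default category already goes to null" >&2
        return 0
    fi
    if grep -Eq '^[[:space:]]*logging[[:space:]]*\{' "$conf"; then
        echo "$conf: has another logging block, merge by hand" >&2
        return 1
    fi
    printf '\n%s\n' "$NULL_LOGGING" >> "$conf"
}

# Swap every ExecStartPre= line for the quiet one and pass other lines through.
silence_zone_check() {
    unit="$1" n=0
    tmp="$(mktemp "${unit}.XXXXXX")"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ExecStartPre=*) printf '%s\n' "$ZONE_CHECK_QUIET"; n=$((n + 1)) ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$unit" > "$tmp"
    mv "$tmp" "$unit"
    [ "$n" -gt 0 ]   # fail if the unit had no ExecStartPre line at all
}

if [ "$#" -eq 2 ]; then   # named.conf path, then unit file path
    disable_bind_logging "$1"
    silence_zone_check "$2"
fi
```

Run it as sh script.sh /var/named/chroot/etc/named.conf /usr/lib/systemd/system/named-chroot.service, then systemctl daemon-reload and restart named-chroot so the new unit takes effect. Switching logging off does not erase domain names already written to /var/log/messages; those entries need separate handling.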
If you need to learn more about BIND logging, see the BIND documentation.