Plethora of logged messages started up
Robert Gahl
bgahl at bawcsa.org
Wed Dec 19 20:09:41 UTC 2001
I recently got 9.2.0 up and running, and then left on vacation, only to
come back to find my log files filled up with these sorts of messages:
On the "master":
>Dec 19 11:59:46 web in.named[9654]: client 12.35.96.66#53: query (cache) denied
>Dec 19 11:59:46 web in.named[9654]: client 63.102.65.248#53: query (cache) denied
On the "slave":
>Dec 19 11:59:38 u1proxy in.named[14866]: [ID 866145 daemon.info] client 204.127.160.6#53: query (cache) denied
>Dec 19 11:59:39 u1proxy in.named[14866]: [ID 866145 daemon.info] client 136.235.12.7#53: query (cache) denied
My master/primary DNS named.conf looks as follows:
>//DNS clients at fireclick.com
>acl "trusted" {
>    localhost;
>    208.45.103.16/29;    // Hosts at Fireclick Corporate
>    63.146.119.64/26;    // Hosts at Qwest Cabinet
>    64.210.184.128/28;   // Hosts at Exodus
>    65.200.204.0/26;     // Hosts at UUNet
>};
>
>// Official secondaries
>acl "fireclick-xfer" {
>    208.45.103.16/29;    // Hosts at Fireclick Corporate
>    63.146.119.64/26;    // Hosts at Qwest Cabinet
>    64.210.184.128/28;   // Hosts at Exodus
>    65.200.204.0/26;     // Hosts at UUNet
>};
>
>// Fireclick internal addresses
>
>acl "internal_clients" {
>    208.45.103.16/29;    // Hosts at Fireclick Corporate
>};
>
>// Known fake source addresses shouldn't be replied to.
>// For external queries, these should be blocked by Fireclick's
>// border router.
>
>acl "bogon" {
>    0.0.0.0/8;           // Null address
>    1.0.0.0/8;           // IANA reserved, popular fake
>    2.0.0.0/8;
>    192.0.2.0/24;        // Test address
>    224.0.0.0/3;         // Multicast address
>    // Enterprise networks may or may not be bogus
>    10.0.0.0/8;
>    172.16.0.0/12;
>    192.168.0.0/16;
>};
>
>options {
>    directory "/etc/dns";
>    pid-file "/var/log/named.pid";
>    listen-on { 127.0.0.1; 63.146.119.75; };
>    query-source address * port 53;
>    allow-query {
>        trusted;
>    };
>    allow-transfer {
>        none;
>    };
>    blackhole {
>        bogon;
>    };
>};
>
>//
>// View settings are mandatory for each class
>//
>view "in" in {
>    match-clients { any; };
>
>    // Bootstrap the root.
>
>    zone "." in {
>        type hint;
>        file "root.cache";
>    };
>
>    // 127.0.0.0/24 The loopback network.
>
>    zone "0.0.127.in-addr.arpa" {
>        type master;
>        file "zone.127.0.0";
>        allow-query {
>            trusted;
>        };
>        // Every DNS server should be a master
>        // for 127.0.0.0/24.
>        allow-transfer {
>            none;
>        };
>    };
>
>    // 63.236.34.192/27 - Old Addresses
>    zone "27/192.34.236.63.in-addr.arpa" {
>        type master;
>        file "primary/zone.63.236.34.192";
>        allow-query {
>            any;
>        };
>        allow-transfer {
>            localhost;
>            fireclick-xfer;
>        };
>    };
>
>    // 63.146.119.64/26 - New addresses - VLAN segment
>    zone "26/64.119.146.63.in-addr.arpa" {
>        type master;
>        file "primary/zone.63.146.119.64";
>        allow-query {
>            any;
>        };
>        allow-transfer {
>            localhost;
>            fireclick-xfer;
>        };
>    };
>
>    // Fireclick hardware (official master)
>    zone "fireclick.com" {
>        type master;
>        file "primary/zone.fireclick.com";
>        allow-query {
>            any;
>        };
>        allow-transfer {
>            localhost;
>            fireclick-xfer;
>        };
>    };
>
>    // Fireclick Networking hardware (official master)
>    zone "fireclick.net" {
>        type master;
>        file "primary/zone.fireclick.net";
>        allow-query {
>            any;
>        };
>        allow-transfer {
>            localhost;
>            fireclick-xfer;
>        };
>    };
>
>    // Fireclick's old name (official master)
>    zone "eracer.net" in {
>        type master;
>        file "primary/zone.eracer.net";
>        allow-query {
>            any;
>        };
>        allow-transfer {
>            localhost;
>            fireclick-xfer;
>        };
>    };
>
>    // Fireclick's Sales/Mkting sites
>    zone "funsportsnet.com" in {
>        type master;
>        file "primary/zone.funsportsnet.com";
>        allow-query {
>            any;
>        };
>        allow-transfer {
>            localhost;
>            fireclick-xfer;
>        };
>    };
>
>    zone "news34.com" in {
>        type master;
>        file "primary/zone.news34.com";
>        allow-query {
>            any;
>        };
>        allow-transfer {
>            localhost;
>            fireclick-xfer;
>        };
>    };
>
>    // Fireclick Demo (official master)
>    zone "hikenbike.com" {
>        type master;
>        file "primary/zone.hikenbike.com";
>        allow-query {
>            any;
>        };
>        allow-transfer {
>            localhost;
>            fireclick-xfer;
>        };
>    };
>
>    // Fireclick Service (official master)
>    zone "netflame.com" {
>        type master;
>        file "primary/zone.netflame.com";
>        allow-query {
>            any;
>        };
>        allow-transfer {
>            localhost;
>            fireclick-xfer;
>        };
>    };
>};
>
>view "chaos" chaos {
>
>    match-clients { !127.0.0.1; !trusted; any; };
>    allow-query { none; };
>
>    // Bootstrap the root.
>
>    zone "." chaos {
>        type hint;
>        file "/dev/null";
>    };
>
>    // Control access to BIND version number to
>    // users at fireclick.com only.
>    // Ref: BUGTRAQ posting from LaMont Jones
>    // <lamont at CRANSTON.FC.HP.COM> on 1998-06-12.
>    zone "bind" chaos {
>        type master;
>        file "primary/bind";
>        allow-query {
>            trusted;
>        };
>        allow-transfer {
>            none;
>        };
>    };
>};
I don't remember seeing this level of error/notification messages prior to
this upgrade. Now they are flying by as I tail the logs. I suspect they
have always been there but I hadn't noticed, and I also assume the denials
are part and parcel of my configuration in named.conf.
The question is: am I doing something in my named.conf that I really
shouldn't be? That is, are my denials inappropriate? If so, any suggestions
on how I should change them?
If the security isn't inappropriate, can I turn off the logging of these
denials?
Thanks.
===
Bob Gahl Bicycle (Ryan Vanguard) Mobile || @
ARPA/Internet: bgahl at bawcsa.org || !_ \
URL: http://www.bawcsa.org/bgahl/ || (*)-~--+--(*)
"Sahn joong moe low ful how jee yah ching wong" - "When the
mountain has no tigers, the monkey will also declare himself
king." Chinese Proverb
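As an added example (not from the original post, and not BIND's own code), a small Python script that parses the two syslog flavours quoted above and checks each denied client against the ACLs in the posted named.conf: a denial from a "trusted" address would mean the allow-query ACL is incomplete, a denial from a "bogon" address would mean the blackhole is not taking effect, and anything else is the refusal the options-level allow-query { trusted; } asks for. The builtin "localhost" ACL is approximated by the two listen-on addresses, and the last two sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter
# ACLs transcribed from the posted named.conf; BIND's builtin "localhost" ACL is
# approximated by the two listen-on addresses from the options block.
TRUSTED = ["127.0.0.1/32", "63.146.119.75/32", "208.45.103.16/29",
           "63.146.119.64/26", "64.210.184.128/28", "65.200.204.0/26"]
BOGON = ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "192.0.2.0/24",
         "224.0.0.0/3", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
TRUSTED_NETS = [ipaddress.ip_network(c) for c in TRUSTED]
BOGON_NETS = [ipaddress.ip_network(c) for c in BOGON]

# Matches both syslog flavours quoted in the post: plain master lines and
# Solaris slave lines carrying an "[ID nnn daemon.info]" tag.
DENIED_RE = re.compile(
    r"in\.named\[\d+\]: (?:\[ID \d+ [\w.]+\] )?client "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+): query \((?P<kind>\w+)\) denied")

# Constructed sample: the post's four lines (rejoined) plus two made-up lines,
# one from a "trusted" host and one from a bogon source.
SAMPLE_LOG = [
    "Dec 19 11:59:46 web in.named[9654]: client 12.35.96.66#53: query (cache) denied",
    "Dec 19 11:59:46 web in.named[9654]: client 63.102.65.248#53: query (cache) denied",
    "Dec 19 11:59:38 u1proxy in.named[14866]: [ID 866145 daemon.info] client "
    "204.127.160.6#53: query (cache) denied",
    "Dec 19 11:59:39 u1proxy in.named[14866]: [ID 866145 daemon.info] client "
    "136.235.12.7#53: query (cache) denied",
    "Dec 19 12:00:01 web in.named[9654]: client 208.45.103.20#2049: query (cache) denied",
    "Dec 19 12:00:02 web in.named[9654]: client 10.1.2.3#53: query (cache) denied",
]

def classify(ip):
    """Place a denied client relative to the named.conf ACLs."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in TRUSTED_NETS):
        return "trusted"  # allow-query { trusted; } should have admitted it
    if any(addr in n for n in BOGON_NETS):
        return "bogon"    # blackhole { bogon; } should have dropped it silently
    return "outside"      # the expected case: a stranger refused cache access

def summarize(lines):
    """Count "query (cache) denied" events per (client, class)."""
    counts = Counter()
    for m in filter(None, map(DENIED_RE.search, lines)):
        if m["kind"] == "cache":
            counts[(m["ip"], classify(m["ip"]))] += 1
    return counts

def unexpected(counts):
    """Clients whose denial points at an ACL gap rather than a normal refusal."""
    return sorted(ip for (ip, cls) in counts if cls != "outside")
```

Run it over the real log (for example `summarize(open("/var/log/messages"))`); an empty `unexpected()` result means every denial came from an address the configuration intends to refuse.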