Security logging oddity

base60 nobody at whitehouse.com
Fri Apr 7 03:18:38 UTC 2006


Robert Zilbauer wrote:
> I'm running BIND 9.3.2 and am having trouble understanding why some 
> denied queries are logged while others are not. I did a bunch of 
> searching around about it, but came up empty. Maybe someone here could 
> help? I'd be more than happy to RTFM if someone could point me to the 
> right FM to R. ;-)
> 
> Here's the deal. A BIND 9.3.2 server that's been locked down and doesn't 
> allow strangers to do recursive queries. All queries from external 
> sources *are* denied, no problems there. 
> 
> Example #1 --
>   hastur log # host m1.2mdn.net aaa.bbb.ccc.80
>   Using domain server:
>   Name: aaa.bbb.ccc.80
>   Address: aaa.bbb.ccc.80#53
>   Aliases: 
> 
>   Host m1.2mdn.net not found: 5(REFUSED)
> 
> Example #2 --
>   hastur log # host www.slappy.org aaa.bbb.ccc.80
>   Using domain server:
>   Name: aaa.bbb.ccc.80
>   Address: aaa.bbb.ccc.80#53
>   Aliases: 
> 
>   Host www.slappy.org not found: 5(REFUSED)
> 
> However, even with logging turned up to debug 3 or 4, only Example #1 
> comes back with a "denied" log entry: 
> 
> 06-Apr-2006 16:19:26.405 queries: info: client xx.yy.zz.33#64531: view 
> external-in: query: m1.2mdn.net IN A +
> 06-Apr-2006 16:19:26.405 security: info: client xx.yy.zz.33#64531: view 
> external-in: query 'm1.2mdn.net/A/IN' denied
> 
> Example #2 only results in a log entry of: 
> 
> 06-Apr-2006 16:28:26.102 queries: info: client xx.yy.zz.33#64543: view 
> external-in: query: www.slappy.org IN A +
> 
> No explicit "denied" message in the logs.
> 
> I'd like to see "denied" logging for all denied queries. Perhaps someone 
> could give me a shove in the right direction?

If memory serves, even with recursion disabled, if an entry is cached
it will be provided to anyone.
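
An added example, not part of either message and not BIND's own tooling: a small script that pairs each `queries:` log entry with a `security: ... denied` entry for the same client, port, view and question, and lists the queries that have no matching denial, which is the gap described in the original post. It assumes one log entry per line (unwrapped) in the format quoted above; the sample lines and the 192.0.2.33 address are constructed.

```python
import re

# Constructed sample in the format quoted in the thread, one entry per line.
SAMPLE_LOG = """\
06-Apr-2006 16:19:26.405 queries: info: client 192.0.2.33#64531: view external-in: query: m1.2mdn.net IN A +
06-Apr-2006 16:19:26.405 security: info: client 192.0.2.33#64531: view external-in: query 'm1.2mdn.net/A/IN' denied
06-Apr-2006 16:28:26.102 queries: info: client 192.0.2.33#64543: view external-in: query: www.slappy.org IN A +
"""

# Shared prefix: timestamp, category, severity, client#port, optional view.
HEAD = (r"^\S+ \S+ {cat}: \w+: client (?P<client>[^#\s]+)#(?P<port>\d+): "
        r"(?:view (?P<view>\S+): )?")
QUERY_RE = re.compile(
    HEAD.format(cat="queries")
    + r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)")
DENIED_RE = re.compile(
    HEAD.format(cat="security")
    + r"query '(?P<name>[^/']+)/(?P<type>[^/']+)/(?P<cls>[^/']+)' denied")


def _key(m):
    # Source port plus question identifies one request closely enough for
    # short log windows; a reused port with the same question would collide.
    return (m["client"], m["port"], m["view"],
            m["name"].lower().rstrip("."), m["type"], m["cls"])


def correlate(log_text):
    """Return (denied, unmatched) lists of (timestamp, key) for logged queries."""
    queries, denied_keys = [], set()
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            queries.append((line.split(" queries:")[0], _key(m)))
            continue
        m = DENIED_RE.match(line)
        if m:
            denied_keys.add(_key(m))
    denied = [q for q in queries if q[1] in denied_keys]
    unmatched = [q for q in queries if q[1] not in denied_keys]
    return denied, unmatched


if __name__ == "__main__":
    denied, unmatched = correlate(SAMPLE_LOG)
    for ts, key in unmatched:
        print(f"{ts} no 'denied' entry for {key[3]}/{key[4]}/{key[5]} "
              f"from {key[0]}#{key[1]}")
```
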


