Security logging oddity

Robert Zilbauer zilbauer at slappy.org
Fri Apr 7 20:50:33 UTC 2006


On Thursday 06 April 2006 08:18 pm, you wrote:
> > I'd like to see "denied" logging for all denied queries. Perhaps
> > someone could give me a shove in the right direction?

It was suggested that I post my BIND config, so here it is. In hopes of 
clearing this up myself I set up a 9.3.2 server with two views and a 
bare-bones config.

It still all works as I would expect: 
  1. Queries coming in from trusted IPs are answered.
  2. Queries coming in from untrusted IPs are refused.

So, no problems there. It's just that there aren't any "denied" messages 
in the logs when an untrusted host tries to do a recursive query. 

Perhaps I'm misunderstanding when a query would be logged as "denied"? 

Thanks again. 
Test details and named.conf follow...


For my test, I used this --
             DNS server: 192.168.12.6
  Trusted query machine: 192.168.12.97
Untrusted query machine: 192.168.14.87

And this as the named.conf --
#
acl "trusted" {
        localhost;
        192.168.12.97;
};

acl "bogon" {
    172.16.0.0/12;
};

options {
        directory "/etc/dns";
        pid-file   "/var/tmp/named.pid";
        blackhole {
                bogon;
        };
};

view "internal-in" in {
    match-clients { trusted; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;

    # Bootstrap the root.
    #
    zone "." {
        type hint;
        file "named.ca";
    };

    # 127.0.0.0/24 The loopback network
    # 
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "127.000.000";
        allow-query {
                localhost;
        };
        allow-transfer {
                none;
        };
    };
}; // End of internal view

# Create a view for external DNS clients.
#
view "external-in" in {
    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
};  // End of external view.

# logging controls
#
logging {
        channel "bind-log" {
                file "/var/tmp/named.log" versions 20 size 10m;
                print-category yes;
                print-severity yes;
                print-time yes;
                severity info;
        };

        channel "stderr_errors" {
                stderr;
        };

        category "general" { "bind-log"; };
        category "resolver" { "bind-log"; };
        category "client" { "bind-log"; };
        category "network" { "bind-log"; };
        category "xfer-in" { "bind-log"; };
        category "xfer-out" { "bind-log"; };
        category "notify" { "bind-log"; };
        category "lame-servers" { "bind-log"; };
        category "security" { "bind-log"; };
        category "config" { "bind-log"; };
        category "queries" { "bind-log"; };
        category "update" { "bind-log"; };
        category "default" { "bind-log"; };
};

key "rndc-key" {
      algorithm hmac-md5;
      secret "nr9zfwG6FmGhlZ2y9hh2pw==";
};

controls {
        inet * port 953 
                allow { any; } keys { "rndc-key"; };
};


A test from the trusted host returned this --

  $ host www.colorado.edu 192.168.12.6
  Using domain server 192.168.12.6:

  www.colorado.edu has address 128.138.129.98

And was logged on the DNS machine like this --

07-Apr-2006 13:44:17.249 queries: info: client 192.168.12.97#45014: view internal-in: query: www.colorado.edu IN A +
07-Apr-2006 13:44:17.473 queries: info: client 192.168.12.97#45016: view internal-in: query: www.colorado.edu IN AAAA +
07-Apr-2006 13:44:17.547 queries: info: client 192.168.12.97#45017: view internal-in: query: www.colorado.edu IN MX +


A test from the untrusted host returned this --

  $ host www.colorado.edu 192.168.12.6
  Using domain server:
  Name: 192.168.12.6
  Address: 192.168.12.6#53
  Aliases: 

  Host www.colorado.edu not found: 5(REFUSED)

And was logged on the DNS machine like this --

07-Apr-2006 13:44:29.960 queries: info: client 192.168.14.87#32974: view external-in: query: www.colorado.edu IN A +




-- 
The Sun,  with all  the planets  revolving  around  it,  and 
depending on it, can still ripen a bunch of grapes as though 
it had nothing else in the Universe to do.
                             -- Galileo Galilei, 1564 - 1642
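
Added example (not part of the original post, and not BIND code): the refused query above shows up only as a "queries" line in view external-in, so this Python sketch parses lines in the format shown and counts, per client, the queries that matched a given view with the recursion-desired flag (+). The function name is hypothetical, and the sample is built from the log excerpts in the post plus two constructed lines.

```python
import re
from collections import Counter

# Format of "queries" category lines as shown in the post (print-time,
# print-category and print-severity all set to yes).
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): view (?P<view>\S+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)$"
)

def recursive_queries_in_view(lines, view="external-in"):
    """Count, per client IP, queries that matched `view` with RD set (+)."""
    hits = Counter()
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # other log categories, or lines in another format
        if m["view"] == view and m["flags"].startswith("+"):
            hits[m["ip"]] += 1
    return hits

# Sample input: the four query lines from the post, plus two constructed
# lines (a non-query message and a query without the RD flag).
SAMPLE = [
    "07-Apr-2006 13:44:10.000 general: info: running",
    "07-Apr-2006 13:44:17.249 queries: info: client 192.168.12.97#45014: view internal-in: query: www.colorado.edu IN A +",
    "07-Apr-2006 13:44:17.473 queries: info: client 192.168.12.97#45016: view internal-in: query: www.colorado.edu IN AAAA +",
    "07-Apr-2006 13:44:17.547 queries: info: client 192.168.12.97#45017: view internal-in: query: www.colorado.edu IN MX +",
    "07-Apr-2006 13:44:29.960 queries: info: client 192.168.14.87#32974: view external-in: query: www.colorado.edu IN A +",
    "07-Apr-2006 13:44:31.000 queries: info: client 192.168.14.87#32975: view external-in: query: www.colorado.edu IN A -",
]

if __name__ == "__main__":
    # external-in is the view in which the post's untrusted host got REFUSED.
    for ip, count in recursive_queries_in_view(SAMPLE).items():
        print(f"{ip}: {count} recursive query(ies) matched view external-in")
```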


