Minor "query (cache) denied" Logging Bug?

Kevin Darcy kcd at chrysler.com
Thu Apr 2 00:53:56 UTC 2009


bsfinkel at anl.gov wrote:
> I have a name server that is authoritative for the zone
>
>      tlh.fl.us.
>
> In that zone is a record
>
>      freenet.tlh.fl.us.  IN  CNAME   tfn.net.
>
> My server is not authoritative for tfn.net.
>
> Some external client sends a request:
>
>      What is the MX for freenet.tlh.fl.us.?
>
> My server responds (this is from a snoop trace):
>
>      DNS:  Response ID = 61546
>      DNS:  AA (Authoritative Answer)
>      DNS:  Response Code: 0 (OK)
>      DNS:  Reply to 1 question(s)
>      DNS:      Domain Name: freenet.tlh.fl.us.
>      DNS:      Class: 1 (Internet)
>      DNS:      Type:  15 (Mail Exchange)
>      DNS:
>      DNS:  1 answer(s)
>      DNS:      Domain Name: freenet.tlh.fl.us.
>      DNS:      Class: 1 (Internet)
>      DNS:      Type:  5 (Canonical Name)
>      DNS:      TTL (Time To Live): 86400
>      DNS:      Canonical Name: tfn.net.
>      DNS:
>      DNS:  0 name server resource(s)
>      DNS:  0 additional record(s)
>
> This is a correct answer.  Note that there are no authority nor
> additional sections.  But I also see in /var/adm/messages:
>
>      Apr  1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info]
>        client 217.232.216.120#10000:
>        query (cache) 'tfn.net/MX/IN' denied
>
> I assume that in the process of getting more information about
>
>      tfn.net
>
> to give the authority section and the additional section (this is from
> a query I made to an internal BIND server, where queries are not
> denied):
>
>      ;; AUTHORITY SECTION:
>      tfn.net.                1d23h59m59s IN NS  ns92.worldnic.com.
>      tfn.net.                1d23h59m59s IN NS  ns91.worldnic.com.
>
>      ;; ADDITIONAL SECTION:
>      freenet.tfn.net.        2H IN A         199.44.235.10
>      ns91.worldnic.com.      1d6h26m5s IN A  205.178.190.46
>      ns92.worldnic.com.      1d6h26m5s IN A  205.178.144.46
>
> BIND 9.6.0-P1 determines that although it may have this information
> about tfn.net in its cache, it cannot give the information to the
> requester because I have not configured BIND to allow external users
> to query the cache.  If BIND did not have the information about tfn.net
> in its cache, would it go and retrieve the information and then
> decide that it was unable to give the cached information to the
> requester?
>
> Should the "query (cache) denied" message be produced?  We were
> confused because we did not see any queries for tfn.net in the
> named.querylog file, where we log all DNS queries.  I had to run a
> snoop trace to see what was happening.
>
> In this case, should BIND give the information about tfn.net in its
> cache back to the requester?
>   
Barry,
It's not logging that message merely because it couldn't populate the 
Authority and/or Additional Sections. It's logging that message because 
freenet.tlh.fl.us is aliased to tfn.net. If access to the cache were 
allowed, and the tfn.net MX record(s) were present in the cache, they 
would be provided in the *Answer* Section of the response. I think it's 
reasonable for BIND to log a "denied" message when omitting data that 
would otherwise be in the Answer Section of a response. After all, BIND 
is explicitly giving the client less information than they asked for. 
That's a _bona_fide_ "denial". Omitting records from the Authority or 
Additional Sections, which in most cases BIND is not obligated to 
provide anyway, probably doesn't warrant a log message, except perhaps 
at very detailed logging levels.

I suppose one might question whether BIND should log "denied" messages 
for data that wouldn't have been provided anyway, because it was not in 
authoritative data, or in the cache, and recursion was not requested 
and/or not available. But, as a general matter, if you're denying access 
to the cache, wouldn't you want to know about *unsuccessful* attempts to fetch 
data from your cache, which might tip you off to DoS or "cache sniffing" 
attempts?

Perhaps the denied attempts to fetch *non-existent* cache data could be 
logged at a different level than the denied attempts to fetch existing 
cache data, not sure if that would be a valuable feature or not...

- Kevin
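Kevin's last point is that the "query (cache) denied" lines are worth watching as a signal, not just noise. The script below is an added example, not code from the thread or from BIND: it parses syslog lines in the shape of the one Barry quoted (the same Solaris "[ID ...]" prefix and "client ip#port: query (cache) 'name/type/class' denied" message) and summarises denied cache lookups per client, flagging sources that trip an assumed threshold. The sample log lines are constructed; the 203.0.113.7 client, its query names and the threshold are assumptions, and the log line itself cannot tell whether the denied data actually existed in the cache, which is exactly the distinction Kevin wonders about.

```python
"""Added example (not part of the original thread): summarise BIND
"query (cache) ... denied" log lines per client so that denied cache
lookups can be reviewed.  Log format follows the line quoted in the
thread; sample lines and the threshold are constructed assumptions."""

import re
from collections import Counter, defaultdict

# Matches the BIND 9 "query (cache) '<name>/<type>/<class>' denied" message.
# The syslog prefix (timestamp, host, named[pid], Solaris "[ID ...]" tag) is
# deliberately not parsed; we anchor on the "client ip#port:" token instead.
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+):\s+"
    r"query \(cache\) '(?P<name>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied"
)


def parse_denied(line):
    """Return a dict (ip, port, name, qtype, qclass) for a cache-denied line,
    or None when the line is some other named message."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def summarize(lines, threshold=3):
    """Count denied cache queries per client and the distinct names each asked for.

    Clients at or above `threshold` (an assumed tuning value) are flagged.
    Many distinct names from one source is the pattern to review for cache
    probing; many repeats of one name is more typical of a misconfigured
    resolver pointed at an authoritative-only server."""
    per_client = Counter()
    names = defaultdict(set)
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            continue
        per_client[rec["ip"]] += 1
        names[rec["ip"]].add(rec["name"])
    flagged = {
        ip: {"count": n, "distinct_names": len(names[ip])}
        for ip, n in per_client.items()
        if n >= threshold
    }
    return per_client, flagged


# Constructed sample log lines in the shape of the one quoted in the thread.
# The first is the quoted line re-joined onto one line; the 203.0.113.7
# entries and the "zone ... loaded serial" line are made up for the example.
SAMPLE_LOG = [
    "Apr  1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info] "
    "client 217.232.216.120#10000: query (cache) 'tfn.net/MX/IN' denied",
    "Apr  1 09:09:15 thor.it.anl.gov named[171]: [ID 873579 daemon.info] "
    "client 203.0.113.7#53211: query (cache) 'example.com/A/IN' denied",
    "Apr  1 09:09:15 thor.it.anl.gov named[171]: [ID 873579 daemon.info] "
    "client 203.0.113.7#53212: query (cache) 'example.net/A/IN' denied",
    "Apr  1 09:09:16 thor.it.anl.gov named[171]: [ID 873579 daemon.info] "
    "client 203.0.113.7#53213: query (cache) 'example.org/A/IN' denied",
    "Apr  1 09:09:16 thor.it.anl.gov named[171]: [ID 873579 daemon.info] "
    "zone tlh.fl.us/IN: loaded serial 2009040101",
]

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} denied cache queries")
    print("flagged:", flagged)
```

Run against a real /var/adm/messages or named log by replacing `SAMPLE_LOG` with the file's lines. The one quoted denial from Barry's trace is counted but not flagged; the constructed 203.0.113.7 source, asking for three different names, crosses the threshold and is the kind of entry worth a closer look.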