squash 'client query (cache) denied' syslog entries

Jeremy C. Reed jreed at isc.org
Thu Oct 18 19:30:12 UTC 2012


On Thu, 18 Oct 2012, David Dowdle wrote:

> Some of my external facing nameservers are under attack, and the biggest
> fallout is the machines going into iowait from logging all the client query
> denied syslog messages.
> 
> note: yes, recursion is turned off on these machines.
> 
> The current logging is a very vanilla
> 
> logging {
>         category default { default_syslog; default_debug; };
>         category lame-servers { null; };
>         // below 2 lines are for logging EVERY query. this can fill a drive
>         //channel "querylog" { file "/var/log/named/query.log"; print-time yes; };
>         //category queries { querylog; };
> };
> 
> 
> I'd like to keep logging going, for obvious reasons, but need to kill the
> 'client query (cache) denied' messages
> 
> so far all the google-found 'solutions' are: turn off all logging

Maybe discard all security logging with:

category security { null; };

Or set up a new channel for handling security with a "severity" of 
"notice" or higher, and then set the category for security to use that 
custom channel. (This cache denied logging is at the "info" level so 
shouldn't be logged at notice or higher.)

A custom my_security_channel example is in the ARM documentation 
which may provide some hints.
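
The channel-based option from the reply above, written out as an added example (not part of the original post and not copied from the ARM): the poster's logging block with a my_security_channel that still goes to syslog but only accepts "notice" and higher. The "daemon" facility is an assumption, chosen to match BIND's built-in default_syslog channel.

```conf
logging {
        // Added example channel: same destination as default_syslog,
        // but with the threshold raised from info to notice.
        channel my_security_channel {
                syslog daemon;          // assumption: same facility as default_syslog
                severity notice;        // info-level "query (cache) ... denied" is below this
        };

        category default { default_syslog; default_debug; };
        category lame-servers { null; };

        // Route the security category to the custom channel only.
        // Every other info-level message in this category is dropped too;
        // notice, warning, error and critical still reach syslog.
        category security { my_security_channel; };

        // below 2 lines are for logging EVERY query. this can fill a drive
        //channel "querylog" { file "/var/log/named/query.log"; print-time yes; };
        //category queries { querylog; };
};
```

Running named-checkconf against the edited file validates the syntax before named is reloaded.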


