Minor "query (cache) denied" Logging Bug?
Mark Andrews
Mark_Andrews at isc.org
Thu Apr 2 01:25:29 UTC 2009
In message <49D40CA4.70404 at chrysler.com>, Kevin Darcy writes:
> bsfinkel at anl.gov wrote:
> > I have a name server that is authoritative for the zone
> >
> > tlh.fl.us.
> >
> > In that zone is a record
> >
> > freenet.tlh.fl.us. IN CNAME tfn.net.
> >
> > My server is not authoritative for tfn.net.
> >
> > Some external client sends a request:
> >
> > What is the MX for freenet.tlh.fl.us.?
> >
> > My server responds (this is from a snoop trace):
> >
> > DNS: Response ID = 61546
> > DNS: AA (Authoritative Answer)
> > DNS: Response Code: 0 (OK)
> > DNS: Reply to 1 question(s)
> > DNS: Domain Name: freenet.tlh.fl.us.
> > DNS: Class: 1 (Internet)
> > DNS: Type: 15 (Mail Exchange)
> > DNS:
> > DNS: 1 answer(s)
> > DNS: Domain Name: freenet.tlh.fl.us.
> > DNS: Class: 1 (Internet)
> > DNS: Type: 5 (Canonical Name)
> > DNS: TTL (Time To Live): 86400
> > DNS: Canonical Name: tfn.net.
> > DNS:
> > DNS: 0 name server resource(s)
> > DNS: 0 additional record(s)
> >
> > This is a correct answer. Note that there are no authority nor
> > additional sections. But I also see in /var/adm/messages:
> >
> Apr 1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info]
> > client 217.232.216.120#10000:
> > query (cache) 'tfn.net/MX/IN' denied
> >
> > I assume that in the process of getting more information about
> >
> > tfn.net
> >
> > to give the authority section and the additional section (this is from
> > an query I made to an internal BIND server, where queries are not
> > denied):
> >
> > ;; AUTHORITY SECTION:
> > tfn.net. 1d23h59m59s IN NS ns92.worldnic.com.
> > tfn.net. 1d23h59m59s IN NS ns91.worldnic.com.
> >
> > ;; ADDITIONAL SECTION:
> > freenet.tfn.net. 2H IN A 199.44.235.10
> > ns91.worldnic.com. 1d6h26m5s IN A 205.178.190.46
> > ns92.worldnic.com. 1d6h26m5s IN A 205.178.144.46
> >
> > BIND 9.6.0-P1 determines that although it may have this information
> > about tfn.net in its cache, it cannot give the information to the
> > requester because I have not configured BIND to allow external users
> > to query the cache. If BIND did not have the information about tfn.net
> > in its cache, would it go and retrieve the information and then
> > decide that it was unable to give the cached information to the
> > requester?
> >
> > Should the "query (cache) denied" message be produced? We were
> > confused because we did not see any queries for tfn.net in the
> > named.querylog file, where we log all DNS queries. I had to run a
> > snoop trace to see what was happening.
> >
> > In this case, should BIND give the information about tfn.net in its
> > cache back to the requester?
> >
> Barry,
> It's not logging that message merely because it couldn't populate the
> Authority and/or Additional Sections. It's logging that message because
> freenet.tlh.fl.us is aliased to tfn.net. If access to the cache were
> allowed, and the tfn.net MX record(s) were present in the cache, they
> would be provided in the *Answer* Section of the response. I think it's
> reasonable for BIND to log a "denied" message when omitting data that
> would otherwise be in the Answer Section of a response. After all, BIND
> is explicitly giving the client less information than they asked for.
> That's a _bona_fide_ "denial". Omitting records from the Authority or
> Additional Sections, which in most cases BIND is not obligated to
> provide anyway, probably doesn't warrant a log message, except perhaps
> at very detailed logging levels.
>
> I suppose one might question whether BIND should log "denied" messages
> for data that wouldn't have been provided anyway, because it was not in
> authoritative data, or in the cache, and recursion was not requested
> and/or not available But, as a general matter, if you're denying access
> to the cache, wouldn't you want to know *unsuccessful* attempts to fetch
> data from your cache, which might tip you off to DoS or "cache sniffing"
> attempts?
>
> Perhaps the denied attempts to fetch *non-existent* cache data could be
> logged at a different level than the denied attempts to fetch existing
> cache data, not sure if that would be a valuable feature or not...
For the listed senario the message should only be emitted if RD=1.
The following was done on a system with the following acl's that is
also authoritative for dv.isc.org. cname.dv.isc.org is a test
CNAME record. Named's syslog messages are being "tail -f"'d while
the test was in progress.
allow-query-cache { 127.0.0.1; ::/1; };
allow-recursion { 127.0.0.1; ::/1; };
Note the first query did not elicit a log message and the second query
did. A direct query for ftp.uu.net results in REFUSED being returned
which is independent of RD.
The test was run against BIND 9.6.1b1.
Mark
drugs# dig cname.dv.isc.org @192.168.191.236 +norec
; <<>> DiG 9.3.6-P1 <<>> cname.dv.isc.org @192.168.191.236 +norec
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13081
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;cname.dv.isc.org. IN A
;; ANSWER SECTION:
cname.dv.isc.org. 86400 IN CNAME ftp.uu.net.
;; Query time: 0 msec
;; SERVER: 192.168.191.236#53(192.168.191.236)
;; WHEN: Thu Apr 2 12:11:09 2009
;; MSG SIZE rcvd: 58
drugs# dig cname.dv.isc.org @192.168.191.236
Apr 2 12:11:50 drugs named[896]: client 192.168.191.236#60255: view default: query (cache) 'ftp.uu.net/A/IN' denied
; <<>> DiG 9.3.6-P1 <<>> cname.dv.isc.org @192.168.191.236
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24655
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;cname.dv.isc.org. IN A
;; ANSWER SECTION:
cname.dv.isc.org. 86400 IN CNAME ftp.uu.net.
;; Query time: 1 msec
;; SERVER: 192.168.191.236#53(192.168.191.236)
;; WHEN: Thu Apr 2 12:11:50 2009
;; MSG SIZE rcvd: 58
drugs# dig ftp.uu.net @192.168.191.236
Apr 2 12:20:47 drugs named[896]: client 192.168.191.236#58715: view default: query (cache) 'ftp.uu.net/A/IN' denied
; <<>> DiG 9.3.6-P1 <<>> ftp.uu.net @192.168.191.236
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 61980
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ftp.uu.net. IN A
;; Query time: 0 msec
;; SERVER: 192.168.191.236#53(192.168.191.236)
;; WHEN: Thu Apr 2 12:20:47 2009
;; MSG SIZE rcvd: 28
drugs#
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users
mailing list