Plethora of logged messages started up
Kevin Darcy
kcd at daimlerchrysler.com
Wed Dec 19 23:47:29 UTC 2001
It's probably just a change in the logging level. If you want to see exactly
what queries are being denied, one way to see that is to lift your allow-query
ACL temporarily and look at the query log. If you're paranoid, you could set
an allow-recursion ACL while you're doing that just to make sure nobody is
poisoning your cache or perpetrating a denial-of-service attack on your
server.
- Kevin
Robert Gahl wrote:
> I've got 9.2.0 up and running recently, and then left on vacation, only to
> come back to find my log files filled up with these sorts of messages:
>
> On the "master":
>
> >Dec 19 11:59:46 web in.named[9654]: client 12.35.96.66#53: query (cache) denied
> >Dec 19 11:59:46 web in.named[9654]: client 63.102.65.248#53: query (cache) denied
>
> On the "slave":
>
> >Dec 19 11:59:38 u1proxy in.named[14866]: [ID 866145 daemon.info] client 204.127.160.6#53: query (cache) denied
> >Dec 19 11:59:39 u1proxy in.named[14866]: [ID 866145 daemon.info] client 136.235.12.7#53: query (cache) denied
>
> My master/primary DNS named.conf looks as follows:
>
> >//DNS clients at fireclick.com
> >acl "trusted" {
> > localhost;
> > 208.45.103.16/29; // Hosts at Fireclick Corporate
> > 63.146.119.64/26; // Hosts at Qwest Cabinet
> > 64.210.184.128/28; // Hosts at Exodus
> > 65.200.204.0/26; // Hosts at UUNet
> >};
> >
> >// Official secondaries
> >acl "fireclick-xfer" {
> > 208.45.103.16/29; // Hosts at Fireclick Corporate
> > 63.146.119.64/26; // Hosts at Qwest Cabinet
> > 64.210.184.128/28; // Hosts at Exodus
> > 65.200.204.0/26; // Hosts at UUNet
> >};
> >
> >// Fireclick internal addresses
> >
> >acl "internal_clients" {
> > 208.45.103.16/29; // Hosts at Fireclick Corporate
> >};
> >
> >// Known fake source addresses shouldn't be replied to.
> >// For external queries, these should be blocked by Fireclick's
> >// border router.
> >
> >acl "bogon" {
> > 0.0.0.0/8; // Null address
> > 1.0.0.0/8; // IANA reserved, popular fake
> > 2.0.0.0/8;
> > 192.0.2.0/24; // Test address
> > 224.0.0.0/3; // Multicast address
> > // Enterprise networks may or may not be bogus
> > 10.0.0.0/8;
> > 172.16.0.0/12;
> > 192.168.0.0/16;
> >};
> >
> >options {
> > directory "/etc/dns";
> > pid-file "/var/log/named.pid";
> > listen-on { 127.0.0.1; 63.146.119.75; };
> > query-source address * port 53;
> > allow-query {
> > trusted;
> > };
> > allow-transfer {
> > none;
> > };
> > blackhole {
> > bogon;
> > };
> >};
> >
> >//
> >// View settings are mandatory for each class
> >//
> >view "in" in {
> > match-clients { any; };
> >
> > // Bootstrap the root.
> >
> > zone "." in {
> > type hint;
> > file "root.cache";
> > };
> >
> > // 127.0.0.0/24 The loopback network.
> >
> > zone "0.0.127.in-addr.arpa" {
> > type master;
> > file "zone.127.0.0";
> > allow-query {
> > trusted;
> > };
> > // Every DNS server should be a master
> > // for 127.0.0.0/24.
> > allow-transfer {
> > none;
> > };
> >};
> >
> > // 63.236.34.192/27 - Old Addresses
> > zone "27/192.34.236.63.in-addr.arpa" {
> > type master;
> > file "primary/zone.63.236.34.192";
> > allow-query {
> > any;
> > };
> > allow-transfer {
> > localhost;
> > fireclick-xfer;
> > };
> > };
> >
> > // 63.146.119.64/26 - New addresses - VLAN segment
> > zone "26/64.119.146.63.in-addr.arpa" {
> > type master;
> > file "primary/zone.63.146.119.64";
> > allow-query {
> > any;
> > };
> > allow-transfer {
> > localhost;
> > fireclick-xfer;
> > };
> > };
> >
> >
> > // Fireclick hardware (official master)
> > zone "fireclick.com" {
> > type master;
> > file "primary/zone.fireclick.com";
> > allow-query {
> > any;
> > };
> > allow-transfer {
> > localhost;
> > fireclick-xfer;
> > };
> > };
> >
> > // Fireclick Networking hardware (official master)
> > zone "fireclick.net" {
> > type master;
> > file "primary/zone.fireclick.net";
> > allow-query {
> > any;
> > };
> > allow-transfer {
> > localhost;
> > fireclick-xfer;
> > };
> > };
> >
> > // Fireclick's old name (official master)
> > zone "eracer.net" in {
> > type master;
> > file "primary/zone.eracer.net";
> > allow-query {
> > any;
> > };
> > allow-transfer {
> > localhost;
> > fireclick-xfer;
> > };
> > };
> >
> > // Fireclick's Sales/Mkting sites
> > zone "funsportsnet.com" in {
> > type master;
> > file "primary/zone.funsportsnet.com";
> > allow-query {
> > any;
> > };
> > allow-transfer {
> > localhost;
> > fireclick-xfer;
> > };
> > };
> >
> > zone "news34.com" in {
> > type master;
> > file "primary/zone.news34.com";
> > allow-query {
> > any;
> > };
> > allow-transfer {
> > localhost;
> > fireclick-xfer;
> > };
> > };
> >
> > // Fireclick Demo (official master)
> > zone "hikenbike.com" {
> > type master;
> > file "primary/zone.hikenbike.com";
> > allow-query {
> > any;
> > };
> > allow-transfer {
> > localhost;
> > fireclick-xfer;
> > };
> > };
> >
> > // Fireclick Service (official master)
> > zone "netflame.com" {
> > type master;
> > file "primary/zone.netflame.com";
> > allow-query {
> > any;
> > };
> > allow-transfer {
> > localhost;
> > fireclick-xfer;
> > };
> > };
> >};
> >
> >view "chaos" chaos {
> >
> > match-clients { !127.0.0.1; !trusted; any; };
> > allow-query { none; };
> >
> > // Bootstrap the root.
> >
> > zone "." chaos {
> > type hint;
> > file "/dev/null";
> > };
> >
> > // Control access to BIND version number to
> > // users at fireclick.com only.
> > // Ref: BUGTRAQ posting from LaMont Jones
> > // <lamont at CRANSTON.FC.HP.COM> on 1998-06-12.
> > zone "bind" chaos {
> > type master;
> > file "primary/bind";
> > allow-query {
> > trusted;
> > };
> > allow-transfer {
> > none;
> > };
> > };
> >};
>
> I don't remember seeing this level of error/notification messages prior to
> this upgrade. Now, they are flying by as I tail the logs. I suspect they
> have always been there, but haven't noticed, and I also assume the denials
> are part and parcel of my configuration in named.conf.
>
> The question is: am I doing something in my named.conf that I really
> shouldn't be? That is, are my denials inappropriate? If so, any suggestions
> on how I should change them?
>
> If the security isn't inappropriate, can I turn off the logging of these
> denials?
>
> Thanks.
>
> ===
> Bob Gahl Bicycle (Ryan Vanguard) Mobile || @
> ARPA/Internet: bgahl at bawcsa.org || !_ \
> URL: http://www.bawcsa.org/bgahl/ || (*)-~--+--(*)
> "Sahn joong moe low ful how jee yah ching wong" - "When the
> mountain has no tigers, the monkey will also declare himself
> king." Chinese Proverb
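Added example, not part of the thread and not Kevin's or Robert's code: a small Python script that triages the "query (cache) denied" lines against the ACL networks from the named.conf quoted above. With allow-query { trusted; } in options and allow-query { any; } only on the authoritative zones, BIND 9 answers the public for those zones and refuses everybody else's cache (non-authoritative) lookups, which is what the logged lines show; the one case that would mean the configuration is wrong rather than working is a client inside "trusted" being refused, and that is what the script flags. It accepts both syslog formats seen in the thread (plain, and Solaris with the "[ID ... daemon.info]" tag), counts denials per server and client, and notes how many come from source port 53, which almost always means another name server rather than a stub resolver. The sample log is the four lines from the thread plus constructed extras (marked in the code); "localhost" in the trusted ACL is assumed to mean 127.0.0.0/8.

```python
"""Triage BIND 9 "query (cache) denied" log lines against the trusted ACL.

Added example, not code from the thread.  The networks are copied from
the "trusted" ACL in the named.conf quoted above; "localhost" is assumed
to mean 127.0.0.0/8.
"""
import ipaddress
import re
from collections import Counter

TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8",        # localhost (assumption)
    "208.45.103.16/29",   # Hosts at Fireclick Corporate
    "63.146.119.64/26",   # Hosts at Qwest Cabinet
    "64.210.184.128/28",  # Hosts at Exodus
    "65.200.204.0/26",    # Hosts at UUNet
)]

# One pattern covers both syslog flavours in the thread: on Solaris the
# "[ID 866145 daemon.info]" tag sits between "in.named[pid]:" and "client".
# A denial without "(cache)" is a zone-level allow-query refusal.
DENIED_RE = re.compile(
    r"(?P<host>\S+) in\.named\[(?P<pid>\d+)\]:.*?"
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+): "
    r"query(?P<cache> \(cache\))? denied"
)

# Constructed input: the four lines from the thread, then a repeat from
# 12.35.96.66, a denial of a *trusted* address (208.45.103.18) that should
# not happen with this named.conf, and one non-denial line to be ignored.
SAMPLE_LOG = """\
Dec 19 11:59:46 web in.named[9654]: client 12.35.96.66#53: query (cache) denied
Dec 19 11:59:46 web in.named[9654]: client 63.102.65.248#53: query (cache) denied
Dec 19 11:59:38 u1proxy in.named[14866]: [ID 866145 daemon.info] client 204.127.160.6#53: query (cache) denied
Dec 19 11:59:39 u1proxy in.named[14866]: [ID 866145 daemon.info] client 136.235.12.7#53: query (cache) denied
Dec 19 12:00:02 web in.named[9654]: client 12.35.96.66#53: query (cache) denied
Dec 19 12:00:05 web in.named[9654]: client 208.45.103.18#1034: query (cache) denied
Dec 19 12:00:07 web in.named[9654]: client 63.146.119.70#53: query: www.fireclick.com IN A
"""


def is_trusted(ip):
    """True if the address falls inside any network of the trusted ACL."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def parse_denials(log_text):
    """Yield one record per denial line; every other line is skipped."""
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m is None:
            continue
        yield {
            "host": m.group("host"),
            "ip": m.group("ip"),
            "port": int(m.group("port")),
            "scope": "cache" if m.group("cache") else "zone",
        }


def triage(log_text):
    """Split denials into expected and unexpected per (server, client).

    Expected: a client outside "trusted" refused a cache (non-authoritative)
    lookup.  With allow-query { trusted; } in options and allow-query { any; }
    only on the zones, that is the configured policy doing its job.
    Unexpected: a client inside "trusted" being refused, which means the ACL,
    listen-on, or the address the client really uses is not what was intended.
    """
    expected, unexpected = Counter(), Counter()
    total = from_port_53 = 0
    for d in parse_denials(log_text):
        total += 1
        if d["port"] == 53:   # source port 53: almost always another name server
            from_port_53 += 1
        key = (d["host"], d["ip"])
        if is_trusted(d["ip"]):
            unexpected[key] += 1
        else:
            expected[key] += 1
    return {"total": total, "from_port_53": from_port_53,
            "expected": expected, "unexpected": unexpected}


def report(log_text):
    """Human-readable summary of triage(); returned rather than printed."""
    r = triage(log_text)
    out = ["%d denials, %d from source port 53 (other name servers, most likely)"
           % (r["total"], r["from_port_53"])]
    for (host, ip), n in r["expected"].most_common():
        out.append("  expected   %-8s %-16s x%d" % (host, ip, n))
    for (host, ip), n in r["unexpected"].most_common():
        out.append("  UNEXPECTED %-8s %-16s x%d  (in trusted ACL yet denied: check acl/listen-on)"
                   % (host, ip, n))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real log with python3 triage.py < /var/log/messages after swapping SAMPLE_LOG for sys.stdin.read(). If every denied client is external, the policy is doing what the named.conf asks and the only question left is the second one in the post, the noise. BIND 9 logs these approval/denial messages in the "security" logging category; a logging statement that sends "category security" to its own file channel keeps them out of the main log without discarding them, whereas "category security { null; };" silences them but also hides zone-transfer denials and similar events you would want to see.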
More information about the bind-users mailing list