Security logging oddity
Robert Zilbauer
zilbauer at slappy.org
Fri Apr 7 01:18:31 UTC 2006
I'm running BIND 9.3.2 and am having trouble understanding why some
denied queries are logged while others are not. I did a bunch of
searching around about it, but came up empty. Maybe someone here could
help? I'd be more than happy to RTFM if someone could point me to the
right FM to R. ;-)

Here's the deal. A BIND 9.3.2 server that's been locked down and doesn't
allow strangers to do recursive queries. All queries from external
sources *are* denied, no problems there.

Example #1 --

hastur log # host m1.2mdn.net aaa.bbb.ccc.80
Using domain server:
Name: aaa.bbb.ccc.80
Address: aaa.bbb.ccc.80#53
Aliases:

Host m1.2mdn.net not found: 5(REFUSED)

Example #2 --

hastur log # host www.slappy.org aaa.bbb.ccc.80
Using domain server:
Name: aaa.bbb.ccc.80
Address: aaa.bbb.ccc.80#53
Aliases:

Host www.slappy.org not found: 5(REFUSED)

However, even with logging turned up to debug 3 or 4, only Example #1
comes back with a "denied" log entry:

06-Apr-2006 16:19:26.405 queries: info: client xx.yy.zz.33#64531: view external-in: query: m1.2mdn.net IN A +
06-Apr-2006 16:19:26.405 security: info: client xx.yy.zz.33#64531: view external-in: query 'm1.2mdn.net/A/IN' denied

Example #2 only results in a log entry of:

06-Apr-2006 16:28:26.102 queries: info: client xx.yy.zz.33#64543: view external-in: query: www.slappy.org IN A +

No explicit "denied" message in the logs.

I'd like to see "denied" logging for all denied queries. Perhaps someone
could give me a shove in the right direction?

Thanks.

--
The Sun, with all the planets revolving around it, and
depending on it, can still ripen a bunch of grapes as though
it had nothing else in the Universe to do.
-- Galileo Galilei, 1564 - 1642