Where do recursion denied messages go?

Barry Finkel b19141 at achilles.ctd.anl.gov
Wed Apr 26 13:17:10 UTC 2006


Eivind Olsen <eivind at aminor.no> wrote:

>Hello.
>
>Where do "recursion denied" messages go? I have a server running BIND 
>9.3.1, and I'd like to see which queries it denies (I'm using 
>"allow-recursion" to allow just some networks to use it recursively).
>
>I have tried to provoke generation of such messages by doing recursive 
>queries from an external network, but nothing is shown in the logs. What 
>logs? BIND has not been configured to use any special logging settings, 
>so it uses whatever the default is. OS = Solaris 5.8. I see some 
>"named"-messages in /var/adm/messages but nothing related to recursion 
>being denied anyone.
>
>Do I need to tweak the logging to get what I want? If so, which category 
>and severity level am I looking for?

In my BIND 9.2.2 (Solaris 9) I see in the syslog:

     named[183]: [ID 873579 daemon.info] client 24.15.141.154#65366:
         query (cache) denied

This is after I added

     allow-query { recursive-clients; arm_sites; };

to the global "options" and added

     allow-query { any; };

to each "zone" definition (per a recent post by Mark Andrews).  I
believe that I have no special logging enabled or disabled.

On a related topic, I would like to see this message expanded to include
the query that has been denied.  Currently, the only way I have to see
what is denied is to find the IP addresses with the largest number of
"query (cache) denied" messages, run a snoop trace, and determine what
they are querying.  In the process I found two zones that I should have
slaved on my server but I had not.  If the syslog message contained
the query, I could more easily determine if I am missing any other
zone definitions.  I have begun to look at the code, but I am not
familiar with the details of where the query is stored, so I have not
yet determined if the query is easily accessible at the time the
message is written.
----------------------------------------------------------------------
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:    +1 (630) 252-7277
9700 South Cass Avenue               Facsimile:+1 (630) 252-4601
Building 222, Room D209              Internet: BSFinkel at anl.gov
Argonne, IL   60439-4828             IBMMAIL:  I1004994
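
Added example, not part of the original post: a small Python tally of "query (cache) denied" syslog lines per client address, which is the first step of the procedure described above (finding the addresses with the most denials before tracing them). The sample lines are constructed with documentation addresses in the layout quoted in the post; treating indented lines as continuations of the previous record is an assumption.

```python
import re
from collections import Counter

# Message body as quoted in the post:
#   client 24.15.141.154#65366: query (cache) denied
DENIED = re.compile(
    r"client (?P<ip>[0-9A-Fa-f:.]+)#(?P<port>\d+):\s+query \(cache\) denied"
)

# Constructed sample input (documentation addresses, made-up timestamps and host).
SAMPLE = """\
Apr 26 08:01:02 ns1 named[183]: [ID 873579 daemon.info] client 192.0.2.10#65366: query (cache) denied
Apr 26 08:01:05 ns1 named[183]: [ID 873579 daemon.info] client 198.51.100.7#1045: query (cache) denied
Apr 26 08:01:07 ns1 named[183]: [ID 873579 daemon.info] client 192.0.2.10#65367: query (cache) denied
Apr 26 08:01:09 ns1 named[183]: [ID 873579 daemon.notice] running
Apr 26 08:01:11 ns1 named[183]: [ID 873579 daemon.info] client 192.0.2.10#65368:
    query (cache) denied
Apr 26 08:01:12 ns1 named[183]: [ID 873579 daemon.info] client 2001:db8::53#5353: query (cache) denied
Apr 26 08:01:13 ns1 named[183]: [ID 873579 daemon.info] client 2001:db8::53#5354: query (cache) denied
"""

def unfold(lines):
    """Join indented continuation lines onto the record they belong to."""
    record = ""
    for line in lines:
        line = line.rstrip("\n")
        if line[:1].isspace() and record:
            record += " " + line.strip()
        else:
            if record:
                yield record
            record = line
    if record:
        yield record

def denied_clients(lines):
    """Count denied-query messages per client address (source port ignored)."""
    counts = Counter()
    for record in unfold(lines):
        match = DENIED.search(record)
        if match:
            counts[match.group("ip")] += 1
    return counts

def top_denied(lines, n=10):
    """Return the n clients with the most denials, busiest first."""
    return denied_clients(lines).most_common(n)

if __name__ == "__main__":
    for ip, hits in top_denied(SAMPLE.splitlines()):
        print(f"{hits:6d}  {ip}")
```

To run it against a real log, pass an open file object (for example the syslog file named in the thread) to top_denied() instead of the sample lines.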


