Security logging oddity
base60
nobody at whitehouse.com
Fri Apr 7 03:18:38 UTC 2006
Robert Zilbauer wrote:
> I'm running BIND 9.3.2 and am having trouble understanding why some
> denied queries are logged while others are not. I did a bunch of
> searching around about it, but came up empty. Maybe someone here could
> help? I'd be more than happy to RTFM if someone could point me to the
> right FM to R. ;-)
>
> Here's the deal. A BIND 9.3.2 server that's been locked down and doesn't
> allow strangers to do recursive queries. All queries from external
> sources *are* denied, no problems there.
>
> Example #1 --
> hastur log # host m1.2mdn.net aaa.bbb.ccc.80
> Using domain server:
> Name: aaa.bbb.ccc.80
> Address: aaa.bbb.ccc.80#53
> Aliases:
>
> Host m1.2mdn.net not found: 5(REFUSED)
>
> Example #2 --
> hastur log # host www.slappy.org aaa.bbb.ccc.80
> Using domain server:
> Name: aaa.bbb.ccc.80
> Address: aaa.bbb.ccc.80#53
> Aliases:
>
> Host www.slappy.org not found: 5(REFUSED)
>
> However, even with logging turned up to debug 3 or 4, only Example #1
> comes back with a "denied" log entry:
>
> 06-Apr-2006 16:19:26.405 queries: info: client xx.yy.zz.33#64531: view external-in: query: m1.2mdn.net IN A +
> 06-Apr-2006 16:19:26.405 security: info: client xx.yy.zz.33#64531: view external-in: query 'm1.2mdn.net/A/IN' denied
>
> Example #2 only results in a log entry of:
>
> 06-Apr-2006 16:28:26.102 queries: info: client xx.yy.zz.33#64543: view external-in: query: www.slappy.org IN A +
>
> No explicit "denied" message in the logs.
>
> I'd like to see "denied" logging for all denied queries. Perhaps someone
> could give me a shove in the right direction?
If memory serves, even with recursion disabled, if an entry is cached
it will be provided to anyone.
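
One way to list the logged queries that have no matching "denied" entry, as with Example #2 in the quoted message. This is an added example, not part of the original thread; it assumes the `queries` and `security` categories are written in the line format shown in the post, and the function name `queries_without_denial` is hypothetical.

```python
import re

# Sample lines taken from the post above, with the e-mail line wrapping undone.
SAMPLE_LOG = """\
06-Apr-2006 16:19:26.405 queries: info: client xx.yy.zz.33#64531: view external-in: query: m1.2mdn.net IN A +
06-Apr-2006 16:19:26.405 security: info: client xx.yy.zz.33#64531: view external-in: query 'm1.2mdn.net/A/IN' denied
06-Apr-2006 16:28:26.102 queries: info: client xx.yy.zz.33#64543: view external-in: query: www.slappy.org IN A +
"""

# Common prefix: timestamp, category, client address#port, optional view name.
PREFIX = (r"^(?P<ts>\S+ \S+) {cat}: info: client (?P<ip>[^#\s]+)#(?P<port>\d+): "
          r"(?:view (?P<view>\S+): )?")
# queries category prints "name class type"; security prints 'name/type/class'.
QUERY_RE = re.compile(PREFIX.format(cat="queries")
                      + r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+)")
DENIED_RE = re.compile(PREFIX.format(cat="security")
                       + r"query '(?P<name>[^/']+)/(?P<type>[^/']+)/(?P<cls>[^/']+)' denied")


def _key(m):
    # Client address, source port and question identify one lookup in the log.
    return (m["ip"], m["port"], m["view"],
            m["name"].lower().rstrip("."), m["type"], m["cls"])


def queries_without_denial(lines):
    """Return logged queries that have no 'denied' line for the same client and question."""
    denied, queries = set(), []
    for line in lines:
        line = line.strip()
        m = DENIED_RE.match(line)
        if m:
            denied.add(_key(m))
            continue
        m = QUERY_RE.match(line)
        if m:
            queries.append((m["ts"], _key(m)))
    return [
        {"timestamp": ts, "client": k[0], "port": int(k[1]),
         "view": k[2], "name": k[3], "type": k[4]}
        for ts, k in queries if k not in denied
    ]


if __name__ == "__main__":
    for q in queries_without_denial(SAMPLE_LOG.splitlines()):
        print(q)
```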