From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.1; Linux; X11; , en_US, en)

Description of problem:
When someone performs a DNS query on a name that is not permitted by named.conf, then named simply reports via syslog:

Mar 16 00:08:11 XXX named[pid]: client ip.ad.dr.ess#port: query (cache) denied

It would be very helpful if named would report WHICH name the client was attempting to query.

Version-Release number of selected component (if applicable):
bind-9.2.2-21

How reproducible:
Always

Steps to Reproduce:
1. Set up a non-recursive name server that permits queries of only a few zones
2. Query a zone not permitted by named.conf
3. Observe the /var/log/messages message

Actual Results:
Mar 16 00:08:11 XXX named[pid]: client ip.ad.dr.ess#port: query (cache) denied

Expected Results:
Mar 16 00:08:11 XXX named[pid]: client ip.ad.dr.ess#port: query (cache) of example.net denied

Additional info:
Here is an example of a name server that limits zones to just a few domains:

options {
    // by default we do not allow any to query anything
    // we explicitly enable queries on a per-zone basis
    allow-query { none; };
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    recursion no;
};

zone "example.com" {
    type master;
    allow-query { any; };
    file "example.com.zone";
};

zone "example.org" {
    type master;
    allow-query { any; };
    file "example.org.zone";
};
Internal RFE bug #118730 entered; will be considered for future releases.
Feature request acknowledged; suggest requesting the feature with the upstream package maintainer.
Per suggestions from Comment #2, I sent a feature suggestion to the bind-suggest at isc dot org EMail address. Paul Vixie replied:

> thanks! and can you please ask redhat to contact us?

Please contact the ISC folks per Paul's request. I am re-opening this enhancement request to help ensure that Paul's request does not fall through the cracks.
Did somebody contact the ISC folks per Paul's request? If so, please update / close this bug.
It looks like bind-9.2.4rc6 writes out the denied query:

client 127.0.0.1#32789: query 'localhost/IN' denied

so I guess this bug is closed.
I am now running 9.2.4rc6. The query cache denied messages from remote clients are not telling what query was denied:

Aug 4 18:57:07 hostname named[PID]: client 210.104.1.15#36100: query (cache) denied

Or is there some flag that I need to set to enable the full message?

FYI, I installed:
bind-9.2.4rc6-3
bind-libs-9.2.4rc6-3
bind-debuginfo-9.2.4rc6-3
bind-chroot-9.2.4rc6-3
bind-utils-9.2.4rc6-3
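The two shapes of the "query denied" line quoted in this thread (the bare "query (cache) denied" from the original report, and the "query 'localhost/IN' denied" form that names the query) can be separated when reviewing /var/log/messages. The following is an added example, not part of this bug report or of BIND; the sample log lines are constructed in the shapes shown above, and it reports per-client counts plus how many entries carry no query name at all.

```python
import re
from collections import Counter

# One regex for both message shapes seen in this thread. The syslog prefix
# ("Mon DD HH:MM:SS host named[pid]: ") is consumed first; "(cache)" and the
# quoted query name are each optional, so old and new named output both match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query(?: \(cache\))?(?: '(?P<qname>[^']*)')? denied$"
)

def parse_denied(line):
    """Return a dict for a denied-query line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["pid"] = int(rec["pid"])
    # rec["qname"] is None when named omitted the name (the behaviour reported here)
    return rec

def summarize(lines):
    """Count denied queries per client and per name; count nameless entries."""
    per_client, per_name, nameless = Counter(), Counter(), 0
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            continue
        per_client[rec["ip"]] += 1
        if rec["qname"] is None:
            nameless += 1
        else:
            per_name[rec["qname"]] += 1
    return {"per_client": per_client, "per_name": per_name, "nameless": nameless}

# Constructed sample log, mixing both message shapes and one unrelated line.
SAMPLE_LOG = """\
Aug  4 18:57:07 ns1 named[2345]: client 210.104.1.15#36100: query (cache) denied
Aug  4 18:57:09 ns1 named[2345]: client 210.104.1.15#36101: query (cache) denied
Aug  4 18:57:11 ns1 named[2345]: client 127.0.0.1#32789: query 'localhost/IN' denied
Aug  4 18:57:12 ns1 named[2345]: client 192.0.2.9#5353: query 'example.net/IN' denied
Aug  4 18:57:13 ns1 named[2345]: zone example.com/IN: loaded serial 2005011101
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for ip, n in s["per_client"].most_common():
        print(f"{ip}: {n} denied")
    print(f"{s['nameless']} entries carry no query name")
```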
After several hours of logs, I have found that none of the external client "query (cache) denied" log entries state what lookup was being denied. Did the named folks only implement this for localhost queries? Or is there some flag that must be set to enable them?
I just want to confirm that bind is NOT writing out the denied query when a remote client does an invalid query. I.e., it does NOT say what query the remote client was doing. This is confirmed for both bind-9.2.4rc6-3 and the current bind-9.2.4-EL3-10.
According to ISC today, they have just fixed this bug in their source code tree. Can RedHat pick up their base or patch so that this issue can be resolved?

From: "Mark Andrews via RT" <bind-suggest>
Date: Tue, 11 Jan 2005 05:30:34 +0000 (UTC)
Subject: [ISC-Bugs #10977] Ticket Resolved

[ISC-Bugs #10977]: request to improve the "query (cache) denied" syslog message has been resolved. If you have any further questions or concerns, please respond to this message.
BTW: The functionality to fix this bug is in 9.3.x. There are no plans to back port this to 9.2.x according to the ISC folks. When will RHEL be up to 9.3.x?
Actually, from the ISC BIND 9.3.0 change log, the fix for ISC bug #10977 is not in 9.3.0 - it will probably be in bind 9.4.x+.

If you'd like to test BIND 9.3.0 for RHEL-3, I've compiled it for the RHEL-3 i386 platform - it is available in binary and source from:
http://people.redhat.com/~jvdias/bind/9.3.0/RHEL-3

If you need it compiled for a different architecture (e.g. x86_64, ppc) let me know.
RHEL 4 update 2 still has bind-9.2.4-2. Please please please please please update RHEL to use 9.3.0 or backport the ISC fix so that the "query (cache) denied" message reports what they attempted to query! Please?
We are not allowed to update existing RHEL packages by major version numbers. ISC BIND 9.3.2 has been built and tested for RHEL-4, and is available from:
http://people.redhat.com/~jvdias/bind/RHEL-4/9.3.2-1_EL4

This will be the BIND major version used for RHEL-5.
That version of bind appears to be working well under RHEL4 and is reporting what query was cache denied. FYI: I installed all rpm modules except bind-sdb-9.3.2-1_EL4.i386.rpm. Thanks much!
I'm pretty unsure WHY this bug has RELEASE_PENDING status. This wasn't released into RHEL-4. If you still demand this feature in RHEL-4, please reopen.

Regards,
Adam