Bug 118386 - named query denied syslog messages lack information
Summary: named query denied syslog messages lack information
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: bind
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Adam Tkac
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-03-16 08:23 UTC by Landon Curt Noll
Modified: 2013-04-30 23:33 UTC (History)

Fixed In Version: bind-9.2.4rc6-4
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-05-29 13:52:32 UTC
Target Upstream Version:
Embargoed:



Description Landon Curt Noll 2004-03-16 08:23:03 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.1; Linux; X11; , en_US, en)

Description of problem:
When someone performs a DNS query on a name that is not permitted by named.conf, named simply reports via syslog:

Mar 16 00:08:11 XXX named[pid]: client ip.ad.dr.ess#port: query (cache) denied

It would be very helpful if named would report WHICH name the client was
attempting to query.



Version-Release number of selected component (if applicable):
bind-9.2.2-21

How reproducible:
Always

Steps to Reproduce:
1. Set up a non-recursive name server that permits queries of only a few zones
2. Query a zone not permitted by named.conf
3. Observe the message in /var/log/messages
    

Actual Results:  Mar 16 00:08:11 XXX named[pid]: client ip.ad.dr.ess#port: query (cache) denied

Expected Results:  Mar 16 00:08:11 XXX named[pid]: client ip.ad.dr.ess#port: query (cache) of example.net denied

Additional info:

Here is an example of a name server that limits zones to just a few domains:

options {
        // by default we do not allow any to query anything
        // we explicitly enable queries on a per-zone basis
        allow-query { none; };
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        recursion no;
};

zone "example.com" {
        type master;
        allow-query { any; };
        file "example.com.zone";
};

zone "example.org" {
        type master;
        allow-query { any; };
        file "example.org.zone";
};
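As an added illustration (not part of the bug report or of BIND itself) of why the missing name matters for log review, here is a small parser that handles both message shapes quoted in this bug: the old "query (cache) denied" form with no name, and the newer form that carries 'name/class'. The sample log lines are constructed; host name, PID and client addresses are made up.

```python
import re
from collections import Counter

# Matches both message shapes discussed in the bug:
#   client 192.0.2.10#36100: query (cache) denied              (bind 9.2.x, no name)
#   client 192.0.2.10#36100: query 'example.net/IN' denied     (newer bind, with name)
# The "(cache)" tag and the quoted name are each optional so the same pattern
# also accepts the combined form "query (cache) 'name/IN' denied".
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query(?: \((?P<kind>cache)\))?(?: '(?P<name>[^']+)')? denied$"
)

def parse_denied(line):
    """Return a dict for a 'query denied' syslog line, or None if it is not one.
    'name' is None when the message carries no query name (the defect in this bug)."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    return {
        "client": m.group("client"),
        "port": int(m.group("port")),
        "cache": m.group("kind") == "cache",
        "name": m.group("name"),   # e.g. 'example.net/IN'; None for the old format
    }

def summarize(lines):
    """Count denied queries per client, and per queried name where the log says."""
    per_client, per_name, unnamed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            continue
        per_client[rec["client"]] += 1
        if rec["name"] is None:
            unnamed += 1          # old format: we know who asked, not what for
        else:
            per_name[rec["name"]] += 1
    return {"per_client": per_client, "per_name": per_name, "unnamed": unnamed}

# Constructed sample lines (not from a real server) in the formats quoted in the bug.
SAMPLE_LOG = [
    "Aug  4 18:57:07 ns1 named[1234]: client 192.0.2.10#36100: query (cache) denied",
    "Aug  4 18:57:09 ns1 named[1234]: client 192.0.2.10#36101: query (cache) denied",
    "Aug  4 18:57:11 ns1 named[1234]: client 198.51.100.7#5353: query 'example.net/IN' denied",
    "Aug  4 18:57:12 ns1 named[1234]: client 127.0.0.1#32789: query 'localhost/IN' denied",
    "Aug  4 18:57:13 ns1 named[1234]: zone example.com/IN: loaded serial 2004031601",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for client, n in s["per_client"].most_common():
        print(f"{client}: {n} denied")
    print("with name:", dict(s["per_name"]), "| without name:", s["unnamed"])
```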

Comment 1 Suzanne Hillman 2004-03-19 16:59:52 UTC
Internal RFE bug #118730 entered; will be considered for future releases.

Comment 2 Suzanne Hillman 2004-03-22 21:57:28 UTC
Feature request acknowledged; suggest requesting the feature with the
upstream package maintainer.

Comment 3 Landon Curt Noll 2004-04-06 16:30:50 UTC
Per suggestions from Comment #2, I sent a feature suggestion to
the bind-suggest at isc dot org email address.  Paul Vixie replied:

> thanks!  and can you please ask redhat to contact us?

Please contact the ISC folks per Paul's request.

I am re-opening this enhancement request to help ensure that
Paul's request does not fall through the cracks.

Comment 4 Landon Curt Noll 2004-04-13 21:49:51 UTC
Did somebody contact the ISC folks per Paul's request?

If so, please update / close this bug.

Comment 5 Jason Vas Dias 2004-08-04 19:57:52 UTC
It looks like bind-9.2.4rc6 writes out the denied query:
    client 127.0.0.1#32789: query 'localhost/IN' denied
so I guess this bug is closed.


Comment 6 Landon Curt Noll 2004-08-05 02:11:08 UTC
I am now running 9.2.4rc6.  The query cache denied messages from
remote clients are not telling what query was denied:

Aug  4 18:57:07 hostname named[PID]: client 210.104.1.15#36100: query
(cache) denied

Or is there some flag that I need to set to enable the full message?

FYI, I installed:

bind-9.2.4rc6-3
bind-libs-9.2.4rc6-3
bind-debuginfo-9.2.4rc6-3
bind-chroot-9.2.4rc6-3
bind-utils-9.2.4rc6-3



Comment 7 Landon Curt Noll 2004-08-05 06:21:21 UTC
After several hours of logs, I have found that none of the
external client "query (cache) denied" log entries state
what lookup was being denied.

Did the named folks only implement this for localhost queries?
Or is there some flag that must be set to enable them?



Comment 8 Landon Curt Noll 2004-10-18 06:09:34 UTC
I just want to confirm that bind is NOT writing out the denied query
when a remote client does an invalid query.  I.e., it does NOT say
what query the remote client was doing.

This is confirmed for both bind-9.2.4rc6-3 and the current
bind-9.2.4-EL3-10.

Comment 9 Landon Curt Noll 2005-01-11 06:04:13 UTC
According to ISC today, they have just fixed this bug in their
source code tree.  Can RedHat pick up their base or patch so that
this issue can be resolved?

From: "Mark Andrews via RT" <bind-suggest>
Date: Tue, 11 Jan 2005 05:30:34 +0000 (UTC)
Subject: [ISC-Bugs #10977] Ticket Resolved

[ISC-Bugs #10977]: request to improve the "query (cache) denied"
syslog message has been resolved. If you have any further questions or
concerns, please respond to this message.



Comment 10 Landon Curt Noll 2005-01-11 08:10:29 UTC
BTW: The functionality to fix this bug is in 9.3.x.  There are no
plans to back port this to 9.2.x according to the ISC folks.

When will RHEL be up to 9.3.x?


Comment 11 Jason Vas Dias 2005-01-11 17:05:31 UTC
Actually, from the ISC BIND 9.3.0 change log, the fix for ISC bug
# 10977 is not in 9.3.0 - it will probably be in bind 9.4.x+

If you'd like to test BIND 9.3.0 for RHEL-3, I've compiled it for
the RHEL-3 i386 platform - it is available in binary and source from:
    http://people.redhat.com/~jvdias/bind/9.3.0/RHEL-3
If you need it compiled for a different architecture (e.g. x86_64, ppc),
let me know.


Comment 12 Landon Curt Noll 2006-02-09 06:57:27 UTC
RHEL 4 update 2 still has bind-9.2.4-2.

Please please please please please update RHEL to use 9.3.0 or backport
the ISC fix so that the "query (cache) denied" message reports what
they attempted to query!

Please?

Comment 13 Jason Vas Dias 2006-02-09 15:25:33 UTC
We are not allowed to update existing RHEL packages by major version numbers.
ISC BIND 9.3.2 has been built and tested for RHEL-4, and is available from:
  http://people.redhat.com/~jvdias/bind/RHEL-4/9.3.2-1_EL4
This will be the BIND major version used for RHEL-5.


Comment 14 Landon Curt Noll 2006-02-10 10:48:37 UTC
That version of bind appears to be working well under RHEL4 and is reporting
what query was cache denied.  FYI: I installed all rpm modules except
bind-sdb-9.3.2-1_EL4.i386.rpm.  Thanks much!

Comment 15 Adam Tkac 2007-05-29 13:52:32 UTC
I'm pretty unsure WHY this bug has RELEASE_PENDING status. This wasn't released
into RHEL-4. If you still demand this feature in RHEL-4, please reopen.

Regards, Adam

