This service will be undergoing maintenance at 20:00 UTC, 2017-04-03. It is expected to last about 30 minutes
Bug 118386 - named query denied syslog messages lack information
named query denied syslog messages lack information
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: bind (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Adam Tkac
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-03-16 03:23 EST by Landon Curt Noll
Modified: 2013-04-30 19:33 EDT (History)
1 user (show)

See Also:
Fixed In Version: bind-9.2.4rc6-4
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-05-29 09:52:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Landon Curt Noll 2004-03-16 03:23:03 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.1; Linux; X11; , en_US, en)

Description of problem:
When someone performs DNS query on a name that is not permitted by named.conf, then named simply reports via syslog:

Mar 16 00:08:11 XXX named[pid]: client ip.ad.dr.ess#port: query (cache) denied

It would be very helpful if named would report WHICH name the client was
attempting to query.



Version-Release number of selected component (if applicable):
bind-9.2.2-21

How reproducible:
Always

Steps to Reproduce:
1.Setup a non-recursion name server that permits a query of only a few zones
2.query a zone not permitted by named.conf
3.observe the /var/log/messages message
    

Actual Results:  Mar 16 00:08:11 XXX named[pid]: client ip.ad.dr.ess#port: query (cache) denied

Expected Results:  Mar 16 00:08:11 XXX named[pid]: client ip.ad.dr.ess#port: query (cache) of example.net denied

Additional info:

Here is an example of a name server that limits zones to just a few domains:

options {
        // by default we do not allow any to query anything
        // we explicitly enable queries on a per-zone basis
        allow-query { none; };
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        recursion no;
};

zone "example.com" {
        type master;
        allow-query { any; };
        file "example.com.zone";
};

zone "example.org" {
        type master;
        allow-query { any; };
        file "example.org.zone";
};
Comment 1 Suzanne Hillman 2004-03-19 11:59:52 EST
Internal RFE bug #118730 entered; will be considered for future releases.
Comment 2 Suzanne Hillman 2004-03-22 16:57:28 EST
Feature request acknowledged; suggest requesting the feature with the
upstream package maintainer.
Comment 3 Landon Curt Noll 2004-04-06 12:30:50 EDT
Per suggestions from Comment #2, I send a feature suggestion to 
the bind-suggest at isc dot org EMail address.  Paul Vixie replied: 
 
> thanks!  and can you please ask redhat to contact us? 
 
Please contact the ISC folks per Paul's request. 
 
I am re-opening this enhancement request to help ensure that 
Paul's request does not fall thru the cracks. 
Comment 4 Landon Curt Noll 2004-04-13 17:49:51 EDT
Did somebody contact the ISC folks per Paul's request? 
 
If so, please update / close this bug. 
Comment 5 Jason Vas Dias 2004-08-04 15:57:52 EDT
It looks like bind-9.2.4rc6 writes out the denied query:
    client 127.0.0.1#32789: query 'localhost/IN' denied
so I guess this bug is closed.
Comment 6 Landon Curt Noll 2004-08-04 22:11:08 EDT
I am now running 9.2.4rc6.  The query cache denied messages from
remote clients are not telling what query was denied:

Aug  4 18:57:07 hostname named[PID]: client 210.104.1.15#36100: query
(cache) denied

Or is there some flag that I need to set to enable full message?

FYI, I installed:

bind-9.2.4rc6-3
bind-libs-9.2.4rc6-3
bind-debuginfo-9.2.4rc6-3
bind-chroot-9.2.4rc6-3
bind-utils-9.2.4rc6-3

Comment 7 Landon Curt Noll 2004-08-05 02:21:21 EDT
After several hours of logs, I have found that none of the
external client "query (cache) denied" log entries state
what lookup was being denied.

Did the named folks only implement this for localhost queries?
Or is there some flag that must be set to enable them?

Comment 8 Landon Curt Noll 2004-10-18 02:09:34 EDT
I just want to confirm that bind is NOT writing out the denied query
when a remote client does an invalid query.  I.e., it does NOT say
what query the remote client was doing.

This is confirmed for both bind-9.2.4rc6-3 and the current
bind-9.2.4-EL3-10.
Comment 9 Landon Curt Noll 2005-01-11 01:04:13 EST
According to ISC today, they have just fixed this bug in their
source code tree.  Can RedHat pick up their base or patch so that
this issue can be resolved?

From: "Mark Andrews via RT" <bind-suggest@isc.org>
Date: Tue, 11 Jan 2005 05:30:34 +0000 (UTC)
Subject: [ISC-Bugs #10977] Ticket Resolved

[ISC-Bugs #10977]: request to improve the "query (cache) denied"
syslog message has been resolved. If you have any further questions or
concerns, please respond to this message.

Comment 10 Landon Curt Noll 2005-01-11 03:10:29 EST
BTW: The functionality to fix this bug is in 9.3.x.  There are no
plans to back port this to 9.2.x according to the ISC folks.

When will RHEL be up to 9.3.x?
Comment 11 Jason Vas Dias 2005-01-11 12:05:31 EST
Actually, from the ISC BIND 9.3.0 change log, the fix for ISC bug
# 10977 is not in 9.3.0 - it will probably be in bind 9.4.x+

If you'd like to test BIND 9.3.0 for RHEL-3, I've compiled it for
the RHEL-3 i386 platform - it is available in binary and source from :
    http://people.redhat.com/~jvdias/bind/9.3.0/RHEL-3
If you need it compiled for a different architecture (eg. x86_64, ppc)
let me know.
Comment 12 Landon Curt Noll 2006-02-09 01:57:27 EST
RHEL 4 update 2 still has bind-9.2.4-2.

Please please please please please update RHEL to use 9.3.0 or backport
the ISC fix so that the "query (cache) denied" message reports what
they attempted to query!

Please?
Comment 13 Jason Vas Dias 2006-02-09 10:25:33 EST
We are not allowed to update existing RHEL packages by major version numbers.
ISC BIND 9.3.2 has been built and tested for RHEL-4, and is available from:
  http://people.redhat.com/~jvdias/bind/RHEL-4/9.3.2-1_EL4
this will be the BIND major version used for RHEL-5 .
Comment 14 Landon Curt Noll 2006-02-10 05:48:37 EST
That version of bind appears to be working well under RHEL4 and is reporting
what query was cache denied.  FYI: I installed all rpm modules except
bind-sdb-9.3.2-1_EL4.i386.rpm.  Thanks much!
Comment 15 Adam Tkac 2007-05-29 09:52:32 EDT
I'm pretty unsure WHY this bug has RELEASE_PENDING status. This wasn't released
into RHEL-4. If you still demand this feature in RHEL-4, please reopen.

Regards, Adam

Note You need to log in before you can comment on or make changes to this bug.