Bug 1845672 - RFE: make named log NXDOMAIN negative responses
Summary: RFE: make named log NXDOMAIN negative responses
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: bind
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Target Release: 8.0
Assignee: Petr Menšík
QA Contact: Petr Sklenar
URL:
Whiteboard:
Depends On: 1854148
Blocks: 1771008
Reported: 2020-06-09 19:47 UTC by Jihoon Kim
Modified: 2022-08-22 12:48 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-08-22 12:48:23 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Internet Systems Consortium (ISC) isc-projects bind9 issues 459 0 None None None 2020-08-07 09:19:34 UTC
Internet Systems Consortium (ISC) isc-projects bind9 merge_requests 4224 0 None None None 2020-10-02 16:39:51 UTC

Description Jihoon Kim 2020-06-09 19:47:41 UTC
Description of problem:

In order to enable NXDOMAIN response logging, I followed the bind documentation. Under query-errors Category, it states: "At the debug levels of 4 or higher, the same messages as those at the debug 2 level are logged for other errors than SERVFAIL. Unlike the above case of level 3, messages are logged for negative responses. This is because any unexpected results can be difficult to debug in the recursion case."

But even when I set the debug level to 10, NXDOMAIN responses are not getting logged under query-errors.

Version-Release number of selected component (if applicable):
 
bind-9.11.13-5.el8_2.x86_64

How reproducible:

consistently reproducible.

Steps to Reproduce:
1. Configure "query-errors" logging as above in /etc/named.conf

  logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };

        channel query-errors_log {
            file "/var/named/log/query-errors" versions 5 size 20m;
            print-time yes;
            print-category yes;
            print-severity yes;
            severity dynamic;
        };
        category query-errors { query-errors_log; };
  };
2. Restart the named service 
   # systemctl restart named

3. set debug level to 10
   # rndc trace 10

4. confirm the debug level
   # rndc status

5. produce NXDOMAIN query with dig
   # dig @localhost this-domain-does-not-exist

6. monitor query-errors log in /var/named/log/query-errors


Actual results:
The dig query received an NXDOMAIN response, but no logs were produced under /var/named/log/query-errors.

Expected results:
The dig query received an NXDOMAIN response and logs were produced under /var/named/log/query-errors.


Additional info:

The same behavior is observed in RHEL 6.10 (bind-9.8.2-0.68.rc1.el6_10.7.x86_64) and RHEL 7.8 (bind-9.11.4-22.P2.el7.x86_64).

Comment 2 Petr Menšík 2020-06-22 12:43:44 UTC
I could successfully reproduce this issue on bind-9.11.19-2.el8.x86_64, but the name requested must be a remote one. It would not log a local name it is authoritative for. It logs NXDOMAIN only when a remote fetch is involved.

Used this log configuration:
logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
            print-time yes;
            print-category yes;
            print-severity yes;
        };

       channel query-errors_log {
            file "/var/named/data/query-errors" versions 5 size 20m;
            print-time yes;
            print-category yes;
            print-severity yes;
            severity dynamic;
       };
       category query-errors {query-errors_log; };
};

Then run commands:
rndc trace 10
dig @localhost nx.{nic.cz,centos.org,localhost}

My query-errors log contains just the first two:
22-Jun-2020 08:14:30.151 query-errors: debug 4: fetch completed at ../../../lib/dns/resolver.c:5262 for nx.nic.cz/A in 5.739270: success/success [domain:cz,referral:1,restart:1,qrysent:2,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]
22-Jun-2020 08:14:37.970 query-errors: debug 4: fetch completed at ../../../lib/dns/resolver.c:5262 for nx.centos.org/A in 7.816879: success/success [domain:centos.org,referral:2,restart:1,qrysent:1,timeout:0,lame:0,quota:0,neterr:0,badresp:0,adberr:0,findfail:0,valfail:0]

The last one is answered locally, so no query is logged. Also, if any subsequent query arrives, it will NOT be logged again while it is still in the cache.
Unfortunately, I do not see any alternative option to log NXDOMAIN responses. rndc querylog might help, but it logs only the queried name and type. The found result is not logged.

It seems such information could be obtained by querying the names again for their response. Alternatively rndc dumpdb could be used to get cached NXDOMAIN responses.

As another option, it might be simpler to capture all traffic to the DNS port using tcpdump and list NXDOMAIN responses with a Wireshark filter.
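
Comment 2 points at packet capture as the workable way to see NXDOMAIN answers. As an added example that is not part of this bug report or of BIND, here is a small Python parser for the DNS wire format that classifies a captured response by its RCODE, so NXDOMAIN answers can be counted per queried name regardless of whether named logged them; the response packet is constructed inline and all function names are my own.

```python
import struct
# RFC 1035 response codes a resolver is likely to return
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 28: "AAAA"}

def read_name(pkt, offset):
    """Decode a DNS name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name where it started)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = pkt[offset]
        if length & 0xC0 == 0xC0:  # 2-byte pointer into an earlier name
            end = end if jumped else offset + 2
            offset = ((length & 0x3F) << 8) | pkt[offset + 1]
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels) or ".", (end if jumped else offset)
        labels.append(pkt[offset:offset + length].decode("ascii"))
        offset += length

def encode_name(name):
    """Wire-encode a name without compression (used only to build the sample)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_response(pkt):
    """Summarise a DNS response: id, first question, RCODE and section counts."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qdcount, ancount, nscount, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    qname = qtype = None
    if qdcount:  # only the first question is summarised
        qname, off = read_name(pkt, 12)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        qtype = QTYPE_NAMES.get(qtype, str(qtype))
    return {"id": ident, "qname": qname, "qtype": qtype,
            "rcode": RCODE_NAMES.get(rcode, str(rcode)), "nxdomain": rcode == 3,
            "answers": ancount, "authority": nscount}

# Constructed NXDOMAIN reply (not a real capture) to the report's dig query: flags 0x8183 = QR|RD|RA, RCODE 3
SAMPLE_NXDOMAIN = (struct.pack("!HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
                   + encode_name("this-domain-does-not-exist") + struct.pack("!HH", 1, 1))
```

Feeding each captured response through parse_response and grouping on qname where nxdomain is true gives the per-name NXDOMAIN count that the query-errors category cannot provide for cached or authoritative answers.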

Comment 9 Petr Menšík 2020-10-02 16:39:58 UTC
Created an addition to the original upstream MR. It adds logging of only negative answers. I think positive queries were not requested by our request. While the upstream change allowed grepping NXDOMAIN results in the log, it did not allow queries on existing names but with the wrong type, for example AAAA queries for a name having only an A record.

1. https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/4224

