Bug 241745 - named query denied syslog messages lack information
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: bind
Version: 4.5
Platform: All Linux
Priority: medium  Severity: medium
Assigned To: Adam Tkac
Keywords: FutureFeature
Blocks: 462575
Reported: 2007-05-30 01:23 EDT by Landon Curt Noll
Modified: 2013-04-30 19:35 EDT (History)
Fixed In Version: RHBA-2008-0708
Doc Type: Enhancement
Last Closed: 2008-07-24 15:53:36 EDT

Attachments
Proposed patch (2.93 KB, patch), 2007-05-31 10:29 EDT, Adam Tkac

Description Landon Curt Noll 2007-05-30 01:23:35 EDT

Description of problem:
When someone performs a DNS query on a name that is not permitted by named.conf,
named simply reports via syslog:

Mar 16 00:08:11 XXX named[pid]: client ip.ad.dr.ess#port: query (cache) denied

It would be very helpful if named would report WHICH name the client was
attempting to query.
Version-Release number of selected component (if applicable):
bind-9.2.2-21

How reproducible:
Always

Steps to Reproduce:
1.Setup a non-recursion name server that permits a query of only a few zones
2.query a zone not permitted by named.conf
3.observe the /var/log/messages message

Actual Results:
Mar 16 00:08:11 XXX named[pid]: client ip.ad.dr.ess#port: query (cache) denied

Expected Results:
Mar 16 00:08:11 XXX named[pid]: client ip.ad.dr.ess#port: query (cache) of example.net denied

Additional info:

Here is an example of a name server that limits zones to just a few domains:

options {
        // by default we do not allow any to query anything
        // we explicitly enable queries on a per-zone basis
        allow-query { none; };
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        recursion no;
};

zone "example.com" {
        type master;
        allow-query { any; };
        file "example.com.zone";
};

zone "example.org" {
        type master;
        allow-query { any; };
        file "example.org.zone";
};
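The report is essentially a detection-quality complaint: without the queried name, a "query (cache) denied" line tells the operator neither whether a client is probing nor whether the server's own allow-query lists are wrong (the second case is exactly what the reporter later found once names were logged). The following is an added example, not code from the bug report or from BIND itself, showing how an operator would parse the denial messages out of syslog and triage them against the zones the server is meant to serve. The sample log lines are constructed for this example; the hostname, pid, client addresses and the format of the name-carrying variants are assumptions. It handles three shapes: the nameless pre-patch message quoted in the report, the "of NAME" form proposed in Expected Results, and the quoted 'NAME/TYPE/CLASS' form that later upstream BIND releases log, so it is slightly more general than the formats shown on this page.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines for this example (not taken from the reporter's
# server). Line 1 is the uninformative pre-patch message from the report; lines
# 2-4 carry the queried name, in the "of NAME" form the report asks for and in
# the quoted 'NAME/TYPE/CLASS' form that later upstream BIND releases log; line 5
# is an unrelated named message that must be ignored.
SAMPLE_LOG = """\
Mar 16 00:08:11 ns1 named[1234]: client 192.0.2.10#53211: query (cache) denied
Mar 16 00:08:12 ns1 named[1234]: client 192.0.2.10#53212: query (cache) of example.net denied
Mar 16 00:08:13 ns1 named[1234]: client 198.51.100.7#40001: query (cache) 'www.example.net/A/IN' denied
Mar 16 00:08:14 ns1 named[1234]: client 192.0.2.10#53213: query 'internal.example.org/A/IN' denied
Mar 16 00:08:15 ns1 named[1234]: zone example.com/IN: loaded serial 2007053001
"""

# Zones this server is authoritative for, taken from the named.conf in the report.
SERVED_ZONES = ("example.com", "example.org")

# One pattern for all three message shapes. The "(cache)" tag and the name part
# are both optional so the old and new formats parse with the same code.
DENIED_RE = re.compile(
    r"client (?P<ip>[^#\s]+)#(?P<port>\d+): query"
    r"(?: \((?P<scope>[^)]*)\))?"
    r"(?: of (?P<name_of>\S+)"
    r"| '(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^']+)')?"
    r" denied$"
)


def parse_denied(line):
    """Return a record for a 'query ... denied' line, or None for any other line."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    return {
        "client": m.group("ip"),
        "port": int(m.group("port")),
        "scope": m.group("scope"),                       # e.g. "cache", or None
        "name": m.group("name") or m.group("name_of"),   # None on pre-patch lines
        "rtype": m.group("rtype"),
        "rclass": m.group("rclass"),
    }


def classify(rec, served_zones=SERVED_ZONES):
    """Decide what a denial means for the operator.

    "misconfig": the name is in a zone we serve, so an allow-query list is wrong
    somewhere (the kind of problem the reporter found once names were logged);
    "expected": a name outside our zones, refused because recursion is off;
    "unknown": the pre-patch message, which carries no name to act on.
    """
    if rec["name"] is None:
        return "unknown"
    qname = rec["name"].rstrip(".").lower()
    for zone in served_zones:
        if qname == zone or qname.endswith("." + zone):
            return "misconfig"
    return "expected"


def summarize(log_text, served_zones=SERVED_ZONES):
    """Aggregate denials from a syslog excerpt: per-client counts, the names each
    client asked for, how many lines lacked a name, and a tally by classification."""
    per_client = Counter()
    names = defaultdict(set)
    by_class = Counter()
    nameless = 0
    for line in log_text.splitlines():
        rec = parse_denied(line)
        if rec is None:
            continue
        per_client[rec["client"]] += 1
        by_class[classify(rec, served_zones)] += 1
        if rec["name"] is None:
            nameless += 1
        else:
            names[rec["client"]].add(rec["name"])
    return {
        "per_client": dict(per_client),
        "names": {c: sorted(n) for c, n in names.items()},
        "nameless": nameless,
        "by_class": dict(by_class),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for client, count in report["per_client"].items():
        print(f"{client}: {count} denied, names={report['names'].get(client, [])}")
    print(f"lines without a name: {report['nameless']}, by class: {report['by_class']}")
```

A non-zero "nameless" count is itself a useful signal: it means the server is still running a BIND that logs the pre-patch message, and the "unknown" bucket is exactly the information this bug asked to have added.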
Comment 1 Landon Curt Noll 2007-05-30 01:25:17 EDT
According to https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118386#c15 I
reopened this bug so that it will be fixed in RHEL4.
Comment 2 Adam Tkac 2007-05-31 10:29:01 EDT
Created attachment 155820 [details]
Proposed patch
Comment 3 Adam Tkac 2007-05-31 10:30:41 EDT
You could try the proposed update (looks like 4.7) and tell me your impressions.
Available at http://people.redhat.com/atkac/test_srpms/bind-9.2.4-27.1.el4.src.rpm

Regards, Adam
Comment 4 Landon Curt Noll 2007-06-07 17:13:55 EDT
We have installed bind 9.2.4-27.1.el4 and are evaluating the results.  Initial
results look encouraging.
Comment 5 Landon Curt Noll 2007-06-07 19:18:56 EDT
Looks like this update is working well.  Our tests show that it is correctly
reporting what was denied.
Comment 6 Adam Tkac 2007-06-08 04:30:20 EDT
(In reply to comment #5)
> Looks like this update is working well.  Our tests shows that it is correctly
> reporting what was denied.

Thanks for feedback. Tell me any problems, please.

Adam
Comment 7 Landon Curt Noll 2007-06-09 03:55:22 EDT
We have not found any problems.  In fact, because the messages identified which
zones were being denied, we were able to fix a minor configuration problem that
might have gone unnoticed for a while.

I recommend this version for release.
Comment 8 Landon Curt Noll 2007-07-25 14:15:54 EDT
We are currently using your
http://people.redhat.com/atkac/test_srpms/bind-9.2.4-27.1.el4.src.rpm.  We have
been very happy with this release and have found the more informative error
messages extremely useful (they helped us discover a config issue we had with
our DNS).

We see from "Errata Update: RHSA-2007:0740-2 - Moderate: bind security update"
(CVE-2007-2926) that bind has been updated to bind-9.2.4-27.0.1.el4.

It would be a nice favor if you could create a bind-9.2.4-27.1.1.el4.src.rpm
that addressed the same issue (as the bind-9.2.4-27.0.1.el4 update did).  We
would be happy to test this revised code.
Comment 9 Landon Curt Noll 2007-07-25 14:28:45 EDT
Or perhaps RHEL4 might want to release a bind-9.2.4-27.1.1.el4 (containing the
merge of bind-9.2.4-27.1.el4 and bind-9.2.4-27.0.1.el4)?  The fix has been
working very well for 6+ weeks and I believe it is ready for release.

Why don't you release such a RPM on the "RHEL WS (v. 4 for x86) Fastrack"
channel (or on the "RHEL WS (v. 4 for x86) Beta" channel)?
Comment 10 Adam Tkac 2007-07-25 15:15:52 EDT
It's a much harder process than fixing it, committing it and building it ;) The proposed patch
will be in 4.7. I've updated the source (it contains all bugfixes - also the one for
CVE-2007-2926 - which will be in 4.6, and the patch for this issue -
http://people.redhat.com/atkac/test_srpms/bind-9.2.4-28.0.0.1.el4.src.rpm)

Adam
Comment 11 Landon Curt Noll 2007-07-27 03:22:57 EDT
Thanks.  We installed it on the 25th and it has been working well on our server.
Comment 12 RHEL Product and Program Management 2008-02-01 14:07:41 EST
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 14 RHEL Product and Program Management 2008-03-13 09:28:13 EDT
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 21 errata-xmlrpc 2008-07-24 15:53:36 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0708.html
Comment 22 Robert Vogelgesang 2008-09-04 05:45:10 EDT
This patch apparently changes the logging category for this log message.

In prior versions, the "query (cache) denied" message would fall under the
"client" category, and the config entry

logging {
  category client { file "client_log"; };
};

would redirect this message away from syslog to a file.

With bind-9.2.4-30.el4, this stopped working, and the message appears in /var/log/messages instead.

Could you please change the patch so that it does not break the logging configurability?
