
Bug 241745

Summary: named query denied syslog messages lack information
Product: Red Hat Enterprise Linux 4
Reporter: Landon Curt Noll <redhat-mail>
Component: bind
Assignee: Adam Tkac <atkac>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: 4.5
CC: ovasik, vogel
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: RHBA-2008-0708
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-24 19:53:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 462575

Attachments:
Proposed patch (flags: none)

Description Landon Curt Noll 2007-05-30 05:23:35 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.1; Linux; X11; , en_US, en)

Description of problem:
When someone performs a DNS query on a name that is not permitted by named.conf,
named simply reports via syslog:

Mar 16 00:08:11 XXX named[pid]: client ip.ad.dr.ess#port: query (cache) denied

It would be very helpful if named would report WHICH name the client was
attempting to query.



Version-Release number of selected component (if applicable):
bind-9.2.2-21

How reproducible:
Always

Steps to Reproduce:
1. Set up a non-recursive name server that permits queries of only a few zones
2. Query a zone not permitted by named.conf
3. Observe the message in /var/log/messages

Actual Results:
Mar 16 00:08:11 XXX named[pid]: client ip.ad.dr.ess#port: query (cache) denied

Expected Results:
Mar 16 00:08:11 XXX named[pid]: client ip.ad.dr.ess#port: query (cache) of example.net denied

Additional info:

Here is an example of a name server that limits zones to just a few domains:

options {
        // by default we do not allow any to query anything
        // we explicitly enable queries on a per-zone basis
        allow-query { none; };
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        recursion no;
};

zone "example.com" {
        type master;
        allow-query { any; };
        file "example.com.zone";
};

zone "example.org" {
        type master;
        allow-query { any; };
        file "example.org.zone";
};
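The value of the requested change is that a denied-query log line can be attributed to a specific name, which is what lets an operator tell an intended refusal apart from a zone that was meant to be served but is blocked by a stray allow-query. The following parser is an added example, not code from this bug report or from the BIND project. It accepts both the old message (no name) and the expected new message ("query (cache) of <name> denied") as quoted above; the exact wording emitted by the patched RHEL4 package is an assumption. The sample syslog lines and the served-zone list are constructed, and the "(zone)" scope variant is likewise assumed for illustration.

```python
import re
from collections import Counter, defaultdict

# Regex for the denied-query message. The "of <name>" part is optional so
# that both the old format (no name) and the expected new format (with the
# queried name) from this bug report are accepted. Assumption: the patched
# package uses exactly this layout.
DENIED_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: client (?P<client>[0-9a-fA-F:.]+)#(?P<port>\d+): "
    r"query \((?P<scope>[^)]+)\)(?: of (?P<name>\S+))? denied"
)

# Constructed sample log lines (not from the bug report).
SAMPLE_LOG = """\
Mar 16 00:08:11 ns1 named[1234]: client 192.0.2.10#53211: query (cache) denied
Mar 16 00:08:12 ns1 named[1234]: client 192.0.2.10#53212: query (cache) of example.net denied
Mar 16 00:08:13 ns1 named[1234]: client 192.0.2.10#53213: query (cache) of example.net denied
Mar 16 00:08:14 ns1 named[1234]: client 198.51.100.7#40000: query (cache) of www.example.org. denied
Mar 16 00:08:15 ns1 named[1234]: client 198.51.100.7#40001: query (zone) of example.com denied
Mar 16 00:08:16 ns1 named[1234]: zone example.com/IN: loaded serial 2007053001
"""


def parse_denied(line):
    """Return a dict with pid, client, port, scope and name (None for the
    old, name-less format), or None if the line is not a denied-query message."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["port"] = int(rec["port"])
    return rec


def summarize(lines):
    """Count denied queries per client and, where the new format supplies it,
    per queried name. Old-format lines are counted as 'unnamed'."""
    per_client = Counter()
    names = defaultdict(Counter)
    unnamed = 0
    for line in lines:
        rec = parse_denied(line)
        if rec is None:
            continue
        per_client[rec["client"]] += 1
        if rec["name"] is None:
            unnamed += 1
        else:
            # Normalise trailing dot and case so the same name aggregates once.
            names[rec["client"]][rec["name"].rstrip(".").lower()] += 1
    return {"per_client": per_client, "names": names, "unnamed": unnamed}


def denied_in_served_zones(summary, served_zones):
    """Names that were denied although they fall under a zone this server is
    supposed to answer for: the 'minor configuration problem' case, which the
    old message format could not reveal. Returns {client: sorted names}."""
    zones = [z.rstrip(".").lower() for z in served_zones]
    hits = {}
    for client, counter in summary["names"].items():
        found = sorted(
            n for n in counter
            if any(n == z or n.endswith("." + z) for z in zones)
        )
        if found:
            hits[client] = found
    return hits


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("denied per client:", dict(s["per_client"]))
    print("name-less (old format) lines:", s["unnamed"])
    # Served zones taken from the named.conf excerpt above.
    print("denied under served zones:",
          denied_in_served_zones(s, ["example.com", "example.org"]))
```

Run against the constructed lines, the summary shows example.net denials from one client (an intended refusal for a zone this server does not hold) and, for the other client, denials for example.com and www.example.org, which are under zones the configuration above intends to serve and therefore point at a configuration error rather than at the client.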

Comment 1 Landon Curt Noll 2007-05-30 05:25:17 UTC
According to https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=118386#c15 I
reopened this bug so that it will be fixed in RHEL4.

Comment 2 Adam Tkac 2007-05-31 14:29:01 UTC
Created attachment 155820 [details]
Proposed patch

Comment 3 Adam Tkac 2007-05-31 14:30:41 UTC
You could try the proposed update (looks like 4.7) and tell me your impressions.
Available at http://people.redhat.com/atkac/test_srpms/bind-9.2.4-27.1.el4.src.rpm

Regards, Adam

Comment 4 Landon Curt Noll 2007-06-07 21:13:55 UTC
We have installed bind 9.2.4-27.1.el4 and are evaluating the results.  Initial
results look encouraging.

Comment 5 Landon Curt Noll 2007-06-07 23:18:56 UTC
Looks like this update is working well.  Our tests show that it is correctly
reporting what was denied.

Comment 6 Adam Tkac 2007-06-08 08:30:20 UTC
(In reply to comment #5)
> Looks like this update is working well.  Our tests show that it is correctly
> reporting what was denied.

Thanks for feedback. Tell me any problems, please.

Adam

Comment 7 Landon Curt Noll 2007-06-09 07:55:22 UTC
We have not found any problems.  In fact, because the messages identified which
zones were being denied, we were able to fix a minor configuration problem that
might have gone unnoticed for a while.

I recommend this version for release.

Comment 8 Landon Curt Noll 2007-07-25 18:15:54 UTC
We are currently using your
http://people.redhat.com/atkac/test_srpms/bind-9.2.4-27.1.el4.src.rpm.  We have
been very happy with this release and have found the more informative error
messages extremely useful (they helped us discover a config issue we had with
our DNS).

We see from "Errata Update: RHSA-2007:0740-2 - Moderate: bind security update"
(CVE-2007-2926) that bind has been updated to bind-9.2.4-27.0.1.el4.

It would be a nice favor if you could create a bind-9.2.4-27.1.1.el4.src.rpm
that addressed the same issue (as the bind-9.2.4-27.0.1.el4 update did).  We
would be happy to test this revised code.

Comment 9 Landon Curt Noll 2007-07-25 18:28:45 UTC
Or perhaps RHEL4 might want to release a bind-9.2.4-27.1.1.el4 (containing the
merge of bind-9.2.4-27.1.el4 and bind-9.2.4-27.0.1.el4)?  The fix has been
working very well for 6+ weeks and I believe it is ready for release.

Why don't you release such a RPM on the "RHEL WS (v. 4 for x86) Fastrack"
channel (or on the "RHEL WS (v. 4 for x86) Beta" channel)?

Comment 10 Adam Tkac 2007-07-25 19:15:52 UTC
It's a rather harder process than fixing it, committing it and building it ;) The
proposed patch will be in 4.7. I've updated the source (contains all bugfixes -
also for CVE-2007-2926 - which will be in 4.6, and the patch for this issue -
http://people.redhat.com/atkac/test_srpms/bind-9.2.4-28.0.0.1.el4.src.rpm)

Adam

Comment 11 Landon Curt Noll 2007-07-27 07:22:57 UTC
Thanks.  We installed it on the 25th and it has been working well on our server.

Comment 12 RHEL Program Management 2008-02-01 19:07:41 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".

Comment 14 RHEL Program Management 2008-03-13 13:28:13 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".

Comment 21 errata-xmlrpc 2008-07-24 19:53:36 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0708.html

Comment 22 Robert Vogelgesang 2008-09-04 09:45:10 UTC
This patch apparently changes the logging category for this log message.

In prior versions, the "query (cache) denied" message would fall under the
"client" category, and the config entry

logging {
  category client { file "client_log"; };
};

would redirect this message away from syslog to a file.

With bind-9.2.4-30.el4, this stopped working, and the message appears in /var/log/messages instead.

Could you please change the patch so that it does not break the logging configurability?