In message <49d40ca4.70...@chrysler.com>, Kevin Darcy writes:
> bsfin...@anl.gov wrote:
> > I have a name server that is authoritative for the zone
> >
> >     tlh.fl.us.
> >
> > In that zone is a record
> >
> >     freenet.tlh.fl.us.  IN  CNAME  tfn.net.
> >
> > My server is not authoritative for tfn.net.
> >
> > Some external client sends a request:
> >
> >     What is the MX for freenet.tlh.fl.us.?
> >
> > My server responds (this is from a snoop trace):
> >
> >     DNS:  Response ID = 61546
> >     DNS:  AA (Authoritative Answer)
> >     DNS:  Response Code: 0 (OK)
> >     DNS:  Reply to 1 question(s)
> >     DNS:  Domain Name: freenet.tlh.fl.us.
> >     DNS:  Class: 1 (Internet)
> >     DNS:  Type: 15 (Mail Exchange)
> >     DNS:
> >     DNS:  1 answer(s)
> >     DNS:  Domain Name: freenet.tlh.fl.us.
> >     DNS:  Class: 1 (Internet)
> >     DNS:  Type: 5 (Canonical Name)
> >     DNS:  TTL (Time To Live): 86400
> >     DNS:  Canonical Name: tfn.net.
> >     DNS:
> >     DNS:  0 name server resource(s)
> >     DNS:  0 additional record(s)
> >
> > This is a correct answer. Note that there are no authority or
> > additional sections. But I also see in /var/adm/messages:
> >
> >     Apr 1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info]
> >     client 217.232.216.120#10000: query (cache) 'tfn.net/MX/IN' denied
> >
> > I assume that in the process of getting more information about
> >
> >     tfn.net
> >
> > to give the authority section and the additional section (this is from
> > a query I made to an internal BIND server, where queries are not
> > denied):
> >
> >     ;; AUTHORITY SECTION:
> >     tfn.net.            1d23h59m59s  IN  NS  ns92.worldnic.com.
> >     tfn.net.            1d23h59m59s  IN  NS  ns91.worldnic.com.
> >
> >     ;; ADDITIONAL SECTION:
> >     freenet.tfn.net.    2H           IN  A   199.44.235.10
> >     ns91.worldnic.com.  1d6h26m5s    IN  A   205.178.190.46
> >     ns92.worldnic.com.  1d6h26m5s    IN  A   205.178.144.46
> >
> > BIND 9.6.0-P1 determines that although it may have this information
> > about tfn.net in its cache, it cannot give the information to the
> > requester because I have not configured BIND to allow external users
> > to query the cache. If BIND did not have the information about tfn.net
> > in its cache, would it go and retrieve the information and then
> > decide that it was unable to give the cached information to the
> > requester?
> >
> > Should the "query (cache) denied" message be produced? We were
> > confused because we did not see any queries for tfn.net in the
> > named.querylog file, where we log all DNS queries. I had to run a
> > snoop trace to see what was happening.
> >
> > In this case, should BIND give the information about tfn.net in its
> > cache back to the requester?
>
> Barry,
> It's not logging that message merely because it couldn't populate the
> Authority and/or Additional Sections. It's logging that message because
> freenet.tlh.fl.us is aliased to tfn.net. If access to the cache were
> allowed, and the tfn.net MX record(s) were present in the cache, they
> would be provided in the *Answer* Section of the response. I think it's
> reasonable for BIND to log a "denied" message when omitting data that
> would otherwise be in the Answer Section of a response. After all, BIND
> is explicitly giving the client less information than they asked for.
> That's a _bona_fide_ "denial". Omitting records from the Authority or
> Additional Sections, which in most cases BIND is not obligated to
> provide anyway, probably doesn't warrant a log message, except perhaps
> at very detailed logging levels.
>
> I suppose one might question whether BIND should log "denied" messages
> for data that wouldn't have been provided anyway, because it was not in
> authoritative data, or in the cache, and recursion was not requested
> and/or not available. But, as a general matter, if you're denying access
> to the cache, wouldn't you want to know about *unsuccessful* attempts to
> fetch data from your cache, which might tip you off to DoS or "cache
> sniffing" attempts?
>
> Perhaps the denied attempts to fetch *non-existent* cache data could be
> logged at a different level than the denied attempts to fetch existing
> cache data; not sure if that would be a valuable feature or not...
For the listed scenario the message should only be emitted if RD=1.

The following was done on a system with the following ACLs that is also
authoritative for dv.isc.org. cname.dv.isc.org is a test CNAME record.
Named's syslog messages are being "tail -f"'d while the test was in
progress.

    allow-query-cache { 127.0.0.1; ::/1; };
    allow-recursion { 127.0.0.1; ::/1; };

Note the first query did not elicit a log message and the second query
did. A direct query for ftp.uu.net results in REFUSED being returned,
which is independent of RD.

The test was run against BIND 9.6.1b1.

Mark

drugs# dig cname.dv.isc.org @192.168.191.236 +norec

; <<>> DiG 9.3.6-P1 <<>> cname.dv.isc.org @192.168.191.236 +norec
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13081
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cname.dv.isc.org.              IN      A

;; ANSWER SECTION:
cname.dv.isc.org.       86400   IN      CNAME   ftp.uu.net.

;; Query time: 0 msec
;; SERVER: 192.168.191.236#53(192.168.191.236)
;; WHEN: Thu Apr  2 12:11:09 2009
;; MSG SIZE  rcvd: 58

drugs# dig cname.dv.isc.org @192.168.191.236
Apr  2 12:11:50 drugs named[896]: client 192.168.191.236#60255: view default: query (cache) 'ftp.uu.net/A/IN' denied

; <<>> DiG 9.3.6-P1 <<>> cname.dv.isc.org @192.168.191.236
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24655
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cname.dv.isc.org.              IN      A

;; ANSWER SECTION:
cname.dv.isc.org.       86400   IN      CNAME   ftp.uu.net.

;; Query time: 1 msec
;; SERVER: 192.168.191.236#53(192.168.191.236)
;; WHEN: Thu Apr  2 12:11:50 2009
;; MSG SIZE  rcvd: 58

drugs# dig ftp.uu.net @192.168.191.236
Apr  2 12:20:47 drugs named[896]: client 192.168.191.236#58715: view default: query (cache) 'ftp.uu.net/A/IN' denied

; <<>> DiG 9.3.6-P1 <<>> ftp.uu.net @192.168.191.236
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 61980
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ftp.uu.net.                    IN      A

;; Query time: 0 msec
;; SERVER: 192.168.191.236#53(192.168.191.236)
;; WHEN: Thu Apr  2 12:20:47 2009
;; MSG SIZE  rcvd: 28

drugs#
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: mark_andr...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
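The decision Mark's three dig runs exercise, written out as a small model so the behaviour can be checked offline: a CNAME in our own zone is an authoritative answer on its own; the miss on its off-zone target is logged as a cache denial only for a recursive query (RD=1) and the CNAME is still returned, while a direct query for a name we are not authoritative for is REFUSED regardless of RD. This is an added example for the thread, not BIND source. The zone, cache contents, ACL and client addresses are constructed to mirror the page (192.0.2.10 is an RFC 5737 test address), recursion is not modelled (a permitted client is simply served from the constructed cache), and logging the direct off-zone denial for RD=0 as well as RD=1 is an assumption the thread does not state. The final helper turns the logged lines into the per-client count Kevin suggests watching for cache-sniffing attempts.

```python
"""Model of the decision an authoritative-only BIND view makes for the
three queries in Mark Andrews' test.  Added example, not BIND source;
zone, cache, ACL and client addresses are constructed."""
import ipaddress
from collections import Counter, namedtuple

Response = namedtuple("Response", "rcode aa answer logged")

# Constructed authoritative data: this server serves dv.isc.org only.
ZONES = {
    "dv.isc.org.": {
        "cname.dv.isc.org.": [("CNAME", "ftp.uu.net.")],
    },
}
# Constructed cache: what a permitted client would additionally receive.
CACHE = {("ftp.uu.net.", "A"): ["192.0.2.10"]}

# The IPv4 half of the thread's "allow-query-cache { 127.0.0.1; ::/1; };".
ALLOW_QUERY_CACHE = [ipaddress.ip_network("127.0.0.1/32")]


def cache_allowed(client):
    """Evaluate allow-query-cache for a client address."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in ALLOW_QUERY_CACHE)


def zone_for(name):
    """Longest-suffix match of a name against our authoritative zones."""
    matches = [z for z in ZONES if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def denied(client, port, name, qtype):
    """Syslog line in the form the thread shows (no trailing dot on the name)."""
    return (f"client {client}#{port}: view default: "
            f"query (cache) '{name.rstrip('.')}/{qtype}/IN' denied")


def answer(qname, qtype, client, rd, port=53, max_cname_hops=8):
    """Return rcode, AA flag, answer RRs and syslog lines for one query."""
    logged, rrs, name = [], [], qname
    for _ in range(max_cname_hops):
        zone = zone_for(name)
        if zone is None:
            # name lies outside our authority, so this is a cache lookup.
            via_cname = name != qname
            if not cache_allowed(client):
                if via_cname:
                    # The CNAME already is an authoritative answer; the miss
                    # on its target is logged only for a recursive query.
                    if rd:
                        logged.append(denied(client, port, name, qtype))
                    return Response("NOERROR", True, rrs, logged)
                # Direct off-zone query: REFUSED regardless of RD.  Logging
                # it regardless of RD is an assumption, not stated in thread.
                logged.append(denied(client, port, name, qtype))
                return Response("REFUSED", False, [], logged)
            # Permitted client: serve from the constructed cache (no recursion
            # is modelled here).
            rrs += [(name, qtype, r) for r in CACHE.get((name, qtype), [])]
            return Response("NOERROR", via_cname, rrs, logged)
        records = ZONES[zone].get(name)
        if records is None:
            return Response("NXDOMAIN", True, rrs, logged)
        exact = [(name, t, r) for t, r in records if t == qtype]
        if exact:
            return Response("NOERROR", True, rrs + exact, logged)
        cnames = [(name, t, r) for t, r in records if t == "CNAME"]
        if not cnames:
            return Response("NOERROR", True, rrs, logged)  # name exists, no such type
        rrs += cnames
        name = cnames[0][2]  # follow the CNAME target
    return Response("SERVFAIL", True, rrs, logged)  # CNAME loop guard


def cache_snoop_report(log_lines):
    """Count denied cache queries per client, the signal Kevin Darcy describes."""
    counts = Counter()
    for line in log_lines:
        if "query (cache)" in line and line.endswith("denied"):
            counts[line.split()[1].split("#")[0]] += 1
    return dict(counts)
```

Calling answer("cname.dv.isc.org.", "A", "192.168.191.236", rd=False) reproduces the first dig run (NOERROR, AA set, one CNAME, nothing logged); the same call with rd=True reproduces the second (identical answer plus the denied line), and answer("ftp.uu.net.", "A", "192.168.191.236", rd=True) the third (REFUSED, no AA).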