bsfin...@anl.gov wrote:
I have a name server that is authoritative for the zone
tlh.fl.us.
In that zone is a record
freenet.tlh.fl.us. IN CNAME tfn.net.
My server is not authoritative for tfn.net.
Some external client sends a request:
What is the MX for freenet.tlh.fl.us.?
My server responds (this is from a snoop trace):
DNS: Response ID = 61546
DNS: AA (Authoritative Answer)
DNS: Response Code: 0 (OK)
DNS: Reply to 1 question(s)
DNS: Domain Name: freenet.tlh.fl.us.
DNS: Class: 1 (Internet)
DNS: Type: 15 (Mail Exchange)
DNS:
DNS: 1 answer(s)
DNS: Domain Name: freenet.tlh.fl.us.
DNS: Class: 1 (Internet)
DNS: Type: 5 (Canonical Name)
DNS: TTL (Time To Live): 86400
DNS: Canonical Name: tfn.net.
DNS:
DNS: 0 name server resource(s)
DNS: 0 additional record(s)
This is a correct answer. Note that there are no authority nor
additional sections. But I also see in /var/adm/messages:
Apr 1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info]
client 217.232.216.120#10000:
query (cache) 'tfn.net/MX/IN' denied
I assume that in the process of getting more information about
tfn.net
to give the authority section and the additional section (this is from
an query I made to an internal BIND server, where queries are not
denied):
;; AUTHORITY SECTION:
tfn.net. 1d23h59m59s IN NS ns92.worldnic.com.
tfn.net. 1d23h59m59s IN NS ns91.worldnic.com.
;; ADDITIONAL SECTION:
freenet.tfn.net. 2H IN A 199.44.235.10
ns91.worldnic.com. 1d6h26m5s IN A 205.178.190.46
ns92.worldnic.com. 1d6h26m5s IN A 205.178.144.46
BIND 9.6.0-P1 determines that although it may have this information
about tfn.net in its cache, it cannot give the information to the
requester because I have not configured BIND to allow external users
to query the cache. If BIND did not have the information about tfn.net
in its cache, would it go and retrieve the information and then
decide that it was unable to give the cached information to the
requester?
Should the "query (cache) denied" message be produced? We were
confused because we did not see any queries for tfn.net in the
named.querylog file, where we log all DNS queries. I had to run a
snoop trace to see what was happening.
In this case, should BIND give the information about tfn.net in its
cache back to the requester?
Barry,
It's not logging that message merely because it couldn't populate the
Authority and/or Additional Sections. It's logging that message because
freenet.tlh.fl.us is aliased to tfn.net. If access to the cache were
allowed, and the tfn.net MX record(s) were present in the cache, they
would be provided in the *Answer* Section of the response. I think it's
reasonable for BIND to log a "denied" message when omitting data that
would otherwise be in the Answer Section of a response. After all, BIND
is explicitly giving the client less information than they asked for.
That's a _bona_fide_ "denial". Omitting records from the Authority or
Additional Sections, which in most cases BIND is not obligated to
provide anyway, probably doesn't warrant a log message, except perhaps
at very detailed logging levels.
I suppose one might question whether BIND should log "denied" messages
for data that wouldn't have been provided anyway, because it was not in
authoritative data, or in the cache, and recursion was not requested
and/or not available But, as a general matter, if you're denying access
to the cache, wouldn't you want to know *unsuccessful* attempts to fetch
data from your cache, which might tip you off to DoS or "cache sniffing"
attempts?
Perhaps the denied attempts to fetch *non-existent* cache data could be
logged at a different level than the denied attempts to fetch existing
cache data, not sure if that would be a valuable feature or not...
- Kevin
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
