Re: Minor "query (cache) denied" Logging Bug?
In message <49d40ca4.70...@chrysler.com>, Kevin Darcy writes:
> bsfin...@anl.gov wrote:
> > I have a name server that is authoritative for the zone
> >
> >     tlh.fl.us.
> >
> > In that zone is a record
> >
> >     freenet.tlh.fl.us. IN CNAME tfn.net.
> >
> > My server is not authoritative for tfn.net.
> >
> > Some external client sends a request:
> >
> >     What is the MX for freenet.tlh.fl.us.?
> >
> > My server responds (this is from a snoop trace):
> >
> >     DNS: Response ID = 61546
> >     DNS: AA (Authoritative Answer)
> >     DNS: Response Code: 0 (OK)
> >     DNS: Reply to 1 question(s)
> >     DNS: Domain Name: freenet.tlh.fl.us.
> >     DNS: Class: 1 (Internet)
> >     DNS: Type: 15 (Mail Exchange)
> >     DNS:
> >     DNS: 1 answer(s)
> >     DNS: Domain Name: freenet.tlh.fl.us.
> >     DNS: Class: 1 (Internet)
> >     DNS: Type: 5 (Canonical Name)
> >     DNS: TTL (Time To Live): 86400
> >     DNS: Canonical Name: tfn.net.
> >     DNS:
> >     DNS: 0 name server resource(s)
> >     DNS: 0 additional record(s)
> >
> > This is a correct answer. Note that there are no authority nor
> > additional sections. But I also see in /var/adm/messages:
> >
> >     Apr 1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info]
> >     client 217.232.216.120#1: query (cache) 'tfn.net/MX/IN' denied
> >
> > I assume that in the process of getting more information about
> >
> >     tfn.net
> >
> > to give the authority section and the additional section (this is from
> > a query I made to an internal BIND server, where queries are not
> > denied):
> >
> >     ;; AUTHORITY SECTION:
> >     tfn.net.            1d23h59m59s IN NS ns92.worldnic.com.
> >     tfn.net.            1d23h59m59s IN NS ns91.worldnic.com.
> >
> >     ;; ADDITIONAL SECTION:
> >     freenet.tfn.net.    2H          IN A  199.44.235.10
> >     ns91.worldnic.com.  1d6h26m5s   IN A  205.178.190.46
> >     ns92.worldnic.com.  1d6h26m5s   IN A  205.178.144.46
> >
> > BIND 9.6.0-P1 determines that although it may have this information
> > about tfn.net in its cache, it cannot give the information to the
> > requester because I have not configured BIND to allow external users
> > to query the cache. If BIND did not have the information about tfn.net
> > in its cache, would it go and retrieve the information and then
> > decide that it was unable to give the cached information to the
> > requester?
> >
> > Should the "query (cache) denied" message be produced? We were
> > confused because we did not see any queries for tfn.net in the
> > named.querylog file, where we log all DNS queries. I had to run a
> > snoop trace to see what was happening.
> >
> > In this case, should BIND give the information about tfn.net in its
> > cache back to the requester?
>
> Barry,
> It's not logging that message merely because it couldn't populate the
> Authority and/or Additional Sections. It's logging that message because
> freenet.tlh.fl.us is aliased to tfn.net. If access to the cache were
> allowed, and the tfn.net MX record(s) were present in the cache, they
> would be provided in the *Answer* Section of the response. I think it's
> reasonable for BIND to log a "denied" message when omitting data that
> would otherwise be in the Answer Section of a response. After all, BIND
> is explicitly giving the client less information than they asked for.
> That's a _bona_fide_ "denial". Omitting records from the Authority or
> Additional Sections, which in most cases BIND is not obligated to
> provide anyway, probably doesn't warrant a log message, except perhaps
> at very detailed logging levels.
>
> I suppose one might question whether BIND should log "denied" messages
> for data that wouldn't have been provided anyway, because it was not in
> authoritative data, or in the cache, and recursion was not requested
> and/or not available. But, as a general matter, if you're denying access
> to the cache, wouldn't you want to know about *unsuccessful* attempts to
> fetch data from your cache, which might tip you off to DoS or "cache
> sniffing" attempts?
>
> Perhaps the denied attempts to fetch *non-existent* cache data could be
> logged at a different level than the denied attempts to fetch existing
> cache data, not sure if that would be a valuable feature or not...

For the listed scenario the message should only be emitted if RD=1.

The following was done on a system with the following acl's that is also
authoritative for dv.isc.org. cname.dv.isc.org is a test CNAME record.
Named's syslog messages are being "tail -f"'d while the test was in progress.

    allow-query-cache { 127.0.0.1; ::/1; };
    allow-recursion { 127.0.0.1; ::/1; };

Note the first query did not elicit a log message and the second query did.
A direct query for ftp.uu.net results in REFUSED being returned which is
independent of RD.

The test was run
Re: Minor "query (cache) denied" Logging Bug?
bsfin...@anl.gov wrote:
> I have a name server that is authoritative for the zone
>
>     tlh.fl.us.
>
> In that zone is a record
>
>     freenet.tlh.fl.us. IN CNAME tfn.net.
>
> My server is not authoritative for tfn.net.
>
> Some external client sends a request:
>
>     What is the MX for freenet.tlh.fl.us.?
>
> My server responds (this is from a snoop trace):
>
>     DNS: Response ID = 61546
>     DNS: AA (Authoritative Answer)
>     DNS: Response Code: 0 (OK)
>     DNS: Reply to 1 question(s)
>     DNS: Domain Name: freenet.tlh.fl.us.
>     DNS: Class: 1 (Internet)
>     DNS: Type: 15 (Mail Exchange)
>     DNS:
>     DNS: 1 answer(s)
>     DNS: Domain Name: freenet.tlh.fl.us.
>     DNS: Class: 1 (Internet)
>     DNS: Type: 5 (Canonical Name)
>     DNS: TTL (Time To Live): 86400
>     DNS: Canonical Name: tfn.net.
>     DNS:
>     DNS: 0 name server resource(s)
>     DNS: 0 additional record(s)
>
> This is a correct answer. Note that there are no authority nor
> additional sections. But I also see in /var/adm/messages:
>
>     Apr 1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info]
>     client 217.232.216.120#1: query (cache) 'tfn.net/MX/IN' denied
>
> I assume that in the process of getting more information about
>
>     tfn.net
>
> to give the authority section and the additional section (this is from
> a query I made to an internal BIND server, where queries are not
> denied):
>
>     ;; AUTHORITY SECTION:
>     tfn.net.            1d23h59m59s IN NS ns92.worldnic.com.
>     tfn.net.            1d23h59m59s IN NS ns91.worldnic.com.
>
>     ;; ADDITIONAL SECTION:
>     freenet.tfn.net.    2H          IN A  199.44.235.10
>     ns91.worldnic.com.  1d6h26m5s   IN A  205.178.190.46
>     ns92.worldnic.com.  1d6h26m5s   IN A  205.178.144.46
>
> BIND 9.6.0-P1 determines that although it may have this information
> about tfn.net in its cache, it cannot give the information to the
> requester because I have not configured BIND to allow external users
> to query the cache. If BIND did not have the information about tfn.net
> in its cache, would it go and retrieve the information and then
> decide that it was unable to give the cached information to the
> requester?
>
> Should the "query (cache) denied" message be produced? We were
> confused because we did not see any queries for tfn.net in the
> named.querylog file, where we log all DNS queries. I had to run a
> snoop trace to see what was happening.
>
> In this case, should BIND give the information about tfn.net in its
> cache back to the requester?

Barry,
It's not logging that message merely because it couldn't populate the
Authority and/or Additional Sections. It's logging that message because
freenet.tlh.fl.us is aliased to tfn.net. If access to the cache were
allowed, and the tfn.net MX record(s) were present in the cache, they
would be provided in the *Answer* Section of the response. I think it's
reasonable for BIND to log a "denied" message when omitting data that
would otherwise be in the Answer Section of a response. After all, BIND
is explicitly giving the client less information than they asked for.
That's a _bona_fide_ "denial". Omitting records from the Authority or
Additional Sections, which in most cases BIND is not obligated to
provide anyway, probably doesn't warrant a log message, except perhaps
at very detailed logging levels.

I suppose one might question whether BIND should log "denied" messages
for data that wouldn't have been provided anyway, because it was not in
authoritative data, or in the cache, and recursion was not requested
and/or not available. But, as a general matter, if you're denying access
to the cache, wouldn't you want to know about *unsuccessful* attempts to
fetch data from your cache, which might tip you off to DoS or "cache
sniffing" attempts?

Perhaps the denied attempts to fetch *non-existent* cache data could be
logged at a different level than the denied attempts to fetch existing
cache data, not sure if that would be a valuable feature or not...

- Kevin

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
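An added example, written for this page and not posted by anyone in the thread nor taken from BIND: a small Python parser for the "query (cache) denied" lines discussed above, run over the log line Barry quoted plus a few constructed lines, to do the kind of per-client tally Kevin suggests for noticing repeated attempts to read a cache that is closed to outsiders. The names SAMPLE_LINES, parse_denied and summarize, the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses (documentation ranges) and the threshold of 3 are all my own choices.

```python
import re
from collections import Counter, defaultdict

# Matches the named log text quoted in the thread, e.g.
#   client 217.232.216.120#1: query (cache) 'tfn.net/MX/IN' denied
# The parenthesised "(cache)" part is optional so that the plain
# "query '...' denied" form (an allow-query refusal) is also recognised.
DENIED_RE = re.compile(
    r"client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query (?:\((?P<source>[a-z]+)\) )?"
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)


def parse_denied(line):
    """Return a dict of fields for a 'query ... denied' line, or None if the
    line is something else (a querylog entry, a startup message, ...)."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def summarize(lines, threshold=3):
    """Count cache denials per client and flag clients at or above threshold.

    Only lines with source "cache" are counted: those are the ones Kevin
    argues are worth watching, since they are attempts to pull data out of
    a cache the operator has closed to that client.
    """
    per_client = Counter()
    names = defaultdict(set)
    for line in lines:
        rec = parse_denied(line)
        if rec is None or rec["source"] != "cache":
            continue
        per_client[rec["client"]] += 1
        names[rec["client"]].add(rec["qname"].lower())
    return {
        "per_client": dict(per_client),
        "distinct_names": {c: len(s) for c, s in names.items()},
        "noisy_clients": sorted(c for c, n in per_client.items() if n >= threshold),
    }


# Constructed sample input: the first line is the one quoted in the thread,
# the rest are made up (documentation address space, invented ports/names).
SAMPLE_LINES = [
    "Apr 1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info] "
    "client 217.232.216.120#1: query (cache) 'tfn.net/MX/IN' denied",
    "Apr 1 09:10:02 ns1.example.net named[171]: client 192.0.2.10#40001: "
    "query (cache) 'www.example.org/A/IN' denied",
    "Apr 1 09:10:03 ns1.example.net named[171]: client 192.0.2.10#40002: "
    "query (cache) 'mail.example.org/MX/IN' denied",
    "Apr 1 09:10:04 ns1.example.net named[171]: client 192.0.2.10#40003: "
    "query (cache) 'ns.example.org/A/IN' denied",
    # allow-query refusal on authoritative data: parsed, but not a cache denial
    "Apr 1 09:10:05 ns1.example.net named[171]: client 198.51.100.7#5353: "
    "query 'example.net/A/IN' denied",
    # an ordinary querylog line, which the parser must ignore
    "Apr 1 09:10:06 ns1.example.net named[171]: client 203.0.113.5#53001: "
    "query: tlh.fl.us IN A + (192.0.2.1)",
]

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LINES), indent=2))
```

With the sample above, 192.0.2.10 is reported as noisy (three cache denials for three different names), the single denial from the thread's client is counted but not flagged, and the allow-query refusal and the querylog line are left out of the cache tally.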
Minor "query (cache) denied" Logging Bug?
I have a name server that is authoritative for the zone

    tlh.fl.us.

In that zone is a record

    freenet.tlh.fl.us. IN CNAME tfn.net.

My server is not authoritative for tfn.net.

Some external client sends a request:

    What is the MX for freenet.tlh.fl.us.?

My server responds (this is from a snoop trace):

    DNS: Response ID = 61546
    DNS: AA (Authoritative Answer)
    DNS: Response Code: 0 (OK)
    DNS: Reply to 1 question(s)
    DNS: Domain Name: freenet.tlh.fl.us.
    DNS: Class: 1 (Internet)
    DNS: Type: 15 (Mail Exchange)
    DNS:
    DNS: 1 answer(s)
    DNS: Domain Name: freenet.tlh.fl.us.
    DNS: Class: 1 (Internet)
    DNS: Type: 5 (Canonical Name)
    DNS: TTL (Time To Live): 86400
    DNS: Canonical Name: tfn.net.
    DNS:
    DNS: 0 name server resource(s)
    DNS: 0 additional record(s)

This is a correct answer. Note that there are no authority nor
additional sections. But I also see in /var/adm/messages:

    Apr 1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info]
    client 217.232.216.120#1: query (cache) 'tfn.net/MX/IN' denied

I assume that in the process of getting more information about

    tfn.net

to give the authority section and the additional section (this is from
a query I made to an internal BIND server, where queries are not
denied):

    ;; AUTHORITY SECTION:
    tfn.net.            1d23h59m59s IN NS ns92.worldnic.com.
    tfn.net.            1d23h59m59s IN NS ns91.worldnic.com.

    ;; ADDITIONAL SECTION:
    freenet.tfn.net.    2H          IN A  199.44.235.10
    ns91.worldnic.com.  1d6h26m5s   IN A  205.178.190.46
    ns92.worldnic.com.  1d6h26m5s   IN A  205.178.144.46

BIND 9.6.0-P1 determines that although it may have this information
about tfn.net in its cache, it cannot give the information to the
requester because I have not configured BIND to allow external users
to query the cache. If BIND did not have the information about tfn.net
in its cache, would it go and retrieve the information and then
decide that it was unable to give the cached information to the
requester?

Should the "query (cache) denied" message be produced? We were
confused because we did not see any queries for tfn.net in the
named.querylog file, where we log all DNS queries. I had to run a
snoop trace to see what was happening.

In this case, should BIND give the information about tfn.net in its
cache back to the requester?

-- 
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory          Phone:     +1 (630) 252-7277
9700 South Cass Avenue               Facsimile: +1 (630) 252-4601
Building 222, Room D209              Internet:  bsfin...@anl.gov
Argonne, IL 60439-4828               IBMMAIL:   I1004994
Reply: How to Create a MX record for a subdomain.
Thanks for all the responses.

    smtp2    MX 10 dns.mydomine.com.

Works fine.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ruben Laban
Sent: 1 April 2009 17:21
To: bind-users@lists.isc.org
Subject: Re: How to Create a MX record for a subdomain.

On Wednesday 01 April 2009 at 11:10 (CET), tzqian wrote:
> I would like to add an MX record for a subdomain.
>
> Such as :
>
>     smtp    MX 10.0.106.1
>
> but this produces an error:
>
> dns_rdata_fromtext: /var/named/named.domain.com:18: near '10.0.106.1': not
> a valid number

You missed the preference number, and an MX record should point to an A
record, not an IP. E.g.:

    smtp    MX 10 mail.example.net.

-- 
Regards,
Ruben Laban
Systems and Network Administrator
ISM eCompany
Re: How to Create a MX record for a subdomain.
On Wednesday 01 April 2009 at 11:10 (CET), tzqian wrote:
> I would like to add an MX record for a subdomain.
>
> Such as :
>
>     smtp    MX 10.0.106.1
>
> but this produces an error:
>
> dns_rdata_fromtext: /var/named/named.domain.com:18: near '10.0.106.1': not
> a valid number

You missed the preference number, and an MX record should point to an A
record, not an IP. E.g.:

    smtp    MX 10 mail.example.net.

-- 
Regards,
Ruben Laban
Systems and Network Administrator
ISM eCompany
RE: How to Create a MX record for a subdomain.
> -----Original Message-----
> Subject: How to Create a MX record for a subdomain.
> From: "tzqian"
> Date: Wed, April 01, 2009 2:10 am
> To:
>
> I would like to add an MX record for a subdomain.
>
> Such as :
>
>     smtp    MX 10.0.106.1

You need a PRI for an MX record. Try changing it to:

    smtp    MX 10 hostname.yourdomain.com

Here 10 is the PRI.

Attention: the destination hostname of an MX shouldn't be an IP addr but a FQDN.

Jeff.
How to Create a MX record for a subdomain.
I would like to add an MX record for a subdomain.

Such as :

    smtp    MX 10.0.106.1

but this produces an error:

    dns_rdata_fromtext: /var/named/named.domain.com:18: near '10.0.106.1': not a valid number
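An added illustration for this thread, written here and not posted by anyone above nor taken from BIND's own parser: a Python checker for zone-file MX lines that applies the three points made in the replies (the preference number is mandatory, the exchange must be a hostname with an A record rather than an IP address, and a name without a trailing dot is relative and gets $ORIGIN appended). Only the "near '...': not a valid number" wording mirrors the dns_rdata_fromtext message quoted in the question; the function name check_mx_line, the status words and all other messages are my own.

```python
import ipaddress
import re

# One DNS hostname label: letters, digits and hyphens, no leading or
# trailing hyphen, at most 63 characters.
LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _is_hostname(name):
    labels = name.rstrip(".").split(".")
    return bool(labels) and all(LABEL_RE.match(label) for label in labels)


def check_mx_line(line, lineno=1, filename="zonefile"):
    """Check one zone-file MX record line.

    Accepts "owner [ttl] [class] MX preference exchange"; anything after ';'
    is a comment.  Returns (status, message) with status "ok", "warning" or
    "error".  Checks are made in the same order BIND reads the rdata, so the
    thread's failing line "smtp MX 10.0.106.1" is rejected at the preference
    field, before the missing exchange is even noticed.
    """
    fields = line.split(";", 1)[0].split()
    upper = [f.upper() for f in fields]
    if "MX" not in upper:
        return ("error", f"{filename}:{lineno}: not an MX record")
    mx_at = upper.index("MX")
    if mx_at == 0:
        return ("error", f"{filename}:{lineno}: missing owner name")
    rdata = fields[mx_at + 1:]
    if not rdata:
        return ("error", f"{filename}:{lineno}: MX record has no preference or exchange")

    # 1. Preference: a 16-bit unsigned integer, lower is preferred.
    pref = rdata[0]
    if not pref.isdigit() or not 0 <= int(pref) <= 65535:
        # Same shape as the dns_rdata_fromtext error quoted in the thread.
        return ("error", f"dns_rdata_fromtext: {filename}:{lineno}: near '{pref}': not a valid number")
    if len(rdata) < 2:
        return ("error", f"{filename}:{lineno}: MX record is missing the exchange hostname")
    if len(rdata) > 2:
        return ("error", f"{filename}:{lineno}: unexpected extra field '{rdata[2]}'")

    # 2. Exchange: must be a hostname, never an address literal.
    exchange = rdata[1]
    try:
        ipaddress.ip_address(exchange.rstrip("."))
        return ("error", f"{filename}:{lineno}: MX exchange '{exchange}' is an IP address; "
                         "it must be a hostname that has an A or AAAA record")
    except ValueError:
        pass
    if not _is_hostname(exchange):
        return ("error", f"{filename}:{lineno}: '{exchange}' is not a valid hostname")

    # 3. A name without a trailing dot is relative to $ORIGIN; legal, but a
    #    frequent surprise, so flag it rather than fail it.
    if not exchange.endswith("."):
        return ("warning", f"{filename}:{lineno}: '{exchange}' is relative; $ORIGIN will be appended")
    return ("ok", f"{filename}:{lineno}: {fields[0]} MX {int(pref)} {exchange}")


if __name__ == "__main__":
    # Constructed sample lines: the first is the one from the question.
    for text in ["smtp MX 10.0.106.1",
                 "smtp MX 10 10.0.106.1",
                 "smtp MX 10 mail.example.net",
                 "smtp 3600 IN MX 10 mail.example.net. ; primary exchange"]:
        print(check_mx_line(text, 18, "/var/named/named.domain.com"))
```

The relative-name case is reported as a warning rather than an error because BIND accepts it; whether it is a mistake depends on whether the author meant mail.example.net or mail.example.net.<origin>.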