Minor query (cache) denied Logging Bug?

2009-04-01 Thread bsfinkel
I have a name server that is authoritative for the zone


In that zone is a record

 freenet.tlh.fl.us.  IN  CNAME   tfn.net.

My server is not authoritative for tfn.net.

Some external client sends a request:

 What is the MX for freenet.tlh.fl.us.?

My server responds (this is from a snoop trace):

 DNS:  Response ID = 61546
 DNS:  AA (Authoritative Answer)
 DNS:  Response Code: 0 (OK)
 DNS:  Reply to 1 question(s)
 DNS:  Domain Name: freenet.tlh.fl.us.
 DNS:  Class: 1 (Internet)
 DNS:  Type:  15 (Mail Exchange)
 DNS:  1 answer(s)
 DNS:  Domain Name: freenet.tlh.fl.us.
 DNS:  Class: 1 (Internet)
 DNS:  Type:  5 (Canonical Name)
 DNS:  TTL (Time To Live): 86400
 DNS:  Canonical Name: tfn.net.
 DNS:  0 name server resource(s)
 DNS:  0 additional record(s)

This is a correct answer.  Note that there are no authority or
additional sections.  But I also see in /var/adm/messages:

 Apr  1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info]
   query (cache) 'tfn.net/MX/IN' denied

I assume that in the process of getting more information about


to give the authority section and the additional section (this is from
a query I made to an internal BIND server, where queries are not

 tfn.net.  1d23h59m59s IN NS  ns92.worldnic.com.
 tfn.net.  1d23h59m59s IN NS  ns91.worldnic.com.

 freenet.tfn.net.  2H IN A
 ns91.worldnic.com.  1d6h26m5s IN A
 ns92.worldnic.com.  1d6h26m5s IN A

BIND 9.6.0-P1 determines that although it may have this information
about tfn.net in its cache, it cannot give the information to the
requester because I have not configured BIND to allow external users
to query the cache.  If BIND did not have the information about tfn.net
in its cache, would it go and retrieve the information and then
decide that it was unable to give the cached information to the

Should the query (cache) denied message be produced?  We were
confused because we did not see any queries for tfn.net in the
named.querylog file, where we log all DNS queries.  I had to run a
snoop trace to see what was happening.

In this case, should BIND give the information about tfn.net in its
cache back to the requester?
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 222, Room D209  Internet: bsfin...@anl.gov
Argonne, IL   60439-4828 IBMMAIL:  I1004994
bind-users mailing list

Re: Minor query (cache) denied Logging Bug?

2009-04-01 Thread Kevin Darcy

bsfin...@anl.gov wrote:

I have a name server that is authoritative for the zone


In that zone is a record

 freenet.tlh.fl.us.  IN  CNAME   tfn.net.

My server is not authoritative for tfn.net.

Some external client sends a request:

 What is the MX for freenet.tlh.fl.us.?

My server responds (this is from a snoop trace):

 DNS:  Response ID = 61546
 DNS:  AA (Authoritative Answer)
 DNS:  Response Code: 0 (OK)
 DNS:  Reply to 1 question(s)
 DNS:  Domain Name: freenet.tlh.fl.us.
 DNS:  Class: 1 (Internet)
 DNS:  Type:  15 (Mail Exchange)
 DNS:  1 answer(s)
 DNS:  Domain Name: freenet.tlh.fl.us.
 DNS:  Class: 1 (Internet)
 DNS:  Type:  5 (Canonical Name)
 DNS:  TTL (Time To Live): 86400
 DNS:  Canonical Name: tfn.net.
 DNS:  0 name server resource(s)
 DNS:  0 additional record(s)

This is a correct answer.  Note that there are no authority or
additional sections.  But I also see in /var/adm/messages:

 Apr  1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info]
   query (cache) 'tfn.net/MX/IN' denied

I assume that in the process of getting more information about


to give the authority section and the additional section (this is from
a query I made to an internal BIND server, where queries are not

 tfn.net.  1d23h59m59s IN NS  ns92.worldnic.com.
 tfn.net.  1d23h59m59s IN NS  ns91.worldnic.com.

 freenet.tfn.net.  2H IN A
 ns91.worldnic.com.  1d6h26m5s IN A
 ns92.worldnic.com.  1d6h26m5s IN A

BIND 9.6.0-P1 determines that although it may have this information
about tfn.net in its cache, it cannot give the information to the
requester because I have not configured BIND to allow external users
to query the cache.  If BIND did not have the information about tfn.net
in its cache, would it go and retrieve the information and then
decide that it was unable to give the cached information to the

Should the query (cache) denied message be produced?  We were
confused because we did not see any queries for tfn.net in the
named.querylog file, where we log all DNS queries.  I had to run a
snoop trace to see what was happening.

In this case, should BIND give the information about tfn.net in its
cache back to the requester?

It's not logging that message merely because it couldn't populate the 
Authority and/or Additional Sections. It's logging that message because 
freenet.tlh.fl.us is aliased to tfn.net. If access to the cache were 
allowed, and the tfn.net MX record(s) were present in the cache, they 
would be provided in the *Answer* Section of the response. I think it's 
reasonable for BIND to log a denied message when omitting data that 
would otherwise be in the Answer Section of a response. After all, BIND 
is explicitly giving the client less information than they asked for. 
That's a _bona_fide_ denial. Omitting records from the Authority or 
Additional Sections, which in most cases BIND is not obligated to 
provide anyway, probably doesn't warrant a log message, except perhaps 
at very detailed logging levels.

I suppose one might question whether BIND should log denied messages 
for data that wouldn't have been provided anyway, because it was not in 
authoritative data, or in the cache, and recursion was not requested 
and/or not available. But, as a general matter, if you're denying access 
to the cache, wouldn't you want to know *unsuccessful* attempts to fetch 
data from your cache, which might tip you off to DoS or cache sniffing 

Perhaps the denied attempts to fetch *non-existent* cache data could be 
logged at a different level than the denied attempts to fetch existing 
cache data, not sure if that would be a valuable feature or not...

- Kevin

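An added example, not from the thread and not BIND's own code, of the defender-side use Kevin describes: a small Python parser that pulls the "query (cache) ... denied" lines out of named's syslog output and counts them per client, so repeated denied cache lookups from one source stand out. The sample log lines are constructed; the first mirrors the Solaris-style line in Barry's post (joined onto one line), the others use the "client addr#port:" prefix that named normally puts in front of the message, and the flagging threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of named syslog lines (not taken from the thread).
# Line 1 mirrors the Solaris-style line in the original post; lines 2-5
# carry the "client addr#port:" prefix named normally emits; line 6 is noise.
SAMPLE_LOG = """\
Apr  1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info] query (cache) 'tfn.net/MX/IN' denied
Apr  1 09:09:15 thor.it.anl.gov named[171]: client 192.0.2.10#53211: query (cache) 'tfn.net/MX/IN' denied
Apr  1 09:09:16 thor.it.anl.gov named[171]: client 192.0.2.10#53212: query (cache) 'ftp.uu.net/A/IN' denied
Apr  1 09:09:17 thor.it.anl.gov named[171]: client 198.51.100.7#40000: query (cache) 'ftp.uu.net/A/IN' denied
Apr  1 09:09:18 thor.it.anl.gov named[171]: client 192.0.2.10#53213: query (cache) 'example.com/A/IN' denied
Apr  1 09:09:19 thor.it.anl.gov named[171]: zone tlh.fl.us/IN: loaded serial 2009040101
"""

DENIED_RE = re.compile(
    r"named\[(?P<pid>\d+)\]:\s+"
    r"(?:\[ID \d+ [\w.]+\]\s+)?"                         # optional Solaris syslog tag
    r"(?:client (?P<client>[0-9a-fA-F.:]+)#\d+:\s+)?"    # optional client prefix
    r"query \(cache\) '(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^']+)' denied"
)

def parse_denied(lines):
    """Yield (client, name, rtype) for every 'query (cache) ... denied' line."""
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            yield (m.group("client") or "unknown", m.group("name"), m.group("rtype"))

def summarize(lines, threshold=2):
    """Count denied cache lookups per client; return the counts and the
    clients whose count reaches the (assumed) threshold, with the names
    they asked for, so a sniffing or abuse pattern is visible at a glance."""
    per_client = Counter()
    names_by_client = defaultdict(set)
    for client, name, rtype in parse_denied(lines):
        per_client[client] += 1
        names_by_client[client].add(f"{name}/{rtype}")
    flagged = {c: sorted(names_by_client[c]) for c, n in per_client.items() if n >= threshold}
    return per_client, flagged

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG.splitlines())
    for client, n in counts.most_common():
        print(f"{client:15} {n} denied cache lookups")
    for client, names in flagged.items():
        print(f"FLAG {client}: {', '.join(names)}")
```

Feed it `tail -f` output of the syslog facility named logs to; lines that never reach the "denied" branch (the zone-loaded line above) are ignored.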
Re: Minor query (cache) denied Logging Bug?

2009-04-01 Thread Mark Andrews

In message 49d40ca4.70...@chrysler.com, Kevin Darcy writes:
 bsfin...@anl.gov wrote:
  I have a name server that is authoritative for the zone
  In that zone is a record
   freenet.tlh.fl.us.  IN  CNAME   tfn.net.
  My server is not authoritative for tfn.net.
  Some external client sends a request:
   What is the MX for freenet.tlh.fl.us.?
  My server responds (this is from a snoop trace):
   DNS:  Response ID = 61546
   DNS:  AA (Authoritative Answer)
   DNS:  Response Code: 0 (OK)
   DNS:  Reply to 1 question(s)
   DNS:  Domain Name: freenet.tlh.fl.us.
   DNS:  Class: 1 (Internet)
   DNS:  Type:  15 (Mail Exchange)
   DNS:  1 answer(s)
   DNS:  Domain Name: freenet.tlh.fl.us.
   DNS:  Class: 1 (Internet)
   DNS:  Type:  5 (Canonical Name)
   DNS:  TTL (Time To Live): 86400
   DNS:  Canonical Name: tfn.net.
   DNS:  0 name server resource(s)
   DNS:  0 additional record(s)
  This is a correct answer.  Note that there are no authority or
  additional sections.  But I also see in /var/adm/messages:
  Apr  1 09:09:14 thor.it.anl.gov named[171]: [ID 873579 daemon.info]
 query (cache) 'tfn.net/MX/IN' denied
  I assume that in the process of getting more information about
  to give the authority section and the additional section (this is from
  a query I made to an internal BIND server, where queries are not
   tfn.net.  1d23h59m59s IN NS  ns92.worldnic.com.
   tfn.net.  1d23h59m59s IN NS  ns91.worldnic.com.
   freenet.tfn.net.  2H IN A
   ns91.worldnic.com.  1d6h26m5s IN A
   ns92.worldnic.com.  1d6h26m5s IN A
  BIND 9.6.0-P1 determines that although it may have this information
  about tfn.net in its cache, it cannot give the information to the
  requester because I have not configured BIND to allow external users
  to query the cache.  If BIND did not have the information about tfn.net
  in its cache, would it go and retrieve the information and then
  decide that it was unable to give the cached information to the
  Should the query (cache) denied message be produced?  We were
  confused because we did not see any queries for tfn.net in the
  named.querylog file, where we log all DNS queries.  I had to run a
  snoop trace to see what was happening.
  In this case, should BIND give the information about tfn.net in its
  cache back to the requester?

 It's not logging that message merely because it couldn't populate the 
 Authority and/or Additional Sections. It's logging that message because 
 freenet.tlh.fl.us is aliased to tfn.net. If access to the cache were 
 allowed, and the tfn.net MX record(s) were present in the cache, they 
 would be provided in the *Answer* Section of the response. I think it's 
 reasonable for BIND to log a denied message when omitting data that 
 would otherwise be in the Answer Section of a response. After all, BIND 
 is explicitly giving the client less information than they asked for. 
 That's a _bona_fide_ denial. Omitting records from the Authority or 
 Additional Sections, which in most cases BIND is not obligated to 
 provide anyway, probably doesn't warrant a log message, except perhaps 
 at very detailed logging levels.
 I suppose one might question whether BIND should log denied messages 
 for data that wouldn't have been provided anyway, because it was not in 
 authoritative data, or in the cache, and recursion was not requested 
 and/or not available. But, as a general matter, if you're denying access 
 to the cache, wouldn't you want to know *unsuccessful* attempts to fetch 
 data from your cache, which might tip you off to DoS or cache sniffing 
 Perhaps the denied attempts to fetch *non-existent* cache data could be 
 logged at a different level than the denied attempts to fetch existing 
 cache data, not sure if that would be a valuable feature or not...

For the listed scenario the message should only be emitted if RD=1.

The following was done on a system with the following ACLs that is
also authoritative for dv.isc.org.  cname.dv.isc.org is a test
CNAME record.  Named's syslog messages are being tail -f'd while
the test was in progress.

allow-query-cache {; ::/1; };
allow-recursion {; ::/1; };

Note the first query did not elicit a log message and the second query
did.  A direct query for ftp.uu.net results in REFUSED being returned
which is independent of RD.

The test was run against BIND 9.6.1b1.


drugs# dig cname.dv.isc.org @ +norec

; <<>> DiG 9.3.6-P1 <<>> cname.dv.isc.org @ +norec
;; global options:  printcmd
;; Got answer: