6

inadvertedly, a bind9 server I ran was an open resolver. Whoops.

Now it's been months and the recursive queries for isc.org are still incoming. I would not mind if my /var/log/syslog did not look like this:

Jul  6 01:10:23 servername last message repeated 6 times
Jul  6 01:10:23 servername named[2580]: client YYY.YY.YYY.YYY#25345: query (cache) 'isc.org/ANY/IN' denied
Jul  6 01:10:23 servername named[2580]: client ZZZ.ZZ.ZZZ.ZZ#25345: query (cache) 'isc.org/ANY/IN' denied
Jul  6 01:10:23 servername last message repeated 7 times
Jul  6 01:10:23 servername named[2580]: client AAA.AAA.A.AAA#25345: query (cache) 'isc.org/ANY/IN' denied
Jul  6 01:10:23 servername named[2580]: client BBB.BB.BB.BBB#25345: query (cache) 'isc.org/ANY/IN' denied
Jul  6 01:10:23 servername last message repeated 6 times

(One might find it funny that the above messages all appear within one second... I no longer don't.)

This really, REALLY makes it hard to catch any real errors that another service on the system may report.

I'd like to make bind9 no longer log these messages. And I'm crossing my fingers that it is possible to make only these messages disappear from the logs.

In what way can I disable messages that recursion is disallowed from appearing in the syslog (or other logs)?

servername:/etc/bind9# named -V
BIND 9.8.4-rpz2+rl005.12-P1 built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
using OpenSSL version: OpenSSL 1.0.1c 10 May 2012
using libxml2 version: 2.8.0

servernane:/etc/bind9# uname -a
Linux servername 3.2.0-4-686-pae #1 SMP Debian 3.2.35-2 i686 GNU/Linux

To clarify:

I'm interested in more detailed example on how to silence just the 'recursion denied'-type messages.

Ivan Vučica
  • 224
  • 1
  • 4
  • 13
  • What distribution are you running? If you are using rsyslog, and named is logging to rsyslog, you may be able to use a regexp pattern to exclude it? – fukawi2 Jul 05 '13 at 23:49
  • @fukawi2 My distribution is Debian, as visible from `uname -a`. If you need more information than that, I'll check in greater detail. – Ivan Vučica Jul 05 '13 at 23:59
  • Those queries are attempts to use you as an amplification attack relay (`ANY?` is always your first hint, and `isc.org` is the classic query). You've made it into a list of known open recursors that bots are using. While this isn't the answer that you're looking for, you might want to change the IP address of these DNS servers and give the IPs to something where you can safely drop port 53. You'd probably want to change the glue record naming scheme as well. – Andrew B Jul 06 '13 at 00:45
  • @AndrewB I'm aware of what's going on :-) and I've thought of changing the IP. I'll probably do it. I'm however interested in what exactly you mean by 'changing the glue record naming scheme'? – Ivan Vučica Jul 06 '13 at 15:18
  • 1
    @Ivan If someone is referring to your nameserver by `ns1.foobar.com`, changing the IP doesn't help if `ns1.foobar.com` still gets someone to your nameserver. Changing the scheme (example: `ns1.east.foobar.com`) breaks the robots but doesn't break your actual clients, since the servers that are behaving correctly are tracing their way to your domains from the root nameservers. – Andrew B Jul 07 '13 at 15:12

4 Answers4

6

Regarding disabling all the bind error logging for recursive queries such as "query (cache) 'theswat.net/ANY/IN' denied"

The below in /etc/named.conf redirect these to /var/named/data/named.security with a total size limit of 15mbytes of rolling over logs. Note that category security is only “Approval and denial of requests.”

logging {
        channel default_debug {
                    file "data/named.run";
                severity dynamic;
        };
        // Redirect all of those 'denied' logs for non-existing domains or external ones (we are 'recursion no;')
        //   logs to /var/named/data/named.security, up to 3 files of 5mbytes each
        //   independent hack_detect processes can then scan for flooders and known abusers and block their IPs
        channel hd_security {
                file "data/named.security" versions 3 size 5m;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        category security { hd_security; };
};
Lynn Slater
  • 76
  • 1
  • 1
    Thanks! On Debian, I did `mkdir /var/log/named`, `chown bind /var/log/named` and changed the path to an absolute one, `/var/log/named/named.security`. I also skipped `channel default_debug` section. On a side note, I seem to be getting no requests logged, though, except when explicitly requesting a test. So the server must have went off some lists! Hooray! ;) – Ivan Vučica Jul 22 '13 at 19:15
4

See the BIND Administrator's Reference Manual (aka "the ARM", which is included with your source distribution, or consult the link tables in the ISC Knowledge Base to find the version specific to your BIND version) and go to section 6.2.10, which covers logging.

BIND error messages are emitted in various categories and you can specify their destination based on category. While I don't know offhand and would have to check the source to know exactly in which category is the error message you want to suppress, once you have identified the category (either by checking the source or by trial and error) you can suppress error messages for that category using the sample syntax shown in the ARM, i.e.:

To discard all messages in a category, specify the null channel:
category xfer-out { null; };
category notify { null; };

I would start with the "resolver" category, although because it's a denial message it might belong to "security" -- actually the area you have described kind of sits between several possible categories (which is why I can't say off the top of my head which is correct..) "resolver" sounds like messages you don't expect to find useful anyway, if you are not trying to perform recursion for clients.

Michael McNally
  • 1,500
  • 9
  • 14
1

Yes, it is possible to silence bind. Check your configuration for category and channel definitions. If this is showing up in your syslog, then find the channel(s) mentioning syslog. There is also a default_syslog channel built in. Then find the categories logging to these channels. Comment out the category or redirect it to a different channel. You may want to redirect to a log while you test.

More detail can be found here: http://www.zytrax.com/books/dns/ch7/logging.html

BillThor
  • 27,737
  • 3
  • 37
  • 69
  • Thanks. I silenced bind entirely by redirecting everything to null. I'm however unsure how to go about disabling just this error about recursion? This server will never be a recursive one, so these errors are not important for me; but others might be. So, any tips? – Ivan Vučica Jul 06 '13 at 00:19
  • @IvanVučica Don't send all errors to null, only those types you don't want. Alternatively, send them to their own log with a small size and limited rotation. – BillThor Jul 23 '13 at 00:07
  • That's why I accepted Lynn Slater's answer. :-) – Ivan Vučica Jul 23 '13 at 22:43
0

For those using syslog and don't want to discard everything. Technically you don't want to send everything to NULL. Here WARNING's and CRITICAL's are still being logged.

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
        channel syslog {
                syslog;
                severity warning;
                print-severity yes;
                print-category yes;
        };
        category default{
                syslog;
        };
};
charlesrg
  • 1