Why is named logging "query (cache) denied" to /var/log/messages?

hekri


I see many lines in /var/log/messages
Code:
Oct 23 12:57:14 server named[2503]: client 62.179.1.xxx#54378: query (cache) 'www.doman.com/A/IN' denied
Oct 23 12:57:14 server named[2503]: client 123.19.8.xxx#42069: query (cache) 'www.example.com/A/IN' denied
Oct 23 12:57:14 server named[2503]: client 90.27.7.xxx#18255: query (cache) 'www.example.com/A/IN' denied
Oct 23 12:57:14 server named[2503]: client 45.146.143.xxx#27191: query (cache) 'www.example.net/A/IN' denied
Why is named logging these?

I allow recursion only for my trusted hosts.

I had many lame server entries in /var/log/messages; I fixed it by adding category lame-servers { null; }; to named.conf. Maybe there is an option to add so that query cache denied is not logged?
 

salubrium

Adding the following to your /etc/named.conf will stop logging the cache denied messages:

Code:
    category security { null; };
So it ends up looking like this in the logging section:
Code:
logging {
    category security { null; };
    channel default_debug {
            file "data/named.run";
            severity dynamic;
    };
};
 

vectro

I recently had this problem and figured something out. All of the domains in the log entries were from canceled web hosting accounts. The domains were still pointed to my DNS servers even though the sites went out of business or went offline. In other words, they no longer have a DNS or HTTP entry here, but the domains still exist and have their DNS records pointed here. That accounted for every domain in the logs that I checked manually when I was trying to figure out what was going on.
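
Added example, not part of the original thread: a small Python triage of the "query (cache) ... denied" lines that automates the manual check described above and reports the peak per-second rate before anyone decides to null the whole security category. The names `triage`, `in_zone` and the `former_zones` list of domains from removed accounts are assumptions made for this sketch.

```python
import re
from collections import Counter

# "query (cache) ... denied" as logged in this thread; the optional groups also
# accept the "@0x..." client id, "(qname)" and "view X:" parts newer BIND adds.
DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ named\[\d+\]: client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[^\s#]+)#\d+(?: \([^)]*\))?: (?:view [^:]+: )?"
    r"query \(cache\) '(?P<name>[^/']+)/(?P<qtype>[^/']+)/[^']+' denied"
)

def in_zone(name, zones):
    """True if name equals, or is a subdomain of, any zone in zones."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))

def triage(lines, former_zones):
    """Summarize cache-denied lines: counts, peak rate, stale vs. unrelated names."""
    former = {z.lower().rstrip(".") for z in former_zones}
    per_name, per_client, per_second = Counter(), Counter(), Counter()
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue  # other named/syslog messages are ignored
        per_name[m["name"].lower().rstrip(".")] += 1
        per_client[m["ip"]] += 1
        per_second[m["ts"]] += 1
    return {
        "per_name": per_name,
        "per_client": per_client,
        "peak_per_second": max(per_second.values(), default=0),
        # names under a removed account's domain: the delegation still points here
        "stale": sorted(n for n in per_name if in_zone(n, former)),
        # names never hosted here: the client wanted recursion from this server
        "unrelated": sorted(n for n in per_name if not in_zone(n, former)),
    }

# Constructed sample: the four lines quoted in the thread plus one made-up
# lame-server line that must be skipped.
SAMPLE = """\
Oct 23 12:57:14 server named[2503]: client 62.179.1.xxx#54378: query (cache) 'www.doman.com/A/IN' denied
Oct 23 12:57:14 server named[2503]: client 123.19.8.xxx#42069: query (cache) 'www.example.com/A/IN' denied
Oct 23 12:57:14 server named[2503]: client 90.27.7.xxx#18255: query (cache) 'www.example.com/A/IN' denied
Oct 23 12:57:14 server named[2503]: client 45.146.143.xxx#27191: query (cache) 'www.example.net/A/IN' denied
Oct 23 12:57:15 server named[2503]: lame server resolving 'example.org' (in 'example.org'?): 192.0.2.53#53
""".splitlines()

if __name__ == "__main__":
    report = triage(SAMPLE, ["example.com", "doman.com"])  # hypothetical former zones
    print(report["peak_per_second"], report["stale"], report["unrelated"])
```

On a live server, feed it the output of `grep named /var/log/messages` instead of `SAMPLE`.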
 

jols

I am having the same exact problem, in spades, especially on one server which is seeing about 20 log entries per second of this sort, including the fact that the domains being queried no longer have DNS established on the server, etc.

And yes, I've found that this logging can be switched off using "category security { null; };", but I would rather not switch off general security logging for named. Does anyone know of a way to switch off just and only the "query (cache)" logging?
 

electric

Did you figure out how to do this?
 

gryzli

As stated in the BIND documentation, category "security" is concerned only with approved/denied queries, so I suppose it won't be such a miss to send them to /dev/null. You could always re-enable the logging if you need to debug some problems.

You could use the following steps to stop DNS logging of denied queries:

1. Edit /etc/named.conf
Make the logging section look like this (as salubrium suggested)
Code:
logging {
    category security { null; };
    channel default_debug {
            file "data/named.run";
            severity dynamic;
    };
};
2. Regenerate named.conf and restart named
Code:
/usr/local/cpanel/scripts/rebuilddnsconfig
3. Check if everything is okay
- First issue a bad query for a non-existing domain (you can execute this from outside the server):
Code:
dig @your.server.com non-existing-domain.com

- Then go and check the messages log:
Code:
grep named /var/log/messages | tail -n 100
 