why named logging query cache denied to /var/log/messages?

[hekri]

why named logging query cache denied to /var/log/messages?

I see many lines in /var/log/messages

Oct 23 12:57:14 server named[2503]: client 62.179.1.xxx#54378: query (cache) 'www.doman.com/A/IN' denied
Oct 23 12:57:14 server named[2503]: client 123.19.8.xxx#42069: query (cache) 'www.example.com/A/IN' denied
Oct 23 12:57:14 server named[2503]: client 90.27.7.xxx#18255: query (cache) 'www.example.com/A/IN' denied
Oct 23 12:57:14 server named[2503]: client 45.146.143.xxx#27191: query (cache) 'www.example.net/A/IN' denied

Why named logging thise?

I have alow recursion only to my trusted hosts.

I haved many lame servers in /var/log/messsages, i fix it by adding category lame-servers { null; }; do named.conf, maybe is the option to add to not logging query cache denied?

 

[salubrium]

Adding the following to your /etc/named.conf will stop logging the cache denied messages:

    category security { null; };

So it ends up looking like this in the logging section:

logging {
    category security { null; };
    channel default_debug {
            file "data/named.run";
            severity dynamic;
    };
};

 

[vectro]

I recently had this problem and figured something out. All of the domains in the log entries where from canceled web hosting accounts. The domains were still pointed to my DNS servers even though the sites went out of business or went offline. In other words, they no longer have a DNS or HTTP entry here, but the domains still exists and have their DNS records pointed here. That accounted for every domain in the logs that I checked manually when I was trying to figure out what was going on.

 

[jols]

I am having the same exact problem, in spades, especially on one server which is seeing about 20 log entries per second of this sort, and including the fact that the domains being queried are no longer have DNS established on the server, etc.

And yes, I've found that this logging can be switched off using "category security { null; };", but I would rather not switch off general security logging for named. Does anyone know of a way to switch off just and only the "query (cache)" logging?

 

[electric]

Did you figure out how to do this?

 

[gryzli]

As stated in BIND documentation, category "security" is concerned only with approved/denied queries, so I suppose it won't be such a miss to send them in /dev/null. You could always re-enable the logging if you need to debug some problems.

You could use the following steps to stop DNS logging of denied queries :

1. Edit /etc/named.conf
Make the logging section look like this (as salubrium suggested)

logging {
    category security { null; };
    channel default_debug {
            file "data/named.run";
            severity dynamic;
    };
};

2. Regenerate named.conf and restart named

/usr/local/cpanel/scripts/rebuilddnsconfig

or

/usr/local/cpanel/scripts/rebuilddnsconfig

3. Check if everything is okay
- First issue bad query for non-existing domain (you can execute this outside the server )
dig @your.server.com non-existing-domain.com

- Then go and check the messages log
grep named /var/log/messages | tail -n 100