Discussion:
No logging of failed queries
Sachchidanand Upadhyay via bind-users
2021-04-13 12:40:31 UTC
Hi,

I am using bind's geoip feature, created one ACL to allow country IN. I am not getting logs of a failed query if the client IP is other than country IN.
Rest all is working fine, getting logs of successful queries. Below find the config details:

BIND 9.16.13 (Stable Release) <id:072e758>
running on Linux x86_64 3.10.0-1160.24.1.el7.x86_64 #1 SMP Thu Apr 8 19:51:47 UTC 2021
built by make with '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' '--mandir=/usr/share/man' '--with-libtool=/usr/lib64' '--disable-static' '--with-maxminddb'
compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-44)
compiled with OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
compiled with libuv version: 1.41.0
linked to libuv version: 1.41.0
compiled with zlib version: 1.2.7
linked to zlib version: 1.2.7
linked to maxminddb version: 1.2.0
threads support is enabled

default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
geoip-directory: /usr/share/GeoIP


acl "test" {
    geoip country IN;
};

options {
    geoip-directory "path to geo db";

view "local" {
    match-clients { test; };
    recursion yes;

channel queries {
    file "/var/log/queries";
    print-time yes;
    print-category yes;
    print-severity yes;
};
category queries {
    queries;
};
channel security {
    file "/var/log/security";
    print-time yes;
    print-category yes;
    print-severity yes;
};
category security {
    queries;
};
channel query-errors {
    file "/var/log/query-errors";
    print-time yes;
    print-category yes;
    print-severity yes;
};
category query-errors {
    query-errors;
};


BR,
Sachchidanand
Mark Andrews
2021-04-13 20:18:51 UTC
Real world configurations would have a catch all view after the more specific views. Add one.
--
Mark Andrews
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users
Gaurav Kansal
2021-04-14 09:38:47 UTC
Hi Mark,

Is there a way by which we can log the denied statement w.r.t. the view
somewhere in logging?

Regards,
Gaurav
--
Thanks and Regards,
Gaurav Kansal
+91-9910118448
Chuck Aurora
2021-04-14 18:11:57 UTC
Post by Gaurav Kansal
Is there a way by which we can log the denied statement w.r.t. the view
somewhere in logging?
The thing is, your view did not deny anything. Your non-.IN client
simply does not match the match-clients list for that view.
Post by Gaurav Kansal
Post by Mark Andrews
Real world configurations would have a catch all view after the
more specific views. Add one.
And that's what Mark is suggesting here. If you follow your view
with another view:

view "any" {
    match-clients { any; };
    // allow-recursion takes an address match list, not a boolean
    allow-recursion { none; };
    allow-query { none; };
};

... then you get your denied query.
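
The advice in this thread put together as one named.conf layout; this is an added example, not a configuration posted by anyone in the thread. The channel names, `querylog yes;`, `recursion no;` and the use of the default geoip-directory path from the `named -V` output above are assumptions.

```conf
// Added example: geoip-restricted view followed by a catch-all view,
// with denials written to their own log file.

acl "test" {
    geoip country IN;
};

options {
    geoip-directory "/usr/share/GeoIP";   // assumed: default path shown by named -V
    querylog yes;                          // assumed: query logging enabled at startup
};

// logging is a top-level statement; it does not go inside options or a view.
logging {
    channel queries_log {
        file "/var/log/queries";
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel security_log {
        file "/var/log/security";
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category queries  { queries_log; };
    // Denied queries are logged under the security category. In the
    // configuration as posted, "category security" points at the
    // "queries" channel, so denials would land in /var/log/queries.
    category security { security_log; };
};

// Views are tried in order; the first match-clients that matches wins.
view "local" {
    match-clients { test; };
    recursion yes;
};

// Catch-all view, listed last. Clients outside the ACL now match a view,
// are refused by it, and the refusal is logged with "view any".
view "any" {
    match-clients { any; };
    recursion no;
    allow-query { none; };
};
```

Running `named-checkconf` on the file before reloading catches brace and statement-placement mistakes.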