Inadvertently, a bind9 server I ran was an open resolver. Whoops.
Now it's been months and the recursive queries for isc.org
are still incoming. I would not mind if my /var/log/syslog
did not look like this:
Jul 6 01:10:23 servername last message repeated 6 times
Jul 6 01:10:23 servername named[2580]: client YYY.YY.YYY.YYY#25345: query (cache) 'isc.org/ANY/IN' denied
Jul 6 01:10:23 servername named[2580]: client ZZZ.ZZ.ZZZ.ZZ#25345: query (cache) 'isc.org/ANY/IN' denied
Jul 6 01:10:23 servername last message repeated 7 times
Jul 6 01:10:23 servername named[2580]: client AAA.AAA.A.AAA#25345: query (cache) 'isc.org/ANY/IN' denied
Jul 6 01:10:23 servername named[2580]: client BBB.BB.BB.BBB#25345: query (cache) 'isc.org/ANY/IN' denied
Jul 6 01:10:23 servername last message repeated 6 times
(One might find it funny that the above messages all appear within one second... I no longer do.)
This really, REALLY makes it hard to catch any real errors that another service on the system may report.
I'd like to make bind9 no longer log these messages. And I'm crossing my fingers that it is possible to make only these messages disappear from the logs.
How can I keep the messages about disallowed recursion from appearing in the syslog (or other logs)?
servername:/etc/bind9# named -V
BIND 9.8.4-rpz2+rl005.12-P1 built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
using OpenSSL version: OpenSSL 1.0.1c 10 May 2012
using libxml2 version: 2.8.0
servernane:/etc/bind9# uname -a
Linux servername 3.2.0-4-686-pae #1 SMP Debian 3.2.35-2 i686 GNU/Linux
To clarify:
I'm interested in a more detailed example of how to silence just the 'recursion denied'-type messages.
Regarding disabling all the bind error logging for recursive queries such as "query (cache) 'theswat.net/ANY/IN' denied":
The configuration below in /etc/named.conf redirects these to /var/named/data/named.security with a total size limit of 15 MB of rolling logs. Note that category security is only "Approval and denial of requests."
See the BIND Administrator's Reference Manual (aka "the ARM", which is included with your source distribution, or consult the link tables in the ISC Knowledge Base to find the version specific to your BIND version) and go to section 6.2.10, which covers logging.
BIND error messages are emitted in various categories and you can specify their destination based on category. While I don't know offhand and would have to check the source to know exactly which category the error message you want to suppress falls in, once you have identified the category (either by checking the source or by trial and error) you can suppress error messages for that category using the sample syntax shown in the ARM, i.e.:
I would start with the "resolver" category, although because it's a denial message it might belong to "security" -- actually the area you have described kind of sits between several possible categories (which is why I can't say off the top of my head which is correct...). "resolver" sounds like messages you don't expect to find useful anyway, if you are not trying to perform recursion for clients.
Yes, it is possible to silence bind. Check your configuration for category and channel definitions. If this is showing up in your syslog, then find the channel(s) mentioning syslog. There is also a default_syslog channel built in. Then find the categories logging to these channels. Comment out the category or redirect it to a different channel. You may want to redirect to a log while you test.
More detail can be found here: http://www.zytrax.com/books/dns/ch7/logging.html
For those using syslog who don't want to discard everything: technically you don't want to send everything to NULL. Here WARNINGs and CRITICALs are still being logged.
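As an added example (not the configuration from either answer above), here is a complete `logging` block for named.conf that combines the two approaches described: the dedicated file channel for category `security` from the /var/named/data/named.security answer, and the severity-filtered syslog channel from this one. It assumes the "query (cache) ... denied" messages belong to category `security`, as that answer states, reuses its file path and 15 MB budget, and the channel names are my own.

```conf
logging {
    // The denial messages belong to category "security" (per the answer above),
    // so route that whole category to its own file instead of the syslog channel.
    // Path taken from that answer; adjust to your layout and make sure the
    // user named runs as can write to the directory.
    channel security_file {
        file "/var/named/data/named.security" versions 3 size 5m; // 3 x 5 MB = 15 MB on disk
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };

    // Everything else still goes to syslog, but only at warning and above,
    // so real problems from other categories remain visible in /var/log/syslog.
    channel syslog_warnings {
        syslog daemon;
        severity warning;
        print-category yes;
        print-severity yes;
    };

    // To drop the denials entirely instead of keeping them in a file,
    // replace "security_file" with the built-in "null" channel.
    category security { security_file; };
    category default  { syslog_warnings; };
};
```

Reload with `rndc reload` (or restart named) and check that the denial lines now land in the file while other categories still reach syslog; if they keep appearing in syslog, the category assumption is wrong for your build and the ARM's category list is the place to look next.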