Bind9: Disabling error logging for recursive queries

bind, domain-name-system

Inadvertently, a bind9 server I ran was an open resolver. Whoops.

Now it's been months and the recursive queries for isc.org are still incoming. I would not mind if my /var/log/syslog did not look like this:

Jul  6 01:10:23 servername last message repeated 6 times
Jul  6 01:10:23 servername named[2580]: client YYY.YY.YYY.YYY#25345: query (cache) 'isc.org/ANY/IN' denied
Jul  6 01:10:23 servername named[2580]: client ZZZ.ZZ.ZZZ.ZZ#25345: query (cache) 'isc.org/ANY/IN' denied
Jul  6 01:10:23 servername last message repeated 7 times
Jul  6 01:10:23 servername named[2580]: client AAA.AAA.A.AAA#25345: query (cache) 'isc.org/ANY/IN' denied
Jul  6 01:10:23 servername named[2580]: client BBB.BB.BB.BBB#25345: query (cache) 'isc.org/ANY/IN' denied
Jul  6 01:10:23 servername last message repeated 6 times

(One might find it funny that the above messages all appear within one second… I no longer do.)

This really, REALLY makes it hard to catch any real errors that another service on the system may report.

I'd like to make bind9 no longer log these messages. And I'm crossing my fingers that it is possible to make only these messages disappear from the logs.

In what way can I disable messages that recursion is disallowed from appearing in the syslog (or other logs)?

servername:/etc/bind9# named -V
BIND 9.8.4-rpz2+rl005.12-P1 built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
using OpenSSL version: OpenSSL 1.0.1c 10 May 2012
using libxml2 version: 2.8.0

servername:/etc/bind9# uname -a
Linux servername 3.2.0-4-686-pae #1 SMP Debian 3.2.35-2 i686 GNU/Linux

To clarify:

I'm interested in more detailed example on how to silence just the 'recursion denied'-type messages.

Best Answer

Regarding disabling all the bind error logging for recursive queries such as "query (cache) 'theswat.net/ANY/IN' denied"

The configuration below in /etc/named.conf redirects these to /var/named/data/named.security with a total size limit of 15mbytes of rolling logs. Note that category security is only “Approval and denial of requests.”

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
        // Redirect all of those 'denied' logs for non-existing domains or external ones (we are 'recursion no;')
        //   logs to /var/named/data/named.security, up to 3 files of 5mbytes each
        //   independent hack_detect processes can then scan for flooders and known abusers and block their IPs
        channel hd_security {
                file "data/named.security" versions 3 size 5m;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        category security { hd_security; };
};
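The answer mentions scanning the redirected 'denied' logs for flooders. The following is an added example, not part of the original answer, of such a scan over syslog-formatted named output: it counts denied recursive queries per client and query name, and it attributes syslog's "last message repeated N times" lines (which the question's excerpt shows) to the preceding named entry. The sample log lines and client addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample, shaped like the syslog excerpt in the question.
# Addresses are documentation-range placeholders, not real clients.
SAMPLE_SYSLOG = """\
Jul  6 01:10:23 servername named[2580]: client 192.0.2.10#25345: query (cache) 'isc.org/ANY/IN' denied
Jul  6 01:10:23 servername last message repeated 6 times
Jul  6 01:10:23 servername named[2580]: client 198.51.100.7#25345: query (cache) 'isc.org/ANY/IN' denied
Jul  6 01:10:23 servername named[2580]: client 192.0.2.10#25345: query (cache) 'isc.org/ANY/IN' denied
Jul  6 01:10:24 servername sshd[1234]: Accepted publickey for admin from 203.0.113.5 port 50022
Jul  6 01:10:24 servername last message repeated 2 times
"""

DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"query \(cache\) '(?P<qname>[^']+)' denied$"
)
REPEAT_RE = re.compile(r" last message repeated (?P<n>\d+) times$")


def count_denied(syslog_text):
    """Return Counter of (client, qname) -> number of denied recursive queries.

    A 'last message repeated N times' line refers to whatever line preceded
    it, so its count is added to the previous entry only when that entry was
    itself a named 'denied' message; any other line breaks the chain.
    """
    counts = Counter()
    last_key = None
    for line in syslog_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            last_key = (m.group("client"), m.group("qname"))
            counts[last_key] += 1
            continue
        r = REPEAT_RE.search(line)
        if r and last_key is not None:
            counts[last_key] += int(r.group("n"))
            continue
        last_key = None  # unrelated daemon output: repeats no longer refer to named
    return counts


def top_clients(counts, threshold):
    """Clients whose denied-query total reaches the threshold, busiest first."""
    per_client = Counter()
    for (client, _qname), n in counts.items():
        per_client[client] += n
    return [(c, n) for c, n in per_client.most_common() if n >= threshold]


if __name__ == "__main__":
    for client, n in top_clients(count_denied(SAMPLE_SYSLOG), threshold=5):
        print(f"{client}: {n} denied recursive queries")
```

Pointing the script at the dedicated named.security channel instead of /var/log/syslog gives the same per-client totals without the other daemons' lines interleaved.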