
query (cache) denied messages


blrmaani

Apr 24, 2008, 9:55:27 PM
I upgraded to BIND 9.3.2 from BIND 9.2 recently and started seeing
these messages in syslog. These messages are filling up my syslog.

client A.B.C.D#yyyy : query (cache) 'blahblah/A/IN' denied

My DNS server is configured as Authoritative Name Server with
recursion=no.

I can't afford to change my named.conf now. Can I fix this using some
logging category?

thanks a lot
Blr

Kirk

Apr 25, 2008, 8:05:45 AM


Changing your BIND logging characteristics requires modification to your
named.conf.

Below is the URL to the BIND 9.3 ARM (Administrator Reference Manual) section
on "logging Statement Definition and Usage"

http://www.isc.org/sw/bind/arm93/Bv9ARM.ch06.html#id2553269

regards,
Kirk

blrmaani

Apr 25, 2008, 8:30:37 AM
Sorry, I meant to say I cannot change named.conf which impacts queries
to my name server.
Any changes involving logging are acceptable.

I will check the URL.

JINMEI Tatuya / 神明達哉

Apr 25, 2008, 1:00:05 PM
At Thu, 24 Apr 2008 18:55:27 -0700 (PDT),
blrmaani <blrm...@gmail.com> wrote:

> I upgraded to BIND 9.3.2 from BIND 9.2 recently and started seeing
> these messages in syslog. These messages are filling up my syslog.
>
> client A.B.C.D#yyyy : query (cache) 'blahblah/A/IN' denied
>
> My DNS server is configured as Authoritative Name Server with
> recursion=no.
>
> I can't afford to change my named.conf now. Can I fix this using some
> logging category?

Can you show your named.conf (not obfuscating specific details such as
IP addresses and zone names as much as possible)?

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.

blrmaani

Apr 27, 2008, 1:07:48 PM
I have two name servers - Let's call them NS1 and NS2. NS1 is
authoritative and NS2 is cache-only.
The logs are seen on NS1's syslog.

I also tried using category lame-servers {null; }; to suppress the
messages with NO luck.

NS1's named.conf is something like this:

options {
    recursion no;
};

zone "supportedzone1" {
    allow-query { blah; };
};

// Root zone is commented out as per response requirement. db.root is unused
// zone "." { ... }

NS2's named.conf is something like this:

options {
    recursion yes;
};

zone "." {
    file "db.root";
};

// Contents of db.root on NS2 is as follows

<SOA BLOCK for . zone> (
)
NS NS1
NS1 A 1.2.3.4


Barry Margolin

Apr 27, 2008, 3:14:48 PM
In article <fv2cc6$v5r$1...@sf1.isc.org>, blrmaani <blrm...@gmail.com>
wrote:

> I have two name servers - Let's call them NS1 and NS2. NS1 is
> authoritative and NS2 is cache-only.
> The logs are seen on NS1's syslog.
>
> I also tried using category lame-servers {null; }; to suppress the
> messages with NO luck.

Why did you think lame servers would have anything to do with this?
These log messages are due to people trying to use your authoritative
server as a caching server, for some reason. You should probably try to
find out why.

Anyway, to suppress the log messages, try changing either the client or
security category.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
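
The advice above to find out who is using the authoritative server as a cache can be followed from the syslog itself by tallying the denied clients and the names they ask for. This is an added example, not part of any post in this thread; the function name `summarize_denied` is hypothetical, and the sample log lines, host names and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Matches the message quoted in the thread. Whitespace before the colon is
# optional because the post shows "#yyyy :" with a space.
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)\s*:\s*"
    r"query \(cache\) '(?P<name>[^/']+)/(?P<rtype>[^/']+)/(?P<rclass>[^/']+)' denied"
)

# Constructed sample syslog lines (documentation addresses and names).
SAMPLE_SYSLOG = """\
Apr 24 18:50:01 ns1 named[812]: client 192.0.2.10#33012: query (cache) 'www.example.net/A/IN' denied
Apr 24 18:50:02 ns1 named[812]: client 192.0.2.10#33013: query (cache) 'mail.example.net/MX/IN' denied
Apr 24 18:50:05 ns1 named[812]: client 198.51.100.7#5353 : query (cache) 'www.example.org/A/IN' denied
Apr 24 18:50:09 ns1 named[812]: zone supportedzone1/IN: loaded serial 2008042401
Apr 24 18:51:14 ns1 named[812]: client 192.0.2.10#33014: query (cache) 'www.example.net/A/IN' denied
"""


def summarize_denied(lines):
    """Return (Counter of denials per client IP, dict of IP -> set of name/type)."""
    counts = Counter()
    names = defaultdict(set)
    for line in lines:
        m = DENIED_RE.search(line)
        if m is None:
            continue  # unrelated named message
        counts[m["ip"]] += 1
        names[m["ip"]].add(f"{m['name']}/{m['rtype']}")
    return counts, dict(names)


if __name__ == "__main__":
    counts, names = summarize_denied(SAMPLE_SYSLOG.splitlines())
    # Busiest clients first: these are the hosts sending cache queries to NS1.
    for ip, n in counts.most_common():
        print(f"{ip:15} {n:4}  {', '.join(sorted(names[ip]))}")
```
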

JINMEI Tatuya / 神明達哉

Apr 30, 2008, 3:32:57 PM
At Sun, 27 Apr 2008 10:07:48 -0700 (PDT),
blrmaani <blrm...@gmail.com> wrote:

> I have two name servers - Let's call them NS1 and NS2. NS1 is
> authoritative and NS2 is cache-only.
> The logs are seen on NS1's syslog.
>
> I also tried using category lame-servers {null; }; to suppress the
> messages with NO luck.

> NS1's named.conf is something like this:
>
> options {
>     recursion no;
> };
>
> zone "supportedzone1" {
>     allow-query { blah; };
> };
>
> // Root zone is commented out as per response requirement. db.root is unused
> // zone "." { ... }

Please show all other parts of the named.conf. Please also don't
hide/obfuscate specific information such as zone name and ACL
configuration unless it's absolutely necessary.
