[nsd-users] NSD incorrectly logging DNAME as refused?
Willem Toorop
willem at nlnetlabs.nl
Wed Jul 3 09:10:52 UTC 2024
B.t.w. I've created a PR for it that resolves it (see
https://github.com/NLnetLabs/nsd/pull/346 ), but we may need to discuss
if and how to resolve it first. First I'd like to know if your
configuration is similar in that the CNAME or DNAME target does contain
an allow-query list.
On 03-07-2024 at 10:52, Willem Toorop via nsd-users wrote:
> Hi Jamie,
>
> I can reproduce, but only if the target zone of the DNAME (or CNAME
> which behaves the same) matches a zone with an allow-query option that
> doesn't match the querier.
>
> For example with the following config in nsd.conf:
>
> zone:
> name: "."
> allow-query: 0::/128 NOKEY
>
> zone:
> name: "example"
> zonefile: "example"
>
> and an example zone that contains `nsdtest.example. CNAME
> hello.example.com.`, then indeed a query for `nsdtest.example.` gives
> the correct CNAME answer, but a "info: query nsdtest.example. from
> 127.0.0.1 refused, no acl matches" message is logged. NSD logs the
> error trying to add more records while following the CNAME, but the
> checked target CNAME domain has an acl forbidding this for the querier.
>
> Do you have a similar situation?
>
> Should an error be logged when CNAME targets match a zone with an
> allow-query list that doesn't match?
>
> -- Willem
>
> On 03-07-2024 at 04:12, Jamie Landeg-Jones via nsd-users wrote:
>> I just noticed this with NSD 4.10.0 (and earlier versions - it's not a
>> new regression)
>>
>> I have nsd set to log refused requests to syslog.
>>
>> After adding a DNAME type into my dns for one sub-zone that is being
>> moved, I noticed that legitimate requests for hosts under that subdomain
>> are working as expected, however they are being logged as refused.
>>
>> As a quick replicable test, I just did this to demonstrate the issue.
>>
>> Firstly, add this to my dyslexicfish.net domain:
>>
>> nsdtest IN DNAME hello.example.com.
>>
>> Then, update serial, reload, watch it propagate to secondaries etc.,
>> then from a machine with no specific acls (i.e. not from one of the
>> primaries or secondaries):
>>
>> | # dig sjsjqju2qu.nsdtest.dyslexicfish.net.
>> |
>> | ; <<>> DiG 9.18.27 <<>> sjsjqju2qu.nsdtest.dyslexicfish.net.
>> | ;; global options: +cmd
>> | ;; Got answer:
>> | ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53148
>> | ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
>> |
>> | ;; OPT PSEUDOSECTION:
>> | ; EDNS: version: 0, flags:; udp: 1232
>> | ; COOKIE: eef66b9e45770f3e010000006684ada8ca27d2ccb2d7c25f (good)
>> | ;; QUESTION SECTION:
>> | ;sjsjqju2qu.nsdtest.dyslexicfish.net. IN A
>> |
>> | ;; ANSWER SECTION:
>> | nsdtest.dyslexicfish.net. 86363 IN DNAME hello.example.com.
>> | sjsjqju2qu.nsdtest.dyslexicfish.net. 86363 IN CNAME sjsjqju2qu.hello.example.com.
>> |
>> | ;; AUTHORITY SECTION:
>> | example.com. 3600 IN SOA ns.icann.org. noc.dns.icann.org. 2024041842 7200 3600 1209600 3600
>> |
>> | ;; Query time: 30 msec
>> | ;; SERVER: 205.166.94.24#53(205.166.94.24) (UDP)
>> | ;; WHEN: Wed Jul 03 01:47:17 UTC 2024
>> | ;; MSG SIZE rcvd: 213
>>
>> This produces this via syslog on the nsd servers:
>>
>> | Jul 3 02:46:43 <daemon.info> catnip nsd[3620]: query
>> sjsjqju2qu.nsdtest.dyslexicfish.net. from 205.166.94.24 refused, no
>> acl matches .
>>
>> As can be seen from "dig", the result is valid, and everything works as
>> suspected, I'm just getting rather a lot of those "refused" messages, as
>> the domain gets a lot of traffic!
>>
>> I know I can disable the logging of such messages, but I do want to log
>> them when they are legitimate!
>>
>> (Obviously I first noticed this on a valid DNAME target zone of mine.
>> I just used 'hello.example.com' in the above demonstration to show that
>> it's nothing weird going on with my setup - delegating to any domain
>> that the nsd server itself doesn't serve causes the issue)
>>
>> Any ideas? And apologies for any late-night incoherencies in this
>> message!
>>
>> Cheers, Jamie
>> _______________________________________________
>> nsd-users mailing list
>> nsd-users at lists.nlnetlabs.nl
>> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
>
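Until the behaviour discussed above is resolved, an operator in Jamie's position still wants to keep logging genuine ACL refusals while filtering out the spurious ones that NSD emits when a query crosses a DNAME or CNAME into a zone whose allow-query list the querier does not match. The following script is an added example, not part of this thread and not NSD's own code. It parses the "query ... refused, no acl matches" syslog lines in the format shown in the thread and splits them by whether the queried name sits at or below a configured DNAME/CNAME owner. The sample log lines are constructed for this example, and the REDIRECT_OWNERS set is an assumption mirroring the thread's nsdtest record; fill it from your own zone data.

```python
import re
from collections import Counter

# Constructed sample log lines in the format NSD writes (see the syslog
# excerpt in the thread). Addresses other than the thread's own are
# documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jul 3 02:46:43 <daemon.info> catnip nsd[3620]: query sjsjqju2qu.nsdtest.dyslexicfish.net. from 205.166.94.24 refused, no acl matches .
Jul 3 02:46:44 <daemon.info> catnip nsd[3620]: query www.nsdtest.dyslexicfish.net. from 203.0.113.7 refused, no acl matches .
Jul 3 02:46:45 <daemon.info> catnip nsd[3620]: query www.dyslexicfish.net. from 198.51.100.9 refused, no acl matches .
Jul 3 02:46:46 <daemon.info> catnip nsd[3620]: notify for dyslexicfish.net. from 198.51.100.9 refused, no acl matches
Jul 3 02:46:47 <daemon.info> catnip nsd[3620]: query nsdtest.dyslexicfish.net. from 205.166.94.24 refused, no acl matches .
"""

# Assumption: owner names of DNAME (or CNAME) records whose targets lie in
# a zone with an allow-query list that ordinary queriers do not match.
# Taken from the reproduction in the thread; replace with your own.
REDIRECT_OWNERS = {"nsdtest.dyslexicfish.net."}

# Matches the refusal line NSD logs; the qname and source address are
# captured so refusals can be grouped per name and per querier.
REFUSED_RE = re.compile(
    r"nsd\[\d+\]: query (?P<qname>\S+) from (?P<src>\S+) refused, no acl matches"
)


def canonical(name):
    """Lower-case and fully qualify a DNS name so comparisons are stable."""
    return name.lower().rstrip(".") + "."


def under_owner(qname, owners):
    """True if qname equals, or is a subdomain of, any configured owner."""
    q = canonical(qname)
    return any(q == canonical(o) or q.endswith("." + canonical(o)) for o in owners)


def classify(log_text, owners=REDIRECT_OWNERS):
    """Split refusal lines into (suspect, genuine) Counters keyed by (qname, src).

    'suspect' holds refusals for names at or below a redirect owner: these
    are the spurious messages the thread describes, because the answer was
    actually served and only the target zone's ACL check failed.
    'genuine' holds every other refusal, which an operator still wants to see.
    """
    suspect, genuine = Counter(), Counter()
    for line in log_text.splitlines():
        m = REFUSED_RE.search(line)
        if not m:
            continue  # not a query refusal (e.g. a refused NOTIFY)
        key = (canonical(m["qname"]), m["src"])
        if under_owner(m["qname"], owners):
            suspect[key] += 1
        else:
            genuine[key] += 1
    return suspect, genuine


if __name__ == "__main__":
    suspect, genuine = classify(SAMPLE_LOG)
    print("Spurious (query crossed a DNAME/CNAME into an ACL-protected zone):")
    for (qname, src), n in suspect.most_common():
        print(f"  {n:4d}  {qname} from {src}")
    print("Genuine ACL refusals to keep investigating:")
    for (qname, src), n in genuine.most_common():
        print(f"  {n:4d}  {qname} from {src}")
```

Pipe the NSD portion of syslog into classify() instead of SAMPLE_LOG to run it on real data; only the "query ... refused" lines are consulted, so refused NOTIFY or transfer messages are left untouched and still surface in the genuine set if they are query refusals from an unexpected source.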