Merge branch 'pspacek/log-no-recursion-reason' into 'main'

Log reasons why ACL denied recursion or cache peek

See merge request isc-projects/bind9!6669
Petr Špaček 2022-09-15 07:40:17 +00:00
commit 0b7f082060
4 changed files with 70 additions and 17 deletions


@ -1,3 +1,5 @@
5970. [func] Log the reason why a query was refused. [GL !6669]
5969. [bug] DNSSEC signing statistics failed to identify the
algorithm involved. The key names have been changed
to be the algorithm number followed by "+" followed


@ -95,6 +95,7 @@ $DIG $DIGOPTS @10.53.0.2 -b 10.53.0.2 a.normal.example a > dig.out.ns2.$n || ret
grep 'status: REFUSED' dig.out.ns2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns2.$n > /dev/null || ret=1
grep '^a.normal.example' dig.out.ns2.$n > /dev/null && ret=1
nextpart ns2/named.run | grep 'recursion not enabled for view' > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@ -636,11 +637,13 @@ status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "test $n: default allow-recursion configuration"
ret=0
nextpart ns3/named.run > /dev/null
$DIG -p ${PORT} @10.53.0.3 -b 127.0.0.1 a.normal.example a > dig.out.ns3.1.$n
grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 a.normal.example a > dig.out.ns3.2.$n
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion did not match' > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@ -653,6 +656,7 @@ grep 'status: NOERROR' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 -b 10.53.0.1 ns . > dig.out.ns3.2.$n
grep 'status: REFUSED' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.2.$n > /dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion did not match' > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@ -671,6 +675,7 @@ grep 'ANSWER: 1' dig.out.ns3.1.$n > /dev/null || ret=1
$DIG -p ${PORT} @10.53.0.3 b.normal.example a > dig.out.ns3.2.$n
grep 'recursion requested but not available' dig.out.ns3.2.$n > /dev/null || ret=1
grep 'ANSWER: 0' dig.out.ns3.2.$n > /dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@ -697,6 +702,7 @@ $DIG -p ${PORT} @10.53.1.2 d.normal.example a > dig.out.ns3.4.$n
grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n > /dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
@ -723,6 +729,7 @@ $DIG -p ${PORT} @10.53.1.2 f.normal.example a > dig.out.ns3.4.$n
grep 'recursion requested but not available' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'status: REFUSED' dig.out.ns3.4.$n > /dev/null || ret=1
grep 'EDE: 18 (Prohibited)' dig.out.ns3.4.$n > /dev/null || ret=1
nextpart ns3/named.run | grep 'allow-recursion-on did not match' > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
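Review bot: The `nextpart ns3/named.run | grep ...` checks added in the later hunks return everything logged since the previous `nextpart` call, so unless a `nextpart ns3/named.run > /dev/null` reset sits right before the corresponding `$DIG` (only the "default allow-recursion configuration" hunk shows one; the others are cut off above the hunk, so this may already be there), a match could come from an earlier query's output rather than the one under test. Putting the reset line `nextpart ns3/named.run > /dev/null` immediately before each `$DIG` whose refusal reason is asserted makes every check specific to that query. The reason text is emitted at ISC_LOG_DEBUG(3) in client.c, so these greps also depend on the test servers running with debug logging high enough to see it; a one-line comment such as `# refusal reasons are logged at debug level 3; ns3 must run with -d >= 3` next to the first grep would record that dependency for the next maintainer.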


@ -1713,6 +1713,24 @@ ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult,
#ifdef HAVE_DNSTAP
dns_dtmsgtype_t dtmsgtype;
#endif /* ifdef HAVE_DNSTAP */
static const char *ra_reasons[] = {
"ACLs not processed yet",
"no resolver in view",
"recursion not enabled for view",
"allow-recursion did not match",
"allow-query-cache did not match",
"allow-recursion-on did not match",
"allow-query-cache-on did not match",
};
enum refusal_reasons {
INVALID,
NO_RESOLVER,
RECURSION_DISABLED,
ALLOW_RECURSION,
ALLOW_QUERY_CACHE,
ALLOW_RECURSION_ON,
ALLOW_QUERY_CACHE_ON
} ra_refusal_reason = INVALID;
if (eresult != ISC_R_SUCCESS) {
return;
@ -2152,28 +2170,42 @@ ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult,
* cache there is no point in setting RA.
*/
ra = false;
if (client->view->resolver != NULL && client->view->recursion &&
ns_client_checkaclsilent(client, NULL, client->view->recursionacl,
true) == ISC_R_SUCCESS &&
ns_client_checkaclsilent(client, NULL, client->view->cacheacl,
true) == ISC_R_SUCCESS &&
ns_client_checkaclsilent(client, &client->destaddr,
client->view->recursiononacl,
true) == ISC_R_SUCCESS &&
ns_client_checkaclsilent(client, &client->destaddr,
client->view->cacheonacl,
true) == ISC_R_SUCCESS)
{
ra = true;
}
if (ra) {
/* must be initialized before ns_client_log uses it as index */
if (client->view->resolver == NULL) {
ra_refusal_reason = NO_RESOLVER;
} else if (!client->view->recursion) {
ra_refusal_reason = RECURSION_DISABLED;
} else if (ns_client_checkaclsilent(client, NULL,
client->view->recursionacl,
true) != ISC_R_SUCCESS)
{
ra_refusal_reason = ALLOW_RECURSION;
} else if (ns_client_checkaclsilent(client, NULL,
client->view->cacheacl,
true) != ISC_R_SUCCESS)
{
ra_refusal_reason = ALLOW_QUERY_CACHE;
} else if (ns_client_checkaclsilent(client, &client->destaddr,
client->view->recursiononacl,
true) != ISC_R_SUCCESS)
{
ra_refusal_reason = ALLOW_RECURSION_ON;
} else if (ns_client_checkaclsilent(client, &client->destaddr,
client->view->cacheonacl,
true) != ISC_R_SUCCESS)
{
ra_refusal_reason = ALLOW_QUERY_CACHE_ON;
} else {
ra = true;
client->attributes |= NS_CLIENTATTR_RA;
}
ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT,
ISC_LOG_DEBUG(3),
ra ? "recursion available" : "recursion not available");
ra ? "recursion available"
: "recursion not available (%s)",
ra_reasons[ra_refusal_reason]);
/*
* Adjust maximum UDP response size for this client.
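Review bot: `ra_reasons[]` and `enum refusal_reasons` are declared side by side but nothing ties their ordering together, and `ra_refusal_reason` is used directly as an index into the table at the `ns_client_log` call, so an entry inserted into one and not the other would silently log the wrong reason (or read past the table). A static assertion after the two declarations keeps them in step: `_Static_assert(sizeof(ra_reasons) / sizeof(ra_reasons[0]) == ALLOW_QUERY_CACHE_ON + 1, "ra_reasons and refusal_reasons out of sync");` (or the project's own static-assert macro if it has one). When `ra` is true the format string has no `%s` but `ra_reasons[INVALID]` is still passed; that is harmless because surplus printf arguments are ignored, yet a short comment saying so would spare the next reader a double take, and the comment `must be initialized before ns_client_log uses it as index` reads more naturally next to the `= INVALID` initializer than after `ra = false;`. ns__client_request begins and ends outside the hunk.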


@ -844,6 +844,15 @@ query_checkcacheaccess(ns_client_t *client, const dns_name_t *name,
isc_result_t result;
if ((client->query.attributes & NS_QUERYATTR_CACHEACLOKVALID) == 0) {
enum refusal_reasons {
ALLOW_QUERY_CACHE,
ALLOW_QUERY_CACHE_ON
};
static const char *acl_desc[] = {
"allow-query-cache did not match",
"allow-query-cache-on did not match",
};
/*
* The view's cache ACLs have not yet been evaluated.
* Do it now. Both allow-query-cache and
@ -852,9 +861,11 @@ query_checkcacheaccess(ns_client_t *client, const dns_name_t *name,
bool log = ((options & DNS_GETDB_NOLOG) == 0);
char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
enum refusal_reasons refusal_reason = ALLOW_QUERY_CACHE;
result = ns_client_checkaclsilent(client, NULL,
client->view->cacheacl, true);
if (result == ISC_R_SUCCESS) {
refusal_reason = ALLOW_QUERY_CACHE_ON;
result = ns_client_checkaclsilent(
client, &client->destaddr,
client->view->cacheonacl, true);
@ -890,7 +901,8 @@ query_checkcacheaccess(ns_client_t *client, const dns_name_t *name,
sizeof(msg));
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_QUERY, ISC_LOG_INFO,
"%s denied", msg);
"%s denied (%s)", msg,
acl_desc[refusal_reason]);
}
}
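Review bot: `acl_desc[]` duplicates the "allow-query-cache did not match" and "allow-query-cache-on did not match" strings that client.c's `ra_reasons[]` also carries, and these strings are exactly what the system tests grep for, so the two copies can drift apart without any compiler complaint; hoisting the two literals into a shared `#define` or a small table in a header both files include would remove the duplication. Separately, none of the test hunks in this commit grep for these two query.c messages (they only check the `allow-recursion` and `allow-recursion-on` reasons emitted by client.c), so the new INFO-level `"%s denied (%s)"` output appears untested here; a `nextpart ns3/named.run | grep 'allow-query-cache did not match'` after a query refused by allow-query-cache would cover it. query_checkcacheaccess begins and ends outside the hunk.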