bind9: Disabling error logging for recursive queries
Solution 1:
Regarding disabling all the BIND error logging for recursive queries such as "query (cache) 'theswat.net/ANY/IN' denied":
The configuration below in /etc/named.conf redirects these to /var/named/data/named.security with a total size limit of 15mbytes of rolling over logs. Note that category security is only “Approval and denial of requests.”
```
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
    // Redirect all of those 'denied' logs for non-existing domains or external ones (we are 'recursion no;')
    // to /var/named/data/named.security, up to 3 files of 5mbytes each.
    // Independent hack_detect processes can then scan for flooders and known abusers and block their IPs.
    channel hd_security {
        file "data/named.security" versions 3 size 5m;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category security { hd_security; };
};
```
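As an added example (not part of this answer or of BIND), a small Python scanner of the kind the comment above alludes to: it reads lines from the security channel file and counts "query (cache) ... denied" messages per client address so that repeat offenders can be reviewed. The line prefix in the constructed sample (timestamp, "security: info:", the "@0x..." client handle) is assumed from typical BIND output with print-time/print-severity/print-category enabled; the message text is the one quoted in the question.

```python
import re
from collections import Counter

# Matches the lines BIND writes to the security category for refused cache queries.
# The prefix (timestamp, "security: info:", optional "@0x..." client handle, optional
# "(qname)") is assumed from typical BIND output with print-* options enabled; the
# "query (cache) '...' denied" text is the message quoted in the question.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query \(cache\) '(?P<qname>[^']+)' denied"
)

# Constructed sample of a data/named.security file (not real traffic).
SAMPLE_LOG = """\
10-Jan-2024 12:00:01.101 security: info: client @0x7f1e3c0a5e10 192.0.2.10#53211 (theswat.net): query (cache) 'theswat.net/ANY/IN' denied
10-Jan-2024 12:00:01.152 security: info: client @0x7f1e3c0a5e10 192.0.2.10#53212 (theswat.net): query (cache) 'theswat.net/ANY/IN' denied
10-Jan-2024 12:00:02.003 security: info: client 198.51.100.7#40112: query (cache) 'example.org/A/IN' denied
10-Jan-2024 12:00:02.444 security: info: client @0x7f1e3c0a5e10 192.0.2.10#53213 (theswat.net): query (cache) 'theswat.net/ANY/IN' denied
10-Jan-2024 12:00:03.000 security: info: client 203.0.113.5#1234: update 'example.com/IN' denied
"""

def parse_denied(line):
    """Return (client_ip, qname) for a denied cache-query line, else None."""
    m = DENIED_RE.search(line)
    return (m.group("ip"), m.group("qname")) if m else None

def count_denied_by_client(lines):
    """Count denied recursive queries per client address (other denials are ignored)."""
    counts = Counter()
    for line in lines:
        hit = parse_denied(line)
        if hit:
            counts[hit[0]] += 1
    return counts

def flooders(lines, threshold):
    """Client addresses with at least `threshold` denied queries, sorted, for review."""
    return sorted(ip for ip, n in count_denied_by_client(lines).items() if n >= threshold)

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, n in count_denied_by_client(lines).most_common():
        print(f"{ip:16} {n} denied")
    print("over threshold:", flooders(lines, 3))
```

In practice the script would read the rotated named.security files in a loop or from a log shipper; the threshold is a site choice, and the update-denied line shows why the regex is specific to cache queries.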
Solution 2:
See the BIND Administrator's Reference Manual (aka "the ARM", which is included with your source distribution, or consult the link tables in the ISC Knowledge Base to find the version specific to your BIND version) and go to section 6.2.10, which covers logging.
BIND error messages are emitted in various categories and you can specify their destination based on category. While I don't know offhand and would have to check the source to know exactly which category the error message you want to suppress is in, once you have identified the category (either by checking the source or by trial and error) you can suppress error messages for that category using the sample syntax shown in the ARM, i.e.:
To discard all messages in a category, specify the null channel:
```
category xfer-out { null; };
category notify { null; };
```
I would start with the "resolver" category, although because it's a denial message it might belong to "security" -- actually the area you have described kind of sits between several possible categories (which is why I can't say off the top of my head which is correct). "resolver" sounds like messages you don't expect to find useful anyway, if you are not trying to perform recursion for clients.
Solution 3:
Yes, it is possible to silence bind. Check your configuration for category and channel definitions. If this is showing up in your syslog, then find the channel(s) mentioning syslog. There is also a default_syslog channel built in. Then find the categories logging to these channels. Comment out the category or redirect it to a different channel. You may want to redirect to a log while you test.
More detail can be found here: http://www.zytrax.com/books/dns/ch7/logging.html