
query (cache) 'domain.com/AAAA/IN' denied


kalin

Oct 10, 2012, 9:01:35 PM
to bind-...@lists.isc.org

hi all...

# uname -a
NetBSD ns2..... 5.1 NetBSD 5.1 .... ...

# named -v
BIND 9.5.2-P2

i get these in the log:

Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#19443: query
(cache) 'domain.net/AAAA/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29333: query
(cache) 'domain.net/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20710: query
(cache) 'www.domain.org/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20122: query
(cache) 'domain.net/AAAA/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#17725: query
(cache) 'domain.net/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29894: query
(cache) 'www.domain.org/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#47730: query
(cache) 'www.domain.org/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 38.112.17.138#36976: query
(cache) 'domain.org/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#43827: query
(cache) 'domain.org/A/IN' denied

.........................................


All the domain.net, .org and .com above exist. If I do a dig off a local
machine they resolve fine. If the dig is from outside this network I get a log
entry as above.

At this point the named.conf has:

options {
version "ha-ha-ha";
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";


allow-query-cache { any; };
allow-query { any; };
recursion no;


allow-transfer {
127.0.0.1;
};

};


I'm not sure where to look next.... This machine is on a Verizon FiOS,
if that really makes any difference...


Where should I look?


thanks....


Lyle Giese

Oct 10, 2012, 9:17:17 PM
to bind-...@lists.isc.org
These are queries that require recursion and you have that turned off.
If you don't want a publicly abused DNS server, turn recursion on and
restrict recursion to your LAN addresses (allow-recursion).

Lyle Giese
LCR Computer Services, Inc.

kalin

Oct 10, 2012, 9:34:24 PM
to Lyle Giese, bind-...@lists.isc.org
Thanks.. but not good.

Now I have:

allow-query-cache { any; };
allow-query { any; };
allow-recursion { any; };

And still those logs. A dig from the outside gets "refused"...


Árni Birgisson

Oct 10, 2012, 9:41:57 PM
to kalin, bind-...@lists.isc.org
You have all those allow-*, but in your previous email you have
"recursion no;" which you would have to change to "recursion yes;".

When you have done this, make sure to restrict it with the allow-recursion
so you do not have an open resolver.

-- Arni

kalin

Oct 10, 2012, 9:52:34 PM
to Árni Birgisson, bind-...@lists.isc.org
On 10/10/12 9:41 PM, Árni Birgisson wrote:
> You have all those allow-*, but in your previous email you have
> "recursion no;" which you would have to change to "recursion yes;".
>
> When you have done this, make sure to restrict it with the allow-recursion
> so you do not have an open resolver.

Thanks to you too.... but same result.


options {
version "";
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";

allow-query-cache { any; };
allow-query { any; };
recursion yes;
// allow-recursion { any; }


allow-transfer {
127.0.0.1;
};

};


# dig @ns2..... domain.com

; <<>> DiG 9.4.2 <<>> @ns2.... domain.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55754
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;domain.com. IN A

;; Query t........

I actually have another machine that has BIND 9.4.2 and it works as
desired without all these options. Both machines are meant to be
authoritative for domain.com...


Anything else I can try?

Thanks...

Lyle Giese

Oct 10, 2012, 10:17:04 PM
to bind-...@lists.isc.org
Maybe silly question, but after you changed your named.conf, did you
restart named?

Are there any other named.conf on your system? (your named may be
reading a different named.conf other than the one you are editing.)

Mark Andrews

Oct 10, 2012, 10:19:02 PM
to kalin, bind-...@isc.org

Make sure you are editing the named.conf named is using. Change
the version string, reload the server and check that the version
reported matches what is in named.conf.

If that doesn't identify/fix the problem, post to the list the
complete named.conf along with any included files (x out the TSIG
secrets) and a list of the zones the server is supposed to serve.
Problems like this are almost always the result of something simple
that is hidden because people are scared to post the full named.conf,
so they post an overly redacted version. The only thing that really
needs to be redacted is the shared secrets.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

kalin

Oct 10, 2012, 10:22:09 PM
to Lyle Giese, bind-...@lists.isc.org
Yea. Via /etc/rc.d/named stop|start, checked with ps that it is not really
running.


> Are there any other named.conf on your system? (your named may be
> reading a different named.conf other than the one you are editing.)

If I add a zone record to the named.conf I'm editing and do a dig on it,
locally I get it fine:

$ dig @ns2..... domain.com

; <<>> DiG 9.8.1-P1 <<>> @ns2..... domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52275
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
.....................

Chris Buxton

Oct 10, 2012, 11:26:31 PM
to kalin, bind-...@lists.isc.org
On Oct 10, 2012, at 7:22 PM, kalin wrote:

> If I add a zone record to the named.conf I'm editing and do a dig on it, locally I get it fine:
>
> $ dig @ns2..... domain.com
>
> ; <<>> DiG 9.8.1-P1 <<>> @ns2..... domain.com
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52275
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

No you don't. You're getting it from the other computer. No 'aa' flag.

Your zone is not loading for some reason.

The reason it works locally and not remotely is that the local query is in the default allow-recursion ACL, but the remote host is not.

The recursion settings are a red herring. Solve the missing 'aa' flag.

Chris Buxton
BlueCat Networks
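Chris's diagnostic (read the status and the 'aa' flag in the dig header instead of chasing the recursion settings) can be scripted. The following is an added example, not code from the thread: it parses dig's header lines and classifies the answer. The first two sample headers follow the outputs quoted in the thread; the third, with the 'aa' flag, is a constructed header showing what a server that has actually loaded the zone returns.

```python
import re

# Sample dig headers. DIG_REMOTE and DIG_LOCAL follow the outputs quoted in
# the thread (REFUSED from outside; NOERROR without 'aa' from inside).
# DIG_AUTHORITATIVE is constructed: the 'aa' flag a loaded zone would set.
DIG_REMOTE = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55754
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
"""
DIG_LOCAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52275
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
"""
DIG_AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
"""

STATUS_RE = re.compile(r"^;; ->>HEADER<<-.*\bstatus: (\w+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)

# Short verdict codes and what each one means for the server under test.
EXPLANATIONS = {
    "refused": "not authoritative for the name, and recursion is not "
               "allowed for this client (the 'query (cache) ... denied' case)",
    "recursive": "answer was fetched from elsewhere ('ra' set, no 'aa'): "
                 "the zone is NOT loaded on this server",
    "authoritative": "'aa' set: the answer came from a zone loaded here",
    "other": "no 'aa' and no 'ra'; inspect the full output",
}


def parse_dig_header(output):
    """Return (status, set of header flags) from dig's header lines."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    if status is None or flags is None:
        raise ValueError("no dig header found in output")
    return status.group(1), set(flags.group(1).split())


def diagnose(output):
    """Classify a dig answer the way the thread does; see EXPLANATIONS."""
    status, flags = parse_dig_header(output)
    if status == "REFUSED":
        return "refused"
    if "aa" in flags:
        return "authoritative"
    if status == "NOERROR" and "ra" in flags:
        return "recursive"
    return "other"
```

Run `dig @server name` from inside and from outside the network and feed each output to `diagnose()`; only "authoritative" from both vantage points means the zone is really served by that host.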