denied query on bind
Mark_Andrews at isc.org
Fri Oct 3 00:22:41 UTC 2003
> Mark_Andrews at isc.org wrote in message news:<bladft$e25$1 at sf1.isc.org>...
> > > ChrisC <chris at issolutions.co.uk> wrote:
> > > > Hi,
> > > > I'm running bind 8.2.4 on solaris 9. My messages /log files are
> > > > constantly filling up with 'denied query' from various ip addresses
> > > > to the following
> >
> > > > denied query from [206.222.107.70].53 for
> > > > "82.80/28.192.147.12.in-addr.arpa
> > > > " IN Sep 13 08:17:54
> >
> > > > The ip address looks strange and I haven't seen it before. I'm trying to
> > > > find out why I'm constantly getting queries for this; could someone
> > > > give me a clue?
> >
> > > > Thanks
> > >
> > > The range _is_ assigned to:
> > > 80/28.192.147.12.in-addr.arpa. 1d23h58m8s IN NS percy.issolutions.co.uk.
> > > 80/28.192.147.12.in-addr.arpa. 1d23h58m8s IN NS ns2.toshiba-europe.com.
> > >
> > > which might indicate that one of your clients uses this address for
> > > outbound use.
> > > Servers "out there" try to query the nameservers (and get refused).
> > >
> > > If you use these addresses you are supposed to present working servers.
> >
> > And the fix for this is to add
> >
> > allow-query { any; };
> >
> > to the zone clause for 80/28.192.147.12.in-addr.arpa
> >
> > You should also allow percy.issolutions.co.uk to transfer
> > the zone as it is a slave.
> >
> > allow-transfer { 193.129.122.21; };
> >
> > >
> > > --
> > > Peter Håkanson
> > > IPSec Sverige ( At Gothenburg Riverside )
> > > Sorry about my e-mail address, but I'm trying to keep spam out,
> > > remove "icke-reklam" if you feel for mailing me. Thanx.
> > >
>
>
> Hi All,
>
> Thank you for the input. I'm very confused about the address
> 80/28.192.147.12.in-addr.arpa; could someone tell me how they found
> out (i.e. what tool) it is allocated to percy and ns2? I've looked on
> ripe and can't find it. Also, how can we see who assigned those
> addresses? What is the 80/28 bit at the beginning?
>
> Thanks

80/28 indicates that the last octet of your address range
starts at octet 80 and that a 28 bit netmask applies. This
gives a range of 16 addresses, 12.147.192.80 - 12.147.192.95.

Now to perform a reverse lookup for 12.147.192.80 to
12.147.192.95 the clients create lookups like
80.192.147.12.in-addr.arpa - 95.192.147.12.in-addr.arpa.
The problem is that this requires 16 individual delegations,
one for each individual reverse name. Rather than doing
that there is an alternate technique where the parent zone
sets up 16 CNAMEs for those names and points them to some
other zone. In this case the name of the other zone is
80/28.192.147.12.in-addr.arpa.

So your zone is found by looking up 80.192.147.12.in-addr.arpa,
seeing the CNAME which points to 80.80/28.192.147.12.in-addr.arpa,
then looking up that name.

You really should have both the parent zone (147.12.in-addr.arpa)
and 80/28.192.147.12.in-addr.arpa on your server as this
allows local lookups to complete without having to ask other
servers.

This is all explained in RFC 2317.

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
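
The RFC 2317 layout described in the message above, as an added example (not part of the original post and not BIND code): it derives the child zone name, the NS and CNAME records the parent zone would carry, and the two names a resolver walks for one address. The function names are hypothetical; the address block and name servers are the ones quoted in the thread.

```python
import ipaddress

def child_zone(cidr):
    """Return (network, RFC 2317 child zone name) for an IPv4 block smaller than a /24."""
    net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("expected an IPv4 block smaller than a /24")
    a, b, c, d = str(net.network_address).split(".")
    return net, f"{d}/{net.prefixlen}.{c}.{b}.{a}.in-addr.arpa."

def lookup_chain(ip, cidr):
    """Names a resolver walks for a PTR lookup: the usual reverse name,
    then the CNAME target inside the child zone."""
    net, zone = child_zone(cidr)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is outside {cidr}")
    last_octet = str(addr).rsplit(".", 1)[1]
    return [addr.reverse_pointer + ".", f"{last_octet}.{zone}"]

def parent_records(cidr, nameservers):
    """Records the parent zone carries: the NS delegation of the child zone
    plus one CNAME per address in the block."""
    net, zone = child_zone(cidr)
    records = [f"{zone} IN NS {ns}" for ns in nameservers]
    for addr in net:
        owner, target = lookup_chain(str(addr), cidr)
        records.append(f"{owner} IN CNAME {target}")
    return records

if __name__ == "__main__":
    # Block and name servers as quoted in the thread.
    block = "12.147.192.80/28"
    servers = ["percy.issolutions.co.uk.", "ns2.toshiba-europe.com."]
    for line in parent_records(block, servers):
        print(line)
    print(lookup_chain("12.147.192.82", block))
```

The second name returned for 12.147.192.82 is the one that appears in the 'denied query' log line quoted at the top of the thread.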