Query Refused problem

Matus UHLAR - fantomas uhlar at fantomas.sk
Thu Oct 1 21:21:25 UTC 2009


On 01.10.09 19:10, Sven Eschenberg wrote:
> Funny enough, I did not have any allow-query at all, but adding  
> allow-query {any;} did indeed change the behavior. But allow-query-cache  
> obviously defaults to localhost, localnets and was triggering the  
> behavior that confused me.

OK, again: did you have any other allows?
Which means allow-recursion, allow-query-cache ....

> In between I overhauled the config, setting all the options explicitly
> where needed, instead of building on default behavior and everything
> works as expected now. Lesson learned: Ignore defaults, always set
> things as YOU want them to be :-).

Could you post your config (and optional includes) somewhere?

I still think the real problem lay elsewhere...
 

> Matus UHLAR - fantomas wrote:
>> On 30.09.09 15:59, Sven Eschenberg wrote:
>>> When I had no allow-query statement at all in my config, everything
>>> worked fine (including recursion) for all clients that were in
>>> subnets directly attached to the server. The external view
>>> (authoritative, non-recursive) did work for every client as supposed
>>> to.
>>> Now a client on a not directly attached subnet, with its own view,
>>> could not resolve anything, except local zones on the server. (Though
>>> recursion was turned on for the view).
>>> External view's clients could not recurse, though recursion was
>>> turned on, obviously to really recurse I'd need an allow-query
>>> statement.
>>>
>>> Adding an allow-query statement to the general config, limited to
>>> the campus network made all local views work, but with the result
>>> that no client matching the external view could look up the
>>> authoritative zones.
>>>
>>> Now, I am wondering if I did set up everything right after all,
>>> here's what I did do:
>>>
>>> External view, no recursion, allow-query {any;}
>>> Not directly attached client with internal view: match on client's
>>> ip, allow recursion, allow query for the client's ip.
>>> all other internal views, matched by locally attached networks, no
>>> allow-query statement, allow recursion.
>>>
>>> This seems to work.
>>>
>>> I am wondering: Would it be harmful to allow queries by any host
>>> (globally) as long as external clients (in their view) are not
>>> allowed any recursion? Would that be more feasible?
>>
>> allow-query { any; }; is default. Do you have any other allows?
>>
>> the first error message indicated that you didn't allow query-cache or recursion
>> for some clients. Apparently you cloned a view but forgot to allow either
>> one in the new view...

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
Microsoft dick is soft to do no harm
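
The three-view layout discussed in this thread, written with every access list set explicitly per view rather than inherited. This is an added example, not the configuration of either poster; all addresses, ACL names, view names, zone names and file paths are placeholders.

```conf
// Constructed example: every address, name and path below is a placeholder.
acl "attached"      { 192.0.2.0/24; };    // subnet directly attached to the server
acl "remote-client" { 198.51.100.25; };   // client on a subnet that is NOT attached

options {
    directory "/var/named";
    // No global allow-query: a campus-only restriction placed here is
    // inherited by every view, which is how the external view stopped
    // answering for its authoritative zones in the thread.
};

// Views are tried in order and the first match wins, so the specific
// internal views come before the catch-all external view.
view "remote" {
    match-clients { "remote-client"; };
    recursion yes;
    // This client is outside localnets, so the built-in default for
    // cached/recursive answers (localnets; localhost;) refuses it.
    allow-query       { "remote-client"; };
    allow-query-cache { "remote-client"; };
    allow-recursion   { "remote-client"; };
    zone "example.org" { type master; file "internal/example.org.db"; };
};

view "internal" {
    match-clients { "attached"; localhost; };
    recursion yes;
    allow-query       { "attached"; localhost; };
    allow-query-cache { "attached"; localhost; };
    allow-recursion   { "attached"; localhost; };
    zone "example.org" { type master; file "internal/example.org.db"; };
};

view "external" {
    match-clients { any; };
    recursion no;
    allow-query       { any; };    // authoritative data only, for everyone
    allow-query-cache { none; };   // never answer from the cache
    allow-recursion   { none; };
    zone "example.org" { type master; file "external/example.org.db"; };
};
```

Running `named-checkconf` on the file catches syntax errors before a reload.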


