Query Refused problem
Mark Andrews
marka at isc.org
Wed Sep 30 23:31:16 UTC 2009
Have you read the documentation that describes what allow-query does?
<varlistentry>
<term><command>allow-query</command></term>
<listitem>
<para>
Specifies which hosts are allowed to ask ordinary
DNS questions. <command>allow-query</command> may
also be specified in the <command>zone</command>
statement, in which case it overrides the
<command>options allow-query</command> statement.
If not specified, the default is to allow queries
from all hosts.
</para>
<note>
<para>
<command>allow-query-cache</command> is now
used to specify access to the cache.
</para>
</note>
</listitem>
</varlistentry>
<varlistentry>
<term><command>allow-query-cache</command></term>
<listitem>
<para>
Specifies which hosts are allowed to get answers
from the cache. If <command>allow-query-cache</command>
is not set then <command>allow-recursion</command>
is used if set, otherwise <command>allow-query</command>
is used if set unless <command>recursion no;</command> is
set in which case <command>none;</command> is used,
otherwise the default (<command>localnets;</command>
<command>localhost;</command>) is used.
</para>
</listitem>
</varlistentry>
Mark
In message <4AC36444.9000204 at whgl.uni-frankfurt.de>, Sven Eschenberg writes:
> Dear list,
>
> This seems more tricky, then I thought.
>
> When I had no allow-query statement at all in my config, everything
> worked find (includign recursion) for all clients, that were in subnets
> directly attached to the server. The external view (authoriative, non
> recursive) did work for every client as supposed to.
> Now a client on a not directly attached subnet, with it's own view,
> could not resolve anything, except local zones on the server. (Though
> recursion was turned on for the view).
> External view's clients could nto recurse, though recursion was turned
> on, obviously to realyl recurse I'd need an allow-query statement.
>
> Adding an allow-query statement to the general config, limitied to the
> campus network made all local views work, but with the result, that no
> client matching the external view could looks up the authoriative zones.
>
> Now, I am wondering if I did set uop everything right afterall, here's
> what I did do:
>
> External view, no recursion, allow-query {any;}
> Not directly attached client with internal view: match on client's ip,
> allow recursion, allow query for the client's ip.
> all other internal views, matched by locally attached netowrks, no
> allow-query statement, allow recursion.
>
> This seems to work.
>
> I am wondering: Would it be harmfull to allow queries by any host
> (globally) as long as external clients (in their view) are not allowed
> any recursion? Would that be more feasible?
>
> Regards
>
> -Sven
>
>
> Sven Eschenberg schrieb:
> > I got it fixxed with an allow-query statement.
> >
> > But this arises another question: Does bind implicitly add allow-queries
> > for locally attached interfaces and the networks configured for these?
> >
> > I am asking, because it used to work for all the subnets directly
> > attached to the machine.
> >
> > Regards
> >
> > -Sven
> >
> > Sven Eschenberg schrieb:
> >> Dear list,
> >>
> >> I have one client with a specific zone. When the client does a query
> >> for localhost on the nameserver, or a reverse lookup for 127.0.0.1,
> >> everything seems perfectly okay. As soon, as the client tries to
> >> lookup i.e. google.de or any external ip, I am getting query refused
> >> errors.
> >>
> >> Sep 30 14:21:40 gw named[28715]: client <ip of matched client>#1039:
> >> view watchdog: query (cache) 'www.google.de/A/IN' denied
> >> Sep 30 14:21:40 gw named[28715]: client <ip of matched client>#1040:
> >> view watchdog: query (cache) 'www.google.de/A/IN' denied
> >>
> >> The DNS-Server works as a recursor for the client.
> >>
> >> What puzzles me most is: I cloned another internal view, which works
> >> perfectly well for the clients matched by it.
> >>
> >> What might I be missing here, what can trigger a query refused answer
> >> like this?
> >>
> >> Regards
> >>
> >> -Sven
> >>
> >>
> >> _______________________________________________
> >> bind-users mailing list
> >> bind-users at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/bind-users
> >
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
>
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list