query (cache) 'domain.com/AAAA/IN' denied
Árni Birgisson
arnib at menandmice.com
Thu Oct 11 01:41:57 UTC 2012
You have all those allow-*, but in your previous email you have
"recursion no;" which you would have to change to "recursion yes;".
When you have done this, make sure to restrict it with the allow-recursion
so you do not have an open resolver.
-- Arni
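As an added example (not from the thread or from ISC's code), a small checker for the exposure Arni describes: given a named.conf, it reports who may recurse through the server and whether it is an open resolver. Both config fragments are constructed, and the "lan" ACL network is an assumption.

```python
import re

# Constructed named.conf fragments, not copied from the thread: recursion opened
# to everyone, and a version restricted to local clients per Arni's advice.
OPEN_RESOLVER_CONF = """
options {
    allow-query-cache { any; };
    allow-query { any; };
    recursion yes;
    allow-recursion { any; };
};
"""

RESTRICTED_CONF = """
acl "lan" { 127.0.0.1; 192.0.2.0/24; };
options {
    recursion yes;
    allow-recursion { lan; };
    allow-query-cache { lan; };
};
"""

def options_body(conf):
    """Text inside options { ... }, found by brace counting (nesting-safe)."""
    start = conf.find("options")
    if start < 0:
        return ""
    i = conf.index("{", start)
    depth = 0
    for j in range(i, len(conf)):
        depth += (conf[j] == "{") - (conf[j] == "}")
        if depth == 0:
            return conf[i + 1:j]
    return ""

def address_list(body, name):
    """Entries of `name { a; b; };`, or None when the statement is absent."""
    m = re.search(rf"(?<![\w-]){name}\s*\{{(.*?)\}}\s*;", body, re.S)
    return [e.strip() for e in m.group(1).split(";") if e.strip()] if m else None

def resolver_exposure(conf):
    """Who may recurse through this server, and is it an open resolver?"""
    body = options_body(conf)
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", body)
    recursion = m.group(1) if m else "yes"  # BIND's default is recursion yes
    # BIND 9.4+ fallback chain when allow-recursion is not set explicitly
    allowed = (address_list(body, "allow-recursion")
               or address_list(body, "allow-query-cache")
               or address_list(body, "allow-query")
               or ["localnets", "localhost"])
    wide_open = any(e in ("any", "0.0.0.0/0", "::/0") for e in allowed)
    return {"recursion": recursion, "allow_recursion": allowed,
            "open_resolver": recursion == "yes" and wide_open}
```

Note that with `recursion no;` the checker reports no open resolver, which is exactly the situation where outside clients see "query (cache) ... denied" for names the server is not authoritative for.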
----- Original Message -----
From: "kalin" <kalin at el.net>
To: "Lyle Giese" <lyle at lcrcomputer.net>
Cc: bind-users at lists.isc.org
Sent: Thursday, October 11, 2012 1:34:24 AM
Subject: Re: query (cache) 'domain.com/AAAA/IN' denied
On 10/10/12 9:17 PM, Lyle Giese wrote:
> On 10/10/12 20:01, kalin wrote:
>>
>> hi all...
>>
>> # uname -a
>> NetBSD ns2..... 5.1 NetBSD 5.1 .... ...
>>
>> # named -v
>> BIND 9.5.2-P2
>>
>> i get these in the log:
>>
>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#19443: query
>> (cache) 'domain.net/AAAA/IN' denied
>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29333: query
>> (cache) 'domain.net/A/IN' denied
>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20710: query
>> (cache) 'www.domain.org/A/IN' denied
>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20122: query
>> (cache) 'domain.net/AAAA/IN' denied
>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#17725: query
>> (cache) 'domain.net/A/IN' denied
>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29894: query
>> (cache) 'www.domain.org/A/IN' denied
>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#47730: query
>> (cache) 'www.domain.org/A/IN' denied
>> Oct 10 16:15:09 ns2 named[29914]: client 38.112.17.138#36976: query
>> (cache) 'domain.org/A/IN' denied
>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#43827: query
>> (cache) 'domain.org/A/IN' denied
>>
>> .........................................
>>
>>
>> all the domain.net, .org, .com above exist. if i do a dig off a local
>> machine they resolve fine. if the dig is out of this network i get a
>> log entry as above.
>>
>> at this point the named.conf has:
>>
>> options {
>> version "ha-ha-ha";
>> directory "/etc/namedb";
>> pid-file "/var/run/named/pid";
>> dump-file "/var/dump/named_dump.db";
>> statistics-file "/var/stats/named.stats";
>>
>>
>> allow-query-cache { any; };
>> allow-query { any; };
>> recursion no;
>>
>>
>> allow-transfer {
>> 127.0.0.1;
>> };
>>
>> };
>>
>>
>> i'm not sure where to look next.... this machine is on a verizon
>> fios if that really makes any difference...
>>
>>
>> where should i look?
>>
>>
>> thanks....
> These are queries that require recursion and you have that turned off.
> If you don't want a publicly abused dns server, turn recursion on and
> restrict recursion to your LAN addresses(Allow-recursion).
thanks.. but not good.
now i have:
allow-query-cache { any; };
allow-query { any; };
allow-recursion { any; };
and still those logs. a dig from the outside gets "refused"...
> Lyle Giese
> LCR Computer Services, Inc.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users