query (cache) 'domain.com/AAAA/IN' denied
kalin
kalin at el.net
Thu Oct 11 01:52:34 UTC 2012
On 10/10/12 9:41 PM, Árni Birgisson wrote:
> You have all those allow-*, but in your previous email you have
> "recursion no;" which you would have to change to "recursion yes;".
>
> When you have done this, make sure to restrict it with the allow-recursion
> so you do not have an open resolver.
thanks to you too.... but same result.
options {
version "";
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
allow-query-cache { any; };
allow-query { any; };
recursion yes;
// allow-recursion { any; }
allow-transfer {
127.0.0.1;
};
};
# dig @ns2..... domain.com
; <<>> DiG 9.4.2 <<>> @ns2.... domain.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55754
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;domain.com. IN A
;; Query t........
i actually have another machine that has bind 9.4.2 and it works as
desired without all these options. both machines are meant to be
authoritative for domain.com...
anything else i can try?
thanks...
>
> -- Arni
>
>
> ----- Original Message -----
> From: "kalin" <kalin at el.net>
> To: "Lyle Giese" <lyle at lcrcomputer.net>
> Cc: bind-users at lists.isc.org
> Sent: Thursday, October 11, 2012 1:34:24 AM
> Subject: Re: query (cache) 'domain.com/AAAA/IN' denied
>
>
>
> On 10/10/12 9:17 PM, Lyle Giese wrote:
>> On 10/10/12 20:01, kalin wrote:
>>>
>>> hi all...
>>>
>>> # uname -a
>>> NetBSD ns2..... 5.1 NetBSD 5.1 .... ...
>>>
>>> # named -v
>>> BIND 9.5.2-P2
>>>
>>> i get these in the log:
>>>
>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#19443: query
>>> (cache) 'domain.net/AAAA/IN' denied
>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29333: query
>>> (cache) 'domain.net/A/IN' denied
>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20710: query
>>> (cache) 'www.domain.org/A/IN' denied
>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20122: query
>>> (cache) 'domain.net/AAAA/IN' denied
>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#17725: query
>>> (cache) 'domain.net/A/IN' denied
>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29894: query
>>> (cache) 'www.domain.org/A/IN' denied
>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#47730: query
>>> (cache) 'www.domain.org/A/IN' denied
>>> Oct 10 16:15:09 ns2 named[29914]: client 38.112.17.138#36976: query
>>> (cache) 'domain.org/A/IN' denied
>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#43827: query
>>> (cache) 'domain.org/A/IN' denied
>>>
>>> .........................................
>>>
>>>
>>> all the domain.net, .org, .com above exist. if i do a dig off a local
>>> machine they resolve fine. if the dig is out of this network i get a
>>> log entry as above.
>>>
>>> at this point the named.conf has:
>>>
>>> options {
>>> version "ha-ha-ha";
>>> directory "/etc/namedb";
>>> pid-file "/var/run/named/pid";
>>> dump-file "/var/dump/named_dump.db";
>>> statistics-file "/var/stats/named.stats";
>>>
>>>
>>> allow-query-cache { any; };
>>> allow-query { any; };
>>> recursion no;
>>>
>>>
>>> allow-transfer {
>>> 127.0.0.1;
>>> };
>>>
>>> };
>>>
>>>
>>> i'm not sure where to look next.... this machine is on a verizon
>>> fios if that really makes any difference...
>>>
>>>
>>> where should i look?
>>>
>>>
>>> thanks....
>> These are queries that require recursion and you have that turned off.
>> If you don't want a publicly abused dns server, turn recursion on and
>> restrict recursion to your LAN addresses (Allow-recursion).
>
> thanks.. but not good.
>
> now i have:
>
> allow-query-cache { any; };
> allow-query { any; };
> allow-recursion { any; }
>
> and still those logs. a dig from the outside gets "refused"...
>
>
>
>
>
>
>> Lyle Giese
>> LCR Computer Services, Inc.
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
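
An added example, not part of the original message or of BIND: a Python sketch that tallies the `query (cache) ... denied` entries quoted in this thread per client, and separates names under zones the server is supposed to serve from everything else. The sample log lines and the `own_zones` list are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the syslog format quoted in the thread. The third
# entry is wrapped across two lines, as the mail client wrapped the originals.
SAMPLE_LOG = """\
Oct 10 16:15:09 ns2 named[29914]: client 192.0.2.10#19443: query (cache) 'example.net/AAAA/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 192.0.2.10#29333: query (cache) 'www.example.net/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 198.51.100.7#36976: query
(cache) 'example.org/A/IN' denied
Oct 10 16:15:10 ns2 named[29914]: running
"""

DENIED = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<type>[^/']+)/(?P<cls>[^/']+)' denied"
)

def parse_denied(text):
    """Return one dict per denied cache query, tolerating wrapped lines."""
    flat = " ".join(text.split())  # undo line wrapping before matching
    return [m.groupdict() for m in DENIED.finditer(flat)]

def in_zone(name, zones):
    """True if name equals or is a subdomain of any zone in zones."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)

def report(text, own_zones):
    """Per client: total denials and how many were for names in own_zones."""
    zones = [z.rstrip(".").lower() for z in own_zones]
    per_client = defaultdict(Counter)
    for rec in parse_denied(text):
        key = "own_zone" if in_zone(rec["name"], zones) else "other"
        per_client[rec["ip"]][key] += 1
        per_client[rec["ip"]]["total"] += 1
    return {ip: dict(c) for ip, c in per_client.items()}

if __name__ == "__main__":
    # own_zones is operator-supplied (assumption): zones this server should serve.
    for ip, counts in sorted(report(SAMPLE_LOG, ["example.net"]).items()):
        print(ip, counts)
```

Denials counted under `own_zone` are the ones to look at first on a server meant to be authoritative, since they are being handled on the cache path rather than answered from zone data.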