recursive query

Jim Reid jim at rfc1035.com
Tue Sep 26 15:40:01 UTC 2000


>>>>> "Deepak" == Deepak Shrestha <deepak at mos.com.np> writes:

    Deepak> I presume that all BIND servers send iterative queries to
    Deepak> other BIND name servers to resolve domain names.

Yes. All name servers - not just BIND - do this. Though I think that a
name server that's been configured as a forwarding-only server will
make recursive rather than iterative requests. I've not bothered
checking the BIND source code to confirm this.

    Deepak> Sep 26 10:12:01 shikhar named[29712]: unapproved recursive query from [210.191.209.185].1027 for nh2.jiyu.net.np
    Deepak> Sep 26 10:12:24 shikhar named[29712]: unapproved recursive query from [202.231.128.10].54534 for nh2.jiyu.net.np

    Deepak> Why do I then get "unapproved recursive query"?

Because you have presumably configured your server to refuse recursive
queries from these addresses. This doesn't prevent those unwanted
hosts from sending unwanted queries to your name server. It only stops
your server from processing them. Both of the IP addresses above
appear to be running name servers. However, you've no easy way of
telling if those queries came from the name server or from other
applications that are running on those systems. [If the queries had
the RA - recursion available - bit set, it would probably mean the
queries came from a name server.] Perhaps the hosts have badly
misconfigured resolvers that query your server instead of the local
ones? Perhaps they have name servers that forward queries to your
server? Maybe someone is running "dig @your-server nh2.jiyu.net.np" on
these systems? Who knows?

    Deepak> I have allowed recursive queries to the IP-space within my
    Deepak> network in the configuration file. I get a lot of these in
    Deepak> the logfile so it cannot be from stub resolvers only.

I wouldn't be so sure about that. There are lots of misconfigured
resolvers in the world: all it takes is a broken /etc/resolv.conf. If
all the queries sent from a given IP address always came from the same
port number, then it would tend to suggest that something - probably a
long-running application - was using the same socket to make the
requests. This might be a forwarding name server. If the queries use
different port numbers, it would indicate the system has a
misconfigured resolv.conf and each application is sending DNS queries
from essentially random port numbers to your server.

You'll need to talk to the administrators of 210.191.209.185 and
202.231.128.10 to find out what is going on.
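The port-number heuristic Jim describes above (same source port for every query from an IP suggests one long-running process such as a forwarding server; varying ports suggest individual applications with a broken resolv.conf) is easy to apply mechanically to a named log. The following script is an added example, not part of the original thread or of BIND; the log lines it parses are constructed in the format shown in the post, and every line, port number and query name beyond the two Deepak quoted is made up for illustration.

```python
import re
from collections import defaultdict

# Matches the BIND 8 "unapproved recursive query" message format shown in the post.
LOG_RE = re.compile(
    r"unapproved recursive query from \[(?P<ip>[0-9.]+)\]\.(?P<port>\d+) for (?P<name>\S+)"
)

# Constructed sample log. Only the first two lines come from the post; the
# remaining lines (extra ports and query names) are invented for illustration.
SAMPLE_LOG = """\
Sep 26 10:12:01 shikhar named[29712]: unapproved recursive query from [210.191.209.185].1027 for nh2.jiyu.net.np
Sep 26 10:12:24 shikhar named[29712]: unapproved recursive query from [202.231.128.10].54534 for nh2.jiyu.net.np
Sep 26 10:13:02 shikhar named[29712]: unapproved recursive query from [210.191.209.185].1027 for www.example.com
Sep 26 10:13:40 shikhar named[29712]: unapproved recursive query from [210.191.209.185].1027 for mail.example.net
Sep 26 10:14:11 shikhar named[29712]: unapproved recursive query from [202.231.128.10].33190 for nh2.jiyu.net.np
Sep 26 10:15:05 shikhar named[29712]: unapproved recursive query from [202.231.128.10].41765 for ftp.example.org
Sep 26 10:15:30 shikhar named[29712]: some unrelated message that must be ignored
"""


def parse_unapproved(log_text):
    """Group refused recursive queries by source IP.

    Returns {ip: {"ports": set of source ports, "names": set of queried
    names, "count": number of refused queries}}. Lines that are not
    "unapproved recursive query" messages are skipped.
    """
    stats = defaultdict(lambda: {"ports": set(), "names": set(), "count": 0})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        entry = stats[m.group("ip")]
        entry["ports"].add(int(m.group("port")))
        entry["names"].add(m.group("name"))
        entry["count"] += 1
    return dict(stats)


def classify(entry, min_queries=2):
    """Apply the heuristic from the post to one source IP's statistics.

    A single source port across several queries points at one long-lived
    socket (e.g. a forwarding name server); many ports point at separate
    short-lived applications using a misconfigured resolv.conf.
    """
    if entry["count"] < min_queries:
        return "insufficient data"
    if len(entry["ports"]) == 1:
        return "single source port: likely a long-running process such as a forwarding name server"
    return "varying source ports: likely individual applications with a misconfigured resolv.conf"


def report(log_text):
    """Map each offending source IP to its classification."""
    return {ip: classify(entry) for ip, entry in parse_unapproved(log_text).items()}


if __name__ == "__main__":
    for ip, verdict in report(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

Run it against `grep 'unapproved recursive query' /var/log/messages` output instead of `SAMPLE_LOG` to get the per-IP summary that Jim suggests you take to the remote administrators. One caveat that postdates the thread: recursive servers released since the 2008 source-port randomisation fixes use a fresh source port for every outgoing query, so a modern forwarder will look like the "varying ports" case; a fixed port today indicates either an old server or an application holding one socket open.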


