Denied recursive query messages from named

Kevin Darcy kcd at daimlerchrysler.com
Tue Jan 9 01:25:39 UTC 2001


Damon Brownd wrote:

> Would the "crappy DNS implementation" be on our end or the remote resolver
> making the queries?

The remote resolver.

> Why would other name servers be making recursive queries?  I thought they
> were supposed to query iteratively.

One would expect so, but my experience is that some DNS implementations
*always* use recursive queries, even when resolving names by following
referrals, i.e. in an iterative fashion. Seems rather anti-social to me, like
they're hoping opportunistically that other nameservers will shoulder the
recursive burden so they don't have to. They're *mooches*, in other words. Next
to the moronic Win2k update-denied messages, denied recursion is the second
most common log message I usually get on my Internet nameservers.


- Kevin

> "Kevin Darcy" <kcd at daimlerchrysler.com> wrote in message
> news:<930k5a$duj at pub3.rc.vix.com>...
> >
> > The only thing I can think of is a crappy DNS implementation that gets
> > confused about delegations when following CNAMEs to PTRs, with the result
> > that it thinks your servers are authoritative for
> > 100.80.190.208.in-addr.arpa.
> >
> > One way to deal with this is just to go with the flow: set yourself up as
> > a slave for 100.80.190.208.in-addr.arpa. This won't stop the queries, but
> > it should stop the log messages, since in that case there won't be any
> > recursion necessary (and therefore none to deny). As an additional benefit,
> > being a slave for the zone will enable you to reverse-resolve your own
> > addresses even if you lose connectivity to the Internet.
> >
> >
> > - Kevin
> >
> > Damon Brownd wrote:
> >
> > > Our ISP recently delegated our in-addr.arpa subdomain for our /27
> > > address block to our name server as specified in RFC 2317.  Since then,
> > > I've been getting bursts of messages like the following at semi-regular
> > > intervals.  They tend to be from the same IP addresses but the addresses
> > > do change over time.  The thing that got my attention is that requests
> > > come from so many different IP numbers within a second or two with pauses
> > > of an hour or more between bursts.  Our name server is currently
> > > configured to allow recursive queries from internal addresses and reject
> > > them from elsewhere.  The name server is BIND 8.2.3.
> > >
> > > Are these messages safe to ignore or do they indicate a problem I need
> > > to do something about?
> > >
> > > %%%%%%%%%%%  OPCOM   3-JAN-2001 10:20:03.43  %%%%%%%%%%%
> > > Message from user SYSTEM on IRIS
> > > named: denied recursion for query from [216.52.85.194].3409 for
> > > 100.80.190.208.in-addr.arpa
> > >
> > > %%%%%%%%%%%  OPCOM   3-JAN-2001 10:20:03.81  %%%%%%%%%%%
> > > Message from user SYSTEM on IRIS
> > > named: denied recursion for query from [216.52.125.38].8857 for
> > > 100.80.190.208.in-addr.arpa
> > >
> > > %%%%%%%%%%%  OPCOM   3-JAN-2001 10:20:03.81  %%%%%%%%%%%
> > > Message from user SYSTEM on IRIS
> > > named: denied recursion for query from [64.94.206.66].1428 for
> > > 100.80.190.208.in-addr.arpa
> > >
> > > %%%%%%%%%%%  OPCOM   3-JAN-2001 10:20:03.84  %%%%%%%%%%%
> > > Message from user SYSTEM on IRIS
> > > named: denied recursion for query from [216.52.153.130].3591 for
> > > 100.80.190.208.in-addr.arpa
> > >
> > > %%%%%%%%%%%  OPCOM   3-JAN-2001 10:20:03.85  %%%%%%%%%%%
> > > Message from user SYSTEM on IRIS
> > > named: denied recursion for query from [216.52.44.194].1066 for
> > > 100.80.190.208.in-addr.arpa
> > >
> > > %%%%%%%%%%%  OPCOM   3-JAN-2001 10:20:03.86  %%%%%%%%%%%
> > > Message from user SYSTEM on IRIS
> > > named: denied recursion for query from [64.94.163.226].3319 for
> > > 100.80.190.208.in-addr.arpa
> > >
> > > %%%%%%%%%%%  OPCOM   3-JAN-2001 10:20:03.88  %%%%%%%%%%%
> > > Message from user SYSTEM on IRIS
> > > named: denied recursion for query from [63.251.235.226].2051 for
> > > 100.80.190.208.in-addr.arpa
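As an added example that is not part of this thread, here is a small Python triage script for the OPCOM-wrapped BIND 8 "denied recursion" messages quoted above: it parses the query name even when OPCOM wraps it onto the next line, then groups denials per queried name and flags the pattern Damon describes (many distinct sources within a second or two). The line format is taken from the excerpt; the sample log is constructed, with documentation-range source addresses.

```python
import re
from collections import defaultdict
from datetime import datetime
# BIND 8 "denied recursion" messages as relayed by OpenVMS OPCOM: timestamp banner,
# "Message from user" line, then the named message (its query name may wrap).
OPCOM_RE = re.compile(r"OPCOM\s+(\d{1,2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{2})")
DENIED_RE = re.compile(r"named: denied recursion for query from \[([\d.]+)\]\.(\d+) for\s*(\S*)$")

def parse_denied_recursion(text):
    """Return (timestamp, source_ip, source_port, qname) tuples from OPCOM output."""
    events, ts, pending = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if pending is not None:  # previous message's query name wrapped onto this line
            if line:
                events.append(pending + (line,))
            pending = None
        elif (m := OPCOM_RE.search(line)):
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
        elif (m := DENIED_RE.search(line)):
            ip, port, qname = m.group(1), int(m.group(2)), m.group(3)
            if qname:
                events.append((ts, ip, port, qname))
            else:
                pending = (ts, ip, port)
    return events

def summarize(events, window_seconds=2.0, min_sources=3):
    """Per queried name: count, distinct sources, time span, burst flag (min_sources in window)."""
    by_name = defaultdict(list)
    for ts, ip, _port, qname in events:
        by_name[qname].append((ts, ip))
    report = {}
    for qname, evs in by_name.items():
        span = (max(t for t, _ in evs) - min(t for t, _ in evs)).total_seconds()
        sources = sorted({ip for _, ip in evs})
        report[qname] = {"count": len(evs), "sources": sources, "span_seconds": span,
                         "burst": len(sources) >= min_sources and span <= window_seconds}
    return report

# Constructed sample in the excerpt's format (documentation-range source IPs).
SAMPLE_LOG = """\
%%%%%%%%%%%  OPCOM   3-JAN-2001 10:20:03.43  %%%%%%%%%%%
Message from user SYSTEM on IRIS
named: denied recursion for query from [192.0.2.10].3409 for
100.80.190.208.in-addr.arpa
%%%%%%%%%%%  OPCOM   3-JAN-2001 10:20:03.81  %%%%%%%%%%%
named: denied recursion for query from [192.0.2.11].8857 for
100.80.190.208.in-addr.arpa
%%%%%%%%%%%  OPCOM   3-JAN-2001 10:20:03.85  %%%%%%%%%%%
named: denied recursion for query from [198.51.100.7].1066 for 100.80.190.208.in-addr.arpa
"""
```

A burst of distinct sources against one name that you are not authoritative for is the mooch pattern described in the thread; a single source repeating against many names would be worth a closer look instead.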