Bind 9.1 Question

Willis L. Sarka wlsarka at the-republic.org
Mon Jan 29 22:50:28 UTC 2001


Greetings,

I have Bind 9.1 up and running successfully, but I have one small problem.
I can perform an nslookup query remotely (i.e. not on the same machine
that Bind is running on), and it works just fine.  However on the same
machine that is running Bind 9.1, when I do a nslookup, I get a "refused"
message.  I'm sure this is probably something _really_ that I'm missing,
but I've been stuck for a few hours, so here I am.

Sample nslookup on machine running bind 9.1:

[root at news /root]# nslookup
Note:  nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead.  Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
> news.bldr.rtone.com
Server:		127.0.0.1
Address:	127.0.0.1#53

** server can't find news.bldr.rtone.com.: REFUSED
>


Messages from the log files:

Jan 29 22:45:13.983 security: client 127.0.0.1#2030: query denied

Here is my named.conf:

acl "internals" { 127.0.0.1; 172.16.0.0/20; 172.16.16.0/24; 172.16.5.0/24;
192.168.253.0/24;  };

controls {
        inet 127.0.0.1 allow { localhost; } keys { namedkey; };
};

key namedkey {
        algorithm "hmac-md5";
        secret "tP6O603HGrPW6bV59JV4vw==";
};

options {
        auth-nxdomain no;
        directory "/";
        pid-file "named.pid";
        allow-query { "internals"; };
        allow-recursion { "internals"; };
        allow-transfer { "internals"; };
};

logging {
        channel namedlog {
                file "var/log/named.log" versions 5 size 2m;
                print-time yes;
                print-category yes;
                };
        category xfer-out { namedlog; };
        category panic { namedlog; };
        category security { namedlog; };
        category insist { namedlog; };
        category response-checks { namedlog; };
};

//
// a caching only nameserver config
//
zone "." {
        type hint;
        file "named.ca";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "named.local";
};

zone "rtone.com" {
        type master;
        file "db.rtone.com";
};

zone "bldr.rtone.com" {
        type master;
        file "db.bldr.rtone.com";
};

zone "dnvr.rtone.com" {
        type master;
        file "db.dnvr.rtone.com";
};

zone "smartpoint.com" {
        type master;
        file "db.smartpoint.com";
};

.... more reverse zones, etc...



I know the logging section needs work.


Rndc is working just fine on the nameserver box, if that matters, and
named starts and runs fine.


Again, any help is appreciated.  This is the last step before I convert
from Bind 8.2.2_P7 to Bind 9.1.  I'd like to never again worry about a
Bind 8.x buffer overflow, or root exploit.

Thanks,
Will Sarka



-- 
---------------------------------------------
Those, who would give up essential liberty to
purchase a little temporary safety, deserve
neither liberty nor safety.

-Ben Franklin
Historical Review of Constitution and
Government of Pennsylvania
---------------------------------------------
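As an added example (not part of the original post or of BIND itself), a small Python script that parses security-category log lines in the format shown above and checks each denied client against the "internals" ACL from the posted named.conf. A denial from an address that is inside the ACL points at a configuration problem rather than an unauthorized client, which is exactly the distinction worth making when triaging these log lines; the sample log lines are constructed and the 10.9.8.7 and 192.168.253.40 clients are invented.

```python
import ipaddress
import re
from collections import Counter

# The "internals" ACL exactly as it appears in the named.conf above.
INTERNALS_ACL = [
    "127.0.0.1",
    "172.16.0.0/20",
    "172.16.16.0/24",
    "172.16.5.0/24",
    "192.168.253.0/24",
]

# Matches a BIND 9 security-channel line with print-time and print-category on,
# e.g. "Jan 29 22:45:13.983 security: client 127.0.0.1#2030: query denied"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} [\d:.]+) security: client "
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): (?P<msg>.+)$"
)

def in_acl(ip, acl=INTERNALS_ACL):
    """True if ip falls inside any address or prefix in the ACL."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in acl)

def parse_security_log(lines, acl=INTERNALS_ACL):
    """Parse log lines; return (events, Counter) where the Counter tallies
    denials from inside vs. outside the ACL. Inside-ACL denials mean the
    ACL is not being applied as intended; outside-ACL denials are policy working."""
    events, summary = [], Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a security-category line in this format
        ev = m.groupdict()
        ev["denied"] = ev["msg"].endswith("denied")
        ev["inside_acl"] = in_acl(ev["ip"], acl)
        if ev["denied"]:
            summary["denied_inside_acl" if ev["inside_acl"] else "denied_outside_acl"] += 1
        events.append(ev)
    return events, summary

# Constructed sample: the line from the post plus two invented clients.
SAMPLE_LOG = """\
Jan 29 22:45:13.983 security: client 127.0.0.1#2030: query denied
Jan 29 22:46:02.110 security: client 10.9.8.7#1234: query denied
Jan 29 22:47:30.500 security: client 192.168.253.40#4000: query denied
"""

if __name__ == "__main__":
    evs, s = parse_security_log(SAMPLE_LOG.splitlines())
    for e in evs:
        print(e["ip"], "inside ACL" if e["inside_acl"] else "outside ACL", "-", e["msg"])
    print(dict(s))
```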


