query restricted on sub domain

Kevin Darcy kcd at daimlerchrysler.com
Wed Aug 6 23:16:52 UTC 2003


ChrisC wrote:

> I have set up BIND 8.2.4 on Solaris 9, as a secondary server. I
> restrict resolving queries on the server with the line at the top
>
> allow-query { "access-list"; };
>
> Then for each of the authoritative domains I have
>
> allow-query { "any"; };
>
> which works ok.
>
> For one of the domains we have a sub domain for it -- which is served
> off 2 other servers, e.g. usa.domain.com, i.e. they have different NS
> records, but for some reason I am seeing queries for it in the messages
> file on the main server which serves domain.com.
>
> denied query from [151.164.1.15].15876 for "www.usa.domain.com"
>
> My question is
>
> - why am I getting queries for usa.domain.com when it is served off 2
> different servers elsewhere ?

I'm presuming it's because your slave is a *delegated* slave for the zone
(you didn't mention whether it was a delegated slave or not). Delegated
slaves can and will get queries for any names that are in the *domain*,
regardless of whether those names are in descendant zones or not. That's
just the way the standard resolver algorithm works: just keep throwing
queries and following referrals down the hierarchy until you get a
"terminal" response like an answerful response, a NODATA (NOERROR with
either an SOA or no NS records in the Authority Section) response, or an
NXDOMAIN response.

> The server does however give the locations of the NS and SOA servers
> for the sub domains. This makes sense, as if they did not then nobody
> would get answers from there.

Is "www.usa.domain.com" itself defined as a query-restricted zone in your
named.conf? That's the only way I could reproduce the behavior you
describe. If I just define "domain.com" with "allow-query { any; };",
with no other zone definitions underneath that, then all queries for all
names underneath "domain.com" are answered and none are denied. Could you
post or at least describe the contents of your named.conf?


- Kevin
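The configuration Kevin describes, written out as an added example (this is not the poster's named.conf and not code from the thread): a global allow-query that every zone inherits unless it sets its own, the "domain.com" zone opened with allow-query { any; }, and the one arrangement Kevin could reproduce the denial with, a zone below domain.com defined on the same server without its own allow-query. The ACL name is the poster's; all addresses are assumed placeholders from the RFC 5737 documentation ranges.

```conf
# Added example, not from the original thread. Addresses and file paths
# are assumed placeholders; only "access-list", "domain.com" and
# "usa.domain.com" come from the discussion.

acl "access-list" {
    192.0.2.0/24;      // assumed: the networks allowed to use this server
    localhost;
};

options {
    directory "/var/named";
    // Global default. Every zone that does not set its own allow-query
    // inherits this list, which is where the surprise comes from.
    allow-query { "access-list"; };
};

// The authoritative zone, opened to the world exactly as the poster did.
zone "domain.com" {
    type slave;
    masters { 198.51.100.1; };      // assumed master address
    file "sec/domain.com";
    allow-query { any; };
};

// The delegation for the sub domain lives inside the domain.com zone
// data, for instance (addresses assumed):
//   usa.domain.com.      IN NS ns1.usa.domain.com.
//   usa.domain.com.      IN NS ns2.usa.domain.com.
//   ns1.usa.domain.com.  IN A  203.0.113.1     ; glue
//   ns2.usa.domain.com.  IN A  203.0.113.2     ; glue
// With nothing else configured, a query for www.usa.domain.com hits the
// allow-query { any; } above and is answered with a referral, never denied.

// The configuration Kevin found that does produce the "denied query" log
// line: the sub domain is ALSO a zone on this server and has no
// allow-query of its own, so it inherits { "access-list"; } from options.
// A query for www.usa.domain.com from outside that ACL is then refused.
zone "usa.domain.com" {
    type slave;
    masters { 203.0.113.1; };       // assumed address of the sub domain master
    file "sec/usa.domain.com";
    // Fix: either give this zone the same policy as its parent ...
    // allow-query { any; };
    // ... or drop this stanza altogether so the delegation in the
    // domain.com data is followed to the two servers that really host it.
};
```

The check that distinguishes the two situations is the one Kevin asks for: look in named.conf for any zone statement whose name is usa.domain.com or a name below it. If none exists, the slave answers everything under domain.com with referrals and nothing is logged as denied; if one exists without its own allow-query, the options-level ACL applies to it and the denials appear.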