query restricted on sub domain
Mark_Andrews at isc.org
Fri Aug 8 00:09:00 UTC 2003
The query most probably has class ANY not class IN.
BIND 8.2.4 is ancient. Upgrade.
From 8.3.0-T2A:
1261. [func] treat class ANY as class IN for access control for
non-xfr queries.
> Kevin Darcy <kcd at daimlerchrysler.com> wrote in message news:<bgs2h2$2ukq$1 at sf1.isc.org>...
> > ChrisC wrote:
> >
> > > I have set up Bind 8.2.4 on solaris 9, as a secondary server. I
> > > restrict resolving queries on the server with the line at the top
> > >
> > > allow-query { "access-list"; };
> > >
> > > Then for each of the authoritative domains I have
> > >
> > > allow-query { "any"; };
> > >
> > > which works ok.
> > >
> > > For one of the domains we have a sub domain for it -- which is served
> > > off 2 other servers e.g. usa.domain.com and ie they have different ns
> > > records but for some reason I am seeing queries for it in the messages
> > > file on the main server which serves domain.com.
> > >
> > > denied query from [151.164.1.15].15876 for "www.usa.domain.com"
> > >
> > > My question is
> > >
> > > - why am I getting queries for usa.domain.com when it is served off 2
> > > different servers elsewhere ?
> >
> > I'm presuming it's because your slave is a *delegated* slave for the zone
> > (you didn't mention whether it was a delegated slave or not). Delegated
> > slaves can and will get queries for any names that are in the *domain*,
> > regardless of whether those names are in descendant zones or not. That's
> > just the way the standard resolver algorithm works: just keep throwing
> > queries and following referrals down the hierarchy until you get a
> > "terminal" response like an answerful response, a NODATA (NOERROR with
> > either an SOA or no NS records in the Authority Section) response, or an
> > NXDOMAIN response.
> >
> > > The server does however give the locations of the ns and soa servers
> > > for the sub domains. This makes sense as if they did not then nobody
> > > would get answers from there.
> >
> > Is "www.usa.domain.com" itself defined as a query-restricted zone in your
> > named.conf? That's the only way I could reproduce the behavior you
> > describe. If I just define "domain.com" with "allow-query { any; };",
> > with no other zone definitions underneath that, then all queries for all
> > names underneath "domain.com" are answered and none are denied. Could you
> > post or at least describe the contents of your named.conf?
> >
> >
> > - Kevin
>
> Hi Kevin, here is the named.conf file for the secondary server. Just
> to point out this 'is' a delegated slave for domain.com, so maybe this is
> normal as you said - it will receive queries for anything for
> *domain.com, although the usa.domain.com is served off different name
> servers. I am seeing lots of queries being made for usa.domain.com and
> being denied. I am a bit worried what happens to queries being denied
> and if it affects the client, or if it does not affect the client ie
> they just get the answer of the other servers.
>
>
>
> acl "access-list" {
> { 193.129.122/24; 195.182.96.28; 195.182.96.29;
> 195.182.96.60; 195.182.96.61; };
> };
> options{
> directory "/var/named";
> allow-transfer { "None"; };
> allow-query { "access-list"; };
> };
> zone "." in {
> type hint;
> file "named.root";
> };
> zone "0.0.127.in-addr.arpa" in {
> type master;
> file "loopback-domain-info";
> allow-query { "any"; };
> };
> zone "domain.com" in {
> type slave;
> file "domain.com.back";
> masters {
> 193.129.122.21;
> };
> allow-query { "any"; };
> };
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
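Putting Kevin's reasoning and Mark's hint together as an added triage script (not code from anyone in the thread): it parses BIND 8 "denied query" log lines in the format quoted above, finds the closest enclosing zone from the quoted named.conf, and checks whether the effective allow-query ACL would have permitted a class IN query from that source; a denial the ACL cannot explain points at the query class rather than the config. The ACL and zone tables are transcribed from the quoted named.conf; the log lines other than the one from the thread are constructed.

```python
import ipaddress
import re

# ACLs and per-zone allow-query transcribed from the named.conf quoted in the
# thread; "any" and "none" are BIND's built-in ACLs.
ACLS = {
    "any": ["0.0.0.0/0"],
    "none": [],
    "access-list": ["193.129.122.0/24", "195.182.96.28", "195.182.96.29",
                    "195.182.96.60", "195.182.96.61"],
}
ZONE_ALLOW_QUERY = {"domain.com": "any", "0.0.127.in-addr.arpa": "any"}
GLOBAL_ALLOW_QUERY = "access-list"  # options { allow-query { "access-list"; }; }

# Constructed sample log in the BIND 8 format quoted above; only the first line
# is from the thread, the other two source addresses are made up.
SAMPLE_LOG = """\
denied query from [151.164.1.15].15876 for "www.usa.domain.com"
denied query from [10.9.8.7].53000 for "host.example.net"
denied query from [193.129.122.5].2222 for "host.example.net"
"""
LINE_RE = re.compile(r'denied query from \[([\d.]+)\]\.\d+ for "([^"]+)"')

def closest_zone(name):
    """Longest configured zone enclosing name, i.e. the zone whose
    allow-query governs the query, or None if no zone encloses it."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ZONE_ALLOW_QUERY:
            return candidate
    return None

def acl_permits(acl_name, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ACLS[acl_name])

def classify(line):
    """(ip, name, effective acl, explained) or None for non-matching lines.
    explained=False: the ACL permits class IN queries from this source, so
    the denial needs another cause, e.g. a class ANY query on 8.2.4."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ip, name = m.groups()
    acl = ZONE_ALLOW_QUERY.get(closest_zone(name), GLOBAL_ALLOW_QUERY)
    return ip, name, acl, not acl_permits(acl, ip)

def triage(log_text):
    return [r for r in map(classify, log_text.splitlines()) if r]
```

For the line from the thread the enclosing zone is domain.com with allow-query any, so the ACL does not explain the denial, which is what makes the query class the next thing to check.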