query restricted on sub domain

ChrisC chris at issolutions.co.uk
Fri Aug 8 10:41:27 UTC 2003


Kevin Darcy <kcd at daimlerchrysler.com> wrote in message news:<bgugln$1som$1 at sf1.isc.org>...
> ChrisC wrote:
> 
> > Kevin Darcy <kcd at daimlerchrysler.com> wrote in message news:<bgs2h2$2ukq$1 at sf1.isc.org>...
> > > ChrisC wrote:
> > >
> > > > I have set up BIND 8.2.4 on Solaris 9, as a secondary server. I
> > > > restrict resolving queries on the server with the line at the top
> > > >
> > > > allow-query { "access-list"; };
> > > >
> > > > Then for each of the authoritative domains I have
> > > >
> > > > allow-query { "any"; };
> > > >
> > > > which works ok.
> > > >
> > > > For one of the domains we have a subdomain for it -- which is served
> > > > off 2 other servers, e.g. usa.domain.com, i.e. they have different NS
> > > > records, but for some reason I am seeing queries for it in the messages
> > > > file on the main server which serves domain.com.
> > > >
> > > > denied query from [151.164.1.15].15876 for "www.usa.domain.com"
> > > >
> > > > My question is
> > > >
> > > > - why am I getting queries for usa.domain.com when it is served off 2
> > > > different servers elsewhere?
> > >
> > > I'm presuming it's because your slave is a *delegated* slave for the zone
> > > (you didn't mention whether it was a delegated slave or not). Delegated
> > > slaves can and will get queries for any names that are in the *domain*,
> > > regardless of whether those names are in descendant zones or not. That's
> > > just the way the standard resolver algorithm works: just keep throwing
> > > queries and following referrals down the hierarchy until you get a
> > > "terminal" response like an answerful response, a NODATA (NOERROR with
> > > either an SOA or no NS records in the Authority Section) response, or an
> > > NXDOMAIN response.
> > >
> > > > The server does however give the locations of the ns and soa servers
> > > > for the sub domains. This makes sense as if they did not then nobody
> > > > would get answers from there.
> > >
> > > Is "www.usa.domain.com" itself defined as a query-restricted zone in your
> > > named.conf? That's the only way I could reproduce the behavior you
> > > describe. If I just define "domain.com" with "allow-query { any; };",
> > > with no other zone definitions underneath that, then all queries for all
> > > names underneath "domain.com" are answered and none are denied. Could you
> > > post or at least describe the contents of your named.conf?
> > >
> > >
> > > - Kevin
> >
> > Hi Kevin, here is the named.conf file for the secondary server. Just
> > to point out this 'is' a delegated slave for domain.com, so maybe this is
> > normal as you said - it will receive queries for anything for
> > *domain.com, although the usa.domain.com is served off different name
> > servers. I am seeing lots of queries being made for usa.domain.com and
> > being denied. I am a bit worried what happens to queries being denied
> > and if it affects the client, or if it does not affect the client, i.e.
> > they just get the answer of the other servers.
> >
> > acl "access-list" {
> >                 { 193.129.122/24; 195.182.96.28; 195.182.96.29;
> > 195.182.96.60; 195.182.96.61; };
> > };
> > options{
> >         directory       "/var/named";
> >         allow-transfer { "None"; };
> >         allow-query { "access-list"; };
> > };
> > zone "." in {
> >         type hint;
> >         file "named.root";
> > };
> > zone "0.0.127.in-addr.arpa" in {
> >         type master;
> >         file "loopback-domain-info";
> >         allow-query { "any"; };
> > };
> > zone "domain.com" in {
> >         type slave;
> >         file "domain.com.back";
> >         masters {
> >         193.129.122.21;
> >         };
> >         allow-query { "any"; };
> > };
> 
> I can't seem to reproduce your problem. I have a named.conf that's structurally identical to
> yours, and yet I can resolve names two levels below my "domain.com"-equivalent (where my
> "usa.domain.com"-equivalent is a subzone delegated to other nameservers) without any
> REFUSED responses or "denied query" messages in the logs.
> 
> Is there anything special about usa.domain.com or www.usa.domain.com that I should know
> about? Is www.usa.domain.com a zone, for instance, or an alias?
> 
> 
> - Kevin


Hi Kevin,
Nothing special about that domain and I don't have any subdomains for
that specified in the named.conf file. The domain is norgren.com (as I
can't be bothered to change it all the time), it's specified in the zone
file as

usa     IN      NS      ns.usa.norgren.com.
        IN      NS      ns2.usa.norgren.com.

Now I noticed something strange when I tested it from home, the
servers returned the response the first time, then it was refused. FYI
the primary is 193.129.122.21, secondary is 193.129.122.10. As you can see
both the primary and secondary gave answers for www.usa.norgren.com
and then refused them!!

Default Server:  cache1.ntli.net
Address:  194.168.4.100

> server 193.129.122.10
Default Server:  ns2.toshiba-europe.com
Address:  193.129.122.10

> www.usa.norgren.com
Server:  ns2.toshiba-europe.com
Address:  193.129.122.10

Name:    www.usa.norgren.com
Address:  213.161.84.74

> www.usa.norgren.com
Server:  ns2.toshiba-europe.com
Address:  193.129.122.10

*** ns2.toshiba-europe.com can't find www.usa.norgren.com: Query
refused
> www.usa.norgren.com
Server:  ns2.toshiba-europe.com
Address:  193.129.122.10

*** ns2.toshiba-europe.com can't find www.usa.norgren.com: Query
refused
> exit

C:\>nslookup
Default Server:  cache1.ntli.net
Address:  194.168.4.100

> server 193.129.122.21
Default Server:  percy.issolutions.co.uk
Address:  193.129.122.21

> www.usa.norgren.com
Server:  percy.issolutions.co.uk
Address:  193.129.122.21

Name:    www.usa.norgren.com
Address:  213.161.84.74

> www.usa.norgren.com
Server:  percy.issolutions.co.uk
Address:  193.129.122.21

*** percy.issolutions.co.uk can't find www.usa.norgren.com: Query
refused
> www.usa.norgren.com
Server:  percy.issolutions.co.uk
Address:  193.129.122.21

*** percy.issolutions.co.uk can't find www.usa.norgren.com: Query
refused
> exit

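An added example, not part of the thread, that tallies BIND 8 "denied query" log lines of the form quoted above against the NS delegations in the parent zone file, so an operator can see whether the refusals are for names under a delegated child (which the parent can only refer for) or for names the zone itself should be answering under `allow-query { any; }`. The log lines, zone snippet, hostnames and client addresses below are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample of BIND 8 "denied query" syslog lines (same shape as
# the line quoted in the thread; addresses and names are made up).
SAMPLE_LOG = """\
Aug  8 10:12:01 ns2 named[123]: denied query from [151.164.1.15].15876 for "www.usa.domain.com"
Aug  8 10:12:03 ns2 named[123]: denied query from [151.164.1.15].15877 for "www.usa.domain.com"
Aug  8 10:12:09 ns2 named[123]: denied query from [198.51.100.7].53 for "mail.usa.domain.com"
Aug  8 10:13:44 ns2 named[123]: denied query from [203.0.113.9].4567 for "www.example.net"
Aug  8 10:14:02 ns2 named[123]: denied query from [198.51.100.7].53 for "usa.domain.com"
"""

# Constructed parent zone snippet with the delegation records for the child.
ZONE_SNIPPET = """\
$ORIGIN domain.com.
usa     IN      NS      ns.usa.domain.com.
        IN      NS      ns2.usa.domain.com.
"""

DENIED_RE = re.compile(r'denied query from \[([\d.]+)\]\.(\d+) for "([^"]+)"')
NS_RE = re.compile(r'^(\S*)\s+IN\s+NS\s+', re.IGNORECASE)

def delegated_children(zone_text, origin):
    """Collect child zone names delegated by NS records in the parent zone."""
    children = set()
    for line in zone_text.splitlines():
        m = NS_RE.match(line)
        if m and m.group(1):  # continuation records have a blank owner; skip them
            owner = m.group(1).rstrip('.')
            children.add(owner if owner.endswith(origin) else f"{owner}.{origin}")
    return children

def classify(name, zone, children):
    """Place a denied name relative to the zone the server is a slave for."""
    if name == zone or name.endswith("." + zone):
        if any(name == c or name.endswith("." + c) for c in children):
            return "delegated-child"  # parent holds only the NS referral for these
        return "in-zone"              # data the zone's own allow-query should cover
    return "out-of-zone"              # not authoritative; falls under the global allow-query

def summarize(log_text, zone, children):
    """Count denials per namespace class and per client address."""
    by_class, by_client = Counter(), Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            client, _port, name = m.groups()
            by_class[classify(name.lower().rstrip('.'), zone, children)] += 1
            by_client[client] += 1
    return by_class, by_client

if __name__ == "__main__":
    kids = delegated_children(ZONE_SNIPPET, "domain.com")
    print(summarize(SAMPLE_LOG, "domain.com", kids))
```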
