Query Refused problem

Sven Eschenberg sven at whgl.uni-frankfurt.de
Wed Sep 30 13:59:32 UTC 2009 

Dear list,

This seems more tricky, then I thought.

When I had no allow-query statement at all in my config, everything 
worked find (includign recursion) for all clients, that were in subnets 
directly attached to the server. The external view (authoriative, non 
recursive) did work for every client as supposed to.
Now a client on a not directly attached subnet, with it's own view, 
could not resolve anything, except local zones on the server. (Though 
recursion was turned on for the view).
External view's clients could nto recurse, though recursion was turned 
on, obviously to realyl recurse I'd need an allow-query statement.

Adding an allow-query statement to the general config, limitied to the 
campus network made all local views work, but with the result, that no 
client matching the external view could looks up the authoriative zones.

Now, I am wondering if I did set uop everything right afterall, here's 
what I did do:

External view, no recursion, allow-query {any;}
Not directly attached client with internal view: match on client's ip, 
allow recursion, allow query for the client's ip.
all other internal views, matched by locally attached netowrks, no 
allow-query statement, allow recursion.

This seems to work.

I am wondering: Would it be harmfull to allow queries by any host 
(globally) as long as external clients (in their view) are not allowed 
any recursion? Would that be more feasible?

Regards

-Sven


Sven Eschenberg schrieb:
> I got it fixxed with an allow-query statement.
> 
> But this arises another question: Does bind implicitly add allow-queries 
> for locally attached interfaces and the networks configured for these?
> 
> I am asking, because it used to work for all the subnets directly 
> attached to the machine.
> 
> Regards
> 
> -Sven
> 
> Sven Eschenberg schrieb:
>> Dear list,
>>
>> I have one client with a specific zone. When the client does a query 
>> for localhost on the nameserver, or a reverse lookup for 127.0.0.1, 
>> everything seems perfectly okay. As soon, as the client tries to 
>> lookup i.e. google.de or any external ip, I am getting query refused 
>> errors.
>>
>> Sep 30 14:21:40 gw named[28715]: client <ip of matched client>#1039: 
>> view watchdog: query (cache) 'www.google.de/A/IN' denied
>> Sep 30 14:21:40 gw named[28715]: client <ip of matched client>#1040: 
>> view watchdog: query (cache) 'www.google.de/A/IN' denied
>>
>> The DNS-Server works as a recursor for the client.
>>
>> What puzzles me most is: I cloned another internal view, which works 
>> perfectly well for the clients matched by it.
>>
>> What might I be missing here, what can trigger a query refused answer 
>> like this?
>>
>> Regards
>>
>> -Sven
>>
>>
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

More information about the bind-users mailing list