named[1095]: error (unexpected RCODE REFUSED)
Casey Deccio
casey at deccio.net
Mon May 4 15:09:13 UTC 2015
On Mon, May 4, 2015 at 9:38 AM, Chris <cpollock at embarqmail.com> wrote:
> I've just finished setting up Bind as a local caching name server to
> work in conjunction with my Spamassassin setup. I did this because
> queries to uribl.com were getting blocked probably due to my ISPs
> reputation for spam. It seems to be working great, no more of the
> blocked queries to uribl.com however I am seeing a lot of this:
>
> error (unexpected RCODE REFUSED) resolving
> 'b4d44f4bcc9ddf0e61605920116ce915.ctyme.ixhash.net/A/IN':
> 62.75.209.50#53
> error (unexpected RCODE REFUSED) resolving 'getcreations.com/AAAA/IN':
> 192.185.149.195#53
> error (connection refused) resolving
> '185.130.201.205.dnsbl.sorbs.net/A/IN': 67.228.187.34#53
> error (connection refused) resolving
> '185.130.201.205.dnsbl.sorbs.net/A/IN': 174.36.235.174#53
>
>
> this is a query to a domain I own
>
> error (unexpected RCODE REFUSED) resolving 'toadnet.com/AAAA/IN':
> 207.218.247.135#53
>
> Do I have something in my setup incorrect?
>
Hi Chris,
The problem is not with your resolver, but with the zones/servers it is
contacting. Take toadnet.com, for example. The delegation records in the
.com zone are these:
$ dig +noall +authority @a.gtld-servers.net toadnet.com ns
toadnet.com. 172800 IN NS ns2.ev1servers.net.
toadnet.com. 172800 IN NS ns1.ev1servers.net.
toadnet.com. 172800 IN NS ns1.ecdiscounts.com.
and the authoritative records in the toadnet.com zone are these:
$ dig +noall +answer @ns1.ecdiscounts.com toadnet.com ns
toadnet.com. 86400 IN NS ns2.usdcservers.net.
toadnet.com. 86400 IN NS ns1.usdcservers.net.
But the ev1servers.net servers are not properly set up to respond for the
toadnet.com zone:
$ dig +noall +comments @ns1.ev1servers.net toadnet.com ns
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 43670
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
In your case, looks like you probably need to clean up the delegation
records in the parent zone through your registrar to match the ones in your
child zone. Others would need to do similarly, depending on their
situation.
Cheers,
Casey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20150504/96501ccb/attachment.html>
More information about the bind-users
mailing list