Access denied Bind9

Greg Choules gregchoules+bindusers at googlemail.com
Tue Mar 8 06:58:22 UTC 2022


Hi Ritah.

I think rndc is a red herring. Whether you can control your server using
rndc or not is a different topic to "why am I seeing xxxx 'denied'" in the
logs.

I think a couple of questions you need to ask yourself are:

   Should these servers be receiving recursive queries from anywhere?
      If no, then named.conf should contain "recursion no;" and settings
      such as "allow-query-cache" should be set to "none;".
      If yes, then define the set of clients you expect them to receive
      queries from, create some ACLs, set "recursion yes;" and
      "allow-query-cache" (at a minimum) to use the ACLs.

   What zones are these servers authoritative for?
      If the servers are not supposed to be receiving recursive queries and
      the queries you see in your log are not ones for which you are
      authoritative then take notes about which clients are sending these
      queries and go on a hunt. Perhaps the clients are misconfigured, or
      just being 'playful'!

Some useful reading might be these articles and others in the KB.
https://kb.isc.org/docs/bind-best-practices-authoritative
https://kb.isc.org/docs/bind-best-practices-recursive

and of course the ARM.
I hope that helps.

Cheers, Greg

On Tue, 8 Mar 2022 at 01:45, Ritah Mulinde <rytaluv at gmail.com> wrote:

> Hi Guys
> Just got my primary and secondary name servers running.
>
> However, when I reload rndc and tail the syslogs all I get is "(
> xxxx.xx.com): query (cache) 'cccc.xx.com/A/IN' denied"
>
> Not sure why.
>
> Kindly asking for some pointers on where to start looking.
>
>
> Thank you
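An added example, not part of the original thread or of BIND itself: one way to "take notes about which clients are sending these queries" is to tally the denied cache queries per client and mark whether each queried name falls inside a zone the server is authoritative for. The log lines are constructed samples in the usual named syslog layout, and the zone set, function names and addresses are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines; addresses are documentation ranges and the
# names follow the placeholders used in the post.
SAMPLE_LOG = """\
Mar  8 01:40:11 ns1 named[812]: client @0x7f3c1c0a 192.0.2.10#53211 (cccc.xx.com): query (cache) 'cccc.xx.com/A/IN' denied
Mar  8 01:40:12 ns1 named[812]: client @0x7f3c1c0b 192.0.2.10#40022 (dddd.xx.com): query (cache) 'dddd.xx.com/A/IN' denied
Mar  8 01:40:15 ns1 named[812]: client 198.51.100.7#1234 (example.org): query (cache) 'example.org/ANY/IN' denied
Mar  8 01:40:19 ns1 named[812]: client @0x7f3c1c0c 2001:db8::53#5353 (cccc.xx.com): view ext: query (cache) 'cccc.xx.com/AAAA/IN' denied
Mar  8 01:40:20 ns1 named[812]: zone xx.com/IN: sending notifies (serial 2022030801)
"""

# Matches the "query (cache) ... denied" message, with or without the
# "@0x..." client object pointer and the optional "view <name>:" prefix.
DENIED = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<addr>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): (?:view \S+: )?"
    r"query \(cache\) '(?P<name>[^/']+)/(?P<type>[^/']+)/[^']+' denied"
)


def in_zone(name, zones):
    """True if name equals, or is a subdomain of, one of our zones.
    Zones are assumed lowercase without a trailing dot."""
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in zones)


def tally_denied(log_text, zones):
    """Count denied cache queries per client address, split by whether
    the queried name is inside a zone this server is authoritative for."""
    report = {}
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue  # not a denied cache query (e.g. a notify message)
        key = "in_zone" if in_zone(m["name"], zones) else "out_of_zone"
        report.setdefault(m["addr"], Counter())[key] += 1
    return report


if __name__ == "__main__":
    for addr, counts in sorted(tally_denied(SAMPLE_LOG, {"xx.com"}).items()):
        print(addr, dict(counts))
```
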