problem: with "allow-query {all}" some queries are denied

Kevin Darcy kcd at daimlerchrysler.com
Fri Feb 11 22:28:55 UTC 2000


I believe there is a bug in the ACL code whereby class=ANY queries can get
erroneously rejected. Such queries are relatively rare, which is consistent
with the low numbers you're seeing.


- Kevin

Christopher McCrory wrote:

> Hello...
>
>         <note> I am sending this again, I think the first try didn't make it
> through the usenet gateway</note>
>
>         After being a relay for an AOL MX DoS attack, I put in some acl
> restrictions.
> something like this:
>
> acl AS6592 { 127.0.0.1; 209.95.192.0/19; };
>
> options {
>         ...
>         allow-query { AS6592; };
>         ...
>         };
>
> zone "example.com" {
>         type master;
>         file "db.example.com";
>         allow-query { any; };
>         };
>
> ...other domains done the same...
>
> In 13 hours I got 62 "unapproved query" messages for domains that I host
> with the "allow-query { any};" tag.  Overall I average about 2 requests
> per second.
>
> So out of about 100,000 requests in 13 hours I rejected 62 valid
> requests.  This seems "statistically insignificant".  But, I should not
> be seeing these rejects at all.
>
> Does anyone else see this activity?  Is this normal?
>
> The server is running bind 8.2.2 Patch5, has plenty of horsepower, dual
> PII350, ram 512Meg, running RH linux.  The current mem usage is 47 megs
> for the named process.
>
> --
>
> Christopher McCrory
> Lead Bithead, Netus Inc.
> chrismcc at netus.com
> admin at netus.com
>
> "Linux: Because rebooting is for adding new hardware"





