Unapproved recursive queries

Jim Reid jim at rfc1035.com
Fri Sep 29 12:40:52 UTC 2000 

>>>>> "John" == John Horne <J.Horne at plymouth.ac.uk> writes:

    >>> John Horne <J.Horne at plymouth.ac.uk> writes:
    >> 29-Sep-2000 05:07:39.055 security: notice: unapproved recursive query from [198.83.19.247].53 for area51.termisoc.org
    >> 29-Sep-2000 07:25:10.385 security: notice: unapproved recursive query from [163.121.199.3].53 for www.termisoc.org

    >>  Ask the operators of the name servers that appear to be
    >> running at the above IP addresses. Perhaps their servers are
    >> misconfigured and forward queries to your server, either by
    >> accident or by design.
    >> 
    John> Well I could, but they are coming from all over the place -
    John> the above were just 2 examples.

You should have said that! Your previous message suggested only the
two hosts above were involved. If the queries are "coming from all
over the place", the problem is probably with your name server
configuration, perhaps an over-restrictive ACL. Post your named.conf
so someone can have a look at it. What has changed recently, your
application of an ACL or the NS records for this zone in .org or the
zone's NS records in termisoc.org? It also seems odd that you've made
your server refuse to answer recursive queries for termisoc.org when
it's authoritative for that zone. Why not just let it answer? Yes, in
theory the only requests dns0.plymouth.ac.uk should get for names in
termisoc.org whill be from other name servers, and these requests
should not have the RD bit set, but....

BTW, it your name server is misbehaving. Sometimes it answers my
non-recursive queries for www.termisoc.org, sometimes it doesn't:

% dig @141.163.1.250 www.termisoc.org  any +qr
 
; <<>> DiG 8.2 <<>> @141.163.1.250 www.termisoc.org any
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44102
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      www.termisoc.org, type = ANY, class = IN

;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; QUERY SECTION:
;;      www.termisoc.org, type = ANY, class = IN
 
;; ANSWER SECTION:
www.termisoc.org.       1D IN CNAME     area51.termisoc.org.
 
;; AUTHORITY SECTION:
termisoc.org.           1D IN NS        esra.termisoc.org.
termisoc.org.           1D IN NS        prot.termisoc.org.
termisoc.org.           1D IN NS        mrbounce.compsoc.man.ac.uk.
termisoc.org.           1D IN NS        dns0.plymouth.ac.uk.
 
;; ADDITIONAL SECTION:
esra.termisoc.org.      1D IN A         141.163.200.11
prot.termisoc.org.      1D IN A         141.163.200.2
mrbounce.compsoc.man.ac.uk.  18m24s IN A  192.84.78.5
dns0.plymouth.ac.uk.    1D IN A         141.163.1.250
 
;; Total query time: 287 msec
;; FROM: gromit.rfc1035.com to SERVER: 141.163.1.250
;; WHEN: Fri Sep 29 13:34:36 2000
;; MSG SIZE  sent: 34  rcvd: 237
 
% dig @141.163.1.250 www.termisoc.org any
 
; <<>> DiG 8.2 <<>> @141.163.1.250 www.termisoc.org any +qr
; (1 server found)
;; res options: init recurs defnam dnsrch
;; res_send()
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51965
;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUERY SECTION:
;;      www.termisoc.org, type = ANY, class = IN
 
;; res_nsend[signed] to server 141.163.1.250: Operation timed out

More information about the bind-users mailing list