Unapproved recursive queries

John Horne J.Horne at plymouth.ac.uk
Fri Sep 29 13:40:04 UTC 2000


On 29-Sep-00 at 12:40:52 Jim Reid wrote:
> John Horne <J.Horne at plymouth.ac.uk> writes:
>>> Ask the operators of the name servers that appear to be
>>> running at the above IP addresses. Perhaps their servers are
>>> misconfigured and forward queries to your server, either by
>>> accident or by design.
>> 
>> Well I could, but they are coming from all over the place -
>> the above were just 2 examples.
> 
> You should have said that! Your previous message suggested only the
> two hosts above were involved. 
>
Sorry :-)

> If the queries are "coming from all over the place", the problem is
> probably with your name server configuration, perhaps an over-restrictive
> ACL. Post your named.conf so someone can have a look at it.
>
The name servers don't allow recursive queries except for those on the
141.163. subnet. Nobody else should need to use recursive queries.

> What has changed recently, your application of an ACL or the NS records
> for this zone in .org or the zone's NS records in termisoc.org?
>
Nope, nothing changed (honest!).

> It also seems odd that you've made your server refuse to answer recursive
> queries for termisoc.org when it's authoritative for that zone. Why not
> just let it answer? Yes, in theory the only requests dns0.plymouth.ac.uk
> should get for names in termisoc.org will be from other name servers,
> and these requests should not have the RD bit set, but....
> 
You answered that yourself. We have taken the view/option that the name
servers can be used by external (to 141.163.) users/name servers to answer
queries for which we are authoritative, but no others - hence no recursion.
Anything internal to 141.163. can use recursion.

Which brings me back to the original question - dns1 is not authoritative
for termisoc.org, so no queries from anywhere for it should be going to
dns1. But they are. Agreed, if it was a misconfigured server then that would
show with the IP address being the same all the time. But it isn't.

> BTW, your name server is misbehaving. Sometimes it answers my
> non-recursive queries for www.termisoc.org, sometimes it doesn't:
> 
Nope, that's the appalling network we have here! :-( Imagine trying to work
amongst timeouts, etc. when using the web, ftp'ing, mailing, etc., etc. I
overheard from the network people that they hope to install some
new/different equipment in a week or two that should help relieve the
problem. Needless to say, with the start of term, the new students (and the
old staff!) are not happy at all.

I've attached the named.conf from dns1 in case anyone does want a look. The
only main difference with dns0 is that dns0 is a slave for termisoc.org, so
it has the added entry:

zone "termisoc.org" in {
        type slave;
        file "secondary/termisoc/TERMISOC.ZONE";
        masters { 141.163.200.11; };
};  

John.

------------------------------------------------------------------------
John Horne, University of Plymouth, UK           Tel: +44 (0)1752 233914
E-mail: jhorne at plymouth.ac.uk
PGP key available from public key servers


-- Attached file included as plaintext by Listar --
-- File: named.conf1
-- Desc: dns1.plymouth.ac.uk  named.conf

#
#	Boot file for our DNS cache.
#
#	Created: September 1997
#
# Named address-match lists used by the statements further down.
#
# uop: the 141.163.0.0/16 network plus the built-in "localhost" ACL.
# Referenced by allow-recursion in options and by allow-query on the
# localhost zones.
acl uop { 141.163.0.0/16; localhost; };

# spoofs: source ranges treated as never-legitimate query sources
# (0/8, TEST-NET 192.0.2.0/24, 224.0.0.0/3 = multicast and everything above,
# and the RFC 1918 private ranges). Handed to "blackhole" in options.
# NOTE(review): 1.0.0.0/8 and 2.0.0.0/8 were unallocated when this list was
# written but have since been assigned to regional registries; a static list
# like this needs periodic review or it silently drops legitimate clients.
acl spoofs { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
             10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

# local-secondary and secondaries are defined but not referenced by any
# statement in the visible file; zone transfers are refused globally
# (allow-transfer { none; } in options).
acl local-secondary { 141.163.17.40; };

acl secondaries { none; };

# Global server options. No allow-query appears here, so who may query at all
# is left to the server default and to per-zone allow-query statements.
options {
	# Working directory; the relative "file" paths below resolve against it.
	directory "/var/named";
	# Refuse zone transfers to everyone; no zone in the visible file overrides this.
	allow-transfer { none; };
	# Recursion is performed only for clients matching the "uop" ACL.
	# NOTE(review): requests with RD set from other sources are not recursed
	# for; this is presumably what produces the "unapproved recursive query"
	# log entries the thread is about. Confirm against the running version.
	allow-recursion { uop; };
	# Do not answer, or send queries to, addresses in the "spoofs" ACL.
	blackhole { spoofs; };
	# Do not send NOTIFY messages when zones change.
	notify no;
	# Interval between cache clean-ups; presumably minutes (BIND 8) - confirm.
	cleaning-interval 480;
	# NOTE(review): in BIND 8 this makes the server track outstanding query
	# IDs to improve their randomness, at some memory cost; relevant to
	# resistance against forged responses - confirm for the version in use.
	use-id-pool yes;
	# NOTE(review): BIND 8 negative-answer behaviour switch (RFC 2308);
	# exact effect not visible from this file - confirm.
	rfc2308-type1 yes;
};

# Per-peer settings for 141.163.17.40 (the same address as the unused
# "local-secondary" ACL). Only the transfer packing format is set; no key is
# associated with this peer in the visible file.
# NOTE(review): with allow-transfer { none; } in options and no per-zone
# override visible, it is unclear which transfers this setting applies to.
server 141.163.17.40 {
	transfer-format many-answers;
};

# Logging: seven file channels written under "logs/" (relative to the options
# directory), followed by the category-to-channel map.
# None of the channels sets a "size" or "versions" limit, so growth is bounded
# only by whatever external rotation exists - TODO confirm one is in place,
# especially for the channels at severity debug.
logging {
	# Catch-all channel for categories not mapped explicitly below.
	channel our_default {
		file "logs/misc";
		severity notice;
		print-category yes;
		print-time yes;
		};

	# Receives the panic, os, insist, config and parser categories.
	channel panic {
		file "logs/panic";
		severity debug;
		print-category yes;
		print-severity yes;
		print-time yes;
		};

	# Receives zone database, load, notify and update messages.
	channel zones {
		file "logs/zones";
		severity debug;
		print-category yes;
		print-severity yes;
		print-time yes;
		};

	# Receives the "security" category (denied/unapproved requests).
	# NOTE(review): presumably where the "unapproved recursive query" entries
	# discussed in the thread are written - confirm. This is the file to
	# watch when investigating who is sending unexpected queries.
	channel security {
		file "logs/security";
		severity debug;
		print-category yes;
		print-severity yes;
		print-time yes;
		};

	# Receives inbound and outbound zone-transfer messages.
	channel our_transfers {
		file "logs/transfers";
		severity debug;
		print-category yes;
		print-severity yes;
		print-time yes;
		};

	# Receives the statistics category.
	channel stats {
		file "logs/stats";
		severity info;
		print-category yes;
		print-severity yes;
		print-time yes;
		};

	# Defined for per-query logging, but unused while the matching
	# "category queries" line below stays commented out.
	channel queries {
		file "logs/queries";
		severity debug;
		print-category yes;
		print-severity yes;
		print-time yes;
		};

	# Category-to-channel map.
	category panic { panic; };
	category os { panic; };
	category insist { panic; };
	category config { panic; };
	category parser { panic; };
	category security { security; };
	category db { zones; };
	category load { zones; };
	category notify { zones; };
	category update { zones; };
	category xfer-in { our_transfers; };
	category xfer-out { our_transfers; };
	# lame-servers and cname messages are discarded.
	category lame-servers { null; };
	category cname { null; };
	category statistics { stats; };
	# Per-query logging is disabled; enabling it would record every query
	# (source and name) to logs/queries.
#	category queries { queries; };
	category default { our_default; };
};

# CHAOS-class zone "bind", served from the local file "bind" and queryable
# only from localhost.
# NOTE(review): this is the usual way to keep version.bind-style queries from
# disclosing the server version to remote clients; the zone file contents are
# not shown here, so confirm what it actually returns.
zone "bind" chaos {
	type master;
	file "bind";
	allow-query { localhost; };
};

# Root hints, used to start recursive resolution (recursion itself is limited
# to the "uop" ACL in options).
zone "." in {
	type hint;
	file "named.ca";
};

# Forward and reverse loopback zones, mastered locally and answered only for
# clients matching the "uop" ACL.
zone "localhost" in {
	type master;
	file "named.local";
	allow-query { uop; };
};

zone "0.0.127.in-addr.arpa" in {
	type master;
	file "named.local.rev";
	allow-query { uop; };
};

#
# PLYMOUTH.AC.UK  ZONE
#

# Main university forward zones and the 141.163/16 reverse zone, held as
# slave copies pulled from 141.163.1.250 (the files sit under "primary/" even
# though the type is slave). No allow-query is set on these zones.
# NOTE(review): no key is associated with the master in the visible file, so
# inbound transfers appear to be trusted on the master's IP address alone -
# confirm whether that is acceptable for this network.
zone "plymouth.ac.uk" in {
	type slave;
	file "primary/PLYMOUTH.ZONE";
        masters { 141.163.1.250; };
};

zone "plym.ac.uk" in {
	type slave;
	file "primary/PLYM.ZONE";
        masters { 141.163.1.250; };
};

zone "163.141.in-addr.arpa" in {
	type slave;
	file "primary/PLYMOUTH.REV";
        masters { 141.163.1.250; };
};

#
# PBS  ZONE
#

# PBS forward zones (short and long domain names) plus the reverse zones for
# 141.163.20 through 141.163.29, all held as slave copies transferred from
# 141.163.20.1. No allow-query or transfer key is set on any of them.
zone "pbs.plym.ac.uk" in {
        type slave;
        file "secondary/pbs/PBS.ZONE";
        masters { 141.163.20.1; };
};

zone "pbs.plymouth.ac.uk" in {
        type slave;
        file "secondary/pbs/PBS-LONG.ZONE";
        masters { 141.163.20.1; };
};

# Reverse zones, one per /24.
zone "20.163.141.in-addr.arpa" in {
        type slave;
        file "secondary/pbs/PBS-20.REV";
        masters { 141.163.20.1; };
};

zone "21.163.141.in-addr.arpa" in {
        type slave;
        file "secondary/pbs/PBS-21.REV";
        masters { 141.163.20.1; };
};

zone "22.163.141.in-addr.arpa" in {
        type slave;
        file "secondary/pbs/PBS-22.REV";
        masters { 141.163.20.1; };
};

zone "23.163.141.in-addr.arpa" in {
        type slave;
        file "secondary/pbs/PBS-23.REV";
        masters { 141.163.20.1; };
};

zone "24.163.141.in-addr.arpa" in {
        type slave;
        file "secondary/pbs/PBS-24.REV";
        masters { 141.163.20.1; };
};

zone "25.163.141.in-addr.arpa" in {
        type slave;
        file "secondary/pbs/PBS-25.REV";
        masters { 141.163.20.1; };
};

zone "26.163.141.in-addr.arpa" in {
        type slave;
        file "secondary/pbs/PBS-26.REV";
        masters { 141.163.20.1; };
};

zone "27.163.141.in-addr.arpa" in {
        type slave;
        file "secondary/pbs/PBS-27.REV";
        masters { 141.163.20.1; };
};

zone "28.163.141.in-addr.arpa" in {
        type slave;
        file "secondary/pbs/PBS-28.REV";
        masters { 141.163.20.1; };
};

zone "29.163.141.in-addr.arpa" in {
        type slave;
        file "secondary/pbs/PBS-29.REV";
        masters { 141.163.20.1; };
};

#
# PMS ZONE
#

# PMS forward zone, a slave copy pulled from 141.163.1.250. The matching
# reverse zone directly below this statement is commented out, so this server
# does not load it.
zone "pms.ac.uk" in {
	type slave;
	file "primary/pms/PMS.ZONE";
	masters { 141.163.1.250; };
};

#zone "88.163.141.in-addr.arpa" in {
#	type slave;
#	file "primary/pms/PMS.REV";
#        masters { 141.163.1.250; };
#};

#
# UPSU ZONE
#

# UPSU forward zones (short and long domain names), slave copies pulled from
# 141.163.200.11. That is the same master the accompanying post gives for
# termisoc.org on dns0; termisoc.org itself is not configured anywhere in
# this file, so this server has no authoritative data for it.
zone "upsu.plym.ac.uk" in {
	type slave;
	file "secondary/upsu/UPSU.ZONE";
	masters { 141.163.200.11; };
};

zone "upsu.plymouth.ac.uk" in {
	type slave;
	file "secondary/upsu/UPSU-LONG.ZONE";
	masters { 141.163.200.11; };
};

#
# PCFE  ZONE
#

# PCFE forward zones (three domain names) plus the reverse zones for
# 141.163.160 through 141.163.163, all slave copies pulled from
# 141.163.161.249. No allow-query or transfer key is set on any of them.
zone "pcfe.ac.uk" in {
	type slave;
	file "secondary/pcfe/PCFE.ZONE";
	masters { 141.163.161.249; };
};

zone "pcfe.plymouth.ac.uk" in {
	type slave;
	file "secondary/pcfe/PCFE-LONG.ZONE";
	masters { 141.163.161.249; };
};

zone "pcfe.plym.ac.uk" in {
	type slave;
	file "secondary/pcfe/PCFE-SHORT.ZONE";
	masters { 141.163.161.249; };
};

# Reverse zones, one per /24.
zone "160.163.141.in-addr.arpa" in {
	type slave;
	file "secondary/pcfe/PCFE-160.REV";
	masters { 141.163.161.249; };
};

zone "161.163.141.in-addr.arpa" in {
        type slave;
        file "secondary/pcfe/PCFE-161.REV";
        masters { 141.163.161.249; };
};

zone "162.163.141.in-addr.arpa" in {
	type slave;
	file "secondary/pcfe/PCFE-162.REV";
	masters { 141.163.161.249; };
};

zone "163.163.141.in-addr.arpa" in {
	type slave;
	file "secondary/pcfe/PCFE-163.REV";
	masters { 141.163.161.249; };
};

#
# AMERC.AC.UK  ZONE
#

# AMERC forward zone, a slave copy pulled from 141.163.161.249 (the same
# master as the PCFE zones). No allow-query or transfer key is set.
zone "amerc.ac.uk" in {
	type slave;
	file "secondary/amerc/AMERC.ZONE";
	masters { 141.163.161.249; };
};



