Bind 9.1 Question

Willis L. Sarka wlsarka at the-republic.org
Tue Jan 30 00:13:16 UTC 2001


With dig, it gives the same type of responses.  Although 9.1 might not
support it, I was under the impression that nslookup use is deprecated,
not completely removed altogether.  I'm not too terribly familiar with dig,
but just typing "dig" at the prompt produces this:


[root at news doc]# dig

; <<>> DiG 9.1.0 <<>>
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 28309
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.				IN	NS

;; Query time: 10 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan 30 00:11:57 2001
;; MSG SIZE  rcvd: 17


Notice the "REFUSED" part still?  This is what I'm having trouble with...
Again, it's probably really braindead what I'm missing, but I'm not seeing
it.

If anyone has a look at the named.conf snippet I sent earlier, please tell
me what option I'm missing or need to axe.

W

On Mon, 29 Jan 2001, Nguyen, Andy wrote:

> nslookup is not supported in Bind 9.1.  Use dig instead.
>
> -----Original Message-----
> From: Willis L. Sarka [mailto:wlsarka at the-republic.org]
> Sent: Monday, January 29, 2001 5:50 PM
> To: bind-users at isc.org
> Subject: Bind 9.1 Question
>
>
>
> Greetings,
>
> I have Bind 9.1 up and running successfully, but I have one small problem.
> I can perform an nslookup query remotely (i.e. not on the same machine
> that Bind is running on), and it works just fine.  However on the same
> machine that is running Bind 9.1, when I do a nslookup, I get a "refused"
> message.  I'm sure this is probably something _really_ that I'm missing,
> but I've been stuck for a few hours, so here I am.
>
> Sample nslookup on machine running bind 9.1:
>
> [root at news /root]# nslookup
> Note:  nslookup is deprecated and may be removed from future releases.
> Consider using the `dig' or `host' programs instead.  Run nslookup with
> the `-sil[ent]' option to prevent this message from appearing.
> > news.bldr.rtone.com
> Server:		127.0.0.1
> Address:	127.0.0.1#53
>
> ** server can't find news.bldr.rtone.com.: REFUSED
> >
>
>
> Messages from the log files:
>
> Jan 29 22:45:13.983 security: client 127.0.0.1#2030: query denied
>
> Here is my named.conf:
>
> acl "internals" { 127.0.0.1; 172.16.0.0/20; 172.16.16.0/24; 172.16.5.0/24;
> 192.168.253.0/24;  };
>
> controls {
>         inet 127.0.0.1 allow { localhost; } keys { namedkey; };
> };
>
> key namedkey {
>         algorithm "hmac-md5";
>         secret "tP6O603HGrPW6bV59JV4vw==";
> };
>
> options {
>         auth-nxdomain no;
>         directory "/";
>         pid-file "named.pid";
>         allow-query { "internals"; };
>         allow-recursion { "internals"; };
>         allow-transfer { "internals"; };
> };
>
> logging {
>         channel namedlog {
>                 file "var/log/named.log" versions 5 size 2m;
>                 print-time yes;
>                 print-category yes;
>                 };
>         category xfer-out { namedlog; };
>         category panic { namedlog; };
>         category security { namedlog; };
>         category insist { namedlog; };
>         category response-checks { namedlog; };
> };
>
> //
> // a caching only nameserver config
> //
> zone "." {
>         type hint;
>         file "named.ca";
> };
>
> zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "named.local";
> };
>
> zone "rtone.com" {
>         type master;
>         file "db.rtone.com";
> };
>
> zone "bldr.rtone.com" {
>         type master;
>         file "db.bldr.rtone.com";
> };
>
> zone "dnvr.rtone.com" {
>         type master;
>         file "db.dnvr.rtone.com";
> };
>
> zone "smartpoint.com" {
>         type master;
>         file "db.smartpoint.com";
> };
>
> .... more reverse zones, etc...
>
>
>
> I know the logging section needs work.
>
>
> Rndc is working just fine on the nameserver box, if that matters, and
> named starts and runs fine.
>
>
> Again, any help is appreciated.  This is the last step before I convert
> from Bind 8.2.2_P7 to Bind 9.1.  I'd like to never again worry about a
> Bind 8.x buffer overflow, or root exploit.
>
> Thanks,
> Will Sarka
>
>
>
>

-- 
---------------------------------------------
Those, who would give up essential liberty to
purchase a little temporary safety, deserve
neither liberty nor safety.

-Ben Franklin
Historical Review of Constitution and
Government of Pennsylvania
---------------------------------------------


