query restricted on sub domain

ChrisC chris at issolutions.co.uk
Thu Aug 7 10:41:47 UTC 2003


Kevin Darcy <kcd at daimlerchrysler.com> wrote in message news:<bgs2h2$2ukq$1 at sf1.isc.org>...
> ChrisC wrote:
> 
> > I have set up Bind 8.2.4 on solaris 9, as a secondary server. I
> > restrict resolving queries on the server with the line at the top
> >
> > allow-query { "access-list"; };
> >
> > Then for each of the authoritative domains I have
> >
> > allow-query { "any"; };
> >
> > which works ok.
> >
> > For one of the domains we have a sub domain for it -- which is served
> > off 2 other servers e.g. usa.domain.com and ie they have different ns
> > records but for some reason I am seeing queries for it in the messages
> > file on the main server which serves domain.com.
> >
> > denied query from [151.164.1.15].15876 for "www.usa.domain.com"
> >
> > My question is
> >
> > - why am I getting queries for usa.domain.com when it is served off 2
> > different servers elsewhere ?
> 
> I'm presuming it's because your slave is a *delegated* slave for the zone
> (you didn't mention whether it was a delegated slave or not). Delegated
> slaves can and will get queries for any names that are in the *domain*,
> regardless of whether those names are in descendant zones or not. That's
> just the way the standard resolver algorithm works: just keep throwing
> queries and following referrals down the hierarchy until you get a
> "terminal" response like an answerful response, a NODATA (NOERROR with
> either an SOA or no NS records in the Authority Section) response, or an
> NXDOMAIN response.
> 
> > The server does however give the locations of the ns and soa servers
> > for the sub domains. This makes sense as if they did not then nobody
> > would get answers from there.
> 
> Is "www.usa.domain.com" itself defined as a query-restricted zone in your
> named.conf? That's the only way I could reproduce the behavior you
> describe. If I just define "domain.com" with "allow-query { any; };",
> with no other zone definitions underneath that, then all queries for all
> names underneath "domain.com" are answered and none are denied. Could you
> post or at least describe the contents of your named.conf?
> 
> 
> - Kevin

Hi Kevin, here is the named.conf file for the secondary server. Just
to point out this 'is' a delegated slave for domain.com, so maybe this
is normal as you said - it will receive queries for anything for
*domain.com, although the usa.domain.com is served off different name
servers. I am seeing lots of queries being made for usa.domain.com and
being denied. I am a bit worried what happens to queries being denied
and if it affects the client, or if it does not affect the client, i.e.
they just get the answer from the other servers.

acl "access-list" {
        { 193.129.122/24; 195.182.96.28; 195.182.96.29;
          195.182.96.60; 195.182.96.61; };
};
options {
        directory       "/var/named";
        allow-transfer { "None"; };
        allow-query { "access-list"; };
};
zone "." in {
        type hint;
        file "named.root";
};
zone "0.0.127.in-addr.arpa" in {
        type master;
        file "loopback-domain-info";
        allow-query { "any"; };
};
zone "domain.com" in {
        type slave;
        file "domain.com.back";
        masters {
        193.129.122.21;
        };
        allow-query { "any"; };
};
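A log-triage helper, added here as an example (it is not part of Chris's post, Kevin's reply, or BIND itself), that parses "denied query" lines in the format quoted above and flags the denials the posted named.conf should not be producing: a name under domain.com, which has allow-query { any; }, or a client that is inside the access-list. The ACL entries and zone names are taken from the posted config; the syslog prefix on the sample lines and the sample clients are assumptions.

```python
import ipaddress
import re

# Constructed sample lines in the format quoted in the thread (not real log data).
SAMPLE_LOG = """\
Aug  7 10:12:01 ns2 named[211]: denied query from [151.164.1.15].15876 for "www.usa.domain.com"
Aug  7 10:12:03 ns2 named[211]: denied query from [151.164.1.15].15877 for "mail.usa.domain.com"
Aug  7 10:12:09 ns2 named[211]: denied query from [10.9.8.7].1053 for "www.other.example"
Aug  7 10:12:11 ns2 named[211]: denied query from [193.129.122.5].2048 for "www.other.example"
"""

LINE_RE = re.compile(r'denied query from \[([0-9.]+)\]\.(\d+) for "([^"]+)"')

# Mirrors the poster's acl "access-list" (BIND's 193.129.122/24 spelled out as
# a full CIDR prefix for ipaddress) and the zones that allow-query { any; }.
ACCESS_LIST = [ipaddress.ip_network(n) for n in (
    "193.129.122.0/24", "195.182.96.28", "195.182.96.29",
    "195.182.96.60", "195.182.96.61")]
OPEN_ZONES = {"domain.com"}              # answered for anyone, referrals included
DELEGATED_CHILDREN = {"usa.domain.com"}  # served by other name servers

def in_zone(name, zone):
    """True if name equals zone or sits anywhere below it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)

def classify(line):
    """Parse one 'denied query' line.  A denial is 'expected' only when the
    client is outside the access-list AND the name lies outside every open
    zone; any other denial means named.conf is not doing what was intended."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ip, port, qname = m.group(1), int(m.group(2)), m.group(3)
    client = ipaddress.ip_address(ip)
    in_acl = any(client in net for net in ACCESS_LIST)
    open_zone = any(in_zone(qname, z) for z in OPEN_ZONES)
    child = next((z for z in DELEGATED_CHILDREN if in_zone(qname, z)), None)
    return {"client": ip, "port": port, "qname": qname, "in_acl": in_acl,
            "open_zone": open_zone, "delegated_child": child,
            "expected": not in_acl and not open_zone}

def unexpected_denials(log_text):
    """Records for denials the configuration should not be producing."""
    records = (classify(l) for l in log_text.splitlines())
    return [r for r in records if r and not r["expected"]]

if __name__ == "__main__":
    for r in unexpected_denials(SAMPLE_LOG):
        print(f'{r["client"]} denied for {r["qname"]} (delegated child: {r["delegated_child"]})')
```

Run against the real messages file, every www.usa.domain.com denial shows up as unexpected, which is the point Kevin makes: with domain.com open to anyone, a query for a name below it should get a referral, not a denial.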

