query restricted on sub domain

Kevin Darcy kcd at daimlerchrysler.com
Thu Aug 7 21:29:55 UTC 2003


ChrisC wrote:

> Kevin Darcy <kcd at daimlerchrysler.com> wrote in message news:<bgs2h2$2ukq$1 at sf1.isc.org>...
> > ChrisC wrote:
> >
> > > I have set up Bind 8.2.4 on solaris 9, as a secondary server. I
> > > restrict resolving queries on the server with the line at the top
> > >
> > > allow-query { "access-list"; };
> > >
> > > Then for each of the authoritative domains I have
> > >
> > > allow-query { "any"; };
> > >
> > > which works ok.
> > >
> > > For one of the domains we have a sub domain for it -- which is served
> > > off 2 other servers, e.g. usa.domain.com, i.e. they have different NS
> > > records, but for some reason I am seeing queries for it in the messages
> > > file on the main server which serves domain.com.
> > >
> > > denied query from [151.164.1.15].15876 for "www.usa.domain.com"
> > >
> > > My question is
> > >
> > > - why am I getting queries for usa.domain.com when it is served off 2
> > > different servers elsewhere ?
> >
> > I'm presuming it's because your slave is a *delegated* slave for the zone
> > (you didn't mention whether it was a delegated slave or not). Delegated
> > slaves can and will get queries for any names that are in the *domain*,
> > regardless of whether those names are in descendant zones or not. That's
> > just the way the standard resolver algorithm works: just keep throwing
> > queries and following referrals down the hierarchy until you get a
> > "terminal" response like an answerful response, a NODATA (NOERROR with
> > either an SOA or no NS records in the Authority Section) response, or an
> > NXDOMAIN response.
> >
> > > The server does however give the locations of the ns and soa servers
> > > for the sub domains. This makes sense as if they did not then nobody
> > > would get answers from there.
> >
> > Is "www.usa.domain.com" itself defined as a query-restricted zone in your
> > named.conf? That's the only way I could reproduce the behavior you
> > describe. If I just define "domain.com" with "allow-query { any; };",
> > with no other zone definitions underneath that, then all queries for all
> > names underneath "domain.com" are answered and none are denied. Could you
> > post or at least describe the contents of your named.conf?
> >
> >
> > - Kevin
>
> Hi Kevin, here is the named.conf file for the secondary server. Just
> to point out this 'is' a delegated slave for domain.com, so maybe this is
> normal as you said - it will receive queries for anything for
> *domain.com, although the usa.domain.com is served off different name
> servers. I am seeing lots of queries being made for usa.domain.com and
> being denied. I am a bit worried what happens to queries being denied
> and if it affects the client, or if it does not affect the client, i.e.
> they just get the answer from the other servers.
>
> acl "access-list" {
>         { 193.129.122/24; 195.182.96.28; 195.182.96.29;
>           195.182.96.60; 195.182.96.61; };
> };
> options {
>         directory       "/var/named";
>         allow-transfer { "None"; };
>         allow-query { "access-list"; };
> };
> zone "." in {
>         type hint;
>         file "named.root";
> };
> zone "0.0.127.in-addr.arpa" in {
>         type master;
>         file "loopback-domain-info";
>         allow-query { "any"; };
> };
> zone "domain.com" in {
>         type slave;
>         file "domain.com.back";
>         masters { 193.129.122.21; };
>         allow-query { "any"; };
> };

I can't seem to reproduce your problem. I have a named.conf that's structurally identical to
yours, and yet I can resolve names two levels below my "domain.com"-equivalent (where my
"usa.domain.com"-equivalent is a subzone delegated to other nameservers) without any
REFUSED responses or "denied query" messages in the logs.

Is there anything special about usa.domain.com or www.usa.domain.com that I should know
about? Is www.usa.domain.com a zone, for instance, or an alias?


- Kevin
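The two points made in this thread (a delegated slave for domain.com legitimately receives queries for names under usa.domain.com and should answer them with a referral, and the posted named.conf only produces "denied query" for such a name if the server also carries a query-restricted zone enclosing it) can be seen in a small model of iterative resolution plus per-zone allow-query. The following is an added example written for this page; it is not BIND code and not from either poster. The zone contents, the server names (a.root.example., a.gtld.example., ns1/ns2.domain.com., ns1/ns2.usa.domain.com.) and the 192.0.2.x / 198.51.100.x addresses are constructed; the access-list prefixes and the 151.164.1.15 client come from the thread.

```python
"""Toy model of iterative resolution and BIND-style per-zone allow-query.
Added example for this thread, not BIND code. All zone data, server names and
RFC 5737 addresses below are constructed for the demonstration."""
from ipaddress import ip_address, ip_network

# Constructed zone data: zone apex -> {owner name -> {rrtype -> [rdata]}}.
ZONES = {
    ".": {".": {"SOA": ["root"], "NS": ["a.root.example."]},
          "com.": {"NS": ["a.gtld.example."]}},
    "com.": {"com.": {"SOA": ["com"], "NS": ["a.gtld.example."]},
             "domain.com.": {"NS": ["ns1.domain.com.", "ns2.domain.com."]}},
    "domain.com.": {
        "domain.com.": {"SOA": ["domain"], "NS": ["ns1.domain.com.", "ns2.domain.com."]},
        "www.domain.com.": {"A": ["192.0.2.10"]},
        # Zone cut: the child zone is served elsewhere, the parent only holds NS.
        "usa.domain.com.": {"NS": ["ns1.usa.domain.com.", "ns2.usa.domain.com."]}},
    "usa.domain.com.": {
        "usa.domain.com.": {"SOA": ["usa"], "NS": ["ns1.usa.domain.com.", "ns2.usa.domain.com."]},
        "www.usa.domain.com.": {"A": ["198.51.100.5"]}},
}

ANY = None  # stands for allow-query { any; }
ACCESS_LIST = [ip_network(p) for p in ("193.129.122.0/24", "195.182.96.28/32",
                                      "195.182.96.29/32", "195.182.96.60/32",
                                      "195.182.96.61/32")]

# Server name -> {zone it serves -> allow-query ACL for that zone}.
SERVERS = {
    "a.root.example.": {".": ANY},
    "a.gtld.example.": {"com.": ANY},
    "ns1.domain.com.": {"domain.com.": ANY},  # the delegated slave from the thread
    "ns2.domain.com.": {"domain.com.": ANY},
    "ns1.usa.domain.com.": {"usa.domain.com.": ANY},
    "ns2.usa.domain.com.": {"usa.domain.com.": ANY},
}


def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def acl_allows(acl, client):
    return acl is ANY or any(ip_address(client) in net for net in acl)


def authoritative_answer(server, qname, qtype, client, servers=SERVERS):
    """Response of one authoritative server: (rcode, kind, rdata).
    kind is answer / nodata / nxdomain / referral / refused / denied query."""
    zones = [z for z in servers[server] if in_zone(qname, z)]
    if not zones:
        return "REFUSED", "refused", []
    zone = max(zones, key=len)  # deepest configured zone enclosing qname
    if not acl_allows(servers[server][zone], client):
        return "REFUSED", "denied query", []  # the log line seen in the thread
    data = ZONES[zone]
    labels = qname.rstrip(".").split(".")
    depth = 0 if zone == "." else len(zone.rstrip(".").split("."))
    # Walk from just below the apex down to qname; the first zone cut wins.
    for k in range(depth + 1, len(labels) + 1):
        cut = ".".join(labels[-k:]) + "."
        if cut != zone and cut in data and "NS" in data[cut]:
            return "NOERROR", "referral", data[cut]["NS"]
    if qname in data:
        if qtype in data[qname]:
            return "NOERROR", "answer", data[qname][qtype]
        return "NOERROR", "nodata", []  # NOERROR with SOA, no NS, in authority
    return "NXDOMAIN", "nxdomain", []


def resolve(qname, qtype, client, servers=SERVERS, max_steps=10):
    """Iterative resolution as described in the thread: start at a root server and
    follow referrals until a terminal response. Returns (rcode, kind, rdata, trace);
    trace lists every server that saw the query and what it replied."""
    server, trace = "a.root.example.", []
    for _ in range(max_steps):
        rcode, kind, rdata = authoritative_answer(server, qname, qtype, client, servers)
        trace.append((server, rcode, kind))
        if kind != "referral":
            return rcode, kind, rdata, trace
        server = rdata[0]  # a real resolver picks any listed NS and resolves its address
    raise RuntimeError("referral loop for " + qname)


def servers_with_restricted_subzone():
    """Kevin's hypothesis: the slave also defines a zone under domain.com that
    inherits the restrictive global allow-query instead of { any; }."""
    servers = dict(SERVERS)
    servers["ns1.domain.com."] = {"domain.com.": ANY, "usa.domain.com.": ACCESS_LIST}
    return servers


if __name__ == "__main__":
    outsider = "151.164.1.15"  # the client denied in the thread's log line
    for servers in (SERVERS, servers_with_restricted_subzone()):
        rcode, kind, rdata, trace = resolve("www.usa.domain.com.", "A", outsider, servers)
        print(rcode, kind, rdata)
        for step in trace:
            print("   ", *step)
```

With the posted configuration (only domain.com carries allow-query { any; }), the trace shows ns1.domain.com. receiving the query for www.usa.domain.com. and returning a referral, after which the client is answered by ns1.usa.domain.com.; no REFUSED appears. Only when the slave additionally defines a zone under domain.com that inherits the global access-list does the outside client get REFUSED from ns1.domain.com., while an address inside the access-list is answered directly. Running `dig @ns1.domain.com www.usa.domain.com +norecurse` against the real slave and looking for NS records in the AUTHORITY section versus status REFUSED is the corresponding live check.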




More information about the bind-users mailing list