Denied Query

phn at phn at
Wed Jan 22 19:07:32 UTC 2003

Alex Tang <cchytang at> wrote:

> phn at wrote in message news:<b0hesd$eg78$1 at isrv4.isc=
>> Alex Tang <cchytang at> wrote:
>> > Dear All
>> =20
>> > I keep getting the following logs which shows that the dns server is
>> > being queried his ip address ptr record from different IP. However,
>> > the ptr is hosting by other name server. They should not query my
>> > server. Do any one know why they (applications) query the ptr from m=
>> > server instead of the authoritative server which is hosting the ptr
>> > record.
>> =20
>> > eg.
>> =20
>> > 20-Jan-2003 17:25:49.285 security: notice: denied query from
>> > [].11853
>> > for "" PTR/IN
>> =20
>> > (dns1) is a new dns server and hosting some domains.
>> > the ptr of is hosting by the other server ns1.
>> =20
>> > Therefore, all request for querying the ptr of should g=
>> > to ns1 nor dns1(
>> The client will ask the dns-servers listed in /etc/resolv.conf ( or
>> simular) for everything.
>> The client is not ( shall not) be smart and attempt to locate=3D20
>> which servers are doing what domains, that's a nameserver task. Thus
>> the client asks your nameserver all queries.=3D20
>> --=3D20
>> Peter H=3DE5kanson        =3D20
>>         IPSec  Sverige      ( At Gothenburg Riverside )
>>            Sorry about my e-mail address, but i'm trying to keep spam =
>> ,
>> 	   remove "icke-reklam" if you feel for mailing me. Thanx.

> Thanks you help.
> Would you tell me that what is locate=3D20 and all queries.=3D20 ? Why =
> client ask /etc/resov.conf ? The file should be use by the name server
> only.
> Would you explain more so I can solve the problem.
> Thanks very much

Sorry about my New-reader munging with extraneous MIME-stuff.

Let's try again :=20
Your client computers uses /etc/resolv.conf ( or equivalent for their env=
to list "which nameservers to use".

Applications on ( running on ) these clients will normally consult this=20
information ( via the resolver library ).=20

The resolver is not ( and shall not be ) smart enough to choose servers=20
depending on question, it will simply pich the first working one and
send all queries to that one.

DNS is designed on the paradigm that all nameservers "sees" the same view=
is located in the same Universe. Breaking that will create lots of proble=
Unfortently firewalls and firewalled net's often break that, thats why
whole chapters in "Managing DNS and Bind" deals with these issues.

Peter H=E5kanson        =20
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but i'm trying to keep spam out=
	   remove "icke-reklam" if you feel for mailing me. Thanx.

More information about the bind-users mailing list