denied query on bind

Mark_Andrews at isc.org Mark_Andrews at isc.org
Fri Oct 3 00:22:41 UTC 2003


> Mark_Andrews at isc.org wrote in message news:<bladft$e25$1 at sf1.isc.org>...
> > > ChrisC <chris at issolutions.co.uk> wrote:
> > > > Hi,
> > > > I'm running bind 8.2.4 on solaris 9. My messages /log files are
> > > > constantly filling up with 'denied query' from various ip addresses
> > > > to the following
> >  
> > > > denied query from [206.222.107.70].53 for
> > > > "82.80/28.192.147.12.in-addr.arpa
> > > > " IN Sep 13 08:17:54 
> >  
> > > > The ip address looks strange and I haven't seen it before, I'm trying to
> > > > find out why I'm constantly getting queries for this, could someone
> > > > give me a clue??
> >  
> > > > Thanks
> > > 
> > > The range _is_ assigned to :
> > > 80/28.192.147.12.in-addr.arpa.  1d23h58m8s IN NS  percy.issolutions.co.uk.
> > > 80/28.192.147.12.in-addr.arpa.  1d23h58m8s IN NS  ns2.toshiba-europe.com.
> > > 
> > > which might indicate that one of your clients uses this address for outbound
> > > use. 
> > > Servers "out there" try to query the nameservers (and get refused)
> > > 
> > > If you use these addresses you are supposed to present working servers.
> > 
> > 	And the fix for this is to add
> > 
> > 	allow-query { any; };
> > 
> > 	to the zone clause for 80/28.192.147.12.in-addr.arpa
> > 
> > 	You should also allow percy.issolutions.co.uk to transfer
> > 	the zone as it is a slave. 
> > 
> > 	allow-transfer { 193.129.122.21; };
> >  
> > > 
> > > -- 
> > > Peter Håkanson         
> > >         IPSec  Sverige      ( At Gothenburg Riverside )
> > >            Sorry about my e-mail address, but i'm trying to keep spam out,
> > > 	   remove "icke-reklam" if you feel for mailing me. Thanx.
> > >
> 
> 
> Hi All,
> 
> Thank you for the input, I'm very confused about the address
> 80/28.192.147.12.in-addr.arpa, could someone tell me how they found
> out (ie what tool) it is allocated to percy and ns2 ? I've looked on
> ripe and can't find it, also how can we see who assigned those
> addresses ? What is the 80/28 bit at the beginning?
> 
> Thanks

	80/28 indicates that the last octet of your address range
	starts at octet 80 and that a 28 bit netmask applies.  This
	gives a range of 16 addresses 12.147.192.80 - 12.147.192.95.

	Now to perform a reverse lookup for 12.147.192.80 to
	12.147.192.95 the clients create lookups like
	80.192.147.12.in-addr.arpa - 95.192.147.12.in-addr.arpa.

	The problem is that this requires 16 individual delegations,
	one for each individual reverse name.  Rather than doing
	that there is an alternate technique where the parent zone
	sets up 16 CNAMEs for those names and points them to some
	other zone.  In this case the name of the other zone is
	80/28.192.147.12.in-addr.arpa.
	
	So your zone is found by looking up 80.192.147.12.in-addr.arpa
	seeing the CNAME which points to 80.80/28.192.147.12.in-addr.arpa
	then looking up that name.

	You really should have both the parent zone (147.12.in-addr.arpa)
	and 80/28.192.147.12.in-addr.arpa on your server as this
	allows local lookups to complete without having to ask other
	servers.

	This is all explained in RFC 2317.

	Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
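
The CNAME technique described in the message above, worked through as an added example (not part of the original post and not ISC code). It generates the records a parent reverse zone would carry for a block smaller than a /24 and shows the name a resolver ends up querying; the function names are hypothetical, and the block and name servers are the ones quoted in the thread.

```python
import ipaddress

def _block(cidr):
    """Parse and validate a block that is smaller than a /24."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects misaligned blocks
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("classless delegation is for IPv4 blocks longer than /24")
    return net

def child_zone(cidr):
    """Zone name in the '<first octet>/<prefix length>' form used in the thread."""
    net = _block(cidr)
    a, b, c, d = str(net.network_address).split(".")
    return f"{d}/{net.prefixlen}.{c}.{b}.{a}.in-addr.arpa."

def parent_records(cidr, nameservers):
    """Records for the parent reverse zone: NS for the child zone, then one
    CNAME per address pointing into the child zone."""
    zone = child_zone(cidr)
    records = [f"{zone} IN NS {ns}" for ns in nameservers]
    for addr in _block(cidr):
        last = str(addr).rsplit(".", 1)[1]
        records.append(f"{addr.reverse_pointer}. IN CNAME {last}.{zone}")
    return records

def ptr_owner(ip, cidr):
    """Name a resolver ends up querying for PTR after following the CNAME."""
    addr = ipaddress.ip_address(ip)
    if addr not in _block(cidr):
        raise ValueError(f"{ip} is outside {cidr}")
    return f"{str(addr).rsplit('.', 1)[1]}.{child_zone(cidr)}"

if __name__ == "__main__":
    # Block and name servers as quoted in the thread.
    for line in parent_records("12.147.192.80/28",
                               ["percy.issolutions.co.uk.", "ns2.toshiba-europe.com."]):
        print(line)
    print(ptr_owner("12.147.192.80", "12.147.192.80/28"))
```

The final name printed is the one that appears in the "denied query" log line, which is why the child zone has to answer queries from any source.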

