Query Source not applicable for root queries?

Treptow, Craig Treptow.Craig at principal.com
Mon Feb 28 17:07:46 UTC 2005


Hi.  We're running BIND 9.2.4 under a Veritas cluster on Solaris 8.  I've done some searching on the list archives for this, but either I missed it, or it isn't there.

This past weekend, we swapped to new firewalls and saw a bunch of denies.  Apparently the old FW rules were built slightly differently, and this issue never came up because of it.  It appears that all the denies were queries to the root servers coming from the physical NIC, instead of the virtual as I intended.  This surprised me, since I set the query source in my options:

options {
        directory "/usr/dns/bind/data";
        pid-file "/usr/dns/bind/etc/named.pid";
        listen-on port 53 { 162.131.38.89; };
        notify yes;
        query-source address 162.131.38.89 port *;
        transfer-source 162.131.38.89;
        notify-source 162.131.38.89;
        allow-query { any; };
        allow-transfer { localhost; };
        transfer-format many-answers;
// Ran out on 11/17/03 in the afternoon (4-5pm) and at night (9pm)
// So increasing from 5000 to 8000
        recursive-clients 8000;
        tcp-clients 100;
        provide-ixfr yes;
        zone-statistics no;
};

Did I screw up the config, or is there possibly a bug somewhere?

Thanks for any help!

Craig Treptow
IT Network Analyst - Senior
IS Network Administration - Network Management
515-247-6207
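
Added example, not part of the original message: a Python check that reads the source-address statements from the options block above and lists denied port-53 flows whose source is not one of them, which is the comparison described in the message. The firewall line format, 192.0.2.10 (standing in for the physical NIC) and the 198.51.100.x destinations are constructed assumptions.

```python
import re

# Source-address statements copied from the options block in the message above.
NAMED_OPTIONS = """
options {
        listen-on port 53 { 162.131.38.89; };
        query-source address 162.131.38.89 port *;
        transfer-source 162.131.38.89;
        notify-source 162.131.38.89;
};
"""

# Constructed firewall denies. The line format, 192.0.2.10 (standing in for the
# physical NIC) and the 198.51.100.x destinations are assumptions.
SAMPLE_DENIES = """\
deny udp src=192.0.2.10:32801 dst=198.51.100.4:53
deny udp src=162.131.38.89:32802 dst=198.51.100.4:53
deny tcp src=192.0.2.10:40112 dst=198.51.100.25:25
deny udp src=192.0.2.10:32803 dst=198.51.100.12:53
"""

SOURCE_STMT = re.compile(
    r"^\s*(query-source|transfer-source|notify-source)\s+(?:address\s+)?"
    r"(\d{1,3}(?:\.\d{1,3}){3})", re.M)
DENY = re.compile(r"^deny (udp|tcp) src=([\d.]+):(\d+) dst=([\d.]+):(\d+)$")

def configured_sources(conf):
    """Map each *-source statement in named.conf text to its IPv4 address."""
    return {m.group(1): m.group(2) for m in SOURCE_STMT.finditer(conf)}

def unexpected_dns_sources(conf, log):
    """Denied flows to port 53 whose source is not a configured source address."""
    allowed = set(configured_sources(conf).values())
    hits = []
    for line in log.splitlines():
        m = DENY.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed deny format
        proto, src, _sport, dst, dport = m.groups()
        if dport == "53" and src not in allowed:
            hits.append((src, dst, proto))
    return hits

if __name__ == "__main__":
    print(configured_sources(NAMED_OPTIONS))
    for src, dst, proto in unexpected_dns_sources(NAMED_OPTIONS, SAMPLE_DENIES):
        print(f"{proto} DNS from unconfigured source {src} -> {dst}")
```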

