REFUSED but no log entry

Jason Mitchell jm at hcn.com.au
Wed Oct 10 06:24:19 UTC 2007


Hi Mark,

Actually, that is how the example Bind 9.3.3 config
(/usr/share/doc/bind-9.3.3/sample/etc/named.conf) is shipping with CentOS 5
(and I suspect with a prominent North American Linux vendor's also...).

I was having grief with a new CentOS 5 install, the local_resolver and 
internal views were working, but the external view was returning REFUSED to 
all. 

I removed the match-destinations clauses and was still seeing "REFUSED" 
responses on the external view.

I replaced "match-clients { !localnets; !localhost; };" with
"match-clients { ANY; };" and now I'm seeing the expected behavior.

Cheers,

Jason

On Thu, 04 Oct 2007 17:44:27 +1000, Mark Andrews wrote
> > I'm running bind-9.3.3 on CentOS5 and trying to figure out why I can't 
> > transfer my zone to an outside slave. All queries seem to be met with a 
> > REFUSED response, but I see nothing reported in *any* of the log 
> > categories (most running at debug level, some at info), nor do I see 
> > anything in /var/log/messages. Where should I be looking for diagnostic 
> > info to track this down?
> > 
> > I suspect it might be a view permission issue. I have 3 views configured 
> > per CentOS5 "standard", like this:
> 
> 	I seriously doubt that this is the 'CentOS5 "standard"'
> 	because what you have below is illogical.  I suggest that
> 	you actually read the description of match-destinations,
> 	then ask yourself if any packet will ever match
> 
> 		match-destinations      { !localnets; !localhost; };
> 
> 	unless you are actually intercepting packets in a firewall and
> 	processing them locally.
> 
> 	You get REFUSED because the queries don't match any view.
> 
> 	Remove the match-destinations clauses; they really are not needed.
> 
> 	Mark
> 
> > view "localhost_resolver"
> > {
> >         match-clients           { localhost; };
> >         match-destinations      { localhost; };
> > };
> > view "internal"
> > {
> >         match-clients           { localnets; };
> >         match-destinations      { localnets; };
> > };
> > view    "external"
> > {
> >         match-clients           { !localnets; !localhost; };
> >         match-destinations      { !localnets; !localhost; };
> > };
> > 
> > The zone is defined in all 3 views. I'm getting refused from 2 external 
> > clients on different networks.
> > 
> > [ken at newred tmp]$ dig microprecisionautomation.com @69.17.55.102
> > 
> > ; <<>> DiG 9.2.3 <<>> microprecisionautomation.com @69.17.55.102
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20075
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > 
> > ;; QUESTION SECTION:
> > ;microprecisionautomation.com.  IN      A
> > 
> > ;; Query time: 27 msec
> > ;; SERVER: 69.17.55.102#53(69.17.55.102)
> > ;; WHEN: Tue Oct  2 15:26:50 2007
> > ;; MSG SIZE  rcvd: 46
> > 
> > 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
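The behaviour both posters describe follows directly from how BIND evaluates an address-match-list: elements are tested in order, the first element that matches decides, a matching negated element means "no match", and a list in which nothing matches also yields "no match". A list made up only of negated elements such as `{ !localnets; !localhost; }` can therefore never match anything, which is why the shipped "external" view refuses everyone even after the match-destinations clauses are gone. The script below is an added illustration of that evaluation and of view selection, written for this thread; it is not ISC code and not the configuration from the post. The loopback and LAN prefixes, the server's addresses and the client addresses are constructed sample values.

```python
"""Simulation of BIND address-match-list evaluation and view selection.

Added example, not taken from the mailing-list thread or from ISC's named.
ACL semantics as documented in the BIND ARM: elements are tested in order,
the first element that matches decides, a negated element that matches
yields "no match", and a list in which nothing matches also yields "no match".
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample topology: a loopback address and one LAN prefix.
# Every query the server receives is addressed to one of SERVER_ADDRESSES,
# so a destination address is always in localnets/localhost.
LOCALHOST = [ipaddress.ip_network("127.0.0.0/8")]
LOCALNETS = [ipaddress.ip_network("127.0.0.0/8"),
             ipaddress.ip_network("192.168.1.0/24")]
SERVER_ADDRESSES = ["127.0.0.1", "192.168.1.53"]

BUILTIN_ACLS = {
    "localhost": LOCALHOST,
    "localnets": LOCALNETS,
    "any": [ipaddress.ip_network("0.0.0.0/0")],
    "none": [],
}


def acl_matches(addr: str, elements: list) -> bool:
    """Evaluate an address-match-list, e.g. ['!localnets', '!localhost', 'any']."""
    ip = ipaddress.ip_address(addr)
    for element in elements:
        negated = element.startswith("!")
        name = element.lstrip("!")
        if name in BUILTIN_ACLS:
            networks = BUILTIN_ACLS[name]
        else:
            networks = [ipaddress.ip_network(name, strict=False)]
        if any(ip in net for net in networks):
            return not negated  # first matching element decides the result
    return False  # nothing matched: that is "no match", not a default allow


@dataclass
class View:
    name: str
    match_clients: list
    # BIND's default when match-destinations is omitted is { any; }.
    match_destinations: list = field(default_factory=lambda: ["any"])


def select_view(views: list, client: str, destination: str) -> str:
    """Return the first view whose client and destination lists both match."""
    for view in views:
        if (acl_matches(client, view.match_clients)
                and acl_matches(destination, view.match_destinations)):
            return view.name
    return "REFUSED"  # no view matched the query


# The views as quoted in the thread: negated-only lists on the external view.
SHIPPED_VIEWS = [
    View("localhost_resolver", ["localhost"], ["localhost"]),
    View("internal", ["localnets"], ["localnets"]),
    View("external", ["!localnets", "!localhost"], ["!localnets", "!localhost"]),
]

# Mark's advice (drop match-destinations) plus Jason's match-clients { any; }.
# Because the earlier views already claim localhost and localnets clients,
# 'any' on the last view only ever sees the remaining (external) clients.
# { !localnets; !localhost; any; } would work too: the trailing positive
# element gives the list something that can actually match.
FIXED_VIEWS = [
    View("localhost_resolver", ["localhost"]),
    View("internal", ["localnets"]),
    View("external", ["any"]),
]


def compare(client: str, destination: str = "192.168.1.53") -> dict:
    """Show which view (if any) a query reaches under both configurations."""
    return {
        "shipped": select_view(SHIPPED_VIEWS, client, destination),
        "fixed": select_view(FIXED_VIEWS, client, destination),
    }


if __name__ == "__main__":
    # 203.0.113.10 is a constructed external client address (TEST-NET-3).
    for client in ["127.0.0.1", "192.168.1.20", "203.0.113.10"]:
        dest = "127.0.0.1" if client == "127.0.0.1" else "192.168.1.53"
        print(client, "->", compare(client, dest))
```

Running it shows the external client ending in REFUSED under the shipped views and landing in the "external" view once the lists contain a positive element, while the localhost and LAN clients are unaffected by the change, which matches what Jason observed on his server.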
