REFUSED but no log entry
Jason Mitchell
jm at hcn.com.au
Wed Oct 10 06:24:19 UTC 2007
Hi Mark,
Actually, that is how the example Bind 9.3.3 config
(/usr/share/doc/bind-9.3.3/sample/etc/named.conf) is shipping with CentOS 5
(and I suspect with a prominent North American Linux vendor's also..).
I was having grief with a new CentOS 5 install, the local_resolver and
internal views were working, but the external view was returning REFUSED to
all.
I removed the match-destination clauses and was still seeing "REFUSED"
responses on the external view.
I replaced "match-clients { !localnets; !localhost; };" with
"match-clients { ANY; };" and now I'm seeing the expected behavior.
Cheers,
Jason
On Thu, 04 Oct 2007 17:44:27 +1000, Mark Andrews wrote
> > I'm running bind-9.3.3 on CentOS5 and trying to figure out why I can't
> > transfer my zone to an outside slave. All queries seem to be met with a
> > REFUSED response, but I see nothing reported in *any* of the log
> > categories (most running at debug level, some at info), nor do I see
> > anything in /var/log/messages. Where should I be looking for diagnostic
> > info to track this down?
> >
> > I suspect it might be a view permission issue. I have 3 views configured
> > per CentOS5 "standard", like this:
>
> I seriously doubt that this is the 'CentOS5 "standard"'
> because what you have below is illogical. I suggest that
> you actually read the description of match-destinations,
> then ask yourself if any packet will ever match
>
> match-destinations { !localnets; !localhost; };
>
> unless you are actually intercepting packets in a firewall and
> processing them locally.
>
> You get REFUSED because the queries don't match any view.
>
> Remove the match-destinations clauses; they really are not needed.
>
> Mark
>
> > view "localhost_resolver"
> > {
> > match-clients { localhost; };
> > match-destinations { localhost; };
> > };
> > view "internal"
> > {
> > match-clients { localnets; };
> > match-destinations { localnets; };
> > };
> > view "external"
> > {
> > match-clients { !localnets; !localhost; };
> > match-destinations { !localnets; !localhost; };
> > };
> >
> > The zone is defined in all 3 views. I'm getting refused from 2 external
> > clients on different networks.
> >
> > [ken at newred tmp]$ dig microprecisionautomation.com @69.17.55.102
> >
> > ; <<>> DiG 9.2.3 <<>> microprecisionautomation.com @69.17.55.102
> > ;; global options: printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 20075
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;microprecisionautomation.com. IN A
> >
> > ;; Query time: 27 msec
> > ;; SERVER: 69.17.55.102#53(69.17.55.102)
> > ;; WHEN: Tue Oct 2 15:26:50 2007
> > ;; MSG SIZE rcvd: 46
> >
> >
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
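
A simplified model of how named picks a view for the query discussed in this thread, added here as an example; it is not code from either poster or from BIND. The server address 198.51.100.10, the client 203.0.113.7 and the FIXED list are constructed. The rule modelled is BIND's documented address match list behaviour: the first matching element decides, a negated match rejects, no match rejects, and an omitted match-destinations defaults to any.

```python
import ipaddress

# Constructed sample addresses (documentation ranges), not taken from the thread.
SERVER_ADDRS = [ipaddress.ip_address("198.51.100.10"), ipaddress.ip_address("127.0.0.1")]
LOCAL_NETS = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("127.0.0.0/8")]

def element_matches(name, addr):
    """Evaluate one built-in ACL name (any, none, localhost, localnets)."""
    if name == "any":
        return True
    if name == "none":
        return False
    if name == "localhost":
        return addr in SERVER_ADDRS
    if name == "localnets":
        return any(addr in net for net in LOCAL_NETS)
    raise ValueError(f"unsupported ACL element: {name}")

def acl_matches(acl, addr):
    """First matching element decides; a negated match rejects; no match rejects."""
    for element in acl:
        negated = element.startswith("!")
        if element_matches(element.lstrip("!"), addr):
            return not negated
    return False  # a list with only negated elements can never return True

def select_view(views, src, dst):
    """Return the first view whose match-clients and match-destinations both match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, clients, dests in views:
        if acl_matches(clients, src) and acl_matches(dests, dst):
            return name
    return "REFUSED"  # no view matched the query

# The three views quoted in the thread: (name, match-clients, match-destinations).
SHIPPED = [
    ("localhost_resolver", ["localhost"], ["localhost"]),
    ("internal", ["localnets"], ["localnets"]),
    ("external", ["!localnets", "!localhost"], ["!localnets", "!localhost"]),
]
# The change reported in the reply: match-destinations removed (modelled as any)
# and match-clients on the external view set to any.
FIXED = [
    ("localhost_resolver", ["localhost"], ["any"]),
    ("internal", ["localnets"], ["any"]),
    ("external", ["any"], ["any"]),
]

if __name__ == "__main__":
    for label, views in (("shipped", SHIPPED), ("fixed", FIXED)):
        print(label, "->", select_view(views, "203.0.113.7", "198.51.100.10"))
```

Because views are tried in order, the `any` on the external view only catches clients that the two earlier views did not claim, so internal clients still get the internal view.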