Query denied errors on PTR records for delegated zone
Geoff Sweet
geoff.sweet at wemadeusa.com
Tue Feb 23 00:26:04 UTC 2010
Greetings all,
I have an on-going problem that has totally stumped me. I have a CentOS 5.3 server that I am using the built-in BIND (9.3) to serve our zones. Our ISP has provisioned us a block of IPs and has delegated our name servers as authoritative for the reverse zone info for that block. Name resolution for A records works perfectly. What has me totally baffled at this point is that I cannot get PTR records to work. All queries to my reverse zone are answered with denied errors:
Feb 22 04:10:14 ns1 named[19789]: client 72.247.123.69#52683: query (cache) '14.173.150.66.in-addr.arpa/PTR/IN' denied
Feb 22 05:15:26 ns1 named[19789]: client 72.247.123.69#61264: query (cache) '50.173.150.66.in-addr.arpa/PTR/IN' denied
Feb 22 10:12:03 ns1 named[19789]: client 72.246.192.167#52219: query (cache) '39.173.150.66.in-addr.arpa/PTR/IN' denied
Feb 22 11:05:11 ns1 named[19789]: client 96.17.73.207#61038: query (cache) '24.173.150.66.in-addr.arpa/PTR/IN' denied
Feb 22 11:33:23 ns1 named[19789]: client 72.247.123.69#61049: query (cache) '55.173.150.66.in-addr.arpa/PTR/IN' denied
Feb 22 13:41:45 ns1 named[19789]: client 96.17.166.181#60054: query (cache) '31.173.150.66.in-addr.arpa/PTR/IN' denied
Etc...
I have tried several different attempts to make this work, and the only change that works is to set allow-query { any; }; in the options. However, the problem with that is that it then permits anyone to make any query against my nameservers, and I don't want that. Can anyone here offer me some advice as to what I am doing wrong? For reference, here is my config file:
acl wemadenets { 66.150.173.0/26; };

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; localnets; wemadenets; };
        allow-recursion { wemadenets; };
};

include "/etc/rndc.key";
include "/etc/named.rfc1912.zones";

zone "chaps.co.kr" {
        type master;
        file "masters/chaps.co.kr.zone";
        allow-transfer { 66.150.173.2; };
        allow-query { any; };
        allow-update { none; };
};

zone "digimonbattle.com" {
        type master;
        file "masters/digimonbattle.com.zone";
        allow-transfer { 66.150.173.2; };
        allow-query { any; };
        allow-update { none; };
};

zone "wemade.net" {
        type master;
        file "masters/wemade.net.zone";
        allow-transfer { 66.150.173.2; };
        allow-query { any; };
        allow-update { none; };
};

zone "wemadeusa.com" {
        type master;
        file "masters/wemadeusa.com.zone";
        allow-transfer { 66.150.173.2; };
        allow-query { any; };
        allow-update { none; };
};

zone "0-59.173.150.66.in-addr.arpa" {
        type master;
        file "masters/0-59.173.150.66.in-addr.arpa.zone";
        allow-transfer { 66.150.173.2; };
        allow-query { any; };
        allow-update { none; };
};
And here is the 0-59.173.150.66.in-addr.arpa.zone file (I have deleted some of the name information for security):
$TTL 3600
@       IN  SOA ns1.wemadeusa.com. hostmaster.wemadeusa.com. (
                2010021501 ; serial
                600        ; refresh after 10 minutes
                3600       ; retry after 1 hour
                604800     ; expire after 1 week
                86400 )    ; minimum TTL of 1 day
; The NS targets are fully qualified names, so they need the trailing dot;
; without it named appends the zone origin (0-59.173.150.66.in-addr.arpa)
; and the NS records point at names that do not exist.
        IN  NS  ns1.wemadeusa.com.
        IN  NS  ns2.wemadeusa.com.
1       IN  PTR mail1.wemadeusa.com.
2       IN  PTR mail2.wemadeusa.com.
3       IN  PTR www.wemadeusa.com.
4       IN  PTR download.wemadeusa.com.
5       IN  PTR lostparadise.wemadeusa.com.
{snip}
59      IN  PTR 66.150.173.59.wemadeusa.com.
Thank you!
Geoff Sweet
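A check worth running against the log lines above, added here as an example and not part of the original post or of BIND itself. In BIND, a "query (cache) ... denied" entry means named did not find the queried name inside any zone it is authoritative for, so the zone-level allow-query { any; } never applied and the global allow-query in options decided the answer. The script below takes the zone names from the posted named.conf and the log lines from the post (copied in as constructed sample input), extracts each query name, and reports which configured zone, if any, contains it. The function names, the regular expression and the label-boundary matching are my own assumptions about a reasonable check, not anything the post describes.

```python
"""Map named 'query ... denied' log lines to the zones a server is master for.

Added example; not code from the original post. Zone names and log lines are
copied from the post above. Function names and the log regex are assumptions.
"""
import re

# Zones the posted named.conf declares as master (copied from the post).
AUTHORITATIVE_ZONES = [
    "chaps.co.kr",
    "digimonbattle.com",
    "wemade.net",
    "wemadeusa.com",
    "0-59.173.150.66.in-addr.arpa",
]

# Constructed sample input: three of the log lines quoted in the post.
LOG_LINES = """\
Feb 22 04:10:14 ns1 named[19789]: client 72.247.123.69#52683: query (cache) '14.173.150.66.in-addr.arpa/PTR/IN' denied
Feb 22 05:15:26 ns1 named[19789]: client 72.247.123.69#61264: query (cache) '50.173.150.66.in-addr.arpa/PTR/IN' denied
Feb 22 10:12:03 ns1 named[19789]: client 72.246.192.167#52219: query (cache) '39.173.150.66.in-addr.arpa/PTR/IN' denied
""".splitlines()

# Matches BIND's "client A.B.C.D#port: query [(cache)] 'name/type/class' denied".
# The "(cache)" tag is optional so authoritative denials (no tag) parse too.
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query "
    r"(?:\((?P<kind>\w+)\) )?'(?P<qname>[^/']+)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied"
)


def parse_denied(line):
    """Return the fields of a denied-query log line, or None if it is not one."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    return {
        "client": m.group("client"),
        "kind": m.group("kind") or "auth",   # "cache" when named treated it as non-authoritative
        "qname": m.group("qname").rstrip(".").lower(),
        "qtype": m.group("qtype"),
        "qclass": m.group("qclass"),
    }


def zone_for(qname, zones):
    """Longest configured zone that contains qname, matching on label boundaries.

    'www.wemadeusa.com' is in 'wemadeusa.com'; 'notwemadeusa.com' is not.
    Returns None when no authoritative zone contains the name.
    """
    name = qname.rstrip(".").lower()
    best = None
    for zone in zones:
        z = zone.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def classify(lines, zones):
    """Parse every denied-query line and attach the zone (or None) that holds its qname."""
    results = []
    for line in lines:
        q = parse_denied(line)
        if q is None:
            continue
        q["zone"] = zone_for(q["qname"], zones)
        results.append(q)
    return results


def report(lines, zones):
    """Human-readable summary, one line per denied query."""
    out = []
    for q in classify(lines, zones):
        where = q["zone"] or "NOT IN ANY AUTHORITATIVE ZONE (global allow-query decides)"
        out.append(f"{q['client']:<16} {q['qtype']:<4} {q['qname']:<34} -> {where}")
    return out


if __name__ == "__main__":
    print("\n".join(report(LOG_LINES, AUTHORITATIVE_ZONES)))
    # The names the clients ask for vs. the name the server is configured with:
    print(zone_for("14.173.150.66.in-addr.arpa", AUTHORITATIVE_ZONES))       # None
    print(zone_for("14.0-59.173.150.66.in-addr.arpa", AUTHORITATIVE_ZONES))  # 0-59.173.150.66.in-addr.arpa
```

Run against the posted lines, every query lands in the "not in any authoritative zone" bucket: the clients ask for 14.173.150.66.in-addr.arpa, while the only reverse zone on the server is the RFC 2317-style 0-59.173.150.66.in-addr.arpa, which contains 14.0-59.173.150.66.in-addr.arpa but not 14.173.150.66.in-addr.arpa. That gap is what the script surfaces; it does not tell you which side is wrong. Confirming how the parent 173.150.66.in-addr.arpa is actually delegated (a plain NS delegation of the /24 versus per-address CNAMEs into the 0-59 zone) needs a live dig at the parent's name servers, which this offline check deliberately does not do.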