Query denied errors on PTR records for delegated zone

Geoff Sweet geoff.sweet at wemadeusa.com
Tue Feb 23 00:26:04 UTC 2010


Greetings all, 
I have an ongoing problem that has totally stumped me.  I have a CentOS 5.3 server on which I am using the built-in BIND (9.3) to serve our zones.  Our ISP has provisioned us a block of IPs and has delegated our name servers as authoritative for the reverse zone info for that block.  Name resolution for A records works perfectly.  What has me totally baffled at this point is that I cannot get PTR records to work. All queries to my reverse zone are answered with denied errors:

Feb 22 04:10:14 ns1 named[19789]: client 72.247.123.69#52683: query (cache) '14.173.150.66.in-addr.arpa/PTR/IN' denied
Feb 22 05:15:26 ns1 named[19789]: client 72.247.123.69#61264: query (cache) '50.173.150.66.in-addr.arpa/PTR/IN' denied
Feb 22 10:12:03 ns1 named[19789]: client 72.246.192.167#52219: query (cache) '39.173.150.66.in-addr.arpa/PTR/IN' denied
Feb 22 11:05:11 ns1 named[19789]: client 96.17.73.207#61038: query (cache) '24.173.150.66.in-addr.arpa/PTR/IN' denied
Feb 22 11:33:23 ns1 named[19789]: client 72.247.123.69#61049: query (cache) '55.173.150.66.in-addr.arpa/PTR/IN' denied
Feb 22 13:41:45 ns1 named[19789]: client 96.17.166.181#60054: query (cache) '31.173.150.66.in-addr.arpa/PTR/IN' denied

Etc.

I have tried several different attempts to make this work, and the only change that works is to set allow-query { any; }; in the options section.  However, the problem with that is that it then permits anyone to make any query against my name servers, and I don't want that.  Can anyone here offer me some advice as to what I am doing wrong?  For reference, here is my config file:

acl wemadenets { 66.150.173.0/26; };

options {
        directory               "/var/named";
        dump-file               "/var/named/data/cache_dump.db";
        statistics-file         "/var/named/data/named_stats.txt";
        memstatistics-file      "/var/named/data/named_mem_stats.txt";
        allow-query             { localhost; localnets; wemadenets; };
        allow-recursion         { wemadenets; };
};

include "/etc/rndc.key";
include "/etc/named.rfc1912.zones";

zone "chaps.co.kr" {
        type master;
        file "masters/chaps.co.kr.zone";
        allow-transfer { 66.150.173.2; };
        allow-query { any; };
        allow-update { none; };
};

zone "digimonbattle.com" {
        type master;
        file "masters/digimonbattle.com.zone";
        allow-transfer { 66.150.173.2; };
        allow-query { any; };
        allow-update { none; };
};

zone "wemade.net" {
        type master;
        file "masters/wemade.net.zone";
        allow-transfer { 66.150.173.2; };
        allow-query { any; };
        allow-update { none; };
};

zone "wemadeusa.com" {
        type master;
        file "masters/wemadeusa.com.zone";
        allow-transfer { 66.150.173.2; };
        allow-query { any; };
        allow-update { none; };
};

zone "0-59.173.150.66.in-addr.arpa" {
        type master;
        file "masters/0-59.173.150.66.in-addr.arpa.zone";
        allow-transfer { 66.150.173.2; };
        allow-query { any; };
        allow-update { none; };
};


And here is the 0-59.173.150.66.in-addr.arpa.zone file (I have deleted some of the name information for security):


$TTL 3600
@                       IN      SOA     ns1.wemadeusa.com.      hostmaster.wemadeusa.com. (
                                        2010021501 ; serial
                                        600             ; refresh after 10 minutes
                                        3600            ; retry after 1 hour
                                        604800          ; expire after 1 week
                                        86400 )         ; minimum TTL of 1 day

                        IN      NS      ns1.wemadeusa.com.      ; trailing dot: fully qualified, otherwise the name is expanded relative to the zone origin
                        IN      NS      ns2.wemadeusa.com.

1                       IN      PTR     mail1.wemadeusa.com.
2                       IN      PTR     mail2.wemadeusa.com.
3                       IN      PTR     www.wemadeusa.com.
4                       IN      PTR     download.wemadeusa.com.
5                       IN      PTR     lostparadise.wemadeusa.com.
{snip}
59                      IN      PTR     66.150.173.59.wemadeusa.com.

Thank you!
Geoff Sweet
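Added example (not part of the original post, and not the poster's or ISC's code): a small Python triage script that parses the denied-query lines quoted above and checks each queried name against the zones declared in the posted named.conf. The "(cache)" in BIND's log message marks a query for a name that falls outside every zone the server is authoritative for; such a query is governed by the global allow-query in options, not by any zone's allow-query, which is why only allow-query { any; } in options made the denials stop. The logged names, such as 14.173.150.66.in-addr.arpa, sit under 173.150.66.in-addr.arpa, not under the configured 0-59.173.150.66.in-addr.arpa zone. That zone name is the RFC 2317 form, in which the holder of the /24 reverse zone is expected to publish a CNAME from each classic PTR owner name to the matching name inside the delegated range, so resolvers end up asking ns1 for 14.0-59.173.150.66.in-addr.arpa rather than 14.173.150.66.in-addr.arpa. The script reports, for each denied name, whether any configured zone covers it and what its RFC 2317 name inside the 0-59 zone would be. The sample log lines are copied from the post, the zone list is taken from the posted named.conf, and the function names are my own.

```python
import re

# Constructed sample input: the first three denied-query lines quoted in the post, verbatim.
LOG_LINES = [
    "Feb 22 04:10:14 ns1 named[19789]: client 72.247.123.69#52683: query (cache) '14.173.150.66.in-addr.arpa/PTR/IN' denied",
    "Feb 22 05:15:26 ns1 named[19789]: client 72.247.123.69#61264: query (cache) '50.173.150.66.in-addr.arpa/PTR/IN' denied",
    "Feb 22 10:12:03 ns1 named[19789]: client 72.246.192.167#52219: query (cache) '39.173.150.66.in-addr.arpa/PTR/IN' denied",
]

# Zones the posted named.conf declares as "type master" (the server is authoritative only for these).
ZONES = [
    "chaps.co.kr",
    "digimonbattle.com",
    "wemade.net",
    "wemadeusa.com",
    "0-59.173.150.66.in-addr.arpa",
]

# Shape of BIND's "query ... denied" message: client addr#port, scope in parentheses, then name/type/class.
DENIED_RE = re.compile(
    r"client (?P<client>\S+): query \((?P<scope>[^)]*)\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied"
)

# RFC 2317 zone apex: "<lo>-<hi>.<parent reverse zone>", e.g. 0-59.173.150.66.in-addr.arpa
RFC2317_RE = re.compile(r"^(\d+)-(\d+)\.((?:\d+\.){1,3}in-addr\.arpa)$")


def parse_denied(line):
    """Return the fields of a 'query ... denied' log line as a dict, or None if the line is something else."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def labels(name):
    """Split a domain name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def authoritative_zone(qname, zones):
    """Return the longest configured zone that contains qname (the apex itself counts), else None.

    A name with no covering zone is exactly what BIND logs as a '(cache)' query: it is not
    answered from zone data, so the global allow-query in options decides whether it is served.
    """
    q = labels(qname)
    best = None
    for zone in zones:
        z = labels(zone)
        if len(z) <= len(q) and q[len(q) - len(z):] == z:
            if best is None or len(z) > len(labels(best)):
                best = zone
    return best


def rfc2317_name(qname, zone):
    """Map a classic PTR owner name onto its RFC 2317 name inside `zone`.

    14.173.150.66.in-addr.arpa with zone 0-59.173.150.66.in-addr.arpa gives
    14.0-59.173.150.66.in-addr.arpa; returns None if zone is not an RFC 2317 zone
    or qname is not an address within the zone's <lo>-<hi> range.
    """
    m = RFC2317_RE.match(zone.rstrip(".").lower())
    if not m:
        return None
    lo, hi, parent = int(m.group(1)), int(m.group(2)), m.group(3)
    q = qname.rstrip(".").lower()
    if not q.endswith("." + parent):
        return None
    head = q[: -len(parent) - 1]          # the leading label(s) before the parent zone
    if not head.isdigit() or not (lo <= int(head) <= hi):
        return None
    return f"{int(head)}.{zone.rstrip('.')}"


def triage(line, zones):
    """Explain one denied query: which zone (if any) covers it, and the RFC 2317 name it should have arrived as."""
    rec = parse_denied(line)
    if rec is None:
        return None
    rec["zone"] = authoritative_zone(rec["qname"], zones)
    rec["rfc2317_target"] = None
    if rec["zone"] is None:
        for z in zones:
            target = rfc2317_name(rec["qname"], z)
            if target:
                rec["rfc2317_target"] = target
                break
    return rec


if __name__ == "__main__":
    for line in LOG_LINES:
        r = triage(line, ZONES)
        print(f"{r['qname']}: covered by {r['zone'] or 'no configured zone (cache query)'}; "
              f"RFC 2317 name would be {r['rfc2317_target']}")
```

Run against the three quoted lines, every name comes back as covered by no configured zone, with an RFC 2317 target inside the 0-59 zone. That pattern points at the delegation in the parent 173.150.66.in-addr.arpa zone (which the ISP operates) rather than at this server's allow-query: if resolvers were following RFC 2317 CNAMEs they would be asking for the 0-59 names, which the posted zone statement already serves with allow-query { any; }.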



More information about the bind-users mailing list