Query denied errors on PTR records for delegated zone

Matus UHLAR - fantomas uhlar at fantomas.sk
Tue Feb 23 14:32:56 UTC 2010


On 23.02.10 08:47, Lightner, Jeff wrote:
> I'm running 9.3 on RHEL 5.4.  
> 
> My options are:
> 
> options {
>         directory "/var/named";
>         query-source address 10.0.0.3;
>         allow-query { internaldns; externaldns; dswadnsalias; };
>         allow-recursion { internaldns; externaldns; };
>         blackhole { blackhats; };
>         version none;
> };
> 
> In each of my zones including arpa zones I have
> 
> allow-query { any; };
> 
> This works fine for blocking recursion for sites such as google from
> outside my network yet still allowing lookups of my zones from outside
> and sounds like what the OP says he is intending to do.  

BIND 9.4 and later can do all that by simply allowing recursion for your
ranges. Yes, for 9.3 you may need to do this stuff to prevent others from
accessing your cache (it still blocked recursion!)

> I did run into some oddities in setting up arpa zones to be able to
> query them inside my network and outside my network so I have things
> like:
> 
> # Special notation required for internet delegation (e.g. dig -x ...)
> #
> zone "192/27.84.44.12.IN-ADDR.ARPA" {
>         type master;
>         file "arpa.12.44.84";
>         allow-query { any; };
> };
> 
> # Standard notation required for direct lookups (e.g. dig @dswands1 -x ...)
> #
> zone "84.44.12.IN-ADDR.ARPA" {
>         type master;
>         file "arpa.12.44.84";
>         allow-query { any; };
> };

You should rather ask your ISP to allow transferring the real, public
84.44.12.IN-ADDR.ARPA. Using the above, you can't access reverse names for
IPs within your /24 that are outside your /27.

> Note this is not the difference in views but difference in how I get to
> the server.   I later implemented views which probably obviated the
> above since I'd only see one or the other depending on where I came
> from.  However, I note it as originally I was pulling my hair out trying
> to figure out why digs directly to my DNS server via the internal facing
> interface wouldn't resolve like the ones on the external facing
> interface.

Mostly because you provide a fake version of 84.44.12.IN-ADDR.ARPA.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
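The following is an added illustration, not code from the thread or from BIND. It models the two reverse zones Jeff quoted (the RFC 2317-style "192/27.84.44.12.IN-ADDR.ARPA" sub-zone and the private copy of "84.44.12.IN-ADDR.ARPA") as plain dictionaries and resolves PTR names through them the way a resolver would, following the CNAMEs the ISP's real parent zone would carry. The host names, the other customer's address 12.44.84.10 and the ISP records are constructed for the example; only the 12.44.84.192/27 block comes from the post. It shows Matus's point concretely: from the Internet every address in the /24 resolves, but against the server's private copy of the parent zone anything outside the /27 is NXDOMAIN.

```python
import ipaddress

# Constructed example data; only the /27 itself appears in the original thread.
DELEGATED = ipaddress.ip_network("12.44.84.192/27")
HOSTS = {"12.44.84.193": "gw.example.net.", "12.44.84.200": "www.example.net."}
ISP_OTHER = {"12.44.84.10": "other-customer.example.org."}  # rest of the ISP's /24
PARENT = "84.44.12.in-addr.arpa."


def standard_ptr_owner(ip):
    """Classic owner name: 12.44.84.200 -> '200.84.44.12.in-addr.arpa.'"""
    return ipaddress.ip_address(str(ip)).reverse_pointer + "."


def sub_zone_name(net=DELEGATED):
    """RFC 2317 sub-zone name for a classless block: '192/27.84.44.12.in-addr.arpa.'"""
    o = str(net.network_address).split(".")
    return f"{o[3]}/{net.prefixlen}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."


def classless_ptr_owner(ip, net=DELEGATED):
    """Owner name inside the sub-zone: 12.44.84.200 -> '200.192/27.84.44.12.in-addr.arpa.'"""
    addr = ipaddress.ip_address(str(ip))
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    return f"{addr.packed[3]}.{sub_zone_name(net)}"


def build_sub_zone(hosts, net=DELEGATED):
    """PTR records the customer serves in its own 192/27 sub-zone."""
    return {classless_ptr_owner(ip, net): ("PTR", name) for ip, name in hosts.items()}


def build_isp_parent(net=DELEGATED, other=None):
    """The real parent zone as the ISP should publish it: one CNAME per address
    of the /27 pointing into the customer's sub-zone, plus the ISP's own PTRs."""
    zone = {standard_ptr_owner(a): ("CNAME", classless_ptr_owner(a, net)) for a in net}
    for ip, name in (other or {}).items():
        zone[standard_ptr_owner(ip)] = ("PTR", name)
    return zone


def build_fake_parent(hosts):
    """What the poster's second zone stanza serves: a private copy of the
    parent zone that only knows the /27's own addresses."""
    return {standard_ptr_owner(ip): ("PTR", name) for ip, name in hosts.items()}


def _zone_for(owner, zones):
    # Longest matching zone suffix wins, as in normal DNS zone selection.
    cands = [z for z in zones if owner == z or owner.endswith("." + z)]
    return max(cands, key=len) if cands else None


def resolve_ptr(ip, zones, max_chase=4):
    """Resolve the PTR for ip across authoritative zones (name -> records),
    chasing CNAMEs. Returns the target name or 'NXDOMAIN'."""
    owner = standard_ptr_owner(ip)
    for _ in range(max_chase):
        zone = _zone_for(owner, zones)
        rr = zones[zone].get(owner) if zone else None
        if rr is None:
            return "NXDOMAIN"
        rtype, rdata = rr
        if rtype == "PTR":
            return rdata
        owner = rdata  # CNAME into the sub-zone; look the new name up
    return "SERVFAIL"  # CNAME loop or chain too long


def internet_view():
    """Zones a resolver on the Internet would reach: ISP parent + customer sub-zone."""
    return {PARENT: build_isp_parent(other=ISP_OTHER), sub_zone_name(): build_sub_zone(HOSTS)}


def poster_server_view():
    """Zones seen when asking the poster's server directly: fake parent + sub-zone."""
    return {PARENT: build_fake_parent(HOSTS), sub_zone_name(): build_sub_zone(HOSTS)}


if __name__ == "__main__":
    for label, zones in (("internet", internet_view()), ("poster's server", poster_server_view())):
        for ip in ("12.44.84.200", "12.44.84.10"):
            print(f"{label:16} {ip:14} -> {resolve_ptr(ip, zones)}")
```

Run as a script it prints the four lookups; 12.44.84.10 answers from the ISP's parent zone on the Internet but returns NXDOMAIN from the private copy, which is exactly why asking the ISP for a zone transfer of the real parent zone (or simply not serving a copy of it) is the better fix.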



More information about the bind-users mailing list