query (cache) 'domain.com/AAAA/IN' denied

Lyle Giese lyle at lcrcomputer.net
Thu Oct 11 01:17:17 UTC 2012


On 10/10/12 20:01, kalin wrote:
>
> hi all...
>
> # uname -a
> NetBSD ns2..... 5.1 NetBSD 5.1 .... ...
>
> # named -v
> BIND 9.5.2-P2
>
> i get these in the log:
>
> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#19443: query (cache) 'domain.net/AAAA/IN' denied
> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29333: query (cache) 'domain.net/A/IN' denied
> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20710: query (cache) 'www.domain.org/A/IN' denied
> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20122: query (cache) 'domain.net/AAAA/IN' denied
> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#17725: query (cache) 'domain.net/A/IN' denied
> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29894: query (cache) 'www.domain.org/A/IN' denied
> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#47730: query (cache) 'www.domain.org/A/IN' denied
> Oct 10 16:15:09 ns2 named[29914]: client 38.112.17.138#36976: query (cache) 'domain.org/A/IN' denied
> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#43827: query (cache) 'domain.org/A/IN' denied
>
> .........................................
>
>
> all the domain.net, .org, .com above exist. if i do a dig off a local 
> machine they resolve fine. if the dig is out of this network i get a 
> log entry as above.
>
> at this point the named.conf has:
>
> options {
>         version         "ha-ha-ha";
>         directory       "/etc/namedb";
>         pid-file        "/var/run/named/pid";
>         dump-file       "/var/dump/named_dump.db";
>         statistics-file "/var/stats/named.stats";
>
>
>         allow-query-cache { any; };
>         allow-query { any; };
>         recursion no;
>
>
>         allow-transfer  {
>                                 127.0.0.1;
>                         };
>
>       };
>
>
> i'm not sure where to look next....   this machine is on a verizon 
> fios if that really makes any difference...
>
>
> where should i look?
>
>
> thanks....
These are queries that require recursion and you have that turned off.
If you don't want a publicly abused DNS server, turn recursion on and
restrict recursion to your LAN addresses (allow-recursion).

Lyle Giese
LCR Computer Services, Inc.
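
The setup the reply describes, written out as a named.conf fragment. This is an added example, not part of the original post; the ACL name "lan" and the 192.168.1.0/24 range are assumptions to replace with your own values.

```conf
// Added example, not from the original thread.
// The ACL name and the address range below are assumptions.
acl "lan" {
        127.0.0.1;
        192.168.1.0/24;         // assumed LAN range, replace with your own
};

options {
        directory       "/etc/namedb";

        // Authoritative answers for zones hosted on this server
        // remain available to everyone.
        allow-query       { any; };

        // Recursion is on, but only clients matching the ACL may
        // recurse or read cached answers, so the server cannot be
        // used as an open resolver from outside.
        recursion         yes;
        allow-recursion   { "lan"; };
        allow-query-cache { "lan"; };

        allow-transfer    { 127.0.0.1; };
};
```

With this in place, a client outside the ACL that asks for a name the server is not authoritative for is still refused and logged as "query (cache) ... denied". Run named-checkconf on the file before reloading named.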



