query (cache) 'domain.com/AAAA/IN' denied

Lyle Giese lyle at lcrcomputer.net
Thu Oct 11 02:17:04 UTC 2012


On 10/10/12 20:52, kalin wrote:
>
> On 10/10/12 9:41 PM, Árni Birgisson wrote:
>> You have all those allow-*, but in your previous email you have
>> "recursion no;" which you would have to change to "recursion yes;".
>>
>> When you have done this, make sure to restrict it with the 
>> allow-recursion
>> so you do not have an open resolver.
>
> thanks to you too....  but same result.
>
>
> options {
>         version         "";
>         directory       "/etc/namedb";
>         pid-file        "/var/run/named/pid";
>         dump-file       "/var/dump/named_dump.db";
>         statistics-file "/var/stats/named.stats";
>
>         allow-query-cache { any; };
>         allow-query { any; };
>         recursion yes;
>         // allow-recursion { any; }
>
>
>         allow-transfer  {
>                                 127.0.0.1;
>                         };
>
>         };
>
>
> # dig @ns2.....  domain.com
>
> ; <<>> DiG 9.4.2 <<>> @ns2....  domain.com
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55754
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;domain.com.        IN    A
>
> ;; Query t........
>
> i actually have another machine that has bind 9.4.2 and it works as 
> desired without all these options. both machines are meant to be 
> authoritative for domain.com...
>
>
> anything else i can try?
>
> thanks...
>
>>
>> -- Arni
>>
>>
>> ----- Original Message -----
>> From: "kalin" <kalin at el.net>
>> To: "Lyle Giese" <lyle at lcrcomputer.net>
>> Cc: bind-users at lists.isc.org
>> Sent: Thursday, October 11, 2012 1:34:24 AM
>> Subject: Re: query (cache) 'domain.com/AAAA/IN' denied
>>
>>
>>
>> On 10/10/12 9:17 PM, Lyle Giese wrote:
>>> On 10/10/12 20:01, kalin wrote:
>>>>
>>>> hi all...
>>>>
>>>> # uname -a
>>>> NetBSD ns2..... 5.1 NetBSD 5.1 .... ...
>>>>
>>>> # named -v
>>>> BIND 9.5.2-P2
>>>>
>>>> i get these in the log:
>>>>
>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#19443: query
>>>> (cache) 'domain.net/AAAA/IN' denied
>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29333: query
>>>> (cache) 'domain.net/A/IN' denied
>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20710: query
>>>> (cache) 'www.domain.org/A/IN' denied
>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20122: query
>>>> (cache) 'domain.net/AAAA/IN' denied
>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#17725: query
>>>> (cache) 'domain.net/A/IN' denied
>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29894: query
>>>> (cache) 'www.domain.org/A/IN' denied
>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#47730: query
>>>> (cache) 'www.domain.org/A/IN' denied
>>>> Oct 10 16:15:09 ns2 named[29914]: client 38.112.17.138#36976: query
>>>> (cache) 'domain.org/A/IN' denied
>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#43827: query
>>>> (cache) 'domain.org/A/IN' denied
>>>>
>>>> .........................................
>>>>
>>>>
>>>> all the domain.net, .org, .com above exist. if i do a dig off a local
>>>> machine they resolve fine. if the dig is out of this network i get a
>>>> log entry as above.
>>>>
>>>> at this point the named.conf has:
>>>>
>>>> options {
>>>>          version         "ha-ha-ha";
>>>>          directory       "/etc/namedb";
>>>>          pid-file        "/var/run/named/pid";
>>>>          dump-file       "/var/dump/named_dump.db";
>>>>          statistics-file "/var/stats/named.stats";
>>>>
>>>>
>>>>          allow-query-cache { any; };
>>>>          allow-query { any; };
>>>>          recursion no;
>>>>
>>>>
>>>>          allow-transfer  {
>>>>                                  127.0.0.1;
>>>>                          };
>>>>
>>>>        };
>>>>
>>>>
>>>> i'm not sure where to look next....   this machine is on a verizon
>>>> fios if that really makes any difference...
>>>>
>>>>
>>>> where should i look?
>>>>
>>>>
>>>> thanks....
>>> These are queries that require recursion and you have that turned off.
>>> If you don't want a publicly abused dns server, turn recursion on and
>>> restrict recursion to your LAN addresses(Allow-recursion).
>>
>> thanks..  but not good.
>>
>> now i have:
>>
>>          allow-query-cache { any; };
>>           allow-query { any; };
>>           allow-recursion { any; }
>>
>> and still those logs. a dig from the outside gets "refused"...
>>
>>> Lyle Giese
>>> LCR Computer Services, Inc.
>>>
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>> unsubscribe from this list
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
Maybe silly question, but after you changed your named.conf, did you 
restart named?

Are there any other named.conf files on your system?  (Your named may be 
reading a different named.conf than the one you are editing.)

Lyle Giese
LCR Computer Services, Inc.
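As an added example (not the poster's configuration or any BIND code), a Python script that parses the "query (cache) ... denied" log lines shown in this thread, counts denials per client, and flags names that fall under zones the operator expects the server to be authoritative for. The sample log lines, client IPs and zone names are constructed; the authoritative zone list is an assumed input.

```python
import re
from collections import Counter

# Constructed sample log lines in the format the thread shows; IPs and names are
# documentation placeholders, not the poster's actual clients or zones.
SAMPLE_LOG = """\
Oct 10 16:15:09 ns2 named[29914]: client 192.0.2.10#19443: query (cache) 'example.net/AAAA/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 192.0.2.10#29333: query (cache) 'example.net/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 192.0.2.10#20710: query (cache) 'www.example.org/A/IN' denied
Oct 10 16:15:10 ns2 named[29914]: client 198.51.100.7#36976: query (cache) 'other.test/A/IN' denied
Oct 10 16:15:10 ns2 named[29914]: client 198.51.100.7#36977: query (cache) 'example.com/MX/IN' denied
Oct 10 16:15:11 ns2 named[29914]: zone example.com/IN: loaded serial 2012101001
"""

DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query \(cache\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
)

def parse_denied(log_text):
    """Yield one dict per 'query (cache) ... denied' line; unrelated lines are skipped."""
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            yield m.groupdict()

def in_zone(qname, zone):
    """True if qname equals zone or lies below it (case- and trailing-dot-insensitive)."""
    q, z = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)

def summarize(log_text, authoritative_zones):
    """Aggregate cache denials per client and flag names under zones this server
    is supposed to serve authoritatively.

    A '(cache)' denial means named found no authoritative data for the name and
    then refused to consult its cache or recurse. For a zone the operator believes
    is loaded, such an entry indicates the running named is not serving that zone
    (for example it read a different named.conf, or the zone failed to load).
    """
    entries = list(parse_denied(log_text))
    by_client = Counter(e["ip"] for e in entries)
    flagged = sorted({e["qname"] for e in entries
                      if any(in_zone(e["qname"], z) for z in authoritative_zones)})
    return {"total": len(entries), "by_client": by_client,
            "expected_authoritative": flagged}
```

Run `summarize(open("/var/log/messages").read(), ["yourzone.example"])` against a real log to see which supposedly authoritative names are being answered from the (denied) cache path instead of zone data.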