query (cache) 'domain.com/AAAA/IN' denied

kalin kalin at el.net
Thu Oct 11 02:22:09 UTC 2012





On 10/10/12 10:17 PM, Lyle Giese wrote:
> On 10/10/12 20:52, kalin wrote:
>>
>> On 10/10/12 9:41 PM, Árni Birgisson wrote:
>>> You have all those allow-*, but in your previous email you have
>>> "recursion no;" which you would have to change to "recursion yes;".
>>>
>>> When you have done this, make sure to restrict it with the
>>> allow-recursion
>>> so you do not have an open resolver.
>>
>> thanks to you too....  but same result.
>>
>>
>> options {
>>         version         "";
>>         directory       "/etc/namedb";
>>         pid-file        "/var/run/named/pid";
>>         dump-file       "/var/dump/named_dump.db";
>>         statistics-file "/var/stats/named.stats";
>>
>>         allow-query-cache { any; };
>>         allow-query { any; };
>>         recursion yes;
>>         // allow-recursion { any; }
>>
>>
>>         allow-transfer  {
>>                                 127.0.0.1;
>>                         };
>>
>>         };
>>
>>
>> # dig @ns2.....  domain.com
>>
>> ; <<>> DiG 9.4.2 <<>> @ns2....  domain.com
>> ; (1 server found)
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55754
>> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;domain.com.        IN    A
>>
>> ;; Query t........
>>
>> i actually have another machine that has bind 9.4.2 and it works as
>> desired without all these options. both machines are meant to be
>> authoritative for domain.com...
>>
>>
>> anything else i can try?
>>
>> thanks...
>>
>>
>>
>>>
>>> -- Arni
>>>
>>>
>>> ----- Original Message -----
>>> From: "kalin" <kalin at el.net>
>>> To: "Lyle Giese" <lyle at lcrcomputer.net>
>>> Cc: bind-users at lists.isc.org
>>> Sent: Thursday, October 11, 2012 1:34:24 AM
>>> Subject: Re: query (cache) 'domain.com/AAAA/IN' denied
>>>
>>>
>>>
>>> On 10/10/12 9:17 PM, Lyle Giese wrote:
>>>> On 10/10/12 20:01, kalin wrote:
>>>>>
>>>>> hi all...
>>>>>
>>>>> # uname -a
>>>>> NetBSD ns2..... 5.1 NetBSD 5.1 .... ...
>>>>>
>>>>> # named -v
>>>>> BIND 9.5.2-P2
>>>>>
>>>>> i get these in the log:
>>>>>
>>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#19443: query (cache) 'domain.net/AAAA/IN' denied
>>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29333: query (cache) 'domain.net/A/IN' denied
>>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20710: query (cache) 'www.domain.org/A/IN' denied
>>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20122: query (cache) 'domain.net/AAAA/IN' denied
>>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#17725: query (cache) 'domain.net/A/IN' denied
>>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29894: query (cache) 'www.domain.org/A/IN' denied
>>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#47730: query (cache) 'www.domain.org/A/IN' denied
>>>>> Oct 10 16:15:09 ns2 named[29914]: client 38.112.17.138#36976: query (cache) 'domain.org/A/IN' denied
>>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#43827: query (cache) 'domain.org/A/IN' denied
>>>>>
>>>>> .........................................
>>>>>
>>>>>
>>>>> all the domain.net, .org, .com above exist. if i do a dig off a local
>>>>> machine they resolve fine. if the dig is out of this network i get a
>>>>> log entry as above.
>>>>>
>>>>> at this point the named.conf has:
>>>>>
>>>>> options {
>>>>>          version         "ha-ha-ha";
>>>>>          directory       "/etc/namedb";
>>>>>          pid-file        "/var/run/named/pid";
>>>>>          dump-file       "/var/dump/named_dump.db";
>>>>>          statistics-file "/var/stats/named.stats";
>>>>>
>>>>>
>>>>>          allow-query-cache { any; };
>>>>>          allow-query { any; };
>>>>>          recursion no;
>>>>>
>>>>>
>>>>>          allow-transfer  {
>>>>>                                  127.0.0.1;
>>>>>                          };
>>>>>
>>>>>        };
>>>>>
>>>>>
>>>>> i'm not sure where to look next....   this machine is on a verizon
>>>>> fios if that really makes any difference...
>>>>>
>>>>>
>>>>> where should i look?
>>>>>
>>>>>
>>>>> thanks....
>>>> These are queries that require recursion and you have that turned off.
>>>> If you don't want a publicly abused dns server, turn recursion on and
>>>> restrict recursion to your LAN addresses(Allow-recursion).
>>>
>>> thanks..  but not good.
>>>
>>> now i have:
>>>
>>>          allow-query-cache { any; };
>>>          allow-query { any; };
>>>          allow-recursion { any; };
>>>
>>> and still those logs. a dig from the outside gets "refused"...
>>>
>>>
>>>
>>>
>>>
>>>
>>>> Lyle Giese
>>>> LCR Computer Services, Inc.
>>>>
>>>> _______________________________________________
>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>>> unsubscribe from this list
>>>>
>>>> bind-users mailing list
>>>> bind-users at lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
> Maybe silly question, but after you changed your named.conf, did you
> restart named?

yea. via /etc/rc.d/named stop|start, checked with ps that it is not really
running.


> Are there any other named.conf on your system?  (your named may be
> reading a different named.conf other than the one you are editing.)

if i add a zone record to the named.conf i'm editing and do a dig on it, 
locally i get it fine:

$ dig @ns2..... domain.com

; <<>> DiG 9.8.1-P1 <<>> @ns2..... domain.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52275
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
.....................



> Lyle Giese
> LCR Computer Services, Inc.
>
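Two things in this thread are worth checking mechanically rather than by eye: whether an options{} block such as the one quoted above (recursion yes; plus allow-recursion { any; }) turns an authoritative server into an open resolver, and whether the "query (cache) ... denied" lines are for names the server is actually supposed to serve. An authoritative answer never goes through the cache path, so a denied cache lookup for a name inside one of your own zones means that zone is not loaded in the named that is running, which is exactly what the "is there another named.conf?" question is probing; the lines for foreign names are the server correctly refusing recursion. The script below is an added example, not code from the thread or from ISC. The two config texts, the "lan" ACL with 192.0.2.0/24, the served-zone list and the log lines (RFC 5737 addresses in place of the real clients) are constructed for the demo, and the parser is a small regex, not a named.conf grammar; the fallback chain it implements for allow-recursion (allow-query-cache, then allow-query, then localnets/localhost) is the BIND 9 documented default.

```python
"""Offline triage for the two questions in the thread above: does an
options{} block amount to an open resolver, and which of the
"query (cache) '...' denied" lines are for names this server is supposed
to serve authoritatively?  Added example, not code from the thread; the
config text, zone list and log lines below are constructed for the demo."""
import re
from collections import Counter

# Constructed: the poster's second options{} block, semicolon added.
WEAK_CONF = """
options {
        allow-query-cache { any; };
        allow-query { any; };
        recursion yes;
        allow-recursion { any; };
};
"""

# Constructed: serve authoritative data to everyone, recurse only for the LAN.
HARDENED_CONF = """
acl "lan" { 127.0.0.1; 192.0.2.0/24; };   // assumed LAN range
options {
        allow-query { any; };             // authoritative answers for anyone
        recursion yes;
        allow-recursion { lan; };         // only the LAN may recurse
        allow-query-cache { lan; };       // only the LAN may read the cache
};
"""


def parse_options(conf):
    """Pull 'recursion' and the allow-* ACL bodies out of an options block.
    A deliberately small regex parser, not a full named.conf grammar."""
    text = re.sub(r'(//|#)[^\n]*', '', conf)  # strip comments
    opts = {}
    m = re.search(r'\brecursion\s+(yes|no)\s*;', text)
    opts['recursion'] = m.group(1) if m else None
    for acl in ('allow-query', 'allow-query-cache', 'allow-recursion'):
        m = re.search(r'\b' + acl + r'\s*\{([^}]*)\}\s*;', text)
        opts[acl] = ([t.strip() for t in m.group(1).split(';') if t.strip()]
                     if m else None)
    return opts


def effective_recursion_acl(opts):
    """BIND 9 fallback chain when allow-recursion is absent: allow-query-cache,
    then allow-query, then the built-in { localnets; localhost; }."""
    return (opts['allow-recursion'] or opts['allow-query-cache']
            or opts['allow-query'] or ['localnets', 'localhost'])


def is_open_resolver(opts):
    """Recursion is on by default in BIND, so a missing 'recursion' counts as yes."""
    return ((opts['recursion'] or 'yes') == 'yes'
            and 'any' in effective_recursion_acl(opts))


LOG_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
                    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>\w+)/IN' denied")


def in_served_zone(qname, zones):
    q = qname.rstrip('.').lower()
    return any(q == z or q.endswith('.' + z)
               for z in (z.rstrip('.').lower() for z in zones))


def triage(log_lines, served_zones):
    """Split denied cache lookups into names under a zone we claim to serve
    (an authoritative answer never touches the cache, so these mean the zone
    is not actually loaded in the running named) and names for which a
    refusal is the correct behaviour of a non-recursive server."""
    ours, foreign = Counter(), Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        bucket = ours if in_served_zone(m['qname'], served_zones) else foreign
        bucket[(m['ip'], m['qname'])] += 1
    return ours, foreign


# Constructed log lines in the thread's format; RFC 5737 addresses, not the
# real clients from the post.
SAMPLE_LOG = """\
Oct 10 16:15:09 ns2 named[29914]: client 192.0.2.10#19443: query (cache) 'domain.net/AAAA/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 192.0.2.10#29333: query (cache) 'domain.net/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 192.0.2.10#20710: query (cache) 'www.domain.org/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client 198.51.100.7#36976: query (cache) 'www.domain.com/A/IN' denied
Oct 10 16:15:10 ns2 named[29914]: client 198.51.100.7#36977: query (cache) 'example.org/MX/IN' denied
""".splitlines()
SERVED_ZONES = ['domain.com']  # assumed: the only zone declared in named.conf

if __name__ == '__main__':
    for label, conf in (('weak', WEAK_CONF), ('hardened', HARDENED_CONF)):
        o = parse_options(conf)
        print(f"{label}: recursion={o['recursion']} "
              f"allow-recursion={effective_recursion_acl(o)} "
              f"open_resolver={is_open_resolver(o)}")
    ours, foreign = triage(SAMPLE_LOG, SERVED_ZONES)
    for (ip, q), n in ours.items():
        print(f"zone not loaded? {q} hit the cache path {n}x from {ip}")
    for (ip, q), n in foreign.items():
        print(f"expected refusal: {q} {n}x from {ip}")
```

The design point is that the two buckets call for opposite fixes: foreign names should keep being refused (do not answer them by opening recursion to the world, which is what allow-recursion { any; } does), while a name from your own zone landing in the cache path means the zone statement is missing, failed to load, or lives in a named.conf other than the one named reads. Run named-checkconf against the file named actually loads before restarting; a syntax error such as a missing semicolon after an ACL makes named keep running on its old configuration or fail to start, which looks from the outside exactly like "the change had no effect".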


