a question about denied queries

Darcy Kevin (FCA) kevin.darcy at fcagroup.com
Thu Aug 4 18:16:15 UTC 2016


Most likely, it has to do with recursion settings, yes, but indirectly. When recursion is not honored for a client, the next thing that named does is check whether the answer, or anything relevant to the answer, is in cache. But access to the cache, these days, defaults to being as restrictive as allow-recursion, so that permissions check fails too, and the end result is a "query (cached) denied" message in the logs.

The defaults are rather convoluted, but, according to the ARM:

	allow-recursion. Specifies which hosts are allowed to make recursive queries through this server. If allow-recursion is not set then allow-query-cache is used if set, otherwise allow-query is used if set, otherwise the default (localnets; localhost;) is used.

	allow-query-cache. Specifies which hosts are allowed to get answers from the cache. If allow-query-cache is not set then allow-recursion is used if set, otherwise allow-query is used if set unless recursion no; is set in which case none; is used, otherwise the default (localnets; localhost;) is used.

- Kevin
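
The precedence rules quoted from the ARM above, written out as a small Python model with a minimal ACL matcher (an added example, not code from this post or from BIND). Assumptions: `localnets` is passed in explicitly because its real value depends on the server's interfaces, and `recursion no;` with neither `allow-query-cache` nor `allow-recursion` set is read as yielding `none;`.

```python
import ipaddress

# Constructed model of the ARM precedence rules (added example, not BIND code).
# options: named.conf option name -> list of ACL elements; a missing key means
# the option is not set. "recursion" maps to True/False (BIND's default is yes).
DEFAULT_ACL = ["localnets", "localhost"]


def effective_allow_recursion(options):
    """allow-recursion, else allow-query-cache, else allow-query, else the default."""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in options:
            return list(options[key])
    return list(DEFAULT_ACL)


def effective_allow_query_cache(options):
    """allow-query-cache, else allow-recursion, else allow-query unless
    'recursion no' is set (then none), else the default."""
    for key in ("allow-query-cache", "allow-recursion"):
        if key in options:
            return list(options[key])
    if options.get("recursion", True) is False:
        return ["none"]  # assumed reading: recursion no overrides the fallback
    if "allow-query" in options:
        return list(options["allow-query"])
    return list(DEFAULT_ACL)


def acl_matches(acl, client_ip, localnets=("127.0.0.0/8",)):
    """First matching element decides; a '!' prefix negates (BIND-style).
    localnets is supplied by the caller (constructed default: loopback only)."""
    ip = ipaddress.ip_address(client_ip)
    for element in acl:
        negate = element.startswith("!")
        name = element.lstrip("!")
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            hit = ip.is_loopback
        elif name == "localnets":
            hit = any(ip in ipaddress.ip_network(n, strict=False) for n in localnets)
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False  # no element matched: implicit deny


def cache_query_denied(options, client_ip):
    """True when named would log "query (cache) '...' denied" for this client."""
    return not acl_matches(effective_allow_query_cache(options), client_ip)
```

With no ACL options set, the model shows 127.0.0.1 is allowed by the built-in default, so a cache denial for a loopback client points at an explicit ACL or `recursion no;` in the running configuration.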



-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Andreas Meyer
Sent: Thursday, August 04, 2016 1:04 PM
To: bind-users at lists.isc.org
Subject: a question about denied queries

Hello!

When I see this in the log, does this mean it is because the server does not allow recursion?

Aug  4 18:52:19 bitmachine1 named[26142]: client 127.0.0.1#52733 (c303.cloudmark.com): query (cache) 'c303.cloudmark.com/A/IN' denied
Aug  4 18:56:08 bitmachine1 named[26142]: client 127.0.0.1#32773 (113.36.207.103.in-addr.arpa): query (cache) '113.36.207.103.in-addr.arpa/PTR/IN' denied
Aug  4 18:57:29 bitmachine1 named[26142]: client 127.0.0.1#41550 (229.109.212.81.in-addr.arpa): query (cache) '229.109.212.81.in-addr.arpa/PTR/IN' denied
Aug  4 18:57:29 bitmachine1 named[26142]: client 127.0.0.1#45968 (81.212.109.229.static.turktelekom.com.tr): query (cache) '81.212.109.229.static.turktelekom.com.tr/A/IN' denied
Aug  4 18:57:30 bitmachine1 named[26142]: client 127.0.0.1#46290 (229.109.212.81.in-addr.arpa): query (cache) '229.109.212.81.in-addr.arpa/PTR/IN' denied
Aug  4 18:57:30 bitmachine1 named[26142]: client 127.0.0.1#34166 (81.212.109.229.static.turktelekom.com.tr): query (cache) '81.212.109.229.static.turktelekom.com.tr/A/IN' denied

Sorry, but it has been a long time since I last dealt with named.

  Andreas