DNS queries being denied
Lennart Sorensen
lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Tue Oct 6 14:32:59 UTC 2009
On Mon, Oct 05, 2009 at 10:55:20PM -0400, Madison Kelly wrote:
> Ok, new thread, (hopefully) less stupid.
>
> My DNS server decided to stop answering queries this evening. When I try
> a query, ie:
>
> ------------------------------------------------------
> digimer at lework:~$ dig google.ca @192.139.81.117
>
> ; <<>> DiG 9.5.1-P2 <<>> google.ca @192.139.81.117
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55559
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;google.ca. IN A
>
> ;; Query time: 44 msec
> ;; SERVER: 192.139.81.117#53(192.139.81.117)
> ;; WHEN: Mon Oct 5 22:49:52 2009
> ;; MSG SIZE rcvd: 27
> ------------------------------------------------------
>
> I see in /var/log/syslog:
>
> ------------------------------------------------------
> named[9307]: client 206.108.5.162#49710: query (cache) 'google.ca/A/IN'
> denied
> ------------------------------------------------------
>
> Have I done something silly?
Well, bind started to be paranoid at some version. It no longer accepts
remote queries by default, only queries from directly connected subnets.
I run with this for /etc/bind/named.conf.options:
acl "trusted" {
    172.30.0.0/16;   // remote net that may use this resolver
    localhost;       // the server's own addresses
    localnets;       // subnets of directly connected interfaces
};

options {
    allow-query { any; };              // anyone may ask for authoritative data
    allow-recursion { trusted; };      // only trusted nets get recursion
    allow-query-cache { trusted; };    // only trusted nets may read the cache
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
The idea here is that 172.30.0.0/16 is not directly connected to this box
(localnets) but should be allowed to do DNS requests through this
DNS server.
I believe I have it configured to allow queries for local data from
anyone, and forwarded lookups and caching for the trusted nets only.
--
Len Sorensen
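The reply above hinges on how named combines allow-query, allow-recursion and
allow-query-cache for a given client. The following script is an added
illustration, not code from the thread or from BIND itself: it models BIND's
address-match-list rules (first matching element wins, "!" negates, nested
ACLs match only on a positive result) and the simplified decision named makes
for a query, then runs the client from the syslog line (206.108.5.162) and a
client from 172.30.0.0/16 through the posted policy. The server's interface
list (LOCAL_INTERFACES) is constructed; the /24 mask on 192.139.81.117 is an
assumption, since the thread only gives the address.

```python
import ipaddress

# Constructed: interfaces of the hypothetical resolver. BIND expands
# "localhost" to its own addresses and "localnets" to the prefixes of
# its directly connected interfaces; the /24 on 192.139.81.117 is assumed.
LOCAL_INTERFACES = [
    ipaddress.ip_interface("127.0.0.1/8"),
    ipaddress.ip_interface("192.139.81.117/24"),
]

# The ACL and options from the posted named.conf.options, as data.
ACLS = {
    "trusted": ["172.30.0.0/16", "localhost", "localnets"],
}
OPTIONS = {
    "allow-query": ["any"],
    "allow-recursion": ["trusted"],
    "allow-query-cache": ["trusted"],
}


def match_list(elements, client):
    """Evaluate a BIND-style address match list for one client address.

    Returns True for a positive match, False for a negated ("!") match and
    None when no element matches (BIND treats None as denied)."""
    for element in elements:
        negate = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            hit = any(client == iface.ip for iface in LOCAL_INTERFACES)
        elif name == "localnets":
            hit = any(client in iface.network for iface in LOCAL_INTERFACES)
        elif name in ACLS:
            # A nested ACL only counts as a hit on a positive match;
            # a negated or missing match just falls through to the next element.
            hit = match_list(ACLS[name], client) is True
        else:
            hit = client in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return None


def allowed(option, client):
    """True if the client is positively matched by the named option's list."""
    return match_list(OPTIONS[option], ipaddress.ip_address(client)) is True


def classify_query(client, recursion_desired, local_zone):
    """Simplified model of named's handling of a single query.

    allow-query gates every query. A query with RD set from a client outside
    allow-recursion is handled as if it were non-recursive. If the name is
    not in a zone this server serves, a non-recursing answer can only come
    from the cache, which allow-query-cache must permit; otherwise the query
    is refused, which is the 'query (cache) ... denied' case in the thread."""
    if not allowed("allow-query", client):
        return "REFUSED (allow-query)"
    if local_zone:
        return "authoritative answer"
    if recursion_desired and allowed("allow-recursion", client):
        return "recursive answer"
    if allowed("allow-query-cache", client):
        return "cached answer only (no recursion)"
    return "REFUSED (allow-query-cache)"


if __name__ == "__main__":
    # The situation from the post: remote client, RD set, google.ca not local.
    print("206.108.5.162 -> google.ca:", classify_query("206.108.5.162", True, False))
    # Same client asking for a zone this server is authoritative for.
    print("206.108.5.162 -> local zone:", classify_query("206.108.5.162", True, True))
    # A client on the trusted remote net gets full recursion.
    print("172.30.4.9 -> google.ca:", classify_query("172.30.4.9", True, False))
    # A client on the directly connected subnet matches via localnets.
    print("192.139.81.50 -> google.ca:", classify_query("192.139.81.50", True, False))
```

Running it shows why the dig in the thread came back REFUSED: allow-query
lets 206.108.5.162 through, but it is neither in 172.30.0.0/16 nor on a
local subnet, so recursion is withheld and the cache lookup is denied. The
negation handling is not used by the posted config but matters when you add
exceptions such as `!172.30.1.0/24;` ahead of `172.30.0.0/16;` in the ACL.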
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists