DNS queries being denied

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Tue Oct 6 14:32:59 UTC 2009


On Mon, Oct 05, 2009 at 10:55:20PM -0400, Madison Kelly wrote:
> Ok, new thread, (hopefully) less stupid.
>
> My DNS server decided to stop answering queries this evening. When I try  
> a query, ie:
>
> ------------------------------------------------------
> digimer at lework:~$ dig google.ca @192.139.81.117
>
> ; <<>> DiG 9.5.1-P2 <<>> google.ca @192.139.81.117
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55559
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;google.ca.			IN	A
>
> ;; Query time: 44 msec
> ;; SERVER: 192.139.81.117#53(192.139.81.117)
> ;; WHEN: Mon Oct  5 22:49:52 2009
> ;; MSG SIZE  rcvd: 27
> ------------------------------------------------------
>
>   I see in /var/log/syslog:
>
> ------------------------------------------------------
> named[9307]: client 206.108.5.162#49710: query (cache) 'google.ca/A/IN'  
> denied
> ------------------------------------------------------
>
>   Have I done something silly?

Well bind started to be paranoid at some version.  It no longer accepts
remote queries by default, only queries from directly connected subnets.

I run with this for /etc/bind/named.conf.options:

acl "trusted" {
        172.30.0.0/16;
        localhost;
        localnets;
};

options {
        allow-query { any; };
        allow-recursion { trusted; };
        allow-query-cache { trusted; };

        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;               # conform to RFC1035
        listen-on-v6 { any; };

};

The idea here is that 172.30.0.0/16 is not directly connected to this box
(localnets) but should be allowed to do DNS requests through this
dns server.

I believe I have it configured to allow queries for local data from
anyone, and forwarded lookups and caching for the trusted nets only.

-- 
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
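To make the effect of Len's options concrete, here is a small added illustration (not BIND's code and not from the post) that evaluates BIND-style address match lists the way the ARM describes them: elements are tried in order, the first one that matches decides, a `!` prefix turns a match into a denial, a named ACL matches only when it matches positively, and no match at all means the client is refused for an `allow-*` option. The interface list standing in for the built-in `localhost` and `localnets` ACLs is a constructed assumption, since the post does not say what addresses the server has. Running it against the three options from the posted `named.conf.options` shows why a client outside `trusted` can still query but gets `query (cache) ... denied` and a `REFUSED` answer with "recursion requested but not available" when it asks for `google.ca`.

```python
"""Evaluate BIND-style address match lists (first match wins).

Added example; it models the semantics, it is not BIND's own ACL code.
"""
import ipaddress

# Constructed stand-in for the interfaces BIND would discover at startup.
# These addresses are assumptions for the example, not taken from the post.
INTERFACES = ["127.0.0.1/8", "192.139.81.117/24"]


def builtin_acls():
    """Approximate BIND's built-in ACLs from the INTERFACES list above."""
    ifaces = [ipaddress.ip_interface(i) for i in INTERFACES]
    return {
        "any": ["0.0.0.0/0", "::/0"],
        "none": [],
        "localhost": [str(i.ip) for i in ifaces],       # the server's own addresses
        "localnets": [str(i.network) for i in ifaces],  # subnets it is directly on
    }


def match_list(elements, client, acls):
    """Walk an address match list with first-match-wins semantics.

    Returns "allow" if the first matching element is positive, "deny" if
    that element was negated with '!', and None when nothing matched.
    """
    addr = ipaddress.ip_address(client)
    for elem in elements:
        negated = elem.startswith("!")
        token = elem[1:].strip() if negated else elem
        if token in acls:
            # A nested ACL counts as a hit only when it matches positively;
            # a negated match inside it falls through to the next element.
            hit = match_list(acls[token], client, acls) == "allow"
        else:
            net = ipaddress.ip_network(token, strict=False)
            hit = addr.version == net.version and addr in net
        if hit:
            return "deny" if negated else "allow"
    return None


def decide(option_list, client, acls):
    """Yes/no as BIND applies it to allow-query / allow-recursion / allow-query-cache."""
    return match_list(option_list, client, acls) == "allow"


# The ACL and options exactly as posted in the message.
ACLS = builtin_acls()
ACLS["trusted"] = ["172.30.0.0/16", "localhost", "localnets"]

OPTIONS = {
    "allow-query": ["any"],
    "allow-recursion": ["trusted"],
    "allow-query-cache": ["trusted"],
}


def classify(client):
    """Report which of the three options admit this client address."""
    return {opt: decide(lst, client, ACLS) for opt, lst in OPTIONS.items()}


if __name__ == "__main__":
    # 206.108.5.162 is the client address from the syslog line in the post;
    # the other two are constructed examples of a trusted and a local client.
    for client in ["172.30.1.5", "206.108.5.162", "127.0.0.1"]:
        print(client, classify(client))
```

The output for `206.108.5.162` is `allow-query` True but `allow-recursion` and `allow-query-cache` False: a lookup for a zone the server is not authoritative for has to come from the cache or be recursed, so it is refused, while a query for local (authoritative) data from the same client would still be answered. Swapping the order of a `!` element and a broader prefix in `trusted` changes the answer, which is the usual ACL mistake to check for when a client is unexpectedly denied.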