Thanks to David Forrest, I realize now that the query IS being refused; however, nothing in the bind log shows the refusal. Is there any way to see that in the log?
----
Matthew Huff | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
http://www.ox.com | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

> -----Original Message-----
> From: David Forrest [mailto:d...@maplepark.com]
> Sent: Wednesday, February 11, 2009 10:11 AM
> To: Matthew Huff
> Cc: 'bind-users@lists.isc.org'
> Subject: RE: loads of Query denied... is it an attack or a misconfiguration ?
>
> On Wed, 11 Feb 2009, Matthew Huff wrote:
>
> > I've been aware of this problem since it first came up on this and nanog's
> > list, but I'm having some configuration issues trying to make the upward
> > referral be refused. I'm running bind-9.6.0P1, but I'm still seeing the NS
> > queries being answered in the log:
> >
> > 11-Feb-2009 09:34:25.489 queries: client 195.68.176.4#53715: view external-in: query: . IN NS +
> > 11-Feb-2009 09:35:04.525 queries: client 195.40.1.15#58313: view external-in: query: ox.com IN NS -EDC
> > 11-Feb-2009 09:35:28.121 queries: client 195.68.176.4#48472: view external-in: query: . IN NS +
> > 11-Feb-2009 09:35:44.138 queries: client 195.40.1.11#59164: view external-in: query: ox.com IN NS -EDC
> > 11-Feb-2009 09:36:30.755 queries: client 195.68.176.4#39942: view external-in: query: . IN NS +
> > 11-Feb-2009 09:37:33.388 queries: client 195.68.176.4#11158: view external-in: query: . IN NS +
> > 11-Feb-2009 09:38:36.022 queries: client 195.68.176.4#16095: view external-in: query: . IN NS +
> >
> > My config follows, any suggestion?
> >
> > options {
> >     directory "/var/named";
> >     pid-file "/var/named/named.pid";
> >     statistics-file "/var/named/named.stats";
> >     memstatistics-file "/var/named/named.memstats";
> >     dump-file "/var/adm/named.dump";
> >     zone-statistics yes;
> >
> >     notify no;
> >
> >     transfer-format many-answers;
> >     max-transfer-time-in 60;
> >     interface-interval 0;
> >
> >     recursion no;
> >
> >     allow-transfer { xfer; };
> >     allow-query { none; };
> >     allow-recursion { none; };
> >
> >     additional-from-auth no;
> >     additional-from-cache no;
> > };
> >
> > view "internal-in" in {
> >     match-clients { trusted; };
> >     recursion yes;
> >     additional-from-auth yes;
> >     additional-from-cache yes;
> >     allow-query { trusted; };
> >     allow-recursion { trusted; };
> >     allow-query-cache { trusted; };
> >
> >     zone "." in {
> >         type hint;
> >         file "db.cache";
> >     };
> >
> >     zone "0.0.127.in-addr.arpa" in {
> >         type master;
> >         file "master/db.127.0.0";
> >         allow-query {
> >             any;
> >         };
> >         allow-transfer { none; };
> >     };
> >
> >     zone "foo.com" in {
> >         type master;
> >         file "master/db.foo";
> >     };
> >
> >     ...
> >     ...
> >     ...
> >
> > };
> >
> > view "external-in" in {
> >     match-clients { any; };
> >     recursion no;
> >
> >     allow-transfer { xfer; };
> >     allow-query { none; };
> >     allow-recursion { none; };
> >
> >     additional-from-auth no;
> >     additional-from-cache no;
> >
> >     zone "." in {
> >         type hint;
> >         file "db.cache";
> >     };
> >
> >     zone "foo.com" in {
> >         type master;
> >         file "master/db.foo";
> >         allow-query { any; };
> >     };
> >
> >     ...
> >     ...
> >     ...
> > };
>
> Matthew, the querylog shows what was queried. To see what is answered try
> digging your external interface.
>
> Here is my external view:
>
> view "external" { // Primary nameserver for maplepark.com.
>     match-clients { any; };
>     recursion no;
>     additional-from-cache no;
>     // https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful
>
>     zone "maplepark.com" {
>         type master;
>         notify yes;
>         allow-transfer { slave-name-servers; };
>         file "/var/named/drf/external/maplepark.com.external.";
>     };
>
>     zone "." { type hint; file "named.ca"; }; // Update this hint by: /usr/local/sbin/update-root-cache
> };
>
> And the result of the external query:
>
> [...@maplepark ~]$ dig +bufsize=4096 @64.216.205.121 . NS
>
> ; <<>> DiG 9.6.0-P1 <<>> +bufsize=4096 @64.216.205.121 . NS
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24703
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;. IN NS
>
> ;; Query time: 0 msec
> ;; SERVER: 64.216.205.121#53(64.216.205.121)
> ;; WHEN: Wed Feb 11 08:53:04 2009
> ;; MSG SIZE rcvd: 28
>
> [...@maplepark ~]$
>
> Note that the status is "REFUSED" and MSG SIZE is 28 bytes
>
> And the querylog has this:
> 11-Feb-2009 08:53:04.195 queries: info: client 64.216.205.121#58714: view external: query: . IN NS +E
>
> Try digging. AFAICT your conf should return REFUSED
>
> Dave
>
> --
> David Forrest e-mail d...@maplepark.com
> Maple Park Development Corporation http://www.maplepark.com
> St. Louis, Missouri
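As an added example (not from the thread, and not BIND or dig code), the check Dave describes done programmatically: it builds the same `. IN NS` query that `dig +bufsize=4096` sends and inspects the reply header for status REFUSED with empty ANSWER and AUTHORITY sections, which is what "no upward referral" looks like on the wire. The 28-byte sample reply is constructed to match the dig output above; `query_server` and the 203.0.113.1 address are assumptions for a live check against your own external interface.

```python
"""Check that an authoritative server refuses '. IN NS' (no upward referral)."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_root_ns_query(txid=24703, bufsize=4096):
    """Same wire query as `dig +bufsize=4096 . NS`: RD set, root name, NS/IN, EDNS0 OPT."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1; 1 question, 1 additional
    question = b"\x00" + struct.pack("!HH", 2, 1)              # "." (empty label), type NS, class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)    # OPT RR; CLASS carries UDP payload size
    return header + question + opt


def parse_header(msg):
    """Return the header fields worth checking: QR, RCODE and the four section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": RCODES.get(flags & 0xF, "?"),
            "question": qd, "answer": an, "authority": ns, "additional": ar, "size": len(msg)}


def refuses_upward_referral(msg):
    """True when the reply is REFUSED and carries no answer or authority (root NS) records."""
    h = parse_header(msg)
    return h["qr"] and h["rcode"] == "REFUSED" and h["answer"] == 0 and h["authority"] == 0


# Constructed sample reply matching the dig output in the thread: id 24703, flags qr rd,
# status REFUSED, QUERY 1 / ANSWER 0 / AUTHORITY 0 / ADDITIONAL 1 (the echoed OPT), 28 bytes.
SAMPLE_REFUSED = (struct.pack("!HHHHHH", 24703, 0x8105, 1, 0, 0, 1)
                  + b"\x00" + struct.pack("!HH", 2, 1)
                  + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0))


def query_server(server, timeout=3.0):
    """Assumed helper: send the query to your own server over UDP/53 and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_root_ns_query(), (server, 53))
        return s.recv(4096)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; for a live check run
    # refuses_upward_referral(query_server("203.0.113.1")) with your external address.
    print(parse_header(SAMPLE_REFUSED), refuses_upward_referral(SAMPLE_REFUSED))
```

Because BIND's querylog records only the question, this wire-level check is the way to confirm the view's `allow-query { none; }` is actually producing REFUSED for root NS queries.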
_______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users