You have all those allow-*, but in your previous email you have "recursion no;" which you would have to change to "recursion yes;".
When you have done this, make sure to restrict it with the allow-recursion so you do not have an open resolver.

-- Arni

----- Original Message -----
From: "kalin" <ka...@el.net>
To: "Lyle Giese" <l...@lcrcomputer.net>
Cc: bind-users@lists.isc.org
Sent: Thursday, October 11, 2012 1:34:24 AM
Subject: Re: query (cache) 'domain.com/AAAA/IN' denied

On 10/10/12 9:17 PM, Lyle Giese wrote:
> On 10/10/12 20:01, kalin wrote:
>>
>> hi all...
>>
>> # uname -a
>> NetBSD ns2..... 5.1 NetBSD 5.1 .... ...
>>
>> # named -v
>> BIND 9.5.2-P2
>>
>> i get these in the log:
>>
>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#19443: query (cache) 'domain.net/AAAA/IN' denied
>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29333: query (cache) 'domain.net/A/IN' denied
>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20710: query (cache) 'www.domain.org/A/IN' denied
>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20122: query (cache) 'domain.net/AAAA/IN' denied
>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#17725: query (cache) 'domain.net/A/IN' denied
>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29894: query (cache) 'www.domain.org/A/IN' denied
>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#47730: query (cache) 'www.domain.org/A/IN' denied
>> Oct 10 16:15:09 ns2 named[29914]: client 38.112.17.138#36976: query (cache) 'domain.org/A/IN' denied
>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#43827: query (cache) 'domain.org/A/IN' denied
>>
>> .........................................
>>
>> all the domain.net, .org, .com above exist. if i do a dig off a local
>> machine they resolve fine. if the dig is out of this network i get a
>> log entry as above.
>>
>> at this point the named.conf has:
>>
>> options {
>>     version "ha-ha-ha";
>>     directory "/etc/namedb";
>>     pid-file "/var/run/named/pid";
>>     dump-file "/var/dump/named_dump.db";
>>     statistics-file "/var/stats/named.stats";
>>
>>     allow-query-cache { any; };
>>     allow-query { any; };
>>     recursion no;
>>
>>     allow-transfer {
>>         127.0.0.1;
>>     };
>> };
>>
>> i'm not sure where to look next.... this machine is on a verizon
>> fios if that really makes any difference...
>>
>> where should i look?
>>
>> thanks....

> These are queries that require recursion and you have that turned off.
> If you don't want a publicly abused dns server, turn recursion on and
> restrict recursion to your LAN addresses(Allow-recursion).

thanks.. but not good. now i have:

allow-query-cache { any; };
allow-query { any; };
allow-recursion { any; }

and still those logs. a dig from the outside gets "refused"...

> Lyle Giese
> LCR Computer Services, Inc.
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
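Putting Arni's advice into a named.conf, as an added illustration that is not any poster's own configuration: the "trusted" acl name and the 192.0.2.0/24 and 2001:db8::/32 prefixes are placeholders for the real LAN ranges, and the zone stanza is only needed for names this server is meant to be authoritative for.

```conf
// Added illustration, not a poster's config. Addresses below are
// placeholders from RFC 5737/3849 documentation space.
acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;        // placeholder: LAN IPv4 prefix
    2001:db8::/32;       // placeholder: LAN IPv6 prefix
};

options {
    version "ha-ha-ha";
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    dump-file "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";

    // Anyone may ask; outsiders only get answers for zones this
    // server hosts (see the zone stanza below).
    allow-query { any; };

    // "recursion no;" is why the "query (cache) ... denied" lines
    // appear: the names asked for are not in a zone served here, so
    // they need recursion, and recursion was switched off entirely.
    recursion yes;

    // Who may recurse and who may read the cache. Leaving either at
    // { any; } makes the box an open resolver. In BIND 9.5
    // allow-query-cache defaults to allow-recursion, so set both.
    allow-recursion { trusted; };
    allow-query-cache { trusted; };

    allow-transfer { 127.0.0.1; };
};

// Placeholder zone: only for names ns2 is actually delegated for.
zone "domain.net" {
    type master;
    file "master/domain.net";    // placeholder path
    allow-query { any; };
};
```

After `named-checkconf` and `rndc reload`, a query from outside the trusted acl for a name this server does not host should come back REFUSED, while queries for the hosted zone still answer; a query from inside the acl should now resolve with the `ra` flag set.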