On 10/10/12 9:41 PM, Árni Birgisson wrote:
You have all those allow-*, but in your previous email you have
"recursion no;" which you would have to change to "recursion yes;".

When you have done this, make sure to restrict it with the allow-recursion
so you do not have an open resolver.

thanks to you too....  but same result.

options {
        version         "";
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

        allow-query-cache { any; };
        allow-query { any; };
        recursion yes;
        // allow-recursion { any; }

        allow-transfer  {


# dig @ns2.....  domain.com

; <<>> DiG 9.4.2 <<>> @ns2....  domain.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55754
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;domain.com.            IN      A

;; Query t........

i actually have another machine that has bind 9.4.2 and it works as desired without all these options. both machines are meant to be authoritative for domain.com...

anything else i can try?


-- Arni

----- Original Message -----
From: "kalin" <ka...@el.net>
To: "Lyle Giese" <l...@lcrcomputer.net>
Cc: bind-users@lists.isc.org
Sent: Thursday, October 11, 2012 1:34:24 AM
Subject: Re: query (cache) 'domain.com/AAAA/IN' denied

On 10/10/12 9:17 PM, Lyle Giese wrote:
On 10/10/12 20:01, kalin wrote:

hi all...

# uname -a
NetBSD ns2..... 5.1 NetBSD 5.1 .... ...

# named -v
BIND 9.5.2-P2

i get these in the log:

Oct 10 16:15:09 ns2 named[29914]: client query
(cache) 'domain.net/AAAA/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client query
(cache) 'domain.net/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client query
(cache) 'www.domain.org/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client query
(cache) 'domain.net/AAAA/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client query
(cache) 'domain.net/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client query
(cache) 'www.domain.org/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client query
(cache) 'www.domain.org/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client query
(cache) 'domain.org/A/IN' denied
Oct 10 16:15:09 ns2 named[29914]: client query
(cache) 'domain.org/A/IN' denied


all the domain.net, .org, .com above exist. if i do a dig off a local
machine they resolve fine. if the dig is from outside this network i get a
log entry as above.

at this point the named.conf has:

options {
         version         "ha-ha-ha";
         directory       "/etc/namedb";
         pid-file        "/var/run/named/pid";
         dump-file       "/var/dump/named_dump.db";
         statistics-file "/var/stats/named.stats";

         allow-query-cache { any; };
         allow-query { any; };
         recursion no;

         allow-transfer  {


i'm not sure where to look next....   this machine is on a verizon
fios if that really makes any difference...

where should i look?

These are queries that require recursion and you have that turned off.
If you don't want a publicly abused DNS server, turn recursion on and
restrict recursion to your LAN addresses (allow-recursion).

thanks..  but not good.

now i have:

         allow-query-cache { any; };
          allow-query { any; };
          allow-recursion { any; }

and still those logs. a dig from the outside gets "refused"...

Lyle Giese
LCR Computer Services, Inc.

Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

bind-users mailing list
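Added example, not part of the thread and not the poster's files: a small Python check that applies the advice Árni and Lyle give above (recursion yes, then restrict it with allow-recursion so the server is not an open resolver) to named.conf option blocks, and reads the header flags of a dig reply like the REFUSED one quoted above. The three named.conf fragments and the ACL name `trusted` are constructed for this example (192.0.2.0/24 is a documentation prefix standing in for the LAN); the dig header lines are the ones from the thread. The defaulting chain used when allow-recursion is absent (allow-recursion, then allow-query-cache, then allow-query, then the built-in localnets/localhost) is taken from the BIND 9.4/9.5-era ARM and is an assumption to verify against the ARM of the release you run. Every statement in these fragments, including the closing brace of an ACL list, ends with a semicolon; running `named-checkconf` on the file before a reload is the practical way to catch a missing one, since a syntax error makes the reload fail and leaves the previous configuration in effect.

```python
import re

# Constructed named.conf fragments for this example (not the poster's files).
# Mirrors the thread's "allow-recursion { any; }" attempt: recursion is on and
# offered to every client, i.e. an open resolver.
OPEN_RESOLVER_CONF = """
options {
        directory         "/etc/namedb";
        allow-query       { any; };
        allow-query-cache { any; };
        recursion yes;
        allow-recursion   { any; };
};
"""

# recursion yes with only allow-query set: under the defaulting chain the
# allow-query { any; } list governs recursion too, so this is also open.
QUERY_ONLY_CONF = """
options {
        allow-query { any; };
        recursion yes;
};
"""

# Hardened form: authoritative data stays public, recursion and cached answers
# are limited to a named ACL (192.0.2.0/24 is a documentation prefix).
RESTRICTED_CONF = """
acl trusted { 192.0.2.0/24; localhost; };

options {
        allow-query       { any; };      // zones we are authoritative for
        recursion yes;
        allow-recursion   { trusted; };  // recursion only for the LAN
        allow-query-cache { trusted; };  // cached answers only for the LAN
};
"""

# dig header lines quoted from the thread's REFUSED reply.
DIG_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55754
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
"""

# One statement: `name { list; };` or `name value;`
_STMT = re.compile(r"([\w-]+)\s*(?:\{([^}]*)\}|([^{;]*?))\s*;")

def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def _members(body):
    return [m.strip().strip('"') for m in body.split(";") if m.strip()]

def _block(text, keyword):
    """Body of `keyword { ... }` found by brace matching (None if absent)."""
    m = re.search(r"\b%s\s*\{" % re.escape(keyword), text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    raise ValueError("unbalanced braces in %s block" % keyword)

def parse_named_conf(text):
    """Subset parser: acl definitions plus the statements inside options {}."""
    text = _strip_comments(text)
    acls = {n.strip('"'): _members(b)
            for n, b in re.findall(r"\bacl\s+(\S+)\s*\{([^}]*)\}\s*;", text)}
    options = {}
    for name, listval, simple in _STMT.findall(_block(text, "options") or ""):
        options[name] = _members(listval) if listval else simple.strip().strip('"')
    return {"acl": acls, "options": options}

def expand_acl(members, acls, _seen=None):
    """Flatten named ACL references (negated entries are left as written)."""
    seen = set() if _seen is None else _seen
    out = []
    for m in members:
        if m in acls and m not in seen:
            seen.add(m)
            out.extend(expand_acl(acls[m], acls, seen))
        else:
            out.append(m)
    return out

def effective_recursion_acl(cfg):
    """List that governs recursion. Assumed chain (BIND 9.4/9.5-era ARM):
    allow-recursion, then allow-query-cache, then allow-query, then default."""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in cfg["options"]:
            return cfg["options"][key]
    return ["localnets", "localhost"]

def is_open_resolver(cfg):
    """Recursion on (BIND's default when the statement is absent) and offered to any."""
    if cfg["options"].get("recursion", "yes") != "yes":
        return False
    return "any" in expand_acl(effective_recursion_acl(cfg), cfg["acl"])

def summarize_dig(output):
    """Status plus the aa (authoritative) and ra (recursion available) flags."""
    status = re.search(r"status:\s*(\w+)", output)
    flag_line = re.search(r"^;; flags:\s*([^;]*);", output, flags=re.M)
    flagset = set(flag_line.group(1).split()) if flag_line else set()
    return {"status": status.group(1) if status else None,
            "authoritative": "aa" in flagset,
            "recursion_available": "ra" in flagset}

if __name__ == "__main__":
    for label, conf in [("allow-recursion any", OPEN_RESOLVER_CONF),
                        ("allow-query only", QUERY_ONLY_CONF),
                        ("restricted", RESTRICTED_CONF)]:
        print("%-20s open resolver: %s" % (label, is_open_resolver(parse_named_conf(conf))))
    print(summarize_dig(DIG_REPLY))
```

Run as a script it reports the first two fragments as open resolvers and the restricted one as not, and shows that the quoted dig reply carried neither `ra` nor `aa`: the server offered no recursion to that client and did not answer authoritatively either. For an authoritative server of your own, `dig +norecurse @server zone SOA` should return `aa` whatever the recursion ACL says, which separates a zone-loading problem from a recursion-policy one.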