Most likely, it has to do with recursion settings, yes, but indirectly. When 
recursion is not honored for a client, the next thing that named does is check 
whether the answer, or anything relevant to the answer, is in cache. But access 
to the cache, these days, defaults to being as restrictive as allow-recursion, 
so that permissions check fails too, and the end result is a "query (cached) 
denied" message in the logs.

The defaults are rather convoluted, but, according to the ARM:

        allow-recursion. Specifies which hosts are allowed to make
        recursive queries through this server. If allow-recursion is not
        set then allow-query-cache is used if set, otherwise allow-query
        is used if set, otherwise the default (localnets; localhost;) is
        used.

        allow-query-cache. Specifies which hosts are allowed to get
        answers from the cache. If allow-query-cache is not set then
        allow-recursion is used if set, otherwise allow-query is used if
        set unless recursion no; is set in which case none; is used,
        otherwise the default (localnets; localhost;) is used.

                                                                                
        - Kevin



-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Andreas 
Meyer
Sent: Thursday, August 04, 2016 1:04 PM
To: bind-users@lists.isc.org
Subject: a question about denied queries

Hello!

When I see this in the log, does this mean it is because the server does not 
allow recursion?

Aug  4 18:52:19 bitmachine1 named[26142]: client 127.0.0.1#52733 (c303.cloudmark.com): query (cache) 'c303.cloudmark.com/A/IN' denied
Aug  4 18:56:08 bitmachine1 named[26142]: client 127.0.0.1#32773 (113.36.207.103.in-addr.arpa): query (cache) '113.36.207.103.in-addr.arpa/PTR/IN' denied
Aug  4 18:57:29 bitmachine1 named[26142]: client 127.0.0.1#41550 (229.109.212.81.in-addr.arpa): query (cache) '229.109.212.81.in-addr.arpa/PTR/IN' denied
Aug  4 18:57:29 bitmachine1 named[26142]: client 127.0.0.1#45968 (81.212.109.229.static.turktelekom.com.tr): query (cache) '81.212.109.229.static.turktelekom.com.tr/A/IN' denied
Aug  4 18:57:30 bitmachine1 named[26142]: client 127.0.0.1#46290 (229.109.212.81.in-addr.arpa): query (cache) '229.109.212.81.in-addr.arpa/PTR/IN' denied
Aug  4 18:57:30 bitmachine1 named[26142]: client 127.0.0.1#34166 (81.212.109.229.static.turktelekom.com.tr): query (cache) '81.212.109.229.static.turktelekom.com.tr/A/IN' denied

Sorry, but it has been a long time since I have dealt with named.

  Andreas
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
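
Added example, not part of the original messages and not BIND code: a Python sketch of the ACL fallback chain quoted from the ARM above, plus a parser for the "query (cache) ... denied" log entries. The function names and the dict layout are hypothetical, the loopback match is simplified, and the code assumes one reading of the quoted text in which "recursion no;" yields none; before allow-query is consulted.

```python
import re

DEFAULT = "localnets; localhost;"  # built-in default quoted from the ARM

def effective_acls(cfg):
    """Resolve the ACLs named falls back to when options are left unset.

    cfg maps option name -> value as set in named.conf (hypothetical dict
    layout); unset options are simply absent.
    """
    aq = cfg.get("allow-query")
    ar = cfg.get("allow-recursion")
    aqc = cfg.get("allow-query-cache")
    recursion_off = cfg.get("recursion") == "no"
    # allow-recursion: own value, else allow-query-cache, else allow-query.
    eff_ar = ar or aqc or aq or DEFAULT
    # allow-query-cache: own value, else allow-recursion, else (assumed
    # reading) "recursion no;" forces none before allow-query is consulted.
    if aqc or ar:
        eff_aqc = aqc or ar
    elif recursion_off:
        eff_aqc = "none;"
    else:
        eff_aqc = aq or DEFAULT
    return {"allow-recursion": eff_ar, "allow-query-cache": eff_aqc}

def permits_loopback(acl):
    """Simplified match for client 127.0.0.1: literal elements only,
    no negation, CIDR or named ACLs."""
    elements = {e.strip() for e in acl.split(";") if e.strip()}
    return bool(elements & {"any", "localhost", "127.0.0.1"})

DENIED = re.compile(
    r"client (?P<client>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"query \(cache\) '(?P<name>[^/']+)/(?P<type>[^/']+)/(?P<cls>[^/']+)' denied")

def cache_denials(log_text):
    """Return (client, qname, qtype) for each 'query (cache) ... denied' entry."""
    return [(m["client"], m["name"], m["type"]) for m in DENIED.finditer(log_text)]

# Two entries taken from the log excerpt in the message above.
SAMPLE = (
    "Aug  4 18:52:19 bitmachine1 named[26142]: client 127.0.0.1#52733 "
    "(c303.cloudmark.com): query (cache) 'c303.cloudmark.com/A/IN' denied\n"
    "Aug  4 18:56:08 bitmachine1 named[26142]: client 127.0.0.1#32773 "
    "(113.36.207.103.in-addr.arpa): query (cache) "
    "'113.36.207.103.in-addr.arpa/PTR/IN' denied\n")

if __name__ == "__main__":
    for cfg in ({}, {"recursion": "no", "allow-query": "any;"},
                {"allow-recursion": "10.0.0.0/8;"}):  # constructed configs
        acl = effective_acls(cfg)["allow-query-cache"]
        print(cfg, "->", acl, "| 127.0.0.1 permitted:", permits_loopback(acl))
    print(cache_denials(SAMPLE))
```

With every option unset the defaults admit localhost, so a cache denial for 127.0.0.1 points at either "recursion no;" or an explicitly set ACL that leaves loopback out.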