BIND refuses queries... stumped as to why
Greetings all, you will excuse my newbie account as it seems I can't get the forum to recover my account password.
At any rate, I am currently running the latest version of Bind, and for some completely unknown reason I can NOT get queries to work for PTR records. All queries to the servers for reverse name lookup get query denied: Using domain server: Name: 66.150.173.1 Address: 66.150.173.1#53 Aliases: Host 27.173.150.66.in-addr.arpa not found: 5(REFUSED) And it shows in my logs: Feb 15 15:49:03 mail1 named[19789]: client 98.232.45.87#58902: query (cache) '27.173.150.66.in-addr.arpa/PTR/IN' denied Feb 15 15:49:03 mail1 named[19789]: client 98.232.45.87#42598: query (cache) '27.173.150.66.in-addr.arpa/PTR/IN' denied Feb 15 15:52:59 mail1 named[19789]: client 173.160.151.225#65200: query (cache) '1.173.150.66.in-addr.arpa/PTR/IN' denied Feb 15 15:52:59 mail1 named[19789]: client 173.160.151.225#52885: query (cache) '27.173.150.66.in-addr.arpa/PTR/IN' denied I am at my wits ends with the piece of crap. Can anyone shine some light on why this damn Bind install won't respond to these queries?? For reference here is my named.conf: Code:
# cat named.caching-nameserver.conf |
You might be running into this issue, have a read:
Quote:
|
well I appear to have stuck my foot in my mouth just a bit. It appears that I am tracking the latest version of Bind that CentOS bundles and that is the 9.3 branch. So while that article gave me some ideas, it didn't result in a repair.
What I did discover is that in my config file if I open the option that restricts people from doing recursive queries, the reverse zone starts working: from Code:
options { Code:
options { |
I think you want views/match-clients etc http://www.zytrax.com/books/dns/ch7/view.html
|
...
|
Admittedly, I have limited experience setting up DNS servers overall. I know enough to be dangerous I suppose.
I recently set up the most basic config for a bind caching DNS server: root@mars:/etc# named -v BIND 9.6.1-P3 root@mars:/etc# Granted, this is a different version than yours, but I think the basic issue with which you are dealing is common between them. I was looking at the rejections you were seeing in your logs, and then checked the 'allow-query' option you have set. It looks like you're limiting queries from public address space to those contained within 66.150.173.0/26. I thought I'd run a test on my DNS server to see how it would react to altering the 'allow-query' option. I fired up the laptop where the DNS server is installed, and issued this command: jcwx@haley:/tmp$ host google.com 10.xx.xx.117 Using domain server: Name: 10.xx.xx.117 Address: 10.xx.xx.117#53 Aliases: google.com has address 209.85.225.99 google.com has address 209.85.225.105 google.com has address 209.85.225.147 google.com has address 209.85.225.106 google.com has address 209.85.225.103 google.com has address 209.85.225.104 google.com mail is handled by 400 google.com.s9b2.psmtp.com. google.com mail is handled by 200 google.com.s9a2.psmtp.com. google.com mail is handled by 100 google.com.s9a1.psmtp.com. google.com mail is handled by 300 google.com.s9b1.psmtp.com. jcwx@haley:/tmp$ I then edited my named.conf file and added this to the options file: allow-query {192.168.3.0/24;}; That effectively negates any of my systems here as I don't use that network. I could have used 'none' and achieved the same thing. I then ran a query against that server again: jcwx@haley:/tmp$ host google.com 10.xx.xx.117 Using domain server: Name: 10.xx.xx.117 Address: 10.xx.xx.117#53 Aliases: Host google.com.lan not found: 5(REFUSED) This is what I found in /var/log/messages: Feb 16 23:29:09 mars named[16978]: client 10.xx.xx.103#51048: query (cache) 'google.com/A/IN' denied Feb 16 23:29:09 mars named[16978]: client 10.xx.xx.103#33745: query (cache) 'google.com.lan/A/IN' denied I did a reverse lookup and of course the same response was received, and the rejection was logged in a similar manner. You're receiving requests from 98.232.45.87#42598 and 173.160.151.225#65200, and they're being rejected because they aren't within the 66.150.173.0/26 subnet. Hope that helps. -- I'm reading on the zone definitions now. Dunno, perhaps those override the first allow-query option. |
Quote:
Apparently I wasn't reading for content earlier. Crap. I see what you mean about your DNS servers being open for use for any queries at that point. Time to do some reading. Has to be a way to accomplish that, and a relatively common one at that. |
I set up a test, where I added a zone to a named.conf I crafted from the one you posted in your OP.
Code:
root@mars:/var/log# cat /etc/named.conf Code:
root@mars:/var/log# cat /var/named/caching-example/example.com.zone I then forwarded port 53 from the public interface on my firewall to the laptop where that DNS server is installed. Logged into a router on another network, and ran these queries: Code:
myatta:~# host example.com 71.xx.xx.xx I then ran this query to see if it would resolve a domain not hosted on that server: Code:
myatta:~# host -a google.com 71.xx.xx.xx Feb 17 01:25:48 mars named[21750]: client 24.xx.xx.xx#41357: query (cache) 'google.com/ANY/IN' denied In the configuration I have set up, my DNS server will not answer for any domain for which it does not have a record defined when queried from an external host. It resolves names properly from the lan. I tried to emulate your config as best I could. I really can't explain why your config doesn't work. |
Smartpatrol had a good point. You are working with an address in the range of 66.150.173.0/26, which will if I am reading my CIDR notation correct, will allow you to have 15 hosts ranging from 66.150.173.1 to 66.160.173.15. There is a problem with this range: it is already owned, allocated and handled by a name server. It is PUBLIC! If this public address range isn't yours, i.e, if you are not leasing it from Internap Network Services Corporation, you will run into problems with conflicts.
The other posts in this thread, where attempts to duplicate your problem have failed are with private address ranges. Perhaps this is your problem. |
Quote:
As to someone else owning the IP range that the OP is working with -- I would imagine this is hardly uncommon. ISPs own blocks of public IP space. Those blocks are then split up into smaller blocks and used by clients. I thought I tested the OP's DNS server (66.150.173.1) earlier this morning, to find it not accepting connections. Anyhow, it is now and I see exactly the issue. If anyone has actually done any testing on the OP's domains they would have seen that the DNS server being used presently is none other than the one at 66.150.173.1. I was thrown a bit when I started getting reverse resolution, but realized that wasn't the case, for I was running name queries first, then a reverse query. My local name servers are caching, so when I request a reverse lookup, the request isn't going back to 66.150.173.1. It is merely being answered by my local DNS server. I could see via traffic dumps that there wasn't any traffic to/from 66.150.173.1 on the reverse requests. Here is an example of the query I send: Code:
jcwx@haley:~$ host -a 66.150.173.20 66.150.173.1 To the OP: could we see the contents of the 0-59.173.150.66.in-addr.arpa file? I imagine that is where the PTR records are defined. |
I got reverse lookups to work. The reverse on the MX record doesn't work for some reason, but that's some sort of a syntax issue.
Code:
myatta:~# host ftp.example.com 71.xx.xx.66 I changed the IP addresses to public, as bind was complaining about serving up private IP via the public interface. The two zones look like this: Code:
include "/etc/rndc.key"; Code:
root@mars:/var/named/caching-example# cat 254.1.192.in-addr.arpa |
All times are GMT -5. The time now is 08:19 AM. |