BIND refuses queries... stumped as to why
 

Greetings all, you will excuse my newbie account as it seems I can't get the forum to recover my account password.

At any rate, I am currently running the latest version of Bind, and for some completely unknown reason I can NOT get queries to work for PTR records. All queries to the servers for reverse name lookup get query denied:

Using domain server:
Name: 66.150.173.1
Address: 66.150.173.1#53
Aliases:

Host 27.173.150.66.in-addr.arpa not found: 5(REFUSED)

And it shows in my logs:

Feb 15 15:49:03 mail1 named[19789]: client 98.232.45.87#58902: query (cache) '27.173.150.66.in-addr.arpa/PTR/IN' denied
Feb 15 15:49:03 mail1 named[19789]: client 98.232.45.87#42598: query (cache) '27.173.150.66.in-addr.arpa/PTR/IN' denied
Feb 15 15:52:59 mail1 named[19789]: client 173.160.151.225#65200: query (cache) '1.173.150.66.in-addr.arpa/PTR/IN' denied
Feb 15 15:52:59 mail1 named[19789]: client 173.160.151.225#52885: query (cache) '27.173.150.66.in-addr.arpa/PTR/IN' denied


I am at my wits ends with the piece of crap. Can anyone shine some light on why this damn Bind install won't respond to these queries??

For reference here is my named.conf:

You might be running into this issue, have a read:

hth

well I appear to have stuck my foot in my mouth just a bit. It appears that I am tracking the latest version of Bind that CentOS bundles and that is the 9.3 branch. So while that article gave me some ideas, it didn't result in a repair.

What I did discover is that in my config file if I open the option that restricts people from doing recursive queries, the reverse zone starts working:

from
to
However that allows anyone then to do DNS queries against my machines for any zone and that isn't something that I want. Any ideas?

I think you want views/match-clients etc http://www.zytrax.com/books/dns/ch7/view.html

...

Admittedly, I have limited experience setting up DNS servers overall. I know enough to be dangerous I suppose.

I recently set up the most basic config for a bind caching DNS server:

root@mars:/etc# named -v
BIND 9.6.1-P3
root@mars:/etc#

Granted, this is a different version than yours, but I think the basic issue with which you are dealing is common between them.

I was looking at the rejections you were seeing in your logs, and then checked the 'allow-query' option you have set. It looks like you're limiting queries from public address space to those contained within 66.150.173.0/26. I thought I'd run a test on my DNS server to see how it would react to altering the 'allow-query' option.

I fired up the laptop where the DNS server is installed, and issued this command:

jcwx@haley:/tmp$ host google.com 10.xx.xx.117
Using domain server:
Name: 10.xx.xx.117
Address: 10.xx.xx.117#53
Aliases:

google.com has address 209.85.225.99
google.com has address 209.85.225.105
google.com has address 209.85.225.147
google.com has address 209.85.225.106
google.com has address 209.85.225.103
google.com has address 209.85.225.104
google.com mail is handled by 400 google.com.s9b2.psmtp.com.
google.com mail is handled by 200 google.com.s9a2.psmtp.com.
google.com mail is handled by 100 google.com.s9a1.psmtp.com.
google.com mail is handled by 300 google.com.s9b1.psmtp.com.
jcwx@haley:/tmp$

I then edited my named.conf file and added this to the options file:

allow-query {192.168.3.0/24;};

That effectively negates any of my systems here as I don't use that network. I could have used 'none' and achieved the same thing.

I then ran a query against that server again:

jcwx@haley:/tmp$ host google.com 10.xx.xx.117
Using domain server:
Name: 10.xx.xx.117
Address: 10.xx.xx.117#53
Aliases:

Host google.com.lan not found: 5(REFUSED)

This is what I found in /var/log/messages:

Feb 16 23:29:09 mars named[16978]: client 10.xx.xx.103#51048: query (cache) 'google.com/A/IN' denied
Feb 16 23:29:09 mars named[16978]: client 10.xx.xx.103#33745: query (cache) 'google.com.lan/A/IN' denied

I did a reverse lookup and of course the same response was received, and the rejection was logged in a similar manner.

You're receiving requests from 98.232.45.87#42598 and 173.160.151.225#65200, and they're being rejected because they aren't within the 66.150.173.0/26 subnet.

Hope that helps.

-- I'm reading on the zone definitions now. Dunno, perhaps those override the first allow-query option.

Hmmnn...well, it seems that pretty much knocks out my first post.

Apparently I wasn't reading for content earlier. Crap.

I see what you mean about your DNS servers being open for use for any queries at that point. Time to do some reading. Has to be a way to accomplish that, and a relatively common one at that.

I set up a test, where I added a zone to a named.conf I crafted from the one you posted in your OP.
I added the example.com.zone file, of which the contents were found in an example file I found online:

I wasn't too worried about the contents of the file itself, as long as they would return something on a query, which worked well enough. I got a response when running a query from within my lan.

I then forwarded port 53 from the public interface on my firewall to the laptop where that DNS server is installed. Logged into a router on another network, and ran these queries:

The DNS server was doing what it was supposed to at that point.

I then ran this query to see if it would resolve a domain not hosted on that server:

And I found this in the logs:

Feb 17 01:25:48 mars named[21750]: client 24.xx.xx.xx#41357: query (cache) 'google.com/ANY/IN' denied

In the configuration I have set up, my DNS server will not answer for any domain for which it does not have a record defined when queried from an external host. It resolves names properly from the lan.

I tried to emulate your config as best I could. I really can't explain why your config doesn't work.

Smartpatrol had a good point. You are working with an address in the range of 66.150.173.0/26, which will if I am reading my CIDR notation correct, will allow you to have 15 hosts ranging from 66.150.173.1 to 66.160.173.15. There is a problem with this range: it is already owned, allocated and handled by a name server. It is PUBLIC! If this public address range isn't yours, i.e, if you are not leasing it from Internap Network Services Corporation, you will run into problems with conflicts.

The other posts in this thread, where attempts to duplicate your problem have failed are with private address ranges. Perhaps this is your problem.

Well, the test I set up was indeed done via public space -- I didn't set up a PTR record for my little test, but I'm doing that now. The data being returned in the little testing environment is irrelevant, due to the fact I'm only looking for what I defined as the IP addresses or domain names in the zone I created.

As to someone else owning the IP range that the OP is working with -- I would imagine this is hardly uncommon. ISPs own blocks of public IP space. Those blocks are then split up into smaller blocks and used by clients.

I thought I tested the OP's DNS server (66.150.173.1) earlier this morning, to find it not accepting connections. Anyhow, it is now and I see exactly the issue. If anyone has actually done any testing on the OP's domains they would have seen that the DNS server being used presently is none other than the one at 66.150.173.1.

I was thrown a bit when I started getting reverse resolution, but realized that wasn't the case, for I was running name queries first, then a reverse query. My local name servers are caching, so when I request a reverse lookup, the request isn't going back to 66.150.173.1. It is merely being answered by my local DNS server. I could see via traffic dumps that there wasn't any traffic to/from 66.150.173.1 on the reverse requests.

Here is an example of the query I send:

No need to post the traffic capture on it. Needless to say it's bidirectional and reflects the refusal show.

To the OP: could we see the contents of the 0-59.173.150.66.in-addr.arpa file? I imagine that is where the PTR records are defined.

I got reverse lookups to work. The reverse on the MX record doesn't work for some reason, but that's some sort of a syntax issue.

It works for only some of the addresses, and even the example above isn't quite right, as that should return ftp.example.com for the reverse lookup. Still, it's semi-functional and not refusing the reverse lookups.

I changed the IP addresses to public, as bind was complaining about serving up private IP via the public interface.

The two zones look like this:

and my screwed up reverse lookup file:

I'm sure what I've got wrong is pretty basic, and probably rather obvious too, but I've been messing around with it enough that it is time to get away from bind for a little while. I'll take a look at it again sometime later.