On Wed, 11 Feb 2009, Matthew Huff wrote:

I've been aware of this problem since it first came up on this and nanog's
list, but I'm having some configuration issues trying to make the upward
referral be refused. I'm running bind-9.6.0P1, but I'm still seeing the NS
queries being answered in the log:

11-Feb-2009 09:34:25.489 queries: client 195.68.176.4#53715: view external-in: query: . IN NS +
11-Feb-2009 09:35:04.525 queries: client 195.40.1.15#58313: view external-in: query: ox.com IN NS -EDC
11-Feb-2009 09:35:28.121 queries: client 195.68.176.4#48472: view external-in: query: . IN NS +
11-Feb-2009 09:35:44.138 queries: client 195.40.1.11#59164: view external-in: query: ox.com IN NS -EDC
11-Feb-2009 09:36:30.755 queries: client 195.68.176.4#39942: view external-in: query: . IN NS +
11-Feb-2009 09:37:33.388 queries: client 195.68.176.4#11158: view external-in: query: . IN NS +
11-Feb-2009 09:38:36.022 queries: client 195.68.176.4#16095: view external-in: query: . IN NS +

My config follows; any suggestions?

options {
   directory "/var/named";
   pid-file "/var/named/named.pid";
   statistics-file "/var/named/named.stats";
   memstatistics-file "/var/named/named.memstats";
   dump-file "/var/adm/named.dump";
   zone-statistics yes;

   notify no;

   transfer-format many-answers;
   max-transfer-time-in 60;
   interface-interval 0;

   recursion no;

   allow-transfer { xfer; };
   allow-query { none; };
   allow-recursion { none; };

   additional-from-auth no;
   additional-from-cache no;
};

view "internal-in" in {
 match-clients { trusted; };
 recursion yes;
 additional-from-auth yes;
 additional-from-cache yes;
 allow-query { trusted; };
 allow-recursion { trusted; };
 allow-query-cache { trusted; };

 zone "." in {
   type hint;
   file "db.cache";
 };

 zone "0.0.127.in-addr.arpa" in {
   type master;
   file "master/db.127.0.0";
   allow-query {
     any;
   };
   allow-transfer { none; };
 };

 zone "foo.com" in {
   type master;
   file "master/db.foo";
  };

...
...
...

};

view "external-in" in {
 match-clients { any; };
 recursion no;

 allow-transfer { xfer; };
 allow-query { none; };
 allow-recursion { none; };

 additional-from-auth no;
 additional-from-cache no;

 zone "." in {
   type hint;
   file "db.cache";
 };

 zone "foo.com" in {
   type master;
   file "master/db.foo";
   allow-query { any; };
 };

...
...
...
};

Matthew, the querylog shows what was queried. To see what is answered, try digging your external interface.

Here is my external view:

view "external" {     // Primary nameserver for maplepark.com.
        match-clients { any; };
        recursion no;
        additional-from-cache no;
        // https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful

        zone "maplepark.com" {
                type master;
                notify yes;
                allow-transfer { slave-name-servers; };
                file "/var/named/drf/external/maplepark.com.external.";
        };

        zone "." { type hint; file "named.ca"; };  // Update this hint by: /usr/local/sbin/update-root-cache
};

And the result of the external query:

[...@maplepark ~]$ dig +bufsize=4096  @64.216.205.121 . NS

; <<>> DiG 9.6.0-P1 <<>> +bufsize=4096 @64.216.205.121 . NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24703
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS

;; Query time: 0 msec
;; SERVER: 64.216.205.121#53(64.216.205.121)
;; WHEN: Wed Feb 11 08:53:04 2009
;; MSG SIZE  rcvd: 28

[...@maplepark ~]$

Note that the status is "REFUSED" and MSG SIZE is 28 bytes.

And the querylog has this:
11-Feb-2009 08:53:04.195 queries: info: client 64.216.205.121#58714: view external: query: . IN NS +E

Try digging. AFAICT your conf should return REFUSED.

Dave

--
David Forrest                     e-mail   d...@maplepark.com
Maple Park Development Corporation  http://www.maplepark.com
St. Louis, Missouri
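To check what the server answers rather than what the querylog records, here is an added example (not from this thread or from BIND) that builds the same `. IN NS` query dig sends with +bufsize=4096 and classifies the reply as a refusal or an upward referral. The two sample replies are constructed, and `probe()` is a hypothetical helper that sends the query over UDP to a server you name.

```python
"""Probe an authoritative server for upward referrals on '. IN NS' queries."""
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_root_ns_query(txid=0x6010, bufsize=4096):
    """Wire-format query equivalent to `dig +bufsize=4096 @server . NS`."""
    # Header: id, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)
    question = b"\x00" + struct.pack("!HH", 2, 1)              # name ".", type NS, class IN
    # OPT pseudo-RR: name ".", type 41, CLASS carries the UDP payload size, TTL 0, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0, 0)
    return header + question + opt

def classify_response(msg):
    """Return rcode, section counts, size, and whether the reply is an upward referral."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    rcode = flags & 0x000F
    aa = bool(flags & 0x0400)
    # An upward referral is a NOERROR, non-authoritative reply whose authority
    # section carries NS records (the root hints) instead of a REFUSED status.
    upward = rcode == 0 and not aa and ns > 0
    return {"rcode": RCODES.get(rcode, str(rcode)), "aa": aa, "answer": an,
            "authority": ns, "additional": ar, "size": len(msg),
            "upward_referral": upward}

def probe(server, port=53, timeout=3.0):
    """Hypothetical helper: send the query over UDP and classify the reply."""
    query = build_root_ns_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify_response(data)

# Constructed sample replies (not captured from any real server).
# 1) The 28-byte REFUSED reply seen in the dig output above: QR|RD, RCODE=5,
#    question and OPT echoed back, nothing in answer or authority.
REFUSED_REPLY = struct.pack("!6H", 0x6010, 0x8105, 1, 0, 0, 1) + build_root_ns_query()[12:]
# 2) An upward referral: NOERROR, AA clear, one NS record for "." in the authority section.
_ROOT_NS_RR = b"\x00" + struct.pack("!HHIH", 2, 1, 518400, 20) + b"\x01a\x0croot-servers\x03net\x00"
UPWARD_REPLY = (struct.pack("!6H", 0x6010, 0x8100, 1, 0, 1, 0)
                + b"\x00" + struct.pack("!HH", 2, 1) + _ROOT_NS_RR)

if __name__ == "__main__":
    for label, reply in (("refused", REFUSED_REPLY), ("upward", UPWARD_REPLY)):
        print(label, classify_response(reply))
```

Run `probe("your.external.ip")` against a server whose view is meant to refuse; a reply with `upward_referral` True is the behaviour the OARC article warns about.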
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users