You might search the list archives, as I think this came up recently...
But I think the general consensus is that you shouldn't have a server that is 
both authoritative AND that allows recursive queries. (Security reasons)
And if you do allow both, to limit recursive queries to internal 
(semi-trusted/controlled) hosts only.
 
The options you'll be wanting to look at are:
 
allow-query
allow-recursion
allow-query-cache
 
See the docs.
 
Something like:
allow-recursion { local-nets; };
 
Where local-nets are the local subnets you want to allow recursion for - 
meaning you trust those hosts on those subnets more than the open internet.
 
 
  

> Just to be clear, the servers are authoritative


> On Tue, Mar 8, 2022 at 5:27 AM Ritah Mulinde <ryta...@gmail.com> wrote:

>> Thank you Mark

>> I am a bit new to this. How do I fix that??

>> On Tue, Mar 8, 2022 at 5:19 AM Mark Andrews <ma...@isc.org> wrote:

>>> Presumably you are making recursive queries and you are denying them.

>>>> On 8 Mar 2022, at 12:44, Ritah Mulinde <ryta...@gmail.com> wrote:
>>>> 
>>>> Hi Guys
>>>> Just got my primary and secondary name servers running.
>>>> 
>>>> However, when I reload rndc and tail the syslogs all I get is 
>>>> "(xxxx.xx.com): query (cache) 'cccc.xx.com/A/IN' denied"
>>>> 
>>>> Not sure why.
>>>> 
>>>> Kindly asking for some pointers on where to start looking
>>>> 
>>>> 
>>>> Thank you
>>>> -- 
>>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
>>>> from this list
>>>> 
>>>> ISC funds the development of this software with paid support 
>>>> subscriptions. Contact us at https://www.isc.org/contact/ for more 
>>>> information.
>>>> 
>>>> 
>>>> bind-users mailing list
>>>> bind-users@lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
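
To read the denied lines against the advice in this thread, here is an added example (not from the thread or from ISC) that splits `query (cache) ... denied` entries by whether the client sits inside the subnets you intend to allow recursion for. The subnets in `LOCAL_NETS` and the log lines are constructed assumptions; denials from inside those subnets point at an ACL that does not cover them, while denials from outside are the recursion restriction taking effect.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the subnets named in the ACL you pass to allow-recursion.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:1::/48")]

# named's denial message; the "@0x..." token appears only in newer BIND 9 logs.
DENIED = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query \(cache\) '(?P<question>[^']+)' denied"
)

# Constructed syslog lines using documentation addresses and names.
SAMPLE = """\
Mar  8 12:44:01 ns1 named[811]: client @0x7f2a4c0 192.0.2.15#40112 (cccc.example.com): query (cache) 'cccc.example.com/A/IN' denied
Mar  8 12:44:02 ns1 named[811]: client @0x7f2a4c0 192.0.2.15#40113 (cccc.example.com): query (cache) 'cccc.example.com/A/IN' denied
Mar  8 12:44:05 ns1 named[811]: client @0x7f2a5d8 198.51.100.7#53211 (www.example.net): query (cache) 'www.example.net/A/IN' denied
Mar  8 12:44:09 ns1 named[811]: client 203.0.113.9#5353 (example.org): query (cache) 'example.org/ANY/IN' denied
Mar  8 12:44:10 ns1 named[811]: zone example.com/IN: loaded serial 2022030801
"""


def triage(lines, local_nets=LOCAL_NETS):
    """Count denied cache queries per (client, question), split by trust."""
    internal, external = Counter(), Counter()
    for line in lines:
        m = DENIED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # not a parseable address; skip the line
        trusted = any(ip in net for net in local_nets)
        (internal if trusted else external)[(str(ip), m["question"])] += 1
    return internal, external


if __name__ == "__main__":
    internal, external = triage(SAMPLE.splitlines())
    for label, counts in (("inside local nets", internal), ("outside", external)):
        for (ip, question), n in counts.most_common():
            print(f"{label:18} {ip:15} {question:28} {n}")
```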