You were right about the CNAME. I've reproduced this problem with a much simpler CNAME-only example:

For zone dyslexicfish.net, I've added:

    bbc IN CNAME www.bbc.co.uk.

Then, on a third party host, I get this:

| $ dig -4 bbc.dyslexicfish.net. @amnesia.dns.dyslexicfish.net.
|
| ; <<>> DiG 9.18.27 <<>> -4 bbc.dyslexicfish.net. @amnesia.dns.dyslexicfish.net.
| ;; global options: +cmd
| ;; Got answer:
| ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29321
| ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
| ;; WARNING: recursion requested but not available
|
| ;; OPT PSEUDOSECTION:
| ; EDNS: version: 0, flags:; udp: 4096
| ;; QUESTION SECTION:
| ;bbc.dyslexicfish.net. IN A
|
| ;; ANSWER SECTION:
| bbc.dyslexicfish.net. 86400 IN CNAME www.bbc.co.uk.
|
| ;; Query time: 136 msec
| ;; SERVER: 104.238.172.250#53(amnesia.dns.dyslexicfish.net.) (UDP)
| ;; WHEN: Fri Jul 19 21:15:38 UTC 2024
| ;; MSG SIZE rcvd: 76

So, the answer is correct, and works fine, however, on the dns server, this is logged:

    Jul 19 22:15:41 <daemon.info> amnesia nsd[26483]: query bbc.dyslexicfish.net. from 205.166.94.4 refused, no acl matches .

A tcpdump on the server shows no spurious requests from this host, simply:

| % tcpdump -n host 205.166.94.4
| tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
| listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
| 22:15:41.161045 IP 205.166.94.4.52640 > 104.238.172.250.53: 29321+ [1au] A? bbc.dyslexicfish.net. (61)
| 22:15:41.161536 IP 104.238.172.250.53 > 205.166.94.4.52640: 29321*- 1/0/1 CNAME www.bbc.co.uk. (76)
| ^C

Cheers,

Jamie

_______________________________________________
nsd-users mailing list
nsd-users@lists.nlnetlabs.nl
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
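The mismatch Jamie describes (NSD logs "refused, no acl matches" while the wire shows a NOERROR answer carrying the CNAME) is worth checking mechanically when triaging ACL logs, because a genuine refusal and a spurious log entry look identical in the log alone. The script below is an added example, not code from Jamie's post or from the NSD project: it parses NSD refusal lines and `tcpdump -n` DNS lines, matches each logged refusal to the response the server actually sent to that client, and flags entries whose wire rcode is not REFUSED. It assumes tcpdump's usual one-line DNS summary format (an empty rcode name for NOERROR, names such as `Refused` otherwise). The first log/packet pair is taken from the thread; the second client (198.51.100.7, transaction id 4242, name probe.dyslexicfish.net.) is constructed to show what a real refusal looks like for contrast.

```python
import re
from dataclasses import dataclass
from typing import Optional

# NSD log line of the form reported in the thread.
NSD_REFUSED_RE = re.compile(
    r"nsd\[\d+\]: query (?P<qname>\S+) from (?P<src>\S+) refused, no acl matches"
)
# 'tcpdump -n' IPv4 line: '<ts> IP <src>.<sport> > <dst>.<dport>: <txid><rest>'
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.\d+: (?P<txid>\d+)(?P<rest>.*)$"
)
# Response remainder: optional rcode name (tcpdump prints nothing for NOERROR),
# flag characters (* aa, - no ra, | tc, $ ad), then answer/authority/additional counts.
RESPONSE_RE = re.compile(r"^ ?(?P<rcode>[A-Za-z]*)(?P<flags>[*|$-]*) \d+/\d+/\d+")
# Query remainder: flag characters (+ rd, % cd), optional EDNS marker, 'TYPE? name.'
QUERY_RE = re.compile(r"^[+%$]* (?:\[[^\]]+\] )?(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")


@dataclass
class DnsPacket:
    ts: str
    src: str
    dst: str
    txid: int
    qname: Optional[str] = None   # set for queries
    rcode: Optional[str] = None   # set for responses; "NoError" when rcode is 0


def normalize(name: str) -> str:
    """Lower-case and make the name fully qualified so log and capture names compare equal."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_tcpdump(lines):
    packets = []
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if not m:
            continue  # banner, '^C', or non-DNS traffic
        pkt = DnsPacket(m.group("ts"), m.group("src"), m.group("dst"), int(m.group("txid")))
        rest = m.group("rest")
        r = RESPONSE_RE.match(rest)
        if r:
            pkt.rcode = r.group("rcode") or "NoError"
        else:
            q = QUERY_RE.match(rest)
            if not q:
                continue
            pkt.qname = normalize(q.group("qname"))
        packets.append(pkt)
    return packets


def parse_nsd_refusals(lines):
    out = []
    for line in lines:
        m = NSD_REFUSED_RE.search(line)
        if m:
            out.append((normalize(m.group("qname")), m.group("src")))
    return out


def correlate(nsd_lines, tcpdump_lines):
    """For each NSD refusal, report what the server actually sent to that client."""
    packets = parse_tcpdump(tcpdump_lines)
    findings = []
    for qname, src in parse_nsd_refusals(nsd_lines):
        wire_rcode = None
        for q in (p for p in packets if p.qname == qname and p.src == src):
            resp = next((p for p in packets if p.rcode and p.txid == q.txid and p.dst == src), None)
            if resp:
                wire_rcode = resp.rcode
                break
        findings.append({
            "qname": qname,
            "src": src,
            "wire_rcode": wire_rcode,   # None if no matching response was captured
            "spurious": wire_rcode is not None and wire_rcode != "Refused",
        })
    return findings


# Constructed sample input: the first pair is from the thread, the second is made up.
SAMPLE_NSD_LOG = [
    "Jul 19 22:15:41 <daemon.info> amnesia nsd[26483]: query bbc.dyslexicfish.net. "
    "from 205.166.94.4 refused, no acl matches .",
    "Jul 19 22:16:02 <daemon.info> amnesia nsd[26483]: query probe.dyslexicfish.net. "
    "from 198.51.100.7 refused, no acl matches .",
]
SAMPLE_TCPDUMP = [
    "listening on vtnet0, link-type EN10MB (Ethernet), capture size 262144 bytes",
    "22:15:41.161045 IP 205.166.94.4.52640 > 104.238.172.250.53: 29321+ [1au] A? bbc.dyslexicfish.net. (61)",
    "22:15:41.161536 IP 104.238.172.250.53 > 205.166.94.4.52640: 29321*- 1/0/1 CNAME www.bbc.co.uk. (76)",
    "22:16:02.004311 IP 198.51.100.7.41000 > 104.238.172.250.53: 4242+ A? probe.dyslexicfish.net. (44)",
    "22:16:02.004702 IP 104.238.172.250.53 > 198.51.100.7.41000: 4242 Refused- 0/0/1 (44)",
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_NSD_LOG, SAMPLE_TCPDUMP):
        verdict = "spurious log entry" if f["spurious"] else "genuine refusal"
        print(f"{f['qname']} from {f['src']}: wire rcode {f['wire_rcode']} -> {verdict}")
```

Run against a real capture by replacing the two sample lists with the contents of the NSD log and a `tcpdump -n port 53` capture taken over the same window; any entry reported as spurious is a log message without a corresponding REFUSED packet, which is exactly the symptom in this thread, whereas a genuine ACL hit shows `Refused` on the wire.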