Re: Access denied Bind9

2022-03-07 Thread Matus UHLAR - fantomas

On 08.03.22 04:44, Ritah Mulinde wrote:

> Just got my primary and secondary name servers running.

primary and secondary for your domains, or primary and secondary to provide 
DNS service for your clients?

if the latter, you must allow recursion for your IP ranges (and ONLY for 
your IP ranges)

> However, when I reload rndc and tail the syslogs all I get is "(.xx.com):
> query (cache) '.xx.com/A/IN' denied"

does your server provide domain xx.com?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
A day without sunshine is like, night.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Access denied Bind9

2022-03-07 Thread Greg Choules via bind-users
Hi Ritah.

I think rndc is a red herring. Whether you can control your server using
rndc or not is a different topic to "why am I seeing 'denied'" in the
logs.

I think a couple of questions you need to ask yourself are:

   Should these servers be receiving recursive queries from anywhere?
      If no, then named.conf should contain "recursion no;" and settings
      such as "allow-query-cache" should be set to "none;".
      If yes, then define the set of clients you expect them to receive
      queries from, create some ACLs, set "recursion yes;" and
      "allow-query-cache" (at a minimum) to use the ACLs.

   What zones are these servers authoritative for?
      If the servers are not supposed to be receiving recursive queries and
      the queries you see in your log are not ones for which you are
      authoritative then take notes about which clients are sending these
      queries and go on a hunt. Perhaps the clients are misconfigured, or
      just being 'playful'!

Some useful reading might be these articles and others in the KB.
https://kb.isc.org/docs/bind-best-practices-authoritative
https://kb.isc.org/docs/bind-best-practices-recursive

and of course the ARM.
I hope that helps.

Cheers, Greg

On Tue, 8 Mar 2022 at 01:45, Ritah Mulinde  wrote:

> Hi Guys
> Just got my primary and secondary name servers running.
>
> However, when I reload rndc and tail the syslogs all I get is
> "(.xx.com): query (cache) '.xx.com/A/IN' denied"
>
> Not sure why.
>
> kindly asking for some pointers on where to start looking
>
>
> Thank you


Re: Access denied Bind9

2022-03-07 Thread Reindl Harald



On 08.03.22 at 02:44, Ritah Mulinde wrote:

> Hi Guys
> Just got my primary and secondary name servers running.
>
> However, when I reload rndc and tail the syslogs all I get is
> "(.xx.com): query (cache) '.xx.com/A/IN' denied"

because on an authoritative server it's the right thing to do to deny any 
queries for zones you are not responsible for

but that has *nothing to do* with "when I reload rndc and tail the syslog"


Re: Access denied Bind9

2022-03-07 Thread Gregory Sloop
You might search the list archives, as I think this came up recently...
But I think the general consensus is that you shouldn't have a server that is 
both authoritative AND that allows recursive queries. (Security reasons)
And if you do allow both, to limit recursive queries to internal 
(semi-trusted/controlled) hosts only.
 
The options you'll be wanting to look at are:
 
allow-query
allow-recursion
allow-query-cache
 
See the docs.
 
something like;
allow-recursion { local-nets; }; 
 
Where local-nets are the local subnets you want to allow recursion for - 
meaning you trust those hosts on those subnets more than the open internet.
 
 
  

> Just to be clear, the servers are authoritative

> On Tue, Mar 8, 2022 at 5:27 AM Ritah Mulinde wrote:

>> Thank you Mark

>> I am a bit new to this. How do I fix that??

>> On Tue, Mar 8, 2022 at 5:19 AM Mark Andrews wrote:

>>> Presumably you are making recursive queries and you are denying them.

>>>> On 8 Mar 2022, at 12:44, Ritah Mulinde wrote:
>>>>
>>>> Hi Guys
>>>> Just got my primary and secondary name servers running.
>>>>
>>>> However, when I reload rndc and tail the syslogs all I get is
>>>> "(.xx.com): query (cache) '.xx.com/A/IN' denied"
>>>>
>>>> Not sure why.
>>>>
>>>> kindly asking for some pointers on where to start looking
>>>>
>>>> Thank you
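An added example, not part of the original posts and not ISC code: a Python triage of the `query (cache) ... denied` lines discussed in this thread, following Greg Choules' suggestion to note which clients send these queries and Gregory Sloop's `local-nets` distinction. The log lines are constructed, and `LOCAL_NETS` and `AUTH_ZONES` are assumed placeholder values.

```python
import ipaddress
import re
from collections import Counter

# Assumed placeholders: the "local-nets" ACL and the zones this server serves.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
AUTH_ZONES = ("xx.example",)

# Constructed sample lines shaped like named's "query (cache) ... denied" message.
SAMPLE_LOG = """\
08-Mar-2022 04:44:01.101 client @0x7f1 198.51.100.7#40112 (www.example.org): query (cache) 'www.example.org/A/IN' denied
08-Mar-2022 04:44:02.220 client @0x7f2 192.0.2.25#51233 (mail.example.net): query (cache) 'mail.example.net/MX/IN' denied
08-Mar-2022 04:44:03.005 client 198.51.100.7#40113 (example.org): query (cache) 'example.org/ANY/IN' denied
08-Mar-2022 04:44:04.900 client @0x7f3 203.0.113.9#5353 (ns1.xx.example): query (cache) 'ns1.xx.example/A/IN' denied
08-Mar-2022 04:44:05.000 zone xx.example/IN: loaded serial 2022030801
"""

DENIED = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"query \(cache\) '(?P<name>[^'/]*)/(?P<qtype>[^'/]+)/(?P<qclass>[^'/]+)' denied"
)

def in_zone(name, zones=AUTH_ZONES):
    """True if name equals, or is a subdomain of, one of the listed zones."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)

def triage(log_text):
    """Count denied cache queries per (client address, category)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # not a parseable address; skip the line
        if in_zone(m["name"]):
            cat = "own-zone"      # a zone we expect to serve: check it is loaded
        elif any(ip in net for net in LOCAL_NETS):
            cat = "local-client"  # internal host using this server as a resolver
        else:
            cat = "external"      # outside host asking for names we do not serve
        counts[(str(ip), cat)] += 1
    return counts

if __name__ == "__main__":
    for (client, category), n in triage(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {client:<15}  {category}")
```
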


Re: Access denied Bind9

2022-03-07 Thread Ritah Mulinde
Just to be clear, the servers are authoritative

On Tue, Mar 8, 2022 at 5:27 AM Ritah Mulinde  wrote:

> Thank you Mark
>
> I am a bit new to this. How do I fix that??
>
> On Tue, Mar 8, 2022 at 5:19 AM Mark Andrews  wrote:
>
>> Presumably you are making recursive queries and you are denying them.
>>
>> > On 8 Mar 2022, at 12:44, Ritah Mulinde  wrote:
>> >
>> > Hi Guys
>> > Just got my primary and secondary name servers running.
>> >
>> > However, when I reload rndc and tail the syslogs all I get is
>> > "(.xx.com): query (cache) '.xx.com/A/IN' denied"
>> >
>> > Not sure why.
>> >
>> > kindly asking for some pointers on where to start looking
>> >
>> >
>> > Thank you
>>
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
>>
>>


Re: Access denied Bind9

2022-03-07 Thread Ritah Mulinde
Thank you Mark

I am a bit new to this. How do I fix that??

On Tue, Mar 8, 2022 at 5:19 AM Mark Andrews  wrote:

> Presumably you are making recursive queries and you are denying them.
>
> > On 8 Mar 2022, at 12:44, Ritah Mulinde  wrote:
> >
> > Hi Guys
> > Just got my primary and secondary name servers running.
> >
> > However, when I reload rndc and tail the syslogs all I get is
> > "(.xx.com): query (cache) '.xx.com/A/IN' denied"
> >
> > Not sure why.
> >
> > kindly asking for some pointers on where to start looking
> >
> >
> > Thank you
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
>
>


Re: Access denied Bind9

2022-03-07 Thread Mark Andrews
Presumably you are making recursive queries and you are denying them.

> On 8 Mar 2022, at 12:44, Ritah Mulinde  wrote:
> 
> Hi Guys
> Just got my primary and secondary name servers running.
> 
> However, when I reload rndc and tail the syslogs all I get is "(.xx.com): 
> query (cache) '.xx.com/A/IN' denied"
> 
> Not sure why.
> 
> kindly asking for some pointers on where to start looking
> 
> 
> Thank you

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Access denied Bind9

2022-03-07 Thread Ritah Mulinde
Hi Guys
Just got my primary and secondary name servers running.

However, when I reload rndc and tail the syslogs all I get is "(.xx.com):
query (cache) '.xx.com/A/IN' denied"

Not sure why.

kindly asking for some pointers on where to start looking


Thank you