Re: query cache denied in view statement

2010-09-27 Thread Phil Mayers

On 09/26/2010 10:57 PM, David S. wrote:

I've removed additional-from-cache and restarted bind; below is part of
named.conf


Ok, bad guess on my part :o(

Not sure I'm afraid. I don't really understand your config; do you mean 
to have recursion off in both views?


What is sending the queries? They're coming from 127.0.0.1 (localhost) 
so something on the system is trying to use bind as a (recursive) 
nameserver.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: query cache denied in view statement

2010-09-27 Thread Phil Mayers

On 27/09/10 09:45, David S. wrote:

Hi Phil,

In that case, don't you want recursion on in view mynetwork?
I don't want recursion in my network, so recursion is set to no.


Sorry, I don't understand. Perhaps someone else can help you.


Re: query cache denied in view statement

2010-09-27 Thread Kevin Darcy
Hopefully you understand that when you turn recursion off, that means 
you can only answer from zones that you actually *host* (i.e. for which 
you are master or slave).


But you have no master or slave zones defined in the mynetwork view.

Therefore it is not possible for that view to do anything useful, the 
way that it is currently configured.



- Kevin


On 9/27/2010 4:45 AM, David S. wrote:

Hi Phil,

In that case, don't you want recursion on in view mynetwork?
I don't want recursion in my network, so recursion is set to no.

--
Best regards,
David
http://blog.pnyet.web.id


On 09/27/2010 03:32 PM, Phil Mayers wrote:

In that case, don't you want recursion on in view mynetwork?


query cache denied in view statement

2010-09-26 Thread David S.
Dear All,

I had a problem when trying to use the view class in my named.conf; please
see the attached file and my query log below:



# tail -f /var/log/named/query.log

27-Sep-2010 02:54:49.738 security: info: client 127.0.0.1#48295: view
mynetwork: query (cache) 'yahoo.com/A/IN' denied
27-Sep-2010 02:59:58.323 security: info: client 127.0.0.1#58482: view
mynetwork: query (cache) 'yahoo.com/A/IN' denied
27-Sep-2010 03:00:02.233 security: info: client 127.0.0.1#37472: view
mynetwork: query (cache) 'yahoo.co.uk/A/IN' denied
27-Sep-2010 03:03:14.227 security: info: client 127.0.0.1#42151: view
mynetwork: query (cache) 'yahoo.com/A/IN' denied
27-Sep-2010 03:03:44.490 security: info: client 127.0.0.1#40996: view
mynetwork: query (cache) 'telkom.net/A/IN' denied

I've been searching but I can't solve this problem. I'm using BIND 9.7.1-P2
on CentOS 5.5 64-bit.

Thank You

-- 
Best regards,
David
http://blog.pnyet.web.id

acl trusted {
    10.100.112.0/24;
    10.100.113.0/24;
    10.100.114.0/24;
    10.100.115.0/24;
    10.100.116.0/24;
    10.100.117.0/24;
    10.100.118.0/24;
    10.100.119.0/24;
    10.100.120.0/24;
    10.100.121.0/24;
    10.100.122.0/24;
    10.100.123.0/24;
    10.100.124.0/24;
    10.100.125.0/24;
    10.100.126.0/24;
    10.100.127.0/24;
    202.91.10.0/24;
    203.92.13.0/24;
    localhost;
};

acl bogon {
    0.0.0.0/8;
    1.0.0.0/8;
    2.0.0.0/8;
    5.0.0.0/8;
    7.0.0.0/8;
    23.0.0.0/8;
    27.0.0.0/8;
    31.0.0.0/8;
    36.0.0.0/8;
    37.0.0.0/8;
    39.0.0.0/8;
    42.0.0.0/8;
    49.0.0.0/8;
    50.0.0.0/8;
    77.0.0.0/8;
    79.0.0.0/8;
    92.0.0.0/8;
    94.0.0.0/8;
    95.0.0.0/8;
    96.0.0.0/8;
    99.0.0.0/8;
    100.0.0.0/8;
    101.0.0.0/8;
    102.0.0.0/8;
    103.0.0.0/8;
    104.0.0.0/8;
    105.0.0.0/8;
    106.0.0.0/8;
    107.0.0.0/8;
    108.0.0.0/8;
    113.0.0.0/8;
    128.138.129.98/32;
    169.254.0.0/16;
    172.16.0.0/12;
    173.0.0.0/8;
    175.0.0.0/8;
    176.0.0.0/8;
    177.0.0.0/8;
    178.0.0.0/8;
    179.0.0.0/8;
    183.0.0.0/8;
    184.0.0.0/8;
    185.0.0.0/8;
    186.0.0.0/8;
    187.0.0.0/8;
    192.0.2.0/24;
    197.0.0.0/8;
    224.0.0.0/3;
};

logging {
    category lame-servers { null; };
    category edns-disabled { null; };
    channel named_log {
        syslog local2;
        severity debug;
    };

    channel named_log {
        file "logs/named.log" versions 3 size 50m;
        severity debug;
        print-severity yes;
        print-time yes;
        print-category yes;
    };

    channel audit_log {
        file "logs/audit.log" versions 3 size 50m;
        severity debug;
        print-severity yes;
        print-time yes;
        print-category yes;
    };
    channel xfer_log {
        file "logs/xfer.log" versions 3 size 50m;
        severity debug;
        print-severity yes;
        print-time yes;
        print-category yes;
    };
    channel queries_log {
        file "logs/query.log" versions 3 size 50m;
        severity debug;
        print-severity yes;
        print-time yes;
        print-category yes;
    };
    category default { named_log; };
    category general { named_log; };
    category security { audit_log; };
    category config { named_log; };
    category resolver { audit_log; };
    category xfer-in { xfer_log; };
    category xfer-out { xfer_log; };
    category notify { audit_log; };
    category client { audit_log; };
    category network { audit_log; };
    category update { audit_log; };
    category queries { queries_log; };
    category lame-servers { audit_log; };
};

options {
    directory "/var/named";
    allow-transfer { xfer; };
    pid-file "named.pid";
    listen-on port 53 { any; };
    statistics-file "named.stats";
    memstatistics-file "named.memstats";
    dump-file "named.dump";
    zone-statistics yes;
    notify no;
    transfer-format many-answers;
    max-transfer-time-in 100;
    interface-interval 0;
    allow-query { trusted; };
    blackhole { bogon; };
};

view mynetwork in {
    match-clients { trusted; };
    recursion no;
    allow-transfer { xfer; };
    additional-from-auth yes;
    additional-from-cache yes;
};

view internet in {
    match-clients { any; };
    recursion no;
    allow-transfer { xfer; };
    additional-from-auth no;
    additional-from-cache no;

    zone "indigo.com" {
        type master;
        file "master/db.ind";
    };

    zone "kpt.com" {
        type master;
        file "master/db.kpt";
    };

    zone "116.10.100.in-addr.arpa" {
        type master;
        file "master/db.116";
    };

    zone "3.2.1.in-addr.arpa" {
        type master;
        file "master/db.1.2.3";
    };

    # Loopback address
    zone "localhost" {
        type master;
        file "master/db.localhost";
    };

    zone "0.0.127.in-addr.arpa" {
        type master;
        file "master/db.127.0.0";
    };

    # Special zones
    zone "255.in-addr.arpa" {
        type master;
        file 

Re: query cache denied in view statement

2010-09-26 Thread Phil Mayers

On 09/26/2010 09:25 PM, David S. wrote:

Dear All,

I had a problem when trying to use the view class in my named.conf; please
see the attached file and my query log below:


You've set additional-from-cache but not an allow-query-cache ACL. The 
default has everyone denied.


Do you need to set additional-from-cache?


Re: query cache denied in view statement

2010-09-26 Thread David S.
I've removed additional-from-cache and restarted bind; below is part of
named.conf

options {
    directory "/var/named";
    allow-transfer { xfer; };
    pid-file "named.pid";
    listen-on port 53 { any; };
    statistics-file "named.stats";
    memstatistics-file "named.memstats";
    dump-file "named.dump";
    zone-statistics yes;
    notify no;
    transfer-format many-answers;
    max-transfer-time-in 100;
    interface-interval 0;
    allow-query { trusted; };
    blackhole { bogon; };
};

view mynetwork in {
    match-clients { trusted; };
    recursion no;
    allow-transfer { xfer; };
};

view internet in {
    match-clients { any; };
    recursion no;
    allow-transfer { xfer; };


# tail -f /var/log/named/audit.log

28-Sep-2010 04:50:05.012 security: info: client 127.0.0.1#53517: view
mynetwork: query (cache) 'yahoo.com/A/IN' denied
28-Sep-2010 04:56:22.653 security: info: client 127.0.0.1#34194: view
mynetwork: query (cache) 'kiputih.com/A/IN' denied


--
Best regards,
David
http://blog.pnyet.web.id


On 09/27/2010 04:36 AM, Phil Mayers wrote:
 On 09/26/2010 09:25 PM, David S. wrote:
 Dear All,

 I had a problem when trying to use the view class in my named.conf; please
 see the attached file and my query log below:

 You've set additional-from-cache but not an allow-query-cache ACL.
 The default has everyone denied.

 Do you need to set additional-from-cache?



Re: query cache denied in view statement

2010-09-26 Thread Barry Margolin
In article mailman.146.1285538312.555.bind-us...@lists.isc.org,
 David S. da...@pnyet.web.id wrote:

 I've removed additional-from-cache and restarted bind; below is part of
 named.conf

You still haven't added 'allow-query-cache { trusted; };'.

 
 options {
 directory /var/named;
 allow-transfer { xfer; };
 pid-file named.pid;
 listen-on port 53 { any; };
 statistics-file named.stats;
 memstatistics-file named.memstats;
 dump-file named.dump;
 zone-statistics yes;
 notify no;
 transfer-format many-answers;
 max-transfer-time-in 100;
 interface-interval 0;
 allow-query { trusted; };
 blackhole { bogon; };
 };
 
 view mynetwork in {
 match-clients {trusted; };
 recursion no;
 allow-transfer { xfer; };
 };
 
 view internet in {
 match-clients { any; };
 recursion no;
 allow-transfer  { xfer; };
 
 
 # tail -f /var/log/named/audit.log
 
 28-Sep-2010 04:50:05.012 security: info: client 127.0.0.1#53517: view
 mynetwork: query (cache) 'yahoo.com/A/IN' denied
 28-Sep-2010 04:56:22.653 security: info: client 127.0.0.1#34194: view
 mynetwork: query (cache) 'kiputih.com/A/IN' denied
 
 
 --
 Best regards,
 David
 http://blog.pnyet.web.id
 
 
 On 09/27/2010 04:36 AM, Phil Mayers wrote:
  On 09/26/2010 09:25 PM, David S. wrote:
  Dear All,
 
  I had a problem when trying to use the view class in my named.conf; please
  see the attached file and my query log below:
 
  You've set additional-from-cache but not an allow-query-cache ACL.
  The default has everyone denied.
 
  Do you need to set additional-from-cache?
 

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
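The two points made in this thread, Phil's and Barry's that the cache ACL has to be stated (with recursion off, BIND's default for allow-query-cache is none, which is exactly what the "query (cache) ... denied" lines record) and Kevin's that a view with recursion off and no zones has nothing it can answer, come together in the named.conf fragment below. It is an added example, not the poster's configuration and not anything from the ISC project: it reuses the thread's acl name trusted, the view names and one of the hosted zones, assumes an acl named xfer is defined elsewhere (the posted file references it but never shows it), and writes every cache and recursion ACL out explicitly so that no default decides who may read the cache.

```conf
// Added example, not the configuration posted in the thread.
// Assumptions: acl "trusted" as in the thread (it includes localhost,
// which is why the 127.0.0.1 queries in the log land in "mynetwork"),
// acl "xfer" defined elsewhere, zone files named as in the posted file.

options {
    directory "/var/named";
    allow-query { trusted; };
    blackhole { bogon; };
};

// Inside clients. This view hosts no zones, so every query it receives
// is a cache query. With "recursion no" and no allow-query-cache, BIND
// defaults the cache ACL to "none" and logs each query as
// "query (cache) '<name>' denied". Either let the view recurse for
// trusted clients (shown here) or declare in it the zones it must serve.
view "mynetwork" IN {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };   // stated explicitly; no default applies
    allow-transfer { xfer; };
};

// Everyone else: authoritative answers only. Writing the cache ACL as
// "none" makes the authoritative-only intent visible instead of relying
// on what allow-query and "recursion no" default it to.
view "internet" IN {
    match-clients { any; };
    recursion no;
    allow-query-cache { none; };
    allow-transfer { xfer; };

    zone "indigo.com" {
        type master;
        file "master/db.ind";
    };
    // ... the remaining authoritative zones from the posted file
};
```

If the trusted clients must get authoritative (rather than recursively resolved) answers for indigo.com and the other hosted zones, the same zone statements have to be declared inside "mynetwork" as well; in BIND 9.7 a zone is only served by the views that declare it. Run named-checkconf on the edited file before reloading, and expect the "query (cache) ... denied" lines in audit.log to stop for trusted clients once the ACL is in place, while they are still the correct result for any outside client that tries to use the server as a resolver.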