
Re: named on lenny



Leonardo Boselli wrote:
> After update to lenny two DNS stopped working, better, they began to have a
> behaviour "a la SMTP".
> Hosts are in a.b.c.0/24.
> If a query arrives from a host in their localnet all is ok, otherwise if the
> querying machine is outside their localnet[s] then they supply the address
> only if the supplied address is in a zone for which they are
> official primary or secondary DNS.
> Otherwise no luck, and in the log I find:
> 
> Mar  7 23:37:25 mydnsserver named[2248]: client 
>      151.16.***.***#34363: query
>      (cache) 'www.google.it/A/IN' denied
> 
> I copied the etch configuration files ... did I make some error?
> 
> They have to supply DNS service to everyone.

Have a look into your named.conf.options. You might have some ACL that
are set to allow recursion ONLY for authoritative zones (which is a good
thing by the way). Here is mine:

auth-nxdomain no;    # conform to RFC1035
allow-transfer  { "gplhostnetwork";};
allow-recursion { localhost; "gplhostnetwork"; };


Then on top, I have something like this:

acl "gplhostnetwork" {
        x.y.z.0/21;
        127.0.0.1;      // myself, just to be sure
        192.134.4.0/24; // nic.fr, for ZoneCheck
        193.0.0.63;     // ripe
};

Do something similar and you will be good... (of course, don't write
x.y.z, replace it by your network...)

Thomas
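To see why the client in the quoted log gets "query (cache) ... denied" under an ACL like the one above, here is a small Python model of BIND's address-match-list evaluation (first matching element decides, `!` negates, no match means deny). This is added illustration code, not BIND's own implementation or anything from the thread; it simplifies the built-in `localhost` ACL to the loopback address and uses the constructed prefix 10.20.0.0/21 in place of the x.y.z.0/21 placeholder.

```python
import ipaddress

# Simplified model of a BIND address_match_list as used by allow-recursion
# and allow-transfer. Elements are tried in order; the first that matches
# decides. A plain element grants access, a "!"-prefixed element denies it,
# a nested list or named ACL contributes its own verdict, and no match at
# all means the request is denied. Illustration only, not BIND's code.

def evaluate(match_list, addr, acls):
    """Return True (allow), False (deny) or None (no element matched)."""
    for element in match_list:
        negate = False
        if isinstance(element, str) and element.startswith("!"):
            negate, element = True, element[1:]
        if isinstance(element, list):                  # nested { ... };
            verdict = evaluate(element, addr, acls)
        elif element in acls:                          # reference to a named acl
            verdict = evaluate(acls[element], addr, acls)
        elif element == "localhost":                   # built-in acl, simplified
            verdict = True if addr.is_loopback else None
        elif element == "any":
            verdict = True
        elif element == "none":
            verdict = None
        else:                                          # IP address or prefix
            verdict = True if addr in ipaddress.ip_network(element) else None
        if verdict is not None:
            return (not verdict) if negate else verdict
    return None

def decide(client_ip, match_list, acls):
    """Evaluate a match list for a client given as a string."""
    return evaluate(match_list, ipaddress.ip_address(client_ip), acls)

def recursion_allowed(client_ip, allow_recursion, acls):
    """Mirror of the allow-recursion check: only a positive match allows."""
    return decide(client_ip, allow_recursion, acls) is True

# The ACL from the post; 10.20.0.0/21 is a constructed stand-in for x.y.z.0/21.
ACLS = {
    "gplhostnetwork": [["10.20.0.0/21", "127.0.0.1",
                        "192.134.4.0/24", "193.0.0.63"]],
}
ALLOW_RECURSION = ["localhost", "gplhostnetwork"]

if __name__ == "__main__":
    # A client like the 151.16.x.x one in the log falls through every element.
    for ip in ("127.0.0.1", "10.20.3.7", "151.16.1.1"):
        print(ip, "recursion allowed" if recursion_allowed(ip, ALLOW_RECURSION, ACLS) else "denied")
```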
