
Re: unapproved query <-- dns/named8 after power-failure



On Wed, Aug 23, 2000 at 11:31:10AM -0700, Nate Amsden wrote:
> Will Trillich wrote:
> > [i've got debian 2.2/potato running as a router/ipmasq/firewall
> > box for my home intranet, with named 8.2.2-P5-NOESW]
> > 
> >         unapproved query from [207.63.39.40].1671 for "serensoft.com"
> >         unapproved query from [198.69.131.5].1648 for "serensoft.com"
> >         unapproved query from [205.177.10.10].1744 for "serensoft.com"
> 
> looks like you are restricting query access to your nameserver via
> access control lists (defined in named.conf). those entries look to me
> like those ip addresses are trying to get the IPs for serensoft.com,
> mail.serensoft.com, www.serensoft.com but your nameserver is rejecting
> them because they are not in the access control lists.
> 
> it does mean you are not answering DNS queries, at least queries from
> those IPs. it is a security feature, and must've gotten turned on, but
> named wasn't restarted until your system came online after the outage.
> look in named.conf for something along the lines of 'allow-query', or
> post your named.conf. i restrict zone transfers on my DNS(s) but i don't
> restrict queries. BTW - i just tried to send this mail to your email
> addy, and my mail server told me it cannot get a MX record for your
> domain (same problem you're having) so i'll just send to the list. hope u
> get it soon to fix :)

<blush>hi there. it's me again, señor moron, here.</blush>

restricting queries is kinda goofy for an internet nameserver, huh?

thanks for your response. good thing my isp is acting as secondary
nameserver... your stuff is getting through, and visitors are finding
my websites...

lookie what i found in my named.conf, which i'd pasted from some
manpage/faq/howto i ran across eons ago, and i managed to
uncomment the 'allow' part... but hadn't ever 'ndc restart'ed...

    // splitting name servers for security:
    //
    // for the one dealing with internet requests,
    // forbid recursion so we won't cache bogus
    // data from a malicious type:
    //
    // recursion no;
    //
    // for the other, to deal with internal resolvers,
    // limit where the requests can come from:
    //
    allow-query { 192.168/16; 127.0.0.1; 208.33.90.85; };

i'm feeling much better, now.

    // allow-query { 192.168/16; 127.0.0.1; 208.33.90.85; };

heh... (boy, those log files got HUGE! and so did my
logcheck email box...)

> > i've also seen named report these, which still baffle me:
> > 
> >         named[338]: bad referral (com !< extreme-dm.com)
> >         named[338]: bad referral (net !< above.NET)
> >         named[364]: bad referral (AOL.com !< mx.aol.com)
> 
> i haven't seen that before, not sure what it is..

i'd still like to know, if anyone has an idea.

and re: the 172.*.*.* denials--

> you have all ICMP blocked? chances are the nameservers couldn't get a
> response from your nameserver so tried to ping you to see if you're
> alive (wild guess). since it's only icmp there's not much to be worried
> about (if it is only icmp ...? that's all i saw from your posted log)

i've had the 172.* denials ever since getting my dns registered
with internic, long before the 'allow-query' snag.

so i should allow icmp? i think i'm using most of the defaults
from the ipmasq.deb package...

--

thanks, nate, for helping me see the moron in the mirror!
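As an added example (not part of this thread or of Debian's named package): a small parser for the `unapproved query` and `bad referral` lines that named 8 writes, summarizing refused sources the way a logcheck-style filter might. The log lines below are constructed in the shape shown above, not real log data; many distinct outside sources being refused for your own zone is the sign of an `allow-query` ACL that is too tight on a public authoritative server.

```python
import re
from collections import Counter

# Constructed sample lines in the shape named 8 logs them (not real log data).
SAMPLE_LOG = """\
Aug 23 11:02:17 gw named[338]: unapproved query from [207.63.39.40].1671 for "serensoft.com"
Aug 23 11:02:19 gw named[338]: unapproved query from [198.69.131.5].1648 for "serensoft.com"
Aug 23 11:02:20 gw named[338]: unapproved query from [207.63.39.40].1702 for "mail.serensoft.com"
Aug 23 11:03:01 gw named[338]: bad referral (com !< extreme-dm.com)
Aug 23 11:03:40 gw named[364]: bad referral (AOL.com !< mx.aol.com)
"""

UNAPPROVED = re.compile(r'named\[\d+\]: unapproved query from \[([\d.]+)\]\.(\d+) for "([^"]+)"')
BAD_REFERRAL = re.compile(r'named\[\d+\]: bad referral \((\S+) !< (\S+)\)')


def parse_named_log(text):
    """Return (unapproved, referrals): (ip, port, name) and (parent, child) tuples."""
    unapproved, referrals = [], []
    for line in text.splitlines():
        m = UNAPPROVED.search(line)
        if m:
            unapproved.append((m.group(1), int(m.group(2)), m.group(3)))
            continue
        m = BAD_REFERRAL.search(line)
        if m:
            referrals.append((m.group(1), m.group(2)))
    return unapproved, referrals


def summarize(text):
    """Count refused queries by source IP and by queried name, plus bad referrals."""
    unapproved, referrals = parse_named_log(text)
    by_source = Counter(ip for ip, _, _ in unapproved)
    by_name = Counter(name for _, _, name in unapproved)
    return {
        "refused_total": len(unapproved),
        "refused_by_source": dict(by_source),
        "refused_by_name": dict(by_name),
        "distinct_sources": len(by_source),
        "bad_referrals": len(referrals),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```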


