
Re: unapproved query <-- dns/named8 after power-failure



Will Trillich wrote:

> restricting queries is kinda goofy for an internet nameserver, huh?

yes it can be :)

> thanks for your response. good thing my isp is acting as secondary
> nameserver... your stuff is getting through, and visitors are finding
> my websites...

my stuff wouldn't have gotten through until you fixed it..seems the
secondary NS wouldn't give out the MX record either, not sure why. I
looked into it and it seems that your secondary NS,
OVCWEB1.SPEEDEX.NET, is not giving authoritative responses for your
domain.  That could be why it didn't work when your NS was (effectively)
down. Sounds like a configuration issue on your isp's end. Now I'm not a
DNS expert, I can only compare responses between your servers and mine:
both my primary and secondary NS give authoritative responses for
domains hosted by me (but non-authoritative responses for domains not
hosted by me) whereas your primary NS gives authoritative for your
domain (serensoft.com) but the secondary does not. I checked this using
'nslookup'.

> lookie what i found in my named.conf, which i'd pasted from some
> manpage/faq/howto i ran across eons ago, and i managed to
> uncomment the 'allow' part... but hadn't ever 'ndc restart'ed...

>     allow-query { 192.168/16; 127.0.0.1; 208.33.90.85; };
> 
> i'm feeling much better, now.

Funny how rebooting/shutting down a unix box can cause problems like
this, isn't it :)) I find it quite..ironic that such problems can arise.
a few weeks ago i upgraded one of my servers to 2.2.16 (actually probably
more like a month or 2 ago), it was running fine for..25 days ..? then a
hdd overheated and the system crashed. the system would _NOT_ come back
up. a bug in 2.2.16 with raid caused the system to crash every time it
tried to come up.  And if that wasn't enough, the place where it is
co-located at was closed! it took 3 days to get to the #$(# box! and
another hour to track down the problem and downgrade the kernel. All
because of a reboot ....


> > >         named[338]: bad referral (com !< extreme-dm.com)
> > >         named[338]: bad referral (net !< above.NET)
> > >         named[364]: bad referral (AOL.com !< mx.aol.com)
> >
> > i haven't seen that before, not sure what it is..
> http://www.acmebw.com/askmrdns/bind-messages.htm
> i'd still like to know, if anyone has an idea.

I looked it up ..
http://www.acmebw.com/askmrdns/bind-messages.htm
bad referral (state.il.us !<  SOS.STATE.IL.US) 
CATEGORY: response-checks 
SEVERITY: info 
PAGE: 
FURTHER INFO: 

Indicates that while querying the SOS.STATE.IL.US name servers, your
name server was referred to the state.il.us name servers. Since a
referral should always point to name servers authoritative for
descendant zones, this is an error. The name server that sent the
referral is probably misconfigured, and not authoritative for the zone
delegated to it. 

So this could be tied to your ISP not giving authoritative responses for
your domain, and passing the request on to you (yes i am talking out of my
ass but it makes sense to me! :) )

> i've had the 172.* denials ever since getting my dns registered
> with internic, long before the 'allow-query' snag.

ask your ISP to fix your secondary NS. and see if the ping messages go
away..

> 
> so i should allow icmp? i think i'm using most of the defaults
> from the impasq.deb package...

in most cases yes you probably should, it doesn't matter though, usually
i don't log icmp stuff, the logs can get big (and aren't very useful
IMO).


> thanks, nate, for helping me see the moron in the mirror!

lol! sure

nate

-- 
:::
ICQ: 75132336
http://www.aphroland.org/
http://www.linuxpowered.net/
aphro@aphroland.org
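
Added example, not part of the original message: the authoritative versus non-authoritative comparison made with 'nslookup' in the message above comes down to the AA bit in the DNS response header (RFC 1035). This Python code decodes that header and flags a listed name server that answers without AA; the sample headers are constructed and the server labels and function names are hypothetical.

```python
import struct

QR_BIT = 0x8000  # set on responses
AA_BIT = 0x0400  # Authoritative Answer flag (RFC 1035, section 4.1.1)
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header of a response."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, an, ns, _ar = struct.unpack("!6H", packet[:12])
    if not flags & QR_BIT:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    return {"aa": bool(flags & AA_BIT), "answers": an, "authority": ns,
            "rcode": RCODES.get(rcode, str(rcode))}


def classify(packet: bytes) -> str:
    """Judge a reply from a server that the zone's NS records list."""
    h = parse_header(packet)
    if h["rcode"] != "NOERROR":
        return h["rcode"].lower()   # e.g. "refused": server declines this client
    if h["aa"]:
        return "authoritative"
    if h["answers"] == 0 and h["authority"] > 0:
        return "lame-referral"      # points elsewhere instead of answering
    return "non-authoritative"      # answered from cache or recursion


def make_header(flags: int, an: int = 0, ns: int = 0) -> bytes:
    """Build a constructed header (query id and counts are invented)."""
    return struct.pack("!6H", 0x1234, flags, 1, an, ns, 0)


# Constructed samples; labels are hypothetical, not captures from the thread.
SAMPLES = {
    "primary": make_header(0x8400, an=1),    # QR+AA, one answer
    "secondary": make_header(0x8180, an=1),  # QR+RD+RA, answer without AA
    "referrer": make_header(0x8000, ns=2),   # no answer, authority records only
    "blocked": make_header(0x8005),          # RCODE 5 (REFUSED)
}


def audit(samples: dict) -> dict:
    """Map each server label to its verdict."""
    return {name: classify(pkt) for name, pkt in samples.items()}
```

Any verdict other than "authoritative" from a server named in the zone's NS records is worth raising with whoever runs that server.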


