Jim Carter's Bugfixes

DNS Query Denied

James F. Carter
2008-03-20
Symptom:

The DNS server for a domain is upgraded and starts logging errors similar to this:

Mar 20 13:06:11 dns1.example.com named[3357]: client 128.97.12.3#53: query (cache) 'other.example.net/A/IN' denied

Workstations which rely on this server as a forwarder, particularly Windows boxes, are not getting recursive DNS answers from it. The users, unable to view their favorite websites, are gathering outside your door with pitchforks.

What's going on:

In the transition from BIND 9.3.2 to 9.4.1.P1 (the version I upgraded to) a default changed. Formerly, every map (zone) and the cache could be queried from any site by default. Now any map for which the server is authoritative may still be queried by anyone, but recursive (forwarded) queries are accepted by default only from the subnets the server is directly attached to. A client on any other subnet has its recursive query refused, while the same query sent from the server's own subnet is answered.

How to fix:

Following the instructions in the BIND administrator's manual, I added explicit allow-query statements to my named.conf file. Here is a shortened version from our master server; the slaves are essentially identical except that their map stanzas are of type slave. Be careful to terminate every statement and every list element with a semicolon.

// This conveniently defines our local network (simplified).
// Localhost must be listed explicitly.
acl ournets {
        128.97.4.0/24;
        128.97.12.0/24;
        127.0.0.1;
};
options {
        forwarders {
                164.67.128.1;
        };
        // This option governs recursive queries and
        // zones lacking "allow-query any".
        allow-query { ournets; };
        allow-transfer {
                128.97.0.0/16;
                164.67.0.0/16;
        };
        // other options omitted
};
// DNS maps for which we are authoritative.  Reverse domain
// is not shown.
zone "math.ucla.edu" {
        type master;
        file "master/math.zone";
        // We want the outside world to be able to resolve our names.
        allow-query { any; };
};
// We don't want the outside world seeing our Windows Active
// Directory, so this stanza lacks "allow-query any".  Numerous
// other A.D. zones are not shown, nor localhost and hints.
zone "_tcp.math.ucla.edu" {
        type master;
        file "master/math.tcp";
};
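As an added check that is not part of the original page, here is a Python script that parses the "query (cache) ... denied" lines named logs (in the format quoted under Symptom) and splits the refused clients by whether they fall inside the proposed ournets ACL, so you can confirm before reloading named that the new allow-query statement actually covers the complaining workstations. The log-line pattern, the ACL contents and the sample lines are assumptions constructed from this page.

```python
import ipaddress
import re
from collections import Counter
# Shape of the "query (cache) ... denied" line quoted on this page (BIND 9.4-era
# syslog format); later BIND releases add fields, so the pattern is an assumption.
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied"
)

# Hypothetical ACL mirroring the "ournets" stanza in the named.conf above.
OURNETS = [ipaddress.ip_network(n)
           for n in ("128.97.4.0/24", "128.97.12.0/24", "127.0.0.1/32")]

def parse_denied(line):
    """Return (client_ip, qname, qtype) for a refused cache query, else None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    return ipaddress.ip_address(m["ip"]), m["qname"], m["qtype"]

def in_acl(ip, acl):
    return any(ip in net for net in acl)

def audit(lines, acl=OURNETS):
    """Count refusals per client, split by whether the ACL would admit the client."""
    covered, uncovered = Counter(), Counter()
    for line in lines:
        parsed = parse_denied(line)
        if parsed is None:
            continue            # not a refused recursive query
        ip = parsed[0]
        (covered if in_acl(ip, acl) else uncovered)[str(ip)] += 1
    return covered, uncovered

# Constructed sample log; the first line is the one quoted on this page.
SAMPLE_LOG = """\
Mar 20 13:06:11 dns1.example.com named[3357]: client 128.97.12.3#53: query (cache) 'other.example.net/A/IN' denied
Mar 20 13:06:12 dns1.example.com named[3357]: client 128.97.12.3#53: query (cache) 'www.example.org/AAAA/IN' denied
Mar 20 13:06:15 dns1.example.com named[3357]: client 192.0.2.44#1027: query (cache) 'mail.example.net/MX/IN' denied
Mar 20 13:06:20 dns1.example.com named[3357]: zone math.ucla.edu/IN: loaded serial 2008032001
""".splitlines()

if __name__ == "__main__":
    covered, uncovered = audit(SAMPLE_LOG)
    for ip, n in covered.items():
        print(f"{ip}: {n} refusal(s), inside ournets -> fixed by allow-query {{ ournets; }}")
    for ip, n in uncovered.items():
        print(f"{ip}: {n} refusal(s), outside ournets -> still refused, as intended")
```

Feed it the real log with `audit(open("/var/log/messages"))` after adjusting the ACL list to match your named.conf; any client that shows up as uncovered is either off-site (refusal is correct) or a subnet you forgot to add to the acl.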
