Query refused on bind (named)

Hi there

Having a huge problem and I can't figure out why this keeps happening:

dig r-nash.office.protected.com @192.168.2.2

; <<>> DiG 9.3.4 <<>> r-nash.office.protected.com @192.168.2.2
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 65269
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;r-nash.office.protected.com.   IN      A

;; Query time: 1 msec
;; SERVER: 192.168.2.2#53(192.168.2.2)
;; WHEN: Mon Mar 19 12:07:12 2007
;; MSG SIZE  rcvd: 45




I keep getting "refused" when I try to query this server from anywhere on the network, but everything works fine when I try the same query on the server that is running the BIND service.

What is causing this please? I have tried and tried and tried, but I keep getting this.

Here is my named.conf file

//
// named.caching-nameserver.conf
//
// Provided by Red Hat caching-nameserver package to configure the
// ISC BIND named(8) DNS server as a caching only nameserver
// (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// DO NOT EDIT THIS FILE - use system-config-bind or an editor
// to create named.conf - edits to this file will be lost on
// caching-nameserver package upgrade.
//
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        listen-on port 53 { 192.168.2.2; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        query-source    port 53;
        query-source-v6 port 53;
        allow-query     { any; };
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
view localhost_resolver {
        allow-query { any; };
        match-clients      { localhost; };
        match-destinations { localhost; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
};


Here is my rfc zone file:

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "1.168.192.IN-ADDR.ARPA." IN {
        type master;
        file "192.168.1.db";
        allow-query { any; };
};
zone "2.168.192.IN-ADDR.ARPA." IN {
        type master;
        file "192.168.2.db";
        allow-query { any; };
};
zone "office.protected.com." IN {
        type master;
        file "office.protected.com.db";
        allow-query { any; };
};
zone "." IN {
        type hint;
        file "named.ca";
};

zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
        allow-query { any; };
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
        allow-query { any; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
        allow-query { any; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-query { any; };
};

zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
        allow-query { any; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
        allow-query { any; };
};


And here is my main zone file:

$TTL 1H
@               IN      SOA     development     root.development (
                                                6       ; serial
                                                3H      ; refresh
                                                1H      ; retry
                                                1W      ; expire
                                                1H )    ; minimum
                IN      NS      localhost.
m-whelan        IN      1H      A       192.168.2.240
t-ward          IN      1H      A       192.168.2.20
k-rosewarne     IN      1H      A       192.168.2.14
a-pieters       IN      1H      A       192.168.2.9
development     IN      1H      A       192.168.2.2
                IN      1H      A       192.168.2.2
printer         IN      1H      A       192.168.2.245
b-stabb         IN      1H      A       192.168.2.13

t-legg          IN      1H      A       192.168.1.5
d-walker        IN      1H      A       192.168.1.6
a-sundaram      IN      1H      A       192.168.1.7
a-cox           IN      1H      A       192.168.1.8
r-abzadeh       IN      1H      A       192.168.1.9
a-cross         IN      1H      A       192.168.1.10
m-harrison      IN      1H      A       192.168.1.11
d-carter        IN      1H      A       192.168.1.12
j-irish         IN      1H      A       192.168.1.13
r-nash          IN      1H      A       192.168.1.14
printer2        IN      1H      A       192.168.1.254
phpmyadmin.development  IN      1H      CNAME   development
r-nash          IN      1H      A       192.168.1.14
admin.development       IN      1H      CNAME   development
sd.development          IN      1H      CNAME   development
cp.development          IN      1H      CNAME   development
secure.development      IN      1H      CNAME   development
client.development      IN      1H      CNAME   development
test.development        IN      1H      CNAME   development
sales.development       IN      1H      CNAME   development
support.development     IN      1H      CNAME   development
samsung         IN      1H      CNAME   printer
x_terminat_or_3Asked:

pablouruguayCommented:
Just a question... you don't have a firewall or block port 53 on this server?

Do an iptables -L to see what is on your server.
0
x_terminat_or_3Author Commented:
No, the software firewall is disabled.

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
0
pablouruguayCommented:
Please remove these 3 lines, restart named and try again.

        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        listen-on port 53 { 192.168.2.2; };
0

x_terminat_or_3Author Commented:
I removed those lines but I still get the refused bit.
0
pablouruguayCommented:
I didn't see the error....

Maybe you can test removing the lines on query with #, to accept any query... only for checking.
0
x_terminat_or_3Author Commented:
Where do I do that?
0
pablouruguayCommented:
In the named.conf, comment out all

allow-query     { any; };

like this

#allow-query     { any; };

and restart named with /etc/init.d/named restart
0

x_terminat_or_3Author Commented:
I FIXED IT!

The problem was this:

view localhost_resolver {
        allow-query { any; };
        match-clients      { localhost; };
        match-destinations { localhost; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
};

I changed the match-clients and match-destinations to any, and now it works!
0
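The view block above is the cause: named answers REFUSED whenever no view's match-clients and match-destinations both match the query, and the built-in localhost ACL only covers the server's own addresses. The Python model below is added here and is not from the thread; it walks that ACL matching for the view as posted, as fixed with any, and for a scoped variant that limits recursion to the two office subnets (an assumption drawn from the zone data), since match-clients { any; } together with recursion yes makes the server recurse for every client that can reach it.

```python
import ipaddress

# Addresses configured on the BIND host in the thread; BIND's built-in
# "localhost" ACL matches every address of the server's own interfaces.
SERVER_ADDRS = {"127.0.0.1", "::1", "192.168.2.2"}

# Constructed models of the view block as posted, as fixed in the thread, and
# a tighter variant (the two office subnets are an assumption taken from the
# zone data, not something the thread configured).
BROKEN_VIEW = {"match_clients": ["localhost"], "match_destinations": ["localhost"]}
FIXED_VIEW = {"match_clients": ["any"], "match_destinations": ["any"]}
SCOPED_VIEW = {"match_clients": ["localhost", "192.168.1.0/24", "192.168.2.0/24"],
               "match_destinations": ["any"]}


def acl_matches(acl, addr):
    """Evaluate a BIND address-match list against one address; first match wins."""
    ip = ipaddress.ip_address(addr)
    for entry in acl:
        if entry == "any":
            return True
        if entry == "none":
            return False
        if entry == "localhost":
            if addr in SERVER_ADDRS:
                return True
            continue
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def select_view(views, client, dest):
    """Return the name of the first view whose client and destination ACLs both match."""
    for name, view in views:
        if acl_matches(view["match_clients"], client) and acl_matches(view["match_destinations"], dest):
            return name
    return None


def query_rcode(views, client, dest="192.168.2.2"):
    """named answers from the matched view; with no matching view it returns REFUSED."""
    return "REFUSED" if select_view(views, client, dest) is None else "NOERROR"


if __name__ == "__main__":
    for label, view in (("posted", BROKEN_VIEW), ("thread fix", FIXED_VIEW), ("scoped", SCOPED_VIEW)):
        views = [("localhost_resolver", view)]
        for client in ("127.0.0.1", "192.168.2.240", "203.0.113.5"):
            print(f"{label:10} client {client:14} -> {query_rcode(views, client)}")
```

Note that the destination 192.168.2.2 already satisfied match-destinations { localhost; }; it was match-clients alone that excluded every LAN host.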
x_terminat_or_3Author Commented:
I'll award you some points but the actual answer was self-found, so please be patient while admin deals with this.

Thank you for your help
0
pablouruguayCommented:
Nice :).... I learned in this question... thank you.
0
pablouruguayCommented:
PAQ and refunded??? I don't understand...
0
x_terminat_or_3Author Commented:
Looks like I misunderstood what was being asked. I have amended the thread mentioned by Vee_Mod to get you points.

Thanks for your help
0
x_terminat_or_3Author Commented:
No this is exactly what I wanted. Thanks Vee_Mod
0