
BIND requests denied - again...

Folks

Having more problems with my BIND server.

I already posted a question (https://www.experts-exchange.com/OS/Linux/Q_24220201.html) about a similar problem, which I thought was fixed. However, I am again seeing denied requests:

Mar 16 09:40:06 xxx named[2932]: client 70.86.70.34#1151: query (cache) 'apevl.ch/NS/IN' denied

I must confess I am at a loss to explain why those queries are rejected, whereas they were working a few days ago with an unchanged config...

Anyway my named.conf file:

------------------------------------------------
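options {
    directory "/etc";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
    version "Surely you must be joking";
    listen-on port 53 {  88.191.98.49; 127.0.0.1;  };
    # Only hosts in the "trusted" ACL may use this server as a recursive resolver.
    allow-recursion { trusted; };
    # Authoritative data for the zones below is open to everyone.
    allow-query { any; };
    # Keep cache access aligned with allow-recursion. Authoritative answers are
    # served from zone data, not the cache, so "any" here gains external clients
    # nothing and only exposes cached records (cache snooping).
    allow-query-cache { trusted; };
};

# rndc control channel: local only, and authenticated with rndc_key.
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

# Hosts allowed to recurse / read the cache (this server itself and loopback).
# Referenced from options above; keeping it defined before use is the safest order.
acl "trusted" {
   88.191.98.49;
   127.0.0.1;
};


key "rndc_key" {
    # hmac-md5 is the legacy default; newer BIND releases also accept hmac-sha256,
    # which is preferable when the key is regenerated.
    algorithm hmac-md5;
    # NOTE(review): this secret has been posted publicly. Generate a new one
    # (rndc-confgen) and update rndc.conf to match.
      secret "PUSNeyNcuyQep6BbzLYYGAeOL+V8ItICcnldf5LAWSbyKl9fGOj6eHejgD+XKGjEb9WH/EJXYGNAJjl+8StWcQ==";
};

logging {
         # Log files are written under /etc here; /var/log is the conventional
         # location and is usually what log rotation and backups expect.
         channel channel_info {
                    file "/etc/bind.log" versions 3 size 5m;
                    severity info;
                    print-time yes;
                    print-severity yes;
                    print-category yes;
               };


         channel channel_notice {
                    file "/etc/bindnotice.log" versions 3 size 5m;
                    severity notice;
                    print-time yes;
                    print-severity yes;
                    print-category yes;
               };

# default
        # Zone load failures show up under "general"; the "query ... denied"
        # messages come from "security" (channel_info, so they are not filtered).
        category default             { channel_notice; };
        category general             { channel_notice; };
        category client              { channel_notice; };
        category config         { channel_notice; };
        category database       { channel_notice; };
        category dnssec         { channel_notice; };
        category lame-servers   { channel_notice; };
        category network        { channel_notice; };
        category notify         { channel_info; };
        # Per-query logging is emitted at info, so sending "queries" to a
        # notice-level channel effectively keeps query logging off.
        category queries        { channel_notice; };
        category resolver       { channel_notice; };
        category security       { channel_info; };
        category update         { channel_info; };
        category update-security { channel_info; };
        category xfer-in        { channel_info; };
        category xfer-out       { channel_info; };
        category unmatched      { channel_notice; };
        category dispatch       { channel_notice; };
        category delegation-only { channel_notice; };
        category edns-disabled { channel_notice; };

    channel default_debug {
      file "/etc/named.run";
      severity dynamic;
    };

    channel default_stderr {
      stderr;
      severity info;
    };

    channel null {
      null;
    };
};


# Root hints, used only for recursion on behalf of "trusted" clients.
zone "." {
    type hint;
    file "/etc/root.hints";
};

zone "localhost" {
    type master;
    file "/etc/localhost";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "/etc/127.0.0";
};

# A "query (cache) 'apevl.ch/NS/IN' denied" message for a name inside this
# zone suggests the zone is NOT loaded: a zone that fails to parse is not
# served as authoritative data, so the query falls through to the cache path
# and is refused for non-trusted clients. Check the log for a
# "loading ... failed" line and validate the file with
# `named-checkzone apevl.ch sites/apevl.ch/forward.zone` before reloading.
zone "apevl.ch" IN {
      type master;
      # Path is relative to options/directory, i.e. /etc/sites/apevl.ch/forward.zone.
      file "sites/apevl.ch/forward.zone";
      # Secondary servers allowed to AXFR this zone.
      allow-transfer { 127.0.0.1; 204.13.249.75; 208.78.69.75; 208.78.69.138; 204.13.249.138;  91.198.22.75; 91.198.22.138; 203.62.195.75; 203.62.195.76; 204.13.249.76;  };
      allow-update { none;  };
      allow-query { any;  };
      zone-statistics yes;
      # With notify off and also-notify empty, the transfer peers above only
      # learn of changes at the SOA refresh interval; consider `notify yes`
      # if those secondaries accept NOTIFY.
      notify no;
      also-notify {  };
};

# Reverse zone for a single address; this only answers anything if the
# address block's owner delegates it here (RFC 2317-style).
zone "49.98.191.88.in-addr.arpa" {
      type master;
      file "sites/apevl.ch/reverse.zone.ipv4";
      allow-transfer { 127.0.0.1; 204.13.249.75; 208.78.69.75; 208.78.69.138; 204.13.249.138;  91.198.22.75; 91.198.22.138; 203.62.195.75; 203.62.195.76; 204.13.249.76;  };
      allow-update { none;  };
      allow-query { any;  };
      zone-statistics yes;
      notify no;
      also-notify {  };
};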

------------------------------------------------

and my forward.zone

------------------------------------------------

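$TTL 14400
; Start of authority. Per RFC 1035 the first field is the primary nameserver
; (MNAME) and the second is the admin mailbox with '@' written as '.' (RNAME).
; As written, MNAME is the zone apex and RNAME means ns@apevl.ch - confirm
; that is intended (ns.apevl.ch. / a real mailbox would be the usual pair).
@      IN      SOA      apevl.ch.      ns.apevl.ch. (
                  2009031600      ; Serial - bumped for this edit (constructed, YYYYMMDDnn); bump on every change
                  3600            ; Refresh
                  360             ; Retry
                  1209600         ; Expire
                  3600 )          ; Negative-cache TTL (RFC 2308)

; Nameserver address records; ns and ns1 both resolve to this host.
ns.apevl.ch. A 88.191.98.49

ns1.apevl.ch. A 88.191.98.49

apevl.ch.      IN      A      88.191.98.49

; Apex NS set (owner inherited from the apevl.ch. line above). The original
; file had "IN N ns.apevl.ch." - 'N' is not a record type, so named rejects
; the whole zone at load time and nothing in it is served authoritatively.
; The earlier bare "IN NS ns" line was a duplicate of the first entry here.
      IN      NS        ns.apevl.ch.
      IN      NS        ns1.apevl.ch.
      IN      NS      ns2.mydyndns.org.
      IN      NS      ns3.mydyndns.org.
      IN      NS      ns4.mydyndns.org.
      IN      NS      ns5.mydyndns.org.

; Mail is handled by Google; lower preference wins.
      IN      MX      10      aspmx.l.google.com.

      IN      MX      20      alt1.aspmx.l.google.com.

      IN      MX      30      alt2.aspmx.l.google.com.

mail.apevl.ch.  IN  CNAME ghs.google.com.

www.apevl.ch.  IN  CNAME ghs.google.com.

; Google site-verification record.
google34160a471ab995a5.apevl.ch.      IN      CNAME      google.com.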

------------------------------------------------

Any idea & suggestion MOST welcome :)

Regards