Alexandre Takacs
BIND requests denied - again...
Folks
Having more problems with my BIND server.
I already posted a question https://www.experts-exchange.com/questions/24220201/BIND-not-working-denied-requests.html for a similar problem I thought it was fixed. However I have again denied requests:
Mar 16 09:40:06 xxx named[2932]: client 70.86.70.34#1151: query (cache) 'apevl.ch/NS/IN' denied
I must confess I am at a loss to explain why those queries are rejected, whereas they were working a few days ago with an unchanged config...
Anyway my named.conf file:
-------------------------- ---------- ---------- --
# Global server options: named listens on the public address and loopback and
# answers authoritative queries from any client.
options {
  directory "/etc";                        # zone "file" paths below are resolved relative to this directory
  pid-file "/var/run/named.pid";
  statistics-file "/var/run/named.stats";
  version "Surely you must be joking";     # replaces the version string reported to clients
  listen-on port 53 {  88.191.98.49; 127.0.0.1;  };
  # Recursion is limited to the "trusted" ACL (this host only). Widening this to
  # { any; }, as tried later in the thread, turns the host into an open recursive
  # resolver on 88.191.98.49 and does not address a zone that failed to load; for
  # an authoritative-only server, "recursion no;" rules recursion out more safely.
  allow-recursion { trusted; };
  allow-query { any; };                    # authoritative answers for loaded zones are open to everyone
  # allow-query-cache only governs reads of cached data. A query for a zone that
  # named has NOT loaded is handled as a cache/recursive lookup, which is why the
  # log shows "query (cache) 'apevl.ch/NS/IN' denied" while apevl.ch is unloaded.
  allow-query-cache { any; };
};
# rndc control channel: bound to loopback and limited to localhost, so only
# local users holding rndc_key can issue control commands.
controls {
  inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
# "trusted" is just this server itself (its public address and loopback); it is
# referenced by allow-recursion above.
acl "trusted" {
  88.191.98.49;
  127.0.0.1;
};
# Shared secret for the rndc control channel. This secret was posted verbatim
# in a public thread, so it should be treated as compromised: regenerate it
# (rndc-confgen produces a fresh key stanza) and update the matching rndc
# client configuration at the same time. The controls block above is
# loopback-only, which limits exposure to local users, but a leaked key is
# still a leaked key.
key "rndc_key" {
  algorithm hmac-md5;   # legacy default; newer BIND releases also accept SHA-based HMACs
      secret "PUSNeyNcuyQep6BbzLYYGAeOL +V8ItICcnl df5LAWSbyK l9fGOj6eHe jgD+XKGjEb 9WH/EJXYGN AJjl+8StWc Q==";
};
# Logging: two file channels plus the built-in ones. channel_notice filters out
# info-level messages, and named logs "zone X/IN: loaded serial N" at info, so
# zones routed there never get a "loaded" confirmation in any file.
logging {
     channel channel_info {
          file "/etc/bind.log" versions 3 size 5m;
          severity info;
          print-time yes;
          print-severity yes;
          print-category yes;
        };
     channel channel_notice {
          file "/etc/bindnotice.log" versions 3 size 5m;
          severity notice;
          print-time yes;
          print-severity yes;
          print-category yes;
        };
# default
    # With default/general/config/database sent to channel_notice, zone-load
    # errors (error severity, category general) land in /etc/bindnotice.log,
    # not in syslog, and the info-level "loaded serial" lines are dropped.
    # The syslog excerpt later in the thread nevertheless shows "loaded serial"
    # lines for other zones, which suggests the running instance is not using
    # this logging block; confirm that the file named actually reads
    # (/etc/bind/named.conf per the startup log) is the file being edited.
    category default            { channel_notice; };
    category general          { channel_notice; };
    category client          { channel_notice; };
    category config     { channel_notice; };
    category database    { channel_notice; };
    category dnssec     { channel_notice; };
    category lame-servers  { channel_notice; };
    category network     { channel_notice; };
    category notify     { channel_info; };
    # query logging is emitted at info, so channel_notice silently discards it
    category queries     { channel_notice; };
    category resolver    { channel_notice; };
    category security    { channel_info; };
    category update     { channel_info; };
    category update-security { channel_info; };
    category xfer-in     { channel_info; };
    category xfer-out    { channel_info; };
    category unmatched    { channel_notice; };
    category dispatch    { channel_notice; };
    category delegation-only { channel_notice; };
    category edns-disabled { channel_notice; };
  channel default_debug {
      file "/etc/named.run";
      severity dynamic;
  };
  channel default_stderr {
      stderr;
      severity info;
  };
  channel null {
      null;
  };
};
zone "." {
  type hint;
  file "/etc/root.hints";
};
zone "localhost" {
  type master;
  file "/etc/localhost";
};
zone "0.0.127.in-addr.arpa" {
  type master;
  file "/etc/127.0.0";
};
# Authoritative (master) zone for apevl.ch.
zone "apevl.ch" IN {
      type master;
      # Relative path: resolved against options.directory ("/etc"), so this
      # instance expects /etc/sites/apevl.ch/forward.zone. The startup log in
      # the thread says the configuration was read from /etc/bind/named.conf;
      # check that the zone file lives where the running instance looks for it.
      # (The space inside "forward.zo ne" is most likely the page wrapping a
      # long token, as with other long strings on this page — confirm it is not
      # in the real file.)
      file "sites/apevl.ch/forward.zo ne";
      # Zone transfers are limited to loopback and the listed secondaries; this
      # list is what stops arbitrary clients from pulling the whole zone. The
      # reverse zone repeats the same list — keep the two in sync.
      allow-transfer { 127.0.0.1; 204.13.249.75; 208.78.69.75; 208.78.69.138; 204.13.249.138;  91.198.22.75; 91.198.22.138; 203.62.195.75; 203.62.195.76; 204.13.249.76;  };
      allow-update { none;  };   # no dynamic updates accepted
      allow-query { any;  };
      zone-statistics yes;
      # notify is off and also-notify is empty, so the secondaries above are not
      # told when the serial changes; they only notice at their refresh interval.
      notify no;
      also-notify {  };
};
# Reverse zone for the server's own address. As displayed, the zone name carries
# a trailing space inside the quotes and the file path is split ("reverse.zo ne");
# both look like the page's wrapping of long tokens, but if either is really in
# the file, the zone name/path is wrong and the zone will not load.
zone "49.98.191.88.in-addr.arpa " {
      type master;
      file "sites/apevl.ch/reverse.zo ne.ipv4";
      # same transfer list as the forward zone; keep them in sync
      allow-transfer { 127.0.0.1; 204.13.249.75; 208.78.69.75; 208.78.69.138; 204.13.249.138;  91.198.22.75; 91.198.22.138; 203.62.195.75; 203.62.195.76; 204.13.249.76;  };
      allow-update { none;  };
      allow-query { any;  };
      zone-statistics yes;
      notify no;
      also-notify {  };
};
-------------------------- ---------- ---------- --
and my forward.zone
-------------------------- ---------- ---------- --
; forward.zone for apevl.ch as first posted. Two things in this file are enough
; on their own to stop named from loading the zone (and hence to produce the
; "query (cache) ... denied" log lines): the "IN N" typo below, and — if the
; "Â" sequences shown here (mis-encoded non-breaking spaces, U+00A0) are really
; bytes in the file on disk — whitespace that named's lexer most likely will not
; recognise as whitespace. Re-type the affected lines with plain spaces/tabs.
$TTL 14400;
; SOA MNAME should be the primary server name (ns.apevl.ch.), not the zone
; apex; corrected later in the thread.
@ Â Â Â Â Â IN Â Â Â Â Â SOA Â Â Â Â Â apevl.ch. Â Â Â Â Â ns.apevl.ch. (
                 2009031503      ; Serial
                 3600            ; Refresh
                 360            ; Retry
                 1209600      ; Expire
                 3600 )      ; Min TTL
           Â
           IN      NS   ns          ; relative name: expands to ns.apevl.ch., duplicating the NS line further down
ns.apevl.ch. A 88.191.98.49
ns1.apevl.ch. A 88.191.98.49
apevl.ch. Â Â Â Â Â IN Â Â Â Â Â A Â Â Â Â Â 88.191.98.49
      IN   N        ns.apevl.ch.    ; "N" is not a record type — this line alone makes the file unloadable
      IN        NS   ns1.apevl.ch.
      IN      NS      ns2.mydyndns.org.
      IN      NS      ns3.mydyndns.org.
      IN      NS      ns4.mydyndns.org.
      IN      NS      ns5.mydyndns.org.
      IN      MX      10      aspmx.l.google.com.
      IN      MX      20      alt1.aspmx.l.google.com.
      IN      MX      30      alt2.aspmx.l.google.com.
mail.apevl.ch. Â IN Â CNAME ghs.google.com.
www.apevl.ch. Â IN Â CNAME ghs.google.com.
google34160a471ab995a5.ape vl.ch. Â Â Â Â Â IN Â Â Â Â Â CNAME Â Â Â Â Â google.com.
-------------------------- ---------- ---------- --
Any idea & suggestion MOST welcome :)
Regards
Having more problems with my BIND server.
I already posted a question https://www.experts-exchange.com/questions/24220201/BIND-not-working-denied-requests.html for a similar problem I thought it was fixed. However I have again denied requests:
Mar 16 09:40:06 xxx named[2932]: client 70.86.70.34#1151: query (cache) 'apevl.ch/NS/IN' denied
I must confess I am at a loss to explain why those queries are rejected, whereas they were working a few days ago with an unchanged config...
Anyway my named.conf file:
--------------------------
options {
  directory "/etc";
  pid-file "/var/run/named.pid";
  statistics-file "/var/run/named.stats";
  version "Surely you must be joking";
  listen-on port 53 {  88.191.98.49; 127.0.0.1;  };
  allow-recursion { trusted; };
  allow-query { any; };
  allow-query-cache { any; };
};
controls {
  inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
acl "trusted" {
  88.191.98.49;
  127.0.0.1;
};
key "rndc_key" {
  algorithm hmac-md5;
      secret "PUSNeyNcuyQep6BbzLYYGAeOL
};
logging {
     channel channel_info {
          file "/etc/bind.log" versions 3 size 5m;
          severity info;
          print-time yes;
          print-severity yes;
          print-category yes;
        };
     channel channel_notice {
          file "/etc/bindnotice.log" versions 3 size 5m;
          severity notice;
          print-time yes;
          print-severity yes;
          print-category yes;
        };
# default
    category default            { channel_notice; };
    category general          { channel_notice; };
    category client          { channel_notice; };
    category config     { channel_notice; };
    category database    { channel_notice; };
    category dnssec     { channel_notice; };
    category lame-servers  { channel_notice; };
    category network     { channel_notice; };
    category notify     { channel_info; };
    category queries     { channel_notice; };
    category resolver    { channel_notice; };
    category security    { channel_info; };
    category update     { channel_info; };
    category update-security { channel_info; };
    category xfer-in     { channel_info; };
    category xfer-out    { channel_info; };
    category unmatched    { channel_notice; };
    category dispatch    { channel_notice; };
    category delegation-only { channel_notice; };
    category edns-disabled { channel_notice; };
  channel default_debug {
      file "/etc/named.run";
      severity dynamic;
  };
  channel default_stderr {
      stderr;
      severity info;
  };
  channel null {
      null;
  };
};
zone "." {
  type hint;
  file "/etc/root.hints";
};
zone "localhost" {
  type master;
  file "/etc/localhost";
};
zone "0.0.127.in-addr.arpa" {
  type master;
  file "/etc/127.0.0";
};
zone "apevl.ch" IN {
      type master;
      file "sites/apevl.ch/forward.zo
      allow-transfer { 127.0.0.1; 204.13.249.75; 208.78.69.75; 208.78.69.138; 204.13.249.138;  91.198.22.75; 91.198.22.138; 203.62.195.75; 203.62.195.76; 204.13.249.76;  };
      allow-update { none;  };
      allow-query { any;  };
      zone-statistics yes;
      notify no;
      also-notify {  };
};
zone "49.98.191.88.in-addr.arpa
      type master;
      file "sites/apevl.ch/reverse.zo
      allow-transfer { 127.0.0.1; 204.13.249.75; 208.78.69.75; 208.78.69.138; 204.13.249.138;  91.198.22.75; 91.198.22.138; 203.62.195.75; 203.62.195.76; 204.13.249.76;  };
      allow-update { none;  };
      allow-query { any;  };
      zone-statistics yes;
      notify no;
      also-notify {  };
};
--------------------------
and my forward.zone
--------------------------
$TTL 14400;
@ Â Â Â Â Â IN Â Â Â Â Â SOA Â Â Â Â Â apevl.ch. Â Â Â Â Â ns.apevl.ch. (
                 2009031503      ; Serial
                 3600            ; Refresh
                 360            ; Retry
                 1209600      ; Expire
                 3600 )      ; Min TTL
           Â
           IN      NS   ns
ns.apevl.ch. A 88.191.98.49
ns1.apevl.ch. A 88.191.98.49
apevl.ch. Â Â Â Â Â IN Â Â Â Â Â A Â Â Â Â Â 88.191.98.49
      IN   N        ns.apevl.ch.
      IN        NS   ns1.apevl.ch.
      IN      NS      ns2.mydyndns.org.
      IN      NS      ns3.mydyndns.org.
      IN      NS      ns4.mydyndns.org.
      IN      NS      ns5.mydyndns.org.
      IN      MX      10      aspmx.l.google.com.
      IN      MX      20      alt1.aspmx.l.google.com.
      IN      MX      30      alt2.aspmx.l.google.com.
mail.apevl.ch. Â IN Â CNAME ghs.google.com.
www.apevl.ch. Â IN Â CNAME ghs.google.com.
google34160a471ab995a5.ape
--------------------------
Any idea & suggestion MOST welcome :)
Regards
Also you had the SOA line wrong. It should be:
domain SOA PrimaryServer DomainAdminEmailAddress like in the attached.
See if this works. I might have a typo as I didnt test it, but it should work fine.
domain SOA PrimaryServer DomainAdminEmailAddress like in the attached.
See if this works. I might have a typo as I didnt test it, but it should work fine.
$TTL 14400;
@ IN SOA ns.apevl.ch. domainadmin.apevl.ch. (
2009031503 ; Serial
3600 ; Refresh
360 ; Retry
1209600 ; Expire
3600 ) ; Min TTL
IN NS ns.apevl.ch.
IN NS ns2.mydyndns.org.
IN NS ns3.mydyndns.org.
IN NS ns4.mydyndns.org.
IN NS ns5.mydyndns.org.
IN MX 10 aspmx.l.google.com.
IN MX 20 al1.aspmx.l.google.com.
IN MX 30 alt2.asmpx.l.google.com.
ns IN A 88.191.98.49
mail IN CNAME ghs.google.com.
www IN CNAME ghs.google.com.
google34160a471ab995a5 IN CNAME google.com.
ASKER
Hi
Good catch about the typos !
Amended forward.zone:
Alas dns requests still being denied
Regards
alex
Good catch about the typos !
Amended forward.zone:
$TTL 14400;
@ Â Â IN Â Â Â SOA Â Â ns.apevl.ch. Â Â domainadmin.apevl.ch. (
      2009031601   ; Serial
      3600     ; Refresh
      360     ; Retry
      1209600   ; Expire
      3600 )   ; Min TTL
           Â
    IN   NS   ns
ns.apevl.ch. A 88.191.98.49
ns1.apevl.ch. A 88.191.98.49
apevl.ch. Â Â IN Â Â A Â Â 88.191.98.49
  IN   NS    ns.apevl.ch.
  IN    NS   ns1.apevl.ch.
  IN   NS   ns2.mydyndns.org.
  IN   NS   ns3.mydyndns.org.
  IN   NS   ns4.mydyndns.org.
  IN   NS   ns5.mydyndns.org.
  IN   MX   10   aspmx.l.google.com.
  IN   MX   20   alt1.aspmx.l.google.com.
  IN   MX   30   alt2.aspmx.l.google.com.
mail.apevl.ch. Â IN Â CNAME ghs.google.com.
www.apevl.ch. Â IN Â CNAME ghs.google.com.
google34160a471ab995a5.ape vl.ch. Â Â IN Â Â CNAME Â Â google.com.
@ Â Â IN Â Â Â SOA Â Â ns.apevl.ch. Â Â domainadmin.apevl.ch. (
      2009031601   ; Serial
      3600     ; Refresh
      360     ; Retry
      1209600   ; Expire
      3600 )   ; Min TTL
           Â
    IN   NS   ns
ns.apevl.ch. A 88.191.98.49
ns1.apevl.ch. A 88.191.98.49
apevl.ch. Â Â IN Â Â A Â Â 88.191.98.49
  IN   NS    ns.apevl.ch.
  IN    NS   ns1.apevl.ch.
  IN   NS   ns2.mydyndns.org.
  IN   NS   ns3.mydyndns.org.
  IN   NS   ns4.mydyndns.org.
  IN   NS   ns5.mydyndns.org.
  IN   MX   10   aspmx.l.google.com.
  IN   MX   20   alt1.aspmx.l.google.com.
  IN   MX   30   alt2.aspmx.l.google.com.
mail.apevl.ch. Â IN Â CNAME ghs.google.com.
www.apevl.ch. Â IN Â CNAME ghs.google.com.
google34160a471ab995a5.ape
Alas dns requests still being denied
Mar 16 11:15:40 xxx  named[2939]: client 70.86.70.34#62665: query (cache) 'ns.apevl.ch/CNAME/IN' denied
Any idea ?Regards
alex
Is this a registered domain on the Internet, or an internal domain? I'm asking because I cannot resolve the name servers for the domain from the outside, which means it has not been registered with the .ch authoritative servers.
Where did you do that query from? Is 70.68.70.34 your workstation?
Where did you do that query from? Is 70.68.70.34 your workstation?
ASKER
Definitely registered with proper delegation as far as I can tell
70.68.70.34 is probably dnsstuf.com (running their test to validate my dns - which doesn't work)
Doing a query from my workstation works (kind of)
C:\Users\Alex>nslookup www.apevl.ch 88.191.98.49
Server:  UnKnown
Address:  88.191.98.49
*** UnKnown can't find www.apevl.ch: Query refused
(ie I get to the server but the query is refused which is my problem)
70.68.70.34 is probably dnsstuf.com (running their test to validate my dns - which doesn't work)
Doing a query from my workstation works (kind of)
C:\Users\Alex>nslookup www.apevl.ch 88.191.98.49
Server:  UnKnown
Address:  88.191.98.49
*** UnKnown can't find www.apevl.ch: Query refused
(ie I get to the server but the query is refused which is my problem)
from outside:
host -r NS apevl.ch
apevl.ch NS record not found, try again
Also, if I do:
host -t NS ch.
to get the authoritative servers for ch and query them individually, it returns no NS record.
But that is another issue.
Have you tried copying my config file as-is? Just for a test.
I see you still have the duplication in your file. "IN NS ns" does not have a dot at the end, which means it will be translated to "IN NS ns.@" and @ refers to the domain for which the file was created, thus: "IN NS ns" = "IN NS ns.apevl.ch." which you also have later in the file. Take one of them out.
Secondly, you have two DNS servers configured, but both point to the same IP. That is ns and ns1. This is not acceptable for most ISPs and DNS hosting companies. Try taking one out.
host -r NS apevl.ch
apevl.ch NS record not found, try again
Also, if I do:
host -t NS ch.
to get the authoritative servers for ch and query them individually, it returns no NS record.
But that is another issue.
Have you tried copying my config file as-is? Just for a test.
I see you still have the duplication in your file. "IN NS ns" does not have a dot at the end, which means it will be translated to "IN NS ns.@" and @ refers to the domain for which the file was created, thus: "IN NS ns" = "IN NS ns.apevl.ch." which you also have later in the file. Take one of them out.
Secondly, you have two DNS servers configured, but both point to the same IP. That is ns and ns1. This is not acceptable for most ISP's and DNS hosting companies. Try taking one out.
In your master config file:
zone "apevl.ch" IN {
There should not be IN there. Just:
zone "apevl.ch" {
zone "apevl.ch" IN {
There should not be IN there. Just:
zone "apevl.ch" {
I suspect that is what's causing it. Bind is not seeing itself as the master for that zone, and hence thinks that any query for that zone is using it to lookup external domains??? (Or so I suspect)
Scratch that, the IN is fine. Sorry.
Delete the ";" after
$TTL 14400;
Delete the ";" after
$TTL 14400;
I've now read through your config again and again and again, and my conclusion is:
Your zone file is incorrect, thus bind ignores it and as a result does not see itself as the master for that zone anymore. Any query asking about that zone, would then be seen as a recursive call, and you have:
allow-recursion { trusted; };
and trusted is defined as bind itself in:
acl "trusted" {
  88.191.98.49;
  127.0.0.1;
};
Thus any server except bind itself would receive "query refused" until the zone file is fixed.
The errors in your zone file, I suspect, are:
ns.apevl.ch. A 88.191.98.49
ns1.apevl.ch. A 88.191.98.49
which should read:
ns.apevl.ch. IN A 88.191.98.49
ns1.apevl.ch. IN A 88.191.98.49
(you left out the IN there).
and, as stated earlier, the duplicate ns line:
  IN   NS   ns.apevl.ch.
which should be deleted.
I hope this solves it for you!
Your zone file is incorrect, thus bind ignores it and as a result does not see itself as the master for that zone anymore. Any query asking about that zone, would then be seen as a recursive call, and you have:
allow-recursion { trusted; };
and trusted is defined as bind itself in:
acl "trusted" {
  88.191.98.49;
  127.0.0.1;
};
Thus any server except bind itself would receive "query refused" until the zone file is fixed.
The errors in your zone file, I suspect, are:
ns.apevl.ch. A 88.191.98.49
ns1.apevl.ch. A 88.191.98.49
which should read:
ns.apevl.ch. IN A 88.191.98.49
ns1.apevl.ch. IN A 88.191.98.49
(you left out the IN there).
and, as stated earlier, the duplicate ns line:
  IN   NS   ns.apevl.ch.
which should be deleted.
I hope this solves it for you!
ASKER
Hi again
Thanks for your efforts - not quite there but I guess we are on the right track...
Here is my revised zone file, as per your suggestions
-------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ----
$TTL 14400
@ Â Â IN Â Â Â SOA Â Â ns.apevl.ch. Â Â domainadmin.apevl.ch. (
                 2009031602      ; Serial
                 3600            ; Refresh
                 360            ; Retry
                 1209600      ; Expire
                 3600 )      ; Min TTL
           Â
ns.apevl.ch. IN A 88.191.98.49
ns1.apevl.ch. IN A 88.191.98.49
apevl.ch. Â Â Â Â Â IN Â Â Â Â Â A Â Â Â Â Â 88.191.98.49
      IN   NS        ns.apevl.ch.
      IN        NS   ns1.apevl.ch.
      IN      NS      ns2.mydyndns.org.
      IN      NS      ns3.mydyndns.org.
      IN      NS      ns4.mydyndns.org.
      IN      NS      ns5.mydyndns.org.
      IN      MX      10      aspmx.l.google.com.
      IN      MX      20      alt1.aspmx.l.google.com.
      IN      MX      30      alt2.aspmx.l.google.com.
mail.apevl.ch. Â IN Â CNAME ghs.google.com.
www.apevl.ch. Â IN Â CNAME ghs.google.com.
google34160a471ab995a5.ape vl.ch. Â Â Â Â Â IN Â Â Â Â Â CNAME Â Â Â Â Â google.com.
-------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ----
Here is my BIND startup log file - seems to load fine
-------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ----
Mar 16 18:07:35 sd-16733 named[2936]: starting BIND 9.5.0-P2 -u bind
Mar 16 18:07:35 sd-16733 named[2936]: found 2 CPUs, using 2 worker threads
Mar 16 18:07:36 sd-16733 named[2936]: loading configuration from '/etc/bind/named.conf'
Mar 16 18:07:36 sd-16733 named[2936]: listening on IPv6 interfaces, port 53
Mar 16 18:07:36 sd-16733 named[2936]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 16 18:07:36 sd-16733 named[2936]: listening on IPv4 interface eth0, 88.191.98.49#53
Mar 16 18:07:36 sd-16733 named[2936]: default max-cache-size (33554432) applies
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 254.169.IN-ADDR.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 255.255.255.255.IN-ADDR.AR PA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.0.0.0. 0.0.0.0.0. 0.0.0.0.0. 0.0.0.0.IP 6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0. 0.0.0.0.0. 0.0.0.0.0. 0.0.0.0.0. 0.0.0.0.IP 6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: D.F.IP6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 8.E.F.IP6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 9.E.F.IP6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: A.E.F.IP6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: B.E.F.IP6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: default max-cache-size (33554432) applies: view _bind
Mar 16 18:07:36 sd-16733 named[2936]: command channel listening on 127.0.0.1#953
Mar 16 18:07:36 sd-16733 named[2936]: command channel listening on ::1#953
Mar 16 18:07:36 sd-16733 named[2936]: zone 0.in-addr.arpa/IN: loaded serial 1
Mar 16 18:07:36 sd-16733 named[2936]: zone 127.in-addr.arpa/IN: loaded serial 1
Mar 16 18:07:36 sd-16733 named[2936]: zone 255.in-addr.arpa/IN: loaded serial 1
Mar 16 18:07:36 sd-16733 named[2936]: zone localhost/IN: loaded serial 2
Mar 16 18:07:36 sd-16733 named[2936]: running
-------------------------- ---------- ---------- ---------- ---------- ---------- ---------- ----
Still having denied queries...
Regards
alex
Thanks for your efforts - not quite there but I guess we are on the right track...
Here is my revised zone file, as per your suggestions
--------------------------
$TTL 14400
@ Â Â IN Â Â Â SOA Â Â ns.apevl.ch. Â Â domainadmin.apevl.ch. (
                 2009031602      ; Serial
                 3600            ; Refresh
                 360            ; Retry
                 1209600      ; Expire
                 3600 )      ; Min TTL
           Â
ns.apevl.ch. IN A 88.191.98.49
ns1.apevl.ch. IN A 88.191.98.49
apevl.ch. Â Â Â Â Â IN Â Â Â Â Â A Â Â Â Â Â 88.191.98.49
      IN   NS        ns.apevl.ch.
      IN        NS   ns1.apevl.ch.
      IN      NS      ns2.mydyndns.org.
      IN      NS      ns3.mydyndns.org.
      IN      NS      ns4.mydyndns.org.
      IN      NS      ns5.mydyndns.org.
      IN      MX      10      aspmx.l.google.com.
      IN      MX      20      alt1.aspmx.l.google.com.
      IN      MX      30      alt2.aspmx.l.google.com.
mail.apevl.ch. Â IN Â CNAME ghs.google.com.
www.apevl.ch. Â IN Â CNAME ghs.google.com.
google34160a471ab995a5.ape
--------------------------
Here is my BIND startup log file - seems to load fine
--------------------------
Mar 16 18:07:35 sd-16733 named[2936]: starting BIND 9.5.0-P2 -u bind
Mar 16 18:07:35 sd-16733 named[2936]: found 2 CPUs, using 2 worker threads
Mar 16 18:07:36 sd-16733 named[2936]: loading configuration from '/etc/bind/named.conf'
Mar 16 18:07:36 sd-16733 named[2936]: listening on IPv6 interfaces, port 53
Mar 16 18:07:36 sd-16733 named[2936]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 16 18:07:36 sd-16733 named[2936]: listening on IPv4 interface eth0, 88.191.98.49#53
Mar 16 18:07:36 sd-16733 named[2936]: default max-cache-size (33554432) applies
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 254.169.IN-ADDR.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 255.255.255.255.IN-ADDR.AR
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: D.F.IP6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 8.E.F.IP6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 9.E.F.IP6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: A.E.F.IP6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: B.E.F.IP6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: default max-cache-size (33554432) applies: view _bind
Mar 16 18:07:36 sd-16733 named[2936]: command channel listening on 127.0.0.1#953
Mar 16 18:07:36 sd-16733 named[2936]: command channel listening on ::1#953
Mar 16 18:07:36 sd-16733 named[2936]: zone 0.in-addr.arpa/IN: loaded serial 1
Mar 16 18:07:36 sd-16733 named[2936]: zone 127.in-addr.arpa/IN: loaded serial 1
Mar 16 18:07:36 sd-16733 named[2936]: zone 255.in-addr.arpa/IN: loaded serial 1
Mar 16 18:07:36 sd-16733 named[2936]: zone localhost/IN: loaded serial 2
Mar 16 18:07:36 sd-16733 named[2936]: running
--------------------------
Still having denied queries...
Regards
alex
Mar 16 18:07:36 sd-16733 named[2936]: zone 0.in-addr.arpa/IN: loaded serial 1
Mar 16 18:07:36 sd-16733 named[2936]: zone 127.in-addr.arpa/IN: loaded serial 1
Mar 16 18:07:36 sd-16733 named[2936]: zone 255.in-addr.arpa/IN: loaded serial 1
Mar 16 18:07:36 sd-16733 named[2936]: zone localhost/IN: loaded serial 2
Note how it's not saying:
zone apevl.ch/IN: loaded serial ...
(The zones that are listed — 0.in-addr.arpa, 127.in-addr.arpa and 255.in-addr.arpa — do not appear in the named.conf posted above either, and that log says the configuration was read from /etc/bind/named.conf, so it is worth confirming that the file being edited is the one this named instance actually loads.)
Mar 16 18:07:36 sd-16733 named[2936]: zone 127.in-addr.arpa/IN: loaded serial 1
Mar 16 18:07:36 sd-16733 named[2936]: zone 255.in-addr.arpa/IN: loaded serial 1
Mar 16 18:07:36 sd-16733 named[2936]: zone localhost/IN: loaded serial 2
Note how its not saying:
zone apevl.ch/IN loaded.
File permissions on the zone file allow bind to read them?
ASKER
> File permissions on the zone file allow bind to read them?
Interesting idea...
Following one of your idea above I have amended the named.conf
allow-recursion { trusted; };
to
allow-recursion { any; };
but I still get query refused...
Hmm.....
Anyway thanks for your help & efforts !
alex
Interesting idea...
drwxr-xr-x  6 root bind  4096 2009-02-23 11:27 named
drwxr-xr-x 3 Â bind bind 4096 2009-03-15 02:43 etc
drwxr-xr-x 5  bind bind  4096 2009-03-15 01:50 sites
drwxr-xr-x 2 Â bind bind 4096 2009-01-29 23:31 apevl.ch
-rw-r--r-- Â Â 1 Â bind bind 719 2009-03-16 18:03 forward.zone
Seems ok drwxr-xr-x 3 Â bind bind 4096 2009-03-15 02:43 etc
drwxr-xr-x 5  bind bind  4096 2009-03-15 01:50 sites
drwxr-xr-x 2 Â bind bind 4096 2009-01-29 23:31 apevl.ch
-rw-r--r-- Â Â 1 Â bind bind 719 2009-03-16 18:03 forward.zone
Following one of your idea above I have amended the named.conf
allow-recursion { trusted; };
to
allow-recursion { any; };
but I still get query refused...
Hmm.....
Anyway thanks for your help & efforts !
alex
HI
i was monitoring this question, just want to add something
in my last post, i told you to check yourdomain  with a site which is checkdns.net
i just checked again
its still giving the error
Tried to fetch SOA record for domain, but DNS server ns.apevl.ch [88.191.98.49] returned error code Refused
as @Uberpappa mentioned, it's a permission issue, but I don't think it's a file permission issue
the named.conf file you attached, is that your full named.conf file ??
do you have any view clause in named.conf file ??
i was monitoring this question, just want to add something
in my last post, i told you to check yourdomain  with a site which is checkdns.net
i just checked again
its still giving the error
Tried to fetch SOA record for domain, but DNS server ns.apevl.ch [88.191.98.49] returned error code Refused
as @Uberpappa mentioned, it's a permission issue, but I don't think it's a file permission issue
the named.conf file you attached, is that your full named.conf file ??
do you have any view clause in named.conf file ??
Can you allow me access to the box for 15 minutes? We can open up a screen session so that we share the same screen. If you're up for it, mail me at uberpappa123 at gmail dot com
ASKER
Hi
Thanks for jumping in :)
> the named.conf file you attached, is that your full named.conf file ??
Verbatim (except for the allow-recursion { any; }; as per above
> do you have any view clause in named.conf file ??
Not sure to understand your question... ?
Regards
alex
Thanks for jumping in :)
> the named.conf file you attached, is that your full named.conf file ??
Verbatim (except for the allow-recursion { any; }; as per above
> do you have any view clause in named.conf file ??
Not sure to understand your question... ?
Regards
alex
Ok what i was saying is, in named.conf do you have this kind of line
#view localhost_resolver {
#    match-clients    { localhost; };
# Â Â Â match-destinations { localhost; };
# Â Â Â recursion yes;
    include "/etc/named.rfc1912.zones" ;
#};
Is this a Debian system or Red Hat?
The error I am seeing on checkdns.net — I had the same error, which I solved by deleting those files.
have a look this one
https://www.experts-exchange.com/questions/23710035/Dns-server-returned-error-code-Refused.html
#view localhost_resolver {
#    match-clients    { localhost; };
# Â Â Â match-destinations { localhost; };
# Â Â Â recursion yes;
    include "/etc/named.rfc1912.zones"
#};
Is this a Debian system or Red Hat?
The error I am seeing on checkdns.net — I had the same error, which I solved by deleting those files.
have a look this one
https://www.experts-exchange.com/questions/23710035/Dns-server-returned-error-code-Refused.html
ASKER
Hi
Debian system (Ubuntu 8.1 server)
But no view directives....
alex
Debian system (Ubuntu 8.1 server)
But no view directives....
alex
fosiul01:
In the log posted in the thread that you refer to, there is:
Sep  7 13:10:07 vps named[2641]: zone xx.co.uk/IN/localhost_reso lver: loaded serial 2008021501
In the logs posted in this thread, there is no:
Mar 16 18:07:36 sd-16733 named[2936]: zone apevl.ch/IN: loaded serial xxx
That is what is leading me towards something that is causing the zone file not to be loaded, like a syntax error, or a file permission problem.
In the log posted in the thread that you refer to, there is:
Sep  7 13:10:07 vps named[2641]: zone xx.co.uk/IN/localhost_reso
In the logs posted in this thread, there is no:
Mar 16 18:07:36 sd-16733 named[2936]: zone apevl.ch/IN: loaded serial xxx
That is what is leading me towards something that is causing the zone file not to be loaded, like a syntax error, or a file permission problem.
@Uberpappa , yes you are right,
it's syntax or file permissions...
@author, you said, that the solution i provided in last question thats worked , then again this problem started,
did you change anything ??
ok lets try with the syntax first,
can you try the syntax below? Copy your original one as a backup, then paste this code into sites/apevl.ch/forward.zone
$TTL 14400
@ 86400 Â Â IN Â Â Â SOA Â Â ns.apevl.ch. Â Â domainadmin.apevl.ch. (
         2009031602    ; Serial
         3600       ; Refresh
         360       ; Retry
         1209600    ; Expire
         3600 )    ; Min TTL
           Â
   IN   NS     ns.apevl.ch.
   IN     NS   ns1.apevl.ch.
   IN    NS    ns2.mydyndns.org.
   IN    NS    ns3.mydyndns.org.
   IN    NS    ns4.mydyndns.org.
   IN    NS    ns5.mydyndns.org.
   IN    MX    10    aspmx.l.google.com.
   IN    MX    20    alt1.aspmx.l.google.com.
   IN    MX    30    alt2.aspmx.l.google.com.
Dont add the rest , just stick with the basic one, see what happens.
First we need to fix why your SOA record is not readable by the outside world.
If we can fix this, that problem should be all right.
its syntax or file permission...
@author, you said, that the solution i provided in last question thats worked , then again this problem started,
did you change anything ??
ok lets try with the syntax first,
can you try with the bellow syntax , Copy your original one as backup, then past this code in the sites/apevl.ch/forward.zon
$TTL 14400
@ 86400 Â Â IN Â Â Â SOA Â Â ns.apevl.ch. Â Â domainadmin.apevl.ch. (
         2009031602    ; Serial
         3600       ; Refresh
         360       ; Retry
         1209600    ; Expire
         3600 )    ; Min TTL
           Â
   IN   NS     ns.apevl.ch.
   IN     NS   ns1.apevl.ch.
   IN    NS    ns2.mydyndns.org.
   IN    NS    ns3.mydyndns.org.
   IN    NS    ns4.mydyndns.org.
   IN    NS    ns5.mydyndns.org.
   IN    MX    10    aspmx.l.google.com.
   IN    MX    20    alt1.aspmx.l.google.com.
   IN    MX    30    alt2.aspmx.l.google.com.
Dont add the rest , just stick with the basic one, see what happens.
First we need to fix why your SOA record is not readable by the outside world.
If we can fix this, that problem should be all right.
your domain is working now!!
so    @@Uberpappa fixed it then
where was the problem ??
so    @@Uberpappa fixed it then
where was the problem ??
ASKER CERTIFIED SOLUTION
Ok, that's fine, nice to see your efforts on this question.
So you're saying that just restarting BIND solved his issue?
so you saying , just restart the bind solved his issue ?/
Thats what it boils down to, yes
And the error is back ... haha
LOL !! weird..
anyway, main thing his problem is solved.
good luck you both
anyway, main thing his problem is solved.
good luck you both
Nope its not... its giving refused again, test it
ASKER
As mentioned by Uberpappa a simple restart solved the problem... Not quite sure to understand the exact nature of it but will monitor the whole thing very closely !
ANYWAY A BIG THANK YOU for all your efforts !!
ANYWAY A BIG THANK YOU for all your efforts !!
hmmm, in that case i will tell @author,
to remove bind, and install again from scratch .
it might be a BIND installation issue
to remove bind, and install again from scratch .
it might be a BIND installation issue
ASKER
This is CRAZY !!
ASKER
What would be the clean way to reinstall BIND ?
Just Remove the Bind, and install it again.. it might help you.
Backup your configs,
Remove any custom packages, and
apt-get --purge remove bind
apt-get --purge remove bind9
Move /etc/bind to /etc/bind.bac
Move /var/named to /var/named.bac
Then
apt-get install bind9
And take it from there again
Remove any custom packages, and
apt-get --purge remove bind
apt-get --purge remove bind9
Move /etc/bind to /etc/bind.bac
Move /var/named to /var/named.bac
Then
apt-get install bind9
And take it from there again
have a look this one how to remove
https://www.linuxquestions.org/questions/debian-26/remove-bind-from-debian-sarge-331699/
apt-get --purge remove bind
https://www.linuxquestions.org/questions/debian-26/remove-bind-from-debian-sarge-331699/
apt-get --purge remove bind
After removing, also check for any hanging processes:
ps -ef |grep named
ps -ef |grep bind
kill them all, if any
Then re-install
ps -ef |grep named
ps -ef |grep bind
kill them all, if any
Then re-install
      IN    NS   ns
ns.apevl.ch. A 88.191.98.49
ns1.apevl.ch. A 88.191.98.49
apevl.ch. Â Â Â IN Â Â Â A Â Â Â 88.191.98.49
   IN   N     ns.apevl.ch.
   IN     NS   ns1.apevl.ch.
There is a typo "IN N" instead of "IN NS"
Also, a duplication. You say "IN NS ns" in the beginning, and then "IN NS ns.apevl.ch." later.
I'll post a corrected file shortly...