Alexandre Takacs

asked on 3/16/2009

BIND requests denied - again...

Folks

Having more problems with my BIND server.

I already posted a question https://www.experts-exchange.com/questions/24220201/BIND-not-working-denied-requests.html for a similar problem I thought it was fixed. However I have again denied requests:

Mar 16 09:40:06 xxx named[2932]: client 70.86.70.34#1151: query (cache) 'apevl.ch/NS/IN' denied

I muss confess I am at loss to explain why those queries are rejected whereas they where working a few days ago with an unchanged config...

Anyway my named.conf file:

------------------------------------------------
options {
directory "/etc";
pid-file "/var/run/named.pid";
statistics-file "/var/run/named.stats";
version "Surely you must be joking";
listen-on port 53 { 88.191.98.49; 127.0.0.1; };
allow-recursion { trusted; };
allow-query { any; };
allow-query-cache { any; };
};

controls {
inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

acl "trusted" {
88.191.98.49;
127.0.0.1;
};

key "rndc_key" {
algorithm hmac-md5;
      secret "PUSNeyNcuyQep6BbzLYYGAeOL+V8ItICcnldf5LAWSbyKl9fGOj6eHejgD+XKGjEb9WH/EJXYGNAJjl+8StWcQ==";
};

logging {
channel channel_info {
file "/etc/bind.log" versions 3 size 5m;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};

channel channel_notice {
file "/etc/bindnotice.log" versions 3 size 5m;
severity notice;
print-time yes;
print-severity yes;
print-category yes;
};

# default
category default             { channel_notice; };
category general       { channel_notice; };
category client      { channel_notice; };
category config { channel_notice; };
category database { channel_notice; };
category dnssec { channel_notice; };
category lame-servers { channel_notice; };
category network { channel_notice; };
category notify { channel_info; };
category queries { channel_notice; };
category resolver { channel_notice; };
category security { channel_info; };
category update { channel_info; };
category update-security { channel_info; };
category xfer-in { channel_info; };
category xfer-out { channel_info; };
category unmatched { channel_notice; };
category dispatch { channel_notice; };
category delegation-only { channel_notice; };
category edns-disabled { channel_notice; };

channel default_debug {
      file "/etc/named.run";
      severity dynamic;
};

channel default_stderr {
      stderr;
      severity info;
};

channel null {
      null;
};
};

zone "." {
type hint;
file "/etc/root.hints";
};

zone "localhost" {
type master;
file "/etc/localhost";
};

zone "0.0.127.in-addr.arpa" {
type master;
file "/etc/127.0.0";
};

zone "apevl.ch" IN {
      type master;
      file "sites/apevl.ch/forward.zone";
      allow-transfer { 127.0.0.1; 204.13.249.75; 208.78.69.75; 208.78.69.138; 204.13.249.138; 91.198.22.75; 91.198.22.138; 203.62.195.75; 203.62.195.76; 204.13.249.76; };
      allow-update { none; };
      allow-query { any; };
      zone-statistics yes;
      notify no;
      also-notify { };
};

zone "49.98.191.88.in-addr.arpa" {
      type master;
      file "sites/apevl.ch/reverse.zone.ipv4";
      allow-transfer { 127.0.0.1; 204.13.249.75; 208.78.69.75; 208.78.69.138; 204.13.249.138; 91.198.22.75; 91.198.22.138; 203.62.195.75; 203.62.195.76; 204.13.249.76; };
      allow-update { none; };
      allow-query { any; };
      zone-statistics yes;
      notify no;
      also-notify { };
};

------------------------------------------------

and my forward.zone

------------------------------------------------

$TTL 14400;
@      IN      SOA      apevl.ch.      ns.apevl.ch. (
                  2009031503      ; Serial
                  3600            ; Refresh
                  360            ; Retry
                  1209600      ; Expire
                  3600 )      ; Min TTL

            IN      NS ns

ns.apevl.ch. A 88.191.98.49

ns1.apevl.ch. A 88.191.98.49

apevl.ch.      IN      A      88.191.98.49

      IN N       ns.apevl.ch.
      IN       NS ns1.apevl.ch.
      IN      NS      ns2.mydyndns.org.
      IN      NS      ns3.mydyndns.org.
      IN      NS      ns4.mydyndns.org.
      IN      NS      ns5.mydyndns.org.

      IN      MX      10      aspmx.l.google.com.

      IN      MX      20      alt1.aspmx.l.google.com.

      IN      MX      30      alt2.aspmx.l.google.com.

mail.apevl.ch. IN CNAME ghs.google.com.

www.apevl.ch. IN CNAME ghs.google.com.

google34160a471ab995a5.apevl.ch.      IN      CNAME      google.com.

------------------------------------------------

Any idea & suggestion MOST welcome :)

Regards

DNSLinuxInternet Protocols

Last Comment

Morne Lategan

8/22/2022 - Mon

Morne Lategan

3/16/2009

In your zone definition file, you have:

IN NS ns

ns.apevl.ch. A 88.191.98.49

ns1.apevl.ch. A 88.191.98.49

apevl.ch. IN A 88.191.98.49

IN N ns.apevl.ch.
IN NS ns1.apevl.ch.

There is a typo "IN N" instead of "IN NS"

Also, a duplication. You say "IN NS ns" in the beginning, and then "IN NS ns.apevl.ch." later.

I'll post a corrected file shortly...

Morne Lategan

3/16/2009

Also you had the SOA line wrong. It should be:

domain SOA PrimaryServer DomainAdminEmailAddress like in the attached.

See if this works. I might have a typo as I didnt test it, but it should work fine.

$TTL 14400;
@       IN      SOA     ns.apevl.ch.    domainadmin.apevl.ch. (
                  2009031503      ; Serial
                  3600            ; Refresh
                  360            ; Retry
                  1209600      ; Expire
                  3600 )      ; Min TTL
 
        IN      NS      ns.apevl.ch.
        IN      NS      ns2.mydyndns.org.
        IN      NS      ns3.mydyndns.org.
        IN      NS      ns4.mydyndns.org.
        IN      NS      ns5.mydyndns.org.
 
        IN      MX      10 aspmx.l.google.com.
        IN      MX      20 al1.aspmx.l.google.com.
        IN      MX      30 alt2.asmpx.l.google.com.
 
ns			IN      A       88.191.98.49
mail    		IN      CNAME   ghs.google.com.
www     		IN      CNAME   ghs.google.com.
google34160a471ab995a5	IN      CNAME	google.com.

Open in new window

Alexandre Takacs

3/16/2009

ASKER

Hi

Good catch about the typos !

Amended forward.zone:

$TTL 14400;
@ IN SOA ns.apevl.ch. domainadmin.apevl.ch. (
2009031601 ; Serial
3600 ; Refresh
360 ; Retry
1209600 ; Expire
3600 ) ; Min TTL

IN NS ns

ns.apevl.ch. A 88.191.98.49

ns1.apevl.ch. A 88.191.98.49

apevl.ch. IN A 88.191.98.49

IN NS ns.apevl.ch.
IN NS ns1.apevl.ch.
IN NS ns2.mydyndns.org.
IN NS ns3.mydyndns.org.
IN NS ns4.mydyndns.org.
IN NS ns5.mydyndns.org.

IN MX 10 aspmx.l.google.com.

IN MX 20 alt1.aspmx.l.google.com.

IN MX 30 alt2.aspmx.l.google.com.

mail.apevl.ch. IN CNAME ghs.google.com.

www.apevl.ch. IN CNAME ghs.google.com.

google34160a471ab995a5.apevl.ch. IN CNAME google.com.

Alas dns requests still being denied

Mar 16 11:15:40 xxx named[2939]: client 70.86.70.34#62665: query (cache) 'ns.apevl.ch/CNAME/IN' denied

Any idea ?

Regards

alex

Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!

Walt Forbes

Morne Lategan

3/16/2009

Is this a registered domain on the Internet, or an internal domain? I'm asking because I cannot resolve the name servers for the domain from the outside, which means it has not been registered with the .ch authoritives.

Where did you do that query from? Is 70.68.70.34 your workstation?

Alexandre Takacs

3/16/2009

ASKER

Definitely registered with proper delegation as far as I can tell

70.68.70.34 is probably dnsstuf.com (running their test to validate my dns - which doesn't work)

Doing a query from my workstation works (kind of)

C:\Users\Alex>nslookup www.apevl.ch 88.191.98.49
Server: UnKnown
Address: 88.191.98.49

*** UnKnown can't find www.apevl.ch: Query refused

(ie I get to the server but the query is refused which is my problem)

Morne Lategan

3/16/2009

from outside:

host -r NS apevl.ch

apevl.ch NS record not found, try again

Also, if I do:

host -t NS ch.

to get the authoritives for ch and I query them individually, it returns not NS record.

But that is another issue.

Have you tried copying my config file as-is? Just for a test.

I see you still have the duplication in your file. "IN NS ns" does not have a dot at the end, which means it will be translated to "IN NS ns.@" and @ refers to the domain for which the file was created, thus: "IN NS ns" = "IN NS ns.apevl.ch." which you also have later in the file. Take one of them out.

Secondly, you have two DNS servers configured, but both point to the same IP. That is ns and ns1. This is not acceptable for most ISP's and DNS hosting companies. Try taking one out.

⚡ FREE TRIAL OFFER

Try out a week of full access for free.

Find out why thousands trust the EE community with their toughest problems.

Morne Lategan

3/16/2009

In your master config file:

zone "apevl.ch" IN {

There should not be IN there. Just:

zone "apevl.ch" {

Morne Lategan

3/16/2009

I suspect that is what's causing it. Bind is not seeing itself as the master for that zone, and hence thinks that any query for that zone is using it to lookup external domains??? (Or so I suspect)

Morne Lategan

3/16/2009

Scratch that, the IN is fine. Sorry.

Delete the ";" after

$TTL 14400;

All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat

William Peck

Morne Lategan

3/16/2009

I've now read through your config again and again and again, and my conclusion is:

Your zone file is incorrect, thus bind ignores it and as a result does not see itself as the master for that zone anymore. Any query asking about that zone, would then be seen as a recursive call, and you have:

allow-recursion { trusted; };

and trusted is defined as bind itself in:

acl "trusted" {
88.191.98.49;
127.0.0.1;
};

Thus any server except bind itself would receive "query refused" until the zone file is fixed.

The errors in your zone file, I suspect is:

ns.apevl.ch. A 88.191.98.49
ns1.apevl.ch. A 88.191.98.49

which should read:

ns.apevl.ch. IN A 88.191.98.49
ns1.apevl.ch. IN A 88.191.98.49

(you left out the IN there).

and, as staded earlier, the duplicate ns line:

IN NS ns.apevl.ch.

which should be deleted.

I hope this solves it for you!

Alexandre Takacs

3/16/2009

ASKER

Hi again

Thanks for your efforts - not quite there but I guess we are on the right track...

Here is my revised zone file, as per your suggestions

------------------------------------------------------------------------------------------
$TTL 14400
@ IN SOA ns.apevl.ch. domainadmin.apevl.ch. (
                  2009031602      ; Serial
                  3600            ; Refresh
                  360            ; Retry
                  1209600      ; Expire
                  3600 )      ; Min TTL

ns.apevl.ch. IN A 88.191.98.49

ns1.apevl.ch. IN A 88.191.98.49

apevl.ch.      IN      A      88.191.98.49

      IN NS       ns.apevl.ch.
      IN       NS ns1.apevl.ch.
      IN      NS      ns2.mydyndns.org.
      IN      NS      ns3.mydyndns.org.
      IN      NS      ns4.mydyndns.org.
      IN      NS      ns5.mydyndns.org.

      IN      MX      10      aspmx.l.google.com.

      IN      MX      20      alt1.aspmx.l.google.com.

      IN      MX      30      alt2.aspmx.l.google.com.

mail.apevl.ch. IN CNAME ghs.google.com.

www.apevl.ch. IN CNAME ghs.google.com.

google34160a471ab995a5.apevl.ch.      IN      CNAME      google.com.
------------------------------------------------------------------------------------------

Here is my BIND startup log file - seems to load fine

------------------------------------------------------------------------------------------
Mar 16 18:07:35 sd-16733 named[2936]: starting BIND 9.5.0-P2 -u bind
Mar 16 18:07:35 sd-16733 named[2936]: found 2 CPUs, using 2 worker threads
Mar 16 18:07:36 sd-16733 named[2936]: loading configuration from '/etc/bind/named.conf'
Mar 16 18:07:36 sd-16733 named[2936]: listening on IPv6 interfaces, port 53
Mar 16 18:07:36 sd-16733 named[2936]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 16 18:07:36 sd-16733 named[2936]: listening on IPv4 interface eth0, 88.191.98.49#53
Mar 16 18:07:36 sd-16733 named[2936]: default max-cache-size (33554432) applies
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 254.169.IN-ADDR.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: D.F.IP6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 8.E.F.IP6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: 9.E.F.IP6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: A.E.F.IP6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: automatic empty zone: B.E.F.IP6.ARPA
Mar 16 18:07:36 sd-16733 named[2936]: default max-cache-size (33554432) applies: view _bind
Mar 16 18:07:36 sd-16733 named[2936]: command channel listening on 127.0.0.1#953
Mar 16 18:07:36 sd-16733 named[2936]: command channel listening on ::1#953
Mar 16 18:07:36 sd-16733 named[2936]: zone 0.in-addr.arpa/IN: loaded serial 1
Mar 16 18:07:36 sd-16733 named[2936]: zone 127.in-addr.arpa/IN: loaded serial 1
Mar 16 18:07:36 sd-16733 named[2936]: zone 255.in-addr.arpa/IN: loaded serial 1
Mar 16 18:07:36 sd-16733 named[2936]: zone localhost/IN: loaded serial 2
Mar 16 18:07:36 sd-16733 named[2936]: running
------------------------------------------------------------------------------------------

Still having denied queries...

Regards

alex

Morne Lategan

3/16/2009

Mar 16 18:07:36 sd-16733 named[2936]: zone 0.in-addr.arpa/IN: loaded serial 1
Mar 16 18:07:36 sd-16733 named[2936]: zone 127.in-addr.arpa/IN: loaded serial 1
Mar 16 18:07:36 sd-16733 named[2936]: zone 255.in-addr.arpa/IN: loaded serial 1
Mar 16 18:07:36 sd-16733 named[2936]: zone localhost/IN: loaded serial 2

Note how its not saying:

zone apevl.ch/IN loaded.

⚡ FREE TRIAL OFFER

Try out a week of full access for free.

Find out why thousands trust the EE community with their toughest problems.

Morne Lategan

3/16/2009

File permissions on the zone file allow bind to read them?

Alexandre Takacs

3/16/2009

ASKER

> File permissions on the zone file allow bind to read them?

Interesting idea...

drwxr-xr-x 6 root bind 4096 2009-02-23 11:27 named
drwxr-xr-x 3 bind bind 4096 2009-03-15 02:43 etc
drwxr-xr-x 5 bind bind 4096 2009-03-15 01:50 sites
drwxr-xr-x 2 bind bind 4096 2009-01-29 23:31 apevl.ch
-rw-r--r-- 1 bind bind 719 2009-03-16 18:03 forward.zone

Seems ok

Following one of your idea above I have amended the named.conf

allow-recursion { trusted; };

to

allow-recursion { any; };

but I still get query refused...

Hmm.....

Anyway thanks for your help & efforts !

alex

fosiul01

3/16/2009

HI
i was monitoring this question, just want to add something

in my last post, i told you to check yourdomain with a site which is checkdns.net

i just checked again
its still giving the error

Tried to fetch SOA record for domain, but DNS server ns.apevl.ch [88.191.98.49] returned error code Refused

as @Uberpappa mentioned , its a permission issue, but i dont think its a file permission issue

then named.conf file you attached, is that your full named.conf file ??

do you have any view clause in named.conf file ??

Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!

James Murphy

Morne Lategan

3/16/2009

Can you allow me access to the box for 15 minutes? We can open up a screen session so that we share the same screen. If you're up for it, mail me at uberpappa123 at gmail dot com

Alexandre Takacs

3/16/2009

ASKER

Hi

Thanks for jumping in :)

> the named.conf file you attached, is that your full named.conf file ??

Verbatim (except for the allow-recursion { any; }; as per above

> do you have any view clause in named.conf file ??

Not sure to understand your question... ?

Regards

alex

fosiul01

3/16/2009

Ok what i was saying is, in named.conf do you have this kind of line

#view localhost_resolver {
# match-clients { localhost; };
# match-destinations { localhost; };
# recursion yes;
include "/etc/named.rfc1912.zones";
#};

is this Debain system or Redhat ??

the error i am seeing in checkdns.net, i had the same error which i solved by deleteing those file
have a look this one

https://www.experts-exchange.com/questions/23710035/Dns-server-returned-error-code-Refused.html

⚡ FREE TRIAL OFFER

Try out a week of full access for free.

Find out why thousands trust the EE community with their toughest problems.

Alexandre Takacs

3/16/2009

ASKER

Hi

Debian system (Ubuntu 8.1 server)

But no view directives....

alex

Morne Lategan

3/16/2009

fosiul01:

In the log posted in the thread that you refer to, there is:

Sep 7 13:10:07 vps named[2641]: zone xx.co.uk/IN/localhost_resolver: loaded serial 2008021501

In the logs posted in this thread, there is no:

Mar 16 18:07:36 sd-16733 named[2936]: zone apevl.ch/IN: loaded serial xxx

That is what is leading me towards something that is causing the zone file not to be loaded, like a syntax error, or a file permission problem.

fosiul01

3/16/2009

@Uberpappa , yes you are right,
its syntax or file permission...

@author, you said, that the solution i provided in last question thats worked , then again this problem started,

did you change anything ??

ok lets try with the syntax first,

can you try with the bellow syntax , Copy your original one as backup, then past this code in the sites/apevl.ch/forward.zone

$TTL 14400
@ 86400 IN SOA ns.apevl.ch. domainadmin.apevl.ch. (
2009031602 ; Serial
3600 ; Refresh
360 ; Retry
1209600 ; Expire
3600 ) ; Min TTL

IN NS ns.apevl.ch.
IN NS ns1.apevl.ch.
IN NS ns2.mydyndns.org.
IN NS ns3.mydyndns.org.
IN NS ns4.mydyndns.org.
IN NS ns5.mydyndns.org.

IN MX 10 aspmx.l.google.com.

IN MX 20 alt1.aspmx.l.google.com.

IN MX 30 alt2.aspmx.l.google.com.

Dont add the rest , just stick with the basic one, see what happens.

at first we need to fix why your SOA record is not readable by outside world..
if we can fixed this , your that problem should be allright

Your help has saved me hundreds of hours of internet surfing.

fblack61

fosiul01

3/16/2009

your domain is working now!!

so @@Uberpappa fixed it then

where was the problem ??

ASKER CERTIFIED SOLUTION

Morne Lategan

3/16/2009

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.

View this solution by signing up for a free trial.

Members can start a 7-Day free trial and enjoy unlimited access to the platform.

See Pricing Options

Start Free Trial

GET A PERSONALIZED SOLUTION

Ask your own question & get feedback from real experts

Find out why thousands trust the EE community with their toughest problems.

fosiul01

3/16/2009

Ok, thats fine, nice to see your efforts on this question.

so you saying , just restart the bind solved his issue ?/

Morne Lategan

3/16/2009

Thats what it boils down to, yes

⚡ FREE TRIAL OFFER

Try out a week of full access for free.

Find out why thousands trust the EE community with their toughest problems.

Morne Lategan

3/16/2009

And the error is back ... haha

fosiul01

3/16/2009

LOL !! wired..

anyway, main thing his problem is solved.

good luck you both

Morne Lategan

3/16/2009

Nope its not... its giving refused again, test it

I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst

William Peck

Alexandre Takacs

3/16/2009

ASKER

As mentioned by Uberpappa a simple restart solved the problem... Not quite sure to understand the exact nature of it but will monitor the whole thing very closely !
ANYWAY A BIG THANK YOU for all your efforts !!

fosiul01

3/16/2009

hmmm, in that case i will tell @author,
to remove bind, and install again from scratch .

its might be bind installation issue

Alexandre Takacs

3/16/2009

ASKER

This is CRAZY !!

⚡ FREE TRIAL OFFER

Try out a week of full access for free.

Find out why thousands trust the EE community with their toughest problems.

Alexandre Takacs

3/16/2009

ASKER

What would be the clean way to reinstall BIND ?

fosiul01

3/16/2009

Just Remove the Bind, and install it again.. it might help you.

Morne Lategan

3/16/2009

Backup your configs,

Remove any custom packages, and

apt-get --purge remove bind
apt-get --purge remove bind9

Move /etc/bind to /etc/bind.bac
Move /var/named to /var/named.bac

Then

apt-get install bind9

And take it from there again

This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.

rwheeler23

fosiul01

3/16/2009

have a look this one how to remove
https://www.linuxquestions.org/questions/debian-26/remove-bind-from-debian-sarge-331699/

apt-get --purge remove bind

Morne Lategan

3/16/2009

After removing, also check for any hanging processes:

ps -ef |grep named
ps -ef |grep bind

kill them all, if any

Then re-install