Re: Bind config question, centos 5.10

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



I cannot see your firewall rules, so I maybe on the wrong track here, but...
It's not really a good idea to be running a recursive name server that is
open to the world (any;)
Your server is trying to resolve something for a client that could be
anyone.
This kind of error appears when the domain being looked up is unreachable
or delegated to the wrong name servers.

If you are not able to block incoming requests from external sources in
your firewall,
you can do it in the bind config.

eg
        allow-query-cache {
                clients;
        };

        allow-transfer {
                my_networks;
        };

        allow-recursion {
                clients;
        };
};

acl "clients" {

        127.0.0.1;
        ::1;

        //private
        10.0.0.0/8;
        172.16.0.0/12;
        192.168.0.0/16;

        //public
        203.0.113.0/24;
198.51.100.0/24;
        2001:db8::/32;
}

acl "my_networks" {
192.0.2.0/24;
}


Of course these kind of queries might still come from your "clients" anyway,
but good practice is to not provide a open recursive name server unless you
really mean too.
see https://www.us-cert.gov/ncas/alerts/TA13-088A



On Sat, Aug 16, 2014 at 2:05 AM, Chuck Campbell <campbell@xxxxxxxxxxxx>
wrote:

> I must have something mis-configured in my bond setup. Things are working,
> but
> I'm getting TONS of this sort of stuff in my log:
>
> +2001:502:ad09::4#53: 1 Time(s)
>     network unreachable resolving 'kns1.kuwaitnet.net/A/IN':
> +2001:503:231d::2:30#53: 1 Time(s)
>     network unreachable resolving 'kns1.kuwaitnet.net/A/IN':
> +2001:503:a83e::2:30#53: 1 Time(s)
>     network unreachable resolving 'kns1.kuwaitnet.net/AAAA/IN':
> +2001:503:231d::2:30#53: 1 Time(s)
>     network unreachable resolving 'kns1.kuwaitnet.net/AAAA/IN':
> +2001:503:a83e::2:30#53: 1 Time(s)
>     network unreachable resolving 'kns2.kuwaitnet.net/A/IN':
> +2001:503:231d::2:30#53: 1 Time(s)
>     network unreachable resolving 'kns2.kuwaitnet.net/A/IN':
> +2001:503:a83e::2:30#53: 1 Time(s)
>     network unreachable resolving 'kns2.kuwaitnet.net/AAAA/IN':
> +2001:503:231d::2:30#53: 1 Time(s)
>     network unreachable resolving 'kns2.kuwaitnet.net/AAAA/IN':
> +2001:503:a83e::2:30#53: 1 Time(s)
>     network unreachable resolving 'kns3.kuwaitnet.net/A/IN':
> +2001:503:231d::2:30#53: 1 Time(s)
>     network unreachable resolving 'kns3.kuwaitnet.net/A/IN':
> +2001:503:a83e::2:30#53: 1 Time(s)
>     network unreachable resolving 'kns3.kuwaitnet.net/AAAA/IN':
> +2001:503:231d::2:30#53: 1 Time(s)
>
> I'm not sure where to look. it may be the "any" in the named.conf lines
> below,
> but I'm not sure.
> My named.conf looks like this:
> options {
>         listen-on port 53 { 127.0.0.1; any; };
> #       listen-on-v6 port 53 { ::1; };
>         directory       "/var/named";
>         dump-file       "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>
>         // Those options should be used carefully because they disable port
>         // randomization
>         // query-source    port 53;
>         // query-source-v6 port 53;
>
>         allow-query     { localhost; any; };
>         allow-query-cache { localhost; any; };
> #       allow-query     { localhost; };
> #       allow-query-cache { localhost; };
> };
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> };
> view localhost_resolver {
>         match-clients      { localhost; any; };
>         match-destinations { localhost; any; };
> #       match-clients      { localhost; };
> #       match-destinations { localhost; };
>         recursion yes;
>         include "/etc/named.rfc1912.zones";
> };
>
> --
> ACCEL Services, Inc.| Specialists in Gravity, Magnetics |  (713)993-0671
> ph.
>                     |   and Integrated Interpretation   |  (713)993-0608
> fax
> 448 W. 19th St. #325|            Since 1992             |  (713)306-5794
> cell
>  Houston, TX, 77008 |          Chuck Campbell           |
> campbell@xxxxxxxxxxxx
>                     |  President & Senior Geoscientist  |
>
>      "Integration means more than having all the maps at the same scale!"
>
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos
>
>
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux