#1 2010-09-05 14:29:48

timm
Member
From: Wisconsin
Registered: 2004-02-25
Posts: 417

named query denied (Solved)

I am trying to figure out how to set up named for my local network; yes, I know it's overkill, but...

I keep getting messages like this when trying to run a pacman -Syu from a machine other than the one that is running named:

Sep  5 09:01:48 localhost named[19589]: client 192.168.50.3#52402: query (cache) 'schlunix.org/A/IN' denied

I'm also seeing this when I try to access the net from my Windows box, but I'm having no trouble surfing.

Sep  5 09:06:53 localhost named[19589]: client 192.168.50.20#6557: query (cache) 'www.wikipedia.org/A/IN' denied

I have a public nameserver in resolv.conf below the local one.  I found this morning that I can't do a pacman -Syu from 192.168.50.3 if the local nameserver is in its resolv.conf; if I take that out and leave just the public one, things work fine.

I thought this was a query-allow issue in named.conf, but it happens whether I use an acl or even any in the query-allow line.

I assume I have a setting wrong somewhere, but I'm not sure what it is.  What am I doing wrong?

named.conf:

//
// /etc/named.conf
//
// add acl (access control list) for trusted
//acl "trusted" {
//    127.0.0.1;
//    192.168.50/24;
//    192.168.55/24;
//    192.168.100/24;
//    192.168.200.24;
//};

options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    auth-nxdomain yes;
    datasize default;

    // Default security settings.
    allow-recursion { 127.0.0.1; };
    allow-transfer { none; };
    allow-update { none; };
    version none;
    hostname none;
    server-id none;
};


zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-transfer { any; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "127.0.0.zone";
    allow-transfer { any; };
};

zone "." IN {
    type hint;
    file "root.hint";
};

zone "tim.lan" IN {
    type master;
    file "tim.lan.zone";
    allow-query {localhost;192.168.50.1;192.168.50.2;192.168.50.3;192.168.50.20;192.168.50.22;};
};

zone "50.168.192.in-addr.arpa" IN {
    type master;
    file "50.168.192.zone";
//    allow-query {any;};
    allow-query {localhost;192.168.50.1;192.168.50.2;192.168.50.3;192.168.50.20;192.168.50.22;};
};

logging {
        channel xfer-log {
                file "/var/log/named.log";
                print-category yes;
                print-severity yes;
                print-time yes;
                severity info;
        };
        category xfer-in { xfer-log; };
        category xfer-out { xfer-log; };
        category notify { xfer-log; };
};

Last edited by timm (2010-09-07 19:09:28)


#2 2010-09-05 22:51:52

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: named query denied (Solved)

You need to allow recursion for your LAN/ACL, since you are not querying any of your master zones (tim.lan) but recursing to resolve other zones that you don't master for (schlunix.org).

In options{}:

allow-recursion { trusted; };

Last edited by fukawi2 (2010-09-05 22:52:42)

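The following is an added example, not code from the thread or from BIND itself: a small Python checker that reads the `acl {}` and `options { allow-recursion {...}; }` statements from a named.conf fragment and then, for each `query (cache) ... denied` line in the log, says whether that client falls inside the recursion policy. Running it against the original `allow-recursion { 127.0.0.1; }` and against the `allow-recursion { trusted; }` fix shows why LAN clients were refused and which ones the fix covers. The named.conf parser is a simplified one written for this example (it handles `acl`, `any`, `none`, `localhost` approximated as loopback, and plain addresses or prefixes; negated entries, `localnets` and keys are not supported), and both the config fragments and the log lines are constructed from what the thread shows (the 10.9.8.7 client is invented). It also flags the `network unreachable` lines that point at an IPv6 upstream, the symptom later in the thread.

```python
"""Check BIND 'query (cache) ... denied' log lines against allow-recursion.

Added example for this thread. The named.conf parser below is a deliberately
simplified one, not BIND's own.
"""
import ipaddress
import re

# Constructed named.conf fragment: the thread's acl uncommented and
# allow-recursion pointing at it, as suggested in post #2.
FIXED_CONF = """
acl "trusted" {
    127.0.0.1;
    192.168.50/24;
    192.168.55/24;
    192.168.100/24;
    192.168.200.24;   // no prefix length: BIND reads this as ONE host, not a /24
};

options {
    directory "/var/named";
    allow-recursion { trusted; };
    allow-transfer { none; };
};
"""

# Constructed fragment matching the thread's original setting (loopback only).
ORIGINAL_CONF = """
options {
    allow-recursion { 127.0.0.1; };
};
"""

# Constructed log lines in the format the thread shows (10.9.8.7 is invented).
LOG_LINES = [
    "Sep  5 09:01:48 localhost named[19589]: client 192.168.50.3#52402: query (cache) 'schlunix.org/A/IN' denied",
    "Sep  5 09:06:53 localhost named[19589]: client 192.168.50.20#6557: query (cache) 'www.wikipedia.org/A/IN' denied",
    "Sep  5 09:07:10 localhost named[19589]: client 10.9.8.7#4444: query (cache) 'example.net/A/IN' denied",
    "Sep  6 16:02:01 localhost named[26001]: error (network unreachable) resolving 'www.facebook.com/A/IN': 2001:503:c27::2:30#53",
]


def blocks(text):
    """Yield (header, body) for each `header { body };` statement in text.
    Line comments (// and #) are stripped first; brace depth is tracked so
    nested statements inside options{} don't end the block early."""
    text = re.sub(r"(//|#).*", "", text)
    i = 0
    while (start := text.find("{", i)) >= 0:
        header = text[i:start].rsplit(";", 1)[-1].strip()
        depth, j = 0, start
        while j < len(text):
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        yield header, text[start + 1:j]
        i = j + 1


def _pad_v4(token):
    """BIND accepts shortened IPv4 prefixes such as 192.168.50/24; pad to four octets."""
    if "/" in token and ":" not in token:
        addr, plen = token.split("/")
        octets = addr.split(".")
        token = ".".join(octets + ["0"] * (4 - len(octets))) + "/" + plen
    return token


def match_list(body, acls):
    """Expand an address_match_list body into ip_network objects.
    Simplification: `localhost` is loopback only; `!` negation, `localnets`
    and keys are rejected rather than silently mis-read."""
    nets = []
    for tok in (t.strip() for t in body.split(";")):
        if not tok or tok == "none":
            continue
        if tok.startswith("!") or tok == "localnets":
            raise ValueError(f"unsupported match-list element: {tok}")
        if tok == "any":
            nets += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        elif tok == "localhost":
            nets += [ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("::1/128")]
        elif tok in acls:
            nets += acls[tok]
        else:
            nets.append(ipaddress.ip_network(_pad_v4(tok), strict=False))
    return nets


def recursion_networks(conf_text):
    """Networks granted recursion by options { allow-recursion ... }.
    Without the statement this falls back to loopback, an approximation of
    BIND 9's default of `localnets; localhost;`."""
    acls, allowed = {}, None
    for header, body in blocks(conf_text):
        if header.startswith("acl "):
            acls[header.split(None, 1)[1].strip().strip('"')] = match_list(body, acls)
        elif header == "options":
            for inner, inner_body in blocks(body):
                if inner == "allow-recursion":
                    allowed = match_list(inner_body, acls)
    return allowed if allowed is not None else match_list("localhost;", acls)


def is_allowed(ip, nets):
    """True if the client address falls inside any network in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


DENIED_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query \(cache\) '(?P<q>[^']+)' denied")
UNREACH_RE = re.compile(r"error \(network unreachable\) resolving '(?P<q>[^']+)': (?P<ip>[0-9a-fA-F.:]+)#53")


def explain(line, nets):
    """Classify one named log line as (kind, address, query, verdict), or None."""
    if m := DENIED_RE.search(line):
        verdict = "covered by allow-recursion" if is_allowed(m["ip"], nets) else "NOT in allow-recursion"
        return ("denied", m["ip"], m["q"], verdict)
    if (m := UNREACH_RE.search(line)) and ":" in m["ip"]:
        return ("unreachable-v6", m["ip"], m["q"], "tried an IPv6 upstream; with no IPv6 route, start named with -4")
    return None


def analyze(conf_text, lines):
    """Run explain() over the log using the recursion policy from conf_text."""
    nets = recursion_networks(conf_text)
    return [r for r in (explain(line, nets) for line in lines) if r]


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(f"--- {label} allow-recursion ---")
        for kind, addr, query, verdict in analyze(conf, LOG_LINES):
            print(f"{kind:15} {addr:22} {query:28} {verdict}")
```

Two points worth checking in your own config with this: an entry without a prefix length (`192.168.200.24;`) matches a single host, so a whole subnet can be silently left out of the ACL, and `allow-recursion { any; }` would make the server answer recursive queries for everyone who can reach it, which is why the fix names the `trusted` list rather than `any`.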

#3 2010-09-06 21:07:37

timm
Member
From: Wisconsin
Registered: 2004-02-25
Posts: 417

Re: named query denied (Solved)

Thanks, that fixed that.  Now I've continued playing, and I'm getting things like:

Sep  6 16:02:01 localhost named[26001]: error (network unreachable) resolving 'www.facebook.com/A/IN': 2001:503:c27::2:30#53

My spouse is obviously surfing from elsewhere in the house.  If I understand my research, this is just because I'm not using IPv6 on the nameserver, is that correct?


#4 2010-09-06 22:44:49

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: named query denied (Solved)

I'm guessing so. Try adding -4 to /etc/conf.d/named to force bind to only use IPv4.


#5 2010-09-07 17:17:30

timm
Member
From: Wisconsin
Registered: 2004-02-25
Posts: 417

Re: named query denied (Solved)

Ok, adding -4 to the end of the NAMED_ARGS= string seems to have stopped the error lines in the log.

And I posted the following, so I'll leave it up, but it seems I must have had a typo somewhere.  I retyped much of the conf files after finding no errors anywhere, and now it seems to work, so that would seem to be the answer.  Thanks for your help.

-----

But one more because all of a sudden it's a problem and you're 2 for 2.  I have a mix of windows machines and linux.  I can now ping flawlessly to any machine in the network, and any on the web, from the linux machines.  But my windows machines are now giving me grief.  Pings on the local network are EXTREMELY slow on the first iteration, and there is nothing I can do to ping a certain one of my linux boxes by name. (Found this out because we use a program on that box, and suddenly this morning it didn't work.)  I can access it by IP number, but the box name comes back unknown.  The linux boxes can find it just fine using its name.  I rebooted the offending linux box just to make sure, no change.

I just realized that if I try to ping from the windows boxes using the full name, server.tim.lan, I get a "could not find host".  Pinging just the name, server, works.  The windows boxes show my linux bind box as the primary dns server.

Last edited by timm (2010-09-07 19:09:06)
