I have a website which I host myself, and I use bind9 as my DNS server (host my own nameservers etc.). I am having a problem with traffic bandwidth, and my syslog is full of the following type of issue:

error (unexpected RCODE REFUSED) resolving '/AAAA/IN': 193.95.142.60#53
error (unexpected RCODE REFUSED) resolving '/A/IN': 2001:7c8:3:2::5#53

In today's syslog, there are 144258 instances of this, all related to. Why would my bind setup be trying to resolve (it's not my domain, nothing to do with me)? Is there anything I can do firewall-wise or bind config to stop this?

I have checked my forwarders in nf, and none of them match the IPs showing in the logs (they are all basically different IPs, not just 193.95.142.60).

My iptables reads:

Chain INPUT (policy ACCEPT)
REJECT all -- anywhere loopback/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

I've tried the following now in to block recursion.

Once I did this, I am now seeing the following in syslog:

Mar 4 00:02:21 mail named: client 127.0.0.1#42139: query (cache) '24.124.41./PTR/IN' denied

To get rid of the above, I added: additional-from-cache no

Most certainly your server is trying to resolve '' and it is failing. The reason it is failing is the NS servers for '' are not properly set up. Doing 'dig +trace' shows two NS records for the domain, but if you query those domains, there is no response.

Now the question is who is querying your server -
1. Legitimate internal users/Apps - I would not worry about this.
2. Not authorized external users - Your dns servers should allow resolving only for domains that they are authoritative for.

dig NS
dig +trace NS

If your intention is not to have an open dns server, then put a restriction in your dns configuration so that only allowed hosts can use the server for recursive

Gentoo Forums :: Networking & Security :: Error in Bind process

-rw-r----- 1 root named 77 Feb 11 00:11 rndc.key
lrwxrwxrwx 1 root root 13 Feb 11 00:11 sec -> /var/bind/sec
lrwxrwxrwx 1 root root 21 Feb 11 00:11 root.cache -> /var/bind/named.cache
drwxrwx--- 2 root named 4096 Feb 11 00:11 sec

I also noticed you are using IPv6.

Was the output to named -g -d 1 the complete output? If it was then none of your zone files were loaded. Does named-checkconf -z return your zone files ok now?

touch: cannot touch `it': Permission denied

No, it scrolled off the screen and I had a 'bot' or something accessing the site at the same time.

zone localhost/IN: loaded serial 2011021101
pri/cs-mn.zone:17: ignoring out-of-zone data (csmn2)
pri/cs-mn.zone:18: ignoring out-of-zone data (csmn1)
pri/cs-mn.zone:20: ignoring out-of-zone data (mserver)

Looks like there are errors in pri/cs-mn.zone. So when a request hits your name server, either internal or external, it wants to point it at your ISP, not your actual server; the IPs you have in your zone file are not going to work. 70.89.201.XXX is your ISP. Check lines 17, 18 and 20.

Does this mean that all the vhost sites need to go into folder?

Yes, I think the mount thing is due to the upgrade, so it looks like manually copying the files to /chroot/dns is not needed.
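For the open-resolver question above ("who is querying your server"), here is an added example, not code from either thread's posters, that aggregates the two syslog message types the question quotes together with BIND querylog lines (which appear once query logging is switched on with rndc querylog). The sample log, the names example.net and example.org and the client addresses are constructed; the two refusing upstreams are the ones the question reports.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt (not taken from either thread). It mixes the
# two message types the question quotes with BIND querylog lines, where the
# flag after the qtype is "+" when the client asked for recursion.
SAMPLE_LOG = """\
Mar  4 00:01:02 mail named: error (unexpected RCODE REFUSED) resolving 'example.net/AAAA/IN': 193.95.142.60#53
Mar  4 00:01:02 mail named: error (unexpected RCODE REFUSED) resolving 'example.net/A/IN': 2001:7c8:3:2::5#53
Mar  4 00:01:03 mail named: error (unexpected RCODE REFUSED) resolving 'example.net/A/IN': 193.95.142.60#53
Mar  4 00:02:21 mail named: client 127.0.0.1#42139: query (cache) '41.124.24.in-addr.arpa/PTR/IN' denied
Mar  4 00:02:30 mail named: client 198.51.100.7#5353: query: example.net IN A + (203.0.113.10)
Mar  4 00:02:31 mail named: client 198.51.100.7#5353: query: example.net IN AAAA + (203.0.113.10)
Mar  4 00:02:32 mail named: client 10.0.0.5#40000: query: mail.example.org IN A - (203.0.113.10)
"""

REFUSED_RE = re.compile(r"unexpected RCODE REFUSED\) resolving '([^/']+)/\w+/IN': (\S+)#\d+")
DENIED_RE = re.compile(r"client (\S+)#\d+: query \(cache\) '[^']+' denied")
QUERY_RE = re.compile(r"client (\S+)#\d+: query: \S+ IN \w+ ([+-])")

def summarize(log_text):
    """Aggregate the lines into the questions the thread asks: which upstream
    servers are refusing us and for which names, which clients were denied a
    cached answer, and which clients keep asking the server to recurse."""
    refused_servers, refused_names = Counter(), Counter()
    denied_clients, recursive_clients = Counter(), Counter()
    for line in log_text.splitlines():
        if m := REFUSED_RE.search(line):
            name, server = m.groups()
            refused_servers[server] += 1
            refused_names[name] += 1
        elif m := DENIED_RE.search(line):
            denied_clients[m.group(1)] += 1
        elif m := QUERY_RE.search(line):
            client, flag = m.groups()
            if flag == "+":  # recursion desired: a non-local client here means an open resolver
                recursive_clients[client] += 1
    return {
        "refused_servers": dict(refused_servers),
        "refused_names": dict(refused_names),
        "denied_clients": dict(denied_clients),
        "recursive_clients": dict(recursive_clients),
    }

if __name__ == "__main__":
    for key, counts in summarize(SAMPLE_LOG).items():
        print(key, sorted(counts.items(), key=lambda kv: -kv[1]))
```

Run it over the real syslog instead of SAMPLE_LOG: a long list under "recursive_clients" from addresses outside your own networks is the sign that recursion still needs to be restricted to allowed hosts, as the reply above advises.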