DNS upgrade issues, bind9.5.0_P1

so we had bind 9.3.0...

we upgraded to 9.5.0 patch 1

we kept the exact same named.conf

now we have a problem that some DMZ server can't do lookups from our DNS slave anymore.

in the named.log we see things like this:

22-Jul-2008 16:05:04.694 security: info: client <our DMZ servers IP>3#50992: query (cache) './NS/IN' denied

note I have removed our IP addresses, the IP was an external facing IP.

the question is...
what changed???
why is bind behaving in a new way?

I am very new to DNS and bind so be easy on me :)

You might need to explicitly allow queries from clients in the options section in named.conf:
example:
allow-query {
    ::1;             // IPv6 loopback (the original listed "::", the unspecified address, which matches no client)
    127.0.0.1;       // IPv4 loopback
    10.0.0.0/8;      // internal networks
    192.168.0.0/24;
};

or just allow anyone:
allow-query { any; };

Of course it would be safer to restrict queries to your clients only.

some other details on this article

Sorry your thread was sitting, I just joined and maybe I can help.

From the error, this is a recursion setting: your inside server is trying to do lookups and being denied (which you knew). I think it might be related to changes in the named.conf noted here:

  1. [security] "allow-query-cache" and "allow-recursion" now
     cross inherit from each other.

     If allow-query-cache is not set in named.conf then
     allow-recursion is used if set, otherwise allow-query
     is used if set, otherwise the default (localnets;
     localhost;) is used.

     If allow-recursion is not set in named.conf then
     allow-query-cache is used if set, otherwise allow-query
     is used if set, otherwise the default (localnets;
     localhost;) is used.


Are you using allow-recursion or allow-query-source? Are you using any sort of match-clients or anything like that? (A snip of the named.conf would help.)
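The following is an added example, not code from this thread or from BIND itself. It models the 9.5.0 inheritance rule quoted in the reply above (allow-query-cache falls back to allow-recursion, then allow-query, then the built-in "localnets; localhost;") and the allow-query advice in the first reply, so you can see why a named.conf that sets none of these options denies cache queries such as './NS/IN' from a non-local client after the upgrade. The "localnets" interface networks, the DMZ address 203.0.113.5 and both named.conf fragments are constructed for the example and are not the poster's real configuration.

```python
"""Model of BIND 9.5.0-P1 ACL inheritance for allow-query-cache / allow-recursion.

This is an illustrative model, not BIND's own ACL engine: it handles the
plain `option { elem; elem; };` form and the elements any, none, localhost,
localnets, single addresses, CIDR prefixes and a leading "!" for negation.
"""
import ipaddress
import re

# Assumption: the networks on the server's own interfaces. In BIND "localnets"
# expands to these; the values here are constructed for the example.
LOCALNETS = [ipaddress.ip_network("192.168.0.0/24"),
             ipaddress.ip_network("10.0.0.0/8")]

# BIND's built-in default for allow-query-cache and allow-recursion.
DEFAULT_ACL = ["localnets", "localhost"]

OPTS = ("allow-query", "allow-query-cache", "allow-recursion")


def parse_acls(named_conf):
    """Return {option: [elements]} for the three options present in the text."""
    acls = {}
    for name in OPTS:
        m = re.search(r"\b%s\s*\{([^}]*)\}\s*;" % re.escape(name), named_conf)
        if m:
            acls[name] = [e.strip() for e in m.group(1).split(";") if e.strip()]
    return acls


def effective_acl(acls, name):
    """Apply the cross-inheritance rule from the 9.5.0 release notes."""
    if name in acls:
        return acls[name]
    sibling = "allow-recursion" if name == "allow-query-cache" else "allow-query-cache"
    if sibling in acls:
        return acls[sibling]
    if "allow-query" in acls:
        return acls["allow-query"]
    return list(DEFAULT_ACL)


def acl_allows(acl, client_ip):
    """First matching element wins; a negated match denies; no match denies."""
    ip = ipaddress.ip_address(client_ip)
    for elem in acl:
        negate = elem.startswith("!")
        target = elem[1:].strip() if negate else elem
        if target == "any":
            hit = True
        elif target == "none":
            hit = False
        elif target == "localhost":
            hit = ip.is_loopback
        elif target == "localnets":
            hit = any(ip in net for net in LOCALNETS)
        else:
            hit = ip in ipaddress.ip_network(target, strict=False)
        if hit:
            return not negate
    return False


def cache_query_allowed(named_conf, client_ip):
    """Would a query answered from cache (the './NS/IN' case in the log) pass?"""
    acls = parse_acls(named_conf)
    return acl_allows(effective_acl(acls, "allow-query-cache"), client_ip)


# Constructed: a 9.3-era options block that never set any allow-* option.
# Under 9.5 the built-in default "localnets; localhost;" now governs cache queries.
OLD_CONF = """
options {
    directory "/var/named";
    recursion yes;
};
"""

# Constructed: the same block with the DMZ network (203.0.113.0/24, assumed)
# added to the cache and recursion ACLs, while plain queries stay open.
FIXED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-query-cache { localhost; localnets; 203.0.113.0/24; };
    allow-recursion  { localhost; localnets; 203.0.113.0/24; };
};
"""

DMZ_CLIENT = "203.0.113.5"  # constructed stand-in for the external-facing DMZ address

if __name__ == "__main__":
    for label, conf in (("old", OLD_CONF), ("fixed", FIXED_CONF)):
        eff = effective_acl(parse_acls(conf), "allow-query-cache")
        print(label, "effective allow-query-cache:", eff,
              "-> DMZ allowed:", cache_query_allowed(conf, DMZ_CLIENT))
```

Run as a script it shows the old config resolving to the default ACL and denying the DMZ client, and the fixed config admitting it; the same model also shows that setting only allow-recursion silently becomes the allow-query-cache ACL, which is the surprise the release note describes. The real check is still `named-checkconf` followed by `dig @slave . NS` from the DMZ host.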