Linux – view external: query (cache) denied on bind9/named
Tags: bind, domain-name-system, linux, named-conf
Is this an attack? I get a lot of:

```
view external: query (cache) denied
```

in /var/log/messages.
Best Answer
No, that's no hack ;) Obviously your DNS server isn't set up well. Try adding

```
nameserver 127.0.0.1
```

to the DNS server's /etc/resolv.conf and add your subnet (192.168.0.0/24) to /etc/bind/named.conf.
Have you tried using an ACL? Sounds funny, I know. Also, why is match-recursive-only turned on? Wouldn't that make your clients only get results if they are doing recursive queries?

```
acl "internal-net" {
    10.24.0.0/16; 127/8;
};

view "internal" {
    match-clients { "internal-net"; };
    # --- I'm removing this because I'm making the daft assumption
    # --- that you are trusting your clients on your internal network,
    # --- so why bother restricting them? Then there's this tidbit
    # --- from http://www.zytrax.com/books/dns/ch7/view.html#match-recursive-only
    # --- which seems to imply that the client match will fail because
    # --- the client might not be asking for recursion...
    #match-recursive-only yes;
    allow-recursion { "internal-net"; };
    allow-transfer { "internal-net"; };

    zone "ct.sierracollege.edu" {
        type master;
        file "data/db.ct.int";
    };

    include "/etc/named.rfc1912.zones";

    zone "." IN {
        type hint;
        file "named.ca";
    };
};
```
It seems you have users querying your server for names that aren't yours. If the 200k log events are all from the same client IP address, I'd block that IP in my firewall for 24-48 hours to see if they stop and report them to their ISP. If they're from many different addresses (especially from different ISPs and different parts of the world), I'd spend some time to figure out why they're querying your server.
```
dig example.com.co. NS
```
Does the above command mistakenly list your name server as an authoritative one for their domain? If so, contact them using their whois contact information.
The accepted answer's ACL for /etc/bind/named.conf:

```
acl internals { 127.0.0.0/8; 192.168.0.0/24; };
```
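The answer above that distinguishes "one client hammering the server" from "many clients worldwide" needs a quick tally of the denied queries by source address and by queried name. The following script is an added example, not code from the question or any of the answers; it parses lines in the shape BIND 9 writes its `query (cache) denied` messages to syslog (with and without the newer `@0x...` client pointer and `(name)` suffix), counts denials per client and per name, and applies a simple concentration threshold. The sample log lines, host names, addresses (RFC 5737 documentation ranges) and the 90% threshold are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Constructed sample in the shape of BIND 9 syslog output (not real traffic).
# Line 4 uses the newer format with a client pointer and the queried name in
# parentheses; line 5 is an ordinary allowed query and must be ignored.
SAMPLE_LOG = """\
Mar  3 10:01:02 ns1 named[1234]: client 203.0.113.7#41022: view external: query (cache) 'www.example.com/A/IN' denied
Mar  3 10:01:02 ns1 named[1234]: client 203.0.113.7#41023: view external: query (cache) 'mail.example.com/MX/IN' denied
Mar  3 10:01:03 ns1 named[1234]: client 203.0.113.7#41024: view external: query (cache) 'www.example.com/A/IN' denied
Mar  3 10:01:05 ns1 named[1234]: client @0x7f1c2c0a5b10 198.51.100.23#53211 (example.net): view external: query (cache) 'example.net/A/IN' denied
Mar  3 10:01:09 ns1 named[1234]: client 192.0.2.44#51001: view internal: query 'ct.sierracollege.edu/A/IN' (10.24.0.1)
"""

# "query (cache) denied" means the client matched a view (here "external") whose
# allow-recursion / allow-query-cache does not include it, and asked for a name the
# server is not authoritative for, so named refused to answer from its cache.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"view (?P<view>\S+): query \(cache\) "
    r"'(?P<qname>[^/]+)/(?P<qtype>[^/]+)/[^']+' denied"
)


def parse_denied(lines):
    """Yield (client_ip, view, qname, qtype) for every denied cache query."""
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("view"), m.group("qname"), m.group("qtype")


def summarize(lines):
    """Count denials per client address and per queried name."""
    events = list(parse_denied(lines))
    return {
        "total": len(events),
        "by_client": Counter(ip for ip, _, _, _ in events),
        "by_name": Counter(qname for _, _, qname, _ in events),
    }


def classify(summary, single_source_share=0.9):
    """'single-source' if one client produced at least `single_source_share` of the
    denials, 'none' if there were no denials, otherwise 'distributed'.
    The 0.9 default is an assumed threshold, not a BIND or page-defined value."""
    total = summary["total"]
    if total == 0:
        return "none"
    _, top_count = summary["by_client"].most_common(1)[0]
    return "single-source" if top_count / total >= single_source_share else "distributed"


def report(summary, top=10):
    """Human-readable summary: top clients and top names, plus the verdict."""
    lines = [f"denied cache queries: {summary['total']}"]
    lines.append("top clients:")
    lines += [f"  {ip:>40} {n}" for ip, n in summary["by_client"].most_common(top)]
    lines.append("top names:")
    lines += [f"  {name:>40} {n}" for name, n in summary["by_name"].most_common(top)]
    lines.append(f"verdict: {classify(summary)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run with no arguments to analyse the constructed sample, or pass a log path
    # (e.g. /var/log/messages) to analyse real output from named.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(summarize(fh)))
    else:
        print(report(summarize(SAMPLE_LOG.splitlines())))
```

A "single-source" verdict matches the answer's first case (one address, a temporary firewall block and an abuse report to its ISP); a "distributed" verdict with many different names is the second case, where the names in `by_name` tell you which domains to check with `dig <name> NS` for a stale delegation pointing at your server.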