I cannot see your firewall rules, so I may be on the wrong track here, but... It's not really a good idea to be running a recursive name server that is open to the world (any;). Your server is trying to resolve something for a client that could be anyone. This kind of error appears when the domain being looked up is unreachable or delegated to the wrong name servers.
If you are not able to block incoming requests from external sources in your firewall, you can do it in the bind config.
eg:

// acls must be defined before the options block that references them
acl "clients" {
    127.0.0.1; ::1;
    // private
    10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
    // public
    203.0.113.0/24; 198.51.100.0/24; 2001:db8::/32;
};
acl "my_networks" { 192.0.2.0/24; };

options {
    allow-query-cache { clients; };
    allow-transfer { my_networks; };
    allow-recursion { clients; };
};
Of course these kinds of queries might still come from your "clients" anyway, but good practice is to not provide an open recursive name server unless you really mean to. See https://www.us-cert.gov/ncas/alerts/TA13-088A
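To make the difference between `{ localhost; any; }` and an acl-restricted list concrete, here is a small evaluator for BIND address-match lists. It is an added example, not code from the thread or from BIND; it implements the first-match, `!`-negation and nested-acl rules described in the BIND Administrator Reference Manual, approximates `localhost` as the loopback ranges (BIND expands it to all interface addresses), does not model `localnets`, and uses the reply's acl bodies and constructed probe addresses as sample input.

```python
"""Evaluate BIND address-match lists (the bodies of allow-recursion,
allow-query, allow-query-cache, match-clients) for a given client address.

Rules implemented, following the BIND Administrator Reference Manual:
elements are tested in order and the first hit decides; a '!' prefix turns
the hit into a denial; 'any', 'none' and 'localhost' are built-ins; a bare
name refers to another acl; a nested acl counts as a hit only when it matches
positively (a negated hit inside it means "no match" at the outer level);
a list in which nothing matches denies.
"""
import ipaddress
from typing import Dict, List, Optional

# Assumption: 'localhost' is approximated as the loopback ranges. Real BIND
# expands it to every address configured on the host's interfaces, and
# 'localnets' (the networks of those interfaces) is not modelled at all.
LOOPBACK = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def parse_list(text: str) -> List[str]:
    """Turn '{ a; !b; }' into ['a', '!b'] (input is assumed comment-free)."""
    body = text.strip().strip("{}")
    return [e.strip() for e in body.split(";") if e.strip()]


def _match(ip, elements: List[str], acls: Dict[str, List[str]]) -> Optional[bool]:
    """True = positive hit, False = negated hit, None = no element matched."""
    for element in elements:
        negate = element.startswith("!")
        name = element[1:].strip() if negate else element
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            hit = any(ip in net for net in LOOPBACK)
        elif name == "localnets":
            raise NotImplementedError("localnets depends on interface config")
        elif name in acls:
            hit = _match(ip, acls[name], acls) is True
        else:
            # A bare address or prefix; an IPv4 prefix never matches an IPv6
            # client and vice versa.
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return None


def allows(client: str, acl_text: str, acls: Optional[Dict[str, str]] = None) -> bool:
    """Would a list with this body grant the client address?"""
    ip = ipaddress.ip_address(client)
    named = {k: parse_list(v) for k, v in (acls or {}).items()}
    return _match(ip, parse_list(acl_text), named) is True


def exposure(acl_text: str, acls: Dict[str, str], probes: List[str]) -> Dict[str, bool]:
    """Map each probe address to the list's decision; handy for a quick audit."""
    return {p: allows(p, acl_text, acls) for p in probes}


# The list quoted in the original post: 'any' after 'localhost' means every
# source address matches, so recursion is open to the whole Internet.
OPEN_LIST = "{ localhost; any; }"

# The reply's suggestion, using its acl bodies. The private and documentation
# ranges are the reply's example values, not a real deployment.
ACLS = {
    "clients": "{ 127.0.0.1; ::1; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; "
               "203.0.113.0/24; 198.51.100.0/24; 2001:db8::/32; }",
    "my_networks": "{ 192.0.2.0/24; }",
}
RESTRICTED_LIST = "{ clients; }"

if __name__ == "__main__":
    # Constructed probe addresses: loopback, a private host, a 'clients' public
    # host, a host that is only in 'my_networks', and two outside addresses.
    probes = ["127.0.0.1", "192.168.1.20", "198.51.100.7",
              "192.0.2.99", "198.18.0.1", "2001:db9::1"]
    for label, text in [("open", OPEN_LIST), ("restricted", RESTRICTED_LIST)]:
        print(label, exposure(text, ACLS, probes))
```

Running it prints `True` for every probe under the open list and `False` for the two outside addresses and the `my_networks`-only host under the restricted one; the nested-acl rule is why `{ clients; }` denies rather than falls through when a client is not in the acl.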
On Sat, Aug 16, 2014 at 2:05 AM, Chuck Campbell campbell@accelinc.com wrote:
I must have something mis-configured in my bind setup. Things are working, but I'm getting TONS of this sort of stuff in my log:
+2001:502:ad09::4#53: 1 Time(s)
network unreachable resolving 'kns1.kuwaitnet.net/A/IN': +2001:503:231d::2:30#53: 1 Time(s)
network unreachable resolving 'kns1.kuwaitnet.net/A/IN': +2001:503:a83e::2:30#53: 1 Time(s)
network unreachable resolving 'kns1.kuwaitnet.net/AAAA/IN': +2001:503:231d::2:30#53: 1 Time(s)
network unreachable resolving 'kns1.kuwaitnet.net/AAAA/IN': +2001:503:a83e::2:30#53: 1 Time(s)
network unreachable resolving 'kns2.kuwaitnet.net/A/IN': +2001:503:231d::2:30#53: 1 Time(s)
network unreachable resolving 'kns2.kuwaitnet.net/A/IN': +2001:503:a83e::2:30#53: 1 Time(s)
network unreachable resolving 'kns2.kuwaitnet.net/AAAA/IN': +2001:503:231d::2:30#53: 1 Time(s)
network unreachable resolving 'kns2.kuwaitnet.net/AAAA/IN': +2001:503:a83e::2:30#53: 1 Time(s)
network unreachable resolving 'kns3.kuwaitnet.net/A/IN': +2001:503:231d::2:30#53: 1 Time(s)
network unreachable resolving 'kns3.kuwaitnet.net/A/IN': +2001:503:a83e::2:30#53: 1 Time(s)
network unreachable resolving 'kns3.kuwaitnet.net/AAAA/IN': +2001:503:231d::2:30#53: 1 Time(s)
I'm not sure where to look. It may be the "any" in the named.conf lines below, but I'm not sure. My named.conf looks like this:

options {
    listen-on port 53 { 127.0.0.1; any; };
    # listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    // Those options should be used carefully because they disable port
    // randomization
    // query-source port 53;
    // query-source-v6 port 53;

    allow-query { localhost; any; };
    allow-query-cache { localhost; any; };
    # allow-query { localhost; };
    # allow-query-cache { localhost; };
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

view localhost_resolver {
    match-clients { localhost; any; };
    match-destinations { localhost; any; };
    # match-clients { localhost; };
    # match-destinations { localhost; };
    recursion yes;
    include "/etc/named.rfc1912.zones";
};
-- 
ACCEL Services, Inc. | Specialists in Gravity, Magnetics and Integrated Interpretation | Since 1992
448 W. 19th St. #325, Houston, TX 77008
Chuck Campbell | President & Senior Geoscientist | campbell@accelinc.com
(713)993-0671 ph. | (713)993-0608 fax | (713)306-5794 cell
"Integration means more than having all the maps at the same scale!"
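Before deciding whether the "any" is the culprit, it helps to tally the log noise by upstream server and address family. The following parser is an added example, not a BIND or logwatch tool and not part of this thread; the field layout is inferred from the summarised lines quoted above, and the sample input reuses the first three of those lines plus one constructed IPv4 line (192.0.2.53 is a documentation address) so that the family split is visible. It counts, it does not diagnose the cause.

```python
"""Tally BIND 'network unreachable resolving' lines, as summarised by logwatch
("N Time(s)"), by upstream server, address family and queried name.

The parser is an added example, not a BIND or logwatch tool; the field layout
is inferred from the lines quoted in the post above. It gives an admin a quick
view of whether the failing upstream servers share a property (in the quoted
lines every one is an IPv6 address) before deciding where to look.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# One summarised entry: the queried name/type/class, then the server that
# could not be reached, then the logwatch count. The optional '+' absorbs the
# prefix that mail quoting left on each address.
ENTRY = re.compile(
    r"network unreachable resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)':\s*"
    r"\+?(?P<server>[0-9A-Fa-f:.]+)#(?P<port>\d+):\s*(?P<count>\d+) Time\(s\)"
)


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Extract every complete entry; a dangling 'addr#53: 1 Time(s)' fragment
    whose 'resolving' part was cut off is skipped rather than guessed."""
    return [m.groupdict() for m in ENTRY.finditer(text)]


def summarize(entries: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Counts per upstream server, per address family and per queried name."""
    by_server: Counter = Counter()
    by_family: Counter = Counter()
    by_name: Counter = Counter()
    for e in entries:
        n = int(e["count"])
        by_server[e["server"]] += n
        by_family["IPv%d" % ipaddress.ip_address(e["server"]).version] += n
        by_name[e["qname"]] += n
    return {"by_server": dict(by_server), "by_family": dict(by_family),
            "by_name": dict(by_name)}


# Sample input: the first three entries quoted in the post (including the
# leading fragment), plus one constructed IPv4 line (192.0.2.53 is a
# documentation address) to show the family split.
SAMPLE = (
    "+2001:502:ad09::4#53: 1 Time(s) "
    "network unreachable resolving 'kns1.kuwaitnet.net/A/IN': "
    "+2001:503:231d::2:30#53: 1 Time(s) "
    "network unreachable resolving 'kns1.kuwaitnet.net/A/IN': "
    "+2001:503:a83e::2:30#53: 1 Time(s) "
    "network unreachable resolving 'kns1.kuwaitnet.net/AAAA/IN': "
    "+2001:503:231d::2:30#53: 1 Time(s)\n"
    "network unreachable resolving 'example.net/A/IN': 192.0.2.53#53: 2 Time(s)\n"
)

if __name__ == "__main__":
    for section, counts in summarize(parse_entries(SAMPLE)).items():
        print(section)
        for key, n in sorted(counts.items(), key=lambda kv: -kv[1]):
            print(f"  {n:4d}  {key}")
```

Feed it the whole logwatch section (`summarize(parse_entries(open(path).read()))`) and the `by_family` bucket shows at once whether the unreachable servers are all one address family, while `by_name` shows whether the noise is confined to a handful of delegations.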