Ok. I'm in a picle now.
I recently update my ISPConfig server because of the certificate hassle in Ubuntu/Debian. Now I realise that my ISPConfig server log is full of this message...

client 38.104.58.118 query (cache) 'www.konsultoi.com/A/IN (http://www.konsultoi.com/A/IN/)' denied: 1 Time(s)

In short after updating to the Bind 9.4 the "allow-query-cache" seems to be screwed up pretty tightly.


What configuration changes would I need to do to allow any clinet to access the 9.4 DNS cache and make queries of the sites on my server?

Edit-> Found this (http://support.menandmice.com/jforum/posts/list/25.page)... I will try this now.

Edit-> That did not help. Seems only local networks can make queries to the Bind.

What's in your named.conf?

Havent changed any of it. (No manual changes seem to stay there anyway.)
I chrooted the user bind for ISPConfig.
(Also I noticed that bind does not log to /var/log/bind9/ but I still see in "logwatch" mail report what happens with bind.)

options {
pid-file "/var/run/bind/run/named.pid";
directory "/etc/bind";
auth-nxdomain no;
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};

//
// a caching only nameserver config
//
zone "." {
type hint;
file "db.root";
};

zone "0.0.127.in-addr.arpa" {
type master;
file "db.local";
};

zone "108.134.79.in-addr.arpa" {
type master;
file "pri.108.134.79.in-addr.arpa";
};
zone "35.119.217.in-addr.arpa" {
type master;
file "pri.35.119.217.in-addr.arpa";
};
zone "105.25.217.in-addr.arpa" {
type master;
file "pri.105.25.217.in-addr.arpa";

etc... etc...

And
options {
allow-recursion { any; };
allow-query { any; };
allow-query-cache { any; };
};
did not work?

It doesnt seem to want to stay there. All changes seem to dissappear after a while. I think that...

options {
allow-recursion { any; };
allow-query { any; };
allow-query-cache { any; };
};
worked but it wont stay. Maybe ISPConfig overwrites the configuration?

Maybe ISPConfig overwrites the configuration?
Yes, but you can change the named.conf template in /root/ispconfig/isp/conf. Save the modified template in the /root/ispconfig/isp/conf/customized_templates directory.

Ok. I'm now officially unbind :)
The problem was not it the servers DNS/Bind settings.

I could not belive what my tests showed me so I took Wireshark and looked at the traffic between my Vista & 2 different DNS servers.

Apparantly ALL the name queries to the ns1 work from my Vista but NO query for ns2 (different network) so I assumed that the problem was with the newer ns2 that had been upgraded.

The REASON why no query worked for the ns2 was that no query LEFT my wonderfull Vista. Yes its true. All the queries to ns2 NEVER leave my PC. All other traffic to ns2 works just fine.

Apparently this has something to do with the fact that ns2 address was changed recently to other network for security and loadbalance reasons.


Sam

"You can start laughing now."