DNS query denied

Discussion in 'Installation/Configuration' started by Captain, Apr 8, 2010.

  1. Captain

    Captain Member

    Hello!

    I have ISPConfig 2.2.35 on Ubuntu 9.10.
    One client wants to use google.com MX servers.
    In ISPConfig I wrote the DNS records of the Google.com MX and SPF for google.com.
    But after that I have this log:
    Code:
    Apr  7 20:02:38 itex named[28098]: client 121.121.195.94#23332: query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN' denied
    Apr  7 20:02:39 itex named[28098]: client 121.121.195.94#23369: query (cache) 'ALT2.ASPMX.L.GOOGLE.COM/A/IN' denied
    Apr  7 20:02:40 itex named[28098]: client 121.121.195.94#23386: query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied
    Apr  7 20:02:40 itex named[28098]: client 190.84.67.181#60549: query (cache) 'ASPMX.L.GOOGLE.com/A/IN' denied
    Apr  7 20:02:41 itex named[28098]: client 121.121.195.94#23407: query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN' denied
    Apr  7 20:02:42 itex named[28098]: client 190.84.67.181#60565: query (cache) 'aspmx.googlemail.com/A/IN' denied
    Apr  7 20:02:43 itex named[28098]: client 121.121.195.94#23435: query (cache) 'ASPMX3.GOOGLEMAIL.COM/A/IN' denied
    Apr  7 20:02:43 itex named[28098]: client 190.84.67.181#60586: query (cache) 'ASPMX2.googlemail.com/A/IN' denied
    Apr  7 20:02:44 itex named[28098]: client 121.121.195.94#23452: query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN' denied
    Apr  7 20:02:44 itex named[28098]: client 190.84.67.181#60618: query (cache) 'ASPMX3.googlemail.com/A/IN' denied
    Apr  7 20:02:45 itex named[28098]: client 121.121.195.94#23466: query (cache) 'ASPMX5.GOOGLEMAIL.COM/A/IN' denied
    Apr  7 20:02:45 itex named[28098]: client 190.84.67.181#60648: query (cache) 'ASPMX4.googlemail.com/A/IN' denied
    Apr  7 20:02:46 itex named[28098]: client 190.84.67.181#60666: query (cache) 'ASPMX5.googlemail.com/A/IN' denied
    Apr  7 20:02:47 itex named[28098]: client 190.84.67.181#60697: query (cache) 'ALT1.ASPMX.L.GOOGLE.com/A/IN' denied
    Apr  7 20:02:48 itex named[28098]: client 190.84.67.181#60715: query (cache) 'ALT2.ASPMX.L.GOOGLE.com/A/IN' denied
    
    Zonefile of this client is:
    Code:
    $TTL        86400
    @       IN      SOA     ns.domain.com. support.domain.com. (
                            2010040601       ; serial, todays date + todays serial #
                            10800              ; refresh, seconds
                            3600              ; retry, seconds
                            604800              ; expire, seconds
                            86400 )            ; minimum, seconds
    ;
                    NS      ns.domain.com.              ; Inet Address of name server 1
                    NS      ns2.domain.com.              ; Inet Address of name server 2
    ;
    
      MX      10 ASPMX4.GOOGLEMAIL.COM.
      MX      10 ASPMX3.GOOGLEMAIL.COM.
      MX      10 ASPMX2.GOOGLEMAIL.COM.
      MX      10 aspmx.googlemail.com.
      MX      10 ALT2.ASPMX.L.GOOGLE.COM.
      MX      10 ALT1.ASPMX.L.GOOGLE.COM.
      MX      10 ASPMX.L.GOOGLE.COM.
      MX      10 ASPMX5.GOOGLEMAIL.COM.
    
    domain.com.      A        123.123.123.123
    www       A       123.123.123.123
    
    mail       CNAME  ghs.google.com.
    
    domain.com.       TXT  "v=spf1 a mx ptr mx:aspmx.googlemail.com include:aspmx.googlemail.com ~all"
    
    ;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;
    
    Any ideas?

    Thanks!
     
  2. falko

    falko Super Moderator ISPConfig Developer

    What's in /etc/resolv.conf?
     
  3. Captain

    Captain Member

    Code:
    domain domain.com
    search domain.com
    nameserver 127.0.0.1
    nameserver 192.168.123.110
    
     
  4. falko

    falko Super Moderator ISPConfig Developer

    I guess your local DNS server doesn't allow recursive queries. Please use your ISP's nameservers in /etc/resolv.conf instead of 127.0.0.1.
     
  5. Captain

    Captain Member

    Ok, thanks.

    I have two DNS servers:

    1. My own BIND9 DNS server, IP: 123.123.123.123
    2. My ISP's DNS server, IP: 234.234.234.234

    Now I use two servers for my hosting panel ISPConfig 2.

    Why can't I use my DNS server?

    Now my /etc/resolv.conf is:

    Code:
    domain domain.com
    search domain.com
    nameserver 234.234.234.234
    nameserver 192.168.123.110
    
    Where 234.234.234.234 is my ISP's DNS server IP address.

    Is it right?

    Thanks.
     
  6. falko

    falko Super Moderator ISPConfig Developer

    That should work. Do you still get named errors in your logs?
     
  7. Captain

    Captain Member

    Yes! I still get these errors!
    I tried entering the ISP's primary DNS IP address first, and the ISP's secondary DNS server too.
     
  8. createch

    createch ISPConfig Developer ISPConfig Developer

    Try this...

    domain domain.com
    search domain.com
    nameserver 234.234.234.234
    nameserver 192.168.123.110 << delete this line



    Save resolv.conf, restart the named service and see whether there are still any errors.
     
  9. Captain

    Captain Member

    Still have problem.
     
  10. createch

    createch ISPConfig Developer ISPConfig Developer

    Assuming that your problem is due to a recursion issue, then please:

    1. edit the file /etc/resolv.conf and save it like this (XXX.XXX.XXX.XXX = name server of your ISP)

    ======================
    search xxxx.com
    nameserver XXX.XXX.XXX.XXX
    ======================

    2. edit /var/named/chroot/etc/named.conf; in the options section, add the following line:

    allow-recursion { any; };

    So the result should be like this:
    ==========================
    options {

    XXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXX

    allow-recursion { any; };

    };

    ===========================

    Restart the named service and see what the result is.
     
  11. Captain

    Captain Member

    It works OK. But now I have an open DNS server. It is not safe.
    What can I do to secure my DNS?
    Thank you!
     
  12. createch

    createch ISPConfig Developer ISPConfig Developer

    Firstly, nice to note that you have overcome the problem.

    For the recursion, if you don't want an open DNS, you may change the setting from "any" to a range of IPs suitable for your case, such as:

    allow-recursion { IP1; IP2; };

    [For me I enter my server's 2 static IPs as IP1 and IP2]

    See the following link for details:
    http://www.zytrax.com/books/dns/ch7/queries.html

    Enjoy....
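The restricted form of that setting, carried through as a complete BIND 9 options block. This is an added example, not createch's configuration or anything shipped by ISPConfig; the addresses are placeholders (the server's own IPs as quoted in the thread plus an assumed LAN range) to be replaced with the networks that are actually allowed to use the server as a resolver:

```conf
// Added example (not from the thread or ISPConfig): keep recursion closed to the
// Internet while still answering authoritatively for the zones this server hosts.
// All addresses below are placeholders; replace them with your own.
acl "trusted" {
    127.0.0.1;             // the server itself, so 127.0.0.1 keeps working in resolv.conf
    123.123.123.123;       // the server's public address (placeholder from the thread)
    192.168.123.0/24;      // assumed local network that may use this server as a resolver
};

options {
    directory "/var/cache/bind";   // Debian/Ubuntu default working directory

    // Anyone may ask about the zones this server hosts; that is what an
    // authoritative server is for.
    allow-query { any; };

    // Only trusted clients may ask this server to resolve names it is not
    // authoritative for. "any" here turns the server into an open resolver.
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };

    // Do not advertise the BIND version in CHAOS-class version.bind queries.
    version "not disclosed";
};
```

With this in place, outside clients still receive authoritative answers for the hosted zones, but a request to resolve a name outside them (such as the A records of the Google MX hosts) is refused and logged exactly as in the first post. Those "query (cache) ... denied" lines are the server doing its job, not a fault; the only setting that would silence them for the whole Internet is the `any` value, which makes the server an open resolver that can be abused for reflection and amplification. BIND emits these messages in its `security` logging category, so if the volume is the real nuisance they can be routed to a separate log channel instead. Validate the file with `named-checkconf` before reloading named.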
     
  13. Captain

    Captain Member

    Thank you!

    But I have this problem only with the Google MX.
    And I don't know which IPs the recursion from the google.com MX comes from.
    If I enter my server IPs, I suppose the problem will return.
     
  14. createch

    createch ISPConfig Developer ISPConfig Developer

    Try this...

    Do an NS lookup to check the IPs of the Google mail servers concerned, and then enter them into the recursion list (remember to add your servers' IPs into the recursion list too).

    Restart the named service, see whether everything is fine. (Let us know)
     
  15. Captain

    Captain Member

    After nslookup I entered all the MX IPs, but now I have this log:
    Code:
    Apr 15 10:58:08 itex named[8012]: client 86.57.214.239#11841: query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN' denied
    Apr 15 10:58:09 itex named[8012]: client 86.57.214.239#11857: query (cache) 'ALT2.ASPMX.L.GOOGLE.COM/A/IN' denied
    Apr 15 10:58:10 itex named[8012]: client 86.57.214.239#11874: query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied
    Apr 15 10:58:11 itex named[8012]: client 86.57.214.239#11887: query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN' denied
    Apr 15 10:58:12 itex named[8012]: client 86.57.214.239#11903: query (cache) 'ASPMX3.GOOGLEMAIL.COM/A/IN' denied
    Apr 15 10:58:13 itex named[8012]: client 86.57.214.239#11923: query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN' denied
    Apr 15 10:58:14 itex named[8012]: client 86.57.214.239#11944: query (cache) 'ASPMX5.GOOGLEMAIL.COM/A/IN' denied
    
    And this log repeats with other IPs, like 86.57.214.239, 117.3.4.79, 95.56.66.114, 178.90.226.56 and so on.
     
  16. Captain

    Captain Member

    Thanks for the post, but it is not about what we are talking about.
     
  17. SupuS

    SupuS Member HowtoForge Supporter

    Hi Captain,

    I have the same problem. Did you solve it or have any information about it?

    Thanks
    SupuS
     
  18. Captain

    Captain Member

    Hi!

    No, I did not resolve it. But my DNS works great and I do not have any problems. It is only a notification and not a serious problem.
     
  19. andcha

    andcha New Member

    Well, I have a similar problem and I think one should take this very seriously. I am getting around 150,000 queries per day.

    Code:
    [email protected]:# cat /var/log/syslog.* | grep 'named\[.*\]' | grep query | grep denied | awk '{print $1,$2}' | sort -k 1,1M -k 2n | uniq -c
    154247 Nov 3
    74598 Nov 4
    
    Sample lines from /var/log/syslog

    Code:
    Nov  4 20:17:45 emone named[1123]: client 62.63.21.66#37302: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:45 emone named[1123]: client 62.63.21.66#40779: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:45 emone named[1123]: client 62.63.21.66#43524: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:45 emone named[1123]: client 62.63.21.66#52513: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:45 emone named[1123]: client 62.63.21.66#32203: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:45 emone named[1123]: client 62.63.21.66#52374: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:45 emone named[1123]: client 62.63.21.66#2300: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:47 emone named[1123]: client 5.199.169.87#52642: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:47 emone named[1123]: client 5.199.169.87#17117: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:47 emone named[1123]: client 5.199.169.87#62877: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:47 emone named[1123]: client 5.199.169.87#42421: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:48 emone named[1123]: client 5.199.169.87#3205: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:48 emone named[1123]: client 5.199.169.87#57094: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:48 emone named[1123]: client 5.199.169.87#3125: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:51 emone named[1123]: client 82.124.48.189#52454: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:51 emone named[1123]: client 82.124.48.189#10888: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:52 emone named[1123]: client 82.124.48.189#12468: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:52 emone named[1123]: client 82.124.48.189#42806: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:52 emone named[1123]: client 82.124.48.189#60218: query (cache) 'a.packetdevil.com/A/IN' denied
    Nov  4 20:17:54 emone named[1123]: client 82.124.48.189#2185: query (cache) 'a.packetdevil.com/A/IN' denied

    Tried everything in this thread but nothing works.
    Any solution, anybody?
     
    Last edited: Nov 4, 2013
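The per-day count in the one-liner above is the right instinct for judging whether the refusals are background noise or a flood. As an added example (not andcha's script and not part of ISPConfig), here is a small POSIX shell script that does the same per-day breakdown and additionally counts the refusals per source address and per queried name, so a burst from a handful of clients like the packetdevil lines above stands out at a glance. It embeds a few constructed log lines modelled on the thread's output so it runs offline, and assumes BIND's default syslog line format with IPv4 clients and a log that is already in chronological order:

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): summarise BIND
# "query (cache) '...' denied" syslog lines by day, by client address and by
# queried name. Assumes BIND's default syslog format as shown in the thread,
# IPv4 client addresses, and a log already in chronological order.

# Constructed sample lines modelled on the thread's output; the last line is an
# ordinary (allowed) query in BIND's query-log format and must not be counted.
sample_log() {
    cat <<'EOF'
Nov  4 20:17:45 emone named[1123]: client 62.63.21.66#37302: query (cache) 'a.packetdevil.com/A/IN' denied
Nov  4 20:17:45 emone named[1123]: client 62.63.21.66#40779: query (cache) 'a.packetdevil.com/A/IN' denied
Nov  4 20:17:45 emone named[1123]: client 62.63.21.66#43524: query (cache) 'a.packetdevil.com/A/IN' denied
Nov  4 20:17:47 emone named[1123]: client 5.199.169.87#52642: query (cache) 'a.packetdevil.com/A/IN' denied
Nov  4 20:17:51 emone named[1123]: client 82.124.48.189#52454: query (cache) 'a.packetdevil.com/A/IN' denied
Nov  4 20:17:52 emone named[1123]: client 82.124.48.189#12468: query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied
Nov  4 20:18:01 emone named[1123]: client 192.168.123.110#53001: query: www.domain.com IN A + (123.123.123.123)
EOF
}

# Keep only the refused cache/recursion queries; plain query-log lines and
# other named messages are dropped here.
denied_lines() {
    grep 'named\[[0-9]*\]: client [0-9.]*#[0-9]*: query (cache) .* denied'
}

# "Mon D count" per day, like the thread's one-liner (uniq -c needs adjacent
# lines, hence the chronological-order assumption).
denied_per_day() {
    denied_lines | awk '{print $1, $2}' | uniq -c | awk '{print $2, $3, $1}'
}

# "ip count", busiest client first.
denied_by_client() {
    denied_lines |
        sed -n 's/.*client \([0-9.]*\)#[0-9]*: .*/\1/p' |
        sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# "name/type/class count", most requested name first.
denied_by_name() {
    denied_lines |
        sed -n "s/.*query (cache) '\([^']*\)' denied.*/\1/p" |
        sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Client addresses whose denied-query count reaches the threshold (default 100):
# the ones worth a closer look or a packet-filter rule.
noisy_clients() {
    threshold="${1:-100}"
    denied_by_client | awk -v t="$threshold" '$2 >= t {print $1}'
}

# Full report for the log supplied on stdin (read once, reused per summary).
report() {
    input=$(cat)
    printf 'Denied queries per day:\n'
    printf '%s\n' "$input" | denied_per_day
    printf '\nDenied queries per client:\n'
    printf '%s\n' "$input" | denied_by_client
    printf '\nDenied queries per name:\n'
    printf '%s\n' "$input" | denied_by_name
}

# Usage: sh denied_report.sh /var/log/syslog   (no argument runs on the sample)
if [ -n "${1:-}" ]; then
    report < "$1"
else
    sample_log | report
fi
```

Run it as `sh denied_report.sh /var/log/syslog` to summarise a real log. A client that appears thousands of times asking for a name outside the hosted zones is a candidate for a packet-filter rule or for rate limiting at the firewall, while the authoritative answers for your own zones are unaffected by these refusals either way.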
  20. julykuy

    julykuy New Member

    I guess your local DNS server doesn't allow recursive queries.
     