Hello! I have ISPConfig 2.2.35, Ubuntu 9.10. One client wants to use google.com MX servers. In ISPConfig I wrote the DNS records of the Google.com MX and the SPF for google.com. But after that I have this log:

Code:
Apr 7 20:02:38 itex named[28098]: client 121.121.195.94#23332: query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN' denied
Apr 7 20:02:39 itex named[28098]: client 121.121.195.94#23369: query (cache) 'ALT2.ASPMX.L.GOOGLE.COM/A/IN' denied
Apr 7 20:02:40 itex named[28098]: client 121.121.195.94#23386: query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied
Apr 7 20:02:40 itex named[28098]: client 190.84.67.181#60549: query (cache) 'ASPMX.L.GOOGLE.com/A/IN' denied
Apr 7 20:02:41 itex named[28098]: client 121.121.195.94#23407: query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN' denied
Apr 7 20:02:42 itex named[28098]: client 190.84.67.181#60565: query (cache) 'aspmx.googlemail.com/A/IN' denied
Apr 7 20:02:43 itex named[28098]: client 121.121.195.94#23435: query (cache) 'ASPMX3.GOOGLEMAIL.COM/A/IN' denied
Apr 7 20:02:43 itex named[28098]: client 190.84.67.181#60586: query (cache) 'ASPMX2.googlemail.com/A/IN' denied
Apr 7 20:02:44 itex named[28098]: client 121.121.195.94#23452: query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN' denied
Apr 7 20:02:44 itex named[28098]: client 190.84.67.181#60618: query (cache) 'ASPMX3.googlemail.com/A/IN' denied
Apr 7 20:02:45 itex named[28098]: client 121.121.195.94#23466: query (cache) 'ASPMX5.GOOGLEMAIL.COM/A/IN' denied
Apr 7 20:02:45 itex named[28098]: client 190.84.67.181#60648: query (cache) 'ASPMX4.googlemail.com/A/IN' denied
Apr 7 20:02:46 itex named[28098]: client 190.84.67.181#60666: query (cache) 'ASPMX5.googlemail.com/A/IN' denied
Apr 7 20:02:47 itex named[28098]: client 190.84.67.181#60697: query (cache) 'ALT1.ASPMX.L.GOOGLE.com/A/IN' denied
Apr 7 20:02:48 itex named[28098]: client 190.84.67.181#60715: query (cache) 'ALT2.ASPMX.L.GOOGLE.com/A/IN' denied

Zonefile of this client is:

Code:
$TTL        86400
@       IN      SOA     ns.domain.com. support.domain.com. (
                        2010040601  ; serial, todays date + todays serial #
                        10800       ; refresh, seconds
                        3600        ; retry, seconds
                        604800      ; expire, seconds
                        86400 )     ; minimum, seconds
;
                NS      ns.domain.com.      ; Inet Address of name server 1
                NS      ns2.domain.com.     ; Inet Address of name server 2
;
                MX      10 ASPMX4.GOOGLEMAIL.COM.
                MX      10 ASPMX3.GOOGLEMAIL.COM.
                MX      10 ASPMX2.GOOGLEMAIL.COM.
                MX      10 aspmx.googlemail.com.
                MX      10 ALT2.ASPMX.L.GOOGLE.COM.
                MX      10 ALT1.ASPMX.L.GOOGLE.COM.
                MX      10 ASPMX.L.GOOGLE.COM.
                MX      10 ASPMX5.GOOGLEMAIL.COM.
domain.com.     A       123.123.123.123
www             A       123.123.123.123
mail            CNAME   ghs.google.com.
domain.com.     TXT     "v=spf1 a mx ptr mx:aspmx.googlemail.com include:aspmx.googlemail.com ~all"
;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;

Any ideas? Thanks!
I guess your local DNS server doesn't allow recursive queries. Please use your ISP's nameservers in /etc/resolv.conf instead of 127.0.0.1.
OK, thanks. I have two DNS servers:
1. my DNS BIND9 with IP: 123.123.123.123
2. my ISP's DNS server, IP: 234.234.234.234

Now I use two servers for my hosting panel ISPConfig 2. Why can't I use my DNS server? Now my /etc/resolv.conf is:

Code:
domain domain.com
search domain.com
nameserver 234.234.234.234
nameserver 192.168.123.110

where 234.234.234.234 is my ISP's DNS server IP address. Is it right? Thanks.
Yes! I still get these errors! I tried to enter the first ISP's DNS IP address. And the secondary ISP's DNS server too.
Try this...

domain domain.com
search domain.com
nameserver 234.234.234.234
nameserver 192.168.123.110 << delete this line

Save the resolv.conf, restart the named service and see whether there are still errors.
Assuming that your problem is due to a recursion issue --- then please

1. edit the file /etc/resolv.conf and save it like this (XXX.XXX.XXX.XXX = name server of your ISP)

======================
search xxxx.com
nameserver XXX.XXX.XXX.XXX
======================

2. edit /var/named/chroot/etc/named.conf; in the options section, add the following line:

allow-recursion { any; };

So the result should be like this:

==========================
options {
    XXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXX
    allow-recursion { any; };
};
===========================

Restart the named service. See what the result is.
It works OK. But now I have an open DNS server. It is not safe. What can I do to secure my DNS? Thank you!
Firstly, nice to note that you have overcome the problem. For the recursion, if you don't want an open DNS, you may change the setting from "any" to a range of IPs suitable for your case, such as:

allow-recursion { IP1; IP2; };

[For me I enter my server's 2 static IPs as IP1 and IP2]

See the following link for details: http://www.zytrax.com/books/dns/ch7/queries.html

Enjoy....
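A way to check a named.conf for the open-resolver setting discussed in the two posts above, shown as an added example that is not part of the original thread. Both configuration samples are constructed: 123.123.123.123 is the thread's placeholder server address, and the ACL name "trusted" and the function name `audit_recursion` are hypothetical.

```shell
#!/bin/sh
# Added example: flag named.conf statements that let any client use
# recursion or the cache. Both samples below are constructed.

# Weak: the "any" setting from the thread, which makes an open resolver.
OPEN_CONF='options {
    directory "/var/named";
    allow-recursion { any; };   // answers recursive queries for everyone
};'

# Restricted: recursion and cache only for the server itself.
# 123.123.123.123 is the thread's placeholder address; the ACL name
# "trusted" is hypothetical.
RESTRICTED_CONF='acl "trusted" { 127.0.0.1; 123.123.123.123; };
options {
    directory "/var/named";
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
};'

# Reads named.conf text on stdin. Prints every allow-recursion or
# allow-query-cache statement whose address list contains "any" and
# returns 1 if there is one, 0 otherwise. /* ... */ comments are not handled.
audit_recursion() {
    _hits=$(sed -e 's://.*$::' -e 's:#.*$::' |   # strip // and # comments
            tr '\n' ' ' |                          # join multi-line statements
            grep -oE 'allow-(recursion|query-cache)[[:space:]]*\{[^}]*\}' |
            grep -E '[{;[:space:]]any[[:space:]]*;' || true)
    [ -z "$_hits" ] && return 0
    printf '%s\n' "$_hits" | sed 's/^/OPEN: /'
    return 1
}

printf '%s\n' "$OPEN_CONF" | audit_recursion || true
printf '%s\n' "$RESTRICTED_CONF" | audit_recursion && echo "restricted sample: OK"
```

Queries from addresses outside the ACL are still refused and logged as "query (cache) ... denied", which is the server refusing to act as a resolver for strangers.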
Thank you! But I have this problem only with google mx. And I don't know what the IPs for recursion from google.com MX are. If I enter my server IPs, I suppose that the problem will return.
Try this... Do an NS lookup to check the IPs of the google mail servers concerned, and then enter them into the recursion list (remember to add your servers' IPs into the recursion list too). Restart the named service, see whether everything is fine. (Let us know)
After nslookup I entered all the MX IPs, but now I have this log:

Code:
Apr 15 10:58:08 itex named[8012]: client 86.57.214.239#11841: query (cache) 'ALT1.ASPMX.L.GOOGLE.COM/A/IN' denied
Apr 15 10:58:09 itex named[8012]: client 86.57.214.239#11857: query (cache) 'ALT2.ASPMX.L.GOOGLE.COM/A/IN' denied
Apr 15 10:58:10 itex named[8012]: client 86.57.214.239#11874: query (cache) 'ASPMX.L.GOOGLE.COM/A/IN' denied
Apr 15 10:58:11 itex named[8012]: client 86.57.214.239#11887: query (cache) 'ASPMX2.GOOGLEMAIL.COM/A/IN' denied
Apr 15 10:58:12 itex named[8012]: client 86.57.214.239#11903: query (cache) 'ASPMX3.GOOGLEMAIL.COM/A/IN' denied
Apr 15 10:58:13 itex named[8012]: client 86.57.214.239#11923: query (cache) 'ASPMX4.GOOGLEMAIL.COM/A/IN' denied
Apr 15 10:58:14 itex named[8012]: client 86.57.214.239#11944: query (cache) 'ASPMX5.GOOGLEMAIL.COM/A/IN' denied

And this log repeats with other IPs, like 86.57.214.239, 117.3.4.79, 95.56.66.114, 178.90.226.56 and so on.
Hi! No, I did not resolve it. But my DNS works great and I did not have any problems. It is only a notification and not a serious problem.
Well, I have this similar problem and I think one should take this very seriously. I am getting around 150,000 queries per day.

Code:
root@emone:# cat /var/log/syslog.* | grep 'named\[.*\]' | grep query | grep denied | awk '{print $1,$2}' | sort -k 1,1M -k 2n | uniq -c
 154247 Nov 3
  74598 Nov 4

Sample lines from /var/log/syslog

Code:
Nov 4 20:17:45 emone named[1123]: client 62.63.21.66#37302: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:45 emone named[1123]: client 62.63.21.66#40779: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:45 emone named[1123]: client 62.63.21.66#43524: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:45 emone named[1123]: client 62.63.21.66#52513: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:45 emone named[1123]: client 62.63.21.66#32203: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:45 emone named[1123]: client 62.63.21.66#52374: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:45 emone named[1123]: client 62.63.21.66#2300: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:47 emone named[1123]: client 5.199.169.87#52642: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:47 emone named[1123]: client 5.199.169.87#17117: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:47 emone named[1123]: client 5.199.169.87#62877: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:47 emone named[1123]: client 5.199.169.87#42421: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:48 emone named[1123]: client 5.199.169.87#3205: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:48 emone named[1123]: client 5.199.169.87#57094: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:48 emone named[1123]: client 5.199.169.87#3125: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:51 emone named[1123]: client 82.124.48.189#52454: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:51 emone named[1123]: client 82.124.48.189#10888: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:52 emone named[1123]: client 82.124.48.189#12468: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:52 emone named[1123]: client 82.124.48.189#42806: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:52 emone named[1123]: client 82.124.48.189#60218: query (cache) 'a.packetdevil.com/A/IN' denied
Nov 4 20:17:54 emone named[1123]: client 82.124.48.189#2185: query (cache) 'a.packetdevil.com/A/IN' denied

Tried everything in this thread but nothing works. Any solution, anybody?
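The per-day count in the post above shows the volume; grouping the same denied lines by queried name and by client shows whether one name is being requested from many addresses. This is an added example, not part of the original thread: the log lines are constructed in the thread's format with documentation-range addresses and placeholder names, and `sample_log` and `denied_summary` are hypothetical function names.

```shell
#!/bin/sh
# Added example: summarise BIND "query (cache) ... denied" syslog lines.

# Constructed sample in the log format shown in the thread. Addresses are
# from the documentation ranges and the queried names are placeholders.
sample_log() {
cat <<'EOF'
Nov  4 20:17:45 ns1 named[1123]: client 192.0.2.10#37302: query (cache) 'a.example.net/A/IN' denied
Nov  4 20:17:45 ns1 named[1123]: client 192.0.2.10#40779: query (cache) 'a.example.net/A/IN' denied
Nov  4 20:17:47 ns1 named[1123]: client 198.51.100.7#52642: query (cache) 'A.EXAMPLE.NET/A/IN' denied
Nov  4 20:17:51 ns1 named[1123]: client 203.0.113.5#52454: query (cache) 'a.example.net/A/IN' denied
Nov  4 20:18:02 ns1 named[1123]: client 203.0.113.5#10888: query (cache) 'mx.example.org/A/IN' denied
Nov  4 20:18:03 ns1 sshd[2201]: Accepted publickey for admin from 192.0.2.50 port 50022 ssh2
EOF
}

# Reads syslog text on stdin and prints one line per queried name:
#   <denied queries> <distinct client addresses> <name>
# busiest name first. Names are lower-cased because DNS names are
# case-insensitive and the same name shows up in mixed case in the logs.
denied_summary() {
    awk -v sq="'" '
    /named\[[0-9]+\]: client / && /query \(cache\) / && / denied$/ {
        ip = ""; name = ""
        for (i = 1; i < NF; i++) {
            if ($i == "client")  { split($(i + 1), a, "#"); ip = a[1] }
            if ($i == "(cache)") { name = $(i + 1) }
        }
        gsub(sq, "", name)            # strip the surrounding quotes
        split(name, part, "/")        # name/TYPE/CLASS -> name
        name = tolower(part[1])
        total[name]++
        if (!((name, ip) in seen)) { seen[name, ip] = 1; clients[name]++ }
    }
    END { for (n in total) printf "%d %d %s\n", total[n], clients[n], n }
    ' | sort -k1,1nr -k3,3
}

sample_log | denied_summary
```

Source addresses of UDP queries can be forged, so the per-name total is a more reliable signal than any single client address.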