dns resolution being denied to some servers

[Frothingdog]

I've a wierd problem that I can't figure out.

Our internal DNS server seems to be denying resolution to a few routers on our network and I can't figure out why.

resolv.conf is configured the same on all our routes, and all routers are in the master dns file.

We are onlly having problems with 8 of our routers (out of the 50 or so we are running)

Is there anything that springs to mind that would be causeing the problem?

Here's a snipet from the LOG file of the dns server:
Jul 12 11:53:51 nms named[8862]: client 1.2.3.4#37947: query (cache) 'router47/A/IN' denied
Jul 12 11:53:52 nms named[8862]: client 1.2.3.4#27328: query 'router47.ops.net/A/IN' denied
Jul 12 11:53:52 nms named[8862]: client 1.2.3.4#31182: query (cache) 'router47/A/IN' denied
Jul 12 11:54:11 nms named[8862]: client 1.2.3.10#37059: query (cache) 8.8.8.8.in-addr.arpa/PTR/IN' denied

Totally at a loss here.

Cheers
Morty

[Frothingdog]

further info:
DNS Server: OpenBSD nms.opts.net 3.9 GENERIC#617 i386 (yes I know it's old)

1 of the troubled routers:
OpenBSD router47.ops.net 4.5 NET5501#0 i386 (alittle newer )

[jggimi]

Since you insist on some mind reading, I'm going to take a wild guess that you need to review the Bind 9 Administrator Reference, and your named.conf file, or related configuration files. I'm going to guess you have some allow-query phrase somewhere which disallows resolutions.

Quote:

When used as an access control list, a non-negated match allows access and a negated match denies access. If there is no match, access is denied. The clauses allow-notify, allow-query, allow-transfer, allow-update, allow-update-forwarding, and blackhole all use address match lists this. Similarly, the listen-on option will cause the server to not accept queries on any of the machine's addresses which do not match the list.

If this isn't your problem, it's because I'm a poor mind reader.

(Hint) Try posting, at the very least, the dmesg of the system where the BIND server resides, and if you're using the built-in server, or, if you're using something else, such as a port of ISC's BIND 10.

While 3.9 might date from 2006, and has been unsupported since 2007, it was still using BIND 9. A different release of it then used today, 9.3.1 vs 9.4.2-P2.


(Second hint) If you want someone to review your DNS configuration, you will have to post it. I would post with obfuscated addresses/names for anything not on your private network.

[Frothingdog]

I apologize for the half-***ed post, but this was dumped on me because no one else go figure out why it wasn't working. I've very limited experience with bsd so I'm sorry for my ignorance.

Needless to say after reading your post I went looking around in our DNS server and finally came across the named.conf file. And guess what...it was being kept up to date on the acl for the routers.

So I updated the DNS names and the IP's and everything is working now.

See you are a mind reader you just needed some encouragment

Cheers and thanks again for the help.....next to time I'll be sure to post more info related to the topic in question.

Morty

[jggimi]

Glad to know I was of some help.

Usually I either give a detailed answer to the wrong question, or misunderstand the question entirely.

[rpindy]

By the way, if you do upgrade to 4.7, which I very highly recommend, you should completely reinstall as upgrades on the CDs would only go from 3.9 to 4.0 and so on. I also recommend following -stable. At the very least, don't let your server go that outdated!

[Frothingdog]

Well it ain't up to me. It's up to the powers that be.
We have several servers that need to be updated, OS and Hardware included.

But that would cost money. Actually that would cost quite a bit of money, hence why it hasn't been done yet.

[ocicat]

Quote:

Originally Posted by Frothingdog

It's up to the powers that be.

Repeating jggimi's assertion, OpenBSD 3.9 is no longer supported. What you should emphasize to management is that the project proper has no obligation to provide support on this version any more, & any assistance you obtain from anyone is out of whatever altruism they may have in passing on information. If anything breaks, you are on your own.

[Frothingdog]

It's seems they are willing to risk it. Drives me nuts.