BIND failing to resolve with 'WARNING: recursion requested but not available'
Solution 1
Try switching your ACL statements:
acl "trusted" {
173.255.211.166;
104.200.17.225; //this is the client in question
10.8.0.0/24;
10.8.1.0/24;
127.0.0.1/32;
::1/128;
};
acl "outside" {
any;
};
Solution 2
Your 104.200.17.225 client was matching the "outside" ACL first. Rearranging the order of the ACLs probably helped, but the more reliable way to do this is to exclude your "trusted" addresses from "outside":
acl "outside" {
!173.255.211.166;
!104.200.17.225; //this is the client in question
!10.8.0.0/24;
!10.8.1.0/24;
!127.0.0.1/32;
!::1/128;
any;
};
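How BIND decides which view, and which ACL entry, a client hits is worth seeing step by step, because both answers above hinge on it. The following is an added example, not code from either answer or from BIND itself: a small Python model of the address-match-list rules documented in the BIND ARM (a list is scanned element by element and the first element that matches decides the result; a negated element such as `!10.8.0.0/24` that matches makes the whole list evaluate to "no match"; views are tried in the order they appear in named.conf and the first view whose match-clients accepts the client wins). The ACL entries, view names and client addresses are taken from the question and from Solution 2; the evaluation functions (`match_list`, `select_view`, `acl_result`) are constructed here for illustration and are not part of BIND.

```python
"""Model of BIND address-match-list evaluation (added example, not from the thread).

Rules implemented, as described in the BIND ARM:
  * an address match list is scanned in order; the FIRST matching element decides
  * a matching element prefixed with "!" yields an explicit non-match
  * a nested acl name counts as a match only if the nested list matches positively
  * views are tried in named.conf order; the first accepting match-clients wins
"""
import ipaddress

# ACLs as written in the question's named.conf (addresses are the poster's).
ACLS = {
    "outside": ["any"],
    "trusted": ["173.255.211.166", "104.200.17.225", "10.8.0.0/24",
                "10.8.1.0/24", "127.0.0.1/32", "::1/128"],
}

# Solution 2's rewrite of "outside": every trusted entry negated, then "any".
ACLS_FIXED = dict(ACLS)
ACLS_FIXED["outside"] = ["!" + entry for entry in ACLS["trusted"]] + ["any"]

# Views in named.conf order with their match-clients lists. Order matters.
VIEWS = [
    ("internal", ["trusted"]),
    ("external", ["any"]),
]


def element_matches(element, client, acls):
    """Does a single non-negated element match the client address?"""
    if element == "any":
        return True
    if element == "none":
        return False
    if element in acls:
        # Nested acl: only a positive match of the nested list counts.
        return match_list(acls[element], client, acls) is True
    net = ipaddress.ip_network(element, strict=False)
    return client.version == net.version and client in net


def match_list(elements, client, acls):
    """Evaluate an address match list.

    Returns True (positive match), False (a negated element matched, i.e. an
    explicit non-match) or None (list exhausted without any match).
    """
    for element in elements:
        negated = element.startswith("!")
        if element_matches(element.lstrip("!"), client, acls):
            return not negated
    return None


def acl_result(acl_name, client_ip, acls=ACLS):
    """Human-readable result of evaluating one named acl for one client."""
    result = match_list(acls[acl_name], ipaddress.ip_address(client_ip), acls)
    return {True: "match", False: "negated", None: "no match"}[result]


def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Name of the first view whose match-clients accepts the client, or None
    (BIND would then refuse the query outright)."""
    client = ipaddress.ip_address(client_ip)
    for name, match_clients in views:
        if match_list(match_clients, client, acls) is True:
            return name
    return None


if __name__ == "__main__":
    for ip in ("104.200.17.225", "10.8.0.7", "::1", "8.8.8.8"):
        print(f"{ip:>16}  view={select_view(ip)}  "
              f"outside(orig)={acl_result('outside', ip)}  "
              f"outside(fixed)={acl_result('outside', ip, ACLS_FIXED)}")
    # Swapping the two view statements sends the trusted client to "external".
    print("views reversed:", select_view("104.200.17.225", list(reversed(VIEWS))))
```

With the views in the order shown in the question, the model puts 104.200.17.225 in view "internal"; it lands in "external" only if the view statements are reversed or if the running named is not actually using the configuration shown. A useful real-world check is `named-checkconf -p /etc/bind/named.conf`, which prints the configuration exactly as named parses it, followed by `rndc reconfig` to make sure the running instance has picked it up.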
Author: user3766148
Updated on September 18, 2022

Comments

user3766148, almost 2 years ago:
- there are no errors in the logs and query logging won't initialize
- iptables is fully disabled
but the server will respond with "WARNING: recursion requested but not available" because my client 104.200.17.225 is going to external. But the client 'is in' the trusted ACL. Bind is ignoring my trusted list entirely.
mlr01 ~ # dig facebook.com

; <<>> DiG 9.9.5 <<>> facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10440
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;facebook.com.                  IN      A

;; AUTHORITY SECTION:
.                       3600000 IN      NS      G.ROOT-SERVERS.NET.
.                       3600000 IN      NS      I.ROOT-SERVERS.NET.
.                       3600000 IN      NS      E.ROOT-SERVERS.NET.
.                       3600000 IN      NS      L.ROOT-SERVERS.NET.
.                       3600000 IN      NS      K.ROOT-SERVERS.NET.
.                       3600000 IN      NS      M.ROOT-SERVERS.NET.
.                       3600000 IN      NS      H.ROOT-SERVERS.NET.
.                       3600000 IN      NS      A.ROOT-SERVERS.NET.
.                       3600000 IN      NS      F.ROOT-SERVERS.NET.
.                       3600000 IN      NS      C.ROOT-SERVERS.NET.
.                       3600000 IN      NS      D.ROOT-SERVERS.NET.
.                       3600000 IN      NS      J.ROOT-SERVERS.NET.
.                       3600000 IN      NS      B.ROOT-SERVERS.NET.

;; Query time: 42 msec
;; SERVER: 66.228.35.79#53(66.228.35.79)
;; WHEN: Thu Oct 16 23:28:20 UTC 2014
;; MSG SIZE  rcvd: 252
Named appears to be ignoring my ACL:
cat /etc/bind/named.conf

acl "outside" {
    any;
};

acl "trusted" {
    173.255.211.166;
    104.200.17.225; //this is the client in question
    10.8.0.0/24;
    10.8.1.0/24;
    127.0.0.1/32;
    ::1/128;
};

options {
    directory "/var/bind";
    pid-file "/var/run/named/named.pid";
    transfer-source 198.74.49.126;
    listen-on-v6 { ::1; 2600:3c03::f03c:91ff:feae:9e6d; };
    listen-on { 127.0.0.1; 66.228.35.79; };
    max-cache-ttl 1600;
    version none;
    allow-query { any; };
    allow-query-cache { any; };
    allow-transfer { trusted; };
    allow-update { trusted; };
    //forward first;
    forwarders {
        109.74.192.20;
        97.107.133.4;
        198.74.49.126; //internal router1
    };
};

logging {
    channel default_log {
        file "/var/log/named/named.log" versions 5 size 50M;
        print-time yes;
        print-severity yes;
        print-category yes;
        severity warning;
    };
    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-in_file {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    category default { default_log; };
    category general { default_log; };
};

include "/etc/bind/rndc.key";

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

view "internal" {
    match-clients { trusted; };
    allow-query-cache { any; };
    allow-recursion { trusted; };
    recursion yes;
    zone "azevedomd.com" {
        type master;
        file "pri/azevedomd.com.internal";
    };
    zone "35.228.66.in-addr.arpa" {
        type master;
        file "pri/reverse.internal";
    };
    zone "127.in-addr.arpa" {
        type master;
        file "pri/127.0.0.1";
    };
};

view "external" {
    match-clients { any; };
    match-destinations { any; };
    recursion no;
    allow-query { any; };
    zone "." IN {
        type hint;
        file "/var/bind/named.ca";
    };
    zone "azevedomd.com" {
        type master;
        file "pri/azevedomd.com.external";
    };
    zone "35.228.66.in-addr.arpa" {
        type master;
        file "pri/reverse.external";
    };
    zone "127.in-addr.arpa" {
        type master;
        file "pri/127.0.0.1";
    };
};
Query logging says it is going to external. Why is it ignoring internal and the trusted list? The client is in the list.
17-Oct-2014 00:17:03.886 client 104.200.17.225#41300 (facebook.com): view external: query: facebook.com IN A +E (66.228.35.79