
Problem with Recursive Queries

September 7, 2014 5.5k views

Hi,

When I test my domain through www.intodns.com, I see a mistake like this.
Look for this Picture

I followed this tutorial:
https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04

But there is still the same problem.

3 Answers

Have a look at this guide; it should help you solve the problem.
The key is to disable recursion globally, and define views for external and internal hosts where recursion would be allowed only internally.

http://www.team-cymru.org/Services/Resolvers/instructions.html

  • I got an error like this:

     * Starting domain name service... bind9 [fail]
  • OK, so let's do it differently - please see the config I have in place, hope it helps.

    Make sure no zones are loaded outside of the view definition.

    Configure your options section as follows. Make sure you replace X.X.X.X with your IP.

    options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { none; };
    listen-on { 127.0.0.1; X.X.X.X; };
    allow-query { none; };
    allow-query-cache { none; };
    allow-transfer { xfer; };
    version none;
    notify no;
    transfer-format many-answers;
    max-transfer-time-in 60;
    recursion no;
    additional-from-cache no;
    };

    Configure the ACLs. Make sure the "internal" contains IPs of all your master or slave IPs, or all IPs that have to use the DNS server for name resolution. ACL "xfer" should contain only the IPs of your nameservers.

    acl internal { 127.0.0.0/8; place.all.your.ips; };
    acl xfer { place.your.nameserver.ips; };

    Configure the internal and external views. Internal will grant full name resolution including recursion, cache, etc., while the external view will only respond on configured zones. The expectation is that all the zones are defined in /etc/bind/named.conf.local.zones.

    view "internal" in {
    match-clients { internal; };
    allow-query { internal; };
    recursion yes;
    additional-from-cache yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };
    include "/etc/bind/zones.rfc1918";
    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/named.conf.local.zones";
    };

    view "external" in {
    match-clients { any; };
    recursion no;
    additional-from-cache no;
    additional-from-auth no;
    include "/etc/bind/zones.rfc1918";
    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/named.conf.local.zones";
    };

  • Where can I type ( view "internal" and view "external" )? >> named.conf.local.zones. If that, there is the same error.

  • Please post the error from syslog.

  • Hi,
    These are the settings I have made.

    In " named.conf.options " I add:
    acl internal { 127.0.0.0/8; place.all.your.ips; }; << my IP /29 or just my IP?
    acl xfer { place.your.nameserver.ips; }; << do you mean the IP for ns1.digitalocean.com " 173.245.58.51 "?

    options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { none; };
    listen-on { 127.0.0.1; X.X.X.X; };
    allow-query { none; };
    allow-query-cache { none; };
    allow-transfer { xfer; };
    version none;
    notify no;
    transfer-format many-answers;
    max-transfer-time-in 60;
    recursion no;
    additional-from-cache no;
    };

    In " named.conf.local.zones " I add:

    mydomain <<< I typed my domain

    zone "mydomain.com" {
    type master;
    file "/etc/bind/db.domain";
    };

    192.2.1.0 << This is just example

    zone "1.2.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192";
    };

    In " named.conf.local " I add:

    Note: I have made no changes here.

    view "internal" in {
    match-clients { internal; };
    allow-query { internal; };
    recursion yes;
    additional-from-cache yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };
    include "/etc/bind/zones.rfc1918";
    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/named.conf.local.zones";
    };

    view "external" in {
    match-clients { any; };
    recursion no;
    additional-from-cache no;
    additional-from-auth no;
    include "/etc/bind/zones.rfc1918";
    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/named.conf.local.zones";
    };

  • This is the syslog:

    Sep 7 06:40:44 pvttwt rsyslogd: [origin software="rsyslogd" swVersion="7.4.4" x-pid="361" x-info="http://www.rsyslog.com"] rsyslogd was HUPed
    Sep 7 06:47:01 pvttwt CRON[651]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly ))
    Sep 7 06:55:24 pvttwt kernel: [155222.154527] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:ab:f0:08:00 SRC=180.153.113.141 DST=104.131.229.65 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=TCP SPT=22203 DPT=1723 WINDOW=8192 RES=0x00 SYN URGP=0
    Sep 7 07:01:15 pvttwt kernel: [155573.091147] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:af:f0:08:00 SRC=184.105.139.85 DST=104.131.229.65 LEN=125 TOS=0x00 PREC=0x00 TTL=57 ID=54711 DF PROTO=UDP SPT=58747 DPT=1900 LEN=105
    Sep 7 07:02:37 pvttwt kernel: [155655.769362] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:af:f0:08:00 SRC=222.69.143.120 DST=104.131.229.65 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=57227 PROTO=UDP SPT=53 DPT=46153 LEN=44
    Sep 7 07:03:07 pvttwt kernel: [155685.724907] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:af:f0:08:00 SRC=112.125.126.228 DST=104.131.229.65 LEN=40 TOS=0x00 PREC=0x00 TTL=102 ID=256 PROTO=TCP SPT=6000 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
    Sep 7 07:08:26 pvttwt kernel: [156004.235644] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:af:f0:08:00 SRC=114.80.207.28 DST=104.131.229.65 LEN=40 TOS=0x00 PREC=0x00 TTL=103 ID=59778 PROTO=TCP SPT=6000 DPT=3306 WINDOW=16384 RES=0x00 SYN URGP=0
    Sep 7 07:09:01 pvttwt CRON[700]: (root) CMD ( [ -x /usr/lib/php5/sessionclean ] && /usr/lib/php5/sessionclean)
    Sep 7 07:17:01 pvttwt CRON[729]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
    Sep 7 07:19:27 pvttwt kernel: [156665.046686] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:af:f0:08:00 SRC=94.125.52.180 DST=104.131.229.65 LEN=76 TOS=0x00 PREC=0x00 TTL=35 ID=0 DF PROTO=UDP SPT=53 DPT=46153 LEN=56
    Sep 7 07:21:52 pvttwt kernel: [156810.787395] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:ab:f0:08:00 SRC=192.230.123.75 DST=104.131.229.65 LEN=300 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=53 DPT=46153 LEN=280
    Sep 7 07:26:28 pvttwt kernel: [157086.694204] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:af:f0:08:00 SRC=170.155.163.21 DST=104.131.229.65 LEN=73 TOS=0x00 PREC=0x00 TTL=53 ID=210 PROTO=UDP SPT=53 DPT=46153 LEN=53
    Sep 7 07:28:31 pvttwt kernel: [157209.991624] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:ab:f0:08:00 SRC=111.254.199.184 DST=104.131.229.65 LEN=76 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=46153 LEN=56
    Sep 7 07:30:55 pvttwt kernel: [157353.413853] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:ab:f0:08:00 SRC=75.102.34.114 DST=104.131.229.65 LEN=118 TOS=0x00 PREC=0x00 TTL=53 ID=0 DF PROTO=UDP SPT=51471 DPT=1900 LEN=98
    Sep 7 07:39:01 pvttwt CRON[754]: (root) CMD ( [ -x /usr/lib/php5/sessionclean ] && /usr/lib/php5/sessionclean)
    Sep 7 07:39:50 pvttwt kernel: [157888.369310] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:af:f0:08:00 SRC=118.123.4.111 DST=104.131.229.65 LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=9586 PROTO=TCP SPT=49807 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
    Sep 7 07:42:56 pvttwt kernel: [158074.205747] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:ab:f0:08:00 SRC=113.200.222.67 DST=104.131.229.65 LEN=138 TOS=0x00 PREC=0x00 TTL=243 ID=33819 PROTO=UDP SPT=53 DPT=46153 LEN=118
    Sep 7 07:46:57 pvttwt kernel: [158315.853327] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:af:f0:08:00 SRC=58.39.155.203 DST=104.131.229.65 LEN=74 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=53 DPT=46153 LEN=54
    Sep 7 07:56:56 pvttwt kernel: [158914.724485] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:ab:f0:08:00 SRC=182.234.147.189 DST=104.131.229.65 LEN=134 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=46153 LEN=114
    Sep 7 08:02:04 pvttwt kernel: [159222.404537] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:ab:f0:08:00 SRC=36.83.41.58 DST=104.131.229.65 LEN=76 TOS=0x00 PREC=0x00 TTL=236 ID=24725 DF PROTO=UDP SPT=10009 DPT=46153 LEN=56
    Sep 7 08:03:57 pvttwt kernel: [159335.345844] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:ab:f0:08:00 SRC=192.230.123.58 DST=104.131.229.65 LEN=92 TOS=0x00 PREC=0x00 TTL=55 ID=31364 DF PROTO=UDP SPT=53 DPT=46153 LEN=72
    Sep 7 08:05:26 pvttwt kernel: [159424.145315] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:ab:f0:08:00 SRC=93.180.5.26 DST=104.131.229.65 LEN=61 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=UDP SPT=45248 DPT=161 LEN=41
    Sep 7 08:07:21 pvttwt kernel: [159539.433516] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:af:f0:08:00 SRC=184.105.139.114 DST=104.131.229.65 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=22996 DF PROTO=UDP SPT=57552 DPT=123 LEN=20
    Sep 7 08:09:01 pvttwt CRON[805]: (root) CMD ( [ -x /usr/lib/php5/sessionclean ] && /usr/lib/php5/sessionclean)
    Sep 7 08:12:25 pvttwt kernel: [159843.307799] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:af:f0:08:00 SRC=80.55.226.105 DST=104.131.229.65 LEN=78 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=53 DPT=46153 LEN=58
    Sep 7 08:17:01 pvttwt CRON[836]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
    Sep 7 08:37:35 pvttwt kernel: [161353.251393] [UFW BLOCK] IN=eth0 OUT= MAC=04:01:26:d7:0b:01:4c:96:14:a4:af:f0:08:00 SRC=162.243.104.80 DST=104.131.229.65 LEN=118 TOS=0x00 PREC=0x00 TTL=63 ID=59226 DF PROTO=UDP SPT=38508 DPT=1900 LEN=98

Everything works well with this setting (all tests were successful), but I still see this error message: " http://i.imgur.com/dd2l1BE.png "

In " named.conf.options "
acl goodclients{
My IP;
localhost;
localnets;
};
options {
directory "/var/cache/bind";
recursion yes;
allow-query { goodclients; };

     forwarders {
            8.8.8.8;
            8.8.4.4;
     };
    forward only;

    dnssec-enable yes;
    dnssec-validation yes;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };

};

In " named.conf.local "

mydomain

zone "mydomain.com" {
type master;
file "/etc/bind/db.domain";
};

192.2.1.0
zone "1.2.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192";
};

  • That error/configuration could be pretty nasty, as it is allowing your server to become part of DDoS / cache poisoning attacks.
    So the key is to limit public access to the name server and disallow recursive queries.
    Let's try to simplify the configuration if possible and avoid views.
    Add this statement after allow-query:

    allow-recursion { goodclients; };

  • I still see this error message: " http://i.imgur.com/dd2l1BE.png "

  • I have replicated your configuration and I don't see recursive queries being allowed.

    Ubuntu 14.04.1 LTS

    named.conf.options

    acl goodclients{
    178.62.24.228;
    localhost;
    localnets;
    };

    options {
    directory "/var/cache/bind";
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
    recursion yes;
    allow-query { goodclients; };
    allow-recursion { goodclients; };
    forwarders {
    8.8.8.8;
    8.8.4.4;
    };
    forward only;
    dnssec-enable yes;
    dnssec-validation yes;
    };

    When I execute the lookup from a host not defined in "goodclients", I see the query is refused.

    nslookup
    > server 178.62.24.228
    Default server: 178.62.24.228
    Address: 178.62.24.228#53
    > sme.sk
    Server: 178.62.24.228
    Address: 178.62.24.228#53

    ** server can't find sme.sk: REFUSED

    Can you please check if you can run recursive query from outside of your trusted network?

  • The result is:

    nslookup

    server 104.131.229.65
    Default server: 104.131.229.65
    Address: 104.131.229.65#53
    sme.sk
    Server: 104.131.229.65
    Address: 104.131.229.65#53

    Non-authoritative answer:
    Name: sme.sk
    Address: 195.146.144.8
    Name: sme.sk
    Address: 195.146.144.9

  • There are no errors, but it did not solve the problem. :(

    IN " named.conf.options "
    acl internal { 127.0.0.0/8; 104.131.229.65/29; };
    acl xfer { 104.131.229.65; };

    options {
    directory "/var/cache/bind";
    forwarders {
    8.8.8.8;
    8.8.4.4;
    };
    forward only;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { none; };
    listen-on { 127.0.0.1; 104.131.229.65; };
    allow-query { none; };
    allow-query-cache { none; };
    allow-transfer { xfer; };
    version none;
    notify no;
    transfer-format many-answers;
    max-transfer-time-in 60;
    recursion no;
    additional-from-cache no;
    };

    IN " named.conf.local.zones "
    zone "pvttwt.com" {
    type master;
    file "/etc/bind/db.pvttwt";
    };

    zone "229.131.104.in-addr.arpa" {
    type master;
    file "/etc/bind/db.104";
    };

    IN " named.conf "

    include "/etc/bind/named.conf.options";
    view "internal" in {
    match-clients { internal; };
    allow-query { internal; };
    recursion yes;
    additional-from-cache yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };
    include "/etc/bind/zones.rfc1918";
    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/named.conf.local.zones";
    };

    view "external" in {
    match-clients { any; };
    recursion no;
    additional-from-cache no;
    additional-from-auth no;
    include "/etc/bind/zones.rfc1918";
    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/named.conf.local.zones";
    };


    nslookup pvttwt.com

    Server: 104.131.229.65
    Address: 104.131.229.65#53

    Name: pvttwt.com
    Address: 104.131.229.65


    dig pvttwt.com

    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64559
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;pvttwt.com. IN A

    ;; ANSWER SECTION:
    pvttwt.com. 604800 IN A 104.131.229.65

    ;; AUTHORITY SECTION:
    pvttwt.com. 604800 IN NS ns.pvttwt.com.

    ;; ADDITIONAL SECTION:
    ns.pvttwt.com. 604800 IN A 104.131.229.65

    ;; Query time: 2 msec
    ;; SERVER: 104.131.229.65#53(104.131.229.65)
    ;; WHEN: Mon Sep 08 21:45:06 EDT 2014
    ;; MSG SIZE rcvd: 88


    service bind9 restart

     * Stopping domain name service... bind9 waiting for pid 6208 to die [ OK ]
     * Starting domain name service... bind9 [ OK ]

    Why?

  • I think I understand it now - the real data helped.
    We are trying to solve a problem that doesn't exist.
    Let's look at the data:

    dig pvttwt.com any
    
    ; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> pvttwt.com any
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26456
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 4, ADDITIONAL: 3
    
    ;; QUESTION SECTION:
    ;pvttwt.com.                    IN      ANY
    
    ;; ANSWER SECTION:
    pvttwt.com.             1800    IN      MX      20 mx2.zohomail.com.
    pvttwt.com.             1800    IN      MX      10 mx.zohomail.com.
    pvttwt.com.             1800    IN      SOA     NS1.DIGITALOCEAN.com. hostmaster.pvttwt.com. 1410279981 3600 900 1209600 1800
    pvttwt.com.             463     IN      A       104.131.229.65
    pvttwt.com.             1800    IN      NS      NS2.DIGITALOCEAN.com.
    pvttwt.com.             1800    IN      NS      NS3.DIGITALOCEAN.com.
    pvttwt.com.             1800    IN      NS      NS1.DIGITALOCEAN.com.
    pvttwt.com.             1800    IN      NS      ns.pvttwt.com.
    
    ;; AUTHORITY SECTION:
    pvttwt.com.             1800    IN      NS      NS1.DIGITALOCEAN.com.
    pvttwt.com.             1800    IN      NS      NS3.DIGITALOCEAN.com.
    pvttwt.com.             1800    IN      NS      NS2.DIGITALOCEAN.com.
    pvttwt.com.             1800    IN      NS      ns.pvttwt.com.
    
    ;; ADDITIONAL SECTION:
    NS1.DIGITALOCEAN.com.   171463  IN      A       173.245.58.51
    NS2.DIGITALOCEAN.com.   171463  IN      A       173.245.59.41
    NS3.DIGITALOCEAN.com.   171463  IN      A       198.41.222.173
    
    ;; Query time: 94 msec
    ;; SERVER: 37.139.4.57#53(37.139.4.57)
    ;; WHEN: Tue Sep  9 19:58:24 2014
    ;; MSG SIZE  rcvd: 327

    The name servers defined for your domain are DigitalOcean's nameservers and the server we are looking at. If we look at the intoDNS report for your domain, we see more or less the same, except for the first line, which is showing only DigitalOcean's servers. A bit unusual, but OK.

    The problematic line in the report is "Recursive Queries", which is showing errors for 3 servers, but those are DigitalOcean's nameservers, not the one you have built.

    The problem that could be validated is the fact that I can't reach the nameserver at all, but I don't know what the setup is and why it is configured the way it is configured.
    Your server is not open for recursive queries; it's closed from public access completely. If this is the intention then it's fine; if it should be publicly accessible then you need to investigate what's wrong with the setup.

  • So what can I do to solve this error message?

  • It can be a false positive.
    Have a look at this report; it is not reporting any problem with recursive queries:
    http://www.dnssy.com/report.php?q=pvttwt.com

I did this test:

root@...:/etc/bind# dig @192.168.10.115 google.com

; <<>> DiG 9.9.5-3-Ubuntu <<>> @192.168.10.115 google.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
root@...:/etc/bind# dig @104.131.229.65 pvttwt.com

; <<>> DiG 9.9.5-3-Ubuntu <<>> @104.131.229.65 pvttwt.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56180
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pvttwt.com. IN A

;; ANSWER SECTION:
pvttwt.com. 604800 IN A 104.131.229.65

;; AUTHORITY SECTION:
pvttwt.com. 604800 IN NS ns.pvttwt.com.

;; ADDITIONAL SECTION:
ns.pvttwt.com. 604800 IN A 104.131.229.65

;; Query time: 2 msec
;; SERVER: 104.131.229.65#53(104.131.229.65)
;; WHEN: Mon Sep 08 22:57:46 EDT 2014
;; MSG SIZE rcvd: 88
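The checks in this thread (nslookup returning REFUSED from an untrusted host, the `status:` and `flags:` lines of the dig outputs) can be scripted so the "is my server an open resolver?" question gets a repeatable answer. The following is an added example, not code from the thread or from the BIND project; it assumes `dig` is on PATH for the live check, and that the name you pass is one the server is NOT authoritative for (sme.sk and google.com in the thread), since an authoritative answer for your own zone says nothing about recursion.

```shell
#!/bin/sh
# Added example, not from this thread: classify what a resolver said about
# recursion from `dig` output, using the two signals the replies above read
# by eye: the "status:" in the HEADER line (REFUSED vs NOERROR) and the
# "ra" (recursion available) flag in the "flags:" line.

# classify_dig reads dig output on stdin and prints one word:
#   no-answer            connection timed out / no servers could be reached
#   refused              status REFUSED (allow-query / allow-recursion blocked it)
#   recursion-available  answered and advertised the "ra" flag
#   no-recursion         answered (e.g. a referral) without the "ra" flag
classify_dig() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'no servers could be reached'; then
    echo no-answer
    return 0
  fi
  status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  flags=$(printf '%s\n' "$out" | sed -n 's/.*;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
  case "$status" in
    REFUSED) echo refused ;;
    NOERROR|NXDOMAIN|SERVFAIL)
      case " $flags " in
        *" ra "*) echo recursion-available ;;
        *)        echo no-recursion ;;
      esac ;;
    *) echo "unknown:$status" ;;
  esac
}

# check_recursion SERVER NAME: query a live server (needs `dig`) and classify
# the reply. For a name outside its zones, a public authoritative-only server
# asked from the Internet should yield "refused" or "no-recursion".
check_recursion() {
  dig @"$1" "$2" +time=3 +tries=1 | classify_dig
}

# Constructed sample outputs (shapes follow the dig/nslookup runs in this
# thread, trimmed to the relevant lines) so the classifier runs offline.
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1111
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_TIMEOUT=';; global options: +cmd
;; connection timed out; no servers could be reached'

demo() {
  printf '%s\n' "$SAMPLE_REFUSED" | classify_dig   # refused
  printf '%s\n' "$SAMPLE_OPEN"    | classify_dig   # recursion-available
  printf '%s\n' "$SAMPLE_TIMEOUT" | classify_dig   # no-answer
}
```

Run `check_recursion 104.131.229.65 sme.sk` from a host outside the `goodclients`/`internal` ACL to reproduce the REFUSED test from the answer above; the same call from inside the ACL should report recursion-available.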
