# BIND 9.4.1_p1 Query Refused from remote host

## xtz

Hi. I have BIND 9.4.1_p1 @ ns1.1speed.eu, and it is master for the 1speed.eu domain. From localhost, it's working perfectly, but if I try to use it from another host, it says 'Query refused' for anything different than *1speed.eu. Example:

nslookup from localhost:

```
xtz@gateway ~ $ nslookup
> server ns1.1speed.eu
Default server: ns1.1speed.eu
Address: 83.228.76.4#53
> x.1speed.eu
Server:         ns1.1speed.eu
Address:        83.228.76.4#53

Name:   x.1speed.eu
Address: 83.228.82.2
> mail.com
Server:         ns1.1speed.eu
Address:        83.228.76.4#53

Non-authoritative answer:
Name:   mail.com
Address: 205.158.62.116
```

nslookup from a remote host:

```
> x.1speed.eu
Server:  ns1.1speed.eu
Address:  83.228.76.4

Name:    x.1speed.eu
Address:  83.228.82.2
> mail.com
Server:  ns1.1speed.eu
Address:  83.228.76.4

*** ns1.1speed.eu can't find mail.com: Query refused
```

What's the problem with it? Here is my /etc/bind/named.conf configuration:

```
options {
        directory "/var/bind";

        // uncomment the following lines to turn on DNS forwarding,
        // and change the forwarding ip address(es) :
        forward first;
        forwarders {
                212.39.90.42;
                212.39.90.43;
        };

        listen-on-v6 { none; };
        listen-on { any; };

        // to allow only specific hosts to use the DNS server:
        //allow-query {
        //      127.0.0.1;
        //};

        // if you have problems and are behind a firewall:
        //query-source address * port 53;
        pid-file "/var/run/named/named.pid";
};

// Briefly, a zone which has been declared delegation-only will be effectively
// limited to containing NS RRs for subdomains, but no actual data beyond its
// own apex (for example, its SOA RR and apex NS RRset). This can be used to
// filter out "wildcard" or "synthesized" data from NAT boxes or from
// authoritative name servers whose undelegated (in-zone) data is of no
// interest.
// See http://www.isc.org/products/BIND/delegation-only.html for more info

//zone "COM" { type delegation-only; };
//zone "NET" { type delegation-only; };

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        allow-update { none; };
        notify no;
};

zone "127.in-addr.arpa" IN {
        type master;
        file "pri/127.zone";
        allow-update { none; };
        notify no;
};

zone "1speed.eu" IN {
        type master;
        allow-query { any; };
        file "pri/1speed.eu.zone";
};

zone "76.228.83.in-addr.arpa" IN {
        type master;
        allow-query { any; };
        file "/etc/bind/pri/83.228.76";
};

zone "82.228.83.in-addr.arpa" IN {
        type master;
        allow-query { any; };
        file "/etc/bind/pri/83.228.82";
};

zone "83.228.83.in-addr.arpa" IN {
        type master;
        allow-query { any; };
        file "/etc/bind/pri/83.228.83";
};
```

----------

## vad3r

If I got you right it's a recursion problem. You can get hostnames for your local domains but not for other domains. Try adding

```
recursion yes;
```

to your bind config.

----------

## xtz

Still doesn't work from anything different than localhost.

----------

## vad3r

You have set "allow-query { any; };" for all zones you are authoritative for, but you should add a similar entry in the global configuration.

```
options {
...
        allow-query { any; };
...
};
```

----------

## Princess Nell

I'm wondering when ISC changed this behaviour - I can confirm that 9.4.2 needs to have "allow-query { any; };" in options, too, but the online manual explicitly states:

> If not specified, the default is to allow queries from all hosts.

----------

## kashani

Now that you've got it working you should immediately sit down and close the big DoS attack vector you've just created. 

Bad: allow-query { any; };

Good: allow-recursion { 127.0.0.1; 10.0.0.0/8; };

kashani
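A small check for the pattern kashani warns about, added here as an example and not part of the thread or of BIND's own tooling. It reads an `options { ... };` block with a deliberately minimal regex parser (not a real named.conf parser) and reports whether every host allowed to query may also recurse; the fallback rules it assumes are the 9.4 ones, where a missing `allow-recursion` inherits `allow-query` if that is set and otherwise `localnets; localhost;`. The two config strings are constructed samples.

```python
"""Flag a named.conf options block that turns the server into an open
resolver: recursion on, and the recursion ACL as wide as the query ACL."""
import re

# Constructed sample: the thread's global config after adding
# `recursion yes;` and `allow-query { any; };` (weak).
WEAK_CONF = """
options {
        directory "/var/bind";
        recursion yes;
        allow-query { any; };
};
"""

# Constructed sample: same, but recursion limited to known clients.
FIXED_CONF = """
options {
        directory "/var/bind";
        recursion yes;
        allow-query { any; };
        allow-recursion { 127.0.0.1; 10.0.0.0/8; };
};
"""

def _block(conf, name):
    """Body of the first top-level `name { ... };` block, or '' if absent."""
    m = re.search(r'\b' + name + r'\s*\{(.*?)\n\};', conf, re.S)
    return m.group(1) if m else ''

def _acl(body, key):
    """Items of `key { a; b; };` inside body, or None when key is not set."""
    m = re.search(r'\b' + key + r'\s*\{([^}]*)\}\s*;', body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(';') if t.strip()]

def open_recursion(conf):
    """True when any host on the Internet may use this server for recursion."""
    opts = _block(conf, 'options')
    rec = re.search(r'\brecursion\s+(yes|no)\s*;', opts)
    if rec and rec.group(1) == 'no':
        return False                      # authoritative-only: nothing to abuse
    query = _acl(opts, 'allow-query')     # None means BIND's default (all hosts)
    recurse = _acl(opts, 'allow-recursion')
    if recurse is None:                   # assumed 9.4 fallback chain
        recurse = query if query is not None else ['localnets', 'localhost']
    return any(t.lower() == 'any' for t in recurse)   # `ANY` is accepted too
```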

----------

## xtz

I've chosen a more complex, hence more efficient, solution that allows caching and recursion only for my clients; for all others I'm only giving authoritative replies for the zones I'm a master for. It's done with:

```
view "clients" {
  match-clients {
    1.2.3.4;
    1.2.3.4/x;
  };
  allow-query { any; };
  recursion yes;
  // ALL ZONES YOU WANT
};

view "others" {
  match-clients { any; };
  allow-query { any; };
  recursion no;
  // ALL ZONES YOU ARE MASTER FOR
};
```

----------

