The subject is the best way I can describe it.
Recursion is confirmed disabled for non-allowed clients yet I see logs in tcpdump of answered queries to unauthorized clients
I have recursion set to ONLY allow certain clients but tcpdump is still showing a ton of responses to unauthorized clients
192.41.162.30.domain > 10.0.10.10.14618: [udp sum ok] 21373- q: AAAA? dns.sjc.llns.net. 0/9/6 ns: llns.net. NS dns.phx1.llns.net., llns.net. NS dns.lax.llns.net., llns.net. NS dns.sjc.llns.net., llns.net. NS dns.lga.llns.net., llns.net. NS dns.iad.llns.net., A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. Type50, A1RT98BS5QGC9NFI51S9HCI47ULJG6JH.net. RRSIG, H8OTTGNKI8LBEDSJ18FK8O0P68MP2L8H.net. Type50, H8OTTGNKI8LBEDSJ18FK8O0P68MP2L8H.net. RRSIG ar: dns.phx1.llns.net. A 69.28.136.99, dns.lax.llns.net. A 69.28.144.99, dns.sjc.llns.net. A 69.28.148.99, dns.lga.llns.net. A 69.28.152.99, dns.iad.llns.net. A 69.28.156.99, . OPT UDPsize=4096 OK (713)
and
192.52.178.30.domain > 10.0.10.10.13958: [udp sum ok] 18625- q: A? ns2.alsw.com. 0/6/3 ns: alsw.com. NS ns1.alsw.com., alsw.com. NS ns2.alsw.com., CK0POJMG874LJREF7EFN8430QVIT8BSM.com. Type50, CK0POJMG874LJREF7EFN8430QVIT8BSM.com. RRSIG, CTGS1RHC2N2SR0IRKV4LQ3FJMHFVCBKC.com. Type50, CTGS1RHC2N2SR0IRKV4LQ3FJMHFVCBKC.com. RRSIG ar: ns1.alsw.com. A 66.18.106.34, ns2.alsw.com. A 66.18.110.14, . OPT UDPsize=4096 OK (590)
16:40:45.685896 IP (tos 0x0, ttl 64, id 28776, offset 0, flags [none], proto UDP (17), length 69) 10.0.10.10.23242 > 66.18.106.34.domain: [bad udp cksum e348!] 33374% [1au] A? ns2.alsw.com. ar: . OPT UDPsize=4096 OK (41)
So clearly it's returning records
When I test from a server that falls within the same ACL (basically, any client that is NOT in my allow list for recursion in BIND) I see the refused
16:39:51.585246 IP (tos 0x0, ttl 55, id 31198, offset 0, flags [none], proto UDP (17), length 67) my_test_server_ip.47288 > 10.0.10.10.domain: [udp sum ok] 22771+ [1au] A? google.com. ar: . OPT UDPsize=4096 (39)
16:39:51.585412 IP (tos 0x0, ttl 64, id 31855, offset 0, flags [none], proto UDP (17), length 67) 10.0.10.10.domain > my_test_server_ip.47288: [bad udp cksum 2525!] 22771 Refused- q: A? google.com. 0/0/1 ar: . OPT UDPsize=4096 (39)
Note refused in the response
So I can't figure out for the life of me why I see non-authorized clients getting responses that I don't serve records for, meanwhile I test from a non-authorized client I have access to and I get refused
EDIT: Here is the config - http://pastebin.ca/3372301
FWIW I have a similar setup on my slaves and I see the same thing. NON-authorized clients that I can test with get refused, but tcpdump shows answers being responded to. The idea behind this is basically a split-view DNS master that serves master zones to 3 slaves - 2 internal slaves (serving 10.x.x.x addresses and other internal records) and 1 external slave which will be hosting externally accessible records. Right now I want to try to identify why, even though I explicitly only allow recursion from certain hosts, I still see in tcpdump responses getting responded TO, but any server I test from that is not allowed gets refused (and it shows in tcpdump)
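A check that makes this kind of capture easier to read, added here as an example and not part of the post or of BIND: a small parser for tcpdump's DNS decode that works out, for each line, who sent the packet relative to the resolver. In the lines quoted above, a response is recognised by the `.domain` (port 53) side being the sender, and the line tells you whether the resolver sent the answer (source `10.0.10.10.domain`) or received one from an upstream server while doing its own lookup (source `192.41.162.30.domain`, destination an ephemeral port on `10.0.10.10`). The `-` after the query ID is tcpdump's "recursion not available" flag and `*` marks an authoritative answer, so the audit only flags non-authoritative NoError answers that the resolver itself sent to addresses outside the recursion ACL. `SERVER_IP` is taken from the post; the test client address and the ACL network are constructed stand-ins, since the real config is only linked.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

SERVER_IP = "10.0.10.10"          # the BIND server in the post
TEST_CLIENT_IP = "198.51.100.77"  # constructed stand-in for "my_test_server_ip"

# Constructed recursion ACL; the poster's real allow list is not on the page.
ALLOW_RECURSION = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample capture: the endpoint portions of the post's own lines.
SAMPLE_LINES = [
    "192.41.162.30.domain > 10.0.10.10.14618: [udp sum ok] 21373- q: AAAA? dns.sjc.llns.net. 0/9/6 ns: llns.net. NS dns.phx1.llns.net. ar: . OPT UDPsize=4096 OK (713)",
    "10.0.10.10.23242 > 66.18.106.34.domain: [bad udp cksum e348!] 33374% [1au] A? ns2.alsw.com. ar: . OPT UDPsize=4096 OK (41)",
    f"{TEST_CLIENT_IP}.47288 > 10.0.10.10.domain: [udp sum ok] 22771+ [1au] A? google.com. ar: . OPT UDPsize=4096 (39)",
    f"10.0.10.10.domain > {TEST_CLIENT_IP}.47288: [bad udp cksum 2525!] 22771 Refused- q: A? google.com. 0/0/1 ar: . OPT UDPsize=4096 (39)",
]

ENDPOINTS = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\w+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\w+): (?P<rest>.*)$"
)
# "ID" then flag characters; responses may carry an rcode word, e.g. "22771 Refused-".
HEADER = re.compile(
    r"(?P<id>\d+)(?P<flags>[+*$|%-]*)"
    r"(?: (?P<rcode>Refused|NXDomain|ServFail|FormErr|NotImp|YXDomain|NotAuth|NotZone)"
    r"(?P<flags2>[+*$|%-]*))?"
)
QUESTION = re.compile(r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")


@dataclass
class DnsPacket:
    src: str
    sport: int
    dst: str
    dport: int
    is_response: bool
    rcode: str      # "" for queries, "NoError" or the printed rcode for responses
    ra: bool        # recursion available ("-" in the flags means it is not)
    aa: bool        # authoritative answer ("*" flag)
    qname: str


def _port(token: str) -> int:
    return 53 if token == "domain" else int(token)


def parse_line(line: str) -> Optional[DnsPacket]:
    m = ENDPOINTS.search(line)
    if not m:
        return None
    sport, dport = _port(m["sport"]), _port(m["dport"])
    # Drop the "[udp sum ok]" / "[bad udp cksum ...]" bracket so its hex digits
    # are not mistaken for the query ID. (Bad checksums on packets the capturing
    # host itself sends are normally checksum offload, not corruption.)
    rest = re.sub(r"^\[[^\]]*\]\s*", "", m["rest"])
    if (sport == 53) != (dport == 53):
        is_response = sport == 53           # the port-53 side is the server role
    else:
        is_response = " q: " in f" {rest}"  # tcpdump prints "q:" only for responses
    h = HEADER.match(rest)
    flags = ((h["flags"] or "") + (h["flags2"] or "")) if h else ""
    rcode = (h["rcode"] if h and h["rcode"] else "NoError") if is_response else ""
    q = QUESTION.search(rest)
    return DnsPacket(
        src=m["src"], sport=sport, dst=m["dst"], dport=dport,
        is_response=is_response, rcode=rcode,
        ra=is_response and "-" not in flags,
        aa="*" in flags,
        qname=q["qname"] if q else "",
    )


def classify(pkt: DnsPacket, server_ip: str = SERVER_IP) -> str:
    """Name the packet's role from the resolver's point of view."""
    if pkt.is_response:
        if pkt.src == server_ip:
            return "server_answered_client"
        if pkt.dst == server_ip:
            return "upstream_answered_server"   # reply to the resolver's own lookup
    else:
        if pkt.dst == server_ip:
            return "client_queried_server"
        if pkt.src == server_ip:
            return "server_queried_upstream"
    return "unrelated"


def audit(lines: List[str], server_ip: str = SERVER_IP,
          acl=ALLOW_RECURSION) -> List[DnsPacket]:
    """Non-authoritative NoError answers the resolver sent outside the ACL."""
    leaks = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None or classify(pkt, server_ip) != "server_answered_client":
            continue
        client = ipaddress.ip_address(pkt.dst)
        if pkt.rcode == "NoError" and not pkt.aa and not any(client in n for n in acl):
            leaks.append(pkt)
    return leaks


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        p = parse_line(line)
        print(f"{classify(p):26} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"{p.qname} {p.rcode} RA={p.ra}")
    print("recursive answers outside ACL:", len(audit(SAMPLE_LINES)))
```

Run against a full capture (`tcpdump -nn -vvv udp port 53`, as the quoted lines suggest), the "server_answered_client" rows are the only ones that say anything about the recursion ACL; "upstream_answered_server" rows are traffic the resolver received.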