named Denied Log Error Messages

Hi all, I see dozens of these denied error messages in the /var/log/messages file:

The messages look similar to these:

named[1473]: query (cache) ‘’ denied
named[1473]: query (cache) ‘’ denied

I am very concerned because these errors appear to be saying that the name server is NOT responding to DNS requests. Is that true? If so, how can I fix this?

Thanks for your time!<br><br>Post edited by: mrwilder, at: 2009/04/04 17:27

The key is to find out if your DNS server is allowing lookups of domains residing on it.

If so – the above error messages are likely messages due to the DNS server not being configured to allow just anyone to use is as a general nameserver (in DNS-speak, recursive queries may be disabled, which is a good thing).

If a random person on the Net can use your DNS server to look up a domain hosted on your server, but not use your DNS server to look up a domain hosted on some other server, you’re in good shape!

Yes, that sounds good, except I have two servers. Both of them have different domains on them, and both of them are name servers to each other’s domains.

I did not slave the DNS records for these domains, instead, I manually created the entries on both machines. It occurs to me that if i slave the zones, perhaps that would fix it… but I’d rather not do that if there is some other deeper problem.

Oh, yeah, I forgot to directly reply to your suggestion: Yes. Both name servers work fine, and they are available to the internet at large.

The old machine is a Sun running a Linux OS with a Cobalt shell, and it’s been up and running fine for years. The error state machine is the new linux box with Webmin/Virtualmin/Usermin. It’s been up and running for a few months with minor bugs, but nothing deadly that I know of.

But, again, it does appear the Webmin box is not serving NS records for the Sun box domains.


Can you help me understand your setup a little better? The domains that BIND is denying – are they domains residing on your servers?

So if we looked at the named.conf file in either of those nameservers, is there a zone entry for the domains being denied?

I’m trying to get my head around how various boxes you mentioned there fit into the puzzle here.


Never mind, I totally didn’t set up all of the relevant slave zones, thus, the machine in question didn’t want to serve the info. I’ve moved onto the suexec not configured correctly cgi and php apps wont execute problem now.

Sorry for wasting your time, thanks for the help though.