I need help; I've spent some time troubleshooting the DNS server that I created, but what happens is:

When I try to resolve an address, I receive the log entries below:

Nov 15 04:21:01 mydnshostname00 named[1057]: client xxx.yyy.zzz.111#51843 (mydbhostname.example.local.example.local): query 'mydbhostname.example.local.example.local/A/IN' **denied**
Nov 15 04:21:01 mydnshostname00 named[1057]: client xxx.yyy.zzz.111#51843 (mydbhostname.example.local.example.local): query 'mydbhostname.example.local.example.local/AAAA/IN' **denied**
Nov 15 04:24:11 mydnshostname00 named[1057]: client xxx.yyy.zzz.111#44369 (22.zzz.yyy.xxx.in-addr.arpa): query '22.zzz.yyy.xxx.in-addr.arpa/PTR/IN' **denied**
Nov 15 04:36:31 mydnshostname00 named[1057]: client xxx.yyy.zzz.122#26059 (example.local): query 'example.local/SOA/IN' **denied**

However, names resolve properly when I query from the DNS server itself.

Any advice on what possibly went wrong, or how to troubleshoot this?

Here are my configurations:


// Master named.conf as posted. The closing "};" line of each block appears to have been
// lost in the paste, so run named-checkconf against the real file before trusting it.
options {
        // NOTE(review): the ';' directly after '{' is a stray token — confirm this line parses.
        listen-on port 53 {; xxx.yyy.zzz.121; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // xxx.yyy.zzz.0/30 is only the four addresses .0-.3. The clients in the log
        // (.111 and .122) lie outside it, which is exactly what produces the
        // "query ... denied" lines; list the real client prefix (or the individual hosts) here.
        allow-query     { localhost; xxx.yyy.zzz.0/30; };
        // Transfers are restricted to the slave — keep this tight when widening allow-query.
        allow-transfer  { localhost; xxx.yyy.zzz.122; };

        // Recursion is on and no allow-recursion clause is set, so every permitted querier
        // presumably gets recursion too — verify; add `allow-recursion { <internal prefix>; };`
        // so the server cannot become an open resolver once allow-query is widened.
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        // NOTE(review): ISC's DLV registry has been decommissioned and lookaside validation
        // removed from newer BIND releases; this line and the DLV key below are presumably
        // dead weight — confirm for the BIND version in use.
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

logging {
        channel default_debug {
                // Relative to "directory" above, i.e. /var/named/data/named.run.
                file "data/named.run";
                severity dynamic;

zone "." IN {
        type hint;
        file "named.ca";
// Authoritative forward zone; the file path is relative to /var/named.
zone "example.local" IN{
        type master;
        file "forward.example";
        allow-update { none; };
// Authoritative reverse zone for xxx.yyy.zzz.0/24. The log's PTR query for .22 has no
// matching record in reverse.example, so it will presumably still fail (NXDOMAIN) once
// the access-control problem is fixed.
zone "zzz.yyy.xxx.in-addr.arpa" IN {
        type master;
        file "reverse.example";
        allow-update { none; };
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


; forward.example — zone "example.local". The SOA's closing ')' is missing from the paste;
; it must be present in the real file or the zone will not load.
$TTL 86400
@   IN  SOA     MasterDNSDomain.example.local. root.example.local. (
        2011071001  ;Serial — must increase on every edit or the slave will not pick up the change
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL

@                       IN  NS          MasterDNSDomain.example.local.
@                       IN  NS          SlaveDNSDomain.example.local.
; Retired apex A candidates kept as comments; only .113 is live.
;@                      IN  A           xxx.yyy.zzz.121
;@                      IN  A           xxx.yyy.zzz.122
;@                      IN  A           xxx.yyy.zzz.120
;@                      IN  A           xxx.yyy.zzz.111
;@                      IN  A           xxx.yyy.zzz.112
@                       IN  A           xxx.yyy.zzz.113

; Host records. The log's query for mydbhostname.example.local.example.local is presumably
; the client's resolver retrying with its search suffix appended after the first lookup was
; denied — a symptom of the access-control problem, not of anything in this file.
MasterDNSDomain         IN  A           xxx.yyy.zzz.121
SlaveDNSDomain          IN  A           xxx.yyy.zzz.122
ClientServerco01        IN  A           xxx.yyy.zzz.120
mydbhostname            IN  A           xxx.yyy.zzz.111
ClientServercr02        IN  A           xxx.yyy.zzz.112
ClientServerwb03        IN  A           xxx.yyy.zzz.113

www                     IN  CNAME       ClientServerwb03


; reverse.example — zone "zzz.yyy.xxx.in-addr.arpa" (PTR records for xxx.yyy.zzz.0/24).
; As with the forward file, the SOA's closing ')' is missing from the paste.
$TTL 86400
@       IN  SOA     MasterDNSDomain.example.local. root.example.local. (
        2011071001  ;Serial — must increase on every edit or the slave will not pick up the change
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL

@                       IN  NS          MasterDNSDomain.example.local.
@                       IN  NS          SlaveDNSDomain.example.local.

; Second PTR for .113 (the other one is at the bottom of the file). Two PTRs for one
; address are legal, but reverse lookups of .113 will then return both names.
113                     IN  PTR         example.local.

; These A records live in an in-addr.arpa zone, so their owner names become e.g.
; mydbhostname.zzz.yyy.xxx.in-addr.arpa — they serve no purpose here and can be dropped.
MasterDNSDomain         IN  A           xxx.yyy.zzz.121
SlaveDNSDomain          IN  A           xxx.yyy.zzz.122
ClientServerco01        IN  A           xxx.yyy.zzz.120
mydbhostname            IN  A           xxx.yyy.zzz.111
ClientServercr02        IN  A           xxx.yyy.zzz.112
ClientServerwb03        IN  A           xxx.yyy.zzz.113

; There is no PTR for .22 even though the log shows a client asking for it.
121                     IN  PTR         MasterDNSDomain.example.local.
122                     IN  PTR         SlaveDNSDomain.example.local.
120                     IN  PTR         ClientServerco01.example.local.
111                     IN  PTR         mydbhostname.example.local.
112                     IN  PTR         ClientServercr02.example.local.
113                     IN  PTR         ClientServerwb03.example.local.

Firewall Config

# Open DNS on both transports. --permanent rules only take effect after
# `firewall-cmd --reload` (not shown here) — confirm that was run.
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp

Permission Config

# Give the named group access to the zone directory; named.conf stays root-owned.
chgrp named -R /var/named
chown -v root:named /etc/named.conf
# Restore SELinux contexts after editing (-v reports each relabelled file).
restorecon -rv /var/named
restorecon /etc/named.conf

On my slave DNS server:


// Slave named.conf as posted; closing "};" lines seem to have been lost in the paste,
// so check the real file with named-checkconf.
options {
        // NOTE(review): stray ';' directly after '{' (same as on the master) — confirm it parses.
        listen-on port 53 {; xxx.yyy.zzz.122; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // Same /30 as the master: only .0-.3 may query, so the .111/.122 clients in the
        // log are denied here as well. Widen this to the real client prefix.
        allow-query     { localhost; xxx.yyy.zzz.0/30; };
        // NOTE(review): no allow-transfer here, unlike the master. On BIND versions where the
        // default is "any", anyone who can reach port 53 could pull the zones — consider
        // `allow-transfer { localhost; };` if nothing downstream needs AXFR from this host.

        // Recursion is on with no allow-recursion clause — presumably every permitted querier
        // gets recursion; verify, and restrict it to the internal prefix.
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        // NOTE(review): DLV lookaside is obsolete (registry decommissioned) — presumably
        // removable; confirm for this BIND version.
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;

zone "." IN {
        type hint;
        file "named.ca";
// Secondary copies pulled from the master at .121. The files are written under
// /var/named/slaves, which the named process must be able to write — confirm permissions.
zone "example.local" IN {
        type slave;
        file "slaves/example.fwd";
        masters { xxx.yyy.zzz.121; };
zone "zzz.yyy.xxx.in-addr.arpa" IN {
        type slave;
        file "slaves/example.rev";
        masters { xxx.yyy.zzz.121; };
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Firewall Config

# Only 53/tcp is opened here, whereas the master also opens 53/udp. Ordinary client
# queries and NOTIFY messages arrive over UDP, so clients of this slave would be dropped
# by the firewall before named ever sees them — add the matching
# `firewall-cmd --permanent --add-port=53/udp` and reload.
firewall-cmd --permanent --add-port=53/tcp

Permission Config

# Same ownership/labeling as the master. Slave zone files are written to /var/named/slaves,
# so that directory must be writable by the named group — confirm after the chgrp.
chgrp named -R /var/named
chown -v root:named /etc/named.conf
# Restore SELinux contexts after editing.
restorecon -rv /var/named
restorecon /etc/named.conf

Thank you in Advance



2 Answers


Allow your subnet to query.

// As written this permits only localhost; the client subnet still has to be added to the
// list. The ';' directly after '{' mirrors the question's listen-on line — confirm it parses.
options { allow-query {; localhost; }; };

What you have there covers only 2 IP addresses:

allow-query { localhost; xxx.yyy.zzz.0/30; }; 


Jacob Evans
  • Yes, I have the options allow-query in place — as you can see in my edited post above – AnD Nov 15 '15 at 05:19

You should additionally check the following configuration directive as well:

// Replace "your subnet" with the internal client prefix (a constructed example would be
// xxx.yyy.zzz.0/24). Note the doubled ';;' — one ';' per list element is the correct form.
allow-recursion { your subnet;; };
Jenny D