Hi, Thanks for the suggestion. There are probably a few ways to fix these things, but in my case I found two things I needed... In options, I needed: allow-recursion {XXX.YYY.0.0/16; }; Also, I had trouble with external view. It had been set as: match-clients { !local_lan; }; This would not match external clients. I had to use: match-clients { any; }; Now things are working again... <div class="gmail_quote">On Thu, Dec 20, 2012 at 10:45 AM, Antonio Lopez <<a href="mailto:cubodebits@gmail.com" target="_blank">cubodebits@gmail.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Check allow-quey directive <div class="gmail_quote"> 2012/12/20 francis picabia <<a href="mailto:fpicabia@gmail.com" target="_blank">fpicabia@gmail.com</a>> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">Hi, I'd really appreciate some help on this. I thought this was working when testing, but today when rolling it into production it fails me. I have internal and external views in named.conf The goal is to allow everyone (in and out) to query my domain, but allow only internal users to query the outside world. We had this working before in Redhat 5, but something has changed and it isn't working for RH 6. The strange thing is, I can do queries of the outside OK from the DNS server, or from systems on the same subnet. The ones I want to let use the view, seem to match the view, but are blocked: Dec 20 10:14:58 sedna named[7574]: 20-Dec-2012 10:14:58.759 security: info: client XXX.YYY.200.66#55286: view internal: query (cache) '<a href="http://onmail.com/MX/IN" target="_blank">onmail.com/MX/IN</a>' denied acl "local_lan" { XXX.YYY.0.0/16; 127.0.0.1; }; view "internal" { /* This view will contain zones you want to serve only to "internal" clients that connect via your directly attached LAN interfaces - "localnets" . */ match-clients { local_lan; XXX.YYY.1.3; }; match-destinations { any; }; recursion yes; additional-from-auth yes; additional-from-cache yes; empty-zones-enable yes; notify yes; allow-transfer { adcs; XXX.YYYY.1.3; }; also-notify { XXX.YYY.200.67; XXX.YYY.200.66; XXX.YYY.1.3;}; // all views must contain the root hints zone: include "/etc/named.root.hints"; include "/etc/named.rfc1912.zones"; zone "<a href="http://mydomain.ca" target="_blank">mydomain.ca</a>" in { type master; file "forward/<a href="http://mydomain.ca" target="_blank">mydomain.ca</a>"; }; zone "XXX.YYY.in-addr.arpa" in { type master; file "reverse/db.XXX.YYY.rev"; }; }; I've changed the first digits of my network IPs to XXX.YYY. The DNS system is on XXX.YYY.2.48, and systems on subnet 2 can query it OK. Other systems which should fall in the /16 network are not able to query. It seems like there is something about Bind 9.8 I'm missing. Running BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.5 </div></div>_______________________________________________ rhelv6-list mailing list <a href="mailto:rhelv6-list@redhat.com" target="_blank">rhelv6-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/rhelv6-list" target="_blank">https://www.redhat.com/mailman/listinfo/rhelv6-list</a> </blockquote></div> <div> </div>-- “software is like sex, its better when its free” _______________________________________________ rhelv6-list mailing list <a href="mailto:rhelv6-list@redhat.com">rhelv6-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/rhelv6-list" target="_blank">https://www.redhat.com/mailman/listinfo/rhelv6-list</a> </blockquote></div>