named.conf

Mark.Andrews at nominum.com
Fri Mar 16 20:52:44 UTC 2001


> Hello all,
> 
> I just wish to run my named.conf by you guys and see if I understood the
> docs correctly.  It is included here at the bottom.  Basically here's the
> situation, my server has two IPs on the same interface 208.164.85.1 (dns
> server) and 64.110.177.129 (dhcp server).  I don't want anyone to transfer
> any zone information (they are only done by secondary servers right?  other
> servers need not transfer my zones?).

> I only wish to allow certain servers
> (indicated with the server tag) to be able to transfer the 64.110.177.128/28
> RDNS zone.  I also wish to deny recursive queries except from my own IPs.
> Keeping this in mind I drafted the named.conf below however, I see entries
> in the log saying "denied query from [some.ip].53 for websprinter.net" if I
> put in "allow-query  { 208.164.85.0/28; 64.110.177.128/25; };".  If I put in
> "allow-query { any; };", everything seems to work ok.

	You need "allow-query  { 208.164.85.0/28; 64.110.177.128/25; };" at
	the options level and "allow-query { any; };" at the zone level.

	This blocks access to cached data but not to zone data.

> I also perform DDNS
> from ISC's DHCP server on the same machine but gives out IPs via
> 64.110.177.129.  The problem is my ISP has delegated its RDNS to me even if
> the block is a partial one.

	This is not evident from the answers on the net.

;; ANSWER SECTION:
177.110.64.in-addr.arpa.  23h57m35s IN NS  ns4.interpacket.net.
177.110.64.in-addr.arpa.  23h57m35s IN NS  ns1.interpacket.net.
177.110.64.in-addr.arpa.  23h57m35s IN NS  ns2.interpacket.net.

> I suspect they're acting as secondary server
> and transferring zones from me (that's why I allow them to transfer zones,
> but only for the 64.110.177.128/25 block).  I also see several of these in
> my log files "named[5149]: 64.110.177.hosts:52: data
> "239.177.110.64.in-addr.arpa outside zone 128/25.177.110.64.in-addr.arpa
> (ignored)".  I suspect this is caused by bind refusing the DDNS from my DHCP
> server.

	No. This is caused by you having bad data in the zone file for
	128/25.177.110.64.in-addr.arpa.  It should contain a
	entry for 239.128/25.177.110.64.in-addr.arpa not a
	entry for 239.177.110.64.in-addr.arpa.

	I suggest that you go and re-read about setting up classless
	in-addr.arpa zones again.  Then talk to your ISP again because
	128/25.177.110.64.in-addr.arpa is not yet delegated to you
	and 177.110.64.in-addr.arpa is not yet set up to support
	classless in-addr.arpa (no cnames).

	Mark

> 
> Can anyone help me figure out these 2 problems?  Any comments on the
> included named.conf would also be appreciated (is it secure enough, does it
> make sense, are there redundancies, etc.).
> 
> 
> TIA,
> 
> M. Yu
> 
> 
> [named.conf]
> 
> server 216.226.222.62 {
>         bogus no;
>         support-ixfr no;
>         transfer-format many-answers;
> };
> 
> server 209.198.244.2 {
>         bogus no;
>         support-ixfr no;
>         transfer-format many-answers;
> };
> 
> server 209.198.248.226 {
>         bogus no;
>         support-ixfr no;
>         transfer-format many-answers;
> };
> 
> options {
>         version "You gotta be kidding me!";
>         directory "/var/named";
>         notify no;
>         recursion yes;
>         rfc2308-type1 yes;
>         treat-cr-as-space yes;
>          allow-query  { 208.164.85.0/28; 64.110.177.128/25; };
>         allow-transfer { none; };
>         allow-recursion { 208.164.85.0/28; 64.110.177.128/25; };
>         listen-on 53 { 208.164.85.1; };
>         query-source address 208.164.85.1 port *;
>         transfer-source 208.164.85.1;
>         maintain-ixfr-base yes;
>         statistics-interval 720;
>         topology { 216.226.222.62; 209.198.244.2; 209.198.248.226; };
>         sortlist {
>                 { localhost; localnets; };
>                 { localnets; };
>         };
> };
> 
> logging {
>         channel update_debug {
>                 file "/var/log/update-debug.log";
>                 severity        debug   3;
>                 print-category  yes;
>                 print-severity  yes;
>                 print-time      yes;
>         };
>         channel security_info {
>                 file "/var/log/named-auth.info";
>                 severity        info;
>                 print-category  yes;
>                 print-severity  yes;
>                 print-time      yes;
>         };
> };
> 
> zone "." {
>         type hint;
>         file "named.root";
> };
> 
> zone "128/25.177.110.64.in-addr.arpa" {
>         type master;
>         file "64.110.177.hosts";
>         allow-update { 64.110.177.129; };
>         allow-transfer { 216.226.222.62; 209.198.244.2; 209.198.248.226; };
>         also-notify { 216.226.222.62; 209.198.244.2; 209.198.248.226; };
> };
> 
> zone "85.164.208.in-addr.arpa" {
>         type master;
>         file "208.164.85.hosts";
> };
> 
> zone "websprinter.net" {
>         type master;
>         file "WEBSPRINTER.NET.hosts";
>         allow-update { 64.110.177.129; };
> };
> 
> [end]
> 
> 
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
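The classless in-addr.arpa points in Mark's reply (the PTR owner must sit inside the 128/25.177.110.64.in-addr.arpa zone, and the parent 177.110.64.in-addr.arpa zone must carry NS and CNAME records for the delegation) can be checked mechanically. The script below is an added example written for this page; it is not code from the thread, from BIND or from Nominum. It derives the RFC 2317 zone names from the 64.110.177.128/25 block, emits the delegation records the parent zone would need, and scans a constructed zone file for owner names that fall outside the zone, which is the condition behind named's "outside zone ... (ignored)" message quoted above. The hostnames (example.net) and the zone file contents are constructed; the interpacket.net name servers are the ones shown in the ANSWER SECTION. The allow-query layering (a restrictive list under options, `allow-query { any; };` in each zone) is a named.conf change and is not modelled here.

```python
"""Helpers for classless (RFC 2317) reverse zones served by BIND.

Added example for the bind-users thread above; not BIND's own code.
"""
import ipaddress
from typing import Iterable, List, Tuple


def rfc2317_child_zone(network: str) -> str:
    """Zone name for a sub-/24 block: 64.110.177.128/25 -> 128/25.177.110.64.in-addr.arpa."""
    net = ipaddress.IPv4Network(network, strict=True)
    if not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 style delegation is for blocks smaller than a /24")
    o = str(net.network_address).split(".")
    return f"{o[3]}/{net.prefixlen}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"


def parent_zone(network: str) -> str:
    """The /24 reverse zone that must delegate the classless block."""
    net = ipaddress.IPv4Network(network, strict=True)
    o = str(net.network_address).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"


def ptr_owner(address: str, network: str) -> str:
    """Owner name a PTR record must use inside the classless child zone."""
    net = ipaddress.IPv4Network(network, strict=True)
    addr = ipaddress.IPv4Address(address)
    if addr not in net:
        raise ValueError(f"{address} is not in {network}")
    last = str(addr).split(".")[3]
    return f"{last}.{rfc2317_child_zone(network)}"


def parent_records(network: str, nameservers: Iterable[str]) -> List[str]:
    """Records the parent zone needs: NS delegation of the child zone plus one
    CNAME per usable host address pointing into it (network/broadcast skipped)."""
    net = ipaddress.IPv4Network(network, strict=True)
    child = rfc2317_child_zone(network)
    parent = parent_zone(network)
    lines = [f"{child}.\tIN NS\t{ns.rstrip('.')}." for ns in nameservers]
    for host in net.hosts():
        last = str(host).split(".")[3]
        lines.append(f"{last}.{parent}.\tIN CNAME\t{last}.{child}.")
    return lines


def find_records_outside_zone(zone: str, zone_file: str) -> List[Tuple[int, str]]:
    """Return (line number, fully qualified owner) for each record whose owner
    is not at or below the zone apex. named logs such records as
    'outside zone ... (ignored)' and drops them on load."""
    zone = zone.rstrip(".").lower()
    origin = zone          # zone files default $ORIGIN to the zone name
    last_owner = zone      # a line starting with whitespace reuses the previous owner
    bad = []
    for n, raw in enumerate(zone_file.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        if line.startswith("$"):               # $TTL and friends carry no owner
            continue
        if line[0] in " \t":
            owner = last_owner
        else:
            tok = line.split()[0]
            if tok == "@":
                owner = origin
            elif tok.endswith("."):
                owner = tok.rstrip(".").lower()
            else:
                owner = f"{tok}.{origin}".lower()
            last_owner = owner
        if owner != zone and not owner.endswith("." + zone):
            bad.append((n, owner))
    return bad


# Constructed zone file modelled on the log line quoted in the thread: line 5
# uses the owner Mark flags as wrong, line 6 the in-zone owner it should have.
SAMPLE_ZONE_FILE = """\
$ORIGIN 128/25.177.110.64.in-addr.arpa.
@\tIN SOA ns.example.net. hostmaster.example.net. 2001031601 3600 900 604800 3600
\tIN NS ns.example.net.
129\tIN PTR dhcp.example.net.
239.177.110.64.in-addr.arpa.\tIN PTR host239.example.net.  ; outside zone, ignored
239\tIN PTR host239.example.net.  ; correct in-zone owner
"""

if __name__ == "__main__":
    block = "64.110.177.128/25"
    for rec in parent_records(block, ["ns1.interpacket.net", "ns2.interpacket.net"])[:4]:
        print(rec)
    for n, owner in find_records_outside_zone(rfc2317_child_zone(block), SAMPLE_ZONE_FILE):
        print(f"line {n}: {owner} outside zone {rfc2317_child_zone(block)} (ignored)")
```

Running it prints the first few parent-zone records and reports line 5 of the sample file as outside the zone; `ptr_owner("64.110.177.239", "64.110.177.128/25")` gives the 239.128/25.177.110.64.in-addr.arpa form Mark describes. Until the parent zone carries the NS and CNAME records (something only the ISP can add), a correctly built child zone still answers nobody's reverse lookups, which is why the reply sends the poster back to the ISP.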

