caching-only name server not caching or name serving
Treptow, Craig
Treptow.Craig at principal.com
Sat Jun 22 20:13:51 UTC 2002
Shouldn't this:
allow-query { 192.168.1.1/24 ; } ;
be:
allow-query { 192.168.1/24 ; } ;
I'm not sure if a denied query will give a "SERVFAIL" though.
-----Original Message-----
From: thompsop [mailto:bitherder at mindspring.com]
Sent: Saturday, June 22, 2002 12:00 AM
To: comp-protocols-dns-bind at isc.org
Subject: Re: caching-only name server not caching or name serving
those who know me have no need of my name wrote:
>
> in comp.protocols.dns.bind i read:
>
> > I've tried to configure a cache-only ns (9.2.1 under RHL 2.4.9-34).
> > I've tried the recipes in various books. I've tried the "h2n" tool
> > (specifically h2n-hp/h2n). It looks like nothing is working.
>
> hmm. this sounds like you want bind to resolve individual names in a
> custom fashion, e.g., to prevent banner ads from being fetched or to reach
> hosts using names not otherwise present in the dns, but that conflicts with
> the description of bind's role as a caching-only resolver.
First, I very much appreciate your help.
I just want to run a caching-only name server. I don't have a static IP. I do have a group of Win clients. At any given time, some or none or all may be connected to my private (192.168.1/24) network. I'm pretty sure there's no other name server variant (slave, partial slave) that I can (or should) run.
>
> >The linux
> >box can resolve names, but I think it's falling back to use the
> >Earthlink DNS servers I've hardwired into "resolv.conf", which doesn't
> >seem like an ideal solution.
>
> resolv.conf tells your applications which nameservers to use, they do not
> automatically attempt to use the local system. if i understand what you
> are trying to do then your resolv.conf *must* only use its own address (or
> 127.0.0.1) as a nameserver, i.e., replace earthlink's ip addresses with
> your own.
Here's my "resolv.conf" (with comments intact)
----- cut here -----
domain 33.third
# According to man pages:
# The domain and search keywords are mutually exclusive. If more than
# one instance of these keywords is present, the last instance wins.
# NOTE ; "search" is a list of *domains*, not hosts !!!
# search dns Tachyon
# search 33.third
# Try the localhost first, then the known Mindspring DNS server.
# I think I read somewhere where this is some kind of default....
# nameserver 0.0.0.0
nameserver 192.168.1.1
nameserver 207.69.188.185
nameserver 207.69.188.186
nameserver 207.69.188.187
nameserver 207.69.188.188
nameserver 207.69.188.189
options attempts:2
options timeout:30
options debug
----- cut here -----
>
> >The Win boxes, which are using the Linux
> >box as a firewall (via pppd modem) can't resolve anything, but can ping
> >IP numbers. Everyone is getting (via DHCP) the correct address of the
> >Linux box as DNS server.
>
> no they aren't or it would be working.
Here's the output of "ipconfig /all" on an XP box. It shows the DNS settings obtained from dhcpd:
----- cut here -----
Windows IP Configuration
Host Name . . . . . . . . . . . . : dyad
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : 33.third
Description . . . . . . . . . . . : Intel(R) PRO/100+ Management Adapter
Physical Address. . . . . . . . . : 00-D0-77-E4-00-91
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
                                    192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1
                                    207.69.188.185
                                    207.69.188.186
                                    207.69.188.187
Primary WINS Server . . . . . . . : 192.168.1.1
Lease Obtained. . . . . . . . . . : Wednesday, June 19, 2002 9:41:42 PM
Lease Expires . . . . . . . . . . : Saturday, June 29, 2002 9:41:42 PM
----- cut here -----
>
> > Here's the result of a "dig" executed on the server, looking for
> > its own IP.
>
> >[root at tachyon root]# dig 192.168.1.1
>
> should be ``dig -x 192.168.1.1''. your command is trying to find a tld of
> `1' (the left-most label), which doesn't exist. using -x causes dig to
> construct the appropriate reverse lookup request (see bottom).
Here's dig -x. Same stuff (I wouldn't want to make it too easy....). Maybe I'm mistaken. I assumed that the "status: SERVFAIL" was a failure notice. Is it?????
----- cut here -----
[root at tachyon root]# dig -x 192.168.1.1
; <<>> DiG 9.2.1 <<>> -x 192.168.1.1
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11286
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;1.1.168.192.in-addr.arpa. IN PTR
;; Query time: 2 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Jun 21 22:22:38 2002
;; MSG SIZE rcvd: 42
----- cut here -----
>
> a caching-only resolver won't have the rfc-1918 reverse zone loaded, so
> it's not surprising that the query fails. since you didn't post your
> named.conf or any of the zones it loads (except the root hint) it's
> difficult to know just where you went wrong.
Here's "named.conf" except for the "logging" portion. I've trimmed most of the comments, except for these at the top, which are there to remind me just how confusing the world of name resolution really is .... even the pros can't agree:
----- cut here -----
/*
** According to Linux TCP/IP Network Administration (Mann; SGI), p.405
** A caching-only configuration needs: "/etc/nsswitch.conf", "/etc/named.conf",
** a hints or forwarders file, and a reverse loopback file.
** According to Linux Network Administrators Guide (Kirch & Dawson; O'Reilly) p.109
** A caching-only configuration needs: "named.boot" and "named.ca"
** ("No other files are needed for a caching-only server configuration")
** According to DNS and BIND, 4th Ed. (Albitz & Liu; O'Reilly) p.205
** "a caching-only name server needs a root hints file and a db.127.0.0 file."
*/
options
{
    dialup yes ;
    heartbeat-interval 480 ;
    directory "/var/named";
    listen-on { 192.168.1.1 ; } ;
    // query-source address * port 53;
};
zone "."
{
    type hint ;
    file "db.cache" ;
};
zone "0.0.127.in-addr.arpa"
{
    type master ;
    dialup yes ;
    file "db.127.0.0" ;
    # Allow dynamic updating
    allow-update { 192.168.1.1/24 ; } ;
    allow-query { 192.168.1.1/24 ; } ;
};
controls
{
    inet 192.168.1.1 port 953
        allow { 192.168.1.1; } keys { "TachyonDnsKey"; };
};
# Contains the algorithm and secret key value of key "TachyonDnsKey"
include "/etc/rndc.key";
----- cut here -----
The "db.cache" file is basically nothing but comments. Here's "db.127.0.0". Basically as output by the "h2n" tool, but I've changed the seconds values to something more readable:
----- cut here -----
$TTL 259200
; [S/N] [REFRESH] [RETRY] [EXPIRE] [MINIMUM/NEGATIVE-CACHING]
; (SN 3h 1h 7d 24h)
; the defaults are (3h:1h:1w:1d)
; @ IN SOA tachyon.33.third. mnemotronic.mindspring.com. ( 2002062000 43200 21600 604800 3600 )
@       IN SOA  tachyon.33.third. mnemotronic.mindspring.com. ( 2002062000 24h 8h 1w 2d )
        IN NS   tachyon.33.third.
1       PTR     localhost.
----- cut here -----
I figured out the "rndc" problem. My keys were conflicting. So rndc doesn't hork up wookie hairballs anymore. Yea.
If you can figure this out, I'll put you in my will (my stock portfolio is currently at about -$100K)
#include std.disclaimer.author.full.bull
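As an added example (not code from this thread, from ISC's BIND, or from the h2n tool), here is a small Python lint that applies Craig's point about the prefix form to a copy of the named.conf above, and the earlier point that a host running its own caching resolver should list only that resolver in resolv.conf. It uses only the Python standard library; the configuration text inside it is a constructed copy of the statements quoted in the thread, and the statement names it matches (allow-query, allow-update, allow-recursion, allow-transfer, listen-on) are the standard BIND address-match-list statements.

```python
"""Lint address-match lists in a BIND named.conf and the nameserver list in
resolv.conf.  Added example for the thread above, not code from the list
or from ISC."""
import ipaddress
import re

# Constructed sample: the address-match-list statements from the thread's named.conf.
NAMED_CONF = """
options {
    listen-on { 192.168.1.1 ; } ;
};
zone "0.0.127.in-addr.arpa" {
    type master ;
    file "db.127.0.0" ;
    allow-update { 192.168.1.1/24 ; } ;
    allow-query { 192.168.1.1/24 ; } ;
};
"""

# Constructed sample: the thread's resolv.conf with comments and options removed.
RESOLV_CONF = """
domain 33.third
nameserver 192.168.1.1
nameserver 207.69.188.185
nameserver 207.69.188.186
"""

# Statements whose body is an address-match list we care about.
ACL_RE = re.compile(
    r"\b(allow-query|allow-update|allow-recursion|allow-transfer|listen-on)"
    r"\s*\{([^}]*)\}")
# Elements that are keywords rather than address prefixes.
NON_PREFIX = {"any", "none", "localhost", "localnets"}


def expand_ipv4(prefix):
    """Turn BIND's short form (192.168.1/24) into dotted-quad form (192.168.1.0/24)."""
    addr, _, plen = prefix.partition("/")
    octets = addr.split(".")
    if ":" not in addr and len(octets) < 4 and all(o.isdigit() for o in octets):
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return addr + ("/" + plen if plen else "")


def address_match_lists(text):
    """Yield (statement, element) for every element of every matched list."""
    for m in ACL_RE.finditer(text):
        stmt, body = m.group(1), m.group(2)
        for element in body.split(";"):
            element = element.strip().lstrip("!").strip()   # drop negation marker
            if element and element not in NON_PREFIX and not element.startswith("key "):
                yield stmt, element


def noncanonical_prefixes(text):
    """Return (statement, original, canonical) for prefixes whose host bits are set."""
    findings = []
    for stmt, element in address_match_lists(text):
        if "/" not in element:
            continue        # a bare address is one host; nothing to canonicalise
        try:
            ipaddress.ip_network(expand_ipv4(element), strict=True)
        except ValueError:
            try:
                canonical = str(ipaddress.ip_network(expand_ipv4(element), strict=False))
            except ValueError:
                canonical = "invalid"
            findings.append((stmt, element, canonical))
    return findings


def broad_update_grants(text):
    """Return allow-update elements that cover more than a single host."""
    broad = []
    for stmt, element in address_match_lists(text):
        if stmt != "allow-update":
            continue
        try:
            net = ipaddress.ip_network(expand_ipv4(element), strict=False)
        except ValueError:
            continue
        if net.num_addresses > 1:
            broad.append(str(net))
    return broad


def foreign_nameservers(text, local_resolver):
    """Return resolv.conf nameserver entries other than the local resolver."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return [s for s in servers if s != local_resolver]


if __name__ == "__main__":
    for stmt, orig, canon in noncanonical_prefixes(NAMED_CONF):
        print(f"{stmt}: {orig} has host bits set; write {canon}")
    for net in broad_update_grants(NAMED_CONF):
        print(f"allow-update granted to whole network {net}; a single host would do")
    for s in foreign_nameservers(RESOLV_CONF, "192.168.1.1"):
        print(f"resolv.conf: nameserver {s} bypasses the local caching resolver")
```

A prefix written as 192.168.1.1/24 has host bits set; BIND's short form 192.168.1/24 and the dotted-quad 192.168.1.0/24 name the same network, which is what the checker reports. Two further observations come out of the same parse: allow-update granted to a whole /24 lets any host on the LAN rewrite the loopback zone where one address would do, and the extra resolv.conf entries mean the stub resolver falls through to Earthlink's servers whenever the local one fails, which hides the local fault rather than exposing it. On the SERVFAIL question raised in the reply: a query that allow-query rejects is answered REFUSED by BIND, not SERVFAIL.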