Problem with BIND 9 and OpenBSD 3.4
phn at icke-reklam.ipsec.nu
Mon Dec 8 18:38:09 UTC 2003
G.T. <ethan_t at sbcglobal.net> wrote:
> I figured I'd finally get around to upgrading OpenBSD to 3.4 from 3.2 and
> left BIND for last since I figured it would be trivial to get going. I'd
> never had any problems with BIND 4 or 8 in the past but I sure am having
> trouble now. Queries from my internal network (listed in the acl clients)
> work fine. Here's my named.conf with only the rndc.key changed (let me
> know if you'd like to see my zone files, too):
> root at grits:/var/named# cat etc/named.conf
> // $OpenBSD: named-dual.conf,v 1.4 2003/02/27 14:44:04 todd Exp $
> // Update this list to include only the networks for which you want
> // to execute recursive queries. The default setting allows all hosts
> // on any IPv4 networks for which the system has an interface, and
> // the IPv6 localhost address.
> //
> acl clients {
> 192.168/16;
> localhost;
> ::1;
> };
> options {
> version ""; // remove this to allow version queries
> listen-on { any; };
> listen-on-v6 { any; };
> };
> key "rndc-key" {
> algorithm hmac-md5;
> secret "3nURT98M+8U2C52AJNzCBQ==";
> };
> controls {
> inet 127.0.0.1 port 953
> allow { 127.0.0.1; } keys { "rndc-key"; };
> };
> logging {
> category lame-servers { null; };
> };
> view "internal" {
> match-clients { clients; };
> match-recursive-only yes;
> // Standard zones
> //
> zone "." {
> type hint;
> file "standard/root.hint";
> };
> zone "localhost" {
> type master;
> file "standard/localhost";
> allow-transfer { localhost; };
> };
> zone "127.in-addr.arpa" {
> type master;
> file "standard/loopback";
> allow-transfer { localhost; };
> };
> zone "1.168.192.in-addr.arpa" IN {
> type master;
> file "master/192.168.1.rev";
> };
> zone "2fortheroad.net" IN {
> type master;
> file "master/private.net";
> };
> zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
> type master;
> file "standard/loopback6.arpa";
> allow-transfer { localhost; };
> };
> zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int" {
> type master;
> file "standard/loopback6.int";
> allow-transfer { localhost; };
> };
> };
> view "authoritative" {
> match-clients { !clients; };
> recursion no;
> additional-from-auth no;
> additional-from-cache no;
> // Master zones
> zone "2fortheroad.net" {
> type master;
> file "master/2fortheroad.net";
> allow-transfer { any; };
> };
> };
> When I turn querylog on I see queries in the logs but the external clients
> get query REFUSED.
> I've turned off pf and still get the same results. However, here is the
> output of pfctl -s rules:
> root at grits:/var/named# pfctl -s rules
> scrub in all fragment reassemble
> block drop in quick on sis0 inet from 127.0.0.0/8 to any
> block drop in quick on sis0 inet from 192.168.0.0/16 to any
> block drop in quick on sis0 inet from 172.16.0.0/12 to any
> block drop in quick on sis0 inet from 10.0.0.0/8 to any
> block drop out quick on sis0 inet from any to 127.0.0.0/8
> block drop out quick on sis0 inet from any to 192.168.0.0/16
> block drop out quick on sis0 inet from any to 172.16.0.0/12
> block drop out quick on sis0 inet from any to 10.0.0.0/8
> block drop in quick on sis0 inet proto tcp from any to 67.127.23.18 port = auth
> block drop in quick on sis0 inet proto tcp from any to 67.127.23.18 port = netbios-ns
> block drop in quick on sis0 inet proto udp from any to 67.127.23.18 port = netbios-ns
> block drop in log on sis0 all
> pass in on sis0 inet proto icmp from any to 67.127.23.18 keep state
> pass in on sis0 inet proto tcp from any to 67.127.23.18 port = www flags S/SA keep state
> pass in on sis0 inet proto tcp from any to 67.127.23.18 port = domain keep state
> pass in on sis0 inet proto udp from any to 67.127.23.18 port = domain keep state
> pass in on sis0 inet proto tcp from any to 67.127.23.18 port = smtp flags S/SA keep state
> block drop out on sis0 all
> pass out on sis0 inet proto tcp all flags S/SA keep state
> pass out on sis0 proto icmp all keep state
> pass out on sis0 proto udp all keep state
> Thanks for looking and thanks for any help,
> Greg
> --
> "Destroy your safe and happy lives before it is too late,
> the battles we fought were long and hard,
> just not to be consumed by rock n' roll..." - The Mekons
My guess is twofold: something wrong with the zone
2fortheroad.net in the authoritative view (anything in the
logfile?).
Besides that, you could ease up the acl on the authoritative
view to 'any', since your internal clients are already matched. Does that
make any difference?
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
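Added example, not part of the thread and not ISC's code: a small simulation of how named picks a view for a query, run against the posted view definitions and against the eased-up "any" suggested in the reply. It models the two rules that matter here. First, an address match list is walked in order and stops at the first element that matches; a negated element such as "!clients" rejects, and a list in which no element matches positively matches nothing at all, so a match-clients of "{ !clients; }" never selects the view. Second, a view whose match-clients or match-recursive-only test fails is skipped, and when no view is left named answers REFUSED, which is what the external clients in the post see while the internal ones are served by the "internal" view. The acl contents (with BIND's "localhost" keyword assumed to expand to 127.0.0.1 and the sis0 address 67.127.23.18 from the pf rules), the view dictionaries and the sample source addresses are this example's own constructions.

```python
"""
Simulate named's view selection for the posted split-view named.conf.

Added example for this thread; not code from the page or from ISC BIND.
It implements only the address_match_list rules (first match wins, "!"
rejects, no positive match means no match) and the view selection order
(match-clients, then match-recursive-only). No view left means REFUSED.
"""
import ipaddress

# The posted "clients" acl. BIND's "localhost" keyword covers every address
# on the box; assumed here to be 127.0.0.1 and 67.127.23.18 (sis0 in the
# posted pf rules). Constructed data for this example.
CLIENTS = ["192.168/16", "127.0.0.1", "67.127.23.18", "::1"]
ACLS = {"clients": CLIENTS, "any": ["0.0.0.0/0", "::/0"], "none": []}


def _expand(prefix):
    """Turn BIND's short IPv4 prefix form ("192.168/16") into full CIDR."""
    if "/" in prefix and ":" not in prefix:
        net, length = prefix.split("/")
        octets = net.split(".")
        net = ".".join(octets + ["0"] * (4 - len(octets)))
        return f"{net}/{length}"
    return prefix


def match_list(elements, addr, acls=ACLS):
    """Evaluate an address_match_list for one source address.

    True is a positive match. False covers both a negated match and the
    case where no element matched; for match-clients both mean the view
    is not selected.
    """
    ip = ipaddress.ip_address(addr)
    for element in elements:
        negated = element.startswith("!")
        name = element[1:] if negated else element
        if name in acls:
            # A nested acl only counts when it matches positively.
            hit = match_list(acls[name], addr, acls)
        else:
            net = ipaddress.ip_network(_expand(name), strict=False)
            hit = ip.version == net.version and ip in net
        if hit:
            return not negated  # first matching element decides
    return False                # fell off the end: no match


def select_view(views, addr, recursion_desired=True):
    """Name of the first view that accepts the query, or None.

    None is named's "no matching view" case, answered with REFUSED.
    """
    for view in views:
        if not match_list(view["match_clients"], addr):
            continue
        if view.get("match_recursive_only") and not recursion_desired:
            continue
        return view["name"]
    return None


INTERNAL = {"name": "internal", "match_clients": ["clients"],
            "match_recursive_only": True}

# As posted: the only element is negated, so nothing matches positively
# and no outside address is ever placed in this view.
POSTED_VIEWS = [INTERNAL,
                {"name": "authoritative", "match_clients": ["!clients"]}]

# With the acl eased to "any", as suggested in the reply. View order still
# sends internal recursive queries to "internal" first.
FIXED_VIEWS = [INTERNAL,
               {"name": "authoritative", "match_clients": ["any"]}]

if __name__ == "__main__":
    # 192.168.1.10 stands for an internal host, 203.0.113.5 for an
    # outside resolver; both are constructed sample addresses.
    for label, views in (("posted", POSTED_VIEWS), ("fixed", FIXED_VIEWS)):
        for addr, rd in (("192.168.1.10", True), ("192.168.1.10", False),
                         ("203.0.113.5", True), ("203.0.113.5", False)):
            view = select_view(views, addr, rd)
            print(f"{label:6} {addr:14} rd={int(rd)} -> {view or 'REFUSED'}")
```

The simulation also shows a side effect worth knowing about: with the posted config an internal host sending a non-recursive query (dig +norecurse) is skipped by "internal" because of match-recursive-only and then rejected by "!clients", so it is refused too; with "any" it lands in the authoritative view. To confirm on the real server, run from an outside host `dig @67.127.23.18 2fortheroad.net soa +norecurse` and compare the status line, REFUSED before the change against NOERROR with the aa flag after it; named reports the refused case as a "no matching view" message for the client, logged at debug level, so raising the level with rndc trace may be needed to see it.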