Views seem to have broken my config
Kevin Darcy
kcd at daimlerchrysler.com
Wed Dec 7 23:59:26 UTC 2005
Mark Ratering wrote:
>Hi everyone,
>
>I created a new config for myself using views so that my internal multihomed
>hosts would get traffic on their inside interfaces. One day after
>implementing this new config noone in the inside network can access any site
>for which my DNS server is the SOA. When I query from outside I receive
>this output for my dig command, does anyone have any idea what would cause
>this?
>
>; <<>> DiG 9.2.2 <<>> efax.com
>;; global options: printcmd
>;; Got answer:
>;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61675
>;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
>
>;; QUESTION SECTION:
>;efax.com. IN A
>
>;; AUTHORITY SECTION:
>. 518400 IN NS F.ROOT-SERVERS.NET.
>. 518400 IN NS G.ROOT-SERVERS.NET.
>. 518400 IN NS H.ROOT-SERVERS.NET.
>. 518400 IN NS I.ROOT-SERVERS.NET.
>. 518400 IN NS J.ROOT-SERVERS.NET.
>. 518400 IN NS K.ROOT-SERVERS.NET.
>. 518400 IN NS L.ROOT-SERVERS.NET.
>. 518400 IN NS M.ROOT-SERVERS.NET.
>. 518400 IN NS A.ROOT-SERVERS.NET.
>. 518400 IN NS B.ROOT-SERVERS.NET.
>. 518400 IN NS C.ROOT-SERVERS.NET.
>. 518400 IN NS D.ROOT-SERVERS.NET.
>. 518400 IN NS E.ROOT-SERVERS.NET.
>
>;; Query time: 56 msec
>;; SERVER: 152.160.35.51#53(152.160.35.51)
>;; WHEN: Wed Dec 7 09:20:39 2005
>;; MSG SIZE rcvd: 237
>
>
>My config:
>
>options {
>
> directory "/var/named";
>
> serial-query-rate 5;
>
> allow-transfer {
> 69.61.38.17;
> 209.69.70.3;
> 129.250.35.34;
> 129.250.35.250;
> 129.250.35.251;
> };
>
> also-notify {
> 69.61.38.17;
> 129.250.35.34;
> 129.250.35.250;
> 129.250.35.251;
> };
> notify yes;
>
>};
>
>
>view "internal" { //Internal view of zones
>
> match-clients {
> 192.168.0.0/24;
> 192.168.1.0/24;
> };
>Bunch of zones
>
>};
>view "external" { //View for the outside world
>
>match-clients { any; };
>recursion no;
>
>Bunch of zones
>
>};
>
You have recursion turned off for your "external" view, so you shouldn't
be able to resolve names in non-hosted (assuming it's non-hosted) zones
like efax.com for Internet clients. Therefore the output you show seems
perfectly normal to me.
Can you query *hosted* zones from the Internet?
What's more perplexing is why your internal clients can't resolve hosted
zones. The only thing that comes to mind is that there's some extra
NAT'ing going on, and the queries aren't coming from the address ranges
you think they are. I would turn on query logging -- if you have 9.3 or
later, the query log will even tell which view was matched, which might
be useful in your situation.
- Kevin
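As an added illustration of the query-logging check suggested above (not part of the original thread), the script below reads BIND query-log lines that carry the "view" tag, works out which view the posted match-clients lists would select for each source address, and flags queries from private addresses that ended up in the "external" view, which is exactly what a NAT rewriting the source address would produce. The log line layout is an assumption approximating the 9.3 format, and the sample lines are constructed.

```python
import ipaddress
import re

# View definitions mirroring the posted named.conf: "internal" matches two
# RFC1918 prefixes, "external" matches any client. BIND picks the first
# view whose match-clients covers the source address, in file order.
VIEWS = [
    ("internal", ["192.168.0.0/24", "192.168.1.0/24"]),
    ("external", ["0.0.0.0/0"]),
]

# Assumed approximation of a BIND 9.3+ query-log line; a real line may be
# prefixed with a timestamp, category and severity, which search() skips.
LOG_RE = re.compile(
    r"client (?P<addr>[\d.]+)#\d+: view (?P<view>\w+): "
    r"query: (?P<name>\S+) IN (?P<type>\S+)"
)


def expected_view(addr):
    """Return the view that the configured match-clients would pick for addr."""
    ip = ipaddress.ip_address(addr)
    for name, prefixes in VIEWS:
        if any(ip in ipaddress.ip_network(p) for p in prefixes):
            return name
    return None


def nat_suspects(lines):
    """Return (addr, view, qname) for queries from private source addresses
    that were not served by the "internal" view: those are the clients whose
    packets arrive from a range the internal match-clients does not cover."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # not a query-log line
        if ipaddress.ip_address(m["addr"]).is_private and m["view"] != "internal":
            hits.append((m["addr"], m["view"], m["name"]))
    return hits


# Constructed sample: one expected internal query, one query whose source
# was rewritten by NAT to 10.0.0.1, and one genuine Internet client.
SAMPLE_LOG = [
    "client 192.168.0.5#1234: view internal: query: efax.com IN A +",
    "client 10.0.0.1#53000: view external: query: efax.com IN A +",
    "client 152.160.35.51#40000: view external: query: efax.com IN A -",
]

if __name__ == "__main__":
    for addr, view, name in nat_suspects(SAMPLE_LOG):
        print(f"{addr} hit view {view} for {name}; config would give {expected_view(addr)}")
```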