dual internal/external chrooted bind w/third server and logging

Steven Champeon schampeo at hesketh.com
Thu May 17 15:45:20 UTC 2007 

OK, bear with me - I may be asking for the impossible here. 

I've got BIND 9.4.0 (soon to be 9.4.1) running on a host here with both
public and RFC1918 interfaces; there is a chrooted BIND setup that deals
out DNS for both public zones (via the public IP) and private (via the
private IP), following more or less the instructions Dave Lugo posted here:

 http://www.etherboy.com/dns/chrootdns.html

I'm not using views, because the public side and private side should have
their own unique configuration, listener, etc. already.

I have another zone (subdomain of a public zone) I'd like to use as a
logging channel for a service I'm playing with; without going into much
detail, suffice it to say that I want to do DNS "callbacks" from a mail
server/spam filtering/scoring system I've set up, such that I can log
the remote (sending) IP, whether the message in question was accepted or
rejected, and what spam score and threshold the message received, as a
way to generate data for a DNSBL.

To this end, I've set up - in addition to the BIND process(es) that
serve the public and private zones - a third server process, running on
127.0.0.2, with verbose logging turned on. The public server is
configured to forward inbound requests for the subdomains in question to
the private server, a la

zone "testlog.enemieslist.com" in {
  type forward;
  forward only;
  forwarders { 127.0.0.2 port 54; };
};

(yeah, it's running on port 54 in order to debug whether the requests
were being handled by the right server - I'll probably change it back
to 53, as it made no practical difference). 

The NS for testlog.enemieslist.com is ns3.enemieslist.com, which has
the IP of the public interface, which is master for enemieslist.com
and configured to forward requests for the testlog subdomain to the
"local" logging server.

So, for instance, I'd like my MTA to be able to let me know it had
rejected a message from 192.168.255.0, with a score of 5 and a spam
threshold of 4 for the recipient, by way of a DNS lookup of e.g.

192.168.255.0.4.5.testlog.enemieslist.com

The zone for testlog is wildcarded to always return 127.0.0.1 for any
query:

*.testlog.enemieslist.com.              IN      A       127.0.0.1

So, I should get a result of 127.0.0.1 from this query.

Unfortunately, what I get is:

schampeo at habanero:1003 $ dig +trace 192.168.255.0.4.5.testlog.enemieslist.com @ns3.enemieslist.com

; <<>> DiG 9.2.3 <<>> +trace 192.168.255.0.4.5.testlog.enemieslist.com @ns3.enemieslist.com
;; global options:  printcmd
.                       363999  IN      NS      L.ROOT-SERVERS.NET.
.                       363999  IN      NS      K.ROOT-SERVERS.NET.
.                       363999  IN      NS      M.ROOT-SERVERS.NET.
.                       363999  IN      NS      I.ROOT-SERVERS.NET.
.                       363999  IN      NS      G.ROOT-SERVERS.NET.
.                       363999  IN      NS      C.ROOT-SERVERS.NET.
.                       363999  IN      NS      E.ROOT-SERVERS.NET.
.                       363999  IN      NS      H.ROOT-SERVERS.NET.
.                       363999  IN      NS      B.ROOT-SERVERS.NET.
.                       363999  IN      NS      J.ROOT-SERVERS.NET.
.                       363999  IN      NS      D.ROOT-SERVERS.NET.
.                       363999  IN      NS      A.ROOT-SERVERS.NET.
.                       363999  IN      NS      F.ROOT-SERVERS.NET.
;; Received 436 bytes from 216.187.232.190#53(ns3.enemieslist.com) in 70 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 491 bytes from 198.32.64.12#53(L.ROOT-SERVERS.NET) in 66 ms

enemieslist.com.        172800  IN      NS      dns01.hesketh.net.
enemieslist.com.        172800  IN      NS      dns02.hesketh.net.
;; Received 142 bytes from 192.5.6.30#53(a.gtld-servers.net) in 37 ms

testlog.enemieslist.com. 1800   IN      NS      ns3.enemieslist.com.
;; Received 93 bytes from 216.187.232.190#53(dns01.hesketh.net) in 44 ms

<snip 30 more of these>

testlog.enemieslist.com. 1800   IN      NS      ns3.enemieslist.com.
dig: Too many lookups

I suspect it may be an authority problem, but I can't seem to wrap my
head around where and how to fix it. How should I configure the SOA and
any NS records inside the "local" testlog zone? I want it to be able to
answer authoritatively for anything in testlog.enemieslist.com, though
to be fair as long as it's logging the queries it doesn't matter that
much to me; there's no action taken on the querying side in any case.

Any pointers? Why is the NS for testlog.enemieslist.com not answering
queries and logging them, like I believe it should be?

TIA,
Steve

-- 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/

More information about the bind-users mailing list