local caching nameserver
Kevin Darcy
kcd at chrysler.com
Fri Mar 20 03:16:30 UTC 2009
Chris wrote:
> On Thu, 2009-03-19 at 21:18 -0500, Kevin Darcy wrote:
>
>> Hmmm... I don't understand. You say the box is "not connected", yet
>> you're running a reporting script that presumably is looking up Internet
>> names/addresses and trying to resolve them (?). It needs access --
>> either directly or indirectly via forwarding -- to the Internet DNS in
>> order to do that. Thus, for DNS purposes it is "connected".
>>
>> If you're querying the Internet DNS, you *should* be successfully
>> loading those RFC 1918 (private-range)-oriented zones. Otherwise you
>> risk polluting the Internet DNS infrastructure with pointless queries,
>> i.e. querying public DNS for private addresses. It's not really
>> acceptable to just ignore the zone-loading errors.
>>
>> Your nameserver is not running correctly since it's not finding zone
>> files for zones which are defined as "master" in named.conf. My guess
>> would be that you're running chroot'ed and those zone files are not in
>> the correct location relative to the chroot point.
>>
>>
>> - Kevin
>>
>>
> Yes you're correct Kevin, I neglected to mention that I'm connected via
> a DSL line. I have this in my /etc/named.conf:
>
> // Access lists (ACL's) should be defined here
> include "/var/lib/named/etc/bogon_acl.conf";
> include "/var/lib/named/etc/trusted_networks_acl.conf";
>
> // Define logging channels
> include "/var/lib/named/etc/logging.conf";
>
> options {
> version "";
> directory "/var/lib/named";
> dump-file "/var/tmp/named_dump.db";
> pid-file "/var/run/named.pid";
> statistics-file "/var/tmp/named.stats";
> zone-statistics yes;
> // datasize 256M;
> coresize 100M;
> // fetch-glue no;
> // recursion no;
> // recursive-clients 10000;
> auth-nxdomain yes;
> query-source address * port *;
> listen-on port 53 { any; };
> cleaning-interval 120;
> transfers-in 20;
> transfers-per-ns 2;
> lame-ttl 0;
> max-ncache-ttl 10800;
>
> // forwarders { first_public_nameserver_ip;
> second_public_nameserver_ip; };
>
> // allow-update { none; };
> // allow-transfer { any; };
>
> // Prevent DoS attacks by generating bogus zone transfer
> // requests. This will result in slower updates to the
> // slave servers (e.g. they will await the poll interval
> // before checking for updates).
> notify no;
> // notify explicit;
> // also-notify { secondary_name_server };
>
> // Generate more efficient zone transfers. This will place
> // multiple DNS records in a DNS message, instead of one per
> // DNS message.
> transfer-format many-answers;
>
> // Set the maximum zone transfer time to something more
> // reasonable. In this case, we state that any zone transfer
> // that takes longer than 60 minutes is unlikely to ever
> // complete. WARNING: If you have very large zone files,
> // adjust this to fit your requirements.
> max-transfer-time-in 60;
>
> // We have no dynamic interfaces, so BIND shouldn't need to
> // poll for interface state {UP|DOWN}.
> interface-interval 0;
>
> // Uncoment these to enable IPv6 connections support
> // IPv4 will still work
> // listen-on { none; };
> // listen-on-v6 { any; };
>
> // allow-query { trusted_networks; };
> allow-recursion { trusted_networks; };
>
> // Deny anything from the bogon networks as
> // detailed in the "bogon" ACL.
> blackhole { bogon; };
> };
>
> // workaround stupid stuff... (OE: Wed 17 Sep 2003)
> zone "ac" { type delegation-only; };
> zone "cc" { type delegation-only; };
> zone "com" { type delegation-only; };
> zone "cx" { type delegation-only; };
> zone "lv" { type delegation-only; };
> zone "museum" { type delegation-only; };
> zone "net" { type delegation-only; };
> zone "nu" { type delegation-only; };
> zone "ph" { type delegation-only; };
> zone "sh" { type delegation-only; };
> zone "tm" { type delegation-only; };
> zone "ws" { type delegation-only; };
>
> zone "." IN {
> type hint;
> file "/var/lib/named/named.ca";
> };
>
> zone "localdomain" IN {
> type master;
> file "/var/lib/named/var/lib/named/master/localdomain.zone";
> allow-update { none; };
> };
>
> zone "localhost" IN {
> type master;
> file "/var/lib/named/var/lib/named/master/localhost.zone";
> allow-update { none; };
> };
>
> zone "0.0.127.in-addr.arpa" IN {
> type master;
> file "/var/lib/named/var/lib/named/reverse/named.local";
> allow-update { none; };
> };
>
> #zone "168.192.in-addr.arpa" {
> # type master;
> # #file "mandrakesoft.reversed";
> # file "/var/lib/named/var/lib/named/reverse/named.local";
> # allow-update { none; };
> #};
>
> zone
> "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
> IN {
> type master;
> file "/var/lib/named/var/lib/named/reverse/named.ip6.local";
> allow-update { none; };
> };
>
> zone "255.in-addr.arpa" IN {
> type master;
> file "/var/lib/named/var/lib/named/reverse/named.broadcast";
> allow-update { none; };
> };
>
> zone "0.in-addr.arpa" IN {
> type master;
> file "/var/lib/named/var/lib/named/reverse/named.zero";
> allow-update { none; };
> };
>
> zone "10.IN-ADDR.ARPA" {
> type master;
> file "/var/lib/named/var/lib/named/master/empty";
> };
>
> zone "16.172.IN-ADDR.ARPA" {
> type master;
> file "/var/lib/named/var/lib/named/master/empty";
> };
>
> zone "31.172.IN-ADDR.ARPA" {
> type master;
> file "/var/lib/named/var/lib/named/master/empty";
> };
>
> zone "168.192.IN-ADDR.ARPA" {
> type master;
> file "/var/lib/named/var/lib/named/master/empty";
> };
>
> My hosts file in /var/lib/named/etc and /var/lib/named/var/lib/named/etc
> is:
>
> 127.0.0.1 localhost.localdomain cpollock.localdomain cpollock localhost
>
> or is this more correct or does it make a difference?
>
> 127.0.0.1 localhost.localdomain localhost
>
>
> I was told that named is running chroot'd
> in /var/lib/named/var/lib/named, I have the same named.conf file in that
> directory. I'm not familiar at all with running something chroot'd so
> I'm only going by what I've been told. Any help you could give or
> anything else I can provide would be appreciated.
>
Well, I'm not sure what all this "I've been told" stuff is about,
because you originally said you set this up yourself, but I highly doubt
that you're chroot'ed to /var/lib/named/var/lib/named, since your hosts
files aren't relative to that (not that you should really need hosts
file anyway, and certainly not *two* of them in different parts of the
chroot hierarchy), and neither are your log files relative to that.
My guess would be that you're _actually_ chroot'ed to /var/lib/named.
That would make a whole lot more sense.
In any case, wherever you're chroot'ed, all pathname references in
named.conf are interpreted relative to that. Adjust them accordingly.
My recommendation would be to eliminate the redundant components in your
pathnames and just use subdomains of the chroot point, e.g.
/var/lib/named/master and /var/lib/named/reverse. Repeating the pathname
component sequence "/var/lib/named" multiple times in the (absolute)
pathnames doesn't seem to me to add any particular value, it just makes
them long and unwieldy and goofy-looking and more prone to being mistyped.
- Kevin
More information about the bind-users
mailing list