No subject
Tue Apr 2 00:56:56 UTC 2013
All the tests to the 12.x.x.x address return the same results:
[root at glaids root]# dig +norec version.bind txt chaos @12.108.32.11
; <<>> DiG 9.1.3 <<>> +norec version.bind txt chaos @12.108.32.11
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55320
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 0 CH TXT "9.1.3"
;; Query time: 21 msec
;; SERVER: 12.108.32.11#53(12.108.32.11)
;; WHEN: Thu Jul 11 12:19:06 2002
;; MSG SIZE rcvd: 48
All the tests to the 10.x.x.x address return the same results:
[root at glamon root]# dig +norec version.bind txt chaos @10.117.3.11
; <<>> DiG 9.1.3 <<>> +norec version.bind txt chaos @10.117.3.11
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6662
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 0 CH TXT "9.1.3"
;; Query time: 34 msec
;; SERVER: 10.117.3.11#53(10.117.3.11)
;; WHEN: Thu Jul 11 12:05:54 2002
;; MSG SIZE rcvd: 48
I do not have any 10.IN-ADDR.ARPA zones in any files as I'm using split DNS.
All machines in the DMZ have a real 10.x.x.x IP, so should I add the
10.IN-ADDR.ARPA zone? If so, how would I hide these addresses from the
Internet?
-Devon
-----Original Message-----
From: Mark.Andrews at isc.org [mailto:Mark.Andrews at isc.org]
Sent: Wednesday, July 10, 2002 8:19 PM
To: Devon Harding - GTHLA
Cc: bind-users at isc.org
Subject: Re: reverse DNS
First things first. You need to make sure you can query
the nameserver from the nameserver. Try the loopback address
first with a non-recursive query.
dig +norec version.bind txt chaos @127.0.0.1
Next try the external interface on the box
dig +norec version.bind txt chaos @10.x.x.x
Providing the nameserver is running these should get answers.
If you don't get answers then you need to check the firewall
on the box (ipchains and/or iptables).
Next you need to work outward.
From another box in your DMZ try to make a query to your server
dig +norec version.bind txt chaos @10.x.x.x
If this doesn't work check the firewall on the test machine
and on the nameserver.
Then from your LAN
dig +norec version.bind txt chaos @10.x.x.x
and/or
dig +norec version.bind txt chaos @12.x.x.x
depending upon where the NAT functionality is occurring.
Then from outside
dig +norec version.bind txt chaos @12.x.x.x
Note: since you are using RFC 1918 (net 10) addresses you should
also be serving the appropriate IN-ADDR.ARPA zones (10.IN-ADDR.ARPA)
You may also want to use views to hide 10.IN-ADDR.ARPA from outside,
but keep things simple first, then work up.
Mark
> This is the current setup of my dns server in my dmz.
>
>
> 12.x.x.x (Static NAT)
> DMZ------DNS Server (Bind 9.1.3)
> | 10.x.x.x (Real IP)
> |
> Internet----------FW-1
> |
> |
> LAN
>
> /etc/named.conf:
> options {
> directory "/var/named";
> };
> key "rndckey"{
> algorithm "hmac-md5";
> secret "ko3EjjIw+4Tf8BKHZqjq+g==";
> };
> controls{
> inet 127.0.0.1 allow{
> localhost;
> } keys{
> "rndckey";
> };
> };
> zone "." {
> type hint;
> file "named.ca";
> };
> zone "domain.com" {
> type master;
> file "domain.com";
> notify yes;
> };
> zone "x.x.12.IN-ADDR.ARPA" {
> type master;
> file "12.x.x";
> notify yes;
> };
> zone "0.0.127.IN-ADDR.ARPA" {
> type master;
> file "127.0.0";
> };
>
> /var/named/domain.com:
> $TTL 43200
> @ IN SOA felix.domain.com. hostmaster.felix.domain.com. (
> 2002070102 ; serial
> 30 ; refresh
> 15 ; retry
> 14D ; expire
> 12H ; default_ttl
> )
>
> ns2 IN A 12.x.x.x
> ns1 IN A 12.x.x.x
> www IN A 12.x.x.x
> mail IN A 12.x.x.x
> mail2 IN A 12.x.x.x
> @ IN MX 5 mail.domain.com.
> @ IN MX 10 mail2.domain.com.
> @ IN NS ns1.domain.com.
> @ IN NS ns2.domain.com.
>
> /var/named/12.108.32:
> $TTL 43200
> @ IN SOA ns1.domain.com. hostmaster.felix.domain.com. (
> 2002070102 ; serial
> 1H ; refresh
> 15 ; retry
> 14D ; expire
> 12H ; default_ttl
> )
> IN NS ns1.domain.com.
> IN NS ns2.domain.com.
>
> 110 IN PTR systems1.domain.com.
> 65 IN PTR netop.domain.com.
>
> -Devon
>
> -----Original Message-----
> From: Mark.Andrews at isc.org [mailto:Mark.Andrews at isc.org]
> Sent: Wednesday, July 10, 2002 10:37 AM
> To: Devon Harding - GTHLA
> Cc: bind-users at isc.org
> Subject: Re: reverse DNS
>
>
> > The 12.x.x file actually looks like this:
> >
> > $TTL 43200
> > @ IN SOA ns1.domain.com. hostmaster.felix.domain.com. (
> > 2002070102 ; serial
> > 1H ; refresh
> > 15 ; retry
> > 14D ; expire
> > 12H ; default_ttl
> > )
> > 110 IN PTR systems1.domain.com.
> > 65 IN PTR netop.domain.com.
> > 12 IN PTR vpn.domain.com.
> > 18 IN PTR glamon.domain.com.
> > 44 IN PTR mail.domain.com.
> > 47 IN PTR mail2.domain.com.
> > 228 IN PTR mason2.domain.com.
> > 61 IN PTR webmail1.domain.com.
> > 62 IN PTR webmail2.domain.com.
> > @ IN NS ns1.domain.com.
> > @ IN NS ns2.domain.com.
> >
> > I left a few lines out in the last post. But the NS records are there.
>
> Conventionally the NS records follow the SOA record.
> >
> > What's causing it not to connect from 'dig -x x.x.x.x'?
>
> Firewall? Error in resolv.conf?
>
> Mark
>
> >
> > -Devon
> >
> > -----Original Message-----
> > From: Mark.Andrews at isc.org [mailto:Mark.Andrews at isc.org]
> > Sent: Tuesday, July 09, 2002 5:57 PM
> > To: Devon Harding - GTHLA
> > Cc: bind-users at isc.org
> > Subject: Re: reverse DNS
> >
> >
> > >
> > > For some reason, I cannot do a reverse lookup on my IP address on my
> > > RH7.2 system. When I do a 'dig -x 12.x.x.x', I get the following error:
> > > ';; connection timed out; no servers could be reached'
> >
> > Did you read your log files before posting?
> > You are missing the NS records for the zone.
> >
> > Mark
> >
> > > Here are my DNS files:
> > >
> > > named.conf
> > >
> > > options {
> > > directory "/var/named";
> > > };
> > > key "rndckey"{
> > > algorithm "hmac-md5";
> > > secret "ko3EjjIw+4Tf8BKHZqjq+g==";
> > > };
> > > controls{
> > > inet 127.0.0.1 allow{
> > > localhost;
> > > } keys{
> > > "rndckey";
> > > };
> > > };
> > > zone "." {
> > > type hint;
> > > file "named.ca";
> > > };
> > > zone "domain.com" {
> > > type master;
> > > file "domain.com";
> > > notify yes;
> > > };
> > > zone "x.x.12.IN-ADDR.ARPA" {
> > > type master;
> > > file "12.x.x";
> > > notify yes;
> > > };
> > > zone "0.0.127.IN-ADDR.ARPA" {
> > > type master;
> > > file "127.0.0";
> > > };
> > >
> > > 12.x.x:
> > >
> > > $TTL 43200
> > > @ IN SOA ns1.domain.com. hostmaster.domain.com. (
> > > 2002070102 ; serial
> > > 1H ; refresh
> > > 15 ; retry
> > > 14D ; expire
> > > 12H ; default_ttl
> > > )
> > > 110 IN PTR systems1.domain.com.
> > > 65 IN PTR netop.domain.com.
> > >
> > > -Devon
> > >
> --
> Mark Andrews, Internet Software Consortium
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
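Devon asks how to serve 10.IN-ADDR.ARPA for the DMZ hosts without exposing it to the Internet, and Mark points at views. The following named.conf is an added example, not Devon's posted configuration: it splits his config into an internal view (RFC 1918 clients and the loopback, which get the net-10 reverse zone and recursion) and an external view (everyone else, public zones only, no recursion). The ACL name, the view names, the "10.117.3" file name and the choice of the 3.117.10.IN-ADDR.ARPA zone (from the 10.117.3.11 address in the thread) are assumptions. Two things a practitioner would also want here, both standard BIND options: a `version` string so the server stops answering `version.bind` CH TXT with its real version (the thread shows it leaking "9.1.3" to the outside), and a fresh rndc secret, since the one pasted into the mail is now public.

```conf
// Added example: split-view named.conf for the setup described in the thread.
// Once any "view" block exists, every zone must live inside a view.

acl "internal" { 127.0.0.1; 10.0.0.0/8; };   // assumption: whole net 10 is "inside"

options {
    directory "/var/named";
    version "not available";     // hide the real version from CHAOS version.bind queries
    allow-transfer { none; };    // no AXFR by default; open it per zone for ns2 if needed
};

key "rndckey" {
    algorithm hmac-md5;
    // Assumption: generate a new secret with `rndc-confgen`; the one in the
    // thread was posted to a public list and should not be reused.
    secret "REPLACE-WITH-OUTPUT-OF-rndc-confgen";
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};

view "internal" {
    match-clients { "internal"; };
    recursion yes;               // DMZ and LAN hosts may resolve through this server

    zone "." { type hint; file "named.ca"; };
    zone "domain.com" { type master; file "domain.com"; notify yes; };
    zone "x.x.12.IN-ADDR.ARPA" { type master; file "12.x.x"; notify yes; };
    zone "0.0.127.IN-ADDR.ARPA" { type master; file "127.0.0"; };

    // The net-10 reverse zone Mark says should exist; served only here.
    zone "3.117.10.IN-ADDR.ARPA" { type master; file "10.117.3"; };
};

view "external" {
    match-clients { any; };      // everything not matched above, i.e. the Internet
    recursion no;                // authoritative-only towards the outside

    zone "domain.com" { type master; file "domain.com"; notify yes; };
    zone "x.x.12.IN-ADDR.ARPA" { type master; file "12.x.x"; notify yes; };
    // deliberately no "." hint and no 10.IN-ADDR.ARPA zone in this view
};
```

The "10.117.3" zone file is an ordinary reverse zone: an SOA, the NS records right after it (as Mark notes is the convention), then one PTR per DMZ host. Check the result with `named-checkconf` and `named-checkzone 3.117.10.IN-ADDR.ARPA /var/named/10.117.3` before reloading, then repeat the thread's own test from both sides: `dig +norec -x 10.117.3.11 @10.117.3.11` from the DMZ should return the PTR, while the same query sent to 12.108.32.11 from outside should not. Because match-clients is decided by source address, a query arriving through the static NAT with a 10.x source would still land in the internal view, so confirm which addresses the firewall actually presents to the server.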
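Mark's advice is to work outward one hop at a time with the same non-recursive CHAOS query, and to treat "no reply" as a firewall problem rather than a zone problem. The script below is an added example, not part of the thread: it runs that checklist over whatever targets are given on the command line and classifies each reply by RCODE, aa flag and returned version string. The classifiers take the raw dig text as input, so they also work over a captured reply with no resolver at hand; the embedded sample replies are constructed from the shape of the output in the thread. The target addresses, timeouts and the script name in the usage line are assumptions.

```shell
#!/bin/sh
# Added example for Mark Andrews' "work outward" checklist (not from the thread).
# Each target gets: dig +norec version.bind txt chaos @target
# and the reply is classified so the next step (firewall on the box, firewall on
# the test machine, NAT placement) is obvious.

# RCODE from a dig reply ("NOERROR", "REFUSED", ...), or "TIMEOUT" when dig
# could not reach the server at all.
dig_rcode() {
    if printf '%s\n' "$1" | grep -q 'connection timed out'; then
        echo TIMEOUT
        return 0
    fi
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# "yes" when the reply carried the aa (authoritative answer) flag, else "no".
dig_is_aa() {
    if printf '%s\n' "$1" | grep -q '^;; flags:.* aa[ ;]'; then
        echo yes
    else
        echo no
    fi
}

# The TXT payload of the version.bind answer, or empty if there was none.
# The question-section line starts with ';' so the ^ anchor skips it.
dig_version_bind() {
    printf '%s\n' "$1" \
        | sed -n 's/^version\.bind\.[[:space:]].*TXT[[:space:]]*"\(.*\)".*/\1/p' \
        | head -n 1
}

# Run one checklist step against TARGET and print a one-line verdict.
check_server() {
    target="$1"
    reply=$(dig +norec +time=2 +tries=1 version.bind txt chaos @"$target" 2>&1)
    rcode=$(dig_rcode "$reply")
    case "$rcode" in
        TIMEOUT)
            echo "$target: no reply; check the firewall on this box and on the server" ;;
        NOERROR)
            echo "$target: answered, aa=$(dig_is_aa "$reply"), version.bind=\"$(dig_version_bind "$reply")\"" ;;
        *)
            echo "$target: reachable but replied $rcode; the server is up, look at its config" ;;
    esac
}

# Constructed sample replies (trimmed to the lines the classifiers read), so the
# functions above can be exercised with no network at all.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55320
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 0 CH TXT "9.1.3"'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4711
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Usage (assumed script name): sh dnscheck.sh 127.0.0.1 10.117.3.11 12.108.32.11
# Give the targets in Mark's order: loopback, the box's own interfaces, then the
# addresses seen from the DMZ, the LAN and the Internet. No targets, no queries.
for target in "$@"; do
    check_server "$target"
done
```

Run the script from each vantage point Mark lists (on the server, from another DMZ host, from the LAN, from outside), not just once, because a TIMEOUT from one place and an answer from another is exactly what distinguishes a firewall or NAT problem from a misconfigured zone. A NOERROR reply that reports the real BIND version, as the thread's output does, is also a reminder to set the `version` option once the basic path works.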