query-source
Kevin Darcy
kcd at daimlerchrysler.com
Wed Dec 13 17:45:07 UTC 2000
Forwarding won't work with recursion turned off.
- Kevin
Tony Johnson wrote:
> Thanks. Yes I have a firewall with internal records and want to be
> forwarded external records. I get that invalid argument error when I change
> my query source on the firewall and point it to my primary dns server. Yes,
> I have the forwarders set up on the firewall dns but it appears the
> forwarders line is being ignored as I have tested this with the forward only
> option on and forwarders being my primary and secondary name servers. If I
> change resolv.conf and use the primary nameserver, I will have all the
> external dns I want, just no internal records, such as an internal mail
> server.
>
> [root at proxy /etc]# cat named.conf
> options {
> directory "/var/named";
> pid-file "/var/run/named.pid";
> named-xfer "/usr/sbin/named-xfer";
> files unlimited;
> recursion no;
> check-names master warn;
> datasize 20M;
> transfers-in 10;
> deallocate-on-exit yes;
> cleaning-interval 60;
> interface-interval 60;
> statistics-interval 60;
> listen-on { 172.16.0.1; };
> topology {
> 207.204.83.64/26;
> };
> forward only;
> forwarders {
> 207.204.83.72; 207.204.83.73;
> };
> };
> controls {
> unix "/var/run/ndc" perm 0600 owner 0 group 0; // the default
> };
> zone "prereg.com" {
> type slave;
> masters {
> 207.204.83.72;
> };
> file "prereg.zone";
> check-names fail;
> allow-update { none; };
> allow-transfer { 207.204.83.72; };
> allow-query { 172.16.0.0/23; };
> };
> zone "showmaster.com" {
> type slave;
> masters {
> 207.204.83.72;
> };
> file "showmaster.zone";
> check-names fail;
> allow-update { none; };
> allow-transfer { 207.204.83.72; };
> allow-query { 172.16.0.0/23; };
> };
> zone "demandpub.com" {
> type slave;
> masters {
> 207.204.83.72;
> };
> file "demandpub.zone";
> check-names fail;
> allow-update { none; };
> allow-transfer { 207.204.83.72; };
> allow-query { 172.16.0.0/23; };
> };
> zone "0.16.172.in-addr.arpa" {
> type master;
> file "reverse.zone";
> check-names fail;
> allow-update { none; };
> allow-transfer { any; };
> };
> zone "1.16.172.in-addr.arpa" {
> type master;
> file "reverse1.zone";
> check-names fail;
> allow-update { none; };
> allow-transfer { none; };
> };
> zone "localhost" {
> type master;
> file "localhost.zone";
> check-names fail;
> allow-update { none; };
> allow-transfer { any; };
> };
> zone "0.0.127.in-addr.arpa" {
> type master;
> file "127.0.0.zone";
> check-names fail;
> allow-update { none; };
> allow-transfer { any; };
> allow-query { any; };
> };
> zone "." {
> type hint;
> file "root.hint";
> };
> logging {
> channel xfer-log {
> file "/var/log/bind-xfer.log" versions unlimited size 10m;
> print-category yes;
> print-severity yes;
> print-time yes;
> severity info;
> };
> category xfer-in { xfer-log; };
> category xfer-out { xfer-log; };
> category notify { xfer-log; };
> category load { xfer-log; };
> };
> > -----Original Message-----
> > From: Joseph S D Yao [SMTP:jsdy at cospo.osis.gov]
> > Sent: Monday, December 11, 2000 4:30 PM
> > To: gjohnson at showmaster.com
> > Cc: comp-protocols-dns-bind at moderators.isc.org
> > Subject: Re: query-source
> >
> > On Mon, Dec 11, 2000 at 07:16:31PM +0000, gjohnson at showmaster.com wrote:
> > > I have a problem being forwarded dns responses from my primary dns
> > > server to my firewall which is running dns for private use. When I use
> > > query source and point it to my primary name server I get an error
> > ...
> > > Dec 11 13:12:41 proxy named[19326]: sysquery: sendto ([207.204.83.72].53): Invalid argument
> > >
> > > I thought the whole point of the query source is to point it to another
> > > name server (in this case my primary dns server) so you can have dns
> > > queries forwarded to you, but it's not working that way and the
> > > firewall is not being forwarded dns answers. I get the invalid
> > > argument when I do point my source to my name server. Am I missing
> > > something?
> >
> > I am left with no clear idea what your configuration looks like. But
> > you certainly have the wrong idea about "query-source".
> >
> > I suspect that you want to forward all queries that your internal name
> > server can't authoritatively respond to, to your firewall. The correct
> > option is "forwarders { ip; ... };" inside your options{} statement.
> > If you're inside a firewall, and the firewall is your ONLY source for
> > external name service, then you would want to add the "forward only"
> > option.
> >
> > The "query-source" option MUST refer to an IP address on your name
> > server [if it specifies an IP address]. It is used to specify the IP
> > address and/or port FROM which the name server will be sending a query.
> > Not TO which.
> >
> > --
> > Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao
> > COSPO/OSIS Computer Support EMT-B
> > -----------------------------------------------------------------------
> > This message is not an official statement of COSPO policies.
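The two rules this thread turns on, Kevin's (a forwarders list is only consulted while the server resolves recursively, so "recursion no" silently disables it) and Joe's (query-source names the address the server sends FROM, which must belong to the server itself), written up as a small lint over the options{} block of a named.conf. This is an added example, not code from the thread or from BIND. The BROKEN_CONF and FIXED_CONF strings are constructed, modelled on the quoted firewall config; the "fixed" block is an assumed correction, and the allow-recursion check assumes a BIND release that has that directive (8.2 or later).

```python
import re

# Constructed options{} block modelled on the firewall named.conf quoted in the
# thread, with the two mistakes under discussion: "recursion no" alongside
# "forward only", and a query-source address that names the primary server
# (207.204.83.72) instead of an address on the firewall itself.
BROKEN_CONF = """
options {
    directory "/var/named";
    recursion no;
    listen-on { 172.16.0.1; };
    query-source address 207.204.83.72 port 53;   // wrong: not a local address
    forward only;
    forwarders { 207.204.83.72; 207.204.83.73; };
};
zone "localhost" { type master; file "localhost.zone"; };
"""

# Constructed corrected block (an assumed fix, not text from the thread):
# recursion stays on so the forwarders are used, query-source is bound to the
# firewall's own listening address, and allow-recursion (BIND 8.2 or later)
# keeps the box from answering recursive queries for the outside world.
FIXED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 172.16.0.0/23; };
    listen-on { 172.16.0.1; };
    query-source address 172.16.0.1 port *;
    forward only;
    forwarders { 207.204.83.72; 207.204.83.73; };
};
"""

IPV4 = r'\d{1,3}(?:\.\d{1,3}){3}'


def strip_comments(text):
    """Drop /* */, // and # comments so they cannot confuse the directive scans."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)


def extract_block(text, name):
    """Body of the first `<name> { ... }` block in text, '' if there is none."""
    m = re.search(r'(?<![-\w])%s\s*\{' % re.escape(name), text)
    if not m:
        return ''
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]  # unterminated block: return what is there


def addresses_in(block, directive):
    """Set of IPv4 addresses listed inside `<directive> { a; b; }` in block."""
    return set(re.findall(IPV4, extract_block(block, directive)))


def check_options(conf, local_addrs=None):
    """Lint the options{} block; returns a list of human-readable findings.

    local_addrs: addresses that belong to this host. Defaults to the
    listen-on list, which is the only hint the config itself gives.
    """
    opts = strip_comments(extract_block(conf, 'options'))
    if local_addrs is None:
        local_addrs = addresses_in(opts, 'listen-on')
    findings = []

    forwarding = (re.search(r'(?<![-\w])forward\s+(only|first)\s*;', opts) is not None
                  or bool(addresses_in(opts, 'forwarders')))
    rec = re.search(r'(?<![-\w])recursion\s+(yes|no)\s*;', opts)
    recursion_on = rec is None or rec.group(1) == 'yes'   # BIND defaults to yes

    # Kevin's point: a forwarder is only consulted while resolving recursively.
    if forwarding and not recursion_on:
        findings.append('forwarding configured but "recursion no": '
                        'the forwarders line will be ignored')

    # Joe's point: query-source is the address the server sends FROM.
    qs = re.search(r'(?<![-\w])query-source\b[^;]*?\baddress\s+(\S+)', opts)
    if qs and qs.group(1) != '*' and qs.group(1) not in local_addrs:
        findings.append('query-source address %s is not an address of this host; '
                        'it selects the source of outgoing queries, not their destination'
                        % qs.group(1))

    # Defensive extra (assumes allow-recursion is available, BIND 8.2+): a
    # recursing server reachable from outside should restrict who may recurse.
    if recursion_on and not re.search(r'(?<![-\w])allow-recursion\s*\{', opts):
        findings.append('recursion enabled without allow-recursion: '
                        'restrict recursive service to internal clients')
    return findings


if __name__ == '__main__':
    for label, conf in (('broken', BROKEN_CONF), ('fixed', FIXED_CONF)):
        print(label, check_options(conf) or ['no findings'])
```

Run as a script it reports two findings for the broken block (ignored forwarders, non-local query-source) and none for the fixed one. The local-address set is taken from listen-on only because that is all a named.conf reveals; on a real host you would pass the interface addresses explicitly.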