query-source

Kevin Darcy kcd at daimlerchrysler.com
Wed Dec 13 17:45:07 UTC 2000


Forwarding won't work with recursion turned off.


- Kevin

Tony Johnson wrote:

> Thanks.  Yes, I have a firewall with internal records and want to be
> forwarded external records.  I get that invalid argument error when I change
> my query source on the firewall and point it to my primary DNS server.  Yes,
> I have the forwarders set up on the firewall DNS, but it appears the
> forwarders line is being ignored, as I have tested this with the forward only
> option on and forwarders being my primary and secondary name servers.   If I
> change resolv.conf and use the primary nameserver, I will have all the
> external DNS I want, just no internal records, such as an internal mail
> server.
>
> [root at proxy /etc]# cat named.conf
> options {
>         directory "/var/named";
>         pid-file "/var/run/named.pid";
>         named-xfer "/usr/sbin/named-xfer";
>         files unlimited;
>         recursion no;
>         check-names master warn;
>         datasize 20M;
>         transfers-in 10;
>         deallocate-on-exit yes;
>         cleaning-interval 60;
>         interface-interval 60;
>         statistics-interval 60;
>         listen-on { 172.16.0.1; };
>         topology {
>                 207.204.83.64/26;
>         };
>         forward only;
>         forwarders {
>                 207.204.83.72; 207.204.83.73;
>         };
> };
> controls {
>         unix "/var/run/ndc" perm 0600 owner 0 group 0;  // the default
>  };
> zone "prereg.com" {
>         type slave;
>         masters {
>                 207.204.83.72;
>         };
>         file "prereg.zone";
>         check-names fail;
>         allow-update { none; };
>         allow-transfer { 207.204.83.72; };
>         allow-query { 172.16.0.0/23; };
> };
> zone "showmaster.com" {
>         type slave;
>         masters {
>                 207.204.83.72;
>         };
>         file "showmaster.zone";
>         check-names fail;
>         allow-update { none; };
>         allow-transfer { 207.204.83.72; };
>         allow-query { 172.16.0.0/23; };
> };
> zone "demandpub.com" {
>         type slave;
>         masters {
>                 207.204.83.72;
>         };
>         file "demandpub.zone";
>         check-names fail;
>         allow-update { none; };
>         allow-transfer { 207.204.83.72; };
>         allow-query { 172.16.0.0/23; };
> };
> zone "0.16.172.in-addr.arpa" {
>         type master;
>         file "reverse.zone";
>         check-names fail;
>         allow-update { none; };
>         allow-transfer { any; };
> };
> zone "1.16.172.in-addr.arpa" {
>         type master;
>         file "reverse1.zone";
>         check-names fail;
>         allow-update { none; };
>         allow-transfer { none; };
> };
> zone "localhost" {
>         type master;
>         file "localhost.zone";
>         check-names fail;
>         allow-update { none; };
>         allow-transfer { any; };
> };
> zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "127.0.0.zone";
>         check-names fail;
>         allow-update { none; };
>         allow-transfer { any; };
>         allow-query { any; };
> };
> zone "." {
>         type hint;
>         file "root.hint";
> };
> logging {
>         channel xfer-log {
>                 file "/var/log/bind-xfer.log" versions unlimited size 10m;
>                 print-category yes;
>                 print-severity yes;
>                 print-time yes;
>                 severity info;
>         };
>         category xfer-in { xfer-log; };
>         category xfer-out { xfer-log; };
>         category notify { xfer-log; };
>         category load { xfer-log; };
> };
> > -----Original Message-----
> > From: Joseph S D Yao [SMTP:jsdy at cospo.osis.gov]
> > Sent: Monday, December 11, 2000 4:30 PM
> > To:   gjohnson at showmaster.com
> > Cc:   comp-protocols-dns-bind at moderators.isc.org
> > Subject:      Re: query-source
> >
> > On Mon, Dec 11, 2000 at 07:16:31PM +0000, gjohnson at showmaster.com wrote:
> > > I have a problem being forwarded dns responses from my primary dns
> > > server to my firewall which is running dns for private use.  When I use
> > > query source and point it to my primary name server I get an error
> > ...
> > > Dec 11 13:12:41 proxy named[19326]: sysquery: sendto ([207.204.83.72].53): Invalid argument
> > >
> > > I thought the whole point of the query source is to point it to another
> > > name server (in this case my primary dns server) so you can have dns
> > > queries forwarded to you, but it's not working that way and the
> > > firewall is not being forwarded dns answers.  I get the invalid
> > > argument when I do point my source to my name server. Am I missing
> > > something?
> >
> > I am left with no clear idea what your configuration looks like.  But
> > you certainly have the wrong idea about "query-source".
> >
> > I suspect that you want to forward all queries that your internal name
> > server can't authoritatively respond to, to your firewall.  The correct
> > option is "forwarders { ip; ... };" inside your options{} statement.
> > If you're inside a firewall, and the firewall is your ONLY source for
> > external name service, then you would want to add the "forward only"
> > option.
> >
> > The "query-source" option MUST refer to an IP address on your name
> > server [if it specifies an IP address].  It is used to specify the IP
> > address and/or port FROM which the name server will be sending a query.
> > Not TO which.
> >
> > --
> > Joe Yao                               jsdy at cospo.osis.gov - Joseph S. D. Yao
> > COSPO/OSIS Computer Support                                   EMT-B
> > -----------------------------------------------------------------------
> > This message is not an official statement of COSPO policies.
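
An added example, not part of the thread and not the poster's own named.conf: the options{} block of the firewall's BIND 8 configuration rewritten to do what Tony describes, applying Kevin's point (forwarding is part of recursion, so it needs "recursion yes") and Joe's point (query-source names the address the server sends FROM, and must be an address configured on the host; the forwarders list is where queries go TO). The source address 172.16.0.1 is an assumption, chosen only because it is the one local address visible in the thread; the allow-recursion ACL is assumed to be available on the BIND 8.2-era server and its prefix is copied from the zones' allow-query lines.

```conf
// Added example (not the original poster's file): corrected options{}
// block for the firewall's BIND 8 named.conf.
options {
        directory "/var/named";
        pid-file "/var/run/named.pid";
        named-xfer "/usr/sbin/named-xfer";
        listen-on { 172.16.0.1; };

        // Forwarding only happens for recursive queries.  With "recursion no"
        // the server answers from its own zones and nothing else, and the
        // forwarders list below is ignored, which is what the posted config did.
        recursion yes;

        // A recursive server should not be open to everyone who can reach it:
        // limit recursion to the internal networks (ACL assumed to be
        // available; prefix taken from the zones' allow-query in the thread).
        allow-recursion { 172.16.0.0/23; };

        // The TO side: where queries this server cannot answer are sent.
        forward only;
        forwarders { 207.204.83.72; 207.204.83.73; };

        // The FROM side: the local address (and port) outgoing queries leave
        // from.  It must be an address on this host; putting the forwarder's
        // address here is what produced the sendto "Invalid argument" error
        // in the log.  172.16.0.1 is assumed here.  Keep the port as "*" so
        // each outgoing query uses a random unprivileged source port rather
        // than a fixed, predictable one.
        query-source address 172.16.0.1 port *;
};
```

After the change, a lookup for an external name sent to 172.16.0.1 from an internal host should return an answer with the RA flag set, while the same query from an address outside 172.16.0.0/23 should be refused; the slave zones and the reverse zones from the posted file are unchanged and still answer authoritatively.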