newbie: BIND not able to use named.root

Kevin Darcy kcd at daimlerchrysler.com
Mon Jun 4 19:29:21 UTC 2001


If you lack full connectivity to the Internet DNS and yet for some reason you
need to resolve Internet names, then you must use forwarding. When you use
forwarding globally, i.e. in your "options" statement (as opposed to forwarding
just for one or more zones), then your hints file is essentially useless. When
using forwarding to deal with a connectivity issue, use "forward only" rather
than "forward first".

Note that if you lack *all* direct connectivity to the Internet, e.g. if you
are behind proxy-type firewalls, then generally speaking your clients do
*not* need to resolve Internet names, so this becomes a non-issue. In that
case, set up your own internal root zone.

By the way, doing a "ping" to the root servers is not really a valid test,
since many firewalls/routers block ICMP for security reasons. You should try
querying one of the root servers from the machine in question, and see if you
get an answer (note that, depending on what name you query, the answer you get
will most likely be a referral).


- Kevin

Jean-Christian Imbeault wrote:

> I'm new to BIND and DNS. I've been trying to use the O'Reilly book to set up
> a local DNS server but it seems the book suffers from a few typos (or
> things have changed in BIND 9.1.2) ... I hope someone can point me in the
> right direction ...
>
> I've installed BIND 9.1.2 on RH Linux 7.1 and have been able to get my DNS
> server to work if I use a forward option to point to my ISP's DNS servers in
> my named.conf. But without the forward option the server doesn't seem to be
> able to use the named.root file to manage queries on its own. (Oh, I'm also
> behind a firewall but I don't know how to test to see if that is causing the
> problem or not; I've tried pinging the root servers but they don't answer).
>
> I've downloaded the named.root file from
> ftp.res.internic.net/domain/named.root so I'm pretty sure the file is not
> the problem.
>
> Here's the symptom:
>
> >[root at intranet named]# dig www.yahoo.com
> >; <<>> DiG 9.1.2 <<>> www.yahoo.com
> >;; global options:  printcmd
> >;; connection timed out; no servers could be reached
>
> Here's my named.conf file:
>
> options {
>         directory "/var/named";
>         query-source address * port 53;
> //       forward first;
> //       forwarders {
> //             165.76.16.2;
> //             165.76.8.2;
> //         };
> };
>
> controls {
>         inet * allow {any;} keys {"rndc-key";};
> };
>
> key "rndc-key" {
>         algorithm hmac-md5;
>         secret "bGV0bWVp";
> };
>
> zone "intranet.mydomain.co.jp" {
>         type master;
>         file "db.intranet.mydomain.co.jp";
> };
> //x y used to protect the innocent ;)
> zone "y.x.10.in-addr.arpa" {
>         type master;
>         file "db.10.2.100";
> };
>
> zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "db.127.0.0";
> };
>
> zone "." {
>         type hint;
>         file "db.cache";
> };
>
> Thanks!
>
> Jc
>
> --------------------
> Personally I feel that Netscape rocks as a port 80 scanner.
> The stuff you get back as output! Wow. <kt at NOSPAMalthacker.org>
>
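The test Kevin recommends, as an added example that is not part of the thread: instead of pinging, send a plain (non-recursive) DNS query to a root server and see whether a referral comes back or the query times out. The root-server address 198.41.0.4 (a.root-servers.net) and the referral heuristic (authority NS records, no answer, AA clear) are this example's assumptions; the sample packet is constructed, so the parsing part runs offline.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id for the constructed sample; randomize in real use

def build_query(name: str, txid: int = TXID) -> bytes:
    """Build a DNS query for the A record of `name` with RD=0, as a resolver asks a root."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # flags 0: no recursion desired
    labels = [l.encode() for l in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(data: bytes, txid: int = TXID) -> str:
    """Classify a raw reply as 'referral', 'answer', 'error' or 'mismatch' from its header."""
    if len(data) < 12:
        return "error"
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return "mismatch"
    if flags & 0x000F:            # RCODE other than NOERROR
        return "error"
    aa = bool(flags & 0x0400)     # authoritative answer bit
    if an > 0:
        return "answer"
    if ns > 0 and not aa:         # NS records in the authority section: a delegation
        return "referral"
    return "error"

def probe_root(name: str = "www.yahoo.com", server: str = "198.41.0.4", timeout: float = 3.0) -> str:
    """Send the query over UDP/53; 'timeout' means the path to the root is blocked."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(data)

# Constructed sample: a root's reply for www.yahoo.com, delegating to one com. server
SAMPLE_REFERRAL = (
    struct.pack("!HHHHHH", TXID, 0x8000, 1, 0, 1, 0)            # QR=1, AA=0, 1 authority RR
    + b"\x03www\x05yahoo\x03com\x00" + struct.pack("!HH", 1, 1)  # echoed question
    + b"\x03com\x00" + struct.pack("!HHIH", 2, 1, 172800, 20)    # com. NS, TTL, RDLENGTH
    + b"\x01a\x0cgtld-servers\x03net\x00"                        # a.gtld-servers.net.
)

if __name__ == "__main__":
    print("root server says:", probe_root())
```

A result of "timeout" from the machine itself points at the firewall, which is exactly the case where "forward only" to the ISP's servers is the right configuration.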