Need expert bind config advice

AD Marshall AD.VICE at ParadoxCafe.Com
Wed Nov 14 01:17:44 UTC 2001


Long explanation, context, some useful references, and just two short "QUESTION"s below --

Our simple aim is to set up a secure, relatively performance-and-maintenance-efficient configuration for BIND that we can easily adapt to many small-to-medium-sized LANs in VietNam for secure, dial-on-demand/kill-on-idle Internet sharing and later adapt to broadband. 

On our testing/learning box (using RH7.1, bind-9.1.3-1, dial-up ISP Internet access, serving only one Win2K and one Win98 workstation, forwarding on using iptables), we've been getting the seemingly incorrect /var/log/messages entries that follow below from the network-BIND-DNS configuration files we're using (these, /etc/hosts to zone files in /var/named/, follow after the log entries). 

With logging set in named.conf to include "category queries { named_info; };", /var/log/messages shows named going through recursive queries for "hcm.vnvnn". This seems wrong since ".vn" is VietNam's country suffix and "hcm.vnn.vn" is our ISP. (For POP3 apps, we use the IP for "mail.vnn.vn", 203.162.0.9.)

QUESTION: Have we configured something wrong that is causing the queries for "hcm.vnvnn"? If yes, how can we correct it? If no, how is the reversal of the TLD and the ISP's domain explained?

We are also not sure if we can do reverse lookups. Using "dig @localhost 127.0.0.1" or "dig @localhost 192.168.8.3", both respond with ";; connection timed out; no servers could be reached". But using "host" does apparently work:
[root at vcserver1 AD.VICE]# host 127.0.0.1
1.0.0.127.in-addr.arpa. domain name pointer localhost.
[root at vcserver1 AD.VICE]# host 192.168.8.3
3.8.168.192.in-addr.arpa. domain name pointer vcws01.viceconsulting.cam.
[Note: Invalid TLD, here ".cam", recommended by DNS-HOWTO-5.html for testing]
[root at vcserver1 AD.VICE]# host 203.162.0.18
18.0.162.203.in-addr.arpa. domain name pointer webproxy.vnd.net.
18.0.162.203.in-addr.arpa. domain name pointer webproxy.vnn.vn.

Everything else *seems* to be working fast and fine: local, domestic and overseas url/address resolving for mail, ftp, web,...

QUESTION: Finally, could anyone kindly offer this newbie some corrections or suggestions to improve this configuration? 

We've got strong suspicions we've boggled ourselves in docs & details and gone a bit over the top on what we've included, possibly even including a number of redundancies or inconsistencies.

Notes:
* We ripped a lot of this configuration from a few key references, the Bv9ARM*.html docs, Bind9 Secured, www.boran.com/security/sp/bind9_20010430.html and Linux Step-by-Step, www.linux.nf/bind.html, plus bits from the bind9-users list.  
* The whole of VietNam is firewalled off from the rest of Internet and all DNS queries must go through one ISP/IAP's DNS servers, listed below. Only smtp, pop3, http, ftp and telnet ports are officially available to dial-up clients for IPs outside VietNam -- even traceroute, ssh and news ports seem blocked.

Gratefully, 
AD Marshall

========= Log Output ================================================
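The following is an added example, not the post's log output and not the poster's configuration. It covers the reverse-lookup side of the question: building the in-addr.arpa owner name that a reverse query (the `dig -x ADDR` form) asks for, parsing the `host` output quoted above (copied into the script as constructed sample input), checking it against an expected hosts table, and rendering a /24 reverse zone file of the kind kept under /var/named/. The hosts table, the zone's name server (vcserver1.viceconsulting.cam.), the hostmaster mailbox and the SOA timers are assumptions made for illustration.

```python
"""Reverse-lookup helpers: in-addr.arpa names, parsing `host` output and
generating a /24 reverse zone from a hosts table.

Added example, not code from the original post. The sample `host` output
is copied from the post; the hosts table, zone name server, contact mailbox
and SOA timers are constructed assumptions for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed from the three `host` invocations quoted in the post.
SAMPLE_HOST_OUTPUT = """\
1.0.0.127.in-addr.arpa. domain name pointer localhost.
3.8.168.192.in-addr.arpa. domain name pointer vcws01.viceconsulting.cam.
18.0.162.203.in-addr.arpa. domain name pointer webproxy.vnd.net.
18.0.162.203.in-addr.arpa. domain name pointer webproxy.vnn.vn.
"""

# Assumed LAN hosts table (address -> canonical name with trailing dot).
SAMPLE_HOSTS = {
    "192.168.8.1": "vcserver1.viceconsulting.cam.",
    "192.168.8.3": "vcws01.viceconsulting.cam.",
}


def reverse_name(addr: str) -> str:
    """PTR owner name for an IPv4 (in-addr.arpa) or IPv6 (ip6.arpa) address.

    This is the name `dig -x ADDR` queries; a ValueError is raised for
    anything that is not a literal address.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")  # 32 hex digits, zero padded
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def parse_host_output(text: str) -> Dict[str, List[str]]:
    """Map PTR owner names to their targets from `host` output lines.

    One address may carry several PTR records (as 203.162.0.18 does in the
    post), so the value is a list in the order the lines appeared.
    """
    marker = " domain name pointer "
    ptrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if marker not in line:
            continue  # skip blanks and non-PTR output (e.g. "has address")
        owner, target = line.strip().split(marker, 1)
        ptrs.setdefault(owner, []).append(target)
    return ptrs


def check_ptrs(hosts: Dict[str, str], observed: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Compare an expected hosts table against observed PTR answers.

    Returns (address, problem) pairs; an empty list means every expected
    address resolves in reverse to exactly the name in the table.
    """
    problems = []
    for addr, name in hosts.items():
        targets = observed.get(reverse_name(addr))
        if not targets:
            problems.append((addr, "no PTR answer"))
        elif targets != [name]:
            problems.append((addr, f"PTR is {targets}, expected [{name!r}]"))
    return problems


def build_reverse_zone(network: str, hosts: Dict[str, str], ns: str, rname: str, serial: int) -> str:
    """Render a BIND zone file for the in-addr.arpa zone of an IPv4 /24.

    Every host must lie inside the network and use a fully qualified name
    (trailing dot); otherwise BIND would append the reverse origin to it.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("only IPv4 /24 reverse zones are generated here")
    first, second, third, _ = str(net.network_address).split(".")
    origin = f"{third}.{second}.{first}.in-addr.arpa."
    lines = [
        "$TTL 86400",
        f"$ORIGIN {origin}",
        f"@ IN SOA {ns} {rname} ( {serial} 3600 900 604800 86400 )",
        f"@ IN NS {ns}",
    ]
    for addr, name in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            raise ValueError(f"{addr} is outside {network}")
        if not name.endswith("."):
            raise ValueError(f"{name} must be fully qualified (trailing dot)")
        lines.append(f"{str(ip).split('.')[-1]} IN PTR {name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    observed = parse_host_output(SAMPLE_HOST_OUTPUT)
    print("problems:", check_ptrs(SAMPLE_HOSTS, observed))
    print(build_reverse_zone("192.168.8.0/24", SAMPLE_HOSTS,
                             "vcserver1.viceconsulting.cam.",
                             "hostmaster.viceconsulting.cam.", 2001111401))
```

Run against the quoted output, `check_ptrs` reports only that 192.168.8.1 (assumed in the table) has no PTR in the sample, and accepts 192.168.8.3; the generated zone keeps trailing dots on every PTR target, which is the most common mistake when reverse zones are hand-edited from /etc/hosts.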