Problem with BIND 9 and OpenBSD 3.4

G.T. ethan_t at sbcglobal.net
Mon Dec 8 04:01:18 UTC 2003


I figured I'd finally get around to upgrading OpenBSD to 3.4 from 3.2 and 
left BIND for last since I figured it would be trivial to get going.  I'd 
never had any problems with BIND 4 or 8 in the past but I sure am having 
trouble now.   Queries from my internal network (listed in the acl clients) 
work fine.   Here's my named.conf with only the rndc.key changed (let me 
know if you'd like to see my zone files, too):

root@grits:/var/named# cat etc/named.conf
// $OpenBSD: named-dual.conf,v 1.4 2003/02/27 14:44:04 todd Exp $

// Update this list to include only the networks for which you want
// to execute recursive queries. The default setting allows all hosts
// on any IPv4 networks for which the system has an interface, and
// the IPv6 localhost address.
//
acl clients {
         192.168/16;
         localhost;
         ::1;
};

options {
         version "";     // remove this to allow version queries

         listen-on    { any; };
         listen-on-v6 { any; };
};

key "rndc-key" {
       algorithm hmac-md5;
       secret "3nURT98M+8U2C52AJNzCBQ==";
};

controls {
       inet 127.0.0.1 port 953
               allow { 127.0.0.1; } keys { "rndc-key"; };
};

logging {
         category lame-servers { null; };
};

view "internal" {
         match-clients { clients; };
         match-recursive-only yes;

         // Standard zones
         //
         zone "." {
                 type hint;
                 file "standard/root.hint";
         };

         zone "localhost" {
                 type master;
                 file "standard/localhost";
                 allow-transfer { localhost; };
         };

         zone "127.in-addr.arpa" {
                 type master;
                 file "standard/loopback";
                 allow-transfer { localhost; };
         };

         zone "1.168.192.in-addr.arpa" IN {
                 type master;
                 file "master/192.168.1.rev";
         };

         zone "2fortheroad.net" IN {
                 type master;
                 file "master/private.net";
         };


         zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
                 type master;
                 file "standard/loopback6.arpa";
                 allow-transfer { localhost; };
         };

         zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int" {
                 type master;
                 file "standard/loopback6.int";
                 allow-transfer { localhost; };
         };
};

view "authoritative" {
         match-clients { !clients; };
         recursion no;
         additional-from-auth no;
         additional-from-cache no;

         // Master zones

         zone "2fortheroad.net" {
                 type master;
                 file "master/2fortheroad.net";
                 allow-transfer { any; };
         };

};

When I turn querylog on I see queries in the logs, but the external clients 
get query REFUSED.

I've turned off pf and still get the same results.  However, here is the 
output of pfctl -s rules:

root@grits:/var/named# pfctl -s rules
scrub in all fragment reassemble
block drop in quick on sis0 inet from 127.0.0.0/8 to any
block drop in quick on sis0 inet from 192.168.0.0/16 to any
block drop in quick on sis0 inet from 172.16.0.0/12 to any
block drop in quick on sis0 inet from 10.0.0.0/8 to any
block drop out quick on sis0 inet from any to 127.0.0.0/8
block drop out quick on sis0 inet from any to 192.168.0.0/16
block drop out quick on sis0 inet from any to 172.16.0.0/12
block drop out quick on sis0 inet from any to 10.0.0.0/8
block drop in quick on sis0 inet proto tcp from any to 67.127.23.18 port = auth
block drop in quick on sis0 inet proto tcp from any to 67.127.23.18 port = netbios-ns
block drop in quick on sis0 inet proto udp from any to 67.127.23.18 port = netbios-ns
block drop in log on sis0 all
pass in on sis0 inet proto icmp from any to 67.127.23.18 keep state
pass in on sis0 inet proto tcp from any to 67.127.23.18 port = www flags S/SA keep state
pass in on sis0 inet proto tcp from any to 67.127.23.18 port = domain keep state
pass in on sis0 inet proto udp from any to 67.127.23.18 port = domain keep state
pass in on sis0 inet proto tcp from any to 67.127.23.18 port = smtp flags S/SA keep state
block drop out on sis0 all
pass out on sis0 inet proto tcp all flags S/SA keep state
pass out on sis0 proto icmp all keep state
pass out on sis0 proto udp all keep state

Thanks for looking and thanks for any help,
Greg


-- 
"Destroy your safe and happy lives before it is too late,
the battles we fought were long and hard,
just not to be consumed by rock n' roll..." - The Mekons


More information about the bind-users mailing list