Secondary fails to respond to queries

Robert Gahl bgahl at bawcsa.org
Wed Feb 19 16:49:26 UTC 2003


I have two DNS servers that service our internal office DNS requests. The 
secondary was set up to cover for the primary DNS server, since the primary is an 
old machine and finds CPU bandwidth hard to come by when a lot starts 
happening on it. The secondary DNS server dutifully transfers the zones to 
itself when the primary's files are updated, and if I do a query on the 
secondary DNS server with the primary off-line, it dutifully resolves the 
request.

The problem is that while it will resolve requests that 
originate on the machine itself, it is "refusing" to respond to requests sent to 
it from other hosts in the office. Here is the named.conf file from the 
secondary DNS server:

// DNS clients at fireclick.com
// NOTE(review): 192.168.254.0/24 is not listed here, although this server
// listens on 192.168.254.11 and the "fireclick-xfer" ACL below treats that
// network as corporate. With allow-query { trusted; } in options and in
// every zone, hosts on 192.168.254.0/24 are refused -- likely the symptom
// described in the message. Confirm which networks the office clients sit on.
acl "trusted" {
         localhost;
         208.45.103.16/29;       // Hosts at Fireclick Corporate (external)
         63.146.119.64/26;       // Hosts at Qwest Cabinet
         64.210.184.128/28;      // Hosts at Exodus
         65.200.204.0/26;        // Hosts at UUNet
         192.168.0.0/24;         // All  0 net (QA)
         192.168.6.0/24;         // All  6 net (ENG)
         192.168.11.0/24;        // All 11 net (ENG)
         192.168.17.0/24;        // All 17 net (VPN)
};

// Official zone transfer hosts
acl "fireclick-xfer" {
         192.168.254.0/24;       // Hosts at Fireclick Corporate
         192.168.0.0/24;         // All  0 net (QA)
         192.168.11.0/24;        // All 11 net (ENG)
         192.168.17.0/24;        // All 17 net (VPN)
         63.145.119.64/26;       // Hosts at Qwest
                                 // NOTE(review): differs from 63.146.119.64/26 in
                                 // "trusted" -- one of the two is probably a typo.
         64.210.184.128/28;      // Hosts at Exodus
         65.200.204.0/26;        // Hosts at UUNet
};

// Known fake source addresses shouldn't be replied to.
// For external queries, these should be blocked by Fireclick's
// border router.
// Matched by the options blackhole {} below: queries from these ranges are
// dropped silently, and the server will not send queries to them either.

acl "bogon" {
         0.0.0.0/8;      // Null address
         1.0.0.0/8;      // IANA reserved, popular fake
         2.0.0.0/8;
         192.0.2.0/24;   // Test address
         224.0.0.0/3;    // Multicast address
         // Enterprise networks may or may not be bogus
         10.0.0.0/8;
         172.16.0.0/12;
//      192.168.0.0/16; // Potential conflict with QA IPs - commented out
};

// Shared secret for the rndc control channel.
// NOTE(review): this secret has been published in a public mailing-list post
// and must be treated as compromised -- generate a fresh one (rndc-confgen)
// on both the server and any rndc client before relying on the control
// channel again. Exposure is limited by the controls {} block binding to
// 127.0.0.1 only.
key "rndc-key" {
       algorithm hmac-md5;
       secret "jtxoOLDYAKBRQJofCGOHFw==";
};

// Control channel restricted to the loopback address and the key above.
controls {
       inet 127.0.0.1 port 953
               allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
         directory       "/etc/dns";
         pid-file        "/var/log/named.pid";
         // Listens on loopback and the 192.168.254.0/24 interface only; a client
         // on any other locally attached network would not even reach the server.
         listen-on       { 127.0.0.1; 192.168.254.11; };
         /*
          * If there is a firewall between you and nameservers you want
          * to talk to, you might need to uncomment the query-source
          * directive below.  Previous versions of BIND always asked
          * questions using port 53, but BIND 8.1 uses an unprivileged
          * port by default.
          */
         // NOTE(review): pinning the outgoing source port to 53 makes forged
         // answers easier to match against outstanding queries; unless a
         // firewall requires it, prefer leaving the port unspecified so
         // named can choose it.
         query-source address * port 53;
         // Global default; every zone below repeats it, so the effective
         // policy for all queries is "trusted only".
         allow-query {
                 trusted;
         };
         allow-transfer {
                 none;
         };
         blackhole {
                 bogon;
         };
};

//
// View settings are mandatory for each class
//
// Class IN view. match-clients { any; } is the view match only; the actual
// query policy still comes from the per-zone allow-query { trusted; }.
view "internal" in {
         match-clients { any; };

         // Bootstrap the root.

         zone "." in {
                 type hint;
                 file "root.cache";
         };

         // 127.0.0.0/24 - The loopback network

         zone "0.0.127.in-addr.arpa" {
                 type master;
                 file "master/zone.127.0.0";
                 allow-query {
                         trusted;
                 };
                 // Every DNS server should be a master
                 // for 127.0.0.0/24
                 allow-transfer {
                         none;
                 };
         };

         // Slave zones: transfers are pulled from the master listed in each
         // zone and may be re-served to localhost and the "fireclick-xfer" hosts.

         zone "168.192.in-addr.arpa" {
                 type slave;
                 file "slave/zone.192.168";
                 masters {
                         192.168.254.1;
                 };
                 allow-query {
                         trusted;
                 };
                 allow-transfer {
                         localhost;
                         fireclick-xfer;
                 };
         };

         zone "254.168.192.in-addr.arpa" {
                 type slave;
                 file "slave/zone.192.168.254";
                 masters {
                         192.168.254.1;
                 };
                 allow-query {
                         trusted;
                 };
                 allow-transfer {
                         localhost;
                         fireclick-xfer;
                 };
         };

         zone "17.168.192.in-addr.arpa" {
                 type slave;
                 file "slave/zone.192.168.17";
                 masters {
                         192.168.254.1;
                 };
                 allow-query {
                         trusted;
                 };
                 allow-transfer {
                         localhost;
                         fireclick-xfer;
                 };
         };

         zone "11.168.192.in-addr.arpa" {
                 type slave;
                 file "slave/zone.192.168.11";
                 masters {
                         192.168.11.33;
                 };
                 allow-query {
                         trusted;
                 };
                 allow-transfer {
                         localhost;
                         fireclick-xfer;
                 };
         };

         zone "6.168.192.in-addr.arpa" {
                 type slave;
                 file "slave/zone.192.168.6";
                 masters {
                         192.168.11.33;
                 };
                 allow-query {
                         trusted;
                 };
                 allow-transfer {
                         localhost;
                         fireclick-xfer;
                 };
         };

         zone "0.168.192.in-addr.arpa" {
                 type slave;
                 file "slave/zone.192.168.0";
                 masters {
                         192.168.0.2;
                 };
                 allow-query {
                         trusted;
                 };
                 allow-transfer {
                         localhost;
                         fireclick-xfer;
                 };
         };

         zone "fireclick.com" {
                 type slave;
                 file "slave/zone.fireclick.com";
                 masters {
                         192.168.254.1;
                 };
                 allow-query {
                         trusted;
                 };
                 allow-transfer {
                         localhost;
                         fireclick-xfer;
                 };
         };

         zone "netflame.cc" {
                 type slave;
                 file "slave/zone.netflame.cc";
                 masters {
                         192.168.254.1;
                 };
                 allow-query {
                         trusted;
                 };
                 allow-transfer {
                         localhost;
                         fireclick-xfer;
                 };
         };

         zone "eng.fireclick.com" {
                 type slave;
                 file "slave/zone.eng.fireclick.com";
                 masters {
                         192.168.11.33;
                 };
                 allow-query {
                         trusted;
                 };
                 allow-transfer {
                         localhost;
                         fireclick-xfer;
                 };
         };

         zone "qa.fireclick.com" {
                 type slave;
                 file "slave/zone.qa.fireclick.com";
                 masters {
                         192.168.0.2;
                 };
                 allow-query {
                         trusted;
                 };
                 allow-transfer {
                         localhost;
                         fireclick-xfer;
                 };
         };
};

// Class CHAOS view.
// NOTE(review): match-clients excludes 127.0.0.1 and "trusted", so only
// untrusted clients ever enter this view, and allow-query { none; } then
// refuses them. A trusted client's CHAOS query matches neither view (the
// "internal" view is class IN) and is refused as well, so the per-zone
// allow-query { trusted; } on "bind" below appears unreachable -- the stated
// goal of serving version.bind to fireclick.com users only is not met as
// written. Confirm against the intended behaviour.
view "chaos" chaos {

         match-clients { !127.0.0.1; !trusted; any; };
         allow-query { none; };

         // Bootstrap the root.

         zone "." chaos {
                 type hint;
                 file "/dev/null";
         };

         // Control access to BIND version number to
         // users at fireclick.com only.
         // Ref:  BUGTRAQ posting from LaMont Jones
         // <lamont at CRANSTON.FC.HP.COM> on 1998-06-12.
         zone "bind" chaos {
                 type master;
                 file "master/bind";
                 allow-query {
                         trusted;
                 };
                 allow-transfer {
                         none;
                 };
         };
};



===
Bob Gahl Bicycle (Ryan Vanguard) Mobile ||     @
     ARPA/Internet: bgahl at bawcsa.org     ||  !_ \
    URL: http://www.bawcsa.org/bgahl/    ||  (*)-~--+--(*)
"Sahn joong moe low ful how jee yah ching wong" - "When the
mountain has no tigers, the monkey will also declare himself
king." Chinese Proverb


