query-source/transfer-source have no effect (bind 9.2.1)
Monu Ogbe
monu at houxou.com
Mon Jan 5 15:58:14 UTC 2004
Hello Mark,
Understanding that 'dig' does not read /etc/named.conf is just the steer
I needed.
As the peer name servers that reject our connections are not operated by
us, I have requested that a colleague send me extracts from his logs.
In the meantime fingers crossed that I don't have a problem after all!
:-)
Again, very many thanks.
Monu Ogbe
>-----Original Message-----
>From: Mark.Andrews at isc.org [mailto:Mark.Andrews at isc.org]
>Sent: 04 January 2004 23:50
>To: Monu Ogbe
>Cc: bind-users at isc.org
>Subject: Re: query-source/transfer-source have no effect (bind 9.2.1)
>
>
>
>> Hello,
>>
>> My name server is called 'ns1.dns.ournet.com' which maps to the IP
>> address '192.168.240.56/23' (eth0:1). Multiple IP addresses are aliased
>> to eth0 on the server.
>>
>> Since a recent upgrade from RedHat 7.3/Bind 8 to Redhat 9/Bind 9.2.1, I
>> have been unable to get the name server to perform queries and transfers
>> on the addresses specified in the query-source and transfer-source
>> options. Instead, the server defaults to performing queries and
>> transfers using the primary IP address assigned to eth0.
>
>BIND 9.2.1 is old. Why upgrade to an old version?
>
>-rw-r--r-- 1 marka marka 201 Nov 25 2001 bind-9.2.0/version
>-rw-r--r-- 1 marka marka 202 Mar 29 2002 bind-9.2.1/version
>-rw-r--r-- 1 marka marka 206 Feb 17 2003 bind-9.2.2/version
>-rw-r--r-- 1 marka marka 202 Oct 9 17:00 bind-9.2.3/version
>
>> The following IP addresses are configured on the name server:
>>
>> eth0   inet addr:192.168.240.90 Bcast:192.168.241.255 Mask:255.255.254.0
>> eth0:0 inet addr:192.168.240.61 Bcast:192.168.241.255 Mask:255.255.254.0
>> eth0:1 inet addr:192.168.240.56 Bcast:192.168.241.255 Mask:255.255.254.0
>> lo     inet addr:127.0.0.1 Mask:255.0.0.0
>>
>> The options statement in /etc/named.conf is as follows:
>>
>> options {
>>     listen-on { 192.168.240.56; };
>>     query-source address 192.168.240.56 port 53;
>>     transfer-source 192.168.240.56;
>>     directory "/var/named";
>>     notify yes;
>>     also-notify {
>>         192.168.240.57;
>>         192.168.244.249;
>>         192.168.244.252;
>>     };
>>     allow-transfer {
>>         192.168.240.57;
>>     };
>>     /*
>>      * If there is a firewall between you and nameservers you want
>>      * to talk to, you might need to uncomment the query-source
>>      * directive below. Previous versions of BIND always asked
>>      * questions using port 53, but BIND 8.1 uses an unprivileged
>>      * port by default.
>>      */
>>     //query-source address 192.168.240.56 port 53;
>> };
>>
>> The symptoms are that peer servers reject our requests because they
>> expect these to come from 192.168.240.56 instead of which the queries
>> and transfer requests come from 192.168.240.90.
>
>What exactly is being rejected? Log messages would be
> useful to see.
>
>Also you don't have a notify-source specified.
>
>> tcpdumps of queries and transfer requests show this to be true; such
>> that performing a dig from the server to a peer:
>>
>> # dig @192.168.244.227 test.ournet.com -t any
>>
>> produces the following (unexpected) tcpdump output:
>>
>> tcpdump: listening on eth0
>> 15:16:21.797540 192.168.240.90.35218 > 192.168.244.227.53: 35824+ ANY? test.ournet.com. (33) (DF)
>> 15:16:26.798564 192.168.240.90.35218 > 192.168.244.227.53: 35824+ ANY? test.ournet.com. (33) (DF)
>>
>> On the other hand, I AM able to force a query to take place from a
>> specified address using dig's -b option; and:
>>
>> # dig @192.168.244.227 test.ournet.com -b192.168.240.56 -t any
>>
>> produces the following (expected) tcpdump output:
>>
>> tcpdump: listening on eth0
>> 15:20:57.553985 192.168.240.56.35219 > 192.168.244.227.53: 65062+ ANY? test.ournet.com. (33) (DF)
>> 15:21:02.564697 192.168.240.56.35219 > 192.168.244.227.53: 65062+ ANY? test.ournet.com. (33) (DF)
>>
>> I'm flummoxed by this, and would greatly appreciate a steer.
>
>What makes you think that dig looks at named.conf?
>The traces above are exactly what is to be expected.
>192.168.240.90 is used unless a query source is forced.
>
>> Many thanks in advance,
>>
>> Monu Ogbe
>> -----------------------------------------------------------
>> www.houxou.com
>> -----------------------------------------------------------
>>
>--
>Mark Andrews, Internet Software Consortium
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at isc.org
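
An added example, not part of the original thread and not BIND code: a small check that reads the `*-source` addresses out of a named.conf fragment (ignoring commented-out lines) and lists port-53 packets in a tcpdump capture that left from a different address. The sample config and capture lines are constructed from the ones quoted above; the function names are hypothetical. Run it against traffic generated by named itself, since dig does not read named.conf and will always show the default source unless `-b` is given.

```python
import re

# Constructed sample input, modelled on the named.conf options and the
# tcpdump lines quoted in the thread.
NAMED_CONF = """
options {
    listen-on { 192.168.240.56; };
    query-source address 192.168.240.56 port 53;
    transfer-source 192.168.240.56;
    //query-source address 192.168.240.56 port 53;
};
"""
CAPTURE = """\
15:16:21.797540 192.168.240.90.35218 > 192.168.244.227.53: 35824+ ANY? test.ournet.com. (33) (DF)
15:20:57.553985 192.168.240.56.35219 > 192.168.244.227.53: 65062+ ANY? test.ournet.com. (33) (DF)
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
# time, source address (port dropped), destination address, destination port 53
PACKET = re.compile(rf"^(\S+) ({IPV4})\.\d+ > ({IPV4})\.53: ")

def strip_comments(conf):
    """Remove /* */, // and # comments so disabled options are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def configured_sources(conf):
    """Return the IPv4 address set for each *-source option that is present."""
    conf = strip_comments(conf)
    found = {}
    for opt in ("query-source", "transfer-source", "notify-source"):
        m = re.search(rf"\b{opt}\s+(?:address\s+)?({IPV4})", conf)
        if m:
            found[opt] = m.group(1)
    return found

def unexpected_sources(capture, expected):
    """List (time, src, dst) for port-53 packets not sent from `expected`."""
    hits = []
    for line in capture.splitlines():
        m = PACKET.match(line)
        if m and m.group(2) != expected:
            hits.append(m.groups())
    return hits

if __name__ == "__main__":
    sources = configured_sources(NAMED_CONF)
    print(sources)
    for hit in unexpected_sources(CAPTURE, sources["query-source"]):
        print("unexpected source:", hit)
```

A missing key in the result of `configured_sources` (here `notify-source`) means that traffic type will use the system's default source address.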