query-source/transfer-source have no effect (bind 9.2.1)

Monu Ogbe monu at houxou.com
Mon Jan 5 15:58:14 UTC 2004


Hello Mark,

Understanding that 'dig' does not read /etc/named.conf is just the steer
I needed.

As the peer name servers that reject our connections are not operated by
us, I have requested that a colleague send me extracts from his logs.
In the meantime fingers crossed that I don't have a problem after all!
:-)

Again, very many thanks.

Monu Ogbe

>-----Original Message-----
>From: Mark.Andrews at isc.org [mailto:Mark.Andrews at isc.org]
>Sent: 04 January 2004 23:50
>To: Monu Ogbe
>Cc: bind-users at isc.org
>Subject: Re: query-source/transfer-source have no effect (bind 9.2.1)
>
>
>
>> Hello,
>>
>> My name server is called 'ns1.dns.ournet.com' which maps to the IP
>> address '192.168.240.56/23' (eth0:1).  Multiple IP addresses are aliased
>> to eth0 on the server.
>>
>> Since a recent upgrade from RedHat 7.3/Bind 8 to Redhat 9/Bind 9.2.1, I
>> have been unable to get the name server to perform queries and transfers
>> on the addresses specified in the query-source and transfer-source
>> options.  Instead, the server defaults to performing queries and
>> transfers using the primary IP address assigned to eth0.
>
>	BIND 9.2.1 is old.  Why upgrade to an old version?
>
>-rw-r--r--  1 marka  marka  201 Nov 25  2001 bind-9.2.0/version
>-rw-r--r--  1 marka  marka  202 Mar 29  2002 bind-9.2.1/version
>-rw-r--r--  1 marka  marka  206 Feb 17  2003 bind-9.2.2/version
>-rw-r--r--  1 marka  marka  202 Oct  9 17:00 bind-9.2.3/version
>
>> The following IP addresses are configured on the name server:
>>
>> eth0      inet addr:192.168.240.90  Bcast:192.168.241.255  Mask:255.255.254.0
>> eth0:0    inet addr:192.168.240.61  Bcast:192.168.241.255  Mask:255.255.254.0
>> eth0:1    inet addr:192.168.240.56  Bcast:192.168.241.255  Mask:255.255.254.0
>> lo        inet addr:127.0.0.1  Mask:255.0.0.0
>>
>> The options statement in /etc/named.conf is as follows:
>>
>> options {
>>         listen-on { 192.168.240.56; };
>>         query-source address 192.168.240.56 port 53;
>>         transfer-source 192.168.240.56;
>>         directory "/var/named";
>>         notify yes;
>>         also-notify {
>>                 192.168.240.57;
>>                 192.168.244.249;
>>                 192.168.244.252;
>>         };
>>         allow-transfer {
>>                 192.168.240.57;
>>         };
>>         /*
>>         * If there is a firewall between you and nameservers you want
>>         * to talk to, you might need to uncomment the query-source
>>         * directive below.  Previous versions of BIND always asked
>>         * questions using port 53, but BIND 8.1 uses an unprivileged
>>         * port by default.
>>         */
>>         //query-source address 192.168.240.56 port 53;
>> };
>>
>> The symptoms are that peer servers reject our requests because they
>> expect these to come from 192.168.240.56 instead of which the queries
>> and transfer requests come from 192.168.240.90.
>
>	What exactly is being rejected?  Log messages would be
>	useful to see.
>
>	Also you don't have a notify-source specified.
>
>> tcpdumps of queries and transfer requests show this to be true; such
>> that performing a dig from the server to a peer:
>>
>> 	# dig @192.168.244.227 test.ournet.com -t any
>>
>> produces the following (unexpected) tcpdump output:
>>
>> tcpdump: listening on eth0
>> 15:16:21.797540 192.168.240.90.35218 > 192.168.244.227.53:  35824+ ANY? test.ournet.com. (33) (DF)
>> 15:16:26.798564 192.168.240.90.35218 > 192.168.244.227.53:  35824+ ANY? test.ournet.com. (33) (DF)
>>
>> On the other-hand, I AM able to force a query to take place from a
>> specified address using dig's -b option; and:
>>
>> 	# dig @192.168.244.227 test.ournet.com -b192.168.240.56 -t any
>>
>> produces the following (expected) tcpdump output:
>>
>> tcpdump: listening on eth0
>> 15:20:57.553985 192.168.240.56.35219 > 192.168.244.227.53:  65062+ ANY? test.ournet.com. (33) (DF)
>> 15:21:02.564697 192.168.240.56.35219 > 192.168.244.227.53:  65062+ ANY? test.ournet.com. (33) (DF)
>>
>> I'm flummoxed by this, and would greatly appreciate a steer.
>
>	What makes you think that dig looks at named.conf?
>	The traces above are exactly what is to be expected:
>	192.168.240.90 is used unless a query source is forced.
>
>> Many thanks in advance,
>>
>> Monu Ogbe
>> -----------------------------------------------------------
>> www.houxou.com
>> -----------------------------------------------------------
>>
>--
>Mark Andrews, Internet Software Consortium
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at isc.org
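An added check, not part of this thread or of BIND itself: the two things Mark points at are that dig ignores named.conf (so only named's own traffic is governed by query-source/transfer-source) and that notify-source was never set, so NOTIFY messages still leave from the primary eth0 address. The script below parses an options block like the one quoted above (sample reconstructed from the post) and reports which of the three source options are missing or point at an address other than the intended one; it treats `//`, `#` and `/* */` comments as inactive, so the commented-out duplicate query-source line is ignored as named would ignore it.

```python
import re

# Constructed sample: the options block from the original post, trimmed,
# with the commented-out duplicate query-source line left in place.
NAMED_CONF = """
options {
        listen-on { 192.168.240.56; };
        query-source address 192.168.240.56 port 53;
        transfer-source 192.168.240.56;
        directory "/var/named";
        notify yes;
        also-notify { 192.168.240.57; 192.168.244.249; };
        /* If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the directive below. */
        //query-source address 192.168.240.56 port 53;
};
"""

# The three options that decide which local address named sends from.
SOURCE_OPTIONS = ("query-source", "transfer-source", "notify-source")


def strip_comments(text):
    """Drop /* */, // and # comments so commented-out lines do not count."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def source_addresses(conf):
    """Return {option: address or None} for each source option in conf."""
    conf = strip_comments(conf)
    found = {}
    for opt in SOURCE_OPTIONS:
        # The 'address' keyword is optional; the value is an IP or '*'.
        m = re.search(rf"\b{opt}\s+(?:address\s+)?([\d.]+|\*)", conf)
        found[opt] = m.group(1) if m else None
    return found


def check_sources(conf, expected):
    """List problems: an option that is unset (named then falls back to the
    interface's primary address, as in the tcpdump above) or set elsewhere."""
    problems = []
    for opt, addr in source_addresses(conf).items():
        if addr is None:
            problems.append(f"{opt} not set; named will use the default interface address")
        elif addr != expected:
            problems.append(f"{opt} is {addr}, expected {expected}")
    return problems


if __name__ == "__main__":
    for problem in check_sources(NAMED_CONF, "192.168.240.56"):
        print(problem)
```

Run against the quoted configuration it reports only the missing notify-source; confirming what named actually sends from still needs the tcpdump shown in the thread, since this inspects configuration text only.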