Problem with secondary DNS not responding on lookups
Ronald I. Nutter
ronald_nutter at georgetowncollege.edu
Mon Oct 25 20:42:49 UTC 2004
I am running Bind 9.2.2 on RH EL3. I am trying to use the following
template that I got from
http://www.cymru.com/Documents/secure-bind.template.html. When I put
this named.conf in place, I can get any dns resolution to take place. I
tried using nslookup on the local machine as well as the primary dns
server, pointing it to the linux box I am working on, neither system
will resolve anything I give it. If I go back to my old file, it works
but I am a wide open dns system for the world. I have retyped the
config file. The only error I am getting on startup is that there are
no records in the 0.0.127.in-addr-arpa file, which there arent at this
point. Named does start up and stay running but I can resolve anything
against it. I am trying to put up a secondary DNS system that will be
as safe as can be reasonably done. I would appreciate any pointers
based on my file here as to where the problem is or how to do further
troubleshooting.
Thanks,
Ron
acl "xfer" {
none;
68.208.176.3/32;
};
acl "trusted" {
68.208.176.0/24;
68.208.177.0/24;
localhost;
};
acl "bogon" {
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
5.0.0.0/8;
7.0.0.0/8;
10.0.0.0/8;
23.0.0.0/8;
27.0.0.0/8;
31.0.0.0/8;
36.0.0.0/8;
37.0.0.0/8;
39.0.0.0/8;
41.0.0.0/8;
42.0.0.0/8;
49.0.0.0/8;
50.0.0.0/8;
73.0.0.0/8;
74.0.0.0/8;
75.0.0.0/8;
76.0.0.0/8;
77.0.0.0/8;
78.0.0.0/8;
79.0.0.0/8;
89.0.0.0/8;
90.0.0.0/8;
91.0.0.0/8;
92.0.0.0/8;
93.0.0.0/8;
94.0.0.0/8;
95.0.0.0/8;
96.0.0.0/8;
97.0.0.0/8;
98.0.0.0/8;
99.0.0.0/8;
100.0.0.0/8;
101.0.0.0/8;
102.0.0.0/8;
103.0.0.0/8;
104.0.0.0/8;
105.0.0.0/8;
106.0.0.0/8;
107.0.0.0/8;
108.0.0.0/8;
109.0.0.0/8;
110.0.0.0/8;
111.0.0.0/8;
112.0.0.0/8;
113.0.0.0/8;
114.0.0.0/8;
115.0.0.0/8;
116.0.0.0/8;
117.0.0.0/8;
118.0.0.0/8;
119.0.0.0/8;
120.0.0.0/8;
121.0.0.0/8;
122.0.0.0/8;
123.0.0.0/8;
124.0.0.0/8;
125.0.0.0/8;
126.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
173.0.0.0/8;
174.0.0.0/8;
175.0.0.0/8;
176.0.0.0/8;
177.0.0.0/8;
178.0.0.0/8;
179.0.0.0/8;
180.0.0.0/8;
181.0.0.0/8;
182.0.0.0/8;
183.0.0.0/8;
184.0.0.0/8;
185.0.0.0/8;
186.0.0.0/8;
187.0.0.0/8;
189.0.0.0/8;
190.0.0.0/8;
192.0.2.0/24;
192.168.0.0/16;
197.0.0.0/8;
223.0.0.0/8;
224.0.0.0/8;
};
logging {
channel "default_syslog" {
// send most of the named messages to syslog
syslog local2;
severity debug;
};
channel "audit_log" {
// send security related messages to a seperate file
file "/var/named/named.log";
severity debug;
print-time yes;
};
category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { audit_log; };
category lame-servers { audit_log; };
};
// Set options for security
options {
directory "/var/named";
pid-file "/var/named/named.pid";
statistics-file "/var/named/named.stats";
// memstatistics-file "/var/named/named.memstats";
dump-file "/var/adm/named.dump";
zone-statistics yes;
// Prevent DoS attacks by generating bogus zone transfer
// requests. This will result in slower updates to the
// slave servers (e.g. they will await the poll interval
// before checking for updates).
notify no;
// Generate more efficient zone transfers. This will place
// multiple DNS records in a DNS message, instead of one per
// DNS message.
transfer-format many-answers;
// Set the maximum zone transfer time to something more
// reasonable. In this case, we state that any zone transfer
// that takes longer than 60 minutes is unlikely to ever
// complete. WARNING: If you have very large zone files,
// adjust this to fit your requirements.
max-transfer-time-in 60;
// We have no dynamic interfaces, so BIND shouldn't need to
// poll for interfaces state {UP|DOWN}.
interface-interval 0;
allow-transfer {
// Zone transfers limited to members of the
// "xfer" ACL.
xfer;
};
allow-query {
// Accept queries from our "trusted" ACL. We will
// allow anyone to query our master zones below.
// This prevents us from becoming a free DNS server
// to the masses.
trusted;
};
blackhole {
// Deny anything to the bogon networks as
// detailed in the "bogon" ACL.
bogon;
};
};
view "internal-in" in {
// Our internal (trusted) view. We permit the internal networks
// to freely access this view. We perform recursion for our
// internal hosts, and retrieve data from the cache for them.
match-clients { trusted; };
recursion yes;
additional-from-auth yes;
additional-from-cache yes;
zone "." in {
// Link in the root server hint file
type hint;
file "db.cache";
};
zone "0.0.127.in-addr-arpa" in {
// Allow queries for the 127/8 network, but no some zone
transfers
// Every name server, both slave and master, will be a
master
// for this zone.
type master;
file "db.127.0.0";
allow-query {
any;
};
allow-transfer {
none;
};
};
};
// Create a view for external DNS clients
view "external-in" in {
// Our external (untrusted) view. We permit any client to
access
// portions of this view. We do not perform recursion or cache
// access for hosts using this view.
match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;
zone "georgetowncollege.edu" in {
type slave;
file "georgetowncollege.edu.bk";
masters { 68.208.176.2; };
allow-query { any; };
};
zone "ethic.org" in {
type slave;
file "ethic.org.bk";
masters { 68.208.176.2; };
allow-query { any; };
};
zone "fskentucky.org" in {
type slave;
file "fskentucky.org.bk";
masters { 68.208.176.2; };
allow-query { any; };
};
zone "gfumc.com" in {
type slave;
file "gfumc.com.bk";
masters { 68.208.176.2; };
allow-query { any; };
};
zone "kacrao.com" in {
type slave;
file "kacrao.com.bk";
masters { 68.208.176.2; };
allow-query { any; };
};
zone "ka4kyi.com" in {
type slave;
file "ka4kyi.com.bk";
masters { 68.208.176.2; };
allow-query { any; };
};
zone "nacu.org" in {
type slave;
file "nacu.org.bk";
masters { 68.208.176.2; };
allow-query { any; };
};
zone "signsofhistory.com" in {
type slave;
file "signsofhistory.com.bk";
masters { 68.208.176.2; };
allow-query { any; };
};
zone "themeetinghouse.net" in {
type slave;
file "themeetinghouse.net.bk";
masters { 68.208.176.2; };
allow-query { any; };
};
};
// Create a view for all clients perusing the CHAOS class.
// We allow interal hosts to query our version number.
// This is a good idea for support point of view.
view "external-chaos" chaos {
match-clients { any; };
recursion no;
zone "." {
type hint;
file "/dev/null";
};
zone "bind" {
type master;
file "db.bind";
allow-query { trusted; };
allow-transfer { none; };
};
};
More information about the bind-users
mailing list