How do I find my mistake?

Kevin Darcy kcd at daimlerchrysler.com
Tue Sep 21 23:59:19 UTC 2004


Wes Groleau wrote:

>I wanted to set up a caching server, not so much for
>the sake of caching, but I have some processes that
>refuse to run if they can't talk to a nameserver
>(even if they don't have anything to say, they just
>like the security of knowing it's there).  But....
>
>Sep 19 09:17:59 named[257]: starting BIND 9.2.2
>Sep 19 09:17:59 named[257]: using 1 CPU
>Sep 19 09:18:00 named[257]: loading configuration from '/etc/named.conf'
>Sep 19 09:18:00 named[257]: listening on IPv4 interface lo0, 127.0.0.1#53
>Sep 19 09:18:00 named[257]: listening on IPv4 interface en0, <my LAN IP>#53
>Sep 19 09:18:00 named[257]: none:0: open: /etc/rndc.key: file not found
>Sep 19 09:18:00 named[257]: couldn't add command channel 127.0.0.1#953: file not found
>Sep 19 09:18:00 named[257]: none:0: open: /private/etc/rndc.key: file not found
>Sep 19 09:18:00 named[257]: couldn't add command channel ::1#953: file not found
>
>   None of my config files mention this.  Can I disable it?
>   If not, what do I put in it?
>
If you want to be able to control your nameserver remotely (e.g. 
reloading it, or just reloading/refreshing a particular zone, turning on 
debugging, dumping stats or the cache, etc.), then you need to generate 
and install an RNDC key. If you don't care about any of that, then 
specify "controls { };" in your named.conf and that should get rid of 
the error messages.

>Sep 19 09:18:00 named[257]: /private/etc/named.conf:13: unknown logging category 'cname' ignored
>
>    I presume this is harmless.  Comes from a command someone told me
>    to add "to cut down on useless log items"
>
I'm not sure how _adding_ a logging category "cut[s] down" on anything. 
If you want to get rid of this error message, get rid of the reference 
to the bogus category.

>Sep 19 09:18:02 named[257]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
>Sep 19 09:18:02 named[257]: zone localhost/IN: loaded serial 42
>Sep 19 09:18:02 named[257]: running
>
>OK, so in spite of the errors, it claims to be running.
>
>But even though the first line of /etc/resolv.conf
>points to 127.0.0.1, I still get
>
>Sep 19 03:15:58 (squid): Could not find any nameservers.        Please check your /etc/resolv.conf file        or use the 'dns_nameservers' option in squid.conf.
>Sep 19 03:15:58 squid[323]: Squid Parent: child process 325 exited due to signal 6
>
Don't know much about squid. If you do lookups from the command line, 
e.g. using "dig", do they work? What are the *exact* contents of your 
/etc/resolv.conf file? Maybe you screwed up the syntax.

>Also, when I connect PPP, I get messages suggesting
>that the server is listening for requests from outside.
>
The default behavior is to listen on all available interfaces. Did you 
just want it to listen on the loopback interface? If so, then you need 
to specify a "listen-on" in your named.conf file.

>Is there a way with ipfw to ensure it receives no requests
>while still allowing it to make requests and get answers?
>
Sure. DNS queries have a destination port of 53. Just block all incoming 
UDP or TCP packets with a destination port of 53. You can also implement 
source-address-based security within the nameserver itself with 
"allow-query" or (if you just want to drop the packet without sending a 
nice refusal response back) the "blackhole" option.

>It's been ages since I read the BIND and DNS book--and
>I really didn't study it, just read it.
>
Maybe you should read it in greater depth this time.

- Kevin
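Added example, not from either poster: a named.conf that applies the points made in the reply above for a loopback-only caching server on BIND 9.2 (an empty "controls" statement so no rndc.key is needed, "listen-on" restricted to 127.0.0.1, "allow-query" limited to the built-in localhost ACL, and a "blackhole" list for sources that should get no answer at all). The directory path and the 192.0.2.0/24 blackhole range are placeholders; the logging stanza shows the same "cut down on useless log items" idea done with a category BIND 9 actually recognizes (lame-servers) rather than the BIND 8-era 'cname' category that produced the warning.

```conf
// Example named.conf for a loopback-only caching nameserver (BIND 9.2).
// Not taken from the thread; paths and addresses are placeholders.

options {
    directory "/var/named";          // placeholder working directory

    // Only bind the loopback address, so nothing outside the host
    // can reach port 53 even when a PPP interface comes up.
    listen-on { 127.0.0.1; };
    listen-on-v6 { none; };

    // Belt and braces: even if a packet did arrive, only answer the
    // built-in "localhost" ACL. Everyone else gets a REFUSED response.
    allow-query { localhost; };
    recursion yes;

    // Sources listed here are dropped silently: no refusal is sent back.
    // 192.0.2.0/24 is a documentation range used here as a placeholder.
    blackhole { 192.0.2.0/24; };
};

// No remote control channel: named stops looking for /etc/rndc.key
// and the "couldn't add command channel" messages go away.
controls { };

// Discard a noisy but harmless category using the predefined "null"
// channel. "lame-servers" is a valid BIND 9 category; 'cname' is not.
logging {
    category lame-servers { null; };
};

// Minimal root hints and the usual local zones still belong here, e.g.:
zone "." {
    type hint;
    file "named.root";               // placeholder filename
};
```

With this in place, "dig @127.0.0.1 example.com" from the box itself should answer, while a query arriving on the LAN or PPP interface is never accepted by the socket in the first place; "allow-query" and "blackhole" only matter if "listen-on" is later widened again.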