BIND 9 with views recursion issues

FredrichManey fredrichmaney at gmail.com
Tue Nov 14 15:31:28 UTC 2006


All,

I'm experiencing an extremely frustrating issue involving recursion in
a new BIND 9 installation.

Environment:
2 new Solaris 9 servers running BIND 9.3.2 built from source. They are
configured with two views - internal and external - and are in a dual
master configuration. They are on RFC 1918 addresses behind a NAT
firewall and should only be accessible from the internal network (the
external view is being built with the intention of these machines
becoming 'hidden masters' for the public name servers on the outside of
the firewall).

Problem:
When trying to resolve some specific zones that are not in the cache, I
get server timeouts and non-existent zone responses. This does not
happen for all non-cached zones, but it does happen for all lookups of
the affected zones (tested using dig and nslookup, both locally and
from remote clients).


Here are the relevant parts of my named.conf file:

// BIND Option Statements
options {
   version "You have been logged and reported.";
   // All paths in this file are relative to this directory.
   directory "/named/";
   listen-on port 53 { any; };
   listen-on-v6 { none; };
   pid-file "var/named.pid";
   statistics-file "var/statistics";
   memstatistics-file "var/memstats";
   dump-file "var/named.dump";
   zone-statistics yes;
   auth-nxdomain no;     # conform to RFC1035
};

// Access Control Lists
acl rfc_1918        { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
acl private_dns     { 10.3.8.100; 10.3.8.101; };
acl internal_dns    { 10.3.8.100; 10.3.8.101; };
acl external_dns    { 74.128.1.70; 74.128.1.71; };

// snip logging configuration

// internal view for internal hosts on inside network and dmz
view "internal" {
   // any host that doesn't match here falls through to the external view
   match-clients { "rfc_1918"; };
   allow-query { "rfc_1918"; };
   allow-recursion { "rfc_1918"; };
   allow-transfer { "internal_dns"; };
   notify-source 10.3.8.100 port 53;
   query-source address 10.3.8.100 port 53;
   transfer-source 10.3.8.100 port 53;

   // root hints used by this view's resolver
   zone "." {
      type hint;
      file "db/internal/named.root";
   };
// snip internal view master and slave zone configurations;
};

// external view for external hosts and networks on the internet
view "external" {
   // any host that didn't match the internal view above
   match-clients { any; };
   allow-query { any; };
   allow-recursion { none; };   # recursion disabled for external clients
   allow-transfer { "external_dns"; };
   notify-source 10.3.8.100 port 53;
   query-source address 10.3.8.100 port 53;
   transfer-source 10.3.8.100 port 53;

   zone "." {
      type hint;
      file "db/external/named.root";
   };
// snip external view master and slave zone configurations
};


Any help would be greatly appreciated. This is impacting production and
if I don't get it resolved soon I'm going to be forced to go back to BIND 8
without views because "bind 9 doesn't work and we are only going there
because it's the new thing".

fpsm
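Editor's added example, not taken from the original post, from any reply to it, or from ISC's documentation: the same two views with the view-level source settings rewritten. It keeps the poster's addresses and ACL names and assumes 10.3.8.100 is the first of the two servers and that the NAT firewall lets that host reach remote port 53 from any source port. It is not offered as the cause of the timeouts described above, which the post does not establish; it addresses the one setting a reviewer would flag on security grounds. Pinning `query-source ... port 53` makes every outgoing query leave from one predictable port, so a forged reply only needs to guess the 16-bit query ID. BIND releases from mid-2008 on (9.3.5-P1, 9.4.2-P1, 9.5.0-P1) randomize the UDP source port per query, and a fixed `port 53` switches that protection off.

```conf
// Added example, not from the original post. Addresses and ACL names are
// the poster's; the host is assumed to be 10.3.8.100 and the firewall is
// assumed to allow outbound DNS from any source port.

options {
   directory "/named/";
   listen-on port 53 { any; };
   listen-on-v6 { none; };
   version "You have been logged and reported.";
};

acl rfc_1918     { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
acl internal_dns { 10.3.8.100; 10.3.8.101; };
acl external_dns { 74.128.1.70; 74.128.1.71; };

// Resolver view: only RFC 1918 clients land here, and only they may recurse.
view "internal" {
   match-clients   { rfc_1918; };
   recursion       yes;
   allow-query     { rfc_1918; };
   allow-recursion { rfc_1918; };
   allow-transfer  { internal_dns; };

   // Weak setting from the post: every query leaves from 10.3.8.100:53.
   //    query-source address 10.3.8.100 port 53;
   // Hardened: fix the address (one NAT mapping) but leave the port to named.
   query-source    address 10.3.8.100;
   notify-source   10.3.8.100;
   transfer-source 10.3.8.100;

   zone "." {
      type hint;
      file "db/internal/named.root";
   };
   // master and slave zones for internal names go here
};

// Authoritative-only view for every client that did not match above.
view "external" {
   match-clients  { any; };
   // Turning the resolver off is stronger than allow-recursion { none; }:
   // this view never performs or caches lookups, so it needs no hint zone.
   recursion      no;
   allow-query    { any; };
   allow-transfer { external_dns; };
   notify-source   10.3.8.100;
   transfer-source 10.3.8.100;

   // master zones the public name servers will slave from go here
};
```

Run `named-checkconf` on the file before loading it. From an internal host, `dig @10.3.8.100 www.example.com` should return an answer with `ra` in the flags; the same query from an outside address should come back with no answer and no `ra`. The cost of dropping `port 53` is that the firewall rule for outbound DNS must permit any source port to UDP and TCP 53, not only 53 to 53.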


