Name Server Question

Barry Margolin barmar at alum.mit.edu
Wed Jan 3 05:37:04 UTC 2007


In article <end4f3$1oug$1 at sf1.isc.org>, seekuel <seekuel at gmail.com> 
wrote:

> Sir,
> I did install a caching-nameserver because we lack the resources. This
> server is also used as a proxy server and an ftp server.
> 
> As you can see it is not tidy and still needs more configuration.

The problem is that you have a view configured.  If you use views, 
everything has to be in views, and anything that is outside the views is 
ignored.  But your view has recursion disabled.

> 
> Thanks
> 
> -----------------------------------
> Below is the named.conf entry
> -----------------------------------
> //
> // named.conf for Red Hat caching-nameserver
> //
> 
> options {
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>     version "NO IDEA";
> //    recursion no;
>     /*
>      * If there is a firewall between you and nameservers you want
>      * to talk to, you might need to uncomment the query-source
>      * directive below.  Previous versions of BIND always asked
>      * questions using port 53, but BIND 8.1 uses an unprivileged
>      * port by default.
>      */
>      // query-source address * port 53;
> };
> 
> //
> // a caching only nameserver config
> //
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> };
> 
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
> 
> zone "localdomain" IN {
>     type master;
>     file "localdomain.zone";
>     allow-update { none; };
> };
> 
> zone "localhost" IN {
>     type master;
>     file "localhost.zone";
>     allow-update { none; };
> };
> 
> zone "0.0.127.in-addr.arpa" IN {
>     type master;
>     file "named.local";
>     allow-update { none; };
> };
> 
> zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
> IN {
>         type master;
>     file "named.ip6.local";
>     allow-update { none; };
> };
> 
> zone "255.in-addr.arpa" IN {
>     type master;
>     file "named.broadcast";
>     allow-update { none; };
> };
> 
> zone "0.in-addr.arpa" IN {
>     type master;
>     file "named.zero";
>     allow-update { none; };
> };
> 
> include "/etc/rndc.key";
> // caching ends here
> 
> // name server starts here
> view "trusted" {
>    zone "booom.com.ph" IN {
>         type master;
>         file "masters/booom.com.ph";
>         allow-update { none; };
>         };
>     zone "60.177.203.in-addr.arpa" {
>         type master;
>         file "masters/booom.com.ph.rev";
>     allow-update { none; };
>       };
>     zone "jac.ph" IN {
>         type master;
>         file "masters/jac.ph";
>         allow-update { none; };
>         };
>    zone "booom.internal" {
>     type master;
>     file "masters/booom.internal";
>     };
> 
>     zone "1.16.172.in-addr.arpa" {
>         type master;
>         file "masters/booom.internal.rev";
>         allow-update { none; };
>     };
>    recursion no;
> };
> -----------------------------------
> -----------------------------------
> 
> On 1/2/07, Danny Mayer <mayer at gis.net> wrote:
> >
> > seekuel wrote:
> > > Sir,
> > >
> > > Is there any way to determine this issue? UDP port 53 is open but TCP is closed.
> > >
> >
> > Both need to be open. DNS responses for queries like Google are unlikely
> > to fit into a UDP packet unless it's responding with a larger UDP packet
> > size. That means that it does retries with TCP when it gets a truncated
> > flag.
> >
> > > On 12/30/06, Barry Margolin <barmar at alum.mit.edu> wrote:
> > >> In article <en3jqh$1vp9$1 at sf1.isc.org>, seekuel <seekuel at gmail.com>
> > >> wrote:
> > >>
> > >>> Hello group,
> > >>> I am new to BIND and I've configured a CentOS 4.4 box with bind,
> > >>> bind-chroot, caching-nameserver installed. This box functions as an
> > >>> authoritative name server for our domain.
> > >>>
> >
> > You don't need or want caching if it's just authoritative for the domain.
> >
> > >>> I am confused. This server is an authoritative server for our domain and
> > >>> when our workstation uses its public IP as the DNS that workstation cannot
> > >>> resolve other domains. This is also true on the server itself. If I edit
> > >>> /etc/resolv.conf to 127.0.0.1 or its public IP the server cannot resolve
> > >>> other domains, say google.com. When I use our ISP's DNS in /etc/resolv.conf
> > >>> then it can resolve other domains.
> > >>>
> >
> > Then you need to check to see if it's actually receiving the queries.
> > Did you turn on query logging to see if it gets them? Does it work if
> > you query directly with dig?
> >
> > >>> These are some of my questions. In an authoritative name server, why is it
> > >>> that even when a caching-nameserver is installed and I change
> > >>> /etc/resolv.conf to the server's IP, this server cannot resolve other
> > >>> domains but it can resolve our domain?
> >
> > A nameserver that is only authoritative will only respond to queries for
> > domains that it owns. If you want it to act as a nameserver for lookups
> > for other domains it needs to be set up to allow recursion, but you also
> > want to restrict that to only your own systems.
> >
> > >>> Is there something wrong with the configurations? I'm
> > >>> willing to attach the configuration if needed.
> >
> > You need to post your named.conf file. Please do not edit it as it
> > prevents people from seeing what's really the problem.
> >
> > Danny
> >
> 
> 
> Respectfully yours,
> Sandeil

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***



More information about the bind-users mailing list