Name Server Question
seekuel
seekuel at gmail.com
Thu Jan 4 05:37:22 UTC 2007
Sir,
I tried enabling recursion. As of now the configuration of /etc/resolv.conf
uses 127.0.0.1. The internal workstation can also resolve other domains by
using our DNS server, but now this server is an open DNS. I think this is not
safe.
Is there a way that my local users can resolve other domains without making
the server an open DNS?
Thanks and more power
On 1/3/07, Barry Margolin <barmar at alum.mit.edu> wrote:
>
> In article <end4f3$1oug$1 at sf1.isc.org>, seekuel <seekuel at gmail.com>
> wrote:
>
> > Sir,
> > I did install a caching-nameserver because we lack the resources. This
> > server is also used as a proxy server and an ftp server.
> >
> > As you can see it is not tidy and still needs more configuration.
>
> The problem is that you have a view configured. If you use views,
> everything has to be in views, and anything that is outside the views is
> ignored. But your view has recursion disabled.
>
> >
> > Thanks
> >
> > -----------------------------------
> > Below is the named.conf entry
> > -----------------------------------
> > //
> > // named.conf for Red Hat caching-nameserver
> > //
> >
> > options {
> > directory "/var/named";
> > dump-file "/var/named/data/cache_dump.db";
> > statistics-file "/var/named/data/named_stats.txt";
> > version "NO IDEA";
> > // recursion no;
> > /*
> > * If there is a firewall between you and nameservers you want
> > * to talk to, you might need to uncomment the query-source
> > * directive below. Previous versions of BIND always asked
> > * questions using port 53, but BIND 8.1 uses an unprivileged
> > * port by default.
> > */
> > // query-source address * port 53;
> > };
> >
> > //
> > // a caching only nameserver config
> > //
> > controls {
> > inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> > };
> >
> > zone "." IN {
> > type hint;
> > file "named.ca";
> > };
> >
> > zone "localdomain" IN {
> > type master;
> > file "localdomain.zone";
> > allow-update { none; };
> > };
> >
> > zone "localhost" IN {
> > type master;
> > file "localhost.zone";
> > allow-update { none; };
> > };
> >
> > zone "0.0.127.in-addr.arpa" IN {
> > type master;
> > file "named.local";
> > allow-update { none; };
> > };
> >
> > zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
> > type master;
> > file "named.ip6.local";
> > allow-update { none; };
> > };
> >
> > zone "255.in-addr.arpa" IN {
> > type master;
> > file "named.broadcast";
> > allow-update { none; };
> > };
> >
> > zone "0.in-addr.arpa" IN {
> > type master;
> > file "named.zero";
> > allow-update { none; };
> > };
> >
> > include "/etc/rndc.key";
> > // caching ends here
> >
> > // name server starts here
> > view "trusted" {
> > zone "booom.com.ph" IN {
> > type master;
> > file "masters/booom.com.ph";
> > allow-update { none; };
> > };
> > zone "60.177.203.in-addr.arpa" {
> > type master;
> > file "masters/booom.com.ph.rev";
> > allow-update { none; };
> > };
> > zone "jac.ph" IN {
> > type master;
> > file "masters/jac.ph";
> > allow-update { none; };
> > };
> > zone "booom.internal" {
> > type master;
> > file "masters/booom.internal";
> > };
> >
> > zone "1.16.172.in-addr.arpa" {
> > type master;
> > file "masters/booom.internal.rev";
> > allow-update { none; };
> > };
> > recursion no;
> > };
> > -----------------------------------
> > -----------------------------------
> >
> > On 1/2/07, Danny Mayer <mayer at gis.net> wrote:
> > >
> > > seekuel wrote:
> > > > Sir,
> > > >
> > > > Is there any way to determine this issue? UDP port 53 is open but
> > > > TCP is closed.
> > > >
> > >
> > > Both need to be open. DNS responses for queries like Google are
> > > unlikely to fit into a UDP packet unless it's responding with a larger
> > > UDP packet size. That means that it does retries with TCP when it gets
> > > a truncated flag.
> > >
> > > > On 12/30/06, Barry Margolin <barmar at alum.mit.edu> wrote:
> > > >> In article <en3jqh$1vp9$1 at sf1.isc.org>, seekuel <seekuel at gmail.com>
> > > >> wrote:
> > > >>
> > > >>> Hello group,
> > > >>> I am new to BIND and I've configured a CentOS 4.4 box with bind,
> > > >>> bind-chroot, caching-nameserver installed. This box functions as an
> > > >>> authoritative name server for our domain.
> > > >>>
> > >
> > > You don't need or want caching if it's just authoritative for the
> > > domain.
> > >
> > > >>> I am confused. This server is an authoritative server for our
> > > >>> domain and when our workstation uses its public ip as the dns that
> > > >>> workstation cannot resolve other domains. This is also true in the
> > > >>> server itself. If I edit /etc/resolv.conf to 127.0.0.1 or its
> > > >>> public ip the server cannot resolve other domains, say google.com.
> > > >>> When I use our ISP's dns in /etc/resolv.conf then it can resolve
> > > >>> other domains.
> > > >>>
> > >
> > > Then you need to check to see if it's actually receiving the queries.
> > > Did you turn on query logging to see if it gets them? Does it work if
> > > you query directly with dig?
> > >
> > > >>> These are some of my questions. In an authoritative name server,
> > > >>> why is it that even when a caching-nameserver is installed and I
> > > >>> change /etc/resolv.conf to the server's ip, this server cannot
> > > >>> resolve other domains but it can resolve our domain?
> > >
> > > A nameserver that is only authoritative will only respond to queries
> > > for domains that it owns. If you want it to act as a nameserver for
> > > lookups for other domains it needs to be set up to allow recursion,
> > > but you also want to restrict that to only your own systems.
> > >
> > > >>> Is there something wrong with the configurations? I'm
> > > >>> willing to attach the configuration if needed.
> > >
> > > You need to post your named.conf file. Please do not edit it as it
> > > prevents people from seeing what's really the problem.
> > >
> > > Danny
> > >
> >
> >
> > Respectfully yours,
> > Sandeil
>
> --
> Barry Margolin, barmar at alum.mit.edu
> Arlington, MA
> *** PLEASE post questions in newsgroups, not directly to me ***
> *** PLEASE don't copy me on replies, I'll read them in the group ***
>
>
>
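The question in this thread (let local users recurse without exposing an open resolver) and Barry's point that once you have a view, every zone must live in a view, can be answered with two views. The named.conf below is an added example written for this page; it is not the poster's file and not an ISC sample. It keeps the zone names and file paths from the posted config, but the 172.16.1.0/24 and 203.177.60.0/24 ranges are assumptions inferred from the reverse zones, and the remaining stock Red Hat zones (localdomain, 255.in-addr.arpa, 0.in-addr.arpa, the ip6.arpa block) are left out for length and belong in the internal view the same way as the localhost zones shown.

```conf
// named.conf (added example, not the poster's file): only internal
// clients may recurse; the public side is authoritative-only.
// Assumption: 172.16.1.0/24 is the LAN and 203.177.60.0/24 the public
// range, inferred from the reverse zones in the posted config.
acl "internal" {
    127.0.0.1;
    172.16.1.0/24;
};

options {
    directory "/var/named";
    version "NO IDEA";
    // No recursion settings here: each view decides for itself.
};

include "/etc/rndc.key";

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

// Views are tried in order; the first match-clients that matches wins,
// so the restrictive internal view must come first.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };

    // Root hints only here: the external view never recurses.
    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
    };

    // Internal-only zones: never visible on the public side.
    zone "booom.internal" {
        type master;
        file "masters/booom.internal";
        allow-update { none; };
    };

    zone "1.16.172.in-addr.arpa" {
        type master;
        file "masters/booom.internal.rev";
        allow-update { none; };
    };

    // Public zones are served to the LAN too, from the same files.
    zone "booom.com.ph" IN {
        type master;
        file "masters/booom.com.ph";
        allow-update { none; };
    };

    zone "jac.ph" IN {
        type master;
        file "masters/jac.ph";
        allow-update { none; };
    };
};

// Everyone else: authoritative answers only, no hints, no recursion.
view "external" {
    match-clients { any; };
    recursion no;

    zone "booom.com.ph" IN {
        type master;
        file "masters/booom.com.ph";
        allow-update { none; };
    };

    zone "60.177.203.in-addr.arpa" {
        type master;
        file "masters/booom.com.ph.rev";
        allow-update { none; };
    };

    zone "jac.ph" IN {
        type master;
        file "masters/jac.ph";
        allow-update { none; };
    };
};
```

Run named-checkconf on the result before reloading. Because 127.0.0.1 is in the internal ACL, /etc/resolv.conf on the server can keep pointing at 127.0.0.1 and still resolve outside names. To confirm the public side is no longer an open resolver, query it from a host outside the internal range with `dig @<public ip> www.google.com A`: the `flags:` line in the reply header should not contain `ra` and there should be no answer section, while the same query from the LAN should show `ra` and return an answer.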