Name Server Question

seekuel seekuel at gmail.com
Fri Jan 5 15:57:57 UTC 2007


Sir,
Thanks for all the help. The server is functioning as an authoritative name
server and a caching name server at the same time, and it's not an open DNS.

Respectfully,
Sandeil


On 1/5/07, seekuel <seekuel at gmail.com> wrote:
>
> Sir,
>
> Thanks for all the great inputs. I'll try again today.
>
> Respectfully,
> Sandeil
>
> On 1/4/07, jm <jm at hcn.com.au> wrote:
> >
> > In the options section of your named.conf you can add a line like:
> >
> >         allow-recursion { 127.0.0.1; 192.168.0/24 ; 10/8; };
> >
> > Obviously replacing the subnets with ones appropriate for you.
> >
> > Cheers,
> >
> > Jason
> >
> > seekuel wrote:
> > > Sir,
> > > I tried enabling recursion. As of now the configuration of /etc/resolv.conf
> > > uses 127.0.0.1. The internal workstation can also resolve other domains by
> > > using our DNS server, but now this server is an open DNS. I think this is
> > > not safe.
> > >
> > > Is there a way that my local users can resolve other domains without making
> > > the server open DNS?
> > >
> > > Thanks and more power
> > >
> > > On 1/3/07, Barry Margolin <barmar at alum.mit.edu> wrote:
> > >
> > >> In article <end4f3$1oug$1 at sf1.isc.org>, seekuel <seekuel at gmail.com>
> > >> wrote:
> > >>
> > >>
> > >>> Sir,
> > >>> I did install a caching-nameserver because we lack the resources. This
> > >>> server is also used as a proxy server and an ftp server.
> > >>>
> > >>> As you can see it is not tidy and still needs more configuration.
> > >>>
> > >> The problem is that you have a view configured.  If you use views,
> > >> everything has to be in views, and anything that is outside the views is
> > >> ignored.  But your view has recursion disabled.
> > >>
> > >>
> > >>> Thanks
> > >>>
> > >>> -----------------------------------
> > >>> Below is the named.conf entry
> > >>> -----------------------------------
> > >>> //
> > >>> // named.conf for Red Hat caching-nameserver
> > >>> //
> > >>>
> > >>> options {
> > >>>     directory "/var/named";
> > >>>     dump-file "/var/named/data/cache_dump.db";
> > >>>     statistics-file "/var/named/data/named_stats.txt";
> > >>>     version "NO IDEA";
> > >>> //    recursion no;
> > >>>     /*
> > >>>      * If there is a firewall between you and nameservers you want
> > >>>      * to talk to, you might need to uncomment the query-source
> > >>>      * directive below.  Previous versions of BIND always asked
> > >>>      * questions using port 53, but BIND 8.1 uses an unprivileged
> > >>>      * port by default.
> > >>>      */
> > >>>     // query-source address * port 53;
> > >>> };
> > >>>
> > >>> //
> > >>> // a caching only nameserver config
> > >>> //
> > >>> controls {
> > >>>     inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> > >>> };
> > >>>
> > >>> zone "." IN {
> > >>>     type hint;
> > >>>     file "named.ca";
> > >>> };
> > >>>
> > >>> zone "localdomain" IN {
> > >>>     type master;
> > >>>     file "localdomain.zone";
> > >>>     allow-update { none; };
> > >>> };
> > >>>
> > >>> zone "localhost" IN {
> > >>>     type master;
> > >>>     file "localhost.zone";
> > >>>     allow-update { none; };
> > >>> };
> > >>>
> > >>> zone "0.0.127.in-addr.arpa" IN {
> > >>>     type master;
> > >>>     file "named.local";
> > >>>     allow-update { none; };
> > >>> };
> > >>>
> > >>> zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
> > >>>     type master;
> > >>>     file "named.ip6.local";
> > >>>     allow-update { none; };
> > >>> };
> > >>>
> > >>> zone "255.in-addr.arpa" IN {
> > >>>     type master;
> > >>>     file "named.broadcast";
> > >>>     allow-update { none; };
> > >>> };
> > >>>
> > >>> zone "0.in-addr.arpa" IN {
> > >>>     type master;
> > >>>     file "named.zero";
> > >>>     allow-update { none; };
> > >>> };
> > >>>
> > >>> include "/etc/rndc.key";
> > >>> // caching ends here
> > >>>
> > >>> // name server starts here
> > >>> view "trusted" {
> > >>>     zone "booom.com.ph" IN {
> > >>>         type master;
> > >>>         file "masters/booom.com.ph";
> > >>>         allow-update { none; };
> > >>>     };
> > >>>     zone "60.177.203.in-addr.arpa" {
> > >>>         type master;
> > >>>         file "masters/booom.com.ph.rev";
> > >>>         allow-update { none; };
> > >>>     };
> > >>>     zone "jac.ph" IN {
> > >>>         type master;
> > >>>         file "masters/jac.ph";
> > >>>         allow-update { none; };
> > >>>     };
> > >>>     zone "booom.internal" {
> > >>>         type master;
> > >>>         file "masters/booom.internal";
> > >>>     };
> > >>>
> > >>>     zone "1.16.172.in-addr.arpa" {
> > >>>         type master;
> > >>>         file "masters/booom.internal.rev";
> > >>>         allow-update { none; };
> > >>>     };
> > >>>     recursion no;
> > >>> };
> > >>> -----------------------------------
> > >>> -----------------------------------
> > >>>
> > >>> On 1/2/07, Danny Mayer <mayer at gis.net> wrote:
> > >>>
> > >>>> seekuel wrote:
> > >>>>
> > >>>>> Sir,
> > >>>>>
> > >>>>> Is there any way to determine this issue? UDP port 53 is open but TCP is
> > >>>>> closed.
> > >>>>
> > >>>> Both need to be open. DNS responses for queries like Google are unlikely
> > >>>> to fit into a UDP packet unless it's responding with a larger UDP packet
> > >>>> size. That means that it does retries with TCP when it gets a truncated
> > >>>> flag.
> > >>>>
> > >>>>
> > >>>>
> > >>>>> On 12/30/06, Barry Margolin <barmar at alum.mit.edu> wrote:
> > >>>>>
> > >>>>>> In article <en3jqh$1vp9$1 at sf1.isc.org>, seekuel <seekuel at gmail.com>
> > >>>>>> wrote:
> > >>>>>>
> > >>>>>>
> > >>>>>>> Hello group,
> > >>>>>>> I am new to BIND and I've configured a centos 4.4 box with bind,
> > >>>>>>> bind-chroot, caching-nameserver installed. This box functions as an
> > >>>>>>> authoritative name server for our domain.
> > >>>>>>>
> > >>>>>>>
> > >>>> You don't need or want caching if it's just authoritative for the
> > >>>> domain.
> > >>
> > >>>>>>> I am confused. This server is an authoritative server for our domain
> > >>>>>>> and when our work station uses its public ip as the dns that
> > >>>>>>> workstation cannot resolve other domains. This is also true in the
> > >>>>>>> server itself. If I edit /etc/resolv.conf to 127.0.0.1 or its public
> > >>>>>>> ip the server cannot resolve other domains, say google.com. When I use
> > >>>>>>> our ISP's dns in /etc/resolv.conf then it can resolve other domains.
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
> > >>>> Then you need to check to see if it's actually receiving the queries.
> > >>>> Did you turn on query logging to see if it gets them? Does it work if
> > >>>> you query directly with dig?
> > >>>>
> > >>>>
> > >>>>>>> These are some of my questions. In an authoritative name server, why
> > >>>>>>> is it that even when a caching-nameserver is installed and I change
> > >>>>>>> /etc/resolv.conf to the server's ip, this server cannot resolve other
> > >>>>>>> domains but it can resolve our domain.
> > >>>>>>>
> > >>>> A nameserver that is only authoritative will only respond to queries for
> > >>>> domains that it owns. If you want it to act as a nameserver for lookups
> > >>>> for other domains it needs to be set up to allow recursion, but you also
> > >>>> want to restrict that to only your own systems.
> > >>>>
> > >>>>>>> Is there something wrong with the configurations? I'm willing to
> > >>>>>>> attach the configuration if needed.
> > >>>>>>>
> > >>>> You need to post your named.conf file. Please do not edit it as it
> > >>>> prevents people from seeing what's really the problem.
> > >>>>
> > >>>> Danny
> > >>>>
> > >>>>
> > >>> Respectfully yours,
> > >>> Sandeil
> > >>>
> > >> --
> > >> Barry Margolin, barmar at alum.mit.edu
> > >> Arlington, MA
> > >> *** PLEASE post questions in newsgroups, not directly to me ***
> > >> *** PLEASE don't copy me on replies, I'll read them in the group ***