dual internal/external chrooted bind w/third server and logging
Mark Andrews
Mark_Andrews at isc.org
Thu May 17 21:51:30 UTC 2007
>
> OK, bear with me - I may be asking for the impossible here.
>
> I've got BIND 9.4.0 (soon to be 9.4.1) running on a host here with both
> public and RFC1918 interfaces; there is a chrooted BIND setup that deals
> out DNS for both public zones (via the public IP) and private (via the
> private IP), following more or less the instructions Dave Lugo posted here:
>
> http://www.etherboy.com/dns/chrootdns.html
>
> I'm not using views, because the public side and private side should have
> their own unique configuration, listener, etc. already.
>
> I have another zone (subdomain of a public zone) I'd like to use as a
> logging channel for a service I'm playing with; without going into much
> detail, suffice it to say that I want to do DNS "callbacks" from a mail
> server/spam filtering/scoring system I've set up, such that I can log
> the remote (sending) IP, whether the message in question was accepted or
> rejected, and what spam score and threshold the message received, as a
> way to generate data for a DNSBL.
>
> To this end, I've set up - in addition to the BIND process(es) that
> serve the public and private zones - a third server process, running on
> 127.0.0.2, with verbose logging turned on. The public server is
> configured to forward inbound requests for the subdomains in question to
> the private server, a la
>
> zone "testlog.enemieslist.com" in {
>     type forward;
>     forward only;
>     forwarders { 127.0.0.2 port 54; };
> };
>
> (yeah, it's running on port 54 in order to debug whether the requests
> were being handled by the right server - I'll probably change it back
> to 53, as it made no practical difference).
>
> The NS for testlog.enemieslist.com is ns3.enemieslist.com, which has
> the IP of the public interface, which is master for enemieslist.com
> and configured to forward requests for the testlog subdomain to the
> "local" logging server.
>
> So, for instance, I'd like my MTA to be able to let me know it had
> rejected a message from 192.168.255.0, with a score of 5 and a spam
> threshold of 4 for the recipient, by way of a DNS lookup of e.g.
>
> 192.168.255.0.4.5.testlog.enemieslist.com
>
> The zone for testlog is wildcarded to always return 127.0.0.1 for any
> query:
>
> *.testlog.enemieslist.com. IN A 127.0.0.1
>
> So, I should get a result of 127.0.0.1 from this query.
>
> Unfortunately, what I get is:
>
> schampeo at habanero:1003 $ dig +trace 192.168.255.0.4.5.testlog.enemieslist.com @ns3.enemieslist.com
>
> ; <<>> DiG 9.2.3 <<>> +trace 192.168.255.0.4.5.testlog.enemieslist.com @ns3.enemieslist.com
> ;; global options: printcmd
> . 363999 IN NS L.ROOT-SERVERS.NET.
> . 363999 IN NS K.ROOT-SERVERS.NET.
> . 363999 IN NS M.ROOT-SERVERS.NET.
> . 363999 IN NS I.ROOT-SERVERS.NET.
> . 363999 IN NS G.ROOT-SERVERS.NET.
> . 363999 IN NS C.ROOT-SERVERS.NET.
> . 363999 IN NS E.ROOT-SERVERS.NET.
> . 363999 IN NS H.ROOT-SERVERS.NET.
> . 363999 IN NS B.ROOT-SERVERS.NET.
> . 363999 IN NS J.ROOT-SERVERS.NET.
> . 363999 IN NS D.ROOT-SERVERS.NET.
> . 363999 IN NS A.ROOT-SERVERS.NET.
> . 363999 IN NS F.ROOT-SERVERS.NET.
> ;; Received 436 bytes from 216.187.232.190#53(ns3.enemieslist.com) in 70 ms
>
> com. 172800 IN NS a.gtld-servers.net.
> com. 172800 IN NS b.gtld-servers.net.
> com. 172800 IN NS c.gtld-servers.net.
> com. 172800 IN NS d.gtld-servers.net.
> com. 172800 IN NS e.gtld-servers.net.
> com. 172800 IN NS f.gtld-servers.net.
> com. 172800 IN NS g.gtld-servers.net.
> com. 172800 IN NS h.gtld-servers.net.
> com. 172800 IN NS i.gtld-servers.net.
> com. 172800 IN NS j.gtld-servers.net.
> com. 172800 IN NS k.gtld-servers.net.
> com. 172800 IN NS l.gtld-servers.net.
> com. 172800 IN NS m.gtld-servers.net.
> ;; Received 491 bytes from 198.32.64.12#53(L.ROOT-SERVERS.NET) in 66 ms
>
> enemieslist.com. 172800 IN NS dns01.hesketh.net.
> enemieslist.com. 172800 IN NS dns02.hesketh.net.
> ;; Received 142 bytes from 192.5.6.30#53(a.gtld-servers.net) in 37 ms
>
> testlog.enemieslist.com. 1800 IN NS ns3.enemieslist.com.
> ;; Received 93 bytes from 216.187.232.190#53(dns01.hesketh.net) in 44 ms
>
> <snip 30 more of these>
>
> testlog.enemieslist.com. 1800 IN NS ns3.enemieslist.com.
> dig: Too many lookups
>
> I suspect it may be an authority problem, but I can't seem to wrap my
> head around where and how to fix it. How should I configure the SOA and
> any NS records inside the "local" testlog zone? I want it to be able to
> answer authoritatively for anything in testlog.enemieslist.com, though
> to be fair as long as it's logging the queries it doesn't matter that
> much to me; there's no action taken on the querying side in any case.
>
> Any pointers? Why is the NS for testlog.enemieslist.com not answering
> queries and logging them, like I believe it should be?
>
> TIA,
> Steve
>
> --
> hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2553 w: http://hesketh.com/
> antispam news, solutions for sendmail, exim, postfix: http://enemieslist.com/
Your configuration won't work because a "forward" zone affects where
*recursive* queries are directed. Remote servers make non-recursive
queries (as does dig +trace).
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
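An added example, not part of this thread: a small parser over constructed BIND 9 style query-log lines that pulls the data Steve wants to log out of the callback names (sender IP, threshold, score) and records whether each query had the RD bit set, since, as Mark notes, only recursive queries are affected by a forward zone. The log format (a trailing "+" for recursion desired, "-" otherwise) and all sample lines are assumptions constructed here.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in BIND 9 query-log style. The last field is the
# RD indicator: "+" means the client asked for recursion, "-" means it did not
# (what a remote authoritative lookup or `dig +trace` would produce).
SAMPLE_LOG = """\
17-May-2007 14:02:11.123 client 203.0.113.9#53012: query: 192.168.255.0.4.5.testlog.enemieslist.com IN A -
17-May-2007 14:02:12.456 client 127.0.0.1#40101: query: 198.51.100.7.4.2.testlog.enemieslist.com IN A +
17-May-2007 14:02:13.789 client 203.0.113.9#53013: query: www.enemieslist.com IN A -
17-May-2007 14:02:14.000 client 127.0.0.1#40102: query: bogus.testlog.enemieslist.com IN A +
"""

ZONE = "testlog.enemieslist.com"
LINE_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

@dataclass
class Callback:
    source: str            # address that sent the DNS query
    sender_ip: str         # SMTP sender encoded in the name
    threshold: int
    score: int
    recursion_desired: bool  # True if the query would be eligible for forwarding

def parse_callback(line: str) -> Optional[Callback]:
    """Decode one query-log line of the form <ip>.<threshold>.<score>.ZONE."""
    m = LINE_RE.search(line)
    if not m:
        return None
    qname = m.group("qname").rstrip(".").lower()
    suffix = "." + ZONE
    if not qname.endswith(suffix):
        return None
    labels = qname[: -len(suffix)].split(".")
    if len(labels) != 6:          # four IPv4 octets + threshold + score
        return None
    ip_part = ".".join(labels[:4])
    try:
        ipaddress.IPv4Address(ip_part)           # reject malformed octets
        threshold, score = int(labels[4]), int(labels[5])
    except ValueError:
        return None
    return Callback(m.group("src"), ip_part, threshold, score,
                    m.group("flags").startswith("+"))

def parse_log(text: str) -> List[Callback]:
    """Return every well-formed callback found in the log text, in order."""
    return [cb for cb in (parse_callback(l) for l in text.splitlines()) if cb]
```

Lines whose names do not fit the ip.threshold.score shape are dropped rather than logged, so junk queries to the wildcard zone do not pollute the DNSBL data.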