Problems with a BIND server
Robert Moskowitz
rgm at htt-consult.com
Wed Oct 14 21:24:37 UTC 2009
Barry Margolin wrote:
> In article <mailman.696.1255498841.14796.bind-users at lists.isc.org>,
> Robert Moskowitz <rgm at htt-consult.com> wrote:
>
>
>> Barry Margolin wrote:
>>
>>> In article <mailman.693.1255466849.14796.bind-users at lists.isc.org>,
>>> Robert Moskowitz <rgm at htt-consult.com> wrote:
>>>
>>>
>>>
>>>> I have been running BIND here on my net for quite a few years and
>>>> run 2 views on my main server, for internal and external users. I also
>>>> have a separate BIND server on a test bed that uses a test TLD of htt.
>>>> It has worked well for the past year.
>>>>
>>>> Now I have installed an Amahi server (amahi.org) and it is running its
>>>> own BIND server with dynamic updates, as it is supporting NetBios
>>>> clients. My Amahi server is set up for home.htt and works for systems
>>>> on its subnet (it also runs DHCPD). I want access to the various Amahi
>>>> apps to other systems here so I first:
>>>>
>>>> Set up my main server to be a slave for my test htt domain in its
>>>> internal view.
>>>>
>>>> That is working well and I can get all the DNS information supported
>>>> there (both hosts in htt and its sub-zone of mobile.htt). Fine so far.
>>>>
>>>> Then I added a couple records to the zone file in htt to delegate home.htt:
>>>>
>>>> home.htt. IN NS amahi.home.htt.
>>>> amahi.home.htt. IN A 192.168.1.2
>>>>
>>>> And nothing.
>>>>
>>>> I am NOT getting any information on the home.htt. sub-zone. If I run
>>>> 'nslookup - 192.168.1.2' I get all the information in the DNS, but
>>>> neither of my internal BIND servers is getting information. Almost as
>>>> if the Amahi server is not honoring requests from other BIND servers or
>>>> perhaps not on its net.
>>>>
>>>>
>>> Are you sure they're sending the queries to it? Have you done a packet
>>> capture to see what's being sent?
>>>
>>>
>> Well I did some more testing. Here are some results when host is run on
>> my main DNS server which is a slave server for htt.
>>
>
> Can you post the named.conf file for the server you're querying, not the
> server that hosts the subdomain?
In pieces. First named.conf:
cat named.conf
//
include "/etc/named.acl";
options
{
    /* make named use port 53 for the source of all queries, to allow
     * firewalls to block all ports except 53:
     */
    // (note: pinning the source port also disables BIND's query source-port
    // randomization, one of its defences against cache poisoning)
    query-source port 53;
    query-source-v6 port 53;
    listen-on-v6 { any; };
    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
};
logging
{
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
//
view "internal"
{
    match-clients { httnets; };
    match-destinations { httnets; };
    recursion yes;
    //notify no; # disable AA notifies?
    // all views must contain the root hints zone:
    include "/etc/named.root.hints";
    include "/etc/named.rfc1912.zones";
    // you should not serve your rfc1912 names to non-localhost clients.
    // These are your "authoritative" internal zones, and would probably
    // also be included in the "localhost_resolver" view above :
    include "/etc/named.internal";
};
/*key ddns_key
 *{
 * algorithm hmac-md5;
 * secret "use /usr/sbin/dns-keygen to generate TSIG keys";
 *};
 */
view "external"
{
    match-clients { any; };
    match-destinations { any; };
    recursion no;
    // you'd probably want to deny recursion to external clients, so you don't
    // end up providing free DNS service to all takers
    // all views must contain the root hints zone:
    include "/etc/named.root.hints";
    // These are your "authoritative" external zones, and would probably
    // contain entries for just your web and mail servers:
    include "/etc/named.external";
};
include "/etc/rndc.key";
Now comes named.internal (I am ASSUMING that you don't need named.acl or
named.external):
# cat named.internal
zone "htt-consult.com" {
    type master;
    file "httin-consult.com.zone";
};
zone "128-26.67.83.208.in-addr.arpa" {
    type master;
    file "128-26.67.83.208.in-addr.arpa.zone";
};
zone "3.0.0.0.8.b.4.f.7.0.6.2.ip6.arpa" {
    type master;
    file "3.0.0.0.8.b.4.f.7.0.6.2.ip6.arpa.zone";
};
zone "labs.htt-consult.com" {
    type master;
    file "labs.htt-consult.com.hosts";
};
zone "mobile.htt-consult.com" {
    type master;
    file "mobile.htt-consult.com.hosts";
};
zone "test.htt-consult.com" {
    type master;
    file "test.htt-consult.com.hosts";
};
zone "128.168.192.in-addr.arpa" {
    type master;
    file "128.168.192.in-addr.arpa.zone";
};
zone "0-24.128.168.192.in-addr.arpa" {
    type master;
    file "0-24.128.168.192.in-addr.arpa.zone";
};
zone "communaljob.com" {
    type master;
    file "communaljob.com.hosts";
};
zone "htt" {
    type slave;
    file "slaves/bak.htt";
    masters { 192.168.128.35; 2607:f4b8:3:11:20c:96ff:fe40:cb63; };
};
> BTW, why are you using query source-port 53?
>
I don't know. It has been in there since forever. Carryover from BIND8?
>
>> # host wiki.home.htt
>> wiki.home.htt has address 192.168.1.2
>> Host wiki.home.htt not found: 2(SERVFAIL)
>> Host wiki.home.htt not found: 2(SERVFAIL)
>>
>> # host search.home.htt
>> Host search.home.htt not found: 2(SERVFAIL)
>>
>> The latter should also have responded with the same IP address. And why
>> the two servfails? Here are records from a TCPDUMP of the first host
>> command:
>>
>> # grep 1.2 trace.1
>> 23:18:24.142341 IP 208.83.67.148.domain > 192.168.1.2.domain: 9401 [1au] A? wiki.home.htt. (42)
>> 23:18:24.144246 IP 192.168.1.2.domain > 208.83.67.148.domain: 9401*- 1/1/1 A 192.168.128.2 (72)
>> 23:18:24.149357 IP 208.83.67.148.domain > 192.168.1.2.domain: 11640% [1au] A? home.htt. (37)
>> 23:18:24.149786 IP 208.83.67.148.domain > 192.168.1.2.domain: 46350% [1au] AAAA? home.htt. (37)
>> 23:18:24.150804 IP 192.168.1.2.domain > 208.83.67.148.domain: 11640*- 0/1/1 (78)
>> 23:18:26.152190 IP 208.83.67.148.domain > 192.168.1.2.domain: 11257% [1au] AAAA? home.htt. (37)
>> 23:18:26.152635 IP 208.83.67.148.domain > 192.168.1.2.domain: 22505% [1au] AAAA? hda.home.htt. (41)
>> 23:18:26.153864 IP 192.168.1.2.domain > 208.83.67.148.domain: 11257*- 0/1/1 (78)
>> 23:18:28.154700 IP 208.83.67.148.domain > 192.168.1.2.domain: 49416% [1au] AAAA? hda.home.htt. (41)
>> 23:18:28.156390 IP 192.168.1.2.domain > 208.83.67.148.domain: 49416*- 0/1/1 (82)
>>
>> And for the second command there were NO records to 192.168.1.2
>>
>> And on my notebook that uses 208.83.67.148 as its only nameserver, 'host
>> search.home.htt' has the following dump:
>>
>> # tcpdump -n -i eth1 port 53
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
>> 01:28:34.615393 IP 208.83.67.158.35220 > 208.83.67.148.domain: 4544+ A? search.home.htt. (33)
>> 01:28:34.618864 IP 208.83.67.148.domain > 208.83.67.158.35220: 4544 ServFail 0/0/0 (33)
>>
>> So I am quite perplexed.
>>
>>
>>>
>>>
>>>> Here are the named.conf and zone files:
>>>>
>>>> # automatically generated file by hdactl
>>>> options {
>>>>     listen-on-v6 port 53 { ::1; };
>>>>     directory "/var/named";
>>>>     dump-file "/var/named/data/cache_dump.db";
>>>>     statistics-file "/var/named/data/named_stats.txt";
>>>>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>>     forward only;
>>>>     forwarders { 208.67.222.222; 208.67.220.220; };
>>>>     listen-on port 53 { 192.168.1.2; 127.0.0.1; };
>>>> };
>>>> logging {
>>>>     channel default_debug {
>>>>         file "data/named.run";
>>>>         severity dynamic;
>>>>     };
>>>> };
>>>> key "ddnskey" {
>>>>     algorithm hmac-md5;
>>>>     secret "----------------------";
>>>> };
>>>>
>>>> zone "home.htt" IN {
>>>>     type master;
>>>>     notify no;
>>>>     file "dynamic/hda-n2a.conf";
>>>>     allow-update { key ddnskey; };
>>>>     check-names ignore;
>>>> };
>>>>
>>>> zone "1.168.192.in-addr.arpa" IN {
>>>>     type master;
>>>>     notify no;
>>>>     file "dynamic/hda-a2n.conf";
>>>>     allow-update { key ddnskey; };
>>>>     check-names ignore;
>>>> };
>>>>
>>>>
>>>> and dynamic/hda-n2a.conf:
>>>>
>>>> $TTL 86400
>>>> @ IN SOA home.htt. root.home.htt. (
>>>>         0909130103 ; Serial
>>>>         28800      ; Refresh
>>>>         14400      ; Retry
>>>>         3600000    ; Expire
>>>>         86400 )    ; Minimum
>>>>   IN NS home.htt.
>>>>   IN MX 10 home.htt.
>>>> * IN MX 10 home.htt.
>>>>
>>>> h001     A 192.168.1.1
>>>> .
>>>> .
>>>> .
>>>> hda      A 192.168.1.2
>>>> search   A 192.168.1.2
>>>> setup    A 192.168.1.2
>>>> calendar A 192.168.1.2
>>>> help     A 192.168.1.2
>>>> wiki     A 192.168.1.2
>>>>
>>>>
>>>> So any tips on what to look for to get this working?
>>>>
>>>> I shot the day digging, and I can do things with BIND, but I am not all
>>>> that skilled...
>>>>
>>>>
>>>
>
>
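A delegation-consistency check, added here as an example and not code from the thread, from BIND or from Amahi: it parses the two delegation records added to the parent htt zone and the child home.htt zone file posted above (both embedded as constructed strings, with the elided "." lines of dynamic/hda-n2a.conf dropped), then reports NS names that differ between parent and child and in-zone NS names that have no A/AAAA record in the child zone. The parser handles only the simple master-file syntax seen in those files.

```python
# Constructed from the records posted in the thread (elided "." lines dropped).
PARENT = """\
home.htt. IN NS amahi.home.htt.
amahi.home.htt. IN A 192.168.1.2
"""
CHILD = """\
$TTL 86400
@ IN SOA home.htt. root.home.htt. (
0909130103 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS home.htt.
* IN MX 10 home.htt.
hda A 192.168.1.2
"""
RRTYPES = {"SOA", "NS", "MX", "A", "AAAA", "CNAME", "TXT", "PTR"}
def fqdn(name, origin):
    # Qualify a relative owner or target name against the zone origin.
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"
def parse_zone(text, origin):
    """Parse the simple master-file syntax shown above into (owner, type, rdata)."""
    records, owner, buf = [], origin, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if not line or line.startswith("$"):  # skip blanks and $TTL/$ORIGIN
            continue
        buf += line.replace("(", " ( ").replace(")", " ) ").split()
        if buf.count("(") > buf.count(")"):
            continue  # multi-line record (the SOA) is still open
        toks, buf = [t for t in buf if t not in ("(", ")")], []
        if toks[0] not in RRTYPES | {"IN"}:
            owner = fqdn(toks.pop(0), origin)  # explicit owner, else inherit last
        toks = toks[1:] if toks[0] == "IN" else toks  # optional class field
        records.append((owner, toks[0], toks[1:]))
    return records
def check_delegation(parent_text, parent_origin, child_text, zone):
    """Compare parent and child NS sets; in-zone NS names need child A/AAAA."""
    parent, child = parse_zone(parent_text, parent_origin), parse_zone(child_text, zone)
    parent_ns = {fqdn(r[0], parent_origin) for o, t, r in parent if t == "NS" and o == zone}
    child_ns = {fqdn(r[0], zone) for o, t, r in child if t == "NS" and o == zone}
    child_addrs = {o for o, t, _ in child if t in ("A", "AAAA")}
    problems = [f"NS {ns} appears only in the {'parent' if ns in parent_ns else 'child'} zone"
                for ns in sorted(parent_ns ^ child_ns)]
    problems += [f"in-zone NS {ns} has no A/AAAA record in the child zone"
                 for ns in sorted(parent_ns | child_ns)
                 if (ns == zone or ns.endswith("." + zone)) and ns not in child_addrs]
    return problems
```

On these inputs `check_delegation(PARENT, "htt.", CHILD, "home.htt.")` lists four problems; the tcpdump quoted above shows the resolver asking 192.168.1.2 for A and AAAA of home.htt and getting 0/1/1 (empty) answers, which is the condition the last check flags.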