help! Can't get two nameservers to run!
Mathias Körber
mathias at koerber.org
Thu Sep 7 02:13:05 UTC 2000
Not much help here but a few points:
What OS are you running? An ineffective kill -9 usually
means some driver problem in that OS.
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
> Behalf Of Tom Jennings
> Sent: Thursday, September 07, 2000 10:00 AM
> To: bind-users at isc.org
> Subject: help! Can't get two nameservers to run!
>
> OK I admit I'm getting a little panicky... I'm desperately trying
> to run two copies of named, to work around the known subdomain
> leakage problem in 8.2.2. v9 solves it, but is too buggy to put in
> production just yet.
>
> My nameserver box has two ethernet cards. I want to run:
>
> * An outside nameserver, primary for one zone, listens on ethernet1
> only, allows all queries and few axfrs. Recursion and glue is off.
> I want it to have no knowledge of anything but its one domain,
> DOMAIN.COM. This is our public nameserver.
>
> * An inside nameserver, primary for a bunch of sub-domains and
> secondary for a bunch of domains. It listens on ethernet0 and
> 127.0.0.1, allows query inside (10/8, etc), a few axfrs. Recursion
> is on, glue off.
>
> I start the nameservers inside, then outside, and get the errors
> below.
>
> * queries to ethernet1 are resolved by the inside nameserver, the
> outside nameserver seems inert. (eg. I kill -9 the outside server
> and it still answers queries?)
sounds like the other nameserver is answering those for you?
Have you tried turning on query logging (to two different directories)
and seeing which NS logs which queries?
>
> * The second copy of bind generates this error:
> named[4342]: ctl_server: bind: Address already in use
> but says its listening on the appropriate interface, but it acts
> like the "inside" server, loaded first, is bound to that address.
>
> I know also this means ndc's pipe to named is AFU (by the second
> invocation I suppose) but the O'Reilly book says nothing about
> setting up ndc, and I'm fine with manually signalling the thing.
>
> I don't see any reason to chroot each copy; is there one?
> [tomj at ns1 DNS]# ps -ax | egrep named
> 4300 ? S 0:00 /usr/sbin/named /etc/named.conf.inside
> 4343 ? S 0:00 /usr/sbin/named /etc/named.conf.outside
>
> LOG
>
> Starting "inside" server first:
>
> Sep 6 18:53:24 ns1 named[4299]: starting. named 8.2.2-P5 Mon F [deleted]
> ... loading zones...
> Sep 6 18:53:24 ns1 named[4299]: listening on [127.0.0.1].53 (lo)
> Sep 6 18:53:24 ns1 named[4299]: listening on [10.4.0.13].53 (eth0)
> Sep 6 18:53:24 ns1 named[4299]: Forwarding source address is [0.0.0.0].2239
> Sep 6 18:53:24 ns1 named[4300]: Ready to answer queries.
>
> Starting "outside" server:
> Sep 6 18:54:26 ns1 named[4342]: starting. named 8.2.2-P5 Mon Feb [deleted]
> ...loading zones...
> Sep 6 18:54:26 ns1 named[4342]: ctl_server: bind: Address already in use
> Sep 6 18:54:26 ns1 named[4342]: listening on [10.4.0.14].53 (eth1)
> Sep 6 18:54:26 ns1 named[4342]: Forwarding source address is [0.0.0.0].2240
> Sep 6 18:54:26 ns1 named[4343]: Ready to answer queries.
>
> CONFIGS: heavily clipped here; ACLs not shown (they work)
>
> inside:
>
> options {
> fetch-glue no; // be less wasteful,
> recursion yes; // be helpful,
>
> pid-file "/home/DOMAIN/DNS/run/named-inside.pid";
> listen-on { 127.0.0.1; 10.4.0.13; }; // eg. ns1.net.DOMAIN.com,
>
> directory "/home/DOMAIN/DNS";
> };
>
> zone "DOMAIN.com" {
> type master;
> file "DOMAIN.com";
> allow-query { any; };
> allow-transfer { list of inside hosts; };
> also-notify { list of inside hosts; };
> };
I'd also specifically set the query-source address on each to its
IP address, so that replies are bound to go to the correct server..
>
> Outside:
>
> options {
> fetch-glue no; // do no favors,
> recursion no; // and only this one zone,
> pid-file "/home/DOMAIN/DNS/run/named.pid.outside";
> listen-on { 10.4.0.14; }; // the second ethernet only!
> };
>
> zone "DOMAIN.com" {
> type master;
> allow-transfer { list of outside hosts; };
> also-notify { list of outside hosts; };
> file "DOMAIN.com";
> };
>
> ---
> INFORMATION GLADLY GIVEN BUT SAFETY REQUIRES AVOIDING UNNECESSARY CONVERSATION
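For reference, here is what the reply's suggestion looks like when written into the poster's two configs. This is an added example, not part of the original thread and not the poster's actual files: each instance gets its own query-source address so that answers to whatever it sends out come back to its own socket rather than the other instance's. The file and socket paths are assumptions. The controls statement is also an assumption: the thread does not say what caused the "ctl_server: bind: Address already in use" line, but BIND 8 creates a single ndc control socket at a fixed default path, and two copies of named contending for it would log exactly that, so each instance is given its own path here.

```conf
// ADDED EXAMPLE, not from the thread. Paths and the controls statement are
// assumptions; the addresses are the poster's (10.4.0.13 inside, 10.4.0.14
// outside). BIND 8.2 syntax.

// ---- inside instance: /etc/named.conf.inside ----
options {
    directory "/home/DOMAIN/DNS";
    pid-file  "/home/DOMAIN/DNS/run/named-inside.pid";

    // Answer only on loopback and the inside NIC.
    listen-on { 127.0.0.1; 10.4.0.13; };

    // Send this instance's own queries (recursion, zone transfers it
    // initiates) from the inside address, so replies land on this
    // instance's socket and not on the outside instance's.
    query-source address 10.4.0.13 port *;

    recursion yes;
    fetch-glue no;
};

// ASSUMPTION: a per-instance ndc control socket. If both copies of named
// try to create the same default control socket, the second one fails
// with "ctl_server: bind: Address already in use".
controls {
    unix "/home/DOMAIN/DNS/run/ndc.inside" perm 0600 owner 0 group 0;
};

// ---- outside instance: /etc/named.conf.outside ----
options {
    directory "/home/DOMAIN/DNS";
    pid-file  "/home/DOMAIN/DNS/run/named.pid.outside";

    // Outside NIC only; never loopback, never the inside address.
    listen-on { 10.4.0.14; };

    // Even with recursion off, pin the source address so nothing this
    // instance originates is answered to the inside instance's socket.
    query-source address 10.4.0.14 port *;

    recursion no;
    fetch-glue no;
};

controls {
    unix "/home/DOMAIN/DNS/run/ndc.outside" perm 0600 owner 0 group 0;
};
```

After starting both, verify the split rather than trusting the "listening on" log lines: list the UDP/TCP 53 sockets together with their owning pids (for example with netstat -anp or lsof -i :53) and confirm that 10.4.0.13 and 127.0.0.1 belong to the inside pid and 10.4.0.14 to the outside pid only. Then query each address separately and kill the outside pid; if 10.4.0.14 still answers, the query is being served by a socket the other instance owns, which is the symptom described above.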