help! Can't get two nameservers to run!

Tom Jennings tomj at wps.com
Thu Sep 7 17:45:48 UTC 2000


Thanks! Umm, I found the problem, it wasn't named at all, but
operator-error... My delegated nameserver is behind a PIX firewall,
and when I changed the static translation to point to the new
'outside' interface (in RFC1918 land) I forgot to 'clear xlate',
and even though I could ping it, the external address was pointing
to the inside, resolving server's interface! Duh!

The cure: a night's sleep and a fresh look. Forest, trees, etc.

Thanks to all for the tips, they are in fact helpful.



> From: Mathias Körber <mathias at koerber.org>
> Not much help here but a few points:
> What OS are you running? An ineffective kill -9 usually
> means some driver problem in that OS.

Sorry, I was unclear. kill -9 works, and kills the delegated server
listening on the outside interface. However, queries are still
answered, evidently by the other copy of bind running, the resolving
server tied to localhost.




On Wed, 6 Sep 2000, Kevin Darcy wrote:
> The "ctl_server" error message is specific to the "ndc" control channel. If you
> want to get rid of it, you should configure separate channels for each instance
> via the "controls" statement.
>
> But, other than "ndc" functionality, it shouldn't prevent the nameserver
> instances from working. Aren't they?

I was hoping it was only the ndc control channel... I can fix that
at my leisure!

tomj



>
>
> - Kevin
>
> Tom Jennings wrote:
>
> > OK I admit I'm getting a little panicky... I'm desperately trying
> > to run two copies of named, to work around the known subdomain
> > leakage problem in 8.2.2. v9 solves it, but is too buggy to put in
> > production just yet.
> >
> > My nameserver box has two ethernet cards. I want to run:
> >
> > * An outside nameserver, primary for one zone, listens on ethernet1
> > only, allows all queries and few axfrs. Recursion and glue is off.
> > I want it to have no knowledge of anything but its one domain,
> > DOMAIN.COM. This is our public nameserver.
> >
> > * An inside nameserver, primary for a bunch of sub-domains and
> > secondary for a bunch of domains. It listens on ethernet0 and
> > 127.0.0.1, allows query inside (10/8, etc), a few axfrs. Recursion
> > is on, glue off.
> >
> > I start the nameservers inside, then outside, and get the errors
> > below.
> >
> > ? queries to ethernet1 are resolved by the inside nameserver, the
> > outside nameserver seems inert. (eg. I kill -9 the outside server
> > and it still answers queries?)
> >
> > ? The second copy of bind generates this error:
> > named[4342]: ctl_server: bind: Address already in use
> > but says its listening on the appropriate interface, but it acts
> > like the "inside" server, loaded first, is bound to that address.
> >
> > I know also this means ndc's pipe to named is AFU (by the second
> > invocation I suppose) but the O'Reilly book says nothing about
> > setting up ndc, and I'm fine with manually signalling the thing.
> >
> > I don't see any reason to chroot each copy; is there one?
> >
> > [tomj at ns1 DNS]# ps -ax | egrep named
> >  4300 ?        S      0:00 /usr/sbin/named /etc/named.conf.inside
> >  4343 ?        S      0:00 /usr/sbin/named /etc/named.conf.outside
> >
> > LOG
> >
> > Starting "inside" server first:
> >
> > Sep  6 18:53:24 ns1 named[4299]: starting.  named 8.2.2-P5 Mon F [deleted]
> > ... loading zones...
> > Sep  6 18:53:24 ns1 named[4299]: listening on [127.0.0.1].53 (lo)
> > Sep  6 18:53:24 ns1 named[4299]: listening on [10.4.0.13].53 (eth0)
> > Sep  6 18:53:24 ns1 named[4299]: Forwarding source address is [0.0.0.0].2239
> > Sep  6 18:53:24 ns1 named[4300]: Ready to answer queries.
> >
> > Starting "outside" server:
> > Sep  6 18:54:26 ns1 named[4342]: starting.  named 8.2.2-P5 Mon Feb [deleted]
> > ...loading zones...
> > Sep  6 18:54:26 ns1 named[4342]: ctl_server: bind: Address already in use
> > Sep  6 18:54:26 ns1 named[4342]: listening on [10.4.0.14].53 (eth1)
> > Sep  6 18:54:26 ns1 named[4342]: Forwarding source address is [0.0.0.0].2240
> > Sep  6 18:54:26 ns1 named[4343]: Ready to answer queries.
> >
> > CONFIGS: heavily clipped here; ACLs not shown (they work)
> >
> > inside:
> >
> > options {
> >         fetch-glue no;                          // be less wasteful,
> >         recursion yes;                          // be helpful,
> >
> >         pid-file  "/home/DOMAIN/DNS/run/named-inside.pid";
> >         listen-on { 127.0.0.1; 10.4.0.13; };    // eg. ns1.net.DOMAIN.com,
> >
> >         directory "/home/DOMAIN/DNS";
> > };
> >
> > zone "DOMAIN.com" {
> >         type master;
> >         file "DOMAIN.com";
> >         allow-query { any; };
> >         allow-transfer { list of inside hosts; };
> >         also-notify { list of inside hosts; };
> > };
> >
> > Outside:
> >
> > options {
> >         fetch-glue no;                          // do no favors,
> >         recursion no;                           // and only this one zone,
> >         pid-file  "/home/DOMAIN/DNS/run/named.pid.outside";
> >         listen-on { 10.4.0.14; };               // the second ethernet only!
> > };
> >
> > zone "DOMAIN.com" {
> >         type master;
> >         allow-transfer { list of outside hosts; };
> >         also-notify { list of outside hosts; };
> >         file "DOMAIN.com";
> > };
> >
> > ---
> > INFORMATION GLADLY GIVEN BUT SAFETY REQUIRES AVOIDING UNNECESSARY CONVERSATION
>
>
>
>
>

---
INFORMATION GLADLY GIVEN BUT SAFETY REQUIRES AVOIDING UNNECESSARY CONVERSATION
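The thread's key symptom (kill the "outside" named and queries on eth1 are still answered) is best settled by looking at who owns the listening socket, not by sending more queries. The script below is an added example, not code from the thread or from BIND: it assumes Linux `netstat -lnp` output on stdin, treats a wildcard bind (0.0.0.0:53 or :::53) as covering every address, and reports the PID behind each listen-on address. The two embedded samples are constructed; their PIDs (4300, 4343) and addresses mirror the ps and log output posted above, and the second sample shows the failure mode where the first instance grabbed the wildcard and the second never bound at all.

```shell
#!/bin/sh
# Added example; not code from the thread or from BIND. Reads Linux
# `netstat -lnp` text on stdin and reports which PID owns the DNS listener
# on each address. A wildcard bind (0.0.0.0:PORT or :::PORT) counts as
# owning every address, since that is what lets the "wrong" named answer
# on an interface it was never meant to serve.
#
# Real use:  netstat -lnp 2>/dev/null | sh listener_owner.sh 10.4.0.13:53 10.4.0.14:53

# owner_of ADDR PORT : print the PID(s) (space separated, de-duplicated)
# whose UDP or TCP socket covers ADDR:PORT in the netstat text on stdin.
owner_of() {
    awk -v addr="$1" -v port="$2" '
        ($4 == (addr ":" port) || $4 == ("0.0.0.0:" port) || $4 == (":::" port)) &&
        $NF ~ "^[0-9]+/" { split($NF, p, "/"); print p[1] }
    ' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# check_owner ADDR PORT PID : succeed only if PID, and nothing else, covers ADDR:PORT.
check_owner() {
    [ "$(owner_of "$1" "$2")" = "$3" ]
}

# report ADDR:PORT ... : one line per listener, reading netstat text on stdin.
report() {
    input=$(cat)
    for spec in "$@"; do
        addr=${spec%:*}
        port=${spec##*:}
        pids=$(printf '%s\n' "$input" | owner_of "$addr" "$port")
        case "$pids" in
            '')    echo "$spec  NOT BOUND on this host (look upstream: NAT/xlate, not named)" ;;
            *' '*) echo "$spec  covered by several PIDs: $pids" ;;
            *)     echo "$spec  pid $pids" ;;
        esac
    done
}

# Constructed sample matching the thread's log: 4300 = inside instance on
# lo/eth0, 4343 = outside instance on eth1. Not real netstat output.
SAMPLE_OK='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      4300/named
tcp        0      0 10.4.0.13:53            0.0.0.0:*               LISTEN      4300/named
tcp        0      0 10.4.0.14:53            0.0.0.0:*               LISTEN      4343/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           4300/named
udp        0      0 10.4.0.13:53            0.0.0.0:*                           4300/named
udp        0      0 10.4.0.14:53            0.0.0.0:*                           4343/named'

# Constructed sample of the failure mode: the first instance took the
# wildcard, so it answers on eth1 too and the second instance never bound.
SAMPLE_WILDCARD='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      4300/named
udp        0      0 0.0.0.0:53              0.0.0.0:*                           4300/named'

if [ "$#" -gt 0 ]; then
    report "$@"          # real netstat output on stdin
else
    echo "== expected layout =="
    printf '%s\n' "$SAMPLE_OK" | report 127.0.0.1:53 10.4.0.13:53 10.4.0.14:53
    echo "== wildcard bind =="
    printf '%s\n' "$SAMPLE_WILDCARD" | report 10.4.0.13:53 10.4.0.14:53
fi
```

With no arguments the script runs against the two constructed samples; with address:port arguments it reads real `netstat -lnp` output from stdin. An address reported as NOT BOUND while queries to it are still answered points outside the box (in the thread's case, a stale PIX translation), whereas an address reported as owned by the wrong PID points at a wildcard or overlapping listen-on.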




