Bind 9.1 Question

Willis L. Sarka wlsarka at the-republic.org
Tue Jan 30 16:13:52 UTC 2001


For what it's worth, I'm running Bind 9.1 on a RedHat 6.2 box, 2.4.0
kernel installed.  I have stopped named via rndc control (rndc stop), and
then started it with the following arguments:

/usr/local/sbin/named -u named -t /var/named

I'm running this chroot, obviously, and under user "named".  I don't
_know_ if that makes a difference, but it might.  From what I gather from
the documentation, Bind 9.x had problems running chroot under some 2.4
test kernels, but should be fine after 2.4.0-test9 or so (I'm using
2.4.0).  I also did the standard "./configure, make, make install" with
the bind 9.1 source, no special flags at all.

So, you see nothing wrong, per se, with my named.conf file then?  Perhaps
the information I've offered here will be of more assistance.

Thanks,
Will Sarka

On Tue, 30 Jan 2001 Mark.Andrews at nominum.com wrote:

>
> 	This is not reproducible.  i.e. I cut and pasted the acl
> 	and added the allow-* clauses to a working config and
> 	could query via 127.0.0.1.
>
> 	Are you 100% sure you have restarted named with this exact
> 	configuration?
>
> 	If it still exists after restarting named log a bug report
> 	with bind9-bugs at isc.org.
>
> 	Mark
>
> >
> > With dig, it gives the same type of responses.  Although 9.1 might not
> > support it, I was under the impression that nslookup use is deprecated,
> > not completely removed altogether.  I'm not too terribly familiar with dig,
> > but just typing "dig" at the prompt produces this:
> >
> >
> > [root at news doc]# dig
> >
> > ; <<>> DiG 9.1.0 <<>>
> > ;; global options:  printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 28309
> > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;.				IN	NS
> >
> > ;; Query time: 10 msec
> > ;; SERVER: 127.0.0.1#53(127.0.0.1)
> > ;; WHEN: Tue Jan 30 00:11:57 2001
> > ;; MSG SIZE  rcvd: 17
> >
> >
> > Notice the "REFUSED" part still?  This is what I'm having trouble with...
> > Again, it's probably really braindead what I'm missing, but I'm not seeing
> > it.
> >
> > If anyone has a look at the named.conf snippet I sent earlier, please tell
> > me what option I'm missing or need to axe.
> >
> > W
> >
> > On Mon, 29 Jan 2001, Nguyen, Andy wrote:
> >
> > > nslookup is not supported in Bind 9.1.  Use dig instead.
> > >
> > > -----Original Message-----
> > > From: Willis L. Sarka [mailto:wlsarka at the-republic.org]
> > > Sent: Monday, January 29, 2001 5:50 PM
> > > To: bind-users at isc.org
> > > Subject: Bind 9.1 Question
> > >
> > >
> > >
> > > Greetings,
> > >
> > > I have Bind 9.1 up and running successfully, but I have one small problem.
> > > I can perform an nslookup query remotely (i.e. not on the same machine
> > > that Bind is running on), and it works just fine.  However on the same
> > > machine that is running Bind 9.1, when I do an nslookup, I get a "refused"
> > > message.  I'm sure this is probably something _really_ that I'm missing,
> > > but I've been stuck for a few hours, so here I am.
> > >
> > > Sample nslookup on machine running bind 9.1:
> > >
> > > [root at news /root]# nslookup
> > > Note:  nslookup is deprecated and may be removed from future releases.
> > > Consider using the `dig' or `host' programs instead.  Run nslookup with
> > > the `-sil[ent]' option to prevent this message from appearing.
> > > > news.bldr.rtone.com
> > > Server:		127.0.0.1
> > > Address:	127.0.0.1#53
> > >
> > > ** server can't find news.bldr.rtone.com.: REFUSED
> > > >
> > >
> > >
> > > Messages from the log files:
> > >
> > > Jan 29 22:45:13.983 security: client 127.0.0.1#2030: query denied
> > >
> > > Here is my named.conf:
> > >
> > > acl "internals" { 127.0.0.1; 172.16.0.0/20; 172.16.16.0/24; 172.16.5.0/24;
> > > 192.168.253.0/24;  };
> > >
> > > controls {
> > >         inet 127.0.0.1 allow { localhost; } keys { namedkey; };
> > > };
> > >
> > > key namedkey {
> > >         algorithm "hmac-md5";
> > >         secret "tP6O603HGrPW6bV59JV4vw==";
> > > };
> > >
> > > options {
> > >         auth-nxdomain no;
> > >         directory "/";
> > >         pid-file "named.pid";
> > >         allow-query { "internals"; };
> > >         allow-recursion { "internals"; };
> > >         allow-transfer { "internals"; };
> > > };
> > >
> > > logging {
> > >         channel namedlog {
> > >                 file "var/log/named.log" versions 5 size 2m;
> > >                 print-time yes;
> > >                 print-category yes;
> > >                 };
> > >         category xfer-out { namedlog; };
> > >         category panic { namedlog; };
> > >         category security { namedlog; };
> > >         category insist { namedlog; };
> > >         category response-checks { namedlog; };
> > > };
> > >
> > > //
> > > // a caching only nameserver config
> > > //
> > > zone "." {
> > >         type hint;
> > >         file "named.ca";
> > > };
> > >
> > > zone "0.0.127.in-addr.arpa" {
> > >         type master;
> > >         file "named.local";
> > > };
> > >
> > > zone "rtone.com" {
> > >         type master;
> > >         file "db.rtone.com";
> > > };
> > >
> > > zone "bldr.rtone.com" {
> > >         type master;
> > >         file "db.bldr.rtone.com";
> > > };
> > >
> > > zone "dnvr.rtone.com" {
> > >         type master;
> > >         file "db.dnvr.rtone.com";
> > > };
> > >
> > > zone "smartpoint.com" {
> > >         type master;
> > >         file "db.smartpoint.com";
> > > };
> > >
> > > .... more reverse zones, etc...
> > >
> > >
> > >
> > > I know the logging section needs work.
> > >
> > >
> > > Rndc is working just fine on the nameserver box, if that matters, and
> > > named starts and runs fine.
> > >
> > >
> > > Again, any help is appreciated.  This is the last step before I convert
> > > from Bind 8.2.2_P7 to Bind 9.1.  I'd like to never again worry about a
> > > Bind 8.x buffer overflow, or root exploit.
> > >
> > > Thanks,
> > > Will Sarka
> > >
> > >
> > >
> > >
> >
> > --
> > ---------------------------------------------
> > Those, who would give up essential liberty to
> > purchase a little temporary safety, deserve
> > neither liberty nor safety.
> >
> > -Ben Franklin
> > Historical Review of Constitution and
> > Government of Pennsylvania
> > ---------------------------------------------
> >
> >
> --
> Mark Andrews, Nominum Inc.
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
>

-- 
---------------------------------------------
Those, who would give up essential liberty to
purchase a little temporary safety, deserve
neither liberty nor safety.

-Ben Franklin
Historical Review of Constitution and
Government of Pennsylvania
---------------------------------------------
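An offline check of the ACL logic in the named.conf quoted in this thread, added here as an example; it is not code from the thread or from ISC. It assumes BIND 9's documented address_match_list rules (elements are tried in order, the first match wins, a leading `!` negates, and a negated match inside a nested ACL counts as "no match" for the list that referenced it) and treats the built-in `localhost` ACL as the loopback addresses only. The sample config and log line are constructed from what was posted. Run against that config it shows 127.0.0.1 is permitted by `allow-query`, which is Mark's point: a "query denied" for 127.0.0.1 means the running named is not reading this file, the usual suspect under `-t` being a stale copy of named.conf inside the chroot.

```python
"""Evaluate BIND 9 address-match-lists offline (example, not ISC code)."""
import ipaddress
import re

# Constructed sample: the acl and allow-* lines from the named.conf quoted in the thread.
SAMPLE_CONF = """
acl "internals" { 127.0.0.1; 172.16.0.0/20; 172.16.16.0/24; 172.16.5.0/24;
192.168.253.0/24;  };

options {
        directory "/";
        allow-query { "internals"; };
        allow-recursion { "internals"; };
        allow-transfer { "internals"; };
};
"""

# Constructed sample in the format of the security-category log line in the thread.
SAMPLE_LOG = "Jan 29 22:45:13.983 security: client 127.0.0.1#2030: query denied"

# Built-in ACL names. "localhost" is an assumption here; named derives it from interfaces.
BUILTIN_ACLS = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": ["127.0.0.1", "::1"],
}

_ACL_RE = re.compile(r'\bacl\s+"?([\w.-]+)"?\s*\{(.*?)\}\s*;', re.S)
_OPT_RE = re.compile(r'\b(allow-(?:query|recursion|transfer))\s*\{(.*?)\}\s*;', re.S)
_LOG_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query denied")


def parse_list(body):
    """Turn the text inside { ... } into (negated, element) pairs, in order."""
    elems = []
    for raw in body.split(";"):
        tok = raw.strip()
        if not tok:
            continue
        negated = tok.startswith("!")
        elems.append((negated, tok.lstrip("!").strip().strip('"')))
    return elems


def parse_conf(text):
    """Return ({acl name: elements}, {allow-* option: elements}) from named.conf text."""
    acls = {name: parse_list(body) for name, body in _ACL_RE.findall(text)}
    for name, addrs in BUILTIN_ACLS.items():
        acls.setdefault(name, [(False, a) for a in addrs])
    options = {name: parse_list(body) for name, body in _OPT_RE.findall(text)}
    return acls, options


def match_list(elems, addr, acls, depth=0):
    """First matching element wins: +1 positive match, -1 negated match, 0 no match."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    if depth > 16:
        raise ValueError("ACL nesting too deep; is an acl referencing itself?")
    for negated, elem in elems:
        if elem in acls:
            # Nested ACL: only a positive match inside it matches this element.
            hit = match_list(acls[elem], addr, acls, depth + 1) > 0
        else:
            try:
                hit = addr in ipaddress.ip_network(elem, strict=False)
            except ValueError:
                continue  # key names and anything else that is not an address
        if hit:
            return -1 if negated else 1
    return 0


def is_allowed(option, client_ip, acls, options):
    """True if client_ip passes the allow-* option; an absent option is taken as { any; }."""
    elems = options.get(option)
    if elems is None:
        return True
    return match_list(elems, client_ip, acls) > 0


def denied_client(log_line):
    """Pull (ip, port) out of a 'client A.B.C.D#port: query denied' line, or None."""
    m = _LOG_RE.search(log_line)
    return (m.group("ip"), int(m.group("port"))) if m else None


def explain_denial(conf_text, log_line):
    """Does the config text permit the client that the log line says was refused?"""
    acls, options = parse_conf(conf_text)
    who = denied_client(log_line)
    if who is None:
        return None
    ip, _port = who
    return {"client": ip, "allowed_by_config": is_allowed("allow-query", ip, acls, options)}


if __name__ == "__main__":
    verdict = explain_denial(SAMPLE_CONF, SAMPLE_LOG)
    print(verdict)
    if verdict and verdict["allowed_by_config"]:
        print("this config allows the client; the running named is not using this file")
```

The nested-ACL rule matters in practice: an `acl` whose only job is to exclude a range (`!172.16.16.0/24;`) does nothing when referenced from `allow-query`, because its negated match is discarded and the outer list simply moves on, so exclusions belong in the outer list itself.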


