Need expert bind config advice

Kevin Darcy kcd at daimlerchrysler.com
Wed Nov 14 03:30:24 UTC 2001


Why are you using "@localhost" in the "dig" command line, but not in the "host" command line? Your /etc/resolv.conf already specifies 127.0.0.1 as the first nameserver, so I'd leave "@localhost" off altogether. I think "dig" might be having trouble resolving the name "localhost" (see comment on searchlist below), and that might be causing it to time out.

Do you really even need "localhost" to resolve in DNS? Unless you have some specific application that requires it, I wouldn't bother.

Do you understand how the "search" directive in /etc/resolv.conf works? The elements of the search list are *appended* to an unqualified name to give your resolver some educated guesses as to what the real name is. Given the name "foo", your current configuration causes the resolver to look up "foo.localhost", "foo.vdc-hn01.vnn.vn", and then "foo.hcm-server1-vnn.vn". I doubt that this is what you want. For that matter, consider ditching the searchlist altogether -- things work more quickly, efficiently and with no possibility of accidental searchlist matches when resolvers use fully-qualified names for everything.

What is the purpose of the "ns.8.168.192.in-addr.arpa" A record?

- Kevin

AD Marshall wrote:

> Long explanation, context, some useful references, and just two short "QUESTION"s below --
>
> Our simple aim is to set up a secure, relatively performance-and-maintenance-efficient configuration for BIND that we can easily adapt to many small-to-medium-sized LANs in VietNam for secure, dial-on-demand/kill-on-idle Internet sharing and later adapt to broadband.
>
> On our testing/learning box (using RH7.1, bind-9.1.3-1, dial-up ISP Internet access, serving only one Win2K and one Win98 workstation, forwarding on using iptables), we've been getting the seemingly incorrect /var/log/messages entries that follow below from the network-BIND-DNS configuration files we're using (these, /etc/hosts to zone files in /var/named/, follow after the log entries).
>
> With logging set in named.conf to include "category queries { named_info; };", /var/log/messages shows named going through recursive queries for "hcm.vnvnn". This seems wrong since ".vn" is VietNam's country suffix and "hcm.vnn.vn" is our ISP. (For POP3 apps, we use the IP for "mail.vnn.vn", 203.162.0.9.)
>
> QUESTION: Have we configured something wrong that is causing the queries for "hcm.vnvnn"? If yes, how can we correct it? If no, how is the reversal of the TLD and the ISP's domain explained?
>
> We're also not sure if we can do reverse lookups. Using "dig @localhost 127.0.0.1" or "dig @localhost 192.168.8.3", both respond with ";; connection timed out; no servers could be reached". But using "host" does apparently work:
> [root at vcserver1 AD.VICE]# host 127.0.0.1
> 1.0.0.127.in-addr.arpa. domain name pointer localhost.
> [root at vcserver1 AD.VICE]# host 192.168.8.3
> 3.8.168.192.in-addr.arpa. domain name pointer vcws01.viceconsulting.cam.
> [Note: Invalid TLD, here ".cam", recommended by DNS-HOWTO-5.html for testing]
> [root at vcserver1 AD.VICE]# host 203.162.0.18
> 18.0.162.203.in-addr.arpa. domain name pointer webproxy.vnd.net.
> 18.0.162.203.in-addr.arpa. domain name pointer webproxy.vnn.vn.
>
> Everything else *seems* to be working fast and fine: local, domestic and overseas url/address resolving for mail, ftp, web,...
>
> QUESTION: Finally, could anyone kindly offer this newbie some corrections or suggestions to improve this configuration?
>
> We've got strong suspicions we've boggled ourselves in docs & details and gone a bit over the top on what we've included, possibly even including a number of redundancies or inconsistencies.
>
> Notes:
> * We ripped a lot of this configuration from a few key references, the Bv9ARM*.html docs, Bind9 Secured, www.boran.com/security/sp/bind9_20010430.html and Linux Step-by-Step, www.linux.nf/bind.html, plus bits from the bind9-users list.
> * The whole of VietNam is firewalled off from the rest of Internet and all DNS queries must go through one ISP/IAP's DNS servers, listed below. Only smtp, pop3, http, ftp and telnet ports are officially available to dial-up clients for IPs outside VietNam -- even traceroute, ssh and news ports seem blocked.
>
> Gratefully,
> AD Marshall
>
> ========= Log Output ================================================
>
> From # tail -f -n20 /var/log/messages :
>
> Nov  7 22:49:41 vcserver1 named[707]: Nov 07 22:49:41.368 network: info: listening on IPv4 interface ppp0, 203.162.51.101#53
> Nov  7 22:49:41 vcserver1 named[707]: Nov 07 22:49:41.369 network: info: no longer listening on 203.162.51.161#53
> Nov  7 22:49:47 vcserver1 named[707]: Nov 07 22:49:47.556 queries: info: client 127.0.0.1#1088: query: hcm.vnnvn IN ANY
> Nov  7 22:49:47 vcserver1 named[707]: Nov 07 22:49:47.557 queries: info: client 127.0.0.1#1088: query: hcm.vnnvn.localhost IN ANY
> Nov  7 22:49:47 vcserver1 named[707]: Nov 07 22:49:47.559 queries: info: client 127.0.0.1#1088: query: hcm.vnnvn.vdc-hn01.vnn.vn IN ANY
> Nov  7 22:49:47 vcserver1 named[707]: Nov 07 22:49:47.560 queries: info: client 127.0.0.1#1088: query: hcm.vnnvn.hcm-server1-vnn.vn IN ANY
> Nov  7 22:49:47 vcserver1 named[707]: Nov 07 22:49:47.566 queries: info: client 127.0.0.1#1088: query: hcm.vnnvn IN MX
> Nov  7 22:49:47 vcserver1 named[707]: Nov 07 22:49:47.567 queries: info: client 127.0.0.1#1088: query: hcm.vnnvn.localhost IN MX
> Nov  7 22:49:47 vcserver1 named[707]: Nov 07 22:49:47.568 queries: info: client 127.0.0.1#1088: query: hcm.vnnvn.vdc-hn01.vnn.vn IN MX
> Nov  7 22:49:47 vcserver1 named[707]: Nov 07 22:49:47.569 queries: info: client 127.0.0.1#1088: query: hcm.vnnvn.hcm-server1-vnn.vn IN MX
> Nov  7 22:49:47 vcserver1 named[707]: Nov 07 22:49:47.570 queries: info: client 127.0.0.1#1088: query: hcm.vnnvn IN ANY
> Nov  7 22:49:47 vcserver1 named[707]: Nov 07 22:49:47.571 queries: info: client 127.0.0.1#1088: query: hcm.vnnvn.localhost IN ANY
> Nov  7 22:49:47 vcserver1 named[707]: Nov 07 22:49:47.571 queries: info: client 127.0.0.1#1088: query: hcm.vnnvn.vdc-hn01.vnn.vn IN ANY
> Nov  7 22:49:47 vcserver1 named[707]: Nov 07 22:49:47.572 queries: info: client 127.0.0.1#1088: query: hcm.vnnvn.hcm-server1-vnn.vn IN ANY
> Nov  7 22:50:20 vcserver1 named[707]: Nov 07 22:50:20.903 queries: info: client 192.168.8.3#1454: query: mail.hostonce.org IN A
> Nov  7 22:50:24 vcserver1 named[707]: Nov 07 22:50:24.912 queries: info: client 192.168.8.3#1454: query: mail.hostonce.org IN A
> Nov  7 22:50:29 vcserver1 pppd[1803]: Terminating on signal 15.
> <cut>
>
> Configuration Files
> ===================
>
> [root at vcserver1 0.installed]# cat /etc/hosts
> # TEST LOCAL DOMAIN: viceconsulting.cam, not .cOm!!!!
> # Change before using registered domain name
> 127.0.0.1       localhost.localdomain           localhost
> 192.168.8.1     vcserver1.viceconsulting.cam    vcserver1
> 192.168.8.3     vcws01.viceconsulting.cam       vcws01
> 192.168.8.9     vcmob01.viceconsulting.cam      vcmob01
> #eof
>
> [root at vcserver1 0.installed]# cat /etc/resolv.conf
> search localhost vdc-hn01.vnn.vn hcm-server1-vnn.vn
> nameserver 127.0.0.1
> nameserver 203.162.0.11
> nameserver 203.162.4.1
>
> [root at vcserver1 0.installed]# cat /etc/named.conf
> // based on
> // "/var/www/html/DNS/bind9secured/bind/named.conf.primary"
> // "/var/www/html/DNS/linux.nf/bind.html", for logging
> // "/usr/share/doc/bind-9.1.3/doc/arm/Bv9ARM.html"
>
> acl "nameservers" {
>   localhost;
>   // my primary
>   192.168.8.1;
>   // Internet & ISP:
>   203.162.0.11;   //vdc-hn01.vnn.vn
>   203.162.4.1;    //hcm-server1.vnn.vn
> };
>
> options {
>         directory "/var/named";
>         // query-source address * port 53;
>         pid-file "/var/run/named/named.pid";
>         stacksize 30M;
>         datasize 20M;
>         auth-nxdomain yes;                      // v9 wants this?
>         dump-file "/var/tmp/named_dump.db";
>         allow-transfer { nameservers; };        // this limits ALL zones
>         transfer-format many-answers;           // faster transfers
>         version "This is not a [VICE]-8";       // hide BIND version
>         forwarders { 203.162.0.11; 203.162.4.1; };
> };
>
> controls {
>         inet 127.0.0.1
>         port 953
>         allow { localhost; }
>         keys { key_rndc; };
> };
>
> logging {
>         channel named_info {
>                 syslog;
>                 print-category yes;
>                 print-severity yes;
>                 print-time yes;
>         };
>         // Processing of client requests
>         category client { named_info; };
>         // named.conf parsing and processing
>         category config { named_info; };
>         // This is the default for any category not specifically defined
>         category default { named_info; };
>         // The catch-all -- anything without a category of its own
>         category general { named_info; };
>         // Comment out if you don't want to know about any lame server
>         category lame-servers { named_info; };
>         // The NOTIFY protocol
>         category notify { named_info; };
>         // Network operations
>         category network { named_info; };
>         // DNS resolution like recursive lookups, etc
>         category resolver { named_info; };
>         // Approval and denial of requests
>         category security { named_info; };
>         // Dynamic updates
>         category update { named_info; };
>         // Queries. Duh?
>         category queries { named_info; };
>         // Zone transfers received
>         category xfer-in { named_info; };
>         // Zone transfers sent
>         category xfer-out { named_info; };
> };
>
> /////////////////// default zones //////////////////////////
>
> // this is the main file for the domain name server. Each line gives
> // the file where is stored the name table for a particular domain.
>
> // a caching only nameserver config
>
> // localhost loopback
> zone "localhost" IN {
>         type master;
>         file "localhost.zone";
>         allow-update { none; };
> };
>
> // reverse mapping of loopback address
> zone "0.0.127.in-addr.arpa" IN {
>         type master;
>         file "localhost.rev";
>         notify no;
>         allow-update { none; };
> };
>
> //////////////// primaries //////////////////////
> // Transfer ACLs are governed globally above
>
> zone "viceconsulting.cam" {
>         type master;
>         file "viceconsulting.cam";
>         allow-update { none; };
> };
>
> // reverse mapping -- using
> // info from example file "rev.192.168.128" in bind9secured
> //
> zone "8.168.192.in-addr.arpa" IN {
>         type master;
>         file "rev.192.168.8";
> };
>
> // Validation Key Section
> // NOTE: "key" statement not included in
> // "/var/www/html/DNS/bind9secured/bind/named.conf.primary"
> //
>
> key key_rndc {
>         algorithm hmac-md5;
>         secret "<cut>";
> };
>
> //eof
>
> [root at vcserver1 named]# cat /etc/rndc.conf
> /*
>  * Based on - Sample rndc configuration file, bind-9.1.0 rpm
>  */
>
> options {
>         default-server  localhost;
>         default-key     key_rndc;
> };
>
> //server localhost {
> //        key     key_rndc;
> //};
>
> key key_rndc {
>         algorithm hmac-md5;
>         secret "<cut>";
> };
> // eof
>
> [root at vcserver1 named]# cat local* vice* rev* >/root/bind/zones
>
> [root at vcserver1 bind]# cat /root/bind/zones
> $TTL    86400
> @               IN      SOA     localhost. root.localhost.  (
>                                       200108200 ; Serial
>                                       28800      ; Refresh
>                                       14400      ; Retry
>                                       3600000    ; Expire
>                                       86400 )    ; Minimum
>                 IN      NS      localhost.
>
> 1               IN      PTR     localhost.
> ; eof
>
> $TTL    86400
> $ORIGIN localhost.
> @                       1D IN SOA       @ root (
>                                         42              ; serial (d. adams)
>                                         3H              ; refresh
>                                         15M             ; retry
>                                         1W              ; expiry
>                                         1D )            ; minimum
>
>                         1D IN NS        @
>                         1D IN A         127.0.0.1
> ; eof
>
> $TTL 86400
> @               IN      SOA     vcserver1.viceconsulting.cam. root.viceconsulting.cam. (
>                         2001102001      ; Serial number YYYYMMDDSN
>                         28800           ; Refresh every 8 hours
>                         14400           ; Retry every 4 hours
>                         3600000         ; Expire after 42 days
>                         3600 )          ; Minimum TTL (Time to live)
> ; Nameservers
>                         IN      NS      ns.viceconsulting.cam.
>                         IN      MX      10 mail.viceconsulting.cam.
> ns                      IN      A       192.168.8.1
> mail                    IN      A       192.168.8.1
> www                     IN      A       192.168.8.1
>
> ; Local lan
> vcserver1               IN      A       192.168.8.1
> vcws01                  IN      A       192.168.8.3
> vcmob01                 IN      A       192.168.8.9
> ; eof
>
> ; /var/named/viceconsulting.cam, NOT .cOm
> ;
> $TTL 86400 ; Default TTL in secs (1 day)
>
> @               IN      SOA     vcserver1.viceconsulting.cam. root.viceconsulting.cam. (
>                         2001102001      ; Serial number YYYYMMDDSN
>                         28800           ; Refresh every 8 hours
>                         14400           ; Retry every 4 hours
>                         3600000         ; Expire after 42 days
>                         3600 )          ; Minimum TTL (Time to live)
>
> ; Descriptions of name servers for this domain
>                 IN      NS      ns.viceconsulting.cam.
> ns              IN      A       192.168.8.1
> ; Reverse lookups
> 1                       PTR     vcserver1.viceconsulting.cam.
> 3                       PTR     vcws01.viceconsulting.cam.
> 9                       PTR     vcmob01.viceconsulting.cam.
> ; eof
> <end>
> *--------------------------------------------------*
>  AD Marshall, VietInfoComm&Edu [VICE]-8 Consulting
>  Vietnam Information Communications & Education
>  Post:  8A/G8 Don Dat, Q.1, TpHCM, VietNam
>  eMail: mailto:ad.vice at paradoxcafe.com
>  Web:   http://paradoxcafe.net
>  Cell:  +84 (0)903871313
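The search-list behaviour Kevin describes above, as an added example that is not part of the original thread and not code from BIND: a small Python simulation of how a glibc-style stub resolver turns a single lookup into a sequence of candidate queries, fed the /etc/resolv.conf text posted in the thread. The ordering rule (a name with at least "ndots" dots, default 1, is tried as typed first and then with each search suffix; a name with fewer dots gets the suffixes first and is tried bare last; a name ending in "." is never suffixed) is the documented glibc resolver behaviour; the function names and the helper that lists only the suffixed queries are my additions. Run on the name "hcm.vnnvn" from the log, it produces the same four names per record type that the "queries" category logged.

```python
"""Simulate search-list expansion by a glibc-style stub resolver.

Added example for this thread; not code from the original post or from BIND.
RESOLV_CONF is the /etc/resolv.conf posted in the thread. The candidate order
follows the glibc rule: with 'ndots' (default 1), a name containing at least
that many dots is tried as typed first and then with each search suffix; a
name with fewer dots gets the suffixes first and is tried as typed last. A
name ending in '.' is absolute and is never suffixed. Each candidate is sent
only if the previous one produced no answer.
"""

RESOLV_CONF = """\
search localhost vdc-hn01.vnn.vn hcm-server1-vnn.vn
nameserver 127.0.0.1
nameserver 203.162.0.11
nameserver 203.162.4.1
"""


def parse_resolv_conf(text):
    """Return (search_list, nameservers, ndots) from resolv.conf text."""
    search, nameservers, ndots = [], [], 1
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "search":
            search = args                  # a later 'search' line replaces an earlier one
        elif key == "domain":
            search = args[:1]              # 'domain' is a one-element search list
        elif key == "nameserver":
            nameservers.append(args[0])
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, nameservers, ndots


def search_candidates(name, search, ndots=1):
    """Names a stub resolver tries, in order, for one lookup of `name`."""
    if name.endswith("."):
        return [name]                      # absolute: no search-list guessing
    as_typed = name + "."
    with_suffix = [f"{name}.{s.rstrip('.')}." for s in search]
    if name.count(".") >= ndots:
        return [as_typed] + with_suffix
    return with_suffix + [as_typed]


def suffixed_queries(names, search, ndots=1):
    """Map each name to the search-suffixed queries a failed lookup would emit.

    These are the '<name>.<suffix>' entries that show up in BIND's 'queries'
    log category; each one goes to the listed nameservers and, on this setup,
    on to the ISP forwarders before the resolver gives up on the name.
    """
    out = {}
    for n in names:
        base = n if n.endswith(".") else n + "."
        out[n] = [c for c in search_candidates(n, search, ndots) if c != base]
    return out


if __name__ == "__main__":
    search, servers, ndots = parse_resolv_conf(RESOLV_CONF)
    print("nameservers:", servers, "ndots:", ndots)
    for name in ("hcm.vnnvn", "foo", "localhost", "hcm.vnn.vn."):
        print(f"{name:12} -> " + ", ".join(search_candidates(name, search, ndots)))
```

Every suffixed candidate is a query that leaves the host, and on a forwarding setup like this one it goes out to the ISP's servers; a typo in a name therefore costs several round trips and, worse, can match an unrelated name under one of the suffixes. That is the reason behind the advice to drop the searchlist and use fully qualified names.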

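Kevin's question about the "ns.8.168.192.in-addr.arpa" A record comes from the way relative owner names are expanded in zone files. The following added example (mine, not from the post and not BIND's own code) is a minimal zone-file reader that applies $TTL, $ORIGIN, "@", blank-owner inheritance and parenthesised continuations, then lists every record fully qualified. The two zone texts are abridged copies of the posted viceconsulting.cam and rev.192.168.8 files; the reader ignores quoted strings, $INCLUDE and $GENERATE, which those files do not use. The same line "ns IN A 192.168.8.1" becomes "ns.viceconsulting.cam." under the forward zone's origin and "ns.8.168.192.in-addr.arpa." under the reverse zone's, which is the record Kevin asks about.

```python
"""Expand relative names in BIND zone files to fully qualified form.

Added example for this thread; not code from the original post or from BIND.
Handles $TTL, $ORIGIN, '@', owner inheritance from the previous record and
multi-line records in parentheses. Quoted strings, $INCLUDE and $GENERATE are
not handled (the posted files do not use them).
"""
import re

TTL_RE = re.compile(r"^\d+[smhdwSMHDW]?$")
CLASSES = {"IN", "CH", "HS"}
# rdata fields that are domain names and therefore subject to $ORIGIN expansion
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}

# Abridged copies of the zone files posted in the thread.
FORWARD_ZONE = """\
$TTL 86400
@       IN  SOA  vcserver1.viceconsulting.cam. root.viceconsulting.cam. (
                 2001102001 ; Serial
                 28800 14400 3600000 3600 )
        IN  NS   ns.viceconsulting.cam.
        IN  MX   10 mail.viceconsulting.cam.
ns      IN  A    192.168.8.1
mail    IN  A    192.168.8.1
vcws01  IN  A    192.168.8.3
"""

REVERSE_ZONE = """\
$TTL 86400 ; Default TTL in secs (1 day)
@       IN  SOA  vcserver1.viceconsulting.cam. root.viceconsulting.cam. (
                 2001102001 28800 14400 3600000 3600 )
        IN  NS   ns.viceconsulting.cam.
ns      IN  A    192.168.8.1
1           PTR  vcserver1.viceconsulting.cam.
3           PTR  vcws01.viceconsulting.cam.
9           PTR  vcmob01.viceconsulting.cam.
"""


def qualify(name, origin):
    """Make `name` absolute: '@' is the origin, a trailing dot means already absolute."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def logical_records(text):
    """Yield (owner_inherited, tokens) per record, comments stripped, '(' ')' joined."""
    buf, inherited = [], False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # ';' starts a comment
        if not buf:
            if not line.strip():
                continue                     # blank or comment-only line
            inherited = line[0].isspace()    # blank owner field -> previous owner
        buf.append(line)
        joined = " ".join(buf)
        if joined.count("(") > joined.count(")"):
            continue                         # record continues on the next line
        yield inherited, joined.replace("(", " ").replace(")", " ").split()
        buf = []


def parse_zone(text, origin):
    """Return [(owner, ttl, type, rdata)] with every name fully qualified."""
    origin = origin if origin.endswith(".") else origin + "."
    records, owner, default_ttl = [], origin, None
    for inherited, toks in logical_records(text):
        if toks[0] == "$TTL":
            default_ttl = toks[1]
            continue
        if toks[0] == "$ORIGIN":
            origin = qualify(toks[1], origin)
            continue
        if not inherited:
            owner = qualify(toks.pop(0), origin)
        ttl = default_ttl
        if toks and TTL_RE.match(toks[0]):   # optional TTL before the class/type
            ttl = toks.pop(0)
        if toks and toks[0].upper() in CLASSES:
            toks.pop(0)
        rtype, rdata = toks[0].upper(), toks[1:]
        for i in NAME_FIELDS.get(rtype, []):
            rdata[i] = qualify(rdata[i], origin)
        records.append((owner, ttl, rtype, " ".join(rdata)))
    return records


def address_records_under(records, suffix):
    """Owners of A records under `suffix`, e.g. A records inside an in-addr.arpa zone."""
    return [o for o, _, t, _ in records if t == "A" and o.endswith(suffix)]


if __name__ == "__main__":
    for text, origin in ((FORWARD_ZONE, "viceconsulting.cam"),
                         (REVERSE_ZONE, "8.168.192.in-addr.arpa")):
        for owner, ttl, rtype, rdata in parse_zone(text, origin):
            print(f"{owner:32} {ttl:>6} {rtype:5} {rdata}")
    rev = parse_zone(REVERSE_ZONE, "8.168.192.in-addr.arpa")
    print("A records under in-addr.arpa:", address_records_under(rev, ".in-addr.arpa."))
```

The useful check here is the last one: an A record whose owner ends in in-addr.arpa is almost always a line copied from a forward zone without adjusting for the new origin. The NS record in the reverse zone already points at the absolute name "ns.viceconsulting.cam.", so the relative "ns" A record in that file answers nothing anyone will ask for.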