Problem with BIND 9 and OpenBSD 3.4

phn at icke-reklam.ipsec.nu
Mon Dec 8 18:38:09 UTC 2003


G.T. <ethan_t at sbcglobal.net> wrote:
> I figured I'd finally get around to upgrading OpenBSD to 3.4 from 3.2 and 
> left BIND for last since I figured it would be trivial to get going.  I'd 
> never had any problems with BIND 4 or 8 in the past but I sure am having 
> trouble now.   Queries from my internal network (listed in the acl clients) 
> work fine.   Here's my named.conf with only the rndc.key changed (let me 
> know if you'd like to see my zone files, too):

> root at grits:/var/named# cat etc/named.conf
> // $OpenBSD: named-dual.conf,v 1.4 2003/02/27 14:44:04 todd Exp $

> // Update this list to include only the networks for which you want
> // to execute recursive queries. The default setting allows all hosts
> // on any IPv4 networks for which the system has an interface, and
> // the IPv6 localhost address.
> //
> acl clients {
>          192.168/16;
>          localhost;
>          ::1;
> };

> options {
>          version "";     // remove this to allow version queries

>          listen-on    { any; };
>          listen-on-v6 { any; };
> };

> key "rndc-key" {
>        algorithm hmac-md5;
>        secret "3nURT98M+8U2C52AJNzCBQ==";
> };

> controls {
>        inet 127.0.0.1 port 953
>                allow { 127.0.0.1; } keys { "rndc-key"; };
> };

> logging {
>          category lame-servers { null; };
> };

> view "internal" {
>          match-clients { clients; };
>          match-recursive-only yes;

>          // Standard zones
>          //
>          zone "." {
>                  type hint;
>                  file "standard/root.hint";
>          };

>          zone "localhost" {
>                  type master;
>                  file "standard/localhost";
>                  allow-transfer { localhost; };
>          };

>          zone "127.in-addr.arpa" {
>                  type master;
>                  file "standard/loopback";
>                  allow-transfer { localhost; };
>          };

>          zone "1.168.192.in-addr.arpa" IN {
>                  type master;
>                  file "master/192.168.1.rev";
>          };

>          zone "2fortheroad.net" IN {
>                  type master;
>                  file "master/private.net";
>          };


>          zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
>                  type master;
>                  file "standard/loopback6.arpa";
>                  allow-transfer { localhost; };
>          };

>          zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int" {
>                  type master;
>                  file "standard/loopback6.int";
>                  allow-transfer { localhost; };
>          };
> };

> view "authoritative" {
>          match-clients { !clients; };
>          recursion no;
>          additional-from-auth no;
>          additional-from-cache no;

>          // Master zones

>          zone "2fortheroad.net" {
>                  type master;
>                  file "master/2fortheroad.net";
>                  allow-transfer { any; };
>          };

> };

> When I turn querylog on I see queries in the logs but the external clients 
> get query REFUSED.

> I've turned off pf and still get the same results.  However, here is the 
> output of pfctl -s rules:

> root at grits:/var/named# pfctl -s rules
> scrub in all fragment reassemble
> block drop in quick on sis0 inet from 127.0.0.0/8 to any
> block drop in quick on sis0 inet from 192.168.0.0/16 to any
> block drop in quick on sis0 inet from 172.16.0.0/12 to any
> block drop in quick on sis0 inet from 10.0.0.0/8 to any
> block drop out quick on sis0 inet from any to 127.0.0.0/8
> block drop out quick on sis0 inet from any to 192.168.0.0/16
> block drop out quick on sis0 inet from any to 172.16.0.0/12
> block drop out quick on sis0 inet from any to 10.0.0.0/8
> block drop in quick on sis0 inet proto tcp from any to 67.127.23.18 port = auth
> block drop in quick on sis0 inet proto tcp from any to 67.127.23.18 port = netbios-ns
> block drop in quick on sis0 inet proto udp from any to 67.127.23.18 port = netbios-ns
> block drop in log on sis0 all
> pass in on sis0 inet proto icmp from any to 67.127.23.18 keep state
> pass in on sis0 inet proto tcp from any to 67.127.23.18 port = www flags S/SA keep state
> pass in on sis0 inet proto tcp from any to 67.127.23.18 port = domain keep state
> pass in on sis0 inet proto udp from any to 67.127.23.18 port = domain keep state
> pass in on sis0 inet proto tcp from any to 67.127.23.18 port = smtp flags S/SA keep state
> block drop out on sis0 all
> pass out on sis0 inet proto tcp all flags S/SA keep state
> pass out on sis0 proto icmp all keep state
> pass out on sis0 proto udp all keep state

> Thanks for looking and thanks for any help,
> Greg


> -- 
> "Destroy your safe and happy lives before it is too late,
> the battles we fought were long and hard,
> just not to be consumed by rock n' roll..." - The Mekons

My guess is twofold: something wrong with the zone 
2fortheroad.net in the authoritative view (anything in the 
logfile?)

Besides that, you could ease up the acl to the authoritative 
to 'any'; since your internal already is matched. Does that 
make any difference?


-- 
Peter Håkanson         
        IPSec  Sverige      ( At Gothenburg Riverside )
           Sorry about my e-mail address, but I'm trying to keep spam out,
           remove "icke-reklam" if you feel for mailing me. Thanx.
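The following is an added example, not part of either message above and not BIND code: a small Python model of how BIND 9 evaluates an address match list (elements tried in order, first match decides, a matched negated element denies, no match denies) and how it picks the first view whose `match-clients` accepts the query source. It uses the `clients` ACL and the two views from Greg's named.conf and compares the posted `match-clients { !clients; };` with the eased `{ any; };` that Peter suggests and with the explicit `{ !clients; any; };`. The BIND built-in `localhost` ACL really matches every address on the server's own interfaces; the model simplifies it to the loopback range, and the source addresses fed in (`192.168.1.10`, `127.0.0.1`, `203.0.113.5`) are constructed samples. Under BIND 9's rules a list whose only element is negated matches no address at all, so an outside query matches neither view and is answered REFUSED, which is the symptom Greg describes.

```python
import ipaddress

# ACL "clients" as posted. BIND's built-in "localhost" matches all addresses
# of the server's own interfaces; simplified here to loopback (assumption).
ACLS = {
    "clients": ["192.168.0.0/16", "127.0.0.0/8", "::1/128"],
    "any": ["0.0.0.0/0", "::/0"],
}


def element_matches(element, addr):
    """True if a single non-negated element (ACL name or prefix) matches addr."""
    if element in ACLS:
        return match_list(ACLS[element], addr)
    net = ipaddress.ip_network(element, strict=False)
    return addr.version == net.version and addr in net


def match_list(elements, addr):
    """Evaluate an address match list the way BIND 9 does: elements are
    tried in order and the first one that matches decides. A matched plain
    element allows, a matched negated ('!x') element denies, and if nothing
    matches the list does not match. Negation inside a nested ACL is not
    modelled, since the posted ACLs contain none."""
    for element in elements:
        negated = element.startswith("!")
        if element_matches(element.lstrip("!"), addr):
            return not negated
    return False


def select_view(views, addr):
    """Return the first view whose match-clients accepts addr, or None.
    A query that matches no view is answered with REFUSED."""
    for name, match_clients in views:
        if match_list(match_clients, addr):
            return name
    return None


# Views in the order they appear in the posted named.conf.
VIEWS_AS_POSTED = [
    ("internal", ["clients"]),
    ("authoritative", ["!clients"]),   # only a negated element: matches nobody
]

# Peter's suggestion: "internal" is tried first, so the authoritative view
# can simply accept everyone that is left.
VIEWS_EASED = [
    ("internal", ["clients"]),
    ("authoritative", ["any"]),
]

# Equivalent explicit form: deny the internal clients, then accept the rest.
VIEWS_EXPLICIT = [
    ("internal", ["clients"]),
    ("authoritative", ["!clients", "any"]),
]


def classify(views, source):
    """Name of the view that answers a query from `source`, or 'REFUSED'."""
    view = select_view(views, ipaddress.ip_address(source))
    return view if view is not None else "REFUSED"


if __name__ == "__main__":
    # Constructed sample sources: a LAN host, loopback, and an outside host.
    for src in ("192.168.1.10", "127.0.0.1", "203.0.113.5"):
        print(f"{src:>14}  as posted: {classify(VIEWS_AS_POSTED, src):<13}"
              f" eased: {classify(VIEWS_EASED, src):<13}"
              f" explicit: {classify(VIEWS_EXPLICIT, src)}")
```

Run it and the outside address lands in no view with the posted configuration but in "authoritative" with either of the other two, while the LAN and loopback sources stay in "internal" in all three. The same check can be made against the real server with `named-checkconf` for syntax and a query from an outside host for behaviour, but the model shows why the view order matters: `{ any; }` is safe in the second view only because the first view has already taken the internal clients.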

