newbie struggles....
Mark Page
mark at weballistics.com
Fri Apr 9 09:53:54 UTC 2004
thanks for responding - the problem turns out to be that the
/etc/named.conf on fedora is not read by BIND at startup if running in
chroot jail (despite what /var/log/messages says) - moved it to
/var/named/chroot/etc and it now works.
Bit stupid really, but there you go.
On Wed, 2004-04-07 at 14:59, phn at icke-reklam.ipsec.nu wrote:
> Mark Page <mark at weballistics.com> wrote:
> > Hi all,
>
> > I've been trying to set up an authoratitive server for my domain name
> > using BIND 9.2.2.P3 on fedora core 1 with the help of the O'reilly book,
> > but with no joy.
>
> Ok, I'll answer "interleaved". But first I'm not clear about
> your topology. Are the nameservers located outside your NAT device?
> Hiding ip-addresses will interfere with understanding your problem,
> just like hiding your real domain.
>
> Another thing, you should implement "split-dns" so your rfc1918
> addresses are hidden from the Internet (while usable from inside).
>
>
> > My network set up is like this :-
>
> > Internet <--> firewall <--> DMZ (172.16/16)
> > " <--> LAN (192.168.4/24)
>
>
> > I have a domain name which I've delegated the authority for via the
> > domain name registry's web-site, e.g.
>
> > MYDOMAIN.co.uk xx.yy.182.113 ns0.MYDOMAIN.co.uk
> > xx.yy.182.114 ns1.MYDOMAIN.co.uk
>
>
> > I have named running on 172.16.0.20 with the hostname PROD1 and use NAT
> > to map to 'real' ip address of xx.yy.182.113.
>
>
> > my resolv.conf:-
>
> On which machine ? The dns server or a client box ?
> > ----------------
> > [root at prod1 named]# more /etc/resolv.conf
> > domain MYDOMAIN.co.uk
> > #nameserver 127.0.0.1
> > nameserver 172.16.0.20
>
>
>
> > my named.conf:-
> > ---------------
> > options {
> > directory "/var/named";
>
> > // Uncommenting this might help if you have to go through a
> > // firewall and things are not working out. But you probably
> > // need to talk to your firewall admin.
>
> > query-source address * port 53;
>
> The above is unneeded, remove. ( unless your firewall is really stupid)
>
> > };
>
> > controls {
> > inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> > };
>
> > zone "." {
> > type hint;
> > file "db.cache";
> > };
>
> > zone "MYDOMAIN.co.uk" {
> > type master;
> > file "db.MYDOMAIN.co.uk";
> > };
>
>
> > zone "16.172.in-addr.arpa" {
> > type master;
> > file "db.172.16";
> > };
>
> > zone "4.168.192.in-addr.arpa" {
> > type master;
> > file "db.192.168.4";
> > };
>
> > zone "0.0.127.in-addr.arpa" {
> > type master;
> > file "db.127.0.0";
> > };
>
> > include "/etc/rndc.key";
>
>
> > the reverse DNS for my static block is looked after by my ISPs
> > nameservers and the forward addresses do match. The other in-addr.arpa.
> > zone files are left out but they look fine.
>
> Yes, you need to resolve rfc1918 addresses if your clients should not
> suffer long delays.
>
>
> > my db.MYDOMAIN.co.uk:-
> > -----------------------
> > $TTL 3h
> > MYDOMAIN.co.uk. IN SOA prod1.MYDOMAIN.co.uk.
> > mark.MYDOMAIN.co.uk. (
> > 1 ; Serial
> > 3h ; Refresh every 3 hours
> > 1h ; Retry
> > 1w ; Expires 1 week
> > 1h ) ; negative caching ttl
> > ;nameservers
> > MYDOMAIN.co.uk. IN NS ns0.MYDOMAIN.co.uk.
> > MYDOMAIN.co.uk. IN NS ns1.MYDOMAIN.co.uk.
>
> > ;hosts
> > localhost.MYDOMAIN.co.uk. IN A 127.0.0.1
>
> > ;
> > ; Internet hosts
> > ;
> > ns0.MYDOMAIN.co.uk. IN A xx.yy.182.113
> > ns1.MYDOMAIN.co.uk. IN A xx.yy.182.114
> > www.MYDOMAIN.co.uk. IN A xx.yy.182.115
> > beta.MYDOMAIN.co.uk. IN A xx.yy.182.116
> > router.MYDOMAIN.co.uk. IN A xx.yy.182.118
> > gateway.MYDOMAIN.co.uk. IN A xx.yy.182.117
>
> > ;
> > ; LAN hosts
> > ;
> > ;dev.MYDOMAIN.co.uk. IN A 192.168.4.37
> > ;windy.MYDOMAIN.co.uk. IN A 192.168.4.10
> > ;lan-fw.MYDOMAIN.co.uk. IN A 192.16.4.77
>
> > ;
> > ; DMZ hosts
> > ;
> > prod1.MYDOMAIN.co.uk. IN A 172.16.0.20
> > ;dmz-fw.MYDOMAIN.co.uk. IN A 172.16.0.10
>
>
> > with this configuration I can only do lookups (forward and reverse) for
> > ns0.MYDOMAIN.co.uk and ns1.MYDOMAIN.co.uk (and only using the FQDN). e.g. :-
>
>
> You probably only see delegation data.
>
>
> > -------
> > [root at prod1 named]# dig ns0.MYDOMAIN.co.uk
>
> > ; <<>> DiG 9.2.2-P3 <<>> ns0.MYDOMAIN.co.uk
> > ;; global options: printcmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1092
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
>
> > ;; QUESTION SECTION:
> > ;ns0.MYDOMAIN.co.uk. IN A
>
> > ;; ANSWER SECTION:
> > ns0.MYDOMAIN.co.uk. 172800 IN A xx.yy.182.113
>
> > ;; AUTHORITY SECTION:
> > MYDOMAIN.co.uk. 172800 IN NS ns0.MYDOMAIN.co.uk.
> > MYDOMAIN.co.uk. 172800 IN NS ns1.MYDOMAIN.co.uk.
>
> > ;; ADDITIONAL SECTION:
> > ns1.MYDOMAIN.co.uk. 172800 IN A xx.yy.182.114
>
> > ;; Query time: 2 msec
> > ;; SERVER: 172.16.0.20#53(172.16.0.20)
> > ;; WHEN: Wed Apr 7 13:57:22 2004
> > ;; MSG SIZE rcvd: 104
>
>
> > All lookups for, say, www.MYDOMAIN.co.uk return NXDOMAIN. I can't even
> > resolve localhost, or the nameserver's DMZ hostname PROD1, but I can
> > resolve other internet addresses fine.
>
> > I've commented out my LAN and DMZ to keep everything as minimal as
> > possible. but when prod1.MYDOMAIN.co.uk. is commented out the above dig
> > will time out. I would appreciate any help given.
>
>
> > Regards, -Mark.
>
> > p.s. this is not how I expect my final config to be, i.e. no security
> > etc - I just want to get basic lookups for my domain working first so
> > please don't hassle me too much. :)
>
> One key issue is your interaction with firewall/nat device. Start
> working on dns-servers and when they work ok, see that other server(s)
> and clients do what's intended.
>
>
>
>
>
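The split-DNS advice above comes down to one rule: a zone served to the Internet must not carry RFC 1918 or loopback addresses such as the prod1 172.16.0.20 record in the posted zone. The following checker is an added example (not code from the thread or from BIND) that scans a master zone file for such records before the file is put behind an external view; the sample zone is constructed from the thread's file, with the public xx.yy.182.0/24 block replaced by the documentation prefix 192.0.2.0/24.

```python
"""Flag A records in a BIND zone file that point at RFC 1918 or loopback
space and therefore belong only in an internal (split-DNS) view."""
import ipaddress
import re

# Constructed sample zone, modelled on the thread's db.MYDOMAIN.co.uk.
SAMPLE_ZONE = """\
$TTL 3h
MYDOMAIN.co.uk. IN SOA prod1.MYDOMAIN.co.uk. mark.MYDOMAIN.co.uk. (
        1 ; Serial
        3h ; Refresh
        1h ; Retry
        1w ; Expire
        1h ) ; negative caching ttl
MYDOMAIN.co.uk.           IN NS ns0.MYDOMAIN.co.uk.
ns0.MYDOMAIN.co.uk.       IN A  192.0.2.113
www.MYDOMAIN.co.uk.       IN A  192.0.2.115
;dev.MYDOMAIN.co.uk.      IN A  192.168.4.37
prod1.MYDOMAIN.co.uk.     IN A  172.16.0.20
localhost.MYDOMAIN.co.uk. IN A  127.0.0.1
"""

# Address space that must never be answered to Internet clients.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Matches "owner [ttl] [IN] A address"; comments are stripped beforehand.
A_RECORD = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\w?\s+)?(?:IN\s+)?A\s+(?P<addr>\S+)",
    re.IGNORECASE)


def find_leaking_records(zone_text):
    """Return (owner, address) pairs for A records in non-routable space."""
    leaks = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if not line or line.startswith("$"):   # skip blanks and directives
            continue
        m = A_RECORD.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("addr"))
        except ValueError:
            continue                           # not an address literal
        if any(addr in net for net in NON_ROUTABLE):
            leaks.append((m.group("owner"), str(addr)))
    return leaks


if __name__ == "__main__":
    for owner, addr in find_leaking_records(SAMPLE_ZONE):
        print(f"{owner} -> {addr}: serve from the internal view only")
```

Commented-out LAN hosts are ignored, so only the active prod1 and localhost records are reported for the sample.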