Still Having Intermittent Issues Resovling External Domains
Joel M Nimety
jnimety at cybergnostic.com
Mon May 31 15:24:47 UTC 2004
I am running bind chroot'd as user named. I will turn up debugging.
tcpdumps during the outages show recursive requests going out but no
replies coming back.
Here is my config:
acl "xfer" {
// Allow no transfers. If we have other
// name servers, place them here.
// Note that in the Netherlands, for example,
// the TLD servers 193.176.144.2 and 193.176.144.138
// are allowed to perform zone tranfers
// from the domains under .nl.
none;
};
acl "trusted" {
// Place our internal and DMZ subnets in here so that
// intranet and DMZ clients may send DNS queries. This
// also prevents outside hosts from using our name server
// as a resolver for other domains.
10.0.0.0/8;
192.168.0.0/16;
172.16.0.0/12;
localhost;
};
acl "bogon" {
// Filter out the bogon networks. These are networks
// listed by IANA as test, RFC1918, Multicast, experi-
// mental, etc. If you see DNS queries or updates with
// a source address within these networks, this is likely
// of malicious origin. CAUTION: If you are using RFC1918
// netblocks on your network, remove those netblocks from
// this list of blackhole ACLs!
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
5.0.0.0/8;
7.0.0.0/8;
// 10.0.0.0/8; // We use this.
23.0.0.0/8;
27.0.0.0/8;
31.0.0.0/8;
36.0.0.0/8;
37.0.0.0/8;
39.0.0.0/8;
41.0.0.0/8;
42.0.0.0/8;
49.0.0.0/8;
50.0.0.0/8;
58.0.0.0/8;
59.0.0.0/8;
71.0.0.0/8;
72.0.0.0/8;
73.0.0.0/8;
74.0.0.0/8;
75.0.0.0/8;
76.0.0.0/8;
77.0.0.0/8;
78.0.0.0/8;
79.0.0.0/8;
89.0.0.0/8;
90.0.0.0/8;
91.0.0.0/8;
92.0.0.0/8;
93.0.0.0/8;
94.0.0.0/8;
95.0.0.0/8;
96.0.0.0/8;
97.0.0.0/8;
98.0.0.0/8;
99.0.0.0/8;
100.0.0.0/8;
101.0.0.0/8;
102.0.0.0/8;
103.0.0.0/8;
104.0.0.0/8;
105.0.0.0/8;
106.0.0.0/8;
107.0.0.0/8;
108.0.0.0/8;
109.0.0.0/8;
110.0.0.0/8;
111.0.0.0/8;
112.0.0.0/8;
113.0.0.0/8;
114.0.0.0/8;
115.0.0.0/8;
116.0.0.0/8;
117.0.0.0/8;
118.0.0.0/8;
119.0.0.0/8;
120.0.0.0/8;
121.0.0.0/8;
122.0.0.0/8;
123.0.0.0/8;
124.0.0.0/8;
125.0.0.0/8;
126.0.0.0/8;
169.254.0.0/16;
// 172.16.0.0/12; // We use this.
173.0.0.0/8;
174.0.0.0/8;
175.0.0.0/8;
176.0.0.0/8;
177.0.0.0/8;
178.0.0.0/8;
179.0.0.0/8;
180.0.0.0/8;
181.0.0.0/8;
182.0.0.0/8;
183.0.0.0/8;
184.0.0.0/8;
185.0.0.0/8;
186.0.0.0/8;
187.0.0.0/8;
189.0.0.0/8;
190.0.0.0/8;
192.0.2.0/24;
// 192.168.0.0/16; // We use this.
197.0.0.0/8;
223.0.0.0/8;
224.0.0.0/3;
};
logging {
category lame-servers { null; };
};
// Set options for security
// We run BIND9 chroot'ed so all paths are relative to /var/lib/named.
options {
directory "/var/cache/bind";
statistics-file "/var/run/named.stats";
pid-file "/var/run/named.pid";
memstatistics-file "/var/named/named.memstats";
dump-file "/var/adm/named.dump";
zone-statistics yes;
// We need to allow more recursive queries for spam and email.
recursive-clients 5000;
// We need to explicitly set the edns size so as not to confuse //
certain firewalls
// edns-udp-size 512;
// Force port 53;
// query-source address * port 53;
// Allow more simultaneous connections.
// tcp-clients 500;
// Prevent DoS attacks by generating bogus zone transfer
// requests. This will result in slower updates to the
// slave servers (e.g. they will await the poll interval
// before checking for updates).
notify no;
// Generate more efficient zone transfers. This will place
// multiple DNS records in a DNS message, instead of one per
// DNS message.
transfer-format many-answers;
// Set the maximum zone transfer time to something more
// reasonable. In this case, we state that any zone transfer
// that takes longer than 60 minutes is unlikely to ever
// complete. WARNING: If you have very large zone files,
// adjust this to fit your requirements.
max-transfer-time-in 60;
// We have no dynamic interfaces, so BIND shouldn't need to
// poll for interface state {UP|DOWN}.
interface-interval 0;
allow-transfer {
// Zone tranfers limited to members of the
// "xfer" ACL.
xfer;
};
allow-query {
// Accept queries from our "trusted" ACL. We will
// allow anyone to query our master zones below.
// This prevents us from becoming a free DNS server
// to the masses.
trusted;
};
blackhole {
// Deny anything from the bogon networks as
// detailed in the "bogon" ACL.
bogon;
};
// conform to RFC1035
auth-nxdomain no;
};
view "internal-in" in {
// Our internal (trusted) view. We permit the internal networks
// to freely access this view. We perform recursion for our
// internal hosts, and retrieve data from the cache for them.
match-clients { trusted; };
recursion yes;
additional-from-auth yes;
additional-from-cache yes;
zone "." {
// prime the server with knowledge of the root servers
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
allow-query {
any;
};
allow-transfer {
none;
};
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
allow-query {
any;
};
allow-transfer {
none;
};
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
allow-query {
any;
};
allow-transfer {
none;
};
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
allow-query {
any;
};
allow-transfer {
none;
};
};
// more zones here, removed for brevity -- Joel
};
// Create a view for external DNS clients.
view "external-in" in {
// Our external (untrusted) view. We permit any client to access
// portions of this view. We do not perform recursion or cache
// access for hosts using this view.
match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;
// Link in our zones
zone "." in {
type hint;
file "/etc/bind/db.root";
};
};
// Create a view for all clients perusing the CHAOS class.
// We allow internal hosts to query our version number.
// This is a good idea from a support point of view.
view "external-chaos" chaos {
match-clients { any; };
recursion no;
zone "." {
type hint;
file "/dev/null";
};
zone "bind" {
type master;
file "/etc/bind/db.bind";
allow-query {
trusted;
};
allow-transfer {
none;
};
};
};
Richard Maynard wrote:
>> > We're experiencing intermittent issues resolving domain names. Often
>> > these domains are microsoft.com, cnn.com, etc. We are running 3
>> > identical servers and sometime they can go a week or two without any
>> > trouble (othertimes only hours), then without warning one server will
>> > be unable to perform a recursive lookup for a few domains.
>
>
> Is bind running as a non root user? If so, is there anything that
might be
> changing the interfaces so bind can not rebind to them?
>
> Is there anything at all appearing in your bind logs? If not, do you have
> the log level cranked up to see if perhaps you could get something?
>
>
>>We are getting desperate. I can provide tcpdumps and configs if
>>necessary.
>
>
> Configs are a good place to start so folks can take a look at how you
expect
> your server to start.
>
--
Joel Nimety
Perimeter/Cybergnostic
More information about the bind-users
mailing list