Still Having Intermittent Issues Resolving External Domains

Joel M Nimety jnimety at cybergnostic.com
Mon May 31 15:24:47 UTC 2004


I am running bind chroot'd as user named.  I will turn up debugging.
tcpdumps during the outages show recursive requests going out but no
replies coming back.

Here is my config:


acl "xfer" {
	// Hosts allowed to pull zone transfers (AXFR/IXFR).  Referenced
	// by "allow-transfer" in the options block, so this is the
	// server-wide default.  Empty on purpose: no secondary servers
	// exist.  If secondaries are added later, list their addresses
	// here rather than loosening allow-transfer.
	// Original note: some registries require transfer access for
	// their TLD servers (the example given was .nl, with
	// 193.176.144.2 and 193.176.144.138).
	none;
};

acl "trusted" {
	// Clients allowed to use this server as a recursive resolver.
	// Used by "allow-query" in options and "match-clients" in the
	// "internal-in" view, so anything outside these ranges is kept
	// out of the caching/recursive side of the server.
	// NOTE(review): the whole of each RFC 1918 block is listed, not
	// just the subnets actually in use.  Narrowing this to the real
	// internal/DMZ subnets limits who can reach the resolver if
	// private-range traffic ever arrives from an unexpected path.
	10.0.0.0/8;
	192.168.0.0/16;
	172.16.0.0/12;
	// "localhost" is a built-in ACL covering the server's own
	// addresses.
	localhost;
};

acl "bogon" {
	// Source ranges treated as bogus: /8s that were unallocated when
	// this config was written, plus RFC 1918, link-local, TEST-NET
	// and multicast/reserved space.  Referenced by the "blackhole"
	// statement in options, which both ignores queries FROM these
	// addresses and stops named from sending queries TO them.
	// NOTE(review): a static bogon list goes stale as IANA allocates
	// /8s, and several entries below have since been handed out (for
	// example 58/8 and 59/8 went to APNIC in 2004).  Any authoritative
	// server that lives in a now-allocated block becomes unreachable
	// from this resolver, which can contribute to "some domains fail
	// to resolve" symptoms.  Verify each entry against the current
	// IANA IPv4 address space registry, or keep only the RFC-reserved
	// ranges here and leave unallocated-space filtering to the
	// firewall.
	// CAUTION (original): RFC 1918 blocks that are used locally must
	// stay out of this list; the three in use are commented out below.
	0.0.0.0/8;
	1.0.0.0/8;
	2.0.0.0/8;
	5.0.0.0/8;
	7.0.0.0/8;
	// 10.0.0.0/8; // In use locally, see "trusted".
	23.0.0.0/8;
	27.0.0.0/8;
	31.0.0.0/8;
	36.0.0.0/8;
	37.0.0.0/8;
	39.0.0.0/8;
	41.0.0.0/8;
	42.0.0.0/8;
	49.0.0.0/8;
	50.0.0.0/8;
	58.0.0.0/8;
	59.0.0.0/8;
	71.0.0.0/8;
	72.0.0.0/8;
	73.0.0.0/8;
	74.0.0.0/8;
	75.0.0.0/8;
	76.0.0.0/8;
	77.0.0.0/8;
	78.0.0.0/8;
	79.0.0.0/8;
	89.0.0.0/8;
	90.0.0.0/8;
	91.0.0.0/8;
	92.0.0.0/8;
	93.0.0.0/8;
	94.0.0.0/8;
	95.0.0.0/8;
	96.0.0.0/8;
	97.0.0.0/8;
	98.0.0.0/8;
	99.0.0.0/8;
	100.0.0.0/8;
	101.0.0.0/8;
	102.0.0.0/8;
	103.0.0.0/8;
	104.0.0.0/8;
	105.0.0.0/8;
	106.0.0.0/8;
	107.0.0.0/8;
	108.0.0.0/8;
	109.0.0.0/8;
	110.0.0.0/8;
	111.0.0.0/8;
	112.0.0.0/8;
	113.0.0.0/8;
	114.0.0.0/8;
	115.0.0.0/8;
	116.0.0.0/8;
	117.0.0.0/8;
	118.0.0.0/8;
	119.0.0.0/8;
	120.0.0.0/8;
	121.0.0.0/8;
	122.0.0.0/8;
	123.0.0.0/8;
	124.0.0.0/8;
	125.0.0.0/8;
	126.0.0.0/8;
	// Link-local (RFC 3927).
	169.254.0.0/16;
	// 172.16.0.0/12; // In use locally, see "trusted".
	173.0.0.0/8;
	174.0.0.0/8;
	175.0.0.0/8;
	176.0.0.0/8;
	177.0.0.0/8;
	178.0.0.0/8;
	179.0.0.0/8;
	180.0.0.0/8;
	181.0.0.0/8;
	182.0.0.0/8;
	183.0.0.0/8;
	184.0.0.0/8;
	185.0.0.0/8;
	186.0.0.0/8;
	187.0.0.0/8;
	189.0.0.0/8;
	190.0.0.0/8;
	// TEST-NET (documentation range).
	192.0.2.0/24;
	// 192.168.0.0/16; // In use locally, see "trusted".
	197.0.0.0/8;
	223.0.0.0/8;
	// Multicast and reserved (224/8 through 255/8).
	224.0.0.0/3;
};

logging {
	// Discard "lame server" messages; everything else still goes to
	// the default channels.  NOTE(review): while chasing the resolution
	// failures described above, sending the "resolver" category to a
	// file channel (instead of relying on global debug levels) is a
	// cheap way to see which upstream servers time out.
	category lame-servers { null; };
};

// Set options for security
// We run BIND9 chroot'ed so all paths are relative to /var/lib/named.
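options {
	// All paths are inside the chroot jail (root: /var/lib/named).
	// Each directory below must exist in the jail and be writable by
	// the "named" user, or the stats/pid/dump files cannot be written.
	directory "/var/cache/bind";
	statistics-file "/var/run/named.stats";
	pid-file "/var/run/named.pid";
	memstatistics-file "/var/named/named.memstats";
	dump-file "/var/adm/named.dump";
	zone-statistics yes;

	// Allow more concurrent recursive lookups than the default; the
	// mail/anti-spam traffic needs them.
	recursive-clients 5000;

	// Pin the EDNS UDP payload size for firewalls that drop DNS
	// replies larger than 512 bytes.  Left disabled.
	// edns-udp-size 512;

	// Fixed query source port.  Left disabled on purpose: a fixed
	// source port removes the source-port randomization that makes
	// spoofed replies harder to inject, so keep it off unless a
	// firewall leaves no other choice.
	// query-source address * port 53;

	// Allow more simultaneous TCP connections.  Left disabled.
	// tcp-clients 500;

	// Do not send NOTIFY messages to secondaries.  Original rationale:
	// avoid NOTIFY-driven bursts of zone transfer requests being used
	// as a DoS vector.  Cost: secondaries only pick up changes at their
	// SOA refresh interval instead of immediately.
	notify no;

	// Pack several records into each message during zone transfers
	// instead of one record per message.
	transfer-format many-answers;

	// Abort inbound zone transfers that run longer than 60 minutes
	// (the value is in minutes).  Raise it for very large zones.
	max-transfer-time-in 60;

	// 0 disables the periodic interface rescan.  NOTE(review): if an
	// address or interface is added, removed or bounced while named is
	// running it will not be noticed (no re-bind) until an "rndc
	// reconfig" or a restart -- relevant to the interface question in
	// the reply quoted below.
	interface-interval 0;

	allow-transfer {
		// Zone transfers only from the "xfer" ACL (currently none).
		xfer;
	};

	allow-query {
		// Server-wide default for every view and zone that does not
		// override it: only the "trusted" ACL may query.  Zones meant
		// for the public must set their own allow-query { any; }.
		trusted;
	};

	blackhole {
		// Ignore traffic from, and never send queries to, the "bogon"
		// ACL.  Because outbound queries are blocked too, any entry in
		// that ACL that has since been allocated becomes unresolvable.
		bogon;
	};

	// Do not set the AA bit on NXDOMAIN answers (RFC 1035 behaviour).
	auth-nxdomain no;

};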

view "internal-in" in {
	// Internal (trusted) view.  Only clients in the "trusted" ACL
	// reach it; for them the server recurses and answers from cache.
	// Views are matched in order, so trusted clients never fall
	// through to the "external-in" view below.

	match-clients { trusted; };
	recursion yes;
	additional-from-auth yes;
	additional-from-cache yes;

	zone "." {
		// Root hints used to prime the cache.  Path is inside the
		// chroot.  NOTE(review): a stale hints file is tolerated as
		// long as at least one listed root server still answers, but
		// it is worth refreshing when chasing resolution problems.
		type hint;
		file "/etc/bind/db.root";
	};

	// Authoritative for the localhost forward/reverse zones and the
	// broadcast reverse zones (RFC 1912).  Each one allows any client
	// to query and nobody to transfer.
	// NOTE(review): "any" here is already limited by match-clients, so
	// it effectively means "any trusted client"; it only widens access
	// for zones placed in the external view.

	zone "localhost" {
		type master;
		file "/etc/bind/db.local";

		allow-query {
			any;
		};

		allow-transfer {
			none;
		};
	};

	zone "127.in-addr.arpa" {
		type master;
		file "/etc/bind/db.127";

		allow-query {
			any;
		};

		allow-transfer {
			none;
		};

	};

	zone "0.in-addr.arpa" {
		type master;
		file "/etc/bind/db.0";

		allow-query {
			any;
		};

		allow-transfer {
			none;
		};

	};

	zone "255.in-addr.arpa" {
		type master;
		file "/etc/bind/db.255";

		allow-query {
			any;
		};

		allow-transfer {
			none;
		};

	};

// more zones here, removed for brevity -- Joel

};

// Create a view for external DNS clients.
view "external-in" in {
	// External (untrusted) view: reached by every client that did not
	// match "internal-in", i.e. anything outside the "trusted" ACL.
	// No recursion and no cache data for these clients.
	// NOTE(review): the options-level allow-query { trusted; } is
	// inherited here unless a zone overrides it, and the only zone
	// shown is the root hint.  As written, external clients would get
	// REFUSED for everything; any public zone in this view needs its
	// own allow-query { any; }.  Confirm against the zones elided
	// from this post.

	match-clients { any; };
	recursion no;
	additional-from-auth no;
	additional-from-cache no;

	// Root hints.  With recursion disabled they are not used for
	// lookups; harmless, but not needed.
	zone "." in {
		type hint;
		file "/etc/bind/db.root";
	};
};

// Create a view for all clients perusing the CHAOS class.
// We allow internal hosts to query our version number.
// This is a good idea from a support point of view.

view "external-chaos" chaos {
	// CHAOS-class view, where version.bind / hostname.bind style
	// queries land.  Any client reaches the view, but the "bind" zone
	// below answers only for the "trusted" ACL, so outsiders cannot
	// fingerprint the server version while support staff still can.
	match-clients { any; };
	recursion no;

	zone "." {
		// Empty hint zone so CHAOS queries never go anywhere.  The
		// path is resolved inside the chroot, so a /dev/null device
		// node must exist in the jail.
		type hint;
		file "/dev/null";
	};

	zone "bind" {
		// Presumably db.bind carries the version.bind and
		// hostname.bind records -- verify the zone file contents.
		type master;
		file "/etc/bind/db.bind";

		allow-query {
			trusted;
		};
		allow-transfer {
			none;
		};
	};


};



Richard Maynard wrote:
 >> > We're experiencing intermittent issues resolving domain names.  Often
 >> > these domains are microsoft.com, cnn.com, etc.  We are running 3
 >> > identical servers and sometimes they can go a week or two without any
 >> > trouble (other times only hours), then without warning one server will
 >> > be unable to perform a recursive lookup for a few domains.
 >
 >
 > Is bind running as a non-root user? If so, is there anything that
 > might be changing the interfaces so bind cannot rebind to them?
 >
 > Is there anything at all appearing in your bind logs? If not, do you have
 > the log level cranked up to see if perhaps you could get something?
 >
 >
 >>We are getting desperate.  I can provide tcpdumps and configs if
 >>necessary.
 >
 >
 > Configs are a good place to start so folks can take a look at how you
 > expect your server to start.
 >

-- 
Joel Nimety
Perimeter/Cybergnostic



