Name Server Question
jm
jm at hcn.com.au
Thu Jan 4 06:30:31 UTC 2007
In the options section of your named.conf you can add a line like:
allow-recursion { 127.0.0.1; 192.168.0/24 ; 10/8; };
Obviously replacing the subnets with ones appropriate for you.
Cheers,
Jason
seekuel wrote:
> Sir,
> I tried enabling recursion. As of now the configuration of /etc/resolv.conf
> uses 127.0.0.1. The internal workstation can also resolve other domain by
> using our DNS server but now this server is an open DNS. I think this is not
> safe.
>
> Is there a way that my local users can resolve other domain without making
> the server open DNS?
>
> Thanks and more power
>
> On 1/3/07, Barry Margolin <barmar at alum.mit.edu> wrote:
>
>> In article <end4f3$1oug$1 at sf1.isc.org>, seekuel <seekuel at gmail.com>
>> wrote:
>>
>>
>>> Sir,
>>> I did install a caching-nameserver because we lack the resources. This
>>> server is also used as a proxy server and an ftp server.
>>>
>>> As you can see it is not tidy and still needs more configuration.
>>>
>> The problem is that you have a view configured. If you use views,
>> everything has to be in views, and anything that is outside the views is
>> ignored. But your view has recursion disabled.
>>
>>
>>> Thanks
>>>
>>> -----------------------------------
>>> Below is the named.conf entry
>>> -----------------------------------
>>> //
>>> // named.conf for Red Hat caching-nameserver
>>> //
>>>
>>> options {
>>> directory "/var/named";
>>> dump-file "/var/named/data/cache_dump.db";
>>> statistics-file "/var/named/data/named_stats.txt";
>>> version "NO IDEA";
>>> // recursion no;
>>> /*
>>> * If there is a firewall between you and nameservers you want
>>> * to talk to, you might need to uncomment the query-source
>>> * directive below. Previous versions of BIND always asked
>>> * questions using port 53, but BIND 8.1 uses an unprivileged
>>> * port by default.
>>> */
>>> // query-source address * port 53;
>>> };
>>>
>>> //
>>> // a caching only nameserver config
>>> //
>>> controls {
>>> inet 127.0.0.1 allow { localhost; } keys { rndckey; };
>>> };
>>>
>>> zone "." IN {
>>> type hint;
>>> file "named.ca";
>>> };
>>>
>>> zone "localdomain" IN {
>>> type master;
>>> file "localdomain.zone";
>>> allow-update { none; };
>>> };
>>>
>>> zone "localhost" IN {
>>> type master;
>>> file "localhost.zone";
>>> allow-update { none; };
>>> };
>>>
>>> zone "0.0.127.in-addr.arpa" IN {
>>> type master;
>>> file "named.local";
>>> allow-update { none; };
>>> };
>>>
>>> zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
>>> type master;
>>> file "named.ip6.local";
>>> allow-update { none; };
>>> };
>>>
>>> zone "255.in-addr.arpa" IN {
>>> type master;
>>> file "named.broadcast";
>>> allow-update { none; };
>>> };
>>>
>>> zone "0.in-addr.arpa" IN {
>>> type master;
>>> file "named.zero";
>>> allow-update { none; };
>>> };
>>>
>>> include "/etc/rndc.key";
>>> // caching ends here
>>>
>>> // name server starts here
>>> view "trusted" {
>>> zone "booom.com.ph" IN {
>>> type master;
>>> file "masters/booom.com.ph";
>>> allow-update { none; };
>>> };
>>> zone "60.177.203.in-addr.arpa" {
>>> type master;
>>> file "masters/booom.com.ph.rev";
>>> allow-update { none; };
>>> };
>>> zone "jac.ph" IN {
>>> type master;
>>> file "masters/jac.ph";
>>> allow-update { none; };
>>> };
>>> zone "booom.internal" {
>>> type master;
>>> file "masters/booom.internal";
>>> };
>>>
>>> zone "1.16.172.in-addr.arpa" {
>>> type master;
>>> file "masters/booom.internal.rev";
>>> allow-update { none; };
>>> };
>>> recursion no;
>>> };
>>> -----------------------------------
>>> -----------------------------------
>>>
>>> On 1/2/07, Danny Mayer <mayer at gis.net> wrote:
>>>
>>>> seekuel wrote:
>>>>
>>>>> Sir,
>>>>>
>>>>> Is there any way to determine this issue? UDP port 53 is open but
>>>>> TCP is closed.
>>>>
>>>> Both need to be open. DNS responses for queries like Google are
>>>> unlikely to fit into a UDP packet unless it's responding with a larger
>>>> UDP packet size. That means that it does retries with TCP when it gets
>>>> a truncated flag.
>>>>
>>>>
>>>>> On 12/30/06, Barry Margolin <barmar at alum.mit.edu> wrote:
>>>>>
>>>>>> In article <en3jqh$1vp9$1 at sf1.isc.org>, seekuel <seekuel at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>
>>>>>>> Hello group,
>>>>>>> I am new to BIND and I've configured a centos 4.4 box with bind,
>>>>>>> bind-chroot, caching-nameserver installed. This box functions as an
>>>>>>> authoritative name server for our domain.
>>>>>>>
>>>>>>>
>>>> You don't need or want caching if it's just authoritative for the
>>>> domain.
>>
>>>>>>> I am confused. This server is an authoritative server for our
>>>>>>> domain and when our workstation uses its public ip as the dns that
>>>>>>> workstation cannot resolve other domains. This is also true on the
>>>>>>> server itself. If I edit /etc/resolv.conf to 127.0.0.1 or its
>>>>>>> public ip the server cannot resolve other domains, say google.com.
>>>>>>> When I use our ISP's dns in /etc/resolv.conf then it can resolve
>>>>>>> other domains.
>>>>>>>
>>>>>>>
>>>> Then you need to check to see if it's actually receiving the queries.
>>>> Did you turn on query logging to see if it gets them? Does it work if
>>>> you query directly with dig?
>>>>
>>>>
>>>>>>> These are some of my questions. In an authoritative name server,
>>>>>>> why is it that even when a caching-nameserver is installed and I
>>>>>>> change /etc/resolv.conf to the server's ip, this server cannot
>>>>>>> resolve other domains but it can resolve our domain?
>>>>>>>
>>>> A nameserver that is only authoritative will only respond to queries
>>>> for domains that it owns. If you want it to act as a nameserver for
>>>> lookups for other domains it needs to be set up to allow recursion, but
>>>> you also want to restrict that to only your own systems.
>>>>
>>>>>>> Is there something wrong with the configurations? I'm willing to
>>>>>>> attach the configuration if needed.
>>>>>>>
>>>> You need to post your named.conf file. Please do not edit it as it
>>>> prevents people from seeing what's really the problem.
>>>>
>>>> Danny
>>>>
>>>>
>>> Respectfully yours,
>>> Sandeil
>>>
>> --
>> Barry Margolin, barmar at alum.mit.edu
>> Arlington, MA
>> *** PLEASE post questions in newsgroups, not directly to me ***
>> *** PLEASE don't copy me on replies, I'll read them in the group ***
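A named.conf layout that follows both pieces of advice in this thread (an added example, not configuration posted by anyone above): all zones live inside views, the view for the subnets Jason lists recurses, and a second view for everyone else is authoritative-only. The acl name and the "public" view name are my own; the subnets, zone name and file path come from the messages in the thread.

```conf
// Added example: with views in use, anything outside a view is ignored,
// so the hint zone and every authoritative zone go inside a view.
// "internal" covers the subnets from Jason's reply; adjust to your network.
acl "internal" { 127.0.0.1; 192.168.0/24; 10/8; };

options {
    directory "/var/named";
    // No zones or recursion settings out here; they belong in the views.
};

// Queries from the LAN: answer for our zones and recurse for everything else.
view "trusted" {
    match-clients { "internal"; };
    recursion yes;
    allow-recursion { "internal"; };

    // Root hints are only needed where recursion actually happens.
    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "booom.com.ph" IN {
        type master;
        file "masters/booom.com.ph";
        allow-update { none; };
    };
    // localhost, in-addr.arpa and the other internal zones go in here as well.
};

// Everyone else: authoritative answers only, so the server is not an
// open resolver.
view "public" {
    match-clients { any; };
    recursion no;

    zone "booom.com.ph" IN {
        type master;
        file "masters/booom.com.ph";
        allow-update { none; };
    };
};
```

Run `named-checkconf` after editing, and confirm from an outside address that a query for a name you are not authoritative for is refused while the same query from the LAN is answered.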