Name Server Question

seekuel seekuel at gmail.com
Fri Jan 5 00:45:04 UTC 2007


Sir,
Thanks for all the great inputs. I'll try again today.

Respectfully,
Sandeil

On 1/4/07, jm <jm at hcn.com.au> wrote:
>
> In the options section of your named.conf you can add a line like:
>
>         allow-recursion { 127.0.0.1; 192.168.0/24 ; 10/8; };
>
> Obviously replacing the subnets with ones appropriate for you.
>
> Cheers,
>
> Jason
>
> seekuel wrote:
> > Sir,
> > I tried enabling recursion. As of now the configuration of /etc/resolv.conf
> > uses 127.0.0.1. The internal workstation can also resolve other domains by
> > using our DNS server but now this server is an open DNS. I think this is not
> > safe.
> >
> > Is there a way that my local users can resolve other domains without making
> > the server an open DNS?
> >
> > Thanks and more power
> >
> > On 1/3/07, Barry Margolin <barmar at alum.mit.edu> wrote:
> >
> >> In article <end4f3$1oug$1 at sf1.isc.org>, seekuel <seekuel at gmail.com>
> >> wrote:
> >>
> >>
> >>> Sir,
> >>> I did install a caching-nameserver because we lack the resources. This
> >>> server is also used as a proxy server and an ftp server.
> >>>
> >>> As you can see it is not tidy and still needs more configuration.
> >>>
> >> The problem is that you have a view configured.  If you use views,
> >> everything has to be in views, and anything that is outside the views is
> >> ignored.  But your view has recursion disabled.
> >>
> >>
> >>> Thanks
> >>>
> >>> -----------------------------------
> >>> Below is the named.conf entry
> >>> -----------------------------------
> >>> //
> >>> // named.conf for Red Hat caching-nameserver
> >>> //
> >>>
> >>> options {
> >>>     directory "/var/named";
> >>>     dump-file "/var/named/data/cache_dump.db";
> >>>         statistics-file "/var/named/data/named_stats.txt";
> >>>     version "NO IDEA";
> >>> //    recursion no;
> >>>     /*
> >>>      * If there is a firewall between you and nameservers you want
> >>>      * to talk to, you might need to uncomment the query-source
> >>>      * directive below.  Previous versions of BIND always asked
> >>>      * questions using port 53, but BIND 8.1 uses an unprivileged
> >>>      * port by default.
> >>>      */
> >>>      // query-source address * port 53;
> >>> };
> >>>
> >>> //
> >>> // a caching only nameserver config
> >>> //
> >>> controls {
> >>>     inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> >>> };
> >>>
> >>> zone "." IN {
> >>>     type hint;
> >>>     file "named.ca";
> >>> };
> >>>
> >>> zone "localdomain" IN {
> >>>     type master;
> >>>     file "localdomain.zone";
> >>>     allow-update { none; };
> >>> };
> >>>
> >>> zone "localhost" IN {
> >>>     type master;
> >>>     file "localhost.zone";
> >>>     allow-update { none; };
> >>> };
> >>>
> >>> zone "0.0.127.in-addr.arpa" IN {
> >>>     type master;
> >>>     file "named.local";
> >>>     allow-update { none; };
> >>> };
> >>>
> >>> zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
> >>>         type master;
> >>>     file "named.ip6.local";
> >>>     allow-update { none; };
> >>> };
> >>>
> >>> zone "255.in-addr.arpa" IN {
> >>>     type master;
> >>>     file "named.broadcast";
> >>>     allow-update { none; };
> >>> };
> >>>
> >>> zone "0.in-addr.arpa" IN {
> >>>     type master;
> >>>     file "named.zero";
> >>>     allow-update { none; };
> >>> };
> >>>
> >>> include "/etc/rndc.key";
> >>> // caching ends here
> >>>
> >>> // name server starts here
> >>> view "trusted" {
> >>>    zone "booom.com.ph" IN {
> >>>         type master;
> >>>         file "masters/booom.com.ph";
> >>>         allow-update { none; };
> >>>         };
> >>>     zone "60.177.203.in-addr.arpa" {
> >>>         type master;
> >>>         file "masters/booom.com.ph.rev";
> >>>     allow-update { none; };
> >>>       };
> >>>     zone "jac.ph" IN {
> >>>         type master;
> >>>         file "masters/jac.ph";
> >>>         allow-update { none; };
> >>>         };
> >>>    zone "booom.internal" {
> >>>     type master;
> >>>     file "masters/booom.internal";
> >>>     };
> >>>
> >>>     zone "1.16.172.in-addr.arpa" {
> >>>         type master;
> >>>         file "masters/booom.internal.rev";
> >>>         allow-update { none; };
> >>>     };
> >>>    recursion no;
> >>> };
> >>> -----------------------------------
> >>> -----------------------------------
> >>>
> >>> On 1/2/07, Danny Mayer <mayer at gis.net> wrote:
> >>>
> >>>> seekuel wrote:
> >>>>
> >>>>> Sir,
> >>>>>
> >>>>> Is there any way to determine this issue? UDP port 53 is open but TCP is
> >>>>> closed.
> >>>>
> >>>> Both need to be open. DNS responses for queries like Google are unlikely
> >>>> to fit into a UDP packet unless it's responding with a larger UDP packet
> >>>> size. That means that it does retries with TCP when it gets a truncated
> >>>> flag.
> >>>>
> >>>>
> >>>>> On 12/30/06, Barry Margolin <barmar at alum.mit.edu> wrote:
> >>>>>
> >>>>>> In article <en3jqh$1vp9$1 at sf1.isc.org>, seekuel <seekuel at gmail.com>
> >>>>>> wrote:
> >>>>>>
> >>>>>>
> >>>>>>> Hello group,
> >>>>>>> I am new to BIND and I've configured a CentOS 4.4 box with bind,
> >>>>>>> bind-chroot, caching-nameserver installed. This box functions as an
> >>>>>>> authoritative name server for our domain.
> >>>>>>>
> >>>> You don't need or want caching if it's just authoritative for the
> >>>> domain.
> >>
> >>>>>>> I am confused. This server is an authoritative server for our domain and
> >>>>>>> when our workstation uses its public IP as the DNS, that workstation cannot
> >>>>>>> resolve other domains. This is also true on the server itself. If I edit
> >>>>>>> /etc/resolv.conf to 127.0.0.1 or its public IP the server cannot resolve
> >>>>>>> other domains, say google.com. When I use our ISP's DNS in /etc/resolv.conf
> >>>>>>> then it can resolve other domains.
> >>>>>>>
> >>>> Then you need to check to see if it's actually receiving the queries.
> >>>> Did you turn on query logging to see if it gets them? Does it work if
> >>>> you query directly with dig?
> >>>>
> >>>>
> >>>>>>> These are some of my questions. In an authoritative name server, why is it
> >>>>>>> that even when a caching-nameserver is installed and /etc/resolv.conf is
> >>>>>>> changed to the server's IP, this server cannot resolve other domains but it
> >>>>>>> can resolve our domain?
> >>>>>>>
> >>>> A nameserver that is only authoritative will only respond to queries for
> >>>> domains that it owns. If you want it to act as a nameserver for lookups
> >>>> for other domains it needs to be set up to allow recursion, but you also
> >>>> want to restrict that to only your own systems.
> >>>>
> >>>>>>> Is there something wrong with the configurations? I'm
> >>>>>>> willing to attach the configuration if needed.
> >>>> You need to post your named.conf file. Please do not edit it as it
> >>>> prevents people from seeing what's really the problem.
> >>>>
> >>>> Danny
> >>>>
> >>>>
> >>> Respectfully yours,
> >>> Sandeil
> >>>
> >> --
> >> Barry Margolin, barmar at alum.mit.edu
> >> Arlington, MA
> >> *** PLEASE post questions in newsgroups, not directly to me ***
> >> *** PLEASE don't copy me on replies, I'll read them in the group ***
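One way to give internal clients recursion without leaving the server as an open resolver, as an added example that is not from any poster in this thread: since views are in use, everything (including the root hints and the recursion settings) goes inside views, with recursion enabled only in the view that matches the internal networks. The ACL ranges are assumptions to be replaced with your own subnets; the zone and file names follow the posted config.

```conf
// Networks allowed to use this server as a recursive resolver.
// Assumption: replace these with your own internal subnets.
acl "internal" {
    127.0.0.1;
    192.168.0.0/24;
    10.0.0.0/8;
};

options {
    directory "/var/named";
    // With views in use, recursion is controlled per view below.
    // "controls" and "include" statements stay outside the views.
};

// Views are matched in order, so the internal view must come first.
view "internal" {
    match-clients { internal; };
    recursion yes;
    allow-recursion { internal; };
    allow-query { internal; };

    // Root hints are only needed where recursion actually happens.
    zone "." IN { type hint; file "named.ca"; };

    zone "booom.com.ph" IN {
        type master;
        file "masters/booom.com.ph";
        allow-update { none; };
    };
    // Internal-only zone: deliberately absent from the external view.
    zone "booom.internal" IN {
        type master;
        file "masters/booom.internal";
        allow-update { none; };
    };
};

// Everyone else gets authoritative answers only: no recursion, no hints.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };

    zone "booom.com.ph" IN {
        type master;
        file "masters/booom.com.ph";
        allow-update { none; };
    };
};
```

Run `named-checkconf` before reloading, and remember the earlier point in the thread that both UDP and TCP port 53 must be reachable by the clients that are allowed to recurse.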

More information about the bind-users mailing list