problem with named.conf

Matt Sickler crazyfordynamite at gmail.com
Wed Mar 28 03:57:19 UTC 2007


I realize this now; perhaps I should just take "msk3.ath.cx" out of the
search path.
On 3/27/07, Kevin Darcy <kcd at daimlerchrysler.com> wrote:
>
> In the time it took you to participate in this email thread, you could
> have easily replaced that wildcard record with 2 A records and thus
> eliminated your problem. I guess it wasn't really much of a time-saver eh?
>
> Wildcards should only be used with a full understanding of their effects
> and consequences. Wildcard address records (i.e. A or AAAA records) are
> particularly susceptible to "accidental" matches, as you have discovered.
>
>
>    - Kevin
>
>
> Matt Sickler wrote:
> > Well, my website is msk3.ath.cx and I host a couple of subdomains. Using
> > *.msk3.ath.cx was because /etc/hosts doesn't support wildcards.
> > I think I added the search feature because I like to name my computers
> > "<5LetterName>.msk3.ath.cx" and refer to them as just "<5LetterName>".
> >
> > On 3/26/07, Kal Feher <kal.feher at melbourneit.com.au> wrote:
> >
> >> This is a function of the client software, not BIND. Assuming you have a
> >> good reason for using a wildcard in your "msk3.ath.cx." zone, you'll need
> >> to remove the search suffix. But that isn't a very good way of *fixing*
> >> the problem.
> >>
> >> The thing to note here is that BIND *is* responding with a timeout. Your
> >> client machines are simply looking up a new address (search domains
> >> appended) and your wildcard record naturally matches these secondary
> >> lookups.
> >>
> >> Perhaps if you could enunciate why you have a wildcard, we could suggest
> >> something more appropriate?
> >>
> >>
> >> On 27/3/07 12:43 PM, "Matt Sickler" <crazyfordynamite at gmail.com> wrote:
> >>
> >>
> >>> Is there any way to fix this so that when the link is down it responds
> >>> with a timeout or something?
> >>> On 3/26/07, Dawn Connelly <dawn.connelly at gmail.com> wrote:
> >>>
> >>>> It looks like you are forwarding to DNS servers that are not on your
> >>>> LAN, so when your network link is down, the requests you aren't
> >>>> authoritative for and don't have cache for are timing out. Since the
> >>>> requesting machine isn't getting an answer for the DNS record it's
> >>>> asking for, it's appending it with anything it has in its search
> >>>> suffix. If they are querying for www.google.com, it doesn't get an
> >>>> answer, so it queries for www.google.com.msk3.ath.cx. Since you have a
> >>>> wildcard A record, it'll match everything that has been appended. The
> >>>> best way to show this is when your internet connection is down, do a
> >>>> query for <www.google.com.>  Make sure to do it once WITH a period at
> >>>> the end and once WITHOUT a period at the end. The one with a period
> >>>> will time out. The one without a period will append with the
> >>>> msk3.ath.cx domain and you'll get that wildcard answer.
> >>>>
> >>>> On 3/26/07, Matt Sickler <crazyfordynamite at gmail.com> wrote:
> >>>>
> >>>>> I have been trying to set up a local (LAN only) DNS server that does
> >>>>> recursive lookups for domains it does not control (I think this is
> >>>>> what I mean...). Basically I want it to be authoritative for
> >>>>> example.com but resort to asking another DNS server[s] for everything
> >>>>> else (and cache the answer).
> >>>>> The problem with my config now is that whenever my internet connection
> >>>>> goes down, for some reason the server returns 192.168.24.11 for any DNS
> >>>>> request. Some have said this is because I set my servers to be on the
> >>>>> "msk3.ath.cx" domain and it matches a "*.msk3.ath.cx. IN A
> >>>>> 192.168.24.11" line in the msk3.ath.cx db....
> >>>>> Perhaps there is a way to fix this?
> >>>>>
> >>>>> <config>
> >>>>> //
> >>>>> // named.conf for Red Hat caching-nameserver
> >>>>> //
> >>>>> /* this little bit is supposed to only allow my subnet to use it (192.168.24.0/24)
> >>>>> controls {
> >>>>>     inet 192.168.1.5 allow {
> >>>>>     192.168.24.0/24;
> >>>>>     localhost;
> >>>>>   } keys {
> >>>>>     rndckey;
> >>>>>   };
> >>>>> };
> >>>>> */
> >>>>>
> >>>>>
> >>>>> options {
> >>>>>     directory "/var/named";
> >>>>>     dump-file "/var/named/data/cache_dump.db";
> >>>>>     statistics-file "/var/named/data/named_stats.txt";
> >>>>>     /*
> >>>>>      * If there is a firewall between you and nameservers you want
> >>>>>      * to talk to, you might need to uncomment the query-source
> >>>>>      * directive below.  Previous versions of BIND always asked
> >>>>>      * questions using port 53, but BIND 8.1 uses an unprivileged
> >>>>>      * port by default.
> >>>>>      */
> >>>>>      // query-source address * port 53;
> >>>>>     forwarders {
> >>>>>         // these are the servers I'd like it to ask if it doesn't have
> >>>>>         // the answer, and cache results
> >>>>>         // OpenDNS
> >>>>>         208.67.222.222;
> >>>>>         208.67.220.220;
> >>>>>         // Alliance
> >>>>>         66.231.7.27;
> >>>>>         66.231.7.28;
> >>>>>     };
> >>>>> };
> >>>>> logging {
> >>>>>         channel default_debug {
> >>>>>                 file "data/named.run";
> >>>>>                 severity dynamic;
> >>>>>         };
> >>>>> };
> >>>>>
> >>>>> //
> >>>>> // a caching only nameserver config
> >>>>> //
> >>>>>
> >>>>> zone "24.168.192.IN-ADDR.ARPA." IN {
> >>>>>     type master;
> >>>>>     file "192.168.24.db";
> >>>>> };
> >>>>> zone "msk3.ath.cx." IN {
> >>>>>     type master;
> >>>>>     file "msk3.ath.cx.db";
> >>>>> };
> >>>>> zone "kisho.mine.nu." IN {
> >>>>>     type master;
> >>>>>     file "kisho.mine.nu.db";
> >>>>> };
> >>>>> zone "xitix.mine.nu." IN {
> >>>>>     type master;
> >>>>>     file "xitix.mine.nu.db";
> >>>>> };
> >>>>> zone "." IN {
> >>>>>     type hint;
> >>>>>     file "named.ca";
> >>>>> };
> >>>>>
> >>>>> zone "localdomain" IN {
> >>>>>     type master;
> >>>>>     file "localdomain.zone";
> >>>>>     allow-update { none; };
> >>>>> };
> >>>>>
> >>>>> zone "localhost" IN {
> >>>>>     type master;
> >>>>>     file "localhost.zone";
> >>>>>     allow-update { none; };
> >>>>> };
> >>>>>
> >>>>> zone "0.0.127.in-addr.arpa" IN {
> >>>>>     type master;
> >>>>>     file "named.local";
> >>>>>     allow-update { none; };
> >>>>> };
> >>>>>
> >>>>> zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
> >>>>>     type master;
> >>>>>     file "named.ip6.local";
> >>>>>     allow-update { none; };
> >>>>> };
> >>>>>
> >>>>> zone "255.in-addr.arpa" IN {
> >>>>>     type master;
> >>>>>     file "named.broadcast";
> >>>>>     allow-update { none; };
> >>>>> };
> >>>>>
> >>>>> zone "0.in-addr.arpa" IN {
> >>>>>     type master;
> >>>>>     file "named.zero";
> >>>>>     allow-update { none; };
> >>>>> };
> >>>>>
> >>>>> include "/etc/rndc.key";
> >>>>> </config>
> >>>>>
> >>>
> >>>
> >> --
> >> Kal Feher
> >> Team Leader
> >> Network Services and Production Support
> >> Melbourne IT Ltd
> >> Level 2, 120 King Street
> >> Melbourne Victoria 3000
> >> AUSTRALIA
> >> Ph:    + 61 3 8624 2326
> >> Mob:   + 61 400 072 569
> >> Website:   www.MelbourneIT.com.au
> >>
> >>
> >>
> >
>
>
>
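Added illustration (not from the thread or any of its participants): a small Python model of the glibc stub-resolver search list and RFC 4592 wildcard matching, showing why the same query returns the wildcard address only when it is unqualified and the forwarders are unreachable, and that replacing the wildcard with explicit A records, as suggested above, removes the false answer. The zone contents beyond the quoted wildcard line, the host names kisho and xitix, and the "upstream:" marker are constructed assumptions.

```python
# Added example: model the glibc stub-resolver search list (ndots) and RFC 4592
# wildcard matching to show why an unqualified "www.google.com" gets the
# wildcard address when the forwarders time out.
SEARCH = ["msk3.ath.cx"]  # the clients' resolv.conf "search msk3.ath.cx"
NDOTS = 1                 # glibc default

# Constructed zone data: only the wildcard line is quoted in the thread.
ZONE_WILDCARD = {"msk3.ath.cx.": "192.168.1.5",
                 "*.msk3.ath.cx.": "192.168.24.11"}
# The suggested fix: explicit A records (host names assumed) instead of the wildcard.
ZONE_FIXED = {"msk3.ath.cx.": "192.168.1.5",
              "kisho.msk3.ath.cx.": "192.168.24.11",
              "xitix.msk3.ath.cx.": "192.168.24.11"}


def candidates(name, search=SEARCH, ndots=NDOTS):
    """Fully qualified names a glibc-style stub resolver tries, in order."""
    if name.endswith("."):
        return [name]                   # absolute name: never expanded
    expanded = [f"{name}.{s}." for s in search]
    # enough dots: try the name as-is first, then the search list; else reverse
    return [name + "."] + expanded if name.count(".") >= ndots else expanded + [name + "."]


def zone_lookup(zone, qname):
    """Authoritative answer per RFC 4592: exact match, else the wildcard at the
    closest encloser; an existing closer name blocks the wildcard."""
    if qname in zone:
        return zone[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in zone:            # closest encloser found
            return zone.get("*." + ancestor)  # wildcard A, or None (NXDOMAIN)
    return None


def resolve(name, zone, upstream_ok, apex="msk3.ath.cx."):
    """Walk the candidate list as the stub resolver does: a timeout or NXDOMAIN
    for one candidate means the next, search-suffixed one is tried."""
    for qname in candidates(name):
        if qname == apex or qname.endswith("." + apex):
            answer = zone_lookup(zone, qname)
            if answer is not None:
                return answer           # authoritative answer, maybe the wildcard
            continue                    # NXDOMAIN: try the next candidate
        if upstream_ok:
            return "upstream:" + qname  # placeholder for the forwarder's answer
        # forwarders unreachable: this candidate times out, fall through
    return None                         # every candidate failed
```

With the forwarders down, resolve("www.google.com", ZONE_WILDCARD, False) returns 192.168.24.11 while the dotted form returns None, matching the dig-with-and-without-period test described above.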




More information about the bind-users mailing list