BIND9 Internal Reverse Look-ups Fail
michael peters
mdpeters67 at gmail.com
Sun Mar 21 00:13:16 UTC 2010
On Sat, Mar 20, 2010 at 7:11 PM, michael peters <mdpeters67 at gmail.com> wrote:
> Mar 20 19:07:37 catapult named[29579]: starting BIND 9.6.1-P1 -u bind
> Mar 20 19:07:37 catapult named[29579]: built with '--prefix=/usr'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
> '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static'
> '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
> '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes'
> '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes'
> '--with-geoip=/usr' '--enable-ipv6'
> 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
> 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2'
> 'FFLAGS=-g -O2'
> Mar 20 19:07:37 catapult named[29579]: adjusted limit on open files from
> 1024 to 1048576
> Mar 20 19:07:37 catapult named[29579]: found 4 CPUs, using 4 worker threads
> Mar 20 19:07:37 catapult named[29579]: using up to 4096 sockets
> Mar 20 19:07:37 catapult named[29579]: loading configuration from
> '/etc/bind/named.conf'
> Mar 20 19:07:37 catapult named[29579]: using default UDP/IPv4 port range:
> [1024, 65535]
> Mar 20 19:07:37 catapult named[29579]: using default UDP/IPv6 port range:
> [1024, 65535]
> Mar 20 19:07:37 catapult named[29579]: listening on IPv6 interfaces, port
> 53
> Mar 20 19:07:37 catapult named[29579]: listening on IPv4 interface lo,
> 127.0.0.1#53
> Mar 20 19:07:37 catapult named[29579]: listening on IPv4 interface eth0,
> 172.16.0.140#53
> Mar 20 19:07:37 catapult named[29579]: zone 'lazarusalliance.com' allows
> updates by IP address, which is insecure
> Mar 20 19:07:37 catapult named[29579]: zone '0.253.150.10.in-addr.arpa'
> allows updates by IP address, which is insecure
> Mar 20 19:07:37 catapult named[29579]: zone '0.0.16.172.in-addr.arpa'
> allows updates by IP address, which is insecure
> Mar 20 19:07:37 catapult named[29579]: automatic empty zone:
> 254.169.IN-ADDR.ARPA
> Mar 20 19:07:37 catapult named[29579]: automatic empty zone:
> 2.0.192.IN-ADDR.ARPA
> Mar 20 19:07:37 catapult named[29579]: automatic empty zone:
> 255.255.255.255.IN-ADDR.ARPA
> Mar 20 19:07:37 catapult named[29579]: automatic empty zone:
> 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
> Mar 20 19:07:37 catapult named[29579]: automatic empty zone:
> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
> Mar 20 19:07:37 catapult named[29579]: automatic empty zone: D.F.IP6.ARPA
> Mar 20 19:07:37 catapult named[29579]: automatic empty zone: 8.E.F.IP6.ARPA
> Mar 20 19:07:37 catapult named[29579]: automatic empty zone: 9.E.F.IP6.ARPA
> Mar 20 19:07:37 catapult named[29579]: automatic empty zone: A.E.F.IP6.ARPA
> Mar 20 19:07:37 catapult named[29579]: automatic empty zone: B.E.F.IP6.ARPA
> Mar 20 19:07:37 catapult named[29579]: command channel listening on
> 127.0.0.1#953
> Mar 20 19:07:37 catapult named[29579]: zone 0.in-addr.arpa/IN: loaded
> serial 1
> Mar 20 19:07:37 catapult named[29579]: zone 0.253.150.10.in-addr.arpa/IN:
> loaded serial 2010032001
> Mar 20 19:07:37 catapult named[29579]: zone 127.in-addr.arpa/IN: loaded
> serial 1
> Mar 20 19:07:37 catapult named[29579]: /etc/bind/172.16.0.0.rev:11:
> ignoring out-of-zone data (140.0.16.172.in-addr.arpa)
> Mar 20 19:07:37 catapult named[29579]: /etc/bind/172.16.0.0.rev:12:
> ignoring out-of-zone data (141.0.16.172.in-addr.arpa)
> Mar 20 19:07:37 catapult named[29579]: zone 0.0.16.172.in-addr.arpa/IN:
> loaded serial 2010032000
> Mar 20 19:07:37 catapult named[29579]: zone 255.in-addr.arpa/IN: loaded
> serial 1
> Mar 20 19:07:37 catapult named[29579]: zone lazarusalliance.com/IN: loaded
> serial 2010032003
> Mar 20 19:07:37 catapult named[29579]: zone localhost/IN: loaded serial 2
> Mar 20 19:07:37 catapult named[29579]: running
>
> ************************************************
>
> root at catapult:/etc/bind# dig @172.16.0.140 253.150.10.in-addr.arpa SOA +aa
> +norec
>
> ; <<>> DiG 9.6.1-P1 <<>> @172.16.0.140 253.150.10.in-addr.arpa SOA +aa
> +norec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5824
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;253.150.10.in-addr.arpa. IN SOA
>
> ;; AUTHORITY SECTION:
> 10.in-addr.arpa. 84879 IN NS BLACKHOLE-2.IANA.ORG.
> 10.in-addr.arpa. 84879 IN NS BLACKHOLE-1.IANA.ORG.
>
> ;; ADDITIONAL SECTION:
> BLACKHOLE-1.IANA.ORG. 2080 IN A 192.175.48.6
> BLACKHOLE-2.IANA.ORG. 2080 IN A 192.175.48.42
>
> ;; Query time: 0 msec
> ;; SERVER: 172.16.0.140#53(172.16.0.140)
> ;; WHEN: Sat Mar 20 18:59:47 2010
> ;; MSG SIZE rcvd: 133
>
> ************************************************
>
> root at catapult:/etc/bind# dig @172.16.0.140 30.253.150.10.in-addr.arpa PTR
> +aa +norec
>
> ; <<>> DiG 9.6.1-P1 <<>> @172.16.0.140 30.253.150.10.in-addr.arpa PTR +aa
> +norec
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55310
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;30.253.150.10.in-addr.arpa. IN PTR
>
> ;; AUTHORITY SECTION:
> 10.in-addr.arpa. 84849 IN NS BLACKHOLE-1.IANA.ORG.
> 10.in-addr.arpa. 84849 IN NS BLACKHOLE-2.IANA.ORG.
>
> ;; ADDITIONAL SECTION:
> BLACKHOLE-1.IANA.ORG. 2050 IN A 192.175.48.6
> BLACKHOLE-2.IANA.ORG. 2050 IN A 192.175.48.42
>
> ;; Query time: 0 msec
> ;; SERVER: 172.16.0.140#53(172.16.0.140)
> ;; WHEN: Sat Mar 20 19:00:17 2010
> ;; MSG SIZE rcvd: 136
>
> root at catapult:/etc/bind#
>
> ************************************************
>
> root at catapult:/etc/bind# more 10.150.253.0.rev
> $TTL 86400
> @ IN SOA catapult.lazarusalliance.com.
> postmaster.lazarusalliance.com. (
> 2010032001
> 10800
> 900
> 604800
> 3600 )
> ;
> @ IN NS catapult.lazarusalliance.com.
>
> 41 IN PTR castor.lazarusalliance.com.
> 30 IN PTR lazarusalliance.com.
> 75 IN PTR birdseye.lazarusalliance.com.
> 186 IN PTR equinox.lazarusalliance.com.
> 187 IN PTR pollux.lazarusalliance.com.
> 185 IN PTR solstice.lazarusalliance.com.
> 30 IN PTR lazarusalliance.com.
> 30 IN PTR www.lazarusalliance.com.
>
> ************************************************
>
> root at catapult:/etc/bind# more named.conf
> acl Internals {
> 172.16.0.0/16;
> 10.150.253.0/24;
> };
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> controls {
> inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
> };
> key rndc-key {
> algorithm hmac-md5;
> secret "********************************";
> };
>
> ************************************************
>
> root at catapult:/etc/bind# more named.conf.local
> //
> // Do any local configuration here
> //
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> //include "/etc/bind/zones.rfc1918";
>
> zone "lazarusalliance.com" in {
> type master;
> file "/etc/bind/lazarusalliance.com.hosts";
> allow-update {
> any;
> };
> allow-transfer {
> any;
> };
> allow-query {
> any;
> };
> };
> zone "0.253.150.10.in-addr.arpa" in {
> type master;
> file "/etc/bind/10.150.253.0.rev";
> };
> zone "0.0.16.172.in-addr.arpa" in {
> type master;
> file "/etc/bind/172.16.0.0.rev";
> };
> root at catapult:/etc/bind#
>
> ************************************************
>
> root at catapult:/etc/bind# more named.conf.default-zones
> // prime the server with knowledge of the root servers
> zone "." {
> type hint;
> file "/etc/bind/db.root";
> };
>
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
>
> zone "localhost" {
> type master;
> file "/etc/bind/db.local";
> };
>
> zone "127.in-addr.arpa" {
> type master;
> file "/etc/bind/db.127";
> notify no;
> };
>
> zone "0.in-addr.arpa" {
> type master;
> file "/etc/bind/db.0";
> };
>
> zone "255.in-addr.arpa" {
> type master;
> file "/etc/bind/db.255";
> };
>
> ************************************************
>
> root at catapult:/etc/bind# more named.conf.options
> options {
> directory "/var/cache/bind";
>
> // If there is a firewall between you and nameservers you want
> // to talk to, you may need to fix the firewall to allow multiple
> // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
> // If your ISP provided one or more IP addresses for stable
> // nameservers, you probably want to use them as forwarders.
> // Uncomment the following block, and insert the addresses replacing
> // the all-0's placeholder.
>
> // forwarders {
> // 0.0.0.0;
> // };
>
> auth-nxdomain no; # conform to RFC1035
> listen-on-v6 { any; };
> allow-transfer {
> any;
> };
> allow-query {
> any;
> };
> allow-recursion {
> any;
> };
> };
>
> ************************************************
>
> On Sat, Mar 20, 2010 at 6:58 PM, Doug Barton <dougb at dougbarton.us> wrote:
>
>> On 03/20/10 16:46, michael peters wrote:
>> > I've been reading documentation, searching the archives, searched Google
>> > for the answer, but have found nothing that solves the problem.
>> >
>> > I have an Ubuntu 9.10 system with BIND 9.6.1 installed for my internal
>> > DNS system.
>>
>> You'll want to update to at least 9.6.2 to get all the latest
>> security/bugfix updates, and 9.6.2-P1 if you're doing DNSSEC validation.
>>
>> > External forward and reverse work fine, Internal forward
>> > works fine but it fails on every PTR record. I've used zone and
>> > configuration tools to check the files and all get returned without
>> > error.
>> >
>> > Here is an example:
>>
>> http://dougbarton.us/DNS/bind-users-FAQ.html#nslookup-evil
>>
>> > ** server can't find 30.253.150.10.in-addr.arpa.: NXDOMAIN
>>
>> It would help if you posted the zone statement for
>> 253.150.10.in-addr.arpa from named.conf at minimum. If possible posting
>> the zone file too might make it easier to help debug your problem.
>>
>> Meanwhile, what do the following commands return for you?
>>
>> dig @172.16.0.140 253.150.10.in-addr.arpa SOA +aa +norec
>>
>> dig @172.16.0.140 30.253.150.10.in-addr.arpa PTR +aa +norec
>>
>> And on the server, named-checkconf and a named-checkzone for
>> 253.150.10.in-addr.arpa.
>>
>> And of course, are there any errors in your logs when you load named
>> that look relevant?
>>
>> Doug
>>
>> --
>>
>> ... and that's just a little bit of history repeating.
>> -- Propellerheads
>>
>> Improve the effectiveness of your Internet presence with
>> a domain name makeover! http://SupersetSolutions.com/
>>
>>
>