Views and no answers ...
Thomas Schweikle
tps at vr-web.de
Thu Jul 28 16:31:17 UTC 2011
On 28.07.2011 01:18, Bob wrote:
> These two views are identical in any way I can see, so the fault may
> be in an included configuration file that is not included in your
> message.
>
> Look for allow-query, allow-recursion or allow-cache statements in
> your other config files.
Did this. The only "allow" I could find was "allow-transfer".
The only two parts I left out were "options", the included keys and
"logging":
!options {
! directory "/var/tmp/named";
! pid-file "/var/run/named/named.pid";
! dump-file "/var/run/named/named_dump.db";
! statistics-file "/var/run/named/named.stats";
! listen-on { any; };
! #listen-on-v6 { any; };
!
! recursion yes;
! auth-nxdomain no;
!};
!include "/etc/named/mskey.key";
!include "/etc/named/bind.keys";
!include "/etc/bind/key.rndc";
mskey.key:
!key mskey {
! algorithm hmac-md5;
! secret ".....................";
!};
bind.keys:
!managed-keys {
! # NOTE: This key is current as of October 2009.
! # If it fails to initialize correctly, it may have expired;
! # see https://www.isc.org/solutions/dlv for a replacement.
! dlv.isc.org. initial-key 257 3 5
!"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
!brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
!1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
!ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
!Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
!QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
!TDN0YUuWrBNh";
!};
key.rndc:
!key "xompukey" {
! algorithm hmac-md5;
! secret "............................................";
!};
!logging {
! channel security_log {
! file "/var/log/named/security.log";
! severity info;
! print-time yes;
! };
! channel update_log {
! file "/var/log/named/update.log";
! severity info;
! print-time yes;
! };
! channel query_log {
! file "/var/log/named/query.log";
! severity debug 3;
! print-time yes;
! };
! channel debug_log {
! file "/var/log/named/debug.log";
! severity info;
! print-time yes;
! };
! category update { update_log; };
! category queries { query_log; };
! category default { debug_log; };
! category security { security_log; };
! category unmatched { null; };
!};
calling "dig +trace google.com" on systems located in 192.168.180.0/23:
!; <<>> DiG 9.7.3 <<>> +trace google.com
!;; global options: +cmd
!. 518400 IN NS e.root-servers.net.
!. 518400 IN NS f.root-servers.net.
!. 518400 IN NS h.root-servers.net.
!. 518400 IN NS i.root-servers.net.
!. 518400 IN NS m.root-servers.net.
!. 518400 IN NS d.root-servers.net.
!. 518400 IN NS a.root-servers.net.
!. 518400 IN NS g.root-servers.net.
!. 518400 IN NS b.root-servers.net.
!. 518400 IN NS c.root-servers.net.
!. 518400 IN NS l.root-servers.net.
!. 518400 IN NS j.root-servers.net.
!. 518400 IN NS k.root-servers.net.
!;; Received 244 bytes from 192.168.180.28#53(ns.example.de) in 0 ms
!
!com. 172800 IN NS c.gtld-servers.net.
!com. 172800 IN NS j.gtld-servers.net.
!com. 172800 IN NS l.gtld-servers.net.
!com. 172800 IN NS e.gtld-servers.net.
!com. 172800 IN NS f.gtld-servers.net.
!com. 172800 IN NS h.gtld-servers.net.
!com. 172800 IN NS a.gtld-servers.net.
!com. 172800 IN NS g.gtld-servers.net.
!com. 172800 IN NS k.gtld-servers.net.
!com. 172800 IN NS b.gtld-servers.net.
!com. 172800 IN NS i.gtld-servers.net.
!com. 172800 IN NS m.gtld-servers.net.
!com. 172800 IN NS d.gtld-servers.net.
!;; Received 488 bytes from 128.8.10.90#53(d.root-servers.net) in 100 ms
!
!google.com. 172800 IN NS ns2.google.com.
!google.com. 172800 IN NS ns1.google.com.
!google.com. 172800 IN NS ns3.google.com.
!google.com. 172800 IN NS ns4.google.com.
!;; Received 164 bytes from 192.42.93.30#53(g.gtld-servers.net) in 161 ms
!
!google.com. 300 IN A 209.85.148.103
!google.com. 300 IN A 209.85.148.99
!google.com. 300 IN A 209.85.148.104
!google.com. 300 IN A 209.85.148.147
!google.com. 300 IN A 209.85.148.106
!google.com. 300 IN A 209.85.148.105
!;; Received 124 bytes from 216.239.38.10#53(ns4.google.com) in 95 ms
calling "dig +trace google.com" on systems located in 192.168.112.0/23:
!; <<>> DiG 9.7.3 <<>> +trace google.com
!;; global options: +cmd
!. 518400 IN NS l.root-servers.net.
!. 518400 IN NS g.root-servers.net.
!. 518400 IN NS d.root-servers.net.
!. 518400 IN NS i.root-servers.net.
!. 518400 IN NS k.root-servers.net.
!. 518400 IN NS c.root-servers.net.
!. 518400 IN NS j.root-servers.net.
!. 518400 IN NS a.root-servers.net.
!. 518400 IN NS e.root-servers.net.
!. 518400 IN NS f.root-servers.net.
!. 518400 IN NS b.root-servers.net.
!. 518400 IN NS h.root-servers.net.
!. 518400 IN NS m.root-servers.net.
!;; Received 228 bytes from 192.168.180.28#53(ns.example.de) in 24 ms
!
!;; connection timed out; no servers could be reached
Any of the servers can be reached from both subnets:
!# ping a.gtld-servers.net
!PING a.gtld-servers.net (192.5.6.30) 56(84) bytes of data.
!64 bytes from a.gtld-servers.net (192.5.6.30): icmp_req=1 ttl=117 time=127 ms
!64 bytes from a.gtld-servers.net (192.5.6.30): icmp_req=2 ttl=117 time=128 ms
and on the other subnet (using the IP address):
!$ ping 192.5.6.30
!PING 192.5.6.30 (192.5.6.30) 56(84) bytes of data.
!64 bytes from 192.5.6.30: icmp_req=1 ttl=118 time=129 ms
!64 bytes from 192.5.6.30: icmp_req=2 ttl=118 time=129 ms
!64 bytes from 192.5.6.30: icmp_req=3 ttl=118 time=129 ms
????? --- I am a little bit lost at the moment ...
> When using views, I often find it more manageable to move such
> options inside the view definition.
>
> Mvh. / Regards
> Bob
>
> On 2011-07-25 16:24, Thomas Schweikle wrote:
>> Hi!
>>
>> I have set up a view for one site. It is bound to change answers as
>> necessary for different IP-ranges. It works as far as I could see.
>> But with one ip-range there is a problem ...
>>
>> I can query internal addresses:
>> !user@kvm2:~# host intweb.example.de
>> !web.example.de has address 192.168.180.46
>>
>> But external ones do not work:
>> !user@kvm2:~# host google.com
>> !user@kvm2:~#
>>
>> The host I am trying on has address 192.168.112.4 and I've set up my
>> view as:
>> !view "ex" {
>> ! match-clients { 192.168.112.0/23; };
>> ! recursion yes;
>> !
>> ! include "/etc/named/master/rootns.conf";
>> ! include "/etc/named/master/localhost.conf";
>> ! include "/etc/named/master/empty.conf";
>> !
>> ! zone "example.de." {
>> ! type master;
>> ! allow-transfer { key "mskey"; };
>> ! notify no;
>> ! file "/etc/named/zhz/fwd.example";
>> ! };
>> ! zone "112.168.192.in-addr.arpa." {
>> ! type master;
>> ! allow-transfer { key "mskey"; };
>> ! notify no;
>> ! file "/etc/named/zin/rev.192.168.1";
>> ! };
>> !};
>>
>> !view "in" {
>> ! match-clients { 192.168.180.0/23; };
>> ! recursion yes;
>> !
>> ! include "/etc/named/master/rootns.conf";
>> ! include "/etc/named/master/localhost.conf";
>> ! include "/etc/named/master/empty.conf";
>> !
>> ! zone "example.de." {
>> ! type master;
>> ! allow-transfer { key "mskey"; };
>> ! notify no;
>> ! file "/etc/named/zhz/fwd.example";
>> ! };
>> ! zone "112.168.192.in-addr.arpa." {
>> ! type master;
>> ! allow-transfer { key "mskey"; };
>> ! notify no;
>> ! file "/etc/named/zin/rev.192.168.1";
>> ! };
>> !};
>>
>> Any idea why the server resolves internal names, but not external
>> ones, for view "ex", while it does answer internal and external names
>> for view "in"?
>> I've set up query logging, but this just tells me queries are
>> correctly processed, not why no answer was sent.
>>
>> In the server logs I can watch queries from 192.168.180.0/23 tagged
>> with "in" and those from 192.168.112.0/23 with "ex". Addresses
>> defined by my server are served to both clients "in" and "ex".
>> Addresses from others like google.com are only served to clients
>> from "in", not to clients from "ex" (server answers NXDOMAIN).
>>
>>
--
Thomas
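A note on the two traces above, followed by an added diagnostic helper that is not part of the thread. `dig +trace` asks the configured resolver (here ns.example.de, 192.168.180.28) only for the root NS set and then sends the remaining queries from the client straight to the root, TLD and google.com servers. The "connection timed out" in the second trace therefore says that a host in 192.168.112.0/23 gets no reply from the root servers on port 53; the ping replies only show that ICMP echo gets through. Neither trace tests whether ns.example.de will recurse for that client. To test the server itself, query it directly from each subnet and read the status and flags of the reply: `rd` is the client asking for recursion, `ra` is the server saying it will recurse for this client, and `aa` marks an answer taken from a zone the matched view is authoritative for. With `auth-nxdomain no` as in the posted options, an NXDOMAIN that carries `aa` came from the view's own zone data, while an NXDOMAIN without `aa` came from recursion. The script below is my example code; it assumes `dig` and a POSIX `sed`, takes the server address 192.168.180.28 from the trace output, and the sample replies inside it are constructed, not captured from the thread.

```shell
#!/bin/sh
# Added diagnostic helper (example code, not from the thread): classify what a
# resolver returned for one query, from `dig` output read on stdin.
# The verdict's first word is one of:
#   NOREPLY, REFUSED, SERVFAIL, NORECURSION, AUTH-NXDOMAIN, NXDOMAIN, EMPTY, OK
classify_dig_output() {
    reply=$(cat)
    status=$(printf '%s\n' "$reply" \
        | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$reply" \
        | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$reply" \
        | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)

    # No header at all: dig never got a DNS reply (timeout / unreachable).
    # A working ping proves nothing about UDP or TCP port 53.
    if [ -z "$status" ]; then
        echo "NOREPLY: no DNS header in output; check the port-53 path, not ICMP"
        return 0
    fi
    case "$status" in
        REFUSED)
            echo "REFUSED: server refused the query (allow-query, or no view matched this client)"
            return 0 ;;
        SERVFAIL)
            echo "SERVFAIL: server tried to resolve and failed (hints, upstream reachability, validation)"
            return 0 ;;
    esac
    case " $flags " in *" ra "*) ra=yes ;; *) ra=no ;; esac
    case " $flags " in *" aa "*) aa=yes ;; *) aa=no ;; esac
    if [ "$ra" = no ]; then
        echo "NORECURSION: ra flag clear; the matched view does not recurse for this client"
        return 0
    fi
    if [ "$status" = NXDOMAIN ] && [ "$aa" = yes ]; then
        # With auth-nxdomain no (as in the posted options), aa on NXDOMAIN means
        # the answer came from a zone this view is authoritative for.
        echo "AUTH-NXDOMAIN: authoritative NXDOMAIN; a zone in the matched view covers this name"
        return 0
    fi
    if [ "$status" = NXDOMAIN ]; then
        echo "NXDOMAIN: recursion ran; the name does not exist upstream"
        return 0
    fi
    if [ "${answers:-0}" -eq 0 ]; then
        echo "EMPTY: NOERROR with no answer records"
        return 0
    fi
    echo "OK: $answers answer record(s), recursion available"
}

# Query one server directly (bypassing resolv.conf and +trace) and classify.
# Usage: probe <server-ip> <name>   e.g. probe 192.168.180.28 google.com
probe() {
    dig +time=3 +tries=1 @"$1" "$2" A | classify_dig_output
}

# Constructed sample replies (not captured from the thread) for offline checks.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_AUTH_NX=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'
SAMPLE_NOREC=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Run the live probe only when a server and a name are given on the command line.
if [ "$#" -eq 2 ]; then
    probe "$1" "$2"
fi
```

Run it as `sh probe.sh 192.168.180.28 google.com` once from a host in 192.168.180.0/23 and once from a host in 192.168.112.0/23, then compare the two verdicts; the `@server` form makes the server do the recursion, which `+trace` never does. Since BIND assigns a query to the first view whose `match-clients` matches, the view tag in query.log together with this verdict tells you whether the "ex" client is refused, denied recursion, or answered from zone data.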