Views and no answers ...
Bob
bob at bjerremose.com
Thu Jul 28 18:55:04 UTC 2011
You also have these ACLs, which I find quite useful:
allow-query {acl-list}
allow-query-cache {acl-list}
allow-recursion {acl-list}
As I recall, all of them are valid inside a view.
You could also try to throw in some debug logging.
Here is what I do for troubleshooting:
#> rndc querylog
#> rndc trace 3
Then I tail all the relevant logfiles.
Mvh. / Regards
Bob
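As an added example (not Bob's or Thomas's configuration; the acl names are assumed, the address ranges mirror the two client subnets in this thread), this named.conf fragment scopes all three ACLs inside each view instead of relying on the defaults. That matters because, with allow-recursion and allow-query-cache both unset, BIND 9.4 and later fall back to localnets and localhost, so a client subnet the server has no interface in gets no recursion unless the view grants it explicitly.

```conf
// Added example, not from the original thread. ACL names are assumed;
// the address ranges mirror the two client subnets discussed above.
acl "net-in" { 192.168.180.0/23; };
acl "net-ex" { 192.168.112.0/23; };

options {
    directory "/var/tmp/named";
    // Deny everything globally; each view grants only what its clients need.
    recursion no;
    allow-query { none; };
    allow-query-cache { none; };
    allow-recursion { none; };
};

view "in" {
    match-clients { "net-in"; };
    recursion yes;
    // Explicit per-view grants: do not rely on the localnets/localhost default.
    allow-query { "net-in"; };
    allow-recursion { "net-in"; };
    allow-query-cache { "net-in"; };
    zone "example.de." {
        type master;
        file "/etc/named/zhz/fwd.example";
    };
};

view "ex" {
    match-clients { "net-ex"; };
    recursion yes;
    // 192.168.112.0/23 is not a localnet of a server living in 192.168.180.0/23,
    // so without explicit grants it falls outside the default
    // allow-recursion/allow-query-cache list.
    allow-query { "net-ex"; };
    allow-recursion { "net-ex"; };
    allow-query-cache { "net-ex"; };
    zone "example.de." {
        type master;
        file "/etc/named/zhz/fwd.example";
    };
};
```

Clients matching neither acl match no view and are refused, which is the intended behaviour for a server that should only serve these two subnets.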
On 2011-07-28 18:31, Thomas Schweikle wrote:
> Am 28.07.2011 01:18, schrieb Bob:
>> These two views are identical in any way I can see, so the fault may
>> be in an included configuration file that is not included in your
>> message.
>>
>> Look for allow-query, allow-recursion or allow-cache statements in
>> your other config files.
>
> Did this. The only "allow" I could find was "allow-transfer".
>
> The only two parts I left out were "options", the included keys and
> "logging":
>
> options {
>     directory "/var/tmp/named";
>     pid-file "/var/run/named/named.pid";
>     dump-file "/var/run/named/named_dump.db";
>     statistics-file "/var/run/named/named.stats";
>     listen-on { any; };
>     #listen-on-v6 { any; };
>
>     recursion yes;
>     auth-nxdomain no;
> };
>
> include "/etc/named/mskey.key";
> include "/etc/named/bind.keys";
> include "/etc/bind/key.rndc";
>
> mskey.key:
> key mskey {
>     algorithm hmac-md5;
>     secret ".....................";
> };
>
> bind.keys:
> managed-keys {
>     # NOTE: This key is current as of October 2009.
>     # If it fails to initialize correctly, it may have expired;
>     # see https://www.isc.org/solutions/dlv for a replacement.
>     dlv.isc.org. initial-key 257 3 5
>         "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
>         brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
>         1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
>         ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
>         Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
>         QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
>         TDN0YUuWrBNh";
> };
>
> key.rndc:
> key "xompukey" {
>     algorithm hmac-md5;
>     secret "............................................";
> };
>
> logging {
>     channel security_log {
>         file "/var/log/named/security.log";
>         severity info;
>         print-time yes;
>     };
>     channel update_log {
>         file "/var/log/named/update.log";
>         severity info;
>         print-time yes;
>     };
>     channel query_log {
>         file "/var/log/named/query.log";
>         severity debug 3;
>         print-time yes;
>     };
>     channel debug_log {
>         file "/var/log/named/debug.log";
>         severity info;
>         print-time yes;
>     };
>     category update { update_log; };
>     category queries { query_log; };
>     category default { debug_log; };
>     category security { security_log; };
>     category unmatched { null; };
> };
>
>
> calling "dig +trace google.com" on systems located 192.168.180.0/23:
> ;<<>> DiG 9.7.3<<>> +trace google.com
> ;; global options: +cmd
> . 518400 IN NS e.root-servers.net.
> . 518400 IN NS f.root-servers.net.
> . 518400 IN NS h.root-servers.net.
> . 518400 IN NS i.root-servers.net.
> . 518400 IN NS m.root-servers.net.
> . 518400 IN NS d.root-servers.net.
> . 518400 IN NS a.root-servers.net.
> . 518400 IN NS g.root-servers.net.
> . 518400 IN NS b.root-servers.net.
> . 518400 IN NS c.root-servers.net.
> . 518400 IN NS l.root-servers.net.
> . 518400 IN NS j.root-servers.net.
> . 518400 IN NS k.root-servers.net.
> ;; Received 244 bytes from 192.168.180.28#53(ns.example.de) in 0 ms
>
> com. 172800 IN NS c.gtld-servers.net.
> com. 172800 IN NS j.gtld-servers.net.
> com. 172800 IN NS l.gtld-servers.net.
> com. 172800 IN NS e.gtld-servers.net.
> com. 172800 IN NS f.gtld-servers.net.
> com. 172800 IN NS h.gtld-servers.net.
> com. 172800 IN NS a.gtld-servers.net.
> com. 172800 IN NS g.gtld-servers.net.
> com. 172800 IN NS k.gtld-servers.net.
> com. 172800 IN NS b.gtld-servers.net.
> com. 172800 IN NS i.gtld-servers.net.
> com. 172800 IN NS m.gtld-servers.net.
> com. 172800 IN NS d.gtld-servers.net.
> ;; Received 488 bytes from 128.8.10.90#53(d.root-servers.net) in 100 ms
>
> google.com. 172800 IN NS ns2.google.com.
> google.com. 172800 IN NS ns1.google.com.
> google.com. 172800 IN NS ns3.google.com.
> google.com. 172800 IN NS ns4.google.com.
> ;; Received 164 bytes from 192.42.93.30#53(g.gtld-servers.net) in 161 ms
>
> google.com. 300 IN A 209.85.148.103
> google.com. 300 IN A 209.85.148.99
> google.com. 300 IN A 209.85.148.104
> google.com. 300 IN A 209.85.148.147
> google.com. 300 IN A 209.85.148.106
> google.com. 300 IN A 209.85.148.105
> ;; Received 124 bytes from 216.239.38.10#53(ns4.google.com) in 95 ms
>
>
> calling "dig +trace google.com" on systems located 192.168.112.0/23:
> ;<<>> DiG 9.7.3<<>> +trace google.com
> ;; global options: +cmd
> . 518400 IN NS l.root-servers.net.
> . 518400 IN NS g.root-servers.net.
> . 518400 IN NS d.root-servers.net.
> . 518400 IN NS i.root-servers.net.
> . 518400 IN NS k.root-servers.net.
> . 518400 IN NS c.root-servers.net.
> . 518400 IN NS j.root-servers.net.
> . 518400 IN NS a.root-servers.net.
> . 518400 IN NS e.root-servers.net.
> . 518400 IN NS f.root-servers.net.
> . 518400 IN NS b.root-servers.net.
> . 518400 IN NS h.root-servers.net.
> . 518400 IN NS m.root-servers.net.
> ;; Received 228 bytes from 192.168.180.28#53(ns.example.de) in 24 ms
>
> ;; connection timed out; no servers could be reached
>
>
> Any of the servers can be reached from both subnets:
> # ping a.gtld-servers.net
> PING a.gtld-servers.net (192.5.6.30) 56(84) bytes of data.
> 64 bytes from a.gtld-servers.net (192.5.6.30): icmp_req=1 ttl=117 time=127 ms
> 64 bytes from a.gtld-servers.net (192.5.6.30): icmp_req=2 ttl=117 time=128 ms
>
> and on the other subnet (using ip-address):
> $ ping 192.5.6.30
> PING 192.5.6.30 (192.5.6.30) 56(84) bytes of data.
> 64 bytes from 192.5.6.30: icmp_req=1 ttl=118 time=129 ms
> 64 bytes from 192.5.6.30: icmp_req=2 ttl=118 time=129 ms
> 64 bytes from 192.5.6.30: icmp_req=3 ttl=118 time=129 ms
>
>
> ????? --- I am a little bit lost at the moment ...
>
>> When using views, I often find it more manageable to move such
>> options inside the view definition.
>>
>> Mvh. / Regards
>> Bob
>>
>> On 2011-07-25 16:24, Thomas Schweikle wrote:
>>> Hi!
>>>
>>> I have set up a view for one site. It is bound to change answers as
>>> necessary for different IP-ranges. It works as far as I could see.
>>> But with one ip-range there is a problem ...
>>>
>>> I can query internal addresses:
>>> user@kvm2~# host intweb.example.de
>>> web.example.de has address 192.168.180.46
>>>
>>> But external ones do not work:
>>> user@kvm2:~# host google.com
>>> user@kvm2:~#
>>>
>>> The host I am trying on has address 192.168.112.4 and I've set up my
>>> view as:
>>> view "ex" {
>>>     match-clients { 192.168.112.0/23; };
>>>     recursion yes;
>>>
>>>     include "/etc/named/master/rootns.conf";
>>>     include "/etc/named/master/localhost.conf";
>>>     include "/etc/named/master/empty.conf";
>>>
>>>     zone "example.de." {
>>>         type master;
>>>         allow-transfer { key "mskey"; };
>>>         notify no;
>>>         file "/etc/named/zhz/fwd.example";
>>>     };
>>>     zone "112.168.192.in-addr.arpa." {
>>>         type master;
>>>         allow-transfer { key "mskey"; };
>>>         notify no;
>>>         file "/etc/named/zin/rev.192.168.1";
>>>     };
>>> };
>>>
>>> view "in" {
>>>     match-clients { 192.168.180.0/23; };
>>>     recursion yes;
>>>
>>>     include "/etc/named/master/rootns.conf";
>>>     include "/etc/named/master/localhost.conf";
>>>     include "/etc/named/master/empty.conf";
>>>
>>>     zone "example.de." {
>>>         type master;
>>>         allow-transfer { key "mskey"; };
>>>         notify no;
>>>         file "/etc/named/zhz/fwd.example";
>>>     };
>>>     zone "112.168.192.in-addr.arpa." {
>>>         type master;
>>>         allow-transfer { key "mskey"; };
>>>         notify no;
>>>         file "/etc/named/zin/rev.192.168.1";
>>>     };
>>> };
>>>
>>> Any idea why the server resolves internal names, but not external
>>> ones, for view "ex", while it answers both internal and external names
>>> for view "in"?
>>> I've set up query logging, but this just tells me queries are
>>> correctly processed, not why no answer was sent.
>>>
>>> In the server logs I can watch queries from 192.168.180.0/23 tagged
>>> with "in" and those from 192.168.112.0/23 with "ex". Addresses
>>> defined by my server are served to both "in" and "ex" clients.
>>> Addresses from others like google.com are only served to clients
>>> from "in", not to clients from "ex" (the server answers NXDOMAIN).
>>>
>>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users