Views and no answers ...

Bob bob at bjerremose.com
Thu Jul 28 18:55:04 UTC 2011


You also have these ACLs, which I find quite useful:

allow-query {acl-list}
allow-query-cache {acl-list}
allow-recursion {acl-list}

As I recall, all of them are valid inside a view.

You could also try to throw in some debug logging.
Here is what I do for troubleshooting:

#> rndc querylog
#> rndc trace 3

Then I tail all the relevant log files.


Mvh. / Regards

Bob

On 2011-07-28 18:31, Thomas Schweikle wrote:
> Am 28.07.2011 01:18, schrieb Bob:
>> These two views are identical in any way I can see, so the fault may
>> be in an included configuration file that is not included in your
>> message.
>>
>> Look for allow-query, allow-recursion or allow-cache statements in
>> your other config files.
>
> Did this. The only "allow" I could find was "allow-transfer".
>
> The only two parts I left out were "options", the included keys and
> "logging":
>
> !options {
> !        directory       "/var/tmp/named";
> !        pid-file        "/var/run/named/named.pid";
> !        dump-file       "/var/run/named/named_dump.db";
> !        statistics-file "/var/run/named/named.stats";
> !        listen-on       { any; };
> !        #listen-on-v6   { any; };
> !
> !        recursion yes;
> !        auth-nxdomain no;
> !};
>
> !include "/etc/named/mskey.key";
> !include "/etc/named/bind.keys";
> !include "/etc/bind/key.rndc";
>
> mskey.key:
> !key mskey {
> !  algorithm hmac-md5;
> !  secret ".....................";
> !};
>
> bind.keys:
> !managed-keys {
> !        # NOTE: This key is current as of October 2009.
> !        # If it fails to initialize correctly, it may have expired;
> !        # see https://www.isc.org/solutions/dlv for a replacement.
> !        dlv.isc.org. initial-key 257 3 5
> !"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
> !brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
> !1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
> !ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
> !Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
> !QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
> !TDN0YUuWrBNh";
> !};
>
> key.rndc:
> !key "xompukey" {
> !        algorithm hmac-md5;
> !        secret "............................................";
> !};
>
>
> !logging {
> !        channel security_log {
> !                file "/var/log/named/security.log";
> !                severity info;
> !                print-time yes;
> !        };
> !        channel update_log {
> !                file "/var/log/named/update.log";
> !                severity info;
> !                print-time yes;
> !        };
> !        channel query_log {
> !                file "/var/log/named/query.log";
> !                severity debug 3;
> !                print-time yes;
> !        };
> !        channel debug_log {
> !                file "/var/log/named/debug.log";
> !                severity info;
> !                print-time yes;
> !        };
> !        category update { update_log; };
> !        category queries { query_log; };
> !        category default { debug_log; };
> !        category security { security_log; };
> !        category unmatched { null; };
> !};
>
>
> calling "dig +trace google.com" on systems located 192.168.180.0/23:
> !;<<>>  DiG 9.7.3<<>>  +trace google.com
> !;; global options: +cmd
> !.                       518400  IN      NS      e.root-servers.net.
> !.                       518400  IN      NS      f.root-servers.net.
> !.                       518400  IN      NS      h.root-servers.net.
> !.                       518400  IN      NS      i.root-servers.net.
> !.                       518400  IN      NS      m.root-servers.net.
> !.                       518400  IN      NS      d.root-servers.net.
> !.                       518400  IN      NS      a.root-servers.net.
> !.                       518400  IN      NS      g.root-servers.net.
> !.                       518400  IN      NS      b.root-servers.net.
> !.                       518400  IN      NS      c.root-servers.net.
> !.                       518400  IN      NS      l.root-servers.net.
> !.                       518400  IN      NS      j.root-servers.net.
> !.                       518400  IN      NS      k.root-servers.net.
> !;; Received 244 bytes from 192.168.180.28#53(ns.example.de) in
> !0 ms
> !
> !com.                    172800  IN      NS      c.gtld-servers.net.
> !com.                    172800  IN      NS      j.gtld-servers.net.
> !com.                    172800  IN      NS      l.gtld-servers.net.
> !com.                    172800  IN      NS      e.gtld-servers.net.
> !com.                    172800  IN      NS      f.gtld-servers.net.
> !com.                    172800  IN      NS      h.gtld-servers.net.
> !com.                    172800  IN      NS      a.gtld-servers.net.
> !com.                    172800  IN      NS      g.gtld-servers.net.
> !com.                    172800  IN      NS      k.gtld-servers.net.
> !com.                    172800  IN      NS      b.gtld-servers.net.
> !com.                    172800  IN      NS      i.gtld-servers.net.
> !com.                    172800  IN      NS      m.gtld-servers.net.
> !com.                    172800  IN      NS      d.gtld-servers.net.
> !;; Received 488 bytes from 128.8.10.90#53(d.root-servers.net) in
> !100 ms
> !
> !google.com.             172800  IN      NS      ns2.google.com.
> !google.com.             172800  IN      NS      ns1.google.com.
> !google.com.             172800  IN      NS      ns3.google.com.
> !google.com.             172800  IN      NS      ns4.google.com.
> !;; Received 164 bytes from 192.42.93.30#53(g.gtld-servers.net) in
> !161 ms
> !
> !google.com.             300     IN      A       209.85.148.103
> !google.com.             300     IN      A       209.85.148.99
> !google.com.             300     IN      A       209.85.148.104
> !google.com.             300     IN      A       209.85.148.147
> !google.com.             300     IN      A       209.85.148.106
> !google.com.             300     IN      A       209.85.148.105
> !;; Received 124 bytes from 216.239.38.10#53(ns4.google.com) in
> !95 ms
>
>
> calling "dig +trace google.com" on systems located 192.168.112.0/23:
> !;<<>>  DiG 9.7.3<<>>  +trace google.com
> !;; global options: +cmd
> !.                       518400  IN      NS      l.root-servers.net.
> !.                       518400  IN      NS      g.root-servers.net.
> !.                       518400  IN      NS      d.root-servers.net.
> !.                       518400  IN      NS      i.root-servers.net.
> !.                       518400  IN      NS      k.root-servers.net.
> !.                       518400  IN      NS      c.root-servers.net.
> !.                       518400  IN      NS      j.root-servers.net.
> !.                       518400  IN      NS      a.root-servers.net.
> !.                       518400  IN      NS      e.root-servers.net.
> !.                       518400  IN      NS      f.root-servers.net.
> !.                       518400  IN      NS      b.root-servers.net.
> !.                       518400  IN      NS      h.root-servers.net.
> !.                       518400  IN      NS      m.root-servers.net.
> !;; Received 228 bytes from 192.168.180.28#53(ns.example.de) in 24 ms
> !
> !;; connection timed out; no servers could be reached
>
>
> Any of the servers can be reached from both subnets:
> !# ping a.gtld-servers.net
> !PING a.gtld-servers.net (192.5.6.30) 56(84) bytes of data.
> !64 bytes from a.gtld-servers.net (192.5.6.30): icmp_req=1 ttl=117
> !time=127 ms
> !64 bytes from a.gtld-servers.net (192.5.6.30): icmp_req=2 ttl=117
> !time=128 ms
>
> and on the other subnet (using ip-address):
> !$ ping 192.5.6.30
> !PING 192.5.6.30 (192.5.6.30) 56(84) bytes of data.
> !64 bytes from 192.5.6.30: icmp_req=1 ttl=118 time=129 ms
> !64 bytes from 192.5.6.30: icmp_req=2 ttl=118 time=129 ms
> !64 bytes from 192.5.6.30: icmp_req=3 ttl=118 time=129 ms
>
>
> ????? --- I am a little bit lost at the moment ...
>
>> When using views, I often find it more manageable to move such
>> options inside the view definition.
>>
>> Mvh. / Regards
>> Bob
>>
>> On 2011-07-25 16:24, Thomas Schweikle wrote:
>>> Hi!
>>>
>>> I have set up a view for one site. It is bound to change answers as
>>> necessary for different IP ranges. It works as far as I could see.
>>> But with one IP range there is a problem ...
>>>
>>> I can query internal addresses:
>>> !user at kvm2~# host intweb.example.de
>>> !web.example.de has address 192.168.180.46
>>>
>>> But external ones do not work:
>>> !user at kvm2:~# host google.com
>>> !user at kvm2:~#
>>>
>>> The host I am trying on has address 192.168.112.4 and I've set up my
>>> view as:
>>> !view "ex" {
>>> !        match-clients { 192.168.112.0/23; };
>>> !        recursion yes;
>>> !
>>> !        include "/etc/named/master/rootns.conf";
>>> !        include "/etc/named/master/localhost.conf";
>>> !        include "/etc/named/master/empty.conf";
>>> !
>>> !        zone "example.de." {
>>> !                type master;
>>> !                allow-transfer { key "mskey"; };
>>> !                notify no;
>>> !                file "/etc/named/zhz/fwd.example";
>>> !        };
>>> !        zone "112.168.192.in-addr.arpa." {
>>> !                type master;
>>> !                allow-transfer { key "mskey"; };
>>> !                notify no;
>>> !                file "/etc/named/zin/rev.192.168.1";
>>> !        };
>>> !};
>>>
>>> !view "in" {
>>> !        match-clients { 192.168.180.0/23; };
>>> !        recursion yes;
>>> !
>>> !        include "/etc/named/master/rootns.conf";
>>> !        include "/etc/named/master/localhost.conf";
>>> !        include "/etc/named/master/empty.conf";
>>> !
>>> !        zone "example.de." {
>>> !                type master;
>>> !                allow-transfer { key "mskey"; };
>>> !                notify no;
>>> !                file "/etc/named/zhz/fwd.example";
>>> !        };
>>> !        zone "112.168.192.in-addr.arpa." {
>>> !                type master;
>>> !                allow-transfer { key "mskey"; };
>>> !                notify no;
>>> !                file "/etc/named/zin/rev.192.168.1";
>>> !        };
>>> !};
>>>
>>> Any idea why the server resolves internal names, but not external
>>> ones, to view "ex", while it does answer internal and external names
>>> to view "in"?
>>> I've set up query logging, but this just tells me queries are
>>> correctly processed. But not why no answer was sent.
>>>
>>> In the server logs I can watch queries from 192.168.180.0/23 tagged
>>> with "in" and such from 192.168.112.0/23 with "ex". Addresses
>>> defined by my server are served to both clients "in" and "ex".
>>> Addresses from others like google.com are only served to clients
>>> from "in" not to clients from "ex" (server answers NXDOMAIN).
>>>
>>>
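The log-tailing step Bob describes, as an added example that is not code from the thread: a Python script that parses BIND 9 query-log lines (the format written once "rndc querylog" is on, with print-time yes), counts recursive queries per view, and checks that each client address was tagged with the view its match-clients ACL predicts. The sample log lines are constructed; VIEW_ACLS is assumed to list every view on the server in configuration order.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in BIND 9 query-log format; views and subnets
# follow the named.conf quoted in the thread.
SAMPLE_LOG = """\
28-Jul-2011 18:40:01.123 client 192.168.180.46#51234: view in: query: google.com IN A + (192.168.180.28)
28-Jul-2011 18:40:02.456 client 192.168.112.4#40001: view ex: query: google.com IN A + (192.168.180.28)
28-Jul-2011 18:40:03.789 client 192.168.112.4#40002: view ex: query: intweb.example.de IN A + (192.168.180.28)
28-Jul-2011 18:40:04.000 client 192.168.113.9#40003: view in: query: google.com IN A - (192.168.180.28)
"""

# match-clients of the two views, in config order (BIND uses the first view
# whose ACL matches). Assumed to be the only views on the server.
VIEW_ACLS = {
    "ex": [ipaddress.ip_network("192.168.112.0/23")],
    "in": [ipaddress.ip_network("192.168.180.0/23")],
}

LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: view (?P<view>\S+): query: "
    r"(?P<name>\S+) IN (?P<rtype>\S+) (?P<flags>[+-]\S*)"
)


def expected_view(ip):
    """Return the first view whose match-clients covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    for view, nets in VIEW_ACLS.items():
        if any(addr in net for net in nets):
            return view
    return None


def audit_querylog(text):
    """Count recursive queries per view; flag clients logged under an unexpected view."""
    recursive = Counter()
    mismatches = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line (e.g. "rndc trace" debug output)
        ip, view, flags = m["ip"], m["view"], m["flags"]
        if flags.startswith("+"):  # '+' = client set RD, i.e. asked for recursion
            recursive[view] += 1
        want = expected_view(ip)
        if want != view:
            mismatches.append((ip, view, want))
    return recursive, mismatches
```

A client that shows up in the mismatch list is being served by a view other than the one you expect, which is the first thing to rule out before looking at allow-recursion or allow-query-cache inside the view.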