bind refusing update

Dan Egli dan at newideatest.site
Sat Dec 19 06:59:33 UTC 2020


I'm really stumped as to what's going on. I'm trying to get dhcpd to 
automatically update name records for my internal network. This is NOT 
going to the public internet by any means. It's just an internal 
network. But every time either I or dhcpd try to add a record, named 
refuses to allow it. I'm getting a message in the log that says refused 
due to allow-query:

19-Dec-2020 06:49:19.299 update-security: error: client @0x7fa610000cd0 
10.0.2.15#49948: update 'eglifamily.name/IN' denied due to allow-query

What's causing this, and how do I fix it? I'm including my named.conf 
and dhcpd.conf files below. Can anyone help me?

dhcpd.conf:
# NOTE(review): ddns-update-style interim is enabled below, but this file has
# no `key` statement and no `zone` statements, so dhcpd has no TSIG key to
# sign its updates with and no explicit primary-server/key mapping for the
# zones it updates; named receives plain, unsigned UPDATE requests.
default-lease-time 300;
max-lease-time 43200;

ddns-update-style interim;

authoritative;
log-facility local1;


allow booting;

subnet 10.0.2.0 netmask 255.255.255.0 {
# no services at all! That's the link from the ISP. Don't touch it!
# NOTE(review): the refused update quoted in the post was sourced from
# 10.0.2.15, i.e. from this ISP-side subnet, not from 192.168.10.0/24 --
# worth confirming which address dhcpd's DDNS traffic actually leaves from.
}


subnet 192.168.10.0 netmask 255.255.255.0 {
         range 192.168.10.128 192.168.10.254;
         # PXE: iPXE user-class gets pxelinux.efi, everything else pxelinux.0.
         if exists user-class and option user-class = "iPXE" {
         filename "pxelinux.efi";
         } else {
         filename "pxelinux.0";
         }
         next-server 192.168.10.3;
         # NOTE(review): 8.8.8.8 is a public resolver and cannot answer for
         # eglifamily.name; clients that fall back to it will miss internal
         # names (and send those lookups off-site).
         option domain-name-servers 192.168.10.2, 8.8.8.8;
         option domain-name "eglifamily.name";
         option routers 192.168.10.1;

}

# Static lease; ddns-hostname is the name dhcpd uses for this host's DDNS update.
host fixed-1 {
         hardware ethernet 08:00:27:D5:AA:3C;
         fixed-address 192.168.10.64;
         option host-name "ethereum-1";
         ddns-hostname "ethereum-1.eglifamily.name";
}

named.conf:
/*
  * Refer to the named.conf(5) and named(8) man pages, and the documentation
  * in /usr/share/doc/bind-* for more details.
  * Online versions of the documentation can be found here:
  * https://kb.isc.org/article/AA-01031
  *
  * If you are going to set up an authoritative server, make sure you
  * understand the hairy details of how DNS works. Even with simple mistakes,
  * you can break connectivity for affected parties, or cause huge amounts of
  * useless Internet traffic.
  */

acl "xfer" {
         /* Deny transfers by default except for the listed hosts.
          * If we have other name servers, place them here.
          * NOTE(review): this ACL is not referenced anywhere in the visible
          * config; allow-transfer in options is set to "none" directly.
          */
         none;
};

/*
  * You might put in here some ips which are allowed to use the cache or
  * recursive queries
  */
/* Internal LAN plus loopback.  This ACL gates allow-query,
 * allow-query-cache and allow-recursion in options below.
 * NOTE(review): it does not include the 10.0.2.0/24 ISP-side subnet,
 * which is where the refused update in the post was sourced from.
 */
acl "trusted" {
         192.168.10.0/24;
         127.0.0.0/8;
         ::1/128;
};

/* Loopback only; this is the global allow-update ACL in options below,
 * so only unsigned updates from 127.0.0.0/24 or ::1 can pass it.  An
 * update from 10.0.2.15 would be refused here even if it had passed
 * allow-query.  (The IPv4 range is /24 here but /8 in "trusted"; both
 * cover 127.0.0.1.)
 */
acl "myself" {
         127.0.0.0/24;
         ::1/128;
};

options {
         directory "/var/bind";
         pid-file "/run/named/named.pid";

         /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
         //bindkeys-file "/etc/bind/bind.keys";
         /* GSS-TSIG keytab for the Samba-provided zones (see the samba
          * include at the end of this file). */
         tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
         minimal-responses yes;


         listen-on-v6 { none; };  // for now
         listen-on { 192.168.10.2; 127.0.0.1; };

         allow-query {
                 /*
                  * Accept queries from our "trusted" ACL.  We will
                  * allow anyone to query our master zones below.
                  * This prevents us from becoming a free DNS server
                  * to the masses.
                  *
                  * NOTE(review): none of the zones below actually set
                  * their own allow-query, so they inherit "trusted" too.
                  *
                  * NOTE(review): named checks a dynamic-update client
                  * against the zone's allow-query ACL before it consults
                  * allow-update/update-policy, and logs a failure in the
                  * update-security category as "denied due to allow-query".
                  * That is the message quoted in the post: the update came
                  * from 10.0.2.15, which is in neither "trusted" nor
                  * "myself".  The fix is not to open allow-query to the
                  * world; make sure dhcpd reaches named from an address
                  * inside "trusted" (or add only that address here).
                  */
                 trusted;
         };

         allow-query-cache {
                 /* Use the cache for the "trusted" ACL. */
                 trusted;
         };

         allow-recursion {
                 /* Only trusted addresses are allowed to use recursion. */
                 trusted;
         };

         allow-transfer {
                 /* Zone transfers are denied by default. */
                 none;
         };

         allow-update {
                 /*
                  * Global default for every zone below that has no
                  * allow-update/update-policy of its own: only loopback
                  * (acl "myself") may send unsigned updates.
                  * NOTE(review): rather than widening this address-based
                  * ACL for dhcpd, define a TSIG key shared with dhcpd and
                  * grant it per zone with update-policy (or
                  * allow-update { key "<TSIG-KEY-NAME>"; }); an ACL that
                  * trusts a source address alone can be satisfied by a
                  * spoofed UDP packet.
                  */
                 myself;
         };

         /*
          * If you've got a DNS server around at your upstream provider,
          * enter its IP address here, and enable the line below. This will
          * make you benefit from its cache, thus reduce overall DNS traffic
          * in the Internet.
          *
          * Uncomment the following lines to turn on DNS forwarding, and
          * change and/or update the forwarding ip address(es):
          */
/*
         forward first;
         forwarders {
         //      123.123.123.123;        // Your ISP NS
         //      124.124.124.124;        // Your ISP NS
         //      4.2.2.1;                // Level3 Public DNS
         //      4.2.2.2;                // Level3 Public DNS
                 8.8.8.8;                // Google Open DNS
                 8.8.4.4;                // Google Open DNS
         };

*/

//      dnssec-enable yes;
//      named-checkconf says above line is bad
//      (dnssec-enable is obsolete in current BIND releases;
//       dnssec-validation below is the setting that matters)
         //dnssec-validation yes;

         /*
          * As of bind 9.8.0:
          * "If the root key provided has expired,
          * named will log the expiration and validation will not work."
          */
         dnssec-validation auto;

         /* if you have problems and are behind a firewall: */
         //query-source address * port 53;
};


logging {
         channel default_log {
                 file "/var/log/named/named.log" versions 5 size 50M;
                 print-time yes;
                 print-severity yes;
                 print-category yes;
         };

         /* Only "default" and "general" are bound explicitly; every other
          * category (including update-security, where the quoted refusal
          * was logged) falls through to "default" and so lands in the
          * same file. */
         category default { default_log; };
         category general { default_log; };
};


/* rndc control channel: loopback only, and the key named "rndc-key"
 * (presumably defined in the included rndc.key file) is required. */
include "/etc/bind/rndc.key";
controls {
         inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { 
"rndc-key"; };
};

#zone "." in {
#       type hint;
#       file "/var/bind/named.cache";
#};

/* Static localhost zone; no dynamic updates expected, so the global
 * allow-update { myself; } default is fine here. */
zone "localhost" IN {
         type master;
         file "pri/localhost.zone";
         notify no;
};

/* Forward zone that dhcpd is trying to update.
 * NOTE(review): there is no allow-update or update-policy at zone level,
 * so the options-level allow-update { myself; } (loopback only) governs
 * updates here, and the zone also inherits allow-query { trusted; }.
 * To let dhcpd update it, grant a TSIG key here rather than widening the
 * address ACLs, e.g.
 *     update-policy { grant <TSIG-KEY-NAME> zonesub ANY; };
 * with the same key configured in dhcpd.conf.
 */
zone "eglifamily.name" {
         type master;
         file "pri/eglifamily.zone";
         notify yes;
};


/* Reverse zone for 192.168.10.0/24.  Same situation as the forward zone:
 * no zone-level update policy, so the global loopback-only allow-update
 * applies; PTR updates from dhcpd need the same TSIG-key grant here. */
zone "10.168.192.in-addr.arpa" {
         type master;
         file "pri/10.168.192.arpa.zone";
         notify yes;
};

/* Samba-generated config (per the note after this listing, it only loads
 * the bind9_dlz module); it pairs with tkey-gssapi-keytab in options. */
include "/var/lib/samba/bind-dns/named.conf";


The samba file only contains the lines needed to load the dynamically 
loaded zone modules (bind9_dlz).

-- 
Dan Egli
 From my Test Server


