bind refusing update [never mind]
Dan Egli
dan at newideatest.site
Sat Dec 19 07:08:07 UTC 2020
I guess sometimes you just need to look at it in a different way. I
never noticed it was using the 10.0.2.15 IP to try to update. That's
going to be blocked because I don't have the outside world enabled for
this server. So let me go ask on the DHCP list why it's insisting on
using that interface.
On 12/18/2020 11:59 PM, Dan Egli wrote:
> I'm really stumped as to what's going on. I'm trying to get dhcpd to
> automatically update name records for my internal network. This is NOT
> going to the public internet by any means. It's just an internal
> network. But every time either I or dhcpd try to add a record, named
> refuses to allow it. I'm getting a message in the log that says
> refused due to allow-query:
>
> 19-Dec-2020 06:49:19.299 update-security: error: client @0x7fa610000cd0 10.0.2.15#49948: update 'eglifamily.name/IN' denied due to allow-query
>
> What's causing this, and how do I fix it? I'm including my named.conf
> and dhcpd.conf files below. Can anyone help me?
>
> dhcpd.conf:
> default-lease-time 300;
> max-lease-time 43200;
>
> ddns-update-style interim;
>
> authoritative;
> log-facility local1;
>
> allow booting;
>
> subnet 10.0.2.0 netmask 255.255.255.0 {
>     # no services at all! That's the link from the ISP. Don't touch it!
> }
>
> subnet 192.168.10.0 netmask 255.255.255.0 {
>     range 192.168.10.128 192.168.10.254;
>     if exists user-class and option user-class = "iPXE" {
>         filename "pxelinux.efi";
>     } else {
>         filename "pxelinux.0";
>     }
>     next-server 192.168.10.3;
>     option domain-name-servers 192.168.10.2, 8.8.8.8;
>     option domain-name "eglifamily.name";
>     option routers 192.168.10.1;
> }
>
> host fixed-1 {
>     hardware ethernet 08:00:27:D5:AA:3C;
>     fixed-address 192.168.10.64;
>     option host-name "ethereum-1";
>     ddns-hostname "ethereum-1.eglifamily.name";
> }
>
> named.conf:
> /*
>  * Refer to the named.conf(5) and named(8) man pages, and the documentation
>  * in /usr/share/doc/bind-* for more details.
>  * Online versions of the documentation can be found here:
>  * https://kb.isc.org/article/AA-01031
>  *
>  * If you are going to set up an authoritative server, make sure you
>  * understand the hairy details of how DNS works. Even with simple mistakes,
>  * you can break connectivity for affected parties, or cause huge amounts of
>  * useless Internet traffic.
>  */
>
> acl "xfer" {
>     /* Deny transfers by default except for the listed hosts.
>      * If we have other name servers, place them here.
>      */
>     none;
> };
>
> /*
>  * You might put in here some ips which are allowed to use the cache or
>  * recursive queries
>  */
> acl "trusted" {
>     192.168.10.0/24;
>     127.0.0.0/8;
>     ::1/128;
> };
>
> acl "myself" {
>     127.0.0.0/24;
>     ::1/128;
> };
>
> options {
>     directory "/var/bind";
>     pid-file "/run/named/named.pid";
>
>     /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
>     //bindkeys-file "/etc/bind/bind.keys";
>     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>     minimal-responses yes;
>
>     listen-on-v6 { none; }; // for now
>     listen-on { 192.168.10.2; 127.0.0.1; };
>
>     allow-query {
>         /*
>          * Accept queries from our "trusted" ACL. We will
>          * allow anyone to query our master zones below.
>          * This prevents us from becoming a free DNS server
>          * to the masses.
>          */
>         trusted;
>     };
>
>     allow-query-cache {
>         /* Use the cache for the "trusted" ACL. */
>         trusted;
>     };
>
>     allow-recursion {
>         /* Only trusted addresses are allowed to use recursion. */
>         trusted;
>     };
>
>     allow-transfer {
>         /* Zone transfers are denied by default. */
>         none;
>     };
>
>     allow-update {
>         myself;
>     };
>
>     /*
>      * If you've got a DNS server around at your upstream provider, enter its
>      * IP address here, and enable the line below. This will make you benefit
>      * from its cache, thus reduce overall DNS traffic in the Internet.
>      *
>      * Uncomment the following lines to turn on DNS forwarding, and change
>      * and/or update the forwarding ip address(es):
>      */
>     /*
>     forward first;
>     forwarders {
>         // 123.123.123.123; // Your ISP NS
>         // 124.124.124.124; // Your ISP NS
>         // 4.2.2.1; // Level3 Public DNS
>         // 4.2.2.2; // Level3 Public DNS
>         8.8.8.8; // Google Open DNS
>         8.8.4.4; // Google Open DNS
>     };
>     */
>
>     // dnssec-enable yes;
>     // named-checkconf says above line is bad
>     //dnssec-validation yes;
>
>     /*
>      * As of bind 9.8.0:
>      * "If the root key provided has expired,
>      * named will log the expiration and validation will not work."
>      */
>     dnssec-validation auto;
>
>     /* if you have problems and are behind a firewall: */
>     //query-source address * port 53;
> };
>
> logging {
>     channel default_log {
>         file "/var/log/named/named.log" versions 5 size 50M;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>
>     category default { default_log; };
>     category general { default_log; };
> };
>
> include "/etc/bind/rndc.key";
> controls {
>     inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
> };
>
> #zone "." in {
> #    type hint;
> #    file "/var/bind/named.cache";
> #};
>
> zone "localhost" IN {
>     type master;
>     file "pri/localhost.zone";
>     notify no;
> };
>
> zone "eglifamily.name" {
>     type master;
>     file "pri/eglifamily.zone";
>     notify yes;
> };
>
> zone "10.168.192.in-addr.arpa" {
>     type master;
>     file "pri/10.168.192.arpa.zone";
>     notify yes;
> };
>
> include "/var/lib/samba/bind-dns/named.conf";
>
> The samba file only contains the lines needed to load the dynamically
> loaded zone modules (bind9_dlz).
>
--
Dan Egli
From my Test Server
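Added example (not part of Dan's post or of BIND itself): a small Python script that parses the update-security log line quoted above and checks the client address against the address ACLs transcribed from the quoted named.conf. The zone "eglifamily.name" has no per-zone allow-query or allow-update, so the options-level settings apply (allow-query { trusted; }, allow-update { myself; }). Because the log line names allow-query as the reason, the script evaluates that ACL first and allow-update second; that ordering is an assumption taken from the message text, not from named's source. Only plain address prefixes are handled, and the sample addresses 192.168.10.2 and 127.0.0.1 are constructed from the listen-on line for comparison.

```python
import ipaddress
import re

# ACLs transcribed from the named.conf quoted in the post. Only plain address
# prefixes are handled here; nested ACL names and "!" negation are not.
ACLS = {
    "trusted": ["192.168.10.0/24", "127.0.0.0/8", "::1/128"],
    "myself": ["127.0.0.0/24", "::1/128"],
}

# eglifamily.name has no per-zone allow-query/allow-update, so the options-level
# directives apply. The log line names allow-query as the rejecting ACL, so that
# check runs first (assumption based on the message text, not on named's code).
UPDATE_CHECKS = [
    ("allow-query", "trusted"),
    ("allow-update", "myself"),
]

# Shape of the update-security line from the post; the @0x... client handle is optional.
LOG_RE = re.compile(
    r"update-security: error: client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^']+)' denied(?: due to (?P<reason>[\w-]+))?"
)


def acl_allows(acl_name, addr):
    """True if addr falls inside any prefix of the named ACL (version-mismatched prefixes never match)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in ACLS[acl_name])


def first_denying_acl(addr):
    """(directive, acl) of the first update check addr fails, or None if it passes all of them."""
    for directive, acl in UPDATE_CHECKS:
        if not acl_allows(acl, addr):
            return directive, acl
    return None


def parse_update_denial(line):
    """Pull client address, port, zone and stated reason out of a denial line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "addr": m.group("addr"),
        "port": int(m.group("port")),
        "zone": m.group("zone"),
        "reason": m.group("reason"),
    }


def explain(line):
    """Map a denial line to the ACL that rejects its client under the quoted config."""
    parsed = parse_update_denial(line)
    if parsed is None:
        return None
    failing = first_denying_acl(parsed["addr"])
    if failing is None:
        return f"{parsed['addr']} passes every address ACL in the quoted config"
    directive, acl = failing
    return (f"{parsed['addr']} is outside acl \"{acl}\", so {directive} rejects "
            f"the update to {parsed['zone']}")


# Log line copied from the post, joined onto one line.
SAMPLE_LOG = (
    "19-Dec-2020 06:49:19.299 update-security: error: client @0x7fa610000cd0 "
    "10.0.2.15#49948: update 'eglifamily.name/IN' denied due to allow-query"
)

if __name__ == "__main__":
    print(explain(SAMPLE_LOG))
    # Constructed addresses taken from the listen-on line, for comparison.
    for addr in ("192.168.10.2", "127.0.0.1"):
        print(addr, "->", first_denying_acl(addr))
```

Running it shows that 10.0.2.15 fails the "trusted" ACL, which matches the "denied due to allow-query" wording in the log, while an update sourced from 192.168.10.2 would pass allow-query and then fail allow-update, because "myself" only covers 127.0.0.0/24 and ::1.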