Date: Wed, 30 Jun 2010 09:49:40 +0100
From: krad <kraduk@googlemail.com>
To: Chris Maness <chris@chrismaness.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: BIND Refusing to Resolve for External Hosts
Message-ID: <AANLkTimWrBi3wxvkKR0tLabbI1nz7fU_7xu0QZFeJ8ep@mail.gmail.com>
In-Reply-To: <AANLkTimgwvEhu9gt-L9_apH_rnwsv3NHSBARpHJepsvy@mail.gmail.com>
References: <AANLkTimgwvEhu9gt-L9_apH_rnwsv3NHSBARpHJepsvy@mail.gmail.com>
On 29 June 2010 07:20, Chris Maness <chris@chrismaness.com> wrote:
> My named server used to resolve for external hosts. Recently I have
> noticed that it no longer resolves names for resolvers not on the
> local host. It works just fine for dig on the dns server itself. It
> also works for domains that it has authority over. I also have it set
> up to be a caching server on my network. Has the spec for the config
> file changed or something?
>
> Here is the beginning of the config file:
>
> cat named.conf
> // $FreeBSD: src/etc/namedb/named.conf,v 1.26.2.2.2.1 2008/11/25 02:59:29 kensmith Exp $
> //
> // Refer to the named.conf(5) and named(8) man pages, and the documentation
> // in /usr/share/doc/bind9 for more details.
> //
> // If you are going to set up an authoritative server, make sure you
> // understand the hairy details of how DNS works. Even with
> // simple mistakes, you can break connectivity for affected parties,
> // or cause huge amounts of useless Internet traffic.
>
> options {
>     // Relative to the chroot directory, if any
>     directory "/etc/namedb";
>     pid-file "/var/run/named/pid";
>     dump-file "/var/dump/named_dump.db";
>     statistics-file "/var/stats/named.stats";
>     allow-transfer {
>         76.238.148.146;
>     };
>
>     // If named is being used only as a local resolver, this is a safe default.
>     // For named to be accessible to the network, comment this option, specify
>     // the proper IP address, or delete this option.
>     // listen-on { 127.0.0.1; };
>
>     // If you have IPv6 enabled on this system, uncomment this option for
>     // use as a local resolver. To give access to the network, specify
>     // an IPv6 address, or the keyword "any".
>     // listen-on-v6 { ::1; };
>
>     // These zones are already covered by the empty zones listed below.
>     // If you remove the related empty zones below, comment these lines out.
>     disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
>     disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
>     disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
>
>     // In addition to the "forwarders" clause, you can force your name
>     // server to never initiate queries of its own, but always ask its
>     // forwarders only, by enabling the following line:
>     //
>     // forward only;
>
>     // If you've got a DNS server around at your upstream provider, enter
>     // its IP address here, and enable the line below. This will make you
>     // benefit from its cache, thus reduce overall DNS traffic in the Internet.
>     /*
>     forwarders {
>         127.0.0.1;
>     };
>     */
>     /*
>     Modern versions of BIND use a random UDP port for each outgoing
>     query by default in order to dramatically reduce the possibility
>     of cache poisoning. All users are strongly encouraged to utilize
>     this feature, and to configure their firewalls to accommodate it.
>
>     AS A LAST RESORT in order to get around a restrictive firewall
>     policy you can try enabling the option below. Use of this option
>     will significantly reduce your ability to withstand cache poisoning
>     attacks, and should be avoided if at all possible.
>
>     Replace NNNNN in the example with a number between 49160 and 65530.
>     */
>     // query-source address * port NNNNN;
> };
>
> // If you enable a local name server, don't forget to enter 127.0.0.1
> // first in your /etc/resolv.conf so this server will be queried.
> // Also, make sure to enable it in /etc/rc.conf.
>
> // The traditional root hints mechanism. Use this, OR the slave zones below.
> zone "." { type hint; file "named.root"; };
>
> /* Slaving the following zones from the root name servers has some
>    significant advantages:
>    1. Faster local resolution for your users
>    2. No spurious traffic will be sent from your network to the roots
>    3. Greater resilience to any potential root server failure/DDoS
>
>    On the other hand, this method requires more monitoring than the
>    hints file to be sure that an unexpected failure mode has not
>    incapacitated your server. Name servers that are serving a lot
>    of clients will benefit more from this approach than individual
>    hosts. Use with caution.
>
>    To use this mechanism, uncomment the entries below, and comment
>    the hint zone above.
> */
> /*
> zone "." {
>     type slave;
>     file "slave/root.slave";
>     masters {
>         192.5.5.241; // F.ROOT-SERVERS.NET.
>     };
>     notify no;
> };
>
> zone "0.0.127.IN-ADDR.ARPA" {
>     type master;
>     file "master/localhost.rev";
> };
> zone "in-addr.arpa" {
>     type slave;
>     file "slave/in-addr.arpa.slave";
>     masters {
>         192.5.5.241; // F.ROOT-SERVERS.NET.
>     };
>     notify no;
> };
> */
>
> /* Serving the following zones locally will prevent any queries
>    for these zones leaving your network and going to the root
>    name servers. This has two significant advantages:
>    1. Faster local resolution for your users
>    2. No spurious traffic will be sent from your network to the roots
> */
> // RFC 1912
> zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
> zone "255.in-addr.arpa" { type master; file "master/empty.db"; };
>
> // RFC 1912-style zone for IPv6 localhost address
> zone "0.ip6.arpa" { type master; file "master/localhost-reverse.db"; };
>
> // "This" Network (RFCs 1912 and 3330)
> zone "0.in-addr.arpa" { type master; file "master/empty.db"; };
>
> // Private Use Networks (RFC 1918)
> zone "10.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "16.172.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "17.172.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "18.172.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "19.172.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "20.172.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "21.172.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "22.172.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "23.172.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "24.172.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "25.172.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "26.172.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "27.172.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "28.172.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "29.172.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "30.172.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "31.172.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "168.192.in-addr.arpa" { type master; file "master/empty.db"; };
>
> // Link-local/APIPA (RFCs 3330 and 3927)
> zone "254.169.in-addr.arpa" { type master; file "master/empty.db"; };
>
> // TEST-NET for Documentation (RFC 3330)
> zone "2.0.192.in-addr.arpa" { type master; file "master/empty.db"; };
>
> // Router Benchmark Testing (RFC 3330)
> zone "18.198.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "19.198.in-addr.arpa" { type master; file "master/empty.db"; };
>
> // IANA Reserved - Old Class E Space
> zone "240.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "241.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "242.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "243.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "244.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "245.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "246.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "247.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "248.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "249.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "250.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "251.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "252.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "253.in-addr.arpa" { type master; file "master/empty.db"; };
> zone "254.in-addr.arpa" { type master; file "master/empty.db"; };
>
> // IPv6 Unassigned Addresses (RFC 4291)
> zone "1.ip6.arpa" { type master; file "master/empty.db"; };
> zone "3.ip6.arpa" { type master; file "master/empty.db"; };
> zone "4.ip6.arpa" { type master; file "master/empty.db"; };
> zone "5.ip6.arpa" { type master; file "master/empty.db"; };
> zone "6.ip6.arpa" { type master; file "master/empty.db"; };
> zone "7.ip6.arpa" { type master; file "master/empty.db"; };
> zone "8.ip6.arpa" { type master; file "master/empty.db"; };
> zone "9.ip6.arpa" { type master; file "master/empty.db"; };
> zone "a.ip6.arpa" { type master; file "master/empty.db"; };
> zone "b.ip6.arpa" { type master; file "master/empty.db"; };
> zone "c.ip6.arpa" { type master; file "master/empty.db"; };
> zone "d.ip6.arpa" { type master; file "master/empty.db"; };
> zone "e.ip6.arpa" { type master; file "master/empty.db"; };
> zone "0.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "1.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "2.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "3.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "4.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "5.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "6.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "7.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "8.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "9.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "a.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "b.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "0.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "1.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "2.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "3.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "4.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "5.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "6.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "7.e.f.ip6.arpa" { type master; file "master/empty.db"; };
>
> // IPv6 ULA (RFC 4193)
> zone "c.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "d.f.ip6.arpa" { type master; file "master/empty.db"; };
>
> // IPv6 Link Local (RFC 4291)
> zone "8.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "9.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "a.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "b.e.f.ip6.arpa" { type master; file "master/empty.db"; };
>
> // IPv6 Deprecated Site-Local Addresses (RFC 3879)
> zone "c.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "d.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "e.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> zone "f.e.f.ip6.arpa" { type master; file "master/empty.db"; };
>
> // IP6.INT is Deprecated (RFC 4159)
> zone "ip6.int" { type master; file "master/empty.db"; };
>
> // NB: Do not use the IP addresses below, they are faked, and only
> // serve demonstration/documentation purposes!
> //
> // Example slave zone config entries. It can be convenient to become
> // a slave at least for the zone your own domain is in. Ask
> // your network administrator for the IP address of the responsible
> // master name server.
> //
> // Do not forget to include the reverse lookup zone!
> // This is named after the first bytes of the IP address, in reverse
> // order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
> //
> // Before starting to set up a master zone, make sure you fully
> // understand how DNS and BIND work. There are sometimes
> // non-obvious pitfalls. Setting up a slave zone is usually simpler.
> //
> // NB: Don't blindly enable the examples below. :-) Use actual names
> // and addresses instead.
>
> /* An example dynamic zone
> key "exampleorgkey" {
>     algorithm hmac-md5;
>     secret "sf87HJqjkqh8ac87a02lla==";
> };
> zone "example.org" {
>     type master;
>     allow-update {
>         key "exampleorgkey";
>     };
>     file "dynamic/example.org";
> };
> */
>
> /* Example of a slave reverse zone
> zone "1.168.192.in-addr.arpa" {
>     type slave;
>     file "slave/1.168.192.in-addr.arpa";
>     masters {
>         192.168.1.1;
>     };
> };
> */
>
> zone "97.179.208.in-addr.arpa" IN {
>     type master;
>     file "master/reverse.zone";
>     allow-transfer { 76.238.148.146; 4.35.33.247; };
> };
>
>
> zone "localhost" IN {
>     type master;
>     file "localhost.zone";
>     allow-update { none; };
> };
>
> zone "chrismaness.com" {
>     type master;
>     file "master/chrismaness.com";
>     // IP addresses of slave servers allowed to transfer chrismaness.com
>     allow-transfer {
>         76.238.148.146;
>     };
>
> };
>
> ###########
>
> Does anything look strange here? I also tried uncommenting the listen
> on directive with the correct IP, and my server stopped resolving
> names for hosts that it is authoritative for.
>
> Any help would be appreciated.
>
> Thanks,
> Chris Maness
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

You may want to explicitly set up a recursion ACL on it. Look at these options below. The defaults may have changed when you did an upgrade:

allow-query { auth_hosts; };
allow-recursion { auth_hosts; };
allow-query-cache { auth_hosts; };
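An added example of how the three options in krad's reply fit together; this is not code from the thread or from FreeBSD's stock named.conf. The reply refers to an ACL named `auth_hosts` but does not define it, and named will refuse to load a configuration that uses an ACL name before an `acl` statement defines it, so the definition comes first here. The ACL name and the 192.168.1.0/24 prefix are assumptions; the `chrismaness.com` zone and the transfer address are taken from the quoted config. Since BIND 9.4, `allow-recursion` and `allow-query-cache` default to `localnets; localhost;` when they are not set, which matches the symptom in the thread; writing the policy out makes it explicit rather than dependent on whatever the current default is.

```conf
// Added example (not from the thread). "auth_hosts" and 192.168.1.0/24
// are assumed placeholders; substitute your own networks.

// Define the ACL before anything refers to it.
acl "auth_hosts" {
    localhost;          // built-in ACL: the server's own addresses
    localnets;          // built-in ACL: every network this host has an interface on
    192.168.1.0/24;     // assumed: a further LAN that may use this server as a resolver
};

options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";

    // Anyone may send a query, but only ACL members get recursion or
    // cached data. Zones this server is authoritative for therefore
    // stay reachable from the Internet, while the server is not an
    // open resolver for everyone else.
    allow-query       { any; };
    allow-recursion   { auth_hosts; };
    allow-query-cache { auth_hosts; };
};

zone "." { type hint; file "named.root"; };

zone "chrismaness.com" {
    type master;
    file "master/chrismaness.com";
    allow-transfer { 76.238.148.146; };
};
```

Check the file with `named-checkconf /etc/namedb/named.conf` before `rndc reload`. From a host outside the ACL, `dig @<server> www.example.com` should then come back without the `ra` flag and without an answer section, while `dig @<server> chrismaness.com` is still answered with `aa` set. If you instead copy the reply literally and restrict `allow-query` to the ACL as well, add `allow-query { any; };` inside each authoritative zone statement; the global `allow-query` applies to every zone that does not override it, so outside resolvers would otherwise be refused for those zones too.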