Date: Wed, 30 Jun 2010 07:34:30 -0700
From: Chris Maness <chris@chrismaness.com>
To: krad <kraduk@googlemail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: BIND Refusing to Resolve for External Hosts
Message-ID: <AANLkTinhx0LuivXNQNQKz3g57OSWTScWIIyZlP_ngrdk@mail.gmail.com>
In-Reply-To: <AANLkTimWrBi3wxvkKR0tLabbI1nz7fU_7xu0QZFeJ8ep@mail.gmail.com>
References: <AANLkTimgwvEhu9gt-L9_apH_rnwsv3NHSBARpHJepsvy@mail.gmail.com> <AANLkTimWrBi3wxvkKR0tLabbI1nz7fU_7xu0QZFeJ8ep@mail.gmail.com>
On Wed, Jun 30, 2010 at 1:49 AM, krad <kraduk@googlemail.com> wrote:
>
>
> On 29 June 2010 07:20, Chris Maness <chris@chrismaness.com> wrote:
>>
>> My named server used to resolve for external hosts.  Recently I have
>> noticed that it no longer resolves names for resolvers not on the
>> local host.  It works just fine for dig on the dns server itself.  It
>> also works for domains that it has authority over.  I also have it set
>> up to be a caching server on my network.  Has the spec for the config
>> file changed or something?
>>
>> Here is the beginning of the config file:
>>
>> cat named.conf
>> // $FreeBSD: src/etc/namedb/named.conf,v 1.26.2.2.2.1 2008/11/25 02:59:29 kensmith Exp $
>> //
>> // Refer to the named.conf(5) and named(8) man pages, and the documentation
>> // in /usr/share/doc/bind9 for more details.
>> //
>> // If you are going to set up an authoritative server, make sure you
>> // understand the hairy details of how DNS works.  Even with
>> // simple mistakes, you can break connectivity for affected parties,
>> // or cause huge amounts of useless Internet traffic.
>>
>> options {
>>         // Relative to the chroot directory, if any
>>         directory       "/etc/namedb";
>>         pid-file        "/var/run/named/pid";
>>         dump-file       "/var/dump/named_dump.db";
>>         statistics-file "/var/stats/named.stats";
>>         allow-transfer {
>>                 76.238.148.146;
>>                 };
>>
>> // If named is being used only as a local resolver, this is a safe default.
>> // For named to be accessible to the network, comment this option, specify
>> // the proper IP address, or delete this option.
>> //      listen-on       { 127.0.0.1; };
>>
>> // If you have IPv6 enabled on this system, uncomment this option for
>> // use as a local resolver.  To give access to the network, specify
>> // an IPv6 address, or the keyword "any".
>> //      listen-on-v6    { ::1; };
>>
>> // These zones are already covered by the empty zones listed below.
>> // If you remove the related empty zones below, comment these lines out.
>>         disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
>>         disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
>>         disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
>>
>> // In addition to the "forwarders" clause, you can force your name
>> // server to never initiate queries of its own, but always ask its
>> // forwarders only, by enabling the following line:
>> //
>> //      forward only;
>>
>> // If you've got a DNS server around at your upstream provider, enter
>> // its IP address here, and enable the line below.  This will make you
>> // benefit from its cache, thus reduce overall DNS traffic in the Internet.
>> /*
>>         forwarders {
>>                 127.0.0.1;
>>         };
>> */
>>         /*
>>            Modern versions of BIND use a random UDP port for each outgoing
>>            query by default in order to dramatically reduce the possibility
>>            of cache poisoning.  All users are strongly encouraged to utilize
>>            this feature, and to configure their firewalls to accommodate it.
>>
>>            AS A LAST RESORT in order to get around a restrictive firewall
>>            policy you can try enabling the option below.  Use of this option
>>            will significantly reduce your ability to withstand cache poisoning
>>            attacks, and should be avoided if at all possible.
>>
>>            Replace NNNNN in the example with a number between 49160 and 65530.
>>         */
>>         // query-source address * port NNNNN;
>> };
>>
>> // If you enable a local name server, don't forget to enter 127.0.0.1
>> // first in your /etc/resolv.conf so this server will be queried.
>> // Also, make sure to enable it in /etc/rc.conf.
>>
>> // The traditional root hints mechanism. Use this, OR the slave zones below.
>> zone "." { type hint; file "named.root"; };
>>
>> /*      Slaving the following zones from the root name servers has some
>>         significant advantages:
>>         1. Faster local resolution for your users
>>         2. No spurious traffic will be sent from your network to the roots
>>         3. Greater resilience to any potential root server failure/DDoS
>>
>>         On the other hand, this method requires more monitoring than the
>>         hints file to be sure that an unexpected failure mode has not
>>         incapacitated your server.  Name servers that are serving a lot
>>         of clients will benefit more from this approach than individual
>>         hosts.  Use with caution.
>>
>>         To use this mechanism, uncomment the entries below, and comment
>>         the hint zone above.
>> */
>> /*
>> zone "." {
>>         type slave;
>>         file "slave/root.slave";
>>         masters {
>>                 192.5.5.241;    // F.ROOT-SERVERS.NET.
>>         };
>>         notify no;
>> };
>>
>> zone "0.0.127.IN-ADDR.ARPA" {
>>         type master;
>>         file "master/localhost.rev";
>> };
>> zone "in-addr.arpa" {
>>         type slave;
>>         file "slave/in-addr.arpa.slave";
>>         masters {
>>                 192.5.5.241;    // F.ROOT-SERVERS.NET.
>>         };
>>         notify no;
>> };
>> */
>>
>> /*      Serving the following zones locally will prevent any queries
>>         for these zones leaving your network and going to the root
>>         name servers.  This has two significant advantages:
>>         1. Faster local resolution for your users
>>         2. No spurious traffic will be sent from your network to the roots
>> */
>> // RFC 1912
>> zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
>> zone "255.in-addr.arpa" { type master; file "master/empty.db"; };
>>
>> // RFC 1912-style zone for IPv6 localhost address
>> zone "0.ip6.arpa"               { type master; file "master/localhost-reverse.db"; };
>>
>> // "This" Network (RFCs 1912 and 3330)
>> zone "0.in-addr.arpa"           { type master; file "master/empty.db"; };
>>
>> // Private Use Networks (RFC 1918)
>> zone "10.in-addr.arpa"          { type master; file "master/empty.db"; };
>> zone "16.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>> zone "17.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>> zone "18.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>> zone "19.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>> zone "20.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>> zone "21.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>> zone "22.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>> zone "23.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>> zone "24.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>> zone "25.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>> zone "26.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>> zone "27.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>> zone "28.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>> zone "29.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>> zone "30.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>> zone "31.172.in-addr.arpa"      { type master; file "master/empty.db"; };
>> zone "168.192.in-addr.arpa"     { type master; file "master/empty.db"; };
>>
>> // Link-local/APIPA (RFCs 3330 and 3927)
>> zone "254.169.in-addr.arpa"     { type master; file "master/empty.db"; };
>>
>> // TEST-NET for Documentation (RFC 3330)
>> zone "2.0.192.in-addr.arpa"     { type master; file "master/empty.db"; };
>>
>> // Router Benchmark Testing (RFC 3330)
>> zone "18.198.in-addr.arpa"      { type master; file "master/empty.db"; };
>> zone "19.198.in-addr.arpa"      { type master; file "master/empty.db"; };
>>
>> // IANA Reserved - Old Class E Space
>> zone "240.in-addr.arpa"         { type master; file "master/empty.db"; };
>> zone "241.in-addr.arpa"         { type master; file "master/empty.db"; };
>> zone "242.in-addr.arpa"         { type master; file "master/empty.db"; };
>> zone "243.in-addr.arpa"         { type master; file "master/empty.db"; };
>> zone "244.in-addr.arpa"         { type master; file "master/empty.db"; };
>> zone "245.in-addr.arpa"         { type master; file "master/empty.db"; };
>> zone "246.in-addr.arpa"         { type master; file "master/empty.db"; };
>> zone "247.in-addr.arpa"         { type master; file "master/empty.db"; };
>> zone "248.in-addr.arpa"         { type master; file "master/empty.db"; };
>> zone "249.in-addr.arpa"         { type master; file "master/empty.db"; };
>> zone "250.in-addr.arpa"         { type master; file "master/empty.db"; };
>> zone "251.in-addr.arpa"         { type master; file "master/empty.db"; };
>> zone "252.in-addr.arpa"         { type master; file "master/empty.db"; };
>> zone "253.in-addr.arpa"         { type master; file "master/empty.db"; };
>> zone "254.in-addr.arpa"         { type master; file "master/empty.db"; };
>>
>> // IPv6 Unassigned Addresses (RFC 4291)
>> zone "1.ip6.arpa"               { type master; file "master/empty.db"; };
>> zone "3.ip6.arpa"               { type master; file "master/empty.db"; };
>> zone "4.ip6.arpa"               { type master; file "master/empty.db"; };
>> zone "5.ip6.arpa"               { type master; file "master/empty.db"; };
>> zone "6.ip6.arpa"               { type master; file "master/empty.db"; };
>> zone "7.ip6.arpa"               { type master; file "master/empty.db"; };
>> zone "8.ip6.arpa"               { type master; file "master/empty.db"; };
>> zone "9.ip6.arpa"               { type master; file "master/empty.db"; };
>> zone "a.ip6.arpa"               { type master; file "master/empty.db"; };
>> zone "b.ip6.arpa"               { type master; file "master/empty.db"; };
>> zone "c.ip6.arpa"               { type master; file "master/empty.db"; };
>> zone "d.ip6.arpa"               { type master; file "master/empty.db"; };
>> zone "e.ip6.arpa"               { type master; file "master/empty.db"; };
>> zone "0.f.ip6.arpa"             { type master; file "master/empty.db"; };
>> zone "1.f.ip6.arpa"             { type master; file "master/empty.db"; };
>> zone "2.f.ip6.arpa"             { type master; file "master/empty.db"; };
>> zone "3.f.ip6.arpa"             { type master; file "master/empty.db"; };
>> zone "4.f.ip6.arpa"             { type master; file "master/empty.db"; };
>> zone "5.f.ip6.arpa"             { type master; file "master/empty.db"; };
>> zone "6.f.ip6.arpa"             { type master; file "master/empty.db"; };
>> zone "7.f.ip6.arpa"             { type master; file "master/empty.db"; };
>> zone "8.f.ip6.arpa"             { type master; file "master/empty.db"; };
>> zone "9.f.ip6.arpa"             { type master; file "master/empty.db"; };
>> zone "a.f.ip6.arpa"             { type master; file "master/empty.db"; };
>> zone "b.f.ip6.arpa"             { type master; file "master/empty.db"; };
>> zone "0.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>> zone "1.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>> zone "2.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>> zone "3.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>> zone "4.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>> zone "5.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>> zone "6.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>> zone "7.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>
>> // IPv6 ULA (RFC 4193)
>> zone "c.f.ip6.arpa"             { type master; file "master/empty.db"; };
>> zone "d.f.ip6.arpa"             { type master; file "master/empty.db"; };
>>
>> // IPv6 Link Local (RFC 4291)
>> zone "8.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>> zone "9.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>> zone "a.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>> zone "b.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>
>> // IPv6 Deprecated Site-Local Addresses (RFC 3879)
>> zone "c.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>> zone "d.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>> zone "e.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>> zone "f.e.f.ip6.arpa"           { type master; file "master/empty.db"; };
>>
>> // IP6.INT is Deprecated (RFC 4159)
>> zone "ip6.int"                  { type master; file "master/empty.db"; };
>>
>> // NB: Do not use the IP addresses below, they are faked, and only
>> // serve demonstration/documentation purposes!
>> //
>> // Example slave zone config entries.  It can be convenient to become
>> // a slave at least for the zone your own domain is in.  Ask
>> // your network administrator for the IP address of the responsible
>> // master name server.
>> //
>> // Do not forget to include the reverse lookup zone!
>> // This is named after the first bytes of the IP address, in reverse
>> // order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
>> //
>> // Before starting to set up a master zone, make sure you fully
>> // understand how DNS and BIND work.  There are sometimes
>> // non-obvious pitfalls.  Setting up a slave zone is usually simpler.
>> //
>> // NB: Don't blindly enable the examples below. :-)  Use actual names
>> // and addresses instead.
>>
>> /* An example dynamic zone
>> key "exampleorgkey" {
>>         algorithm hmac-md5;
>>         secret "sf87HJqjkqh8ac87a02lla==";
>> };
>> zone "example.org" {
>>         type master;
>>         allow-update {
>>                 key "exampleorgkey";
>>         };
>>         file "dynamic/example.org";
>> };
>> */
>>
>> /* Example of a slave reverse zone
>> zone "1.168.192.in-addr.arpa" {
>>         type slave;
>>         file "slave/1.168.192.in-addr.arpa";
>>         masters {
>>                 192.168.1.1;
>>         };
>> };
>> */
>>
>> zone "97.179.208.in-addr.arpa" IN {
>>         type master;
>>         file "master/reverse.zone";
>>         allow-transfer { 76.238.148.146; 4.35.33.247; };
>> };
>>
>>
>> zone "localhost" IN {
>>         type master;
>>         file "localhost.zone";
>>         allow-update { none; };
>> };
>>
>> zone "chrismaness.com" {
>>         type master;
>>         file "master/chrismaness.com";
>>         // IP addresses of slave servers allowed to transfer chrismaness.com
>>         allow-transfer {
>>                 76.238.148.146;
>>                 };
>>
>> };
>>
>> ###########
>>
>> Does anything look strange here?  I also tried uncommenting the listen
>> on directive with the correct IP, and my server stopped resolving
>> names for hosts that it is authoritative for.
>>
>> Any help would be appreciated.
>>
>> Thanks,
>> Chris Maness
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
>
> you may want to explicitly set up a recursion acl on it. Look at these
> options below. The defaults may have changed when you did an upgrade
>
>         allow-query { auth_hosts; };
>         allow-recursion { auth_hosts; };
>         allow-query-cache { auth_hosts; };
>

What is a recursion acl?  Can I just add these lines to my config file to
set it up?  Is the auth_hosts flag referring to a file with authorized
clients?  I did figure that something got nailed during mergemaster.

Thanks,
Chris Maness
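For readers following the thread: in BIND 9 an `acl` is a named address-match list declared in named.conf itself, so `auth_hosts` in krad's reply is a name you define, not a file of authorized clients. Since BIND 9.4 the defaults for `allow-recursion` and `allow-query-cache` are `{ localnets; localhost; }`, which is why a server that used to recurse for the whole LAN after an upgrade may suddenly answer only the box it runs on. The fragment below is an added example, not part of the thread or of the FreeBSD stock named.conf; the `auth_hosts` name comes from krad's reply, and the 192.168.1.0/24 network and the 198.51.100.7 server address are constructed placeholders to be replaced with real values.

```conf
// Added example (not from the thread): restricting recursion with an acl.
// Addresses below are constructed placeholders: replace 192.168.1.0/24 with
// the local network and 198.51.100.7 with the server's own public address.

// An acl is a named address-match list, declared here in named.conf.
// "auth_hosts" is only a label; any name can be used.
acl "auth_hosts" {
        127.0.0.1;              // the server itself (dig on the box)
        ::1;
        192.168.1.0/24;         // constructed: the local network
        198.51.100.7;           // constructed: the server's public address
};

options {
        directory       "/etc/namedb";

        // listen-on REPLACES the default of "all IPv4 interfaces".  If it
        // is set at all, list the loopback address together with the public
        // one, or clients pointing at 127.0.0.1 in resolv.conf lose service.
        listen-on       { 127.0.0.1; 198.51.100.7; };

        recursion yes;

        // Plain queries stay open so the rest of the Internet can still
        // look up the zones this server is authoritative for.  A global
        // "allow-query { auth_hosts; };" would hide those zones from the
        // world as well; restrict per zone instead if that is wanted.
        allow-query       { any; };

        // Only the acl members may use this server as a recursive, caching
        // resolver.  Everyone else gets REFUSED for names the server is not
        // authoritative for, which is what keeps it from being an open
        // resolver that strangers can use (and abuse) as a forwarder.
        allow-recursion   { auth_hosts; };
        allow-query-cache { auth_hosts; };

        // Weak form, for contrast only:  allow-recursion { any; };
        // That turns the box into an open recursive resolver for the
        // whole Internet and is what the acl is meant to prevent.
};
```

After editing, `named-checkconf /etc/namedb/named.conf` validates the syntax and `rndc reload` (or `/etc/rc.d/named reload` on FreeBSD) applies it. The expected behaviour is then: a host inside 192.168.1.0/24 running `dig @198.51.100.7 www.example.com` gets an answer with the `ra` flag set, a host outside it gets `status: REFUSED` for the same query, and both get answers for the server's own authoritative zones. If the local queries come back REFUSED as well, the client's source address is not covered by the acl, which is the first thing to check.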
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AANLkTinhx0LuivXNQNQKz3g57OSWTScWIIyZlP_ngrdk>