Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 29 Nov 2003 16:18:13 +0000
From:      Stacey Roberts <stacey@vickiandstacey.com>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Named errors - running BIND in sandbox
Message-ID:  <20031129161813.GG44778@crom.vickiandstacey.com>

next in thread | raw e-mail | index | archive | help
Hello,
    I know that I've asked this in the past, but after a fresh reinstall of the machine on my local network that provided (amongst other services) DNS to all other machines (FreeBSD, Solaris, WIn2K & WinXP Pro), I find that I am not having much success setting up BIND in a sandbox.

The box is running FreeBSD-4.9Stable (after initially installing 4.8-Rel) after cvsup of sources.

Basically, the errors I get on start up is here:
/etc/namedb/etc # tail /var/log/messages
Nov 29 15:42:39 Demon named[226]: 'masters' statement present for master zone 'vickiandstacey.com'
Nov 29 15:42:39 Demon named[226]: zone 'vickiandstacey.com' did not validate, skipping
Nov 29 15:42:39 Demon named[226]: bind(dfd=20, [192.168.1.8].53): Address already in use
Nov 29 15:42:39 Demon named[226]: deleting interface [192.168.1.8].53
Nov 29 15:42:39 Demon named[226]: bind(dfd=20, [127.0.0.1].53): Address already in use
Nov 29 15:42:39 Demon named[226]: deleting interface [127.0.0.1].53
Nov 29 15:42:39 Demon named[226]: not listening on any interfaces
Nov 29 15:42:39 Demon named[233]: Ready to answer queries.
Nov 29 15:42:39 Demon named[234]: can't exec /bin/named-xfer: No such file or directory
Nov 29 15:43:47 Demon named-xfer[240]: [192.168.1.8] not authoritative for 1.168.192.in-addr.arpa, SOA query got rcode 0, aa 0, ancount 0, aucount 13
/etc/namedb/etc #

Here's the layout for named as followed from the HandBook (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-dns.html#NETWORK-NAMED-SANDBOX):
$ ls -la /etc/namedb
total 22
drwxr-xr-x   8 root  wheel   512 Nov 29 12:43 .
drwxr-xr-x  17 root  wheel  2048 Nov 25 12:49 ..
-rw-r--r--   1 root  wheel   427 Apr  3  2003 PROTO.localhost-v6.rev
-rw-r--r--   1 root  wheel   423 Apr  3  2003 PROTO.localhost.rev
drwxr-xr-x   2 root  wheel   512 Nov 29 11:33 bin
drwxr-xr-x   2 root  wheel   512 Nov 29 15:33 dev
drwxr-xr-x   2 root  wheel   512 Nov 29 11:39 etc
-rw-r--r--   1 root  wheel  1032 Apr  3  2003 make-localhost
drwxr-xr-x   2 root  wheel   512 Nov 29 12:22 master
lrwxr-xr-x   1 root  wheel    14 Nov 29 11:19 named.conf -> etc/named.conf
drwxr-xr-x   2 bind  bind    512 Nov 29 16:03 slave
drwxr-xr-x   4 root  wheel   512 Nov 29 12:43 var
stacey@Demon ~ $

$ ls -la /etc/namedb/etc
total 14
drwxr-xr-x  2 root  wheel   512 Nov 29 11:39 .
drwxr-xr-x  8 root  wheel   512 Nov 29 12:43 ..
-r--r--r--  1 root  wheel  1323 Nov 29 11:18 localtime
-rw-r--r--  1 root  wheel  3892 Nov 29 15:42 named.conf
-rw-r--r--  1 root  wheel  3478 Nov 29 11:39 named.conf-29112003
stacey@Demon ~ $

stacey@Demon ~ $ ls -la /etc/namedb/master/
total 16
drwxr-xr-x  2 root  wheel   512 Nov 29 12:22 .
drwxr-xr-x  8 root  wheel   512 Nov 29 12:43 ..
-rw-r--r--  1 root  wheel   493 Nov 29 11:20 localhost-v6.rev
-rw-r--r--  1 root  wheel   489 Nov 29 11:20 localhost.rev
-rw-r--r--  1 root  wheel   200 Nov 29 15:40 named.localhost
-rw-r--r--  1 root  wheel  2583 Apr  3  2003 named.root
-rw-r--r--  1 root  wheel   473 Nov 29 15:31 vickiandstacey.com.db
stacey@Demon ~ $

stacey@Demon ~ $ ls -la /etc/namedb/slave/
total 6
drwxr-xr-x  2 bind  bind   512 Nov 29 16:03 .
drwxr-xr-x  8 root  wheel  512 Nov 29 12:43 ..
-rw-r--r--  1 root  bind   460 Nov 29 13:15 1.168.192.in-addr.arpa
stacey@Demon ~ $

Here are the config files: -

named.conf:
stacey@Demon /etc/namedb/etc $ cat named.conf
// $FreeBSD: src/etc/namedb/named.conf,v 1.6.2.7 2003/02/13 13:16:51 keramida Exp $
//
// Refer to the named.conf(5) and named(8) man pages for details.  If
// you are ever going to set up a primary server, make sure you
// understand the hairy details of how DNS works.  Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.
 
options {
        directory "/";
        named-xfer "/bin/named-xfer";
        version "";     // Don't reveal BIND version
 
// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
//      forward only;
 
// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
 
        forwarders {
                212.23.8.6;
        };
 
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
          
        query-source address * port 53;
 
 
         * If running in a sandbox, you may have to specify a different
         * location for the dumpfile.
        // dump-file "s/named_dump.db";
};
 
// ndc control socket
controls {
        unix "/var/run/ndc" perm 0600 owner 0 group 0;
};
 
// Note: the following will be supported in a future release.
/*
host { any; } {
        topology {
                127.0.0.0/8;
        };
};
*/
 
// Setting up secondaries is way easier and a rough example for this
// is provided below.
//
// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.
 
zone "." {
        type hint;
        file "master/named.root";
};
 
zone "localhost" IN {
        type master;
        file "master/named.localhost";
        allow-transfer { localhost; };
        notify no;
};
 
zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "master/localhost.rev";
        allow-transfer { localhost; };
        notify no;
};
 
// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
        type master;
        file "master/localhost-v6.rev";
        allow-transfer { localhost; };
        notify no;
};
 
// RFC 1886 -- deprecated
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
        type master;
        file "master/localhost-v6.rev";
};
 
// NB: Do not use the IP addresses below, they are faked, and only
// serve demonstration/documentation purposes!
//
// Example secondary config entries.  It can be convenient to become
// a secondary at least for the zone your own domain is in.  Ask
// your network administrator for the IP address of the responsible
// primary.
//
// Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
// (This is named after the first bytes of the IP address, in reverse
// order, with ".IN-ADDR.ARPA" appended.)
//
// Before starting to set up a primary zone, make sure you fully
// understand how DNS and BIND works.  There are sometimes
// non-obvious pitfalls.  Setting up a secondary is simpler.
//
// NB: Don't blindly enable the examples below. :-)  Use actual names
// and addresses instead.
//
// NOTE!!! FreeBSD can run bind in a sandbox (see named_flags in rc.conf).
// The directory containing the secondary zones must be write accessible
// to bind.  The following sequence is suggested:
//
//      mkdir /etc/namedb/s
//      chown bind:bind /etc/namedb/s
//      chmod 750 /etc/namedb/s
 
 
zone "vickiandstacey.com" {
        type master;
        file "master/vickiandstacey.com.db";
        allow-transfer { 192.168.1.0/24; };
        masters {
                192.168.1.8;
        };
};
 
zone "1.168.192.in-addr.arpa" {
        type slave;
        file "slave/1.168.192.in-addr.arpa";
        masters {
                192.168.1.8;
        };
};
 
stacey@Demon /etc/namedb/etc $

vickiandstacey.com.db:
stacey@Demon /etc/namedb $ cat master/vickiandstacey.com.db
$TTL 3600
 
vickiandstacey.com.     IN      SOA     Demon.vickiandstacey.com.       stacey.vickiandstacey.com. (
                                        6               ; Serial
                                        10800           ; Refresh
                                        3600            ; Retry
                                        604800          ; Expire
                                        86400 )         ; Minimum TTL
 
; DNS Servers
@                       IN      NS      Demon.vickiandstacey.com.
 
; Host Names
localhost               IN      A       127.0.0.1
snowball                IN      A       192.168.1.6
omni                    IN      A       192.168.1.7
Demon                   IN      A       192.168.1.8
crom                    IN      A       192.168.1.10
conan                   IN      A       192.168.1.12
ibm                     IN      A       192.168.1.14
 
; Aliases
;www                    IN      CNAME   @
stacey@Demon /etc/namedb $

1.168.192.in-addr.arpa:
stacey@Demon /etc/namedb $ cat slave/1.168.192.in-addr.arpa
$TTL 3600
 
1.168.192.in-addr.arpa  IN      SOA     Demon.vickiandstacey.com.       stacey.vickiandstacey.com. (
                                6               ; Serial
                                10800           ; Refresh
                                3600            ; Retry
                                604800          ; Expire
                                3600 )          ; Minimum TTL
 
@                       IN      NS      Demon.vickiandstacey.com.
 
6                       IN      PTR     snowball.vickiandstacey.com.
7                       IN      PTR     omni.vickiandstacey.com.
8                       IN      PTR     Demon.vickiandstacey.com.
10                      IN      PTR     crom.vickiandstacey.com.
12                      IN      PTR     conan.vickiandstacey.com.
14                      IN      PTR     ibm.vickiandstacey.com.
stacey@Demon /etc/namedb $

Here is the relevant entries in /etc/rc.conf:
stacey@Demon /etc/namedb $ grep -i named /etc/rc.conf
syslogd_flags="-ss -l /etc/namedb/dev/log"
named_enable="YES"
named_flags="-u bind -g bind -t /etc/namedb /etc/named.conf"
stacey@Demon /etc/namedb $

Here's what I've got in resolv.conf:
root@Demon /etc/namedb # cat /etc/resolv.conf
domain  vickiandstacey.com
nameserver      127.0.0.1
nameserver      192.168.1.8
root@Demon /etc/namedb #

An example of my problem follows:
root@Demon /etc/namedb # nslookup
Default Server:  localhost.vickiandstacey.com
Address:  127.0.0.1
 
> server Demon.vickiandstacey.com
Default Server:  Demon.vickiandstacey.com
Address:  82.68.31.177
 
>

What I had prior to installing, I would get "Demon.vickiandstacey.com" returned as the Default Server, not localhost as above.

Secondly, the address 82.68.31.177 is the real IP address of Demon (I have a block of 8) that is translated to 192.168.1.8, the internal IP address of Demon. So I'd have hoped that trying to set server to Demon, would have resulted in "Address: 192.168.1.8" instead of the machine's real IP address.

I'd gladly provide more information here if anyone thinks it would assist in helping me here. Thanks for the time.

Regards,

Stacey
-- 
Stacey Roberts
B. Sc (HONS) Computer Science

Web: www.vickiandstacey.com



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031129161813.GG44778>