Date: Sat, 29 Nov 2003 16:18:13 +0000
From: Stacey Roberts <stacey@vickiandstacey.com>
To: freebsd-questions@FreeBSD.ORG
Subject: Named errors - running BIND in sandbox
Message-ID: <20031129161813.GG44778@crom.vickiandstacey.com>
Hello,

I know that I've asked this in the past, but after a fresh reinstall of the machine on my local network that provided (amongst other services) DNS to all other machines (FreeBSD, Solaris, Win2K & WinXP Pro), I find that I am not having much success setting up BIND in a sandbox.

The box is running FreeBSD 4.9-STABLE (after initially installing 4.8-RELEASE) after a cvsup of sources.

Basically, the errors I get on start-up are here:

/etc/namedb/etc # tail /var/log/messages
Nov 29 15:42:39 Demon named[226]: 'masters' statement present for master zone 'vickiandstacey.com'
Nov 29 15:42:39 Demon named[226]: zone 'vickiandstacey.com' did not validate, skipping
Nov 29 15:42:39 Demon named[226]: bind(dfd=20, [192.168.1.8].53): Address already in use
Nov 29 15:42:39 Demon named[226]: deleting interface [192.168.1.8].53
Nov 29 15:42:39 Demon named[226]: bind(dfd=20, [127.0.0.1].53): Address already in use
Nov 29 15:42:39 Demon named[226]: deleting interface [127.0.0.1].53
Nov 29 15:42:39 Demon named[226]: not listening on any interfaces
Nov 29 15:42:39 Demon named[233]: Ready to answer queries.
Nov 29 15:42:39 Demon named[234]: can't exec /bin/named-xfer: No such file or directory
Nov 29 15:43:47 Demon named-xfer[240]: [192.168.1.8] not authoritative for 1.168.192.in-addr.arpa, SOA query got rcode 0, aa 0, ancount 0, aucount 13
/etc/namedb/etc #

Here's the layout for named as followed from the Handbook (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-dns.html#NETWORK-NAMED-SANDBOX):

$ ls -la /etc/namedb
total 22
drwxr-xr-x   8 root  wheel   512 Nov 29 12:43 .
drwxr-xr-x  17 root  wheel  2048 Nov 25 12:49 ..
-rw-r--r--   1 root  wheel   427 Apr  3  2003 PROTO.localhost-v6.rev
-rw-r--r--   1 root  wheel   423 Apr  3  2003 PROTO.localhost.rev
drwxr-xr-x   2 root  wheel   512 Nov 29 11:33 bin
drwxr-xr-x   2 root  wheel   512 Nov 29 15:33 dev
drwxr-xr-x   2 root  wheel   512 Nov 29 11:39 etc
-rw-r--r--   1 root  wheel  1032 Apr  3  2003 make-localhost
drwxr-xr-x   2 root  wheel   512 Nov 29 12:22 master
lrwxr-xr-x   1 root  wheel    14 Nov 29 11:19 named.conf -> etc/named.conf
drwxr-xr-x   2 bind  bind    512 Nov 29 16:03 slave
drwxr-xr-x   4 root  wheel   512 Nov 29 12:43 var
stacey@Demon ~ $

stacey@Demon ~ $ ls -la /etc/namedb/etc
total 14
drwxr-xr-x   2 root  wheel   512 Nov 29 11:39 .
drwxr-xr-x   8 root  wheel   512 Nov 29 12:43 ..
-r--r--r--   1 root  wheel  1323 Nov 29 11:18 localtime
-rw-r--r--   1 root  wheel  3892 Nov 29 15:42 named.conf
-rw-r--r--   1 root  wheel  3478 Nov 29 11:39 named.conf-29112003
stacey@Demon ~ $

stacey@Demon ~ $ ls -la /etc/namedb/master/
total 16
drwxr-xr-x   2 root  wheel   512 Nov 29 12:22 .
drwxr-xr-x   8 root  wheel   512 Nov 29 12:43 ..
-rw-r--r--   1 root  wheel   493 Nov 29 11:20 localhost-v6.rev
-rw-r--r--   1 root  wheel   489 Nov 29 11:20 localhost.rev
-rw-r--r--   1 root  wheel   200 Nov 29 15:40 named.localhost
-rw-r--r--   1 root  wheel  2583 Apr  3  2003 named.root
-rw-r--r--   1 root  wheel   473 Nov 29 15:31 vickiandstacey.com.db
stacey@Demon ~ $

stacey@Demon ~ $ ls -la /etc/namedb/slave/
total 6
drwxr-xr-x   2 bind  bind    512 Nov 29 16:03 .
drwxr-xr-x   8 root  wheel   512 Nov 29 12:43 ..
-rw-r--r--   1 root  bind    460 Nov 29 13:15 1.168.192.in-addr.arpa
stacey@Demon ~ $

Here are the config files:

- named.conf:

stacey@Demon /etc/namedb/etc $ cat named.conf
// $FreeBSD: src/etc/namedb/named.conf,v 1.6.2.7 2003/02/13 13:16:51 keramida Exp $
//
// Refer to the named.conf(5) and named(8) man pages for details.  If
// you are ever going to set up a primary server, make sure you
// understand the hairy details of how DNS works.  Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.

options {
        directory "/";
        named-xfer "/bin/named-xfer";
        version "";             // Don't reveal BIND version

// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
//      forward only;

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.

        forwarders {
                212.23.8.6;
        };

        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        query-source address * port 53;

        /*
         * If running in a sandbox, you may have to specify a different
         * location for the dumpfile.
         */
        // dump-file "s/named_dump.db";
};

// ndc control socket
controls {
        unix "/var/run/ndc" perm 0600 owner 0 group 0;
};

// Note: the following will be supported in a future release.
/*
host { any; } {
        topology {
                127.0.0.0/8;
        };
};
*/

// Setting up secondaries is way easier and a rough example for this
// is provided below.
//
// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.

zone "." {
        type hint;
        file "master/named.root";
};

zone "localhost" IN {
        type master;
        file "master/named.localhost";
        allow-transfer { localhost; };
        notify no;
};

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "master/localhost.rev";
        allow-transfer { localhost; };
        notify no;
};

// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
        type master;
        file "master/localhost-v6.rev";
        allow-transfer { localhost; };
        notify no;
};

// RFC 1886 -- deprecated
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
        type master;
        file "master/localhost-v6.rev";
};

// NB: Do not use the IP addresses below, they are faked, and only
// serve demonstration/documentation purposes!
//
// Example secondary config entries.  It can be convenient to become
// a secondary at least for the zone your own domain is in.  Ask
// your network administrator for the IP address of the responsible
// primary.
//
// Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
// (This is named after the first bytes of the IP address, in reverse
// order, with ".IN-ADDR.ARPA" appended.)
//
// Before starting to set up a primary zone, make sure you fully
// understand how DNS and BIND works.  There are sometimes
// non-obvious pitfalls.  Setting up a secondary is simpler.
//
// NB: Don't blindly enable the examples below. :-)  Use actual names
// and addresses instead.
//
// NOTE!!! FreeBSD can run bind in a sandbox (see named_flags in rc.conf).
// The directory containing the secondary zones must be write accessible
// to bind.  The following sequence is suggested:
//
//      mkdir /etc/namedb/s
//      chown bind:bind /etc/namedb/s
//      chmod 750 /etc/namedb/s

zone "vickiandstacey.com" {
        type master;
        file "master/vickiandstacey.com.db";
        allow-transfer { 192.168.1.0/24; };
        masters { 192.168.1.8; };
};

zone "1.168.192.in-addr.arpa" {
        type slave;
        file "slave/1.168.192.in-addr.arpa";
        masters { 192.168.1.8; };
};
stacey@Demon /etc/namedb/etc $

- vickiandstacey.com.db:

stacey@Demon /etc/namedb $ cat master/vickiandstacey.com.db
$TTL    3600

vickiandstacey.com. IN SOA Demon.vickiandstacey.com. stacey.vickiandstacey.com. (
                        6               ; Serial
                        10800           ; Refresh
                        3600            ; Retry
                        604800          ; Expire
                        86400 )         ; Minimum TTL

; DNS Servers
@               IN      NS      Demon.vickiandstacey.com.

; Host Names
localhost       IN      A       127.0.0.1
snowball        IN      A       192.168.1.6
omni            IN      A       192.168.1.7
Demon           IN      A       192.168.1.8
crom            IN      A       192.168.1.10
conan           IN      A       192.168.1.12
ibm             IN      A       192.168.1.14

; Aliases
;www            IN      CNAME   @
stacey@Demon /etc/namedb $

- 1.168.192.in-addr.arpa:

stacey@Demon /etc/namedb $ cat slave/1.168.192.in-addr.arpa
$TTL    3600

1.168.192.in-addr.arpa IN SOA Demon.vickiandstacey.com. stacey.vickiandstacey.com. (
                        6               ; Serial
                        10800           ; Refresh
                        3600            ; Retry
                        604800          ; Expire
                        3600 )          ; Minimum TTL

@               IN      NS      Demon.vickiandstacey.com.

6               IN      PTR     snowball.vickiandstacey.com.
7               IN      PTR     omni.vickiandstacey.com.
8               IN      PTR     Demon.vickiandstacey.com.
10              IN      PTR     crom.vickiandstacey.com.
12              IN      PTR     conan.vickiandstacey.com.
14              IN      PTR     ibm.vickiandstacey.com.
stacey@Demon /etc/namedb $

Here are the relevant entries in /etc/rc.conf:

stacey@Demon /etc/namedb $ grep -i named /etc/rc.conf
syslogd_flags="-ss -l /etc/namedb/dev/log"
named_enable="YES"
named_flags="-u bind -g bind -t /etc/namedb /etc/named.conf"
stacey@Demon /etc/namedb $

Here's what I've got in resolv.conf:

root@Demon /etc/namedb # cat /etc/resolv.conf
domain vickiandstacey.com
nameserver 127.0.0.1
nameserver 192.168.1.8
root@Demon /etc/namedb #

An example of my problem follows:

root@Demon /etc/namedb # nslookup
Default Server:  localhost.vickiandstacey.com
Address:  127.0.0.1

> server Demon.vickiandstacey.com
Default Server:  Demon.vickiandstacey.com
Address:  82.68.31.177

>

Prior to reinstalling, I would get "Demon.vickiandstacey.com" returned as the Default Server, not localhost as above. Secondly, the address 82.68.31.177 is the real IP address of Demon (I have a block of 8), which is translated to 192.168.1.8, the internal IP address of Demon. So I'd have hoped that trying to set server to Demon would have resulted in "Address: 192.168.1.8" instead of the machine's real IP address.

I'd gladly provide more information here if anyone thinks it would assist in helping me here.

Thanks for the time.

Regards,

Stacey

--
Stacey Roberts
B. Sc (HONS) Computer Science
Web: www.vickiandstacey.com
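The log lines in the post name things that can be verified before named is ever started: whether the `named-xfer` path in `options` and every zone `file` actually resolve to something inside the `-t` chroot (named sees `/bin/named-xfer` relative to `/etc/namedb`, not the real root), whether a `master` zone carries a `masters` statement (BIND 8 rejects the zone for exactly that), and whether the slave directory is writable by the sandbox user. The checker below is an added example, not code from the post, the FreeBSD Handbook or ISC: it parses only the `options` and `zone` statements of a BIND 8-style named.conf (other statements are skipped whole), resolves paths the way a chrooted named does, and reports the findings. The named.conf text and the throwaway directory layout it builds are constructed fixtures modelled on the post, not copies of a live system.

```python
"""Offline check of a BIND 8-style named.conf meant for a chrooted named
(named -t ROOT -u bind -g bind): resolves named-xfer and zone files the way
named sees them inside the sandbox and flags 'masters' in a master zone.
Added example; the fixture below is constructed from the post, not a live box."""
import os, re, shutil, tempfile

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')                   # strings, punctuation, words
JUNK = re.compile(r'"[^"]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)   # a string beats a comment

def strip_comments(text):
    return JUNK.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def parse_block(tokens, i):
    """tokens[i] is '{'; return (statements, index after '}'). Nested blocks nest as lists."""
    i, stmts, cur = i + 1, [], []
    while tokens[i] != "}":
        if tokens[i] == "{":
            inner, i = parse_block(tokens, i)
            cur.append(inner)
        elif tokens[i] == ";":
            stmts.append(cur)
            cur, i = [], i + 1
        else:
            cur.append(tokens[i])
            i += 1
    return stmts, i + 1

def parse_named_conf(text):
    """Return (options dict, list of zone dicts); other top-level statements are skipped."""
    tokens = TOKEN.findall(strip_comments(text))
    options, zones, i = {}, [], 0
    while i < len(tokens):
        if tokens[i] == "options":
            stmts, i = parse_block(tokens, i + 1)
            options.update((s[0], s[1].strip('"')) for s in stmts
                           if len(s) > 1 and isinstance(s[1], str))
        elif tokens[i] == "zone":
            zone, i = {"name": tokens[i + 1].strip('"')}, i + 2
            while tokens[i] != "{":                         # optional class, e.g. IN
                i += 1
            stmts, i = parse_block(tokens, i)
            for s in stmts:
                if s and s[0] in ("type", "file"):
                    zone[s[0]] = s[1].strip('"')
                elif s and s[0] == "masters":
                    zone["masters"] = [m[0] for m in s[1]]
            zones.append(zone)
        else:                                               # controls, logging, acl, ';' ...
            i += 1
            if i < len(tokens) and tokens[i] == "{":
                _, i = parse_block(tokens, i)
    return options, zones

def check_sandbox(conf_text, chroot):
    """Findings named would log at start-up; run as the sandbox user so W_OK is meaningful."""
    options, zones = parse_named_conf(conf_text)
    directory, findings = options.get("directory", "/"), []
    def outside(path):                                      # config path as seen from outside the chroot
        path = path if os.path.isabs(path) else os.path.join(directory, path)
        return os.path.join(chroot, path.lstrip("/"))
    if "named-xfer" in options:
        p = outside(options["named-xfer"])
        if not (os.path.isfile(p) and os.stat(p).st_mode & 0o111):
            findings.append("named-xfer %r not executable inside sandbox (%s)" % (options["named-xfer"], p))
    for z in zones:
        t, p = z.get("type"), outside(z.get("file", ""))
        if t == "master" and "masters" in z:
            findings.append("zone %r: 'masters' statement present for master zone" % z["name"])
        if t in ("master", "hint") and not os.path.isfile(p):
            findings.append("zone %r: file %r not found at %s" % (z["name"], z.get("file"), p))
        if t == "slave" and not os.access(os.path.dirname(p), os.W_OK):
            findings.append("zone %r: slave directory %s not writable" % (z["name"], os.path.dirname(p)))
    return findings

# Constructed fixture modelled on the posted named.conf; the marked line is the bug.
DEMO_CONF = """options { directory "/"; named-xfer "/bin/named-xfer"; version "";
          forwarders { 212.23.8.6; }; /* see the stock file */ query-source address * port 53; };
zone "." { type hint; file "master/named.root"; };
zone "vickiandstacey.com" { type master; file "master/vickiandstacey.com.db";
        allow-transfer { 192.168.1.0/24; };
        masters { 192.168.1.8; };     // BUG: only slave zones take 'masters'
};
zone "1.168.192.in-addr.arpa" { type slave; file "slave/1.168.192.in-addr.arpa"; masters { 192.168.1.8; }; };
"""

def demo(fixed=False):
    """Throwaway sandbox laid out like /etc/namedb in the post; fixed=True applies both repairs."""
    root, conf = tempfile.mkdtemp(prefix="namedb-"), DEMO_CONF
    for d in ("bin", "dev", "etc", "master", "slave"):
        os.makedirs(os.path.join(root, d))
    for f in ("named.root", "vickiandstacey.com.db"):
        open(os.path.join(root, "master", f), "w").close()   # placeholder zone data
    if fixed:                                                # drop the bad line, install bin/named-xfer
        conf = "\n".join(l for l in conf.splitlines() if "// BUG" not in l)
        xfer = os.path.join(root, "bin", "named-xfer")
        with open(xfer, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(xfer, 0o755)
    findings = check_sandbox(conf, root)
    shutil.rmtree(root)
    return findings
```

Against the real layout the call is `check_sandbox(open("/etc/namedb/etc/named.conf").read(), "/etc/namedb")`, run as the `bind` user so the slave-directory test reports what named itself will see. The checker deliberately mirrors named's own view of paths: with `directory "/"` and `-t /etc/namedb`, `named-xfer "/bin/named-xfer"` must exist as `/etc/namedb/bin/named-xfer`, which is why the post's log says "can't exec /bin/named-xfer" even though the real `/usr/libexec/named-xfer` is present.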