BIND Refusing to Resolve for External Hosts
krad
kraduk at googlemail.com
Thu Jul 1 13:47:20 UTC 2010
On 30 June 2010 15:34, Chris Maness <chris at chrismaness.com> wrote:
> On Wed, Jun 30, 2010 at 1:49 AM, krad <kraduk at googlemail.com> wrote:
> >
> >
> > On 29 June 2010 07:20, Chris Maness <chris at chrismaness.com> wrote:
> >>
> >> My named server used to resolve for external hosts. Recently I have
> >> noticed that it no longer resolves names for resolvers not on the
> >> local host. It works just fine for dig on the dns server itself. It
> >> also works for domains that it has authority over. I also have it set
> >> up to be a caching server on my network. Has the spec for the config
> >> file changed or something?
> >>
> >> Here is the beginning of the the config file:
> >>
> >> cat named.conf
> >> // $FreeBSD: src/etc/namedb/named.conf,v 1.26.2.2.2.1 2008/11/25
> >> 02:59:29 kensmith Exp $
> >> //
> >> // Refer to the named.conf(5) and named(8) man pages, and the
> >> documentation
> >> // in /usr/share/doc/bind9 for more details.
> >> //
> >> // If you are going to set up an authoritative server, make sure you
> >> // understand the hairy details of how DNS works. Even with
> >> // simple mistakes, you can break connectivity for affected parties,
> >> // or cause huge amounts of useless Internet traffic.
> >>
> >> options {
> >> // Relative to the chroot directory, if any
> >> directory "/etc/namedb";
> >> pid-file "/var/run/named/pid";
> >> dump-file "/var/dump/named_dump.db";
> >> statistics-file "/var/stats/named.stats";
> >> allow-transfer {
> >> 76.238.148.146;
> >> };
> >>
> >> // If named is being used only as a local resolver, this is a safe default.
> >> // For named to be accessible to the network, comment this option, specify
> >> // the proper IP address, or delete this option.
> >> // listen-on { 127.0.0.1; };
> >>
> >> // If you have IPv6 enabled on this system, uncomment this option for
> >> // use as a local resolver. To give access to the network, specify
> >> // an IPv6 address, or the keyword "any".
> >> // listen-on-v6 { ::1; };
> >>
> >> // These zones are already covered by the empty zones listed below.
> >> // If you remove the related empty zones below, comment these lines out.
> >> disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
> >> disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
> >> disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
> >>
> >> // In addition to the "forwarders" clause, you can force your name
> >> // server to never initiate queries of its own, but always ask its
> >> // forwarders only, by enabling the following line:
> >> //
> >> // forward only;
> >>
> >> // If you've got a DNS server around at your upstream provider, enter
> >> // its IP address here, and enable the line below. This will make you
> >> // benefit from its cache, thus reduce overall DNS traffic in the Internet.
> >> /*
> >> forwarders {
> >> 127.0.0.1;
> >> };
> >> */
> >> /*
> >> Modern versions of BIND use a random UDP port for each outgoing
> >> query by default in order to dramatically reduce the possibility
> >> of cache poisoning. All users are strongly encouraged to utilize
> >> this feature, and to configure their firewalls to accommodate it.
> >>
> >> AS A LAST RESORT in order to get around a restrictive firewall
> >> policy you can try enabling the option below. Use of this option
> >> will significantly reduce your ability to withstand cache poisoning
> >> attacks, and should be avoided if at all possible.
> >>
> >> Replace NNNNN in the example with a number between 49160 and 65530.
> >> */
> >> // query-source address * port NNNNN;
> >> };
> >>
> >> // If you enable a local name server, don't forget to enter 127.0.0.1
> >> // first in your /etc/resolv.conf so this server will be queried.
> >> // Also, make sure to enable it in /etc/rc.conf.
> >>
> >> // The traditional root hints mechanism. Use this, OR the slave zones below.
> >> zone "." { type hint; file "named.root"; };
> >>
> >> /* Slaving the following zones from the root name servers has some
> >> significant advantages:
> >> 1. Faster local resolution for your users
> >> 2. No spurious traffic will be sent from your network to the roots
> >> 3. Greater resilience to any potential root server failure/DDoS
> >>
> >> On the other hand, this method requires more monitoring than the
> >> hints file to be sure that an unexpected failure mode has not
> >> incapacitated your server. Name servers that are serving a lot
> >> of clients will benefit more from this approach than individual
> >> hosts. Use with caution.
> >>
> >> To use this mechanism, uncomment the entries below, and comment
> >> the hint zone above.
> >> */
> >> /*
> >> zone "." {
> >> type slave;
> >> file "slave/root.slave";
> >> masters {
> >> 192.5.5.241; // F.ROOT-SERVERS.NET.
> >> };
> >> notify no;
> >> };
> >>
> >> zone "0.0.127.IN-ADDR.ARPA" {
> >> type master;
> >> file "master/localhost.rev";
> >> };
> >> zone "in-addr.arpa" {
> >> type slave;
> >> file "slave/in-addr.arpa.slave";
> >> masters {
> >> 192.5.5.241; // F.ROOT-SERVERS.NET.
> >> };
> >> notify no;
> >> };
> >> */
> >>
> >> /* Serving the following zones locally will prevent any queries
> >> for these zones leaving your network and going to the root
> >> name servers. This has two significant advantages:
> >> 1. Faster local resolution for your users
> >> 2. No spurious traffic will be sent from your network to the roots
> >> */
> >> // RFC 1912
> >> zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
> >> zone "255.in-addr.arpa" { type master; file "master/empty.db"; };
> >>
> >> // RFC 1912-style zone for IPv6 localhost address
> >> zone "0.ip6.arpa" { type master; file "master/localhost-reverse.db"; };
> >>
> >> // "This" Network (RFCs 1912 and 3330)
> >> zone "0.in-addr.arpa" { type master; file "master/empty.db"; };
> >>
> >> // Private Use Networks (RFC 1918)
> >> zone "10.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "16.172.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "17.172.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "18.172.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "19.172.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "20.172.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "21.172.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "22.172.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "23.172.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "24.172.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "25.172.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "26.172.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "27.172.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "28.172.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "29.172.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "30.172.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "31.172.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "168.192.in-addr.arpa" { type master; file "master/empty.db"; };
> >>
> >> // Link-local/APIPA (RFCs 3330 and 3927)
> >> zone "254.169.in-addr.arpa" { type master; file "master/empty.db"; };
> >>
> >> // TEST-NET for Documentation (RFC 3330)
> >> zone "2.0.192.in-addr.arpa" { type master; file "master/empty.db"; };
> >>
> >> // Router Benchmark Testing (RFC 3330)
> >> zone "18.198.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "19.198.in-addr.arpa" { type master; file "master/empty.db"; };
> >>
> >> // IANA Reserved - Old Class E Space
> >> zone "240.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "241.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "242.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "243.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "244.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "245.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "246.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "247.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "248.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "249.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "250.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "251.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "252.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "253.in-addr.arpa" { type master; file "master/empty.db"; };
> >> zone "254.in-addr.arpa" { type master; file "master/empty.db"; };
> >>
> >> // IPv6 Unassigned Addresses (RFC 4291)
> >> zone "1.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "3.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "4.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "5.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "6.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "7.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "8.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "9.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "a.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "b.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "c.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "d.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "e.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "0.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "1.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "2.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "3.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "4.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "5.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "6.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "7.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "8.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "9.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "a.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "b.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "0.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "1.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "2.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "3.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "4.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "5.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "6.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "7.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> >>
> >> // IPv6 ULA (RFC 4193)
> >> zone "c.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "d.f.ip6.arpa" { type master; file "master/empty.db"; };
> >>
> >> // IPv6 Link Local (RFC 4291)
> >> zone "8.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "9.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "a.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "b.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> >>
> >> // IPv6 Deprecated Site-Local Addresses (RFC 3879)
> >> zone "c.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "d.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "e.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> >> zone "f.e.f.ip6.arpa" { type master; file "master/empty.db"; };
> >>
> >> // IP6.INT is Deprecated (RFC 4159)
> >> zone "ip6.int" { type master; file "master/empty.db"; };
> >>
> >> // NB: Do not use the IP addresses below, they are faked, and only
> >> // serve demonstration/documentation purposes!
> >> //
> >> // Example slave zone config entries. It can be convenient to become
> >> // a slave at least for the zone your own domain is in. Ask
> >> // your network administrator for the IP address of the responsible
> >> // master name server.
> >> //
> >> // Do not forget to include the reverse lookup zone!
> >> // This is named after the first bytes of the IP address, in reverse
> >> // order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
> >> //
> >> // Before starting to set up a master zone, make sure you fully
> >> // understand how DNS and BIND work. There are sometimes
> >> // non-obvious pitfalls. Setting up a slave zone is usually simpler.
> >> //
> >> // NB: Don't blindly enable the examples below. :-) Use actual names
> >> // and addresses instead.
> >>
> >> /* An example dynamic zone
> >> key "exampleorgkey" {
> >> algorithm hmac-md5;
> >> secret "sf87HJqjkqh8ac87a02lla==";
> >> };
> >> zone "example.org" {
> >> type master;
> >> allow-update {
> >> key "exampleorgkey";
> >> };
> >> file "dynamic/example.org";
> >> };
> >> */
> >>
> >> /* Example of a slave reverse zone
> >> zone "1.168.192.in-addr.arpa" {
> >> type slave;
> >> file "slave/1.168.192.in-addr.arpa";
> >> masters {
> >> 192.168.1.1;
> >> };
> >> };
> >> */
> >>
> >> zone "97.179.208.in-addr.arpa" IN {
> >> type master;
> >> file "master/reverse.zone";
> >> allow-transfer { 76.238.148.146; 4.35.33.247; };
> >> };
> >>
> >>
> >> zone "localhost" IN {
> >> type master;
> >> file "localhost.zone";
> >> allow-update { none; };
> >> };
> >>
> >> zone "chrismaness.com" {
> >> type master;
> >> file "master/chrismaness.com";
> >> // IP addresses of slave servers allowed to transfer chrismaness.com
> >> allow-transfer {
> >> 76.238.148.146;
> >> };
> >>
> >> };
> >>
> >> ###########
> >>
> >> Does anything look strange here? I also tried uncommenting the listen
> >> on directive with the correct IP, and my server stopped resolving
> >> names for hosts that it is authoritative for.
> >>
> >> Any help would be appreciated.
> >>
> >> Thanks,
> >> Chris Maness
> >> _______________________________________________
> >> freebsd-questions at freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >> To unsubscribe, send any mail to
> >> "freebsd-questions-unsubscribe at freebsd.org"
> >
> >
> > You may want to explicitly set up a recursion ACL on it. Look at these
> > options below. The defaults may have changed when you did an upgrade.
> >
> > allow-query { auth_hosts; };
> > allow-recursion { auth_hosts; };
> > allow-query-cache { auth_hosts; };
> >
> >
>
> What is a recursion acl? Can I just add these lines to my config file
> to set it up? Is the auth_hosts flag referring to a file with
> authorized clients?
>
> I did figure that something got nailed during mergemaster.
>
> Thanks,
> Chris Maness
>
Just a list of hosts you want to be able to use your DNS server as a
resolver.
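The reply names the three options but not the `acl` statement that gives `auth_hosts` its meaning, so here is how the pieces fit together in named.conf. This is an added example, not the poster's configuration and not a FreeBSD default. `192.0.2.0/24`, `2001:db8::/32`, `192.0.2.99` and `192.0.2.53` are documentation-range placeholders standing in for the LAN prefixes that should be allowed to recurse and for the server's own address; the chrismaness.com zone and its transfer address are taken from the config quoted above.

```conf
// Added example (not from the thread): an explicit recursion ACL for named.conf.
// 192.0.2.0/24, 2001:db8::/32, 192.0.2.99 and 192.0.2.53 are placeholders;
// substitute your own LAN prefixes and the server's real address.

// Define the ACL once, before anything references it. An acl is an
// address-match list: entries are tested in order and the first match wins,
// so a negated entry only has effect if it precedes the prefix it carves out of.
acl auth_hosts {
    !192.0.2.99;        // placeholder: one LAN host that must not use us as a resolver
    127.0.0.1;          // the server itself, so dig on the box keeps working
    ::1;
    192.0.2.0/24;       // placeholder: IPv4 LAN
    2001:db8::/32;      // placeholder: IPv6 LAN
};

options {
    directory "/etc/namedb";

    // Keep loopback in listen-on alongside the public address: listening only
    // on the public address cuts off local clients that resolve via 127.0.0.1.
    listen-on { 127.0.0.1; 192.0.2.53; };

    // Only auth_hosts may ask this server to look up names it is not
    // authoritative for, or read answers out of its cache.
    allow-query       { auth_hosts; };
    allow-recursion   { auth_hosts; };
    allow-query-cache { auth_hosts; };
};

// The global allow-query above is also the default for every zone, which would
// hide the authoritative data from the rest of the Internet; override it per
// zone so the public can still resolve the domain.
zone "chrismaness.com" {
    type master;
    file "master/chrismaness.com";
    allow-query    { any; };
    allow-transfer { 76.238.148.146; };   // secondaries only, as in the quoted config
};
```

Since BIND 9.4 the built-in default for `allow-recursion` and `allow-query-cache` is `{ localnets; localhost; }`, which matches the symptom in the thread: after an upgrade the server still answers on the box and for its own zones but refuses recursion for other clients. After editing, `named-checkconf` catches syntax errors and `rndc reload` applies the change; a recursive lookup from a host outside the list should then return status REFUSED, while lookups for chrismaness.com itself still answer from anywhere because of the zone-level `allow-query { any; }`.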