kowalsky Posted June 30, 2009

Hi all! I've just installed a couple of Mandriva 2008.1 boxes and I'm attempting to get BIND 9.5.0-P1 working as a caching DNS for my box. Here is the log at startup:

named[15717]: starting BIND 9.5.0-P1 -u named -t /var/lib/named
Jun 30 15:47:32 Linux61 named[15717]: loading configuration from '/etc/named.conf'
Jun 30 15:47:32 Linux61 named[15717]: listening on IPv4 interface lo, 127.0.0.1#53
Jun 30 15:47:32 Linux61 named[15717]: listening on IPv4 interface ppp0, 91.81.207.221#53
Jun 30 15:47:32 Linux61 named[15717]: listening on IPv4 interface vmw0, 10.37.129.2#53
Jun 30 15:47:32 Linux61 named[15717]: default max-cache-size (33554432) applies
Jun 30 15:47:32 Linux61 named[15717]: automatic empty zone: 127.IN-ADDR.ARPA
Jun 30 15:47:32 Linux61 named[15717]: automatic empty zone: 254.169.IN-ADDR.ARPA
Jun 30 15:47:32 Linux61 named[15717]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Jun 30 15:47:32 Linux61 named[15717]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Jun 30 15:47:32 Linux61 named[15717]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0

and here are my net interfaces:

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2032 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2032 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:248339 (242.5 KiB)  TX bytes:248339 (242.5 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:91.81.207.221  P-t-P:10.64.64.64  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:9572 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9089 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:9742215 (9.2 MiB)  TX bytes:988946 (965.7 KiB)

vmw0      Link encap:Ethernet  HWaddr 00:FF:3A:C6:E1:E8
          inet addr:10.37.129.2  Bcast:10.37.129.2  Mask:255.255.255.255
          inet6 addr: fe80::2ff:3aff:fec6:e1e8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:31 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ppp0 is the external interface. If I issue this cmd against the 127.0.0.1 nic all is ok:

; <<>> DiG 9.5.0-P1 <<>> @127.0.0.1 www.ibm.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28472
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;www.ibm.com.                   IN      A

;; ANSWER SECTION:
www.ibm.com.            325     IN      CNAME   www.ibm.com.cs186.net.
www.ibm.com.cs186.net.  60      IN      A       129.42.60.216

;; AUTHORITY SECTION:
cs186.net.              600     IN      NS      ns.events.ihost.com.
cs186.net.              600     IN      NS      ns1.events.ihost.com.
cs186.net.              600     IN      NS      ns2.events.ihost.com.

;; ADDITIONAL SECTION:
ns.events.ihost.com.    171554  IN      A       129.42.3.200
ns1.events.ihost.com.   171554  IN      A       129.42.1.200
ns2.events.ihost.com.   171554  IN      A       129.42.5.200

;; Query time: 3426 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 30 16:10:24 2009
;; MSG SIZE  rcvd: 194

The same against the 10.37.129.2 nic gives:

[root@Linux61 ~]# dig @10.37.129.2 www.ibm.com

; <<>> DiG 9.5.0-P1 <<>> @10.37.129.2 www.ibm.com
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

Here are my routes:

[root@Linux61 ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.64.64.64     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0

All this stuff is acting locally. I've dropped my firewall for a while, but with no success:

[root@Linux61 ~]# telnet 10.37.129.2 53
Trying 10.37.129.2...
Connected to 10.37.129.2 (10.37.129.2).
Escape character is '^]'.
Connection closed by foreign host.

It reaches my nic, so it's not a fw problem. I've an old 2006 box working perfectly using the same interfaces and network config. Any suggestion? Tks for any help
ianw1974 Posted June 30, 2009

Please post a:

netstat -tunlp

when you're connected to the internet. I expect your bind is not configured properly and is only listening on localhost, hence why it never worked when you tried on the other address bound to the ppp0 interface. The netstat should show port 53 listening on 0.0.0.0 or a particular address if it was configured correctly. Alternatively, check the named.conf for the listen-on directive because it's probably misconfigured.
kowalsky Posted June 30, 2009

Sorry for my previous formatting. I'm not posting frequently into forums... Here is the result of the command:

[root@Linux61 ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:30020           0.0.0.0:*               LISTEN      4785/python
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      4560/smbd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      4128/rpcbind
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      4324/X
tcp        0      0 127.0.0.1:8979          0.0.0.0:*               LISTEN      5652/wcstatusd
tcp        0      0 10.37.129.2:53          0.0.0.0:*               LISTEN      15781/named
tcp        0      0 91.81.207.221:53        0.0.0.0:*               LISTEN      15781/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      15781/named
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      4264/proftpd: (acce
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4174/sshd
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      4450/cupsd
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      15781/named
tcp        0      0 0.0.0.0:58393           0.0.0.0:*               LISTEN      4291/rpc.statd
tcp        0      0 127.0.0.1:10555         0.0.0.0:*               LISTEN      5643/wclientd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      4560/smbd
tcp        0      0 0.0.0.0:7741            0.0.0.0:*               LISTEN      4073/lisa
tcp        0      0 :::6000                 :::*                    LISTEN      4324/X
tcp        0      0 :::22                   :::*                    LISTEN      4174/sshd
tcp        0      0 :::631                  :::*                    LISTEN      4450/cupsd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           3248/syslog-ng
udp        0      0 0.0.0.0:137             0.0.0.0:*                           4592/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           4592/nmbd
udp        0      0 0.0.0.0:651             0.0.0.0:*                           4291/rpc.statd
udp        0      0 0.0.0.0:44581           0.0.0.0:*                           4785/python
udp        0      0 0.0.0.0:818             0.0.0.0:*                           4128/rpcbind
udp        0      0 10.37.129.2:53          0.0.0.0:*                           15781/named
udp        0      0 91.81.207.221:53        0.0.0.0:*                           15781/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           15781/named
udp        0      0 0.0.0.0:7741            0.0.0.0:*                           4073/lisa
udp        0      0 0.0.0.0:35916           0.0.0.0:*                           15781/named
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           4785/python
udp        0      0 0.0.0.0:111             0.0.0.0:*                           4128/rpcbind
udp        0      0 0.0.0.0:631             0.0.0.0:*                           4450/cupsd
udp        0      0 0.0.0.0:41338           0.0.0.0:*                           4291/rpc.statd
udp        0      0 :::35438                :::*                                15781/named

Thanks for your help
ianw1974 Posted June 30, 2009

OK, so it's listening, so that's good. So chances are we have a problem with what IPs can query. Can you post the contents of /etc/named.conf here so we can see how it looks and perhaps offer some amendments? There is a config option like allow-query and you can put in the networks of machines that can query your DNS, or just give any, which would mean every single machine that has access to your server can query it for DNS - which sometimes is OK, but not always.
kowalsky Posted June 30, 2009

Hi Ian, thanks for your time.... I've finally solved it, even if I've not understood where the named.conf was buggy :-)

I've dumped in the trash the Mandriva 2008.1 named.conf (and most of the related includes):

// (oe) Loosely based on the document below and from production server configurations.
// http://www.cymru.com/Documents/secure-bind-template.html
//
// $Id: named.conf 80849 2007-09-06 11:56:48Z oden $
// $HeadURL: svn+ssh://svn.mandriva.com/svn/packages/cooker/bind/current/SOURCES/named.conf $

// secret must be the same as in /etc/rndc.conf
include "/etc/rndc.key";

controls {
	inet 127.0.0.1 port 953 allow { any; } keys { mykey; };
};

// Access lists (ACL's) should be defined here
include "/etc/bogon_acl.conf";
include "/etc/trusted_networks_acl.conf";

// Define logging channels
include "/etc/logging.conf";

options {
	version "";
	directory "/var/named";
	dump-file "/var/tmp/named_dump.db";
	pid-file "/var/run/named.pid";
	statistics-file "/var/tmp/named.stats";
	zone-statistics yes;
//	datasize 256M;
	coresize 100M;
//	fetch-glue no;
//	recursion no;
//	recursive-clients 10000;
	auth-nxdomain yes;
	query-source address * port *;
	listen-on port 53 { any; };
	cleaning-interval 120;
	transfers-in 20;
	transfers-per-ns 2;
	lame-ttl 0;
	max-ncache-ttl 10800;
//	forwarders { first_public_nameserver_ip; second_public_nameserver_ip; };
//	allow-update { none; };
//	allow-transfer { any; };

	// Prevent DoS attacks by generating bogus zone transfer
	// requests. This will result in slower updates to the
	// slave servers (e.g. they will await the poll interval
	// before checking for updates).
	notify no;
//	notify explicit;
//	also-notify { secondary_name_server };

	// Generate more efficient zone transfers. This will place
	// multiple DNS records in a DNS message, instead of one per
	// DNS message.
	transfer-format many-answers;

	// Set the maximum zone transfer time to something more
	// reasonable. In this case, we state that any zone transfer
	// that takes longer than 60 minutes is unlikely to ever
	// complete. WARNING: If you have very large zone files,
	// adjust this to fit your requirements.
	max-transfer-time-in 60;

	// We have no dynamic interfaces, so BIND shouldn't need to
	// poll for interface state {UP|DOWN}.
	interface-interval 0;

	// Uncomment these to enable IPv6 connections support
	// IPv4 will still work
//	listen-on { none; };
//	listen-on-v6 { any; };

//	allow-query { trusted_networks; };
	allow-recursion { trusted_networks; };

	// Deny anything from the bogon networks as
	// detailed in the "bogon" ACL.
	blackhole { bogon; };
};

// workaround stupid stuff... (OE: Wed 17 Sep 2003)
zone "ac" { type delegation-only; };
zone "cc" { type delegation-only; };
zone "com" { type delegation-only; };
zone "cx" { type delegation-only; };
zone "lv" { type delegation-only; };
zone "museum" { type delegation-only; };
zone "net" { type delegation-only; };
zone "nu" { type delegation-only; };
zone "ph" { type delegation-only; };
zone "sh" { type delegation-only; };
zone "tm" { type delegation-only; };
zone "ws" { type delegation-only; };

zone "." IN {
	type hint;
	file "named.ca";
};

zone "localdomain" IN {
	type master;
	file "master/localdomain.zone";
	allow-update { none; };
};

zone "localhost" IN {
	type master;
	file "master/localhost.zone";
	allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
	type master;
	file "reverse/named.local";
	allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
	type master;
	file "reverse/named.ip6.local";
	allow-update { none; };
};

zone "255.in-addr.arpa" IN {
	type master;
	file "reverse/named.broadcast";
	allow-update { none; };
};

zone "0.in-addr.arpa" IN {
	type master;
	file "reverse/named.zero";
	allow-update { none; };
};

and reworked a little the old (clear) named.conf taken from the Mandriva 2006 box:

// generated by myself :-) from the Mandriva 2006 named.conf

// secret must be the same as in /etc/rndc.conf
include "/etc/rndc.key";

controls {
	inet 127.0.0.1 port 953 allow { any; } keys { mykey; };
};

options {
	directory "/var/named";
	# forward first;
	forwarders {
		# 208.67.222.222;
		# 208.67.220.220;
	};

	// Put pid file in working dir
	pid-file "/var/run/named.pid";

	/*
	 * If there is a firewall between you and nameservers you want
	 * to talk to, you might need to uncomment the query-source
	 * directive below. Previous versions of BIND always asked
	 * questions using port 53, but BIND 8.1 uses an unprivileged
	 * port by default.
	 */
	// query-source address * port 53;
};

//
// a caching only nameserver config
//
zone "." {
	type hint;
	file "named.ca";
};

zone "0.0.127.in-addr.arpa" {
	type master;
	file "reverse/named.local";
};

// workaround stupid stuff... (OE: Wed 17 Sep 2003)
zone "ac" { type delegation-only; };
zone "cc" { type delegation-only; };
zone "com" { type delegation-only; };
zone "cx" { type delegation-only; };
zone "museum" { type delegation-only; };
zone "net" { type delegation-only; };
zone "nu" { type delegation-only; };
zone "ph" { type delegation-only; };
zone "sh" { type delegation-only; };
zone "tm" { type delegation-only; };
zone "ws" { type delegation-only; };

Now whatever interface I 'dig', my caching DNS gives a correct reply.

Thanks again for your help
Roberto

My Mandriva boxes:
Mdv 2006 on IBM Thinkpad T42
Mdv 2007.1 on IBM Thinkpad T23
Mdv 2008.1 on IBM Thinkpad T61
Mdv 2007.0 / Mdv 2008.1 / Mdv 2006 'Plus' (homemade merged with 2007.1) on home multiboot desktop
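The reworked named.conf above carries no allow-query or allow-recursion at all while named listens on the public ppp0 address, so the resolver answers recursive queries from anyone who can reach 91.81.207.221:53. The following is an added example, not the poster's or Mandriva's configuration: a caching-only named.conf that still answers on every local interface but limits recursion to the thread's own networks, and keeps RFC 1918 space out of the blackhole ACL so queries arriving from the host's own 10.37.129.2 address are not silently dropped. The 10.37.129.0/24 prefix for the vmw0 guests is an assumption derived from the interface address; the bogon list is an illustrative subset.

```conf
// Added example for a caching-only resolver; not taken from the thread's configs.
// Addresses from the thread: 127.0.0.1 (lo), 10.37.129.2 (vmw0), 91.81.207.221 (ppp0).
acl "trusted_networks" {
	127.0.0.0/8;          // loopback
	10.37.129.0/24;       // vmw0 host-only network (assumed prefix)
	91.81.207.221/32;     // the box's own ppp0 address, so "dig @91.81.207.221" works locally
};

// Sources that should never legitimately send queries. RFC 1918 prefixes are
// deliberately absent: 10.0.0.0/8 would also match vmw0 and blackhole the host itself.
acl "bogon" {
	0.0.0.0/8;            // "this" network
	169.254.0.0/16;       // link-local
	192.0.2.0/24;         // TEST-NET
	224.0.0.0/3;          // multicast and reserved
};

options {
	directory "/var/named";
	pid-file "/var/run/named.pid";
	version "";                             // do not advertise the BIND version
	listen-on port 53 { any; };             // answer on lo, vmw0 and ppp0 alike
	listen-on-v6 { none; };

	recursion yes;                          // caching resolver
	allow-query { trusted_networks; };      // who may ask anything at all
	allow-query-cache { trusted_networks; };// who may read cached answers
	allow-recursion { trusted_networks; };  // who may make us resolve on their behalf
	allow-transfer { none; };               // caching-only: no zones to hand out

	// Queries from bogon sources get no reply at all (a timeout on the client side,
	// exactly what a mis-scoped bogon ACL produced against 10.37.129.2 would look like).
	blackhole { bogon; };
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "0.0.127.in-addr.arpa" IN {
	type master;
	file "reverse/named.local";
	allow-update { none; };
};
```

After editing, `named-checkconf /etc/named.conf` validates the syntax, and a query from the public side should now receive REFUSED rather than an answer, while the same query from 127.0.0.1 or 10.37.129.2 resolves.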