
Caching DNS [solved]


kowalsky

Hi all!

I've just installed a couple of Mandriva 2008.1 boxes and I'm attempting to get BIND 9.5.0-P1 working as caching dns for my box.

Here is the log at startup:

 

named[15717]: starting BIND 9.5.0-P1 -u named -t /var/lib/named
Jun 30 15:47:32 Linux61 named[15717]: loading configuration from '/etc/named.conf'
Jun 30 15:47:32 Linux61 named[15717]: listening on IPv4 interface lo, 127.0.0.1#53
Jun 30 15:47:32 Linux61 named[15717]: listening on IPv4 interface ppp0, 91.81.207.221#53
Jun 30 15:47:32 Linux61 named[15717]: listening on IPv4 interface vmw0, 10.37.129.2#53
Jun 30 15:47:32 Linux61 named[15717]: default max-cache-size (33554432) applies
Jun 30 15:47:32 Linux61 named[15717]: automatic empty zone: 127.IN-ADDR.ARPA
Jun 30 15:47:32 Linux61 named[15717]: automatic empty zone: 254.169.IN-ADDR.ARPA
Jun 30 15:47:32 Linux61 named[15717]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Jun 30 15:47:32 Linux61 named[15717]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Jun 30 15:47:32 Linux61 named[15717]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0

 

and here my net interfaces:

 

lo		Link encap:Local Loopback
	  inet addr:127.0.0.1  Mask:255.0.0.0
	  inet6 addr: ::1/128 Scope:Host
	  UP LOOPBACK RUNNING  MTU:16436  Metric:1
	  RX packets:2032 errors:0 dropped:0 overruns:0 frame:0
	  TX packets:2032 errors:0 dropped:0 overruns:0 carrier:0
	  collisions:0 txqueuelen:0
	  RX bytes:248339 (242.5 KiB)  TX bytes:248339 (242.5 KiB)

ppp0	  Link encap:Point-to-Point Protocol
	  inet addr:91.81.207.221  P-t-P:10.64.64.64  Mask:255.255.255.255
	  UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
	  RX packets:9572 errors:0 dropped:0 overruns:0 frame:0
	  TX packets:9089 errors:0 dropped:0 overruns:0 carrier:0
	  collisions:0 txqueuelen:3
	  RX bytes:9742215 (9.2 MiB)  TX bytes:988946 (965.7 KiB)

vmw0	  Link encap:Ethernet  HWaddr 00:FF:3A:C6:E1:E8
	  inet addr:10.37.129.2  Bcast:10.37.129.2  Mask:255.255.255.255
	  inet6 addr: fe80::2ff:3aff:fec6:e1e8/64 Scope:Link
	  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
	  RX packets:0 errors:0 dropped:0 overruns:0 frame:0
	  TX packets:0 errors:0 dropped:31 overruns:0 carrier:0
	  collisions:0 txqueuelen:500
	  RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

 

PPP0 is the external interface.

 

If I issue this cmd against the 127.0.0.1 nic all is ok:

 

; <<>> DiG 9.5.0-P1 <<>> @127.0.0.1 www.ibm.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28472
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;www.ibm.com.				   IN	  A

;; ANSWER SECTION:
www.ibm.com.			325	 IN	  CNAME   www.ibm.com.cs186.net.
www.ibm.com.cs186.net.  60	  IN	  A	   129.42.60.216

;; AUTHORITY SECTION:
cs186.net.			  600	 IN	  NS	  ns.events.ihost.com.
cs186.net.			  600	 IN	  NS	  ns1.events.ihost.com.
cs186.net.			  600	 IN	  NS	  ns2.events.ihost.com.

;; ADDITIONAL SECTION:
ns.events.ihost.com.	171554  IN	  A	   129.42.3.200
ns1.events.ihost.com.   171554  IN	  A	   129.42.1.200
ns2.events.ihost.com.   171554  IN	  A	   129.42.5.200

;; Query time: 3426 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 30 16:10:24 2009
;; MSG SIZE  rcvd: 194

 

The same against the 10.37.129.2 nic gives:

 

 [root@Linux61 ~]# dig @10.37.129.2 www.ibm.com

; <<>> DiG 9.5.0-P1 <<>> @10.37.129.2 www.ibm.com
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached

 

here are my routes:

 

[root@Linux61 ~]# route -n
Kernel IP routing table
Destination	 Gateway		 Genmask		 Flags Metric Ref	Use Iface
10.64.64.64	 0.0.0.0		 255.255.255.255 UH	0	  0		0 ppp0
127.0.0.0		 0.0.0.0		 255.0.0.0			   U	 0	  0		0 lo
0.0.0.0			 0.0.0.0		 0.0.0.0					U	 0	  0		0 ppp0

 

All this stuff acting locally.

 

I've dropped my firewall for a while, but without success:

 

[root@Linux61 ~]# telnet 10.37.129.2 53
Trying 10.37.129.2...
Connected to 10.37.129.2 (10.37.129.2).
Escape character is '^]'.
Connection closed by foreign host.

 

It reaches my nic, so it's no fw problem.

 

I've an old 2006 Box working perfectly using the same interfaces and network config.

 

 

any suggestion?

 

 

Tks for any help


Please post a:

 

netstat -tunlp

 

when you're connected to the internet. I expect your bind is not configured properly and is only listening on localhost, hence why it never worked when you tried on the other address bound to the ppp0 interface. The netstat should show port 53 listening on 0.0.0.0 or a particular address if it was configured correctly. Alternatively, check the named.conf for the listen-on directive because it's probably misconfigured.


Sorry for my previous formatting. I'm not posting frequently into forums...

 

Here is the result of the command:

 

[root@Linux61 ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:30020               0.0.0.0:*                   LISTEN      4785/python
tcp        0      0 0.0.0.0:139                 0.0.0.0:*                   LISTEN      4560/smbd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      4128/rpcbind
tcp        0      0 0.0.0.0:6000                0.0.0.0:*                   LISTEN      4324/X
tcp        0      0 127.0.0.1:8979              0.0.0.0:*                   LISTEN      5652/wcstatusd
tcp        0      0 10.37.129.2:53              0.0.0.0:*                   LISTEN      15781/named
tcp        0      0 91.81.207.221:53            0.0.0.0:*                   LISTEN      15781/named
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      15781/named
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN      4264/proftpd: (acce
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      4174/sshd
tcp        0      0 0.0.0.0:631                 0.0.0.0:*                   LISTEN      4450/cupsd
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      15781/named
tcp        0      0 0.0.0.0:58393               0.0.0.0:*                   LISTEN      4291/rpc.statd
tcp        0      0 127.0.0.1:10555             0.0.0.0:*                   LISTEN      5643/wclientd
tcp        0      0 0.0.0.0:445                 0.0.0.0:*                   LISTEN      4560/smbd
tcp        0      0 0.0.0.0:7741                0.0.0.0:*                   LISTEN      4073/lisa
tcp        0      0 :::6000                     :::*                        LISTEN      4324/X
tcp        0      0 :::22                       :::*                        LISTEN      4174/sshd
tcp        0      0 :::631                      :::*                        LISTEN      4450/cupsd
udp        0      0 0.0.0.0:514                 0.0.0.0:*                               3248/syslog-ng
udp        0      0 0.0.0.0:137                 0.0.0.0:*                               4592/nmbd
udp        0      0 0.0.0.0:138                 0.0.0.0:*                               4592/nmbd
udp        0      0 0.0.0.0:651                 0.0.0.0:*                               4291/rpc.statd
udp        0      0 0.0.0.0:44581               0.0.0.0:*                               4785/python
udp        0      0 0.0.0.0:818                 0.0.0.0:*                               4128/rpcbind
udp        0      0 10.37.129.2:53              0.0.0.0:*                               15781/named
udp        0      0 91.81.207.221:53            0.0.0.0:*                               15781/named
udp        0      0 127.0.0.1:53                0.0.0.0:*                               15781/named
udp        0      0 0.0.0.0:7741                0.0.0.0:*                               4073/lisa
udp        0      0 0.0.0.0:35916               0.0.0.0:*                               15781/named
udp        0      0 0.0.0.0:1900                0.0.0.0:*                               4785/python
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               4128/rpcbind
udp        0      0 0.0.0.0:631                 0.0.0.0:*                               4450/cupsd
udp        0      0 0.0.0.0:41338               0.0.0.0:*                               4291/rpc.statd
udp        0      0 :::35438                    :::*                                    15781/named

 

 

Thanks for your help


OK, so it's listening, so that's good. So chances are we have a problem with what IPs can query. Can you post the contents of /etc/named.conf here so we can see how it looks and perhaps offer some amendments.

 

There is a config option like allow-query and you can put the networks of machines that can query your DNS, or just give any which would mean every single machine that has access to your server can query it for DNS - which sometimes is OK, but not always.


Hi Ian,

 

thanks for your time.... I've finally solved it, even if I've not understood where the named.conf was buggy :-)

 

I've dumped in the trash the Mandriva 2008.1 named.conf (and most of the related includes)

 

// (oe) Loosely based on the document below and from production server configurations.
// http://www.cymru.com/Documents/secure-bind-template.html
// 
// $Id: named.conf 80849 2007-09-06 11:56:48Z oden $
// $HeadURL: svn+ssh://svn.mandriva.com/svn/packages/cooker/bind/current/SOURCES/named.conf $


// secret must be the same as in /etc/rndc.conf
include "/etc/rndc.key";

controls {
   inet 127.0.0.1 port 953
   allow { any; } keys { mykey; };
};

// Access lists (ACL's) should be defined here
include "/etc/bogon_acl.conf";
include "/etc/trusted_networks_acl.conf";

// Define logging channels
include "/etc/logging.conf";

options {
   version "";
   directory "/var/named";
   dump-file "/var/tmp/named_dump.db";
   pid-file "/var/run/named.pid";
   statistics-file "/var/tmp/named.stats";
   zone-statistics yes;
//    datasize 256M;
   coresize 100M; 
//    fetch-glue no;
//    recursion no;
//    recursive-clients 10000;
   auth-nxdomain yes;
   query-source address * port *;
   listen-on port 53 { any; };
   cleaning-interval 120;
   transfers-in 20;
   transfers-per-ns 2;
   lame-ttl 0;
   max-ncache-ttl 10800;

//    forwarders { first_public_nameserver_ip; second_public_nameserver_ip; };

//    allow-update { none; };
//    allow-transfer { any; };

// Prevent DoS attacks by generating bogus zone transfer 
// requests.  This will result in slower updates to the 
// slave servers (e.g. they will await the poll interval 
// before checking for updates). 
   notify no; 
//    notify explicit; 
//    also-notify { secondary_name_server };

// Generate more efficient zone transfers.  This will place 
// multiple DNS records in a DNS message, instead of one per 
// DNS message. 
   transfer-format many-answers; 

// Set the maximum zone transfer time to something more 
// reasonable.  In this case, we state that any zone transfer 
// that takes longer than 60 minutes is unlikely to ever 
// complete.  WARNING:  If you have very large zone files, 
// adjust this to fit your requirements. 
   max-transfer-time-in 60; 

// We have no dynamic interfaces, so BIND shouldn't need to 
// poll for interface state {UP|DOWN}. 
   interface-interval 0; 

// Uncoment these to enable IPv6 connections support
// IPv4 will still work
//      listen-on { none; };
//      listen-on-v6 { any; };

//    allow-query { trusted_networks; };
   allow-recursion { trusted_networks; };

// Deny anything from the bogon networks as
// detailed in the "bogon" ACL.
   blackhole { bogon; };
};

// workaround stupid stuff... (OE: Wed 17 Sep 2003)
zone "ac" { type delegation-only; };
zone "cc" { type delegation-only; };
zone "com" { type delegation-only; };
zone "cx" { type delegation-only; };
zone "lv" { type delegation-only; };
zone "museum" { type delegation-only; };
zone "net" { type delegation-only; };
zone "nu" { type delegation-only; };
zone "ph" { type delegation-only; };
zone "sh" { type delegation-only; };
zone "tm" { type delegation-only; };
zone "ws" { type delegation-only; };

zone "." IN {
type hint;
file "named.ca";
};

zone "localdomain" IN {
type master;
file "master/localdomain.zone";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "master/localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "reverse/named.local";
allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
       type master;
file "reverse/named.ip6.local";
allow-update { none; };
};

zone "255.in-addr.arpa" IN {
type master;
file "reverse/named.broadcast";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "reverse/named.zero";
allow-update { none; };
};

 

 

and reworked a little the old (clear) named.conf taken from the Mandriva 2006 box:

 

 

// generated by myself :-) from the Mandriva 2006 named.conf


// secret must be the same as in /etc/rndc.conf

include "/etc/rndc.key";

controls {
   inet 127.0.0.1 port 953
   allow { any; } keys { mykey; };
};


options {
directory "/var/named";
#	forward first;
forwarders {
#		208.67.222.222;
#		208.67.220.220;
 };
// Put pid file in working dir
pid-file "/var/run/named.pid";
/*
 * If there is a firewall between you and nameservers you want
 * to talk to, you might need to uncomment the query-source
 * directive below.  Previous versions of BIND always asked
 * questions using port 53, but BIND 8.1 uses an unprivileged
 * port by default.
 */
// query-source address * port 53;
};

// 
// a caching only nameserver config
// 
zone "." {
type hint;
file "named.ca";
};

zone "0.0.127.in-addr.arpa" {
type master;
file "reverse/named.local";
};

// workaround stupid stuff... (OE: Wed 17 Sep 2003)
zone "ac"     { type delegation-only; };
zone "cc"     { type delegation-only; };
zone "com"    { type delegation-only; };
zone "cx"     { type delegation-only; };
zone "museum" { type delegation-only; };
zone "net"    { type delegation-only; };
zone "nu"     { type delegation-only; };
zone "ph"     { type delegation-only; };
zone "sh"     { type delegation-only; };
zone "tm"     { type delegation-only; };
zone "ws"     { type delegation-only; };

 

 

Now, whichever interface I 'dig', my caching dns gives a correct reply.

 

 

Thanks again for your help

 

Roberto

 

My Mandriva boxes:

 

Mdv 2006 on Ibm Thinkpad T42

Mdv 2007.1 on Ibm Thinkpad T23

Mdv 2008.1 on Ibm Thinkpad T61

 

Mdv 2007.0 / Mdv 2008.1 / Mdv 2006 'Plus' (homemade merged with 2007.1) on home multiboot desktop

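Added example, not code from the thread or from BIND itself: a small Python model of how named evaluates an address match list, run against the discarded 2008.1 config's `blackhole { bogon; }` and `allow-recursion { trusted_networks; }` and against the replacement config, which leaves both at their defaults. It assumes the contents of the two include files the thread never shows (in particular that the Cymru-style bogon list contains 10.0.0.0/8), takes the host's addresses from the ifconfig output above, and approximates `localnets` with `localhost`.

```python
import ipaddress

# Constructed sample data (assumptions): the thread does not show
# /etc/bogon_acl.conf or /etc/trusted_networks_acl.conf. The Cymru template
# the old named.conf cites lists RFC 1918 space such as 10.0.0.0/8 as bogon.
LOCAL_ADDRESSES = {"127.0.0.1", "91.81.207.221", "10.37.129.2"}  # from ifconfig
ACLS = {
    "bogon": ["0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "169.254.0.0/16"],
    "trusted_networks": ["localhost", "192.168.1.0/24"],
}

def acl_matches(entries, ip, acls=ACLS):
    """Evaluate a BIND address_match_list: the first matching element wins,
    and a match on a negated element ('!') means the whole list does NOT match."""
    for entry in entries:
        negated = entry.startswith("!")
        item = entry.lstrip("!").strip()
        if item == "any":
            hit = True
        elif item == "none":
            hit = False
        elif item == "localhost":            # every address of this host's interfaces
            hit = str(ip) in LOCAL_ADDRESSES
        elif item in acls:                   # nested ACL referenced by name
            hit = acl_matches(acls[item], ip, acls)
        else:
            hit = ip in ipaddress.ip_network(item, strict=False)
        if hit:
            return not negated
    return False

def classify_query(src, options):
    """What named does with a recursive query from src: 'blackholed' (silently
    dropped, so dig times out), 'recursion-denied', or 'answered'."""
    ip = ipaddress.ip_address(src)
    if acl_matches(options.get("blackhole", ["none"]), ip):
        return "blackholed"
    if not acl_matches(options.get("allow-query", ["any"]), ip):
        return "recursion-denied"
    # BIND 9.4+ defaults allow-recursion to { localnets; localhost; };
    # localnets is approximated by localhost here (assumption).
    if not acl_matches(options.get("allow-recursion", ["localhost"]), ip):
        return "recursion-denied"
    return "answered"

OLD_2008_OPTIONS = {"blackhole": ["bogon"], "allow-recursion": ["trusted_networks"]}
NEW_2006_OPTIONS = {}   # no blackhole, no allow-recursion: defaults apply
```

Under these assumptions a query sourced from 10.37.129.2 is blackholed by the old config, which never replies, matching the dig timeout while 127.0.0.1 answers; the replacement config has no blackhole, so the same address is served.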