On 28.07.2011 01:18, Bob wrote:
> These two views are identical in any way I can see, so the fault may
> be in an included configuration file that is not included in your
> message.
>
> Look for allow-query, allow-recursion or allow-cache statements in
> your other config files.

Did this. The only "allow" I could find was "allow-transfer". The only
two parts I left out were "options", the included keys and "logging":

!options {
!    directory "/var/tmp/named";
!    pid-file "/var/run/named/named.pid";
!    dump-file "/var/run/named/named_dump.db";
!    statistics-file "/var/run/named/named.stats";
!    listen-on { any; };
!    #listen-on-v6 { any; };
!
!    recursion yes;
!    auth-nxdomain no;
!};
!include "/etc/named/mskey.key";
!include "/etc/named/bind.keys";
!include "/etc/bind/key.rndc";

mskey.key:
!key mskey {
!    algorithm hmac-md5;
!    secret ".....................";
!};

bind.keys:
!managed-keys {
!    # NOTE: This key is current as of October 2009.
!    # If it fails to initialize correctly, it may have expired;
!    # see https://www.isc.org/solutions/dlv for a replacement.
!    dlv.isc.org. initial-key 257 3 5
!"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
!brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
!1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
!ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
!Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
!QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
!TDN0YUuWrBNh";
!};

key.rndc:
!key "xompukey" {
!    algorithm hmac-md5;
!    secret "............................................";
!};

!logging {
!    channel security_log {
!        file "/var/log/named/security.log";
!        severity info;
!        print-time yes;
!    };
!    channel update_log {
!        file "/var/log/named/update.log";
!        severity info;
!        print-time yes;
!    };
!    channel query_log {
!        file "/var/log/named/query.log";
!        severity debug 3;
!        print-time yes;
!    };
!    channel debug_log {
!        file "/var/log/named/debug.log";
!        severity info;
!        print-time yes;
!    };
!    category update { update_log; };
!    category queries { query_log; };
!    category default { debug_log; };
!    category security { security_log; };
!    category unmatched { null; };
!};

Calling "dig +trace google.com" on systems located in 192.168.180.0/23:
!; <<>> DiG 9.7.3 <<>> +trace google.com
!;; global options: +cmd
!.                  518400  IN  NS  e.root-servers.net.
!.                  518400  IN  NS  f.root-servers.net.
!.                  518400  IN  NS  h.root-servers.net.
!.                  518400  IN  NS  i.root-servers.net.
!.                  518400  IN  NS  m.root-servers.net.
!.                  518400  IN  NS  d.root-servers.net.
!.                  518400  IN  NS  a.root-servers.net.
!.                  518400  IN  NS  g.root-servers.net.
!.                  518400  IN  NS  b.root-servers.net.
!.                  518400  IN  NS  c.root-servers.net.
!.                  518400  IN  NS  l.root-servers.net.
!.                  518400  IN  NS  j.root-servers.net.
!.                  518400  IN  NS  k.root-servers.net.
!;; Received 244 bytes from 192.168.180.28#53(ns.example.de) in 0 ms
!
!com.               172800  IN  NS  c.gtld-servers.net.
!com.               172800  IN  NS  j.gtld-servers.net.
!com.               172800  IN  NS  l.gtld-servers.net.
!com.               172800  IN  NS  e.gtld-servers.net.
!com.               172800  IN  NS  f.gtld-servers.net.
!com.               172800  IN  NS  h.gtld-servers.net.
!com.               172800  IN  NS  a.gtld-servers.net.
!com.               172800  IN  NS  g.gtld-servers.net.
!com.               172800  IN  NS  k.gtld-servers.net.
!com.               172800  IN  NS  b.gtld-servers.net.
!com.               172800  IN  NS  i.gtld-servers.net.
!com.               172800  IN  NS  m.gtld-servers.net.
!com.               172800  IN  NS  d.gtld-servers.net.
!;; Received 488 bytes from 128.8.10.90#53(d.root-servers.net) in 100 ms
!
!google.com.        172800  IN  NS  ns2.google.com.
!google.com.        172800  IN  NS  ns1.google.com.
!google.com.        172800  IN  NS  ns3.google.com.
!google.com.        172800  IN  NS  ns4.google.com.
!;; Received 164 bytes from 192.42.93.30#53(g.gtld-servers.net) in 161 ms
!
!google.com.        300     IN  A   209.85.148.103
!google.com.        300     IN  A   209.85.148.99
!google.com.        300     IN  A   209.85.148.104
!google.com.        300     IN  A   209.85.148.147
!google.com.        300     IN  A   209.85.148.106
!google.com.        300     IN  A   209.85.148.105
!;; Received 124 bytes from 216.239.38.10#53(ns4.google.com) in 95 ms

Calling "dig +trace google.com" on systems located in 192.168.112.0/23:
!; <<>> DiG 9.7.3 <<>> +trace google.com
!;; global options: +cmd
!.                  518400  IN  NS  l.root-servers.net.
!.                  518400  IN  NS  g.root-servers.net.
!.                  518400  IN  NS  d.root-servers.net.
!.                  518400  IN  NS  i.root-servers.net.
!.                  518400  IN  NS  k.root-servers.net.
!.                  518400  IN  NS  c.root-servers.net.
!.                  518400  IN  NS  j.root-servers.net.
!.                  518400  IN  NS  a.root-servers.net.
!.                  518400  IN  NS  e.root-servers.net.
!.                  518400  IN  NS  f.root-servers.net.
!.                  518400  IN  NS  b.root-servers.net.
!.                  518400  IN  NS  h.root-servers.net.
!.                  518400  IN  NS  m.root-servers.net.
!;; Received 228 bytes from 192.168.180.28#53(ns.example.de) in 24 ms
!
!;; connection timed out; no servers could be reached

Any of the servers can be reached from both subnets:
!# ping a.gtld-servers.net
!PING a.gtld-servers.net (192.5.6.30) 56(84) bytes of data.
!64 bytes from a.gtld-servers.net (192.5.6.30): icmp_req=1 ttl=117 time=127 ms
!64 bytes from a.gtld-servers.net (192.5.6.30): icmp_req=2 ttl=117 time=128 ms

and on the other subnet (using ip-address):
!$ ping 192.5.6.30
!PING 192.5.6.30 (192.5.6.30) 56(84) bytes of data.
!64 bytes from 192.5.6.30: icmp_req=1 ttl=118 time=129 ms
!64 bytes from 192.5.6.30: icmp_req=2 ttl=118 time=129 ms
!64 bytes from 192.5.6.30: icmp_req=3 ttl=118 time=129 ms

????? --- I am a little bit lost at the moment ...

> When using views, I often find it more manageable to move such
> options inside the view definition.
>
> Mvh. / Regards
> Bob
>
> On 2011-07-25 16:24, Thomas Schweikle wrote:
>> Hi!
>>
>> I have set up a view for one site. It is bound to change answers as
>> necessary for different IP-ranges. It works as far as I could see.
>> But with one ip-range there is a problem ...
>>
>> I can query internal addresses:
>> !user@kvm2~# host intweb.example.de
>> !web.example.de has address 192.168.180.46
>>
>> But external ones do not work:
>> !user@kvm2:~# host google.com
>> !user@kvm2:~#
>>
>> The host I am trying on has address 192.168.112.4 and I've set up my
>> view as:
>> !view "ex" {
>> !    match-clients { 192.168.112.0/23; };
>> !    recursion yes;
>> !
>> !    include "/etc/named/master/rootns.conf";
>> !    include "/etc/named/master/localhost.conf";
>> !    include "/etc/named/master/empty.conf";
>> !
>> !    zone "example.de." {
>> !        type master;
>> !        allow-transfer { key "mskey"; };
>> !        notify no;
>> !        file "/etc/named/zhz/fwd.example";
>> !    };
>> !    zone "112.168.192.in-addr.arpa." {
>> !        type master;
>> !        allow-transfer { key "mskey"; };
>> !        notify no;
>> !        file "/etc/named/zin/rev.192.168.1";
>> !    };
>> !};
>>
>> !view "in" {
>> !    match-clients { 192.168.180.0/23; };
>> !    recursion yes;
>> !
>> !    include "/etc/named/master/rootns.conf";
>> !    include "/etc/named/master/localhost.conf";
>> !    include "/etc/named/master/empty.conf";
>> !
>> !    zone "example.de." {
>> !        type master;
>> !        allow-transfer { key "mskey"; };
>> !        notify no;
>> !        file "/etc/named/zhz/fwd.example";
>> !    };
>> !    zone "112.168.192.in-addr.arpa." {
>> !        type master;
>> !        allow-transfer { key "mskey"; };
>> !        notify no;
>> !        file "/etc/named/zin/rev.192.168.1";
>> !    };
>> !};
>>
>> Any idea why the server resolves internal names, but no external
>> ones to view "ex", while it does answer internal and external names
>> to view "in"?
>> I've set up query logging, but this just tells me queries are
>> correctly processed. But not why no answer was sent.
>>
>> In the server logs I can watch queries from 192.168.180.0/23 tagged
>> with "in" and such from 192.168.112.0/23 with "ex". Addresses
>> defined by my server are served to both clients "in" and "ex".
>> Addresses from others like google.com are only served to clients
>> from "in" not to clients from "ex" (server answers NXDOMAIN).
>>
>>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>

--
Thomas
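
Added example (not part of the original thread, and not code from either poster): one way to carry out the check Bob suggests, by listing the query and recursion ACL statements in named.conf text and showing which value each view ends up with, since a view without its own statement falls back to the options block. The sample config and the function names are constructed; "include" lines are not followed (concatenate the included files first), and the code watches allow-query-cache, the BIND 9 name of the cache ACL.

```python
import re

# Statements that pick a view or gate queries (all real BIND 9 option names).
WATCHED = {"match-clients", "recursion", "allow-query",
           "allow-query-cache", "allow-recursion"}
# Comments and quoted strings are matched first, so "//" inside a secret is safe.
TOKEN = re.compile(r'/\*.*?\*/|(?:#|//)[^\n]*|"[^"]*"|[{};]|[^\s{};"]+', re.S)

# Constructed sample, not the poster's real file: the two views from the thread
# plus a hypothetical global allow-recursion of the kind Bob says to look for.
SAMPLE = '''
options {
    recursion yes;
    allow-recursion { 192.168.180.0/23; };  # hypothetical
};
view "ex" { match-clients { 192.168.112.0/23; }; recursion yes; };
view "in" { match-clients { 192.168.180.0/23; }; recursion yes; };
'''

def acl_statements(text):
    """Return (scope, option, values) for each WATCHED statement in text."""
    stack, stmt, found = [], [], []
    for tok in TOKEN.findall(text):
        if tok.startswith(("#", "//", "/*")):
            continue                                  # skip comments
        if tok == "{":
            if stmt and stmt[0] in WATCHED:           # block form: address list
                found.append((" > ".join(stack) or "global", stmt[0], []))
            stack.append(" ".join(stmt))
        elif tok == "}":
            del stack[-1:]                            # safe on unbalanced input
        elif tok == ";":
            if stack and stack[-1] in WATCHED and stmt:
                found[-1][2].append(" ".join(stmt))   # element of the open list
            elif stmt and stmt[0] in WATCHED:         # simple form: recursion yes;
                found.append((" > ".join(stack) or "global", stmt[0], stmt[1:]))
        else:
            stmt.append(tok)
            continue
        stmt = []
    return found

def effective(text, option):
    """Per view: the view's own value for option, else the options-block default."""
    stmts = acl_statements(text)
    default = next((v for s, o, v in stmts if s == "options" and o == option), None)
    views = {s: default for s, o, _ in stmts if s.startswith("view ") and " > " not in s}
    views.update({s: v for s, o, v in stmts if s in views and o == option})
    return views
```

On the constructed sample, effective(SAMPLE, "allow-recursion") reports 192.168.180.0/23 for both views, so clients matched by "ex" would be outside the inherited ACL even though the two view blocks read the same.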