Stop using IP addresses for UPDATE authentication. Use TSIG instead between the DHCP server and named.
--
Mark Andrews

> On 19 Dec 2020, at 18:25, Dan Egli <d...@newideatest.site> wrote:
>
> I guess sometimes you just need to look at it in a different way. I never
> noticed it was using the 10.0.2.15 IP to try to update. That's going to be
> blocked because I don't have the outside world enabled for this server. So
> let me go ask on the DHCP list why it's insisting on using that interface.
>
>> On 12/18/2020 11:59 PM, Dan Egli wrote:
>> I'm really stumped as to what's going on. I'm trying to get dhcpd to
>> automatically update name records for my internal network. This is NOT going
>> to the public internet by any means. It's just an internal network. But
>> every time either I or dhcpd try to add a record, named refuses to allow it.
>> I'm getting a message in the log that says refused due to allow-query:
>>
>> 19-Dec-2020 06:49:19.299 update-security: error: client @0x7fa610000cd0
>> 10.0.2.15#49948: update 'eglifamily.name/IN' denied due to allow-query
>>
>> What's causing this, and how do I fix it? I'm including my named.conf and
>> dhcpd.conf files below. Can anyone help me?
>>
>> dhcpd.conf:
>>
>> default-lease-time 300;
>> max-lease-time 43200;
>>
>> ddns-update-style interim;
>>
>> authoritative;
>> log-facility local1;
>>
>> allow booting;
>>
>> subnet 10.0.2.0 netmask 255.255.255.0 {
>>     # no services at all! That's the link from the ISP. Don't touch it!
>> }
>>
>> subnet 192.168.10.0 netmask 255.255.255.0 {
>>     range 192.168.10.128 192.168.10.254;
>>     if exists user-class and option user-class = "iPXE" {
>>         filename "pxelinux.efi";
>>     } else {
>>         filename "pxelinux.0";
>>     }
>>     next-server 192.168.10.3;
>>     option domain-name-servers 192.168.10.2, 8.8.8.8;
>>     option domain-name "eglifamily.name";
>>     option routers 192.168.10.1;
>> }
>>
>> host fixed-1 {
>>     hardware ethernet 08:00:27:D5:AA:3C;
>>     fixed-address 192.168.10.64;
>>     option host-name "ethereum-1";
>>     ddns-hostname "ethereum-1.eglifamily.name";
>> }
>>
>> named.conf:
>>
>> /*
>>  * Refer to the named.conf(5) and named(8) man pages, and the documentation
>>  * in /usr/share/doc/bind-* for more details.
>>  * Online versions of the documentation can be found here:
>>  * https://kb.isc.org/article/AA-01031
>>  *
>>  * If you are going to set up an authoritative server, make sure you
>>  * understand the hairy details of how DNS works. Even with simple mistakes,
>>  * you can break connectivity for affected parties, or cause huge amounts of
>>  * useless Internet traffic.
>>  */
>>
>> acl "xfer" {
>>     /* Deny transfers by default except for the listed hosts.
>>      * If we have other name servers, place them here.
>>      */
>>     none;
>> };
>>
>> /*
>>  * You might put in here some IPs which are allowed to use the cache or
>>  * recursive queries
>>  */
>> acl "trusted" {
>>     192.168.10.0/24;
>>     127.0.0.0/8;
>>     ::1/128;
>> };
>>
>> acl "myself" {
>>     127.0.0.0/24;
>>     ::1/128;
>> };
>>
>> options {
>>     directory "/var/bind";
>>     pid-file "/run/named/named.pid";
>>
>>     /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
>>     //bindkeys-file "/etc/bind/bind.keys";
>>     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>>     minimal-responses yes;
>>
>>     listen-on-v6 { none; }; // for now
>>     listen-on { 192.168.10.2; 127.0.0.1; };
>>
>>     allow-query {
>>         /*
>>          * Accept queries from our "trusted" ACL. We will
>>          * allow anyone to query our master zones below.
>>          * This prevents us from becoming a free DNS server
>>          * to the masses.
>>          */
>>         trusted;
>>     };
>>
>>     allow-query-cache {
>>         /* Use the cache for the "trusted" ACL. */
>>         trusted;
>>     };
>>
>>     allow-recursion {
>>         /* Only trusted addresses are allowed to use recursion. */
>>         trusted;
>>     };
>>
>>     allow-transfer {
>>         /* Zone transfers are denied by default. */
>>         none;
>>     };
>>
>>     allow-update {
>>         myself;
>>     };
>>
>>     /*
>>      * If you've got a DNS server around at your upstream provider, enter its
>>      * IP address here, and enable the line below. This will make you benefit
>>      * from its cache, thus reduce overall DNS traffic in the Internet.
>>      *
>>      * Uncomment the following lines to turn on DNS forwarding, and change
>>      * and/or update the forwarding ip address(es):
>>      */
>>     /*
>>     forward first;
>>     forwarders {
>>         // 123.123.123.123; // Your ISP NS
>>         // 124.124.124.124; // Your ISP NS
>>         // 4.2.2.1;         // Level3 Public DNS
>>         // 4.2.2.2;         // Level3 Public DNS
>>         8.8.8.8;            // Google Open DNS
>>         8.8.4.4;            // Google Open DNS
>>     };
>>     */
>>
>>     // dnssec-enable yes;
>>     // named-checkconf says above line is bad
>>     //dnssec-validation yes;
>>
>>     /*
>>      * As of bind 9.8.0:
>>      * "If the root key provided has expired,
>>      * named will log the expiration and validation will not work."
>>      */
>>     dnssec-validation auto;
>>
>>     /* if you have problems and are behind a firewall: */
>>     //query-source address * port 53;
>> };
>>
>> logging {
>>     channel default_log {
>>         file "/var/log/named/named.log" versions 5 size 50M;
>>         print-time yes;
>>         print-severity yes;
>>         print-category yes;
>>     };
>>
>>     category default { default_log; };
>>     category general { default_log; };
>> };
>>
>> include "/etc/bind/rndc.key";
>> controls {
>>     inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
>> };
>>
>> #zone "." in {
>> #    type hint;
>> #    file "/var/bind/named.cache";
>> #};
>>
>> zone "localhost" IN {
>>     type master;
>>     file "pri/localhost.zone";
>>     notify no;
>> };
>>
>> zone "eglifamily.name" {
>>     type master;
>>     file "pri/eglifamily.zone";
>>     notify yes;
>> };
>>
>> zone "10.168.192.in-addr.arpa" {
>>     type master;
>>     file "pri/10.168.192.arpa.zone";
>>     notify yes;
>> };
>>
>> include "/var/lib/samba/bind-dns/named.conf";
>>
>> The samba file only contains the lines needed to load the dynamically loaded
>> zone modules (bind9_dlz).
>>
> --
> Dan Egli
> From my Test Server
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
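The TSIG setup Mark recommends, as an added example that is not part of the thread: named stops trusting a source address (the global `allow-update { myself; }`) and instead grants update rights per zone to whoever signs with a shared key, and dhcpd is told which server to send each UPDATE to and to sign it with that key. The key name `dhcp-update`, the placeholder secret and the granted record types are assumptions; the zone names, file names and the 192.168.10.2 server address come from the quoted configs.

```conf
# ---- named.conf side (added example, not the poster's config) ----
# One shared key. Generate the real secret on the named host with:
#   tsig-keygen -a hmac-sha256 dhcp-update
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "<base64 from tsig-keygen>";   # placeholder, not a real key
};

# In options {}: delete the global "allow-update { myself; };". A source
# address is not a credential; the per-zone policies below replace it.

zone "eglifamily.name" {
    type master;
    file "pri/eglifamily.zone";
    notify yes;
    # ddns-update-style interim writes an A record plus a TXT identity
    # record per client, so only those types are granted below the apex.
    update-policy {
        grant dhcp-update zonesub A TXT;
    };
};

zone "10.168.192.in-addr.arpa" {
    type master;
    file "pri/10.168.192.arpa.zone";
    notify yes;
    update-policy {
        grant dhcp-update zonesub PTR;
    };
};

# ---- dhcpd.conf side (added example, not the poster's config) ----
# Same key statement, same secret, on the DHCP server.
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "<base64 from tsig-keygen>";   # placeholder, not a real key
};

# Explicit zone statements pin the primary dhcpd sends each UPDATE to and
# make it sign with the key, instead of locating the server via the SOA.
zone eglifamily.name. {
    primary 192.168.10.2;
    key dhcp-update;
};

zone 10.168.192.in-addr.arpa. {
    primary 192.168.10.2;
    key dhcp-update;
};
```

Keep both files' permissions restrictive: anyone who can read the secret can rewrite every name the policy grants, regardless of which address they send from.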