On Wed, Oct 19, 2011 at 6:40 PM, mailing list subscriber <
[email protected]> wrote:
> Hello,
> I have a BIND nameserver* configured as master for a zone inside a view, and
> I would like it to perform recursion for queries that arrive for a CNAME
> record (so that the client is handed the IP address directly). At the same
> time, I do not want recursion enabled for the view in which the zone is
> defined.
>
> For this I tried the following named.conf configuration. To protect the
> client, the IP addresses have been replaced with 1.1.1.1 and the domain name
> with domeniu.ro.
>
> root@server:~# cat /etc/bind/named.conf /etc/bind/named.conf.options
> /etc/bind/named.conf.local|egrep -v '^#|* $|^\/'
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
>
> acl all { 0.0.0.0/0; };
> acl query { 192.168.1.0/24; };
> acl axfr { 127.0.0.0/8; };
>
> options {
>     directory "/var/cache/bind";
>     // If there is a firewall between you and nameservers you want
>     // to talk to, you may need to fix the firewall to allow multiple
>     // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>     // If your ISP provided one or more IP addresses for stable
>     // nameservers, you probably want to use them as forwarders.
>     // Uncomment the following block, and insert the addresses replacing
>     // the all-0's placeholder.
>     max-ncache-ttl 1;
>     auth-nxdomain no; # conform to RFC1035
>     listen-on { any; };
>     allow-recursion { query; };
>     allow-query { query; };
>     allow-transfer { axfr; };
>     version "I/O error reading version";
>     additional-from-auth yes;
>     additional-from-cache yes;
> };
>
> logging {
>     category lame-servers { null; };
> };
>
> include "/etc/bind/rndc.key";
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
> };
>
> view "intern" {
>     include "/etc/bind/zones.rfc1918";
>     match-clients { query; };
>     zone "domeniu.ro" {
>         type master;
>         file "db.domeniu.ro-intern";
>         allow-update { key "rndc-key"; };
>     };
>     zone "1.168.192.in-addr.arpa" {
>         type master;
>         notify no;
>         file "db.1.168.192";
>         allow-update { key "rndc-key"; };
>     };
>     zone "." { type hint; file "/etc/bind/db.root"; };
>     zone "localhost" { type master; file "/etc/bind/db.local"; };
>     zone "127.in-addr.arpa" { type master; file "/etc/bind/db.127"; };
>     zone "0.in-addr.arpa" { type master; file "/etc/bind/db.0"; };
>     zone "255.in-addr.arpa" { type master; file "/etc/bind/db.255"; };
> };
>
> view "extern" {
>     include "/etc/bind/zones.rfc1918";
>     match-clients { all; };
>     zone "domeniu.ro" {
>         type master;
>         file "db.domeniu.ro-extern";
>         allow-query { all; };
>     };
> };
>
> root@domeniu:~# cat /var/cache/bind/db.domeniu.ro-extern
> $ORIGIN domeniu.ro.
> $TTL 86400
> @       SOA     auth02.ns.de.uu.net. yp.domeniu.de. (
>                 2011101901      ; serial
>                 21600           ; refresh after 6 hours
>                 3600            ; retry after 1 hour
>                 604800          ; expire after 1 week
>                 86400 )         ; minimum TTL of 1 day
>
> @       MX      10 mx.domeniu.ro.
> @       A       1.1.1.1
> @       NS      auth52.ns.de.uu.net.
> @       NS      auth02.ns.de.uu.net.
> mail    A       1.1.1.1
> www     A       1.1.1.1
> mx      A       1.1.1.1
> test10  CNAME   www.google.com.
>
> When I query the server's IP from an external IP, the answer is the following:
>
> root@statie:~# host test10.domeniu.ro ip-ul-named-ului
> Using domain server:
> Name: ip-ul-named-ului
> Address: 82.76.154.100#53
> Aliases:
>
> test10.domeniu.ro is an alias for www.google.com.
> Host www.google.com not found: 5(REFUSED)
> Host www.google.com not found: 5(REFUSED)
>
> What needs to be changed so that it also does recursion, but only for that
> out-of-zone record?
>
So you want it to do recursion and resolve www.google.com?
Your problem shows up because you are asking your NS recursively for something
and it answers correctly, but a resolver would not ask recursively; it would
ask non-recursively, would get www.google.com, and would then restart
resolving from ., .com, google.com, etc.
In other words, the problem only appears because you are asking the NS
directly; ask any other recursive resolver and it will work.
>
> *it is bind9 1:9.6.ESV.R4+dfsg-0+lenny3
> Internet Domain Name Server
>
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug
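The mechanism the reply describes, as an added example that is not part of the thread and not BIND code: a small in-memory model of an authoritative-only server (the "extern" view) and of an iterative resolver. Asking the authoritative server directly with a CNAME pointing out of zone returns the CNAME and then REFUSED for the target, exactly as `host` showed; a resolver never asks the authoritative server to recurse, it follows the delegation chain itself and restarts from the root when it gets a CNAME. The delegation tree, the record data and the address 203.0.113.10 (a documentation-range placeholder) are constructed for the example; there is no glue, caching or DNSSEC in the model.

```python
"""Added example (not from the thread): why an out-of-zone CNAME is REFUSED when
you ask the authoritative server directly, but resolves fine through a recursive
resolver. Toy in-memory model: no glue, no caching, no DNSSEC; all zone data is
constructed, and 203.0.113.10 is an assumed documentation-range placeholder."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]          # (owner, rrtype, rdata)


@dataclass
class Response:
    rcode: str                          # NOERROR / NXDOMAIN / REFUSED
    answer: List[Record] = field(default_factory=list)
    referral: str = ""                  # child zone apex when the server only delegates


class AuthServer:
    """Authoritative-only server for one zone, like the 'extern' view in the post:
    it never recurses, whatever the RD bit says, and REFUSES names outside its zone."""

    def __init__(self, apex: str, records: Dict[Tuple[str, str], List[str]],
                 delegations: List[str]):
        self.apex, self.records, self.delegations = apex, records, delegations

    def in_zone(self, name: str) -> bool:
        return self.apex == "." or name == self.apex or name.endswith("." + self.apex)

    def query(self, qname: str, qtype: str) -> Response:
        if not self.in_zone(qname):
            return Response("REFUSED")           # what `host` got for www.google.com
        for child in self.delegations:
            if qname == child or qname.endswith("." + child):
                return Response("NOERROR", referral=child)
        cname = self.records.get((qname, "CNAME"))
        if cname:
            answer = [(qname, "CNAME", cname[0])]
            if self.in_zone(cname[0]):           # in-zone target: add its records too
                answer += [(cname[0], qtype, r) for r in self.records.get((cname[0], qtype), [])]
            return Response("NOERROR", answer)   # out-of-zone target: CNAME only
        rdata = self.records.get((qname, qtype), [])
        if rdata or any(owner == qname for owner, _ in self.records):
            return Response("NOERROR", [(qname, qtype, r) for r in rdata])
        return Response("NXDOMAIN")


# Constructed delegation tree; the domain names are the ones used in the post.
SERVERS = {
    ".":           AuthServer(".", {}, ["com.", "ro."]),
    "com.":        AuthServer("com.", {}, ["google.com."]),
    "ro.":         AuthServer("ro.", {}, ["domeniu.ro."]),
    "google.com.": AuthServer("google.com.", {("www.google.com.", "A"): ["203.0.113.10"]}, []),
    "domeniu.ro.": AuthServer("domeniu.ro.", {
        ("domeniu.ro.", "A"): ["1.1.1.1"],
        ("www.domeniu.ro.", "A"): ["1.1.1.1"],
        ("test10.domeniu.ro.", "CNAME"): ["www.google.com."],   # the out-of-zone alias
        ("alias.domeniu.ro.", "CNAME"): ["www.domeniu.ro."],    # an in-zone alias
        ("loop.domeniu.ro.", "CNAME"): ["loop.domeniu.ro."],    # a CNAME loop
    }, []),
}


def ask_authoritative_directly(qname: str, qtype: str = "A") -> Tuple[str, List[Record]]:
    """Mimic `host test10.domeniu.ro <server-ip>`: send the question straight to
    the authoritative server and, if only a CNAME comes back, re-ask *the same
    server* for the target. For an out-of-zone target that second query is REFUSED."""
    auth = SERVERS["domeniu.ro."]
    first = auth.query(qname, qtype)
    cnames = [r for r in first.answer if r[1] == "CNAME"]
    if not cnames or any(r[1] == qtype for r in first.answer):
        return first.rcode, first.answer
    second = auth.query(cnames[-1][2], qtype)
    return second.rcode, first.answer + second.answer


def resolve(qname: str, qtype: str = "A", max_chain: int = 8) -> Tuple[str, List[Record]]:
    """What a recursive resolver does: iterate from the root following referrals
    (RD never needed), and when the answer is a CNAME, restart from the root for
    the target. The authoritative server never has to recurse for anyone."""
    chain: List[Record] = []
    for _ in range(max_chain):
        server = SERVERS["."]
        while True:
            resp = server.query(qname, qtype)
            if not resp.referral:
                break
            server = SERVERS[resp.referral]    # follow the delegation downwards
        if resp.rcode != "NOERROR":
            return resp.rcode, chain
        chain += resp.answer
        cnames = [r for r in resp.answer if r[1] == "CNAME"]
        if not cnames or any(r[1] == qtype for r in resp.answer):
            return "NOERROR", chain
        qname = cnames[-1][2]                  # chase the alias target
    return "SERVFAIL", chain                   # CNAME chain too long or looping


if __name__ == "__main__":
    print("direct  :", ask_authoritative_directly("test10.domeniu.ro."))
    print("resolver:", resolve("test10.domeniu.ro."))
```

Running it prints the REFUSED outcome for the direct query and the full CNAME plus A chain for the resolver path. The point for the configuration in the thread is that nothing needs to change: keeping `allow-recursion` limited to the internal clients is the right setting for a server reachable from the Internet, and chasing an out-of-zone CNAME is the recursive resolver's job, not the authoritative server's.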