It was solved with iptables.
Connected to the host in question = connected via ssh to the ns server.
I put allow-transfer { "recursive_subnets"; any; }; anyway, I had done the test
from a workstation located in those subnets. It doesn't work either with any or
without it.
It was only the firewall's fault.
Kind Regards,
Respectfully,
Gabriel Avramescu
IT Trainer & Consultant
________________________________
Cisco Networking Academy
http://www.ituniversity.ro
>________________________________
> From: Florin Popovici <[email protected]>
>To: Gabriel Avramescu <[email protected]>; Romanian Linux Users Group
><[email protected]>
>Sent: Monday, 12 December 2011, 10:30
>Subject: Re: [rlug] Bind problems
>
>
>Hi,
>answers inline
>
>On Mon, Dec 12, 2011 at 10:10 AM, Gabriel Avramescu <[email protected]>
>wrote:
>
>>Hi,
>>>
>>>I have two problems in Bind:
>>>1. connected to the host in question, it resolves any dns request - using
>>>nslookup. Queries made by other workstations to this host are not resolved.
>>>
>>
>
>What does "connected to the host in question" mean? I assume you mean "from
>hosts in the x.x.54.0/23 or y.y.0.0/16 subnets".
>
>>
>>>Output of the named.conf file
>>>
>>>
>>>acl "recursive_subnets" {
>>> x.x.54.0/23;
>>> y.y.0.0/16;
>>> localhost;
>>>};
>>>
>>>
>>>options {
>>> directory "/var/named";
>>> allow-recursion { "recursive_subnets"; };
>>> allow-transfer { "recursive_subnets"; };
>>> allow-query { "recursive_subnets"; };
>>
>
>This is the problem ^^^. Your allow-query doesn't let other hosts make
>queries. At all.
>If you want to allow queries from other hosts too, but NOT recursion, here
>you put allow-query { "recursive_subnets"; all; }; and leave allow-recursion
>unchanged.
>
>You probably don't want to allow transfers from any host in those subnets.
>I recommend putting allow-transfer { the_slave_ip_only; }
>
>> [...]
>
>>[root@ns3 ~]# iptables -L -n
>>>Chain INPUT (policy ACCEPT)
>>>target prot opt source destination
>>>ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
>>>RELATED,ESTABLISHED
>>>ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
>>>ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>>>ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp
>>>dpt:22
>>>REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with
>>>icmp-host-prohibited
>>
>
>Try reading up on how iptables rules work. Rule 3 probably "cancels" your
>firewall. Run iptables -L -nv so we can also see the "input interface"; if it
>is "lo" then it's ok, but if it is "*" then everything after it is useless.
>If it does turn out to be "lo", you'll probably want to add a rule that opens
>53/UDP, before the last one with the general REJECT.
>
>> [...]
>>>
>>>2. This server is secondary
>>>
>>>Dec 9 14:53:49 ns3 named[2184]: transfer of 'rai-ria.ro/IN'
>>>from Ip_master#53: Transfer completed: 0 messages, 9 records, 0 bytes, 0.003
>>>secs (0 bytes/sec)
>>>
>>>Dec 9 14:57:32 ns3 named[2184]: zone .ro/IN: Transfer started.
>>>Dec 9 14:57:32 ns3 named[2184]: transfer of '.ro/IN' from Ip_master#53:
>>>connected using y.y.23.23#39743
>>
>
>Ahem, you have a ".ro" zone? You probably don't want that, unless you're RoTLD :)
>
>>Dec 9 14:57:32 ns3 named[2184]: dumping master file: tmp-12SgbfA9Jf: open:
>>permission denied
>>>Dec 9 14:57:32 ns3 named[2184]: transfer of '.ro/IN' from Ip_master#53:
>>>failed while receiving responses: permission denied
>>>Dec 9 14:57:32 ns3 named[2184]: transfer of '.ro/IN' from Ip_master#53:
>>>Transfer completed: 0 messages, 7 records, 0 bytes, 0.003 secs (0 bytes/sec)
>>>
>>>on both master and slave all the files in /var/named belong to the named
>>>group and user.
>>>
>>>Ideas?
>>
>
>If you have named chrooted (for example in /var/named/chroot), check that
>/var/named/chroot/tmp and /var/named/chroot/var/tmp are writable by the named
>user -- on both master and slave
>
>HTH
>Flo
>
>--
>flo.ro
>
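The allow-query / allow-transfer discussion in the quoted reply, as an added example that is not part of the thread. BIND's catch-all ACL keyword is `any`; the script below extracts the ACL statements from a named.conf excerpt (the one from the thread, embedded as constructed text) and flags the two problems Florin raised: an allow-query that shuts out every host not in the ACL, and an allow-transfer that hands zone data to whole subnets. The secondary's address 192.0.2.53 in the corrected excerpt is a placeholder.

```shell
#!/bin/sh
# Constructed named.conf excerpt with the options quoted in the thread.
NAMED_CONF_ORIGINAL='acl "recursive_subnets" { x.x.54.0/23; y.y.0.0/16; localhost; };
options {
    directory "/var/named";
    allow-recursion { "recursive_subnets"; };
    allow-transfer { "recursive_subnets"; };
    allow-query { "recursive_subnets"; };
};'

# The same excerpt with the two changes from the reply: everyone may query
# (authoritative answers only, since allow-recursion stays restricted) and
# transfers go to the secondary alone. 192.0.2.53 is a placeholder address.
NAMED_CONF_FIXED='acl "recursive_subnets" { x.x.54.0/23; y.y.0.0/16; localhost; };
options {
    directory "/var/named";
    allow-recursion { "recursive_subnets"; };
    allow-transfer { 192.0.2.53; };
    allow-query { any; };
};'

# acl_members OPTION: print the members of "OPTION { a; b; };" found in the
# named.conf text on stdin, one per line, quotes stripped (assumes the
# statement sits on a single line, as in the excerpt above).
acl_members() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*{\([^}]*\)}.*/\1/p" \
        | tr -d ' \t"' | tr ';' '\n' | sed '/^$/d'
}

# bind_acl_findings: read named.conf text on stdin and print one line per
# problem of the kind raised in the thread; print nothing when both look sane.
bind_acl_findings() {
    conf=$(cat)
    query=$(printf '%s\n' "$conf" | acl_members allow-query)
    transfer=$(printf '%s\n' "$conf" | acl_members allow-transfer)

    # Without "any" in allow-query, hosts outside the listed ACL get no answer
    # at all, not even authoritative ones; recursion is governed separately by
    # allow-recursion. An absent allow-query defaults to any in BIND.
    if [ -n "$query" ] && ! printf '%s\n' "$query" | grep -qx 'any'; then
        echo "allow-query: only { $(printf '%s' "$query" | tr '\n' ' ') } may query; add any for authoritative service"
    fi
    # Zone transfers belong to the secondary's address only, not to a subnet
    # ACL and certainly not to any.
    for m in $transfer; do
        case $m in
            *[!0-9.]*) echo "allow-transfer: '$m' is not a single IPv4 address; list the secondary's IP only" ;;
        esac
    done
}

printf '%s\n' "$NAMED_CONF_ORIGINAL" | bind_acl_findings   # two findings
printf '%s\n' "$NAMED_CONF_FIXED"    | bind_acl_findings   # prints nothing
```

The check keeps allow-recursion untouched on purpose: opening allow-query to `any` while allow-recursion stays on the subnet ACL is exactly the split the reply recommends, so outside hosts get answers for the zones this server is authoritative for and nothing else.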
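Florin's remark about rule 3 can be checked mechanically. The script below is an added example, not from the thread: it reads `iptables -L -nv` output (a constructed sample of the INPUT chain quoted above, with the "in" column that only `-v` shows, and a second constructed listing of the chain as it should look) and reports the first ACCEPT that matches every packet on every input interface. Any rule listed after that one, the final REJECT included, is never reached.

```shell
#!/bin/sh
# Constructed sample of `iptables -L -nv` output for the INPUT chain shown in
# the thread; the "in" column only appears with -v, and here rule 3 has in = "*".
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100 12000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    5   420 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
 3000 90000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Same chain as it should look: rule 3 bound to lo, plus 53/UDP opened before
# the final REJECT (constructed, not taken from the thread).
FIXED_INPUT_CHAIN='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100 12000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    5   420 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
   40  3000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
   70  5000 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    9   700 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# find_shadowing_accept: read one chain listing on stdin and print the number
# of the first ACCEPT that matches everything (prot all, in "*", any source and
# destination, no extra match), or "none". Rules after that number never see a
# packet, so a trailing REJECT does nothing.
find_shadowing_accept() {
    awk '
        /^Chain / || /^ *pkts / { next }   # skip the two header lines
        NF == 0 { next }
        {
            n++                            # rule number as --line-numbers shows it
            # columns: pkts bytes target prot opt in out source destination [match ...]
            if ($3 == "ACCEPT" && $4 == "all" && $6 == "*" &&
                $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" && NF == 9) {
                print n; found = 1; exit
            }
        }
        END { if (!found) print "none" }'
}

# shadowed_rule_count: how many rules sit after the shadowing ACCEPT (0 if none).
shadowed_rule_count() {
    listing=$(cat)
    pos=$(printf '%s\n' "$listing" | find_shadowing_accept)
    total=$(printf '%s\n' "$listing" \
        | awk '/^Chain / || /^ *pkts / || NF == 0 { next } { n++ } END { print n + 0 }')
    if [ "$pos" = none ]; then echo 0; else echo $((total - pos)); fi
}

printf '%s\n' "$SAMPLE_INPUT_CHAIN" | find_shadowing_accept   # 3
printf '%s\n' "$FIXED_INPUT_CHAIN"  | find_shadowing_accept   # none
```

On a live box the same functions take `iptables -L INPUT -nv | find_shadowing_accept`; the point of the `-v` flag is the interface column, which is what separates a harmless loopback ACCEPT from one that disables the rest of the chain.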
_______________________________________________
RLUG mailing list
[email protected]
http://lists.lug.ro/mailman/listinfo/rlug