I have now stopped iptables completely for testing, and the problem remains only with the zone transfer between master and slave:

Output of /var/log/messages on the master

Dec 12 14:02:25 ns named[27313]: client IP_SLAVE#54567: transfer of 'ceva.ro/IN': AXFR started
Dec 12 14:02:26 ns named[27313]: client IP_SLAVE#56231: transfer of 'ceva2.ro/IN': AXFR started
Dec 12 14:02:26 ns named[27313]: client IP_SLAVE#36614: transfer of 'etc.in-addr.arpa/IN': AXFR started
Dec 12 14:02:26 ns named[27313]: client IP_SLAVE#42815: transfer of 'etc.in-addr.arpa/IN': AXFR started
Dec 12 14:02:26 ns named[27313]: client IP_SLAVE#40294: transfer of 'ceva3.ro/IN': AXFR started
Dec 12 14:02:26 ns named[27313]: client IP_SLAVE#40760: transfer of 'ceva4.ro/IN': AXFR started

Output of /var/log/messages on the slave

Dec 12 14:32:45 ns3 named[3168]: transfer of 'ceva1.ro/IN' from IP_MASTER#53: connected using IP_SLAVE#44867
Dec 12 14:32:45 ns3 named[3168]: dumping master file: slaves/tmp-3Q5kWhTcSU: open: permission denied
Dec 12 14:32:45 ns3 named[3168]: transfer of 'ceva2.ro/IN' from IP_MASTER#53: failed while receiving responses: permission denied
Dec 12 14:32:45 ns3 named[3168]: transfer of 'ceva3.ro/IN' from IP_MASTER#53: Transfer completed: 0 messages, 10 records, 0 bytes, 0.003 secs (0 bytes/sec)

Kind Regards,
Respectfully,
Gabriel Avramescu

>________________________________
> From: Gabriel Avramescu <[email protected]>
> To: Florin Popovici <[email protected]>; Romanian Linux Users Group <[email protected]>
> Sent: Monday, 12 December 2011, 12:00
> Subject: Re: [rlug] Probleme bind
>
> It was solved with iptables.
>
> Connected to that host = connected via ssh to the ns server.
>
> I put allow-transfer { "recursive_subnets"; any; }; anyway, I had done the test from a workstation that was in those subnets. It doesn't work with any, nor without it.
>
> It was only the firewall's fault.
>
> Kind Regards,
> Respectfully,
> Gabriel Avramescu
> IT Trainer & Consultant
>
>________________________________
>
> Cisco Networking Academy
> http://www.ituniversity.ro
>
>
>>________________________________
>> From: Florin Popovici <[email protected]>
>> To: Gabriel Avramescu <[email protected]>; Romanian Linux Users Group <[email protected]>
>> Sent: Monday, 12 December 2011, 10:30
>> Subject: Re: [rlug] Probleme bind
>>
>> Hi,
>> answers inline
>>
>> On Mon, Dec 12, 2011 at 10:10 AM, Gabriel Avramescu <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> I have two problems in Bind:
>>> 1. connected to that host, it resolves any DNS request for me - using nslookup. Queries made by other workstations to this host are not resolved.
>>
>> What does "connected to that host" mean? I guess you mean "from hosts in the subnets x.x.54.0/23 or y.y.0.0/16".
>>
>>> Output of the named.conf file
>>>
>>> acl "recursive_subnets" {
>>>     x.x.54.0/23;
>>>     y.y.0.0/16;
>>>     localhost;
>>> };
>>>
>>> options {
>>>     directory "/var/named";
>>>     allow-recursion { "recursive_subnets"; };
>>>     allow-transfer { "recursive_subnets"; };
>>>     allow-query { "recursive_subnets"; };
>>
>> Here is the problem ^^^. Your allow-query does not let other hosts make queries. At all.
>> If you want to allow queries from other hosts as well, but NOT recursion, put allow-query { "recursive_subnets"; all; }; here and leave allow-recursion unchanged.
>>
>> You probably don't want to allow transfers from any host in those subnets. I recommend putting allow-transfer { only_the_slave_ip; }
>>
>>> [...]
>>>
>>> [root@ns3 ~]# iptables -L -n
>>> Chain INPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
>>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
>>> REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
>>
>> Try to read up on how iptables rules work. Rule 3 probably "cancels" your firewall. Run iptables -L -nv so we can also see the "input interface"; if it is "lo" then it's ok, but if it is "*" then everything after it is useless.
>> If it is indeed "lo", you will probably want to add a rule that opens 53/UDP, before the last one with the general REJECT.
>>
>>> [...]
>>>
>>> 2. This server is secondary
>>>
>>> Dec 9 14:53:49 ns3 named[2184]: transfer of 'rai-ria.ro/IN' from Ip_master#53: Transfer completed: 0 messages, 9 records, 0 bytes, 0.003 secs (0 bytes/sec)
>>>
>>> Dec 9 14:57:32 ns3 named[2184]: zone .ro/IN: Transfer started.
>>> Dec 9 14:57:32 ns3 named[2184]: transfer of '.ro/IN' from Ip_master#53: connected using y.y.23.23#39743
>>
>> Ahem, you have a ".ro" zone? You probably don't want that, unless you are RoTLD :)
>>
>>> Dec 9 14:57:32 ns3 named[2184]: dumping master file: tmp-12SgbfA9Jf: open: permission denied
>>> Dec 9 14:57:32 ns3 named[2184]: transfer of '.ro/IN' from Ip_master#53: failed while receiving responses: permission denied
>>> Dec 9 14:57:32 ns3 named[2184]: transfer of '.ro/IN' from Ip_master#53: Transfer completed: 0 messages, 7 records, 0 bytes, 0.003 secs (0 bytes/sec)
>>>
>>> On both the master and the slave, all files in /var/named belong to the named user and group.
>>>
>>> Ideas?
>>
>> If you have named chrooted (for example in /var/named/chroot), check that /var/named/chroot/tmp and /var/named/chroot/var/tmp are writable by the named user -- on both the master and the slave
>>
>> HTH
>> Flo
>>
>> --
>> flo.ro
>>
>
>_______________________________________________
>RLUG mailing list
>[email protected]
>http://lists.lug.ro/mailman/listinfo/rlug
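The options block from the thread, rewritten as an added example (not a config from the original posts or from the BIND project) with the two changes the reply recommends applied: queries from anywhere, recursion only for the local subnets, AXFR only for the slave. The built-in BIND ACL keyword for "everyone" is `any`. The documentation prefixes 192.0.2.0/24 and 198.51.100.0/16 stand in for x.x.54.0/23 and y.y.0.0/16, 203.0.113.53 stands in for IP_SLAVE, and the zone name is the thread's own placeholder; all are assumptions.

```conf
// Added example; placeholders stand in for the thread's x.x.54.0/23,
// y.y.0.0/16 and IP_SLAVE.

acl "recursive_subnets" {
    192.0.2.0/24;       // stands in for x.x.54.0/23
    198.51.100.0/16;    // stands in for y.y.0.0/16
    localhost;
};

// Only the secondary needs a full copy of the zones.
acl "secondaries" {
    203.0.113.53;       // stands in for IP_SLAVE
};

options {
    directory "/var/named";

    // As posted in the thread: hosts outside the ACL are refused outright,
    // so the authoritative zones are invisible from the Internet, and every
    // host on the local subnets may dump the zones with AXFR.
    //
    //   allow-query     { "recursive_subnets"; };
    //   allow-transfer  { "recursive_subnets"; };

    // Corrected: anyone may ask about the zones this server is authoritative
    // for; recursive lookups of other names are answered only for the local
    // subnets (everyone else gets REFUSED); and AXFR is limited to the slave.
    allow-query     { any; };
    allow-recursion { "recursive_subnets"; };
    allow-transfer  { "secondaries"; };
};

zone "ceva.ro" IN {
    type master;
    file "ceva.ro.zone";
    // A per-zone allow-transfer would override the global one; none is
    // needed here because the global setting already names only the slave.
};
```

Check the file with `named-checkconf /etc/named.conf` before reloading, and confirm the intent from an address outside the ACL: `dig @ns ceva.ro SOA +norecurse` should answer, `dig @ns www.example.com` should return REFUSED, and `dig @ns ceva.ro AXFR` should fail from anything but the slave.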
