problem with NS record resolution

2014-07-02 Thread Manuel Ramirez Montero
Hi,

I have BIND 9.9.5-P1 installed.

I have tried to configure a new zone isilon.mep.es:

zone "isilon.mep.es" in {
    type master;
    file "/var/named/data/isilon.mep.es.hosts";
    allow-update { dns; };
    allow-transfer { dns_xfer; };
};



with the following zone file:

$ORIGIN .
$TTL 38400  ; 10 hours 40 minutes
isilon.mep.es   IN SOA  dnspri.mep.es. mail.mep.es. (
                42      ; serial
                10800   ; refresh (3 hours)
                3600    ; retry (1 hour)
                604800  ; expire (1 week)
                38400   ; minimum (10 hours 40 minutes)
                )
                NS  dnspri.mep.es.
                NS  dnssec.mep.es.
$ORIGIN isilon.mep.es.
buzones01   CNAME   scmol1
scgal1      NS      sipgal1
scmol1      NS      sipmol1
sipgal1     A       10.1.32.224
sipmol1     A       10.1.32.222

What I want is that when I do an nslookup of scgal1.isilon.mep.es, the sipgal1
server returns me the correct IP, but it is not working.

If I do an nslookup of sipgal1, it resolves OK with 10.1.32.224; this
is OK.

But when I try the query for one of the NS records (scgal1 or scmol1), it
doesn't resolve.

I see that the query goes to the forwarder servers, as if my DNS server were not
authoritative for that zone.
This is the dig command output:

[root@dnssec ~]# dig @10.1.29.179 scmol1.isilon.mep.es

; <<>> DiG 9.9.5-P1 <<>> @10.1.29.179 scmol1.isilon.mep.es
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26785
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;scmol1.isilon.mep.es.  IN  A

;; Query time: 4 msec
;; SERVER: 10.1.29.179#53(10.1.29.179)
;; WHEN: Wed Jul 02 13:46:41 CEST 2014
;; MSG SIZE  rcvd: 49

Queries for A and CNAME records work fine, but this is the first time I have
configured an NS record and it doesn't work.



These are the named.conf options:


options {
    listen-on port 53 { 127.0.0.1; 10.1.29.179; };
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    dump-file "/var/named/data/named_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    forwarders { 10.1.0.236; 10.1.0.242; };
    allow-query { red_interna; dns_mpr; };
    allow-recursion { red_interna; dns_mpr; };
    allow-transfer { dns_xfer; };
    allow-notify { 10.1.24.35; };
    also-notify { 10.1.24.35; };
    recursive-clients 2000;
    transfers-out 100;
    transfers-per-ns 10;
    minimal-responses yes;
    notify yes;
    version none;
    check-names master ignore;
    check-names slave ignore;
};





Thanks for your help and sorry for my poor English.

Regards
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: problem with NS record resolution

2014-07-02 Thread Reindl Harald


On 02.07.2014 14:00, Manuel Ramirez Montero wrote:
 scgal1  NS  sipgal1
 scmol1  NS  sipmol1
 sipgal1 A   10.1.32.224
 sipmol1 A   10.1.32.222

why don't you just use FQDNs instead of sipgal1 and sipmol1?
the following works fine

dnsbl   IN NS   dnslists.thelounge.net.
dnswl   IN NS   dnslists.thelounge.net.
dnswl-high  IN NS   dnslists.thelounge.net.
dnswl-low   IN NS   dnslists.thelounge.net.
dnswl-medium    IN NS   dnslists.thelounge.net.




Re: problem with NS record resolution

2014-07-02 Thread Mark Andrews

Turn off forwarding for the namespace.  Add an empty forwarders
clause.

zone "isilon.mep.es" in {
    type master;
    file "/var/named/data/isilon.mep.es.hosts";
    allow-update { dns; };
    allow-transfer { dns_xfer; };
    forwarders { /* empty */ };
};

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
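An added example, not code from the thread or from BIND: a small zone-file parser that expands relative names under $ORIGIN the way BIND does (so `scgal1 NS sipgal1` becomes `scgal1.isilon.mep.es. NS sipgal1.isilon.mep.es.`, which answers the FQDN question above) and then lists the zone cuts below the apex, i.e. the names the server no longer answers for itself and whose queries a global forwarders setting sends upstream unless the zone carries the empty forwarders clause Mark describes. The zone text is a constructed copy of the one posted, indented as BIND expects.

```python
# Constructed copy of the zone posted in the thread, indented as BIND expects.
ZONE_TEXT = """\
$ORIGIN .
isilon.mep.es   IN SOA  dnspri.mep.es. mail.mep.es. (
                42 10800 3600 604800 38400 )
                NS  dnspri.mep.es.
                NS  dnssec.mep.es.
$ORIGIN isilon.mep.es.
buzones01   CNAME   scmol1
scgal1  NS  sipgal1
scmol1  NS  sipmol1
sipgal1 A   10.1.32.224
sipmol1 A   10.1.32.222
"""

def fqdn(name, origin):
    """Expand a zone-file name relative to the current $ORIGIN ('@' is the origin)."""
    if name == "@" or name.endswith("."):
        return origin if name == "@" else name          # already absolute
    return name + "." if origin == "." else f"{name}.{origin}"

def parse_zone(text):
    """Return (owner, rrtype, rdata) tuples with every name fully qualified."""
    origin, owner, records, buf, depth = ".", None, [], [], 0
    for raw in text.splitlines():
        buf.append(raw.split(";", 1)[0])                  # drop comments
        depth += buf[-1].count("(") - buf[-1].count(")")
        if depth > 0:                                     # inside a ( ... ) continuation
            continue
        inherits_owner = buf[0][:1].isspace()             # blank owner field = previous owner
        tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if not tokens:
            continue
        if tokens[0].startswith("$"):                     # $ORIGIN / $TTL directives
            if tokens[0] == "$ORIGIN": origin = tokens[1]
            continue
        if not inherits_owner:
            owner = fqdn(tokens.pop(0), origin)
        while tokens[0].isdigit() or tokens[0].upper() == "IN":   # optional TTL / class
            tokens.pop(0)
        rrtype, rdata = tokens[0].upper(), tokens[1:]
        if rrtype in ("NS", "CNAME"):                     # name-valued rdata is relative too
            rdata = [fqdn(rdata[0], origin)]
        records.append((owner, rrtype, rdata))
    return records

def delegations(records):
    """Zone cuts below the apex: names this server no longer answers for itself."""
    apex = next(o for o, t, _ in records if t == "SOA")
    cuts = {}
    for owner, rrtype, rdata in records:
        if rrtype == "NS" and owner != apex:
            cuts.setdefault(owner, []).append(rdata[0])
    return cuts
```

Running `delegations(parse_zone(ZONE_TEXT))` reports scgal1 and scmol1 as cuts, which is exactly the set of names the dig output above shows being forwarded and answered NXDOMAIN.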


Re: problem with NS record resolution

2014-07-02 Thread Manuel Ramirez Montero
Hi,

If the NS record and the A record are in the same zone, it is not necessary.
I have configured the forwarders with no values as Mark said before, and
that works fine!

Regards


2014-07-02 14:09 GMT+02:00 Reindl Harald h.rei...@thelounge.net:



 On 02.07.2014 14:00, Manuel Ramirez Montero wrote:
  scgal1  NS  sipgal1
  scmol1  NS  sipmol1
  sipgal1 A   10.1.32.224
  sipmol1 A   10.1.32.222

 why don't you just use FQDN instead sipgal1 and sipmol1?
 that below works fine

 dnsbl   IN NS   dnslists.thelounge.net.
 dnswl   IN NS   dnslists.thelounge.net.
 dnswl-high  IN NS   dnslists.thelounge.net.
 dnswl-low   IN NS   dnslists.thelounge.net.
 dnswl-mediumIN NS   dnslists.thelounge.net.



Cannot get allow-query-on to work

2014-07-02 Thread Bob Harold
I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:

allow-query-on { 127.0.0.1; };

To the default /etc/bind/named.conf.options file.
That should make it only answer queries sent to 127.0.0.1, and not answer
queries sent to the server's normal IP.  But it seems to have no effect.

I have tried putting the computer's real IP in there instead - same results
- both IPs answer queries.

I have tried the similar allow-recursion-on option and that works as
documented.

Any clue how to get allow-query-on to work?
Searching the mail archives and Google did not find anything - but it is
hard to filter on just allow-query-on as a complete string.
Has anyone even used that option?

-- 
Bob Harold
DNS hostmaster
University of Michigan

Re: Cannot get allow-query-on to work

2014-07-02 Thread Reindl Harald

On 02.07.2014 17:08, Bob Harold wrote:
 I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
 
 allow-query-on { 127.0.0.1; };
 
 To the default /etc/bind/named.conf.options file.
 That should make it only answer queries sent to 127.0.0.1, and not 
 answer queries sent to the server's normal IP.
 But it seems to have no effect

why listen on an interface you don't want to
answer from, and so accept packets at all?

listen-on  {any;};
listen-on  {127.0.0.1;};
listen-on  {127.0.0.1; 192.168.196.2;};




Re: Cannot get allow-query-on to work

2014-07-02 Thread Bob Harold
The server I really need this for is a little more complex.  I was just
trying for a simple test case.

Here are more details on my plans to actually use allow-query-on.  Two
DNS servers, one only for the data centers, and another for the users, but
also as backup for the data center.

DNS resolver for data center has these relevant settings in named.conf:
(has data center DNS resolver IP)
acl DATACENTER { ... data center subnets ... };
options {allow-query { any; } ;
allow-recursion { any; } ;
recursion yes;
};
view datacenter {
 match-clients { DATACENTER; };
... my zones 
};

DNS resolver for users, but also backup resolver for the data center:
(There are actually two of these.)
(has both user DNS resolver IP and data center DNS resolver IP)
options {
allow-query { any; } ;
allow-recursion { any; } ;
recursion yes;
};
view datacenter {
match-clients { DATACENTER; };
allow-query-on { data center resolver ip };
... my zones ...
};
view users {
match-clients { any; };
allow-query-on { user resolver ip };
... my zones ...
};

I don't want users trying to use the data center resolver IP.  Without the
allow-query-on, it would work for them if the anycast path reached the
user resolver, but not if it reached the data center resolver.  That
confuses users.

(Actually, both data center and users have two anycast resolver IPs each,
so double the above sets of servers.)
The authoritative servers are a separate set of servers, not using anycast,
not involved in this.

-- 
Bob Harold
DNS Hostmaster
University of Michigan


On Wed, Jul 2, 2014 at 11:12 AM, Reindl Harald h.rei...@thelounge.net
wrote:


 On 02.07.2014 17:08, Bob Harold wrote:
  I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
 
  allow-query-on { 127.0.0.1; };
 
  To the default /etc/bind/named.conf.options file.
  That should make it only answer queries sent to 127.0.0.1, and not
  answer queries sent to the server's normal IP.
  But it seems to have no effect

 why listen on an interface you don't want to
 answer from, and so accept packets at all?

 listen-on  {any;};
 listen-on  {127.0.0.1;};
 listen-on  {127.0.0.1; 192.168.196.2;};



Re: Cannot get allow-query-on to work

2014-07-02 Thread Reindl Harald
Personally I would not mix that; I would have separate virtual servers
and control the reachability via iptables. The servers
can act as slave/master where needed so that the datacenter
nameserver has all zones and differs where it makes sense.

We do something similar with internal / public nameservers:
4 DNS servers, 2 of them only reachable from specific IPs.

Some years ago I would have mixed that too, but now
VMware/Xen/KVM/LXC have become mature.

On 02.07.2014 18:18, Bob Harold wrote:
 The server I really need this for is a little more complex.  I was just 
 trying for a simple test case.
 
 Here are more details on my plans to actually use allow-query-on.  Two DNS 
 servers, one only for the data
 centers, and another for the users, but also as backup for the data center.
 
 DNS resolver for data center has these relevant settings in named.conf:
 (has data center DNS resolver IP)
 acl DATACENTER { ... data center subnets ... };
 options {allow-query { any; } ; 
 allow-recursion { any; } ;
 recursion yes;
 };
 view datacenter {
  match-clients { DATACENTER; };
 ... my zones 
 };
 
 DNS resolver for users, but also backup resolver for the data center: (There 
 are actually two of these.)
 (has both user DNS resolver IP and data center DNS resolver IP)
 options {
 allow-query { any; } ; 
 allow-recursion { any; } ;
 recursion yes;
 };
 view datacenter {
 match-clients { DATACENTER; };
 allow-query-on { data center resolver ip };
 ... my zones ...
 };
 view users {
 match-clients { any; };
 allow-query-on { user resolver ip };
 ... my zones ...
 };
 
 I don't want users trying to use the data center resolver IP.  Without the 
 allow-query-on, it would work for them
 if the anycast path reached the user resolver, but not if it reached the data 
 center resolver.  That confuses users.
 
 (Actually, both data center and users have two anycast resolver IP's each, so 
 double the above sets of servers.)
 The authoritative servers are a separate set of servers, not using anycast, 
 not involved in this.
 
 On Wed, Jul 2, 2014 at 11:12 AM, Reindl Harald h.rei...@thelounge.net
 wrote:
 
 
 On 02.07.2014 17:08, Bob Harold wrote:
  I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
 
  allow-query-on { 127.0.0.1; };
 
  To the default /etc/bind/named.conf.options file.
  That should make it only answer queries sent to 127.0.0.1, and not
  answer queries sent to the server's normal IP.
  But it seems to have no effect
 
 why listen on an interface you don't want to
 answer from, and so accept packets at all?
 
 listen-on  {any;};
 listen-on  {127.0.0.1;};
 listen-on  {127.0.0.1; 192.168.196.2;};




re: Cannot get allow-query-on to work.

2014-07-02 Thread Bob McDonald
Did you specify 127.0.0.1 in the listen-on options statement?

 I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:

 allow-query-on { 127.0.0.1; };

 To the default /etc/bind/named.conf.options file.
 That should make it only answer queries sent to 127.0.0.1, and not answer
 queries sent to the server's normal IP.  But it seems to have no effect.

 I have tried putting the computer's real IP in there instead - same
results
 - both IP's answer queries.

 I have tried the similar allow-recursion-on option and that works as
 documented.

 Any clue how to get allow-query-on to work?
 Searching the mail archives and Google did not find anything - but it is
 hard to filter on just allow-query-on as a complete string.
 Has anyone even used that option?

 --
 Bob Harold
 DNS hostmaster
 University of Michigan

Regards,

Bob

Re: Cannot get allow-query-on to work.

2014-07-02 Thread Bob Harold
listen-on defaults to all the computer's IPv4 addresses, including the
loopback, so I did not put an explicit listen-on statement.  It answers
queries to both the loopback and other addresses.

-- 
Bob Harold
DNS hostmaster
University of Michigan


On Wed, Jul 2, 2014 at 1:06 PM, Bob McDonald bmcdonal...@gmail.com wrote:

 Did you specify 127.0.0.1 in the listen-on options statement?

  I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:

  allow-query-on { 127.0.0.1; };

  To the default /etc/bind/named.conf.options file.
  That should make it only answer queries sent to 127.0.0.1, and not answer
  queries sent to the server's normal IP.  But it seems to have no effect.

  I have tried putting the computer's real IP in there instead - same
 results
  - both IP's answer queries.

  I have tried the similar allow-recursion-on option and that works as
  documented.

  Any clue how to get allow-query-on to work?
  Searching the mail archives and Google did not find anything - but it is
  hard to filter on just allow-query-on as a complete string.
  Has anyone even used that option?

  --
  Bob Harold
  DNS hostmaster
  University of Michigan

 Regards,

 Bob




problem resolving ardownload.adobe.com

2014-07-02 Thread Carl Byington

version: 9.10.0-P2

dig ardownload.adobe.com. @localhost

;; ANSWER SECTION:
ardownload.adobe.com.   8743IN  CNAME   ardownload.wip4.adobe.com.


dig ardownload.adobe.com. @8.8.8.8

;; ANSWER SECTION:
ardownload.adobe.com.   4141IN  CNAME   ardownload.wip4.adobe.com.
ardownload.wip4.adobe.com. 196  IN  CNAME
ardownload.adobe.com.edgesuite.net.
ardownload.adobe.com.edgesuite.net. 3903 IN CNAME a1953.d.akamai.net.
a1953.d.akamai.net. 19  IN  A   184.28.188.201
a1953.d.akamai.net. 19  IN  A   184.28.188.184



I can manually get the second cname via dig directly to the name servers
for wip4.adobe.com:

dig ardownload.wip4.adobe.com. a @192.150.16.247 +norecur

;; ANSWER SECTION:
ardownload.wip4.adobe.com. 300  IN  CNAME
ardownload.adobe.com.edgesuite.net.



And I can manually get the third cname via dig:

dig ardownload.adobe.com.edgesuite.net. @localhost

;; ANSWER SECTION:
ardownload.adobe.com.edgesuite.net. 19916 IN CNAME a1953.d.akamai.net.
a1953.d.akamai.net. 20  IN  A   184.28.188.201
a1953.d.akamai.net. 20  IN  A   184.28.188.184



I don't see any errors in the log files.


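A checker for the symptom above, added here and not part of the post or of BIND: it parses dig answer sections and follows the CNAME chain from the query name, reporting whether the chain reaches address records or stops short, as the local resolver's answer does. The two answer sections are constructed from the dig output quoted above.

```python
# Constructed from the two answer sections quoted in the post (whitespace normalised).
LOCAL_ANSWER = """\
ardownload.adobe.com.   8743    IN      CNAME   ardownload.wip4.adobe.com.
"""
GOOGLE_ANSWER = """\
ardownload.adobe.com.   4141    IN      CNAME   ardownload.wip4.adobe.com.
ardownload.wip4.adobe.com. 196  IN      CNAME   ardownload.adobe.com.edgesuite.net.
ardownload.adobe.com.edgesuite.net. 3903 IN CNAME a1953.d.akamai.net.
a1953.d.akamai.net.     19      IN      A       184.28.188.201
a1953.d.akamai.net.     19      IN      A       184.28.188.184
"""

def parse_answer(text):
    """Turn dig answer-section lines into (owner, rrtype, rdata) tuples."""
    rrs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2].upper() == "IN":
            rrs.append((fields[0].lower(), fields[3].upper(), fields[4]))
    return rrs

def follow_chain(rrs, qname, qtype="A", max_hops=8):
    """Walk CNAMEs from qname until qtype data is found.

    Returns (hops, final rdata list, status); status is 'complete' when the
    chain ends in qtype records, 'dangling' when it stops at a name the answer
    says nothing about (the symptom in the post), 'loop' on a CNAME cycle.
    """
    name, hops, seen = qname.lower(), [], set()
    while len(hops) <= max_hops:
        data = [r for o, t, r in rrs if o == name and t == qtype]
        if data:
            return hops, data, "complete"
        target = [r for o, t, r in rrs if o == name and t == "CNAME"]
        if not target:
            return hops, [], "dangling"
        if name in seen:
            return hops, [], "loop"
        seen.add(name)
        hops.append((name, target[0].lower()))
        name = target[0].lower()
    return hops, [], "too-long"
```

On the local answer the chain stops after one hop with status 'dangling'; on the 8.8.8.8 answer it completes after three hops with the two Akamai addresses.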


Re: Cannot get allow-query-on to work

2014-07-02 Thread Jeremy C. Reed
 I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
 allow-query-on { 127.0.0.1; };

Please upgrade your BIND. There was a bug in allow-query-on that was
fixed since 9.8.6rc2.

Please note that currently allow-query-on is only used for zone 
configurations. Use allow-cache-on if restricting accessing cache (or 
allow-recursion-on like you also used).