problem with NS record resolution
Hi, I have BIND 9.9.5-P1 installed. I have tried to configure a new zone isilon.mep.es:

    zone "isilon.mep.es" in {
        type master;
        file "/var/named/data/isilon.mep.es.hosts";
        allow-update { dns; };
        allow-transfer { dns_xfer; };
    };

with the following zone file:

    $ORIGIN .
    $TTL 38400      ; 10 hours 40 minutes
    isilon.mep.es   IN SOA  dnspri.mep.es. mail.mep.es. (
                            42         ; serial
                            10800      ; refresh (3 hours)
                            3600       ; retry (1 hour)
                            604800     ; expire (1 week)
                            38400      ; minimum (10 hours 40 minutes)
                            )
                    NS      dnspri.mep.es.
                    NS      dnssec.mep.es.
    $ORIGIN isilon.mep.es.
    buzones01       CNAME   scmol1
    scgal1          NS      sipgal1
    scmol1          NS      sipmol1
    sipgal1         A       10.1.32.224
    sipmol1         A       10.1.32.222

What I want is that when I do an nslookup for scgal1.isilon.mep.es, the sipgal1 server returns me the correct IP, but it is not working. If I do an nslookup for sipgal1, it resolves OK with 10.1.32.224; this is fine, but when I try the query for one of the NS records (scgal1 or scmol1), it doesn't resolve. I see that the query goes to the forwarder servers, as if my DNS server were not authoritative for that zone. This is the dig command output:

    [root@dnssec ~]# dig @10.1.29.179 scmol1.isilon.mep.es

    ; <<>> DiG 9.9.5-P1 <<>> @10.1.29.179 scmol1.isilon.mep.es
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26785
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;scmol1.isilon.mep.es.          IN      A

    ;; Query time: 4 msec
    ;; SERVER: 10.1.29.179#53(10.1.29.179)
    ;; WHEN: Wed Jul 02 13:46:41 CEST 2014
    ;; MSG SIZE  rcvd: 49

Queries for records of type A and CNAME work fine, but this is the first time I configure an NS record and it doesn't work.

These are the named.conf options:

    options {
        listen-on port 53 { 127.0.0.1; 10.1.29.179; };
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        dump-file "/var/named/data/named_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        forwarders { 10.1.0.236; 10.1.0.242; };
        allow-query { red_interna; dns_mpr; };
        allow-recursion { red_interna; dns_mpr; };
        allow-transfer { dns_xfer; };
        allow-notify { 10.1.24.35; };
        also-notify { 10.1.24.35; };
        recursive-clients 2000;
        transfers-out 100;
        transfers-per-ns 10;
        minimal-responses yes;
        notify yes;
        version "none";
        check-names master ignore;
        check-names slave ignore;
    };

Thanks for your help and sorry for my poor English.

Regards

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: problem with NS record resolution
On 02.07.2014 14:00, Manuel Ramirez Montero wrote:
>     scgal1          NS      sipgal1
>     scmol1          NS      sipmol1
>     sipgal1         A       10.1.32.224
>     sipmol1         A       10.1.32.222

Why don't you just use FQDNs instead of sipgal1 and sipmol1? That below works fine:

    dnsbl           IN NS   dnslists.thelounge.net.
    dnswl           IN NS   dnslists.thelounge.net.
    dnswl-high      IN NS   dnslists.thelounge.net.
    dnswl-low       IN NS   dnslists.thelounge.net.
    dnswl-medium    IN NS   dnslists.thelounge.net.
Re: problem with NS record resolution
Turn off forwarding for the namespace. Add an empty forwarders clause.

    zone "isilon.mep.es" in {
        type master;
        file "/var/named/data/isilon.mep.es.hosts";
        allow-update { dns; };
        allow-transfer { dns_xfer; };
        forwarders { /* empty */ };
    };

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: problem with NS record resolution
Hi, if the NS record and the type A record are in the same zone, it is not necessary. I have configured the forwarders with no values as Mark said before, and that works fine!!!

Regards

2014-07-02 14:09 GMT+02:00 Reindl Harald h.rei...@thelounge.net:
> On 02.07.2014 14:00, Manuel Ramirez Montero wrote:
>>     scgal1          NS      sipgal1
>>     scmol1          NS      sipmol1
>>     sipgal1         A       10.1.32.224
>>     sipmol1         A       10.1.32.222
>
> Why don't you just use FQDNs instead of sipgal1 and sipmol1? That below works fine:
>
>     dnsbl           IN NS   dnslists.thelounge.net.
>     dnswl           IN NS   dnslists.thelounge.net.
>     dnswl-high      IN NS   dnslists.thelounge.net.
>     dnswl-low       IN NS   dnslists.thelounge.net.
>     dnswl-medium    IN NS   dnslists.thelounge.net.
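The thread above turned on whether the zone data or the server configuration was at fault. The following added check (written for this page, not code from any of the posters) parses the posted zone, qualifies the relative NS targets against the $ORIGIN in force, and reports any in-zone delegation target that lacks an A/AAAA glue record; the SOA is collapsed onto one line for brevity and the test input is otherwise the zone shown above.

```python
# Added example (not from the thread): sanity-check the in-zone delegations
# of a BIND zone file. ZONE_TEXT is the zone posted above, SOA on one line.
ZONE_TEXT = """\
$ORIGIN .
$TTL 38400
isilon.mep.es   IN SOA  dnspri.mep.es. mail.mep.es. ( 42 10800 3600 604800 38400 )
                NS      dnspri.mep.es.
                NS      dnssec.mep.es.
$ORIGIN isilon.mep.es.
buzones01       CNAME   scmol1
scgal1          NS      sipgal1
scmol1          NS      sipmol1
sipgal1         A       10.1.32.224
sipmol1         A       10.1.32.222
"""

def qualify(name, origin):
    """Make a relative owner/target absolute using the current $ORIGIN."""
    return name if name.endswith(".") else name + ("." if origin == "." else "." + origin)

def parse_zone(text):
    """Return (apex, records); records are (owner, type, rdata) with FQDN names."""
    origin, owner, records = ".", None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line.startswith("$"):                      # directives: only $ORIGIN matters here
            if line.startswith("$ORIGIN"):
                origin = line.split()[1]
            continue
        fields = line.split()
        if not line[0].isspace():                     # explicit owner on this line
            owner, fields = qualify(fields[0], origin), fields[1:]
        if fields[0] == "IN":
            fields = fields[1:]
        rtype, rdata = fields[0], " ".join(fields[1:])
        if rtype in ("NS", "CNAME"):                  # name-valued rdata is relative too
            rdata = qualify(rdata, origin)
        records.append((owner, rtype, rdata))
    apex = next(o for o, t, _ in records if t == "SOA")
    return apex, records

def check_delegations(text):
    """Delegations (non-apex NS) whose in-zone target has no A/AAAA glue.
    An empty result means the zone data is consistent, so a failure like the
    one above comes from elsewhere (here the global forwarders, per Mark)."""
    apex, records = parse_zone(text)
    glue = {o for o, t, _ in records if t in ("A", "AAAA")}
    return [f"{o} NS {t}: no glue A/AAAA record in zone" for o, r, t in records
            if r == "NS" and o != apex and t.endswith("." + apex) and t not in glue]
```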
Cannot get allow-query-on to work
I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:

    allow-query-on { 127.0.0.1; };

to the default /etc/bind/named.conf.options file. That should make it only answer queries sent to 127.0.0.1, and not answer queries sent to the server's normal IP. But it seems to have no effect. I have tried putting the computer's real IP in there instead - same results - both IPs answer queries.

I have tried the similar allow-recursion-on option and that works as documented.

Any clue how to get allow-query-on to work? Searching the mail archives and Google did not find anything - but it is hard to filter on just allow-query-on as a complete string. Has anyone even used that option?

--
Bob Harold
DNS hostmaster
University of Michigan
Re: Cannot get allow-query-on to work
On 02.07.2014 17:08, Bob Harold wrote:
> I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
>
>     allow-query-on { 127.0.0.1; };
>
> to the default /etc/bind/named.conf.options file. That should make it only answer queries sent to 127.0.0.1, and not answer queries sent to the server's normal IP. But it seems to have no effect.

Why listen on an interface you don't want to answer from, and so accept packets at all?

    listen-on { any; };
    listen-on { 127.0.0.1; };
    listen-on { 127.0.0.1; 192.168.196.2; };
Re: Cannot get allow-query-on to work
The server I really need this for is a little more complex. I was just trying for a simple test case. Here are more details on my plans to actually use allow-query-on.

Two DNS servers, one only for the data centers, and another for the users, but also as backup for the data center.

DNS resolver for data center has these relevant settings in named.conf (has data center DNS resolver IP):

    acl DATACENTER { ... data center subnets ... };
    options {
        allow-query { any; };
        allow-recursion { any; };
        recursion yes;
    };
    view datacenter {
        match-clients { DATACENTER; };
        ... my zones ...
    };

DNS resolver for users, but also backup resolver for the data center (there are actually two of these; has both user DNS resolver IP and data center DNS resolver IP):

    options {
        allow-query { any; };
        allow-recursion { any; };
        recursion yes;
    };
    view datacenter {
        match-clients { DATACENTER; };
        allow-query-on { data center resolver ip; };
        ... my zones ...
    };
    view users {
        match-clients { any; };
        allow-query-on { user resolver ip; };
        ... my zones ...
    };

I don't want users trying to use the data center resolver IP. Without the allow-query-on, it would work for them if the anycast path reached the user resolver, but not if it reached the data center resolver. That confuses users.

(Actually, both data center and users have two anycast resolver IPs each, so double the above sets of servers.)

The authoritative servers are a separate set of servers, not using anycast, not involved in this.

--
Bob Harold
DNS Hostmaster
University of Michigan

On Wed, Jul 2, 2014 at 11:12 AM, Reindl Harald h.rei...@thelounge.net wrote:
> On 02.07.2014 17:08, Bob Harold wrote:
>> I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
>>
>>     allow-query-on { 127.0.0.1; };
>>
>> to the default /etc/bind/named.conf.options file. That should make it only answer queries sent to 127.0.0.1, and not answer queries sent to the server's normal IP. But it seems to have no effect.
>
> Why listen on an interface you don't want to answer from, and so accept packets at all?
>
>     listen-on { any; };
>     listen-on { 127.0.0.1; };
>     listen-on { 127.0.0.1; 192.168.196.2; };
Re: Cannot get allow-query-on to work
Personally I would not mix that; I would have separate virtual servers and control the reachability via iptables. The servers can act as slave/master where needed, so that the datacenter nameserver has all zones and differs where it makes sense. We do something similar with internal / public nameservers: 4 DNS servers, 2 of them only reachable from specific IPs. Some years ago I would have mixed that too, but now VMware/Xen/KVM/LXC have become mature.

On 02.07.2014 18:18, Bob Harold wrote:
> The server I really need this for is a little more complex. I was just trying for a simple test case. Here are more details on my plans to actually use allow-query-on.
>
> Two DNS servers, one only for the data centers, and another for the users, but also as backup for the data center.
>
> DNS resolver for data center has these relevant settings in named.conf (has data center DNS resolver IP):
>
>     acl DATACENTER { ... data center subnets ... };
>     options {
>         allow-query { any; };
>         allow-recursion { any; };
>         recursion yes;
>     };
>     view datacenter {
>         match-clients { DATACENTER; };
>         ... my zones ...
>     };
>
> DNS resolver for users, but also backup resolver for the data center (there are actually two of these; has both user DNS resolver IP and data center DNS resolver IP):
>
>     options {
>         allow-query { any; };
>         allow-recursion { any; };
>         recursion yes;
>     };
>     view datacenter {
>         match-clients { DATACENTER; };
>         allow-query-on { data center resolver ip; };
>         ... my zones ...
>     };
>     view users {
>         match-clients { any; };
>         allow-query-on { user resolver ip; };
>         ... my zones ...
>     };
>
> I don't want users trying to use the data center resolver IP. Without the allow-query-on, it would work for them if the anycast path reached the user resolver, but not if it reached the data center resolver. That confuses users.
>
> (Actually, both data center and users have two anycast resolver IPs each, so double the above sets of servers.)
>
> The authoritative servers are a separate set of servers, not using anycast, not involved in this.
>
> On Wed, Jul 2, 2014 at 11:12 AM, Reindl Harald h.rei...@thelounge.net wrote:
>> On 02.07.2014 17:08, Bob Harold wrote:
>>> I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
>>>
>>>     allow-query-on { 127.0.0.1; };
>>>
>>> to the default /etc/bind/named.conf.options file. That should make it only answer queries sent to 127.0.0.1, and not answer queries sent to the server's normal IP. But it seems to have no effect.
>>
>> Why listen on an interface you don't want to answer from, and so accept packets at all?
>>
>>     listen-on { any; };
>>     listen-on { 127.0.0.1; };
>>     listen-on { 127.0.0.1; 192.168.196.2; };
re: Cannot get allow-query-on to work.
Did you specify 127.0.0.1 in the listen-on options statement?

> I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
>
>     allow-query-on { 127.0.0.1; };
>
> to the default /etc/bind/named.conf.options file. That should make it only answer queries sent to 127.0.0.1, and not answer queries sent to the server's normal IP. But it seems to have no effect. I have tried putting the computer's real IP in there instead - same results - both IPs answer queries.
>
> I have tried the similar allow-recursion-on option and that works as documented.
>
> Any clue how to get allow-query-on to work? Searching the mail archives and Google did not find anything - but it is hard to filter on just allow-query-on as a complete string. Has anyone even used that option?
>
> --
> Bob Harold
> DNS hostmaster
> University of Michigan

Regards,

Bob
Re: Cannot get allow-query-on to work.
listen-on defaults to all the computer's IPv4 addresses, including the loopback, so I did not put an explicit listen-on statement. It answers queries to both the loopback and other addresses.

--
Bob Harold
DNS hostmaster
University of Michigan

On Wed, Jul 2, 2014 at 1:06 PM, Bob McDonald bmcdonal...@gmail.com wrote:
> Did you specify 127.0.0.1 in the listen-on options statement?
>
>> I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
>>
>>     allow-query-on { 127.0.0.1; };
>>
>> to the default /etc/bind/named.conf.options file. That should make it only answer queries sent to 127.0.0.1, and not answer queries sent to the server's normal IP. But it seems to have no effect. I have tried putting the computer's real IP in there instead - same results - both IPs answer queries.
>>
>> I have tried the similar allow-recursion-on option and that works as documented.
>>
>> Any clue how to get allow-query-on to work? Searching the mail archives and Google did not find anything - but it is hard to filter on just allow-query-on as a complete string. Has anyone even used that option?
>>
>> --
>> Bob Harold
>> DNS hostmaster
>> University of Michigan
>
> Regards,
>
> Bob
problem resolving ardownload.adobe.com
version: 9.10.0-P2

    dig ardownload.adobe.com. @localhost

    ;; ANSWER SECTION:
    ardownload.adobe.com.   8743    IN      CNAME   ardownload.wip4.adobe.com.

    dig ardownload.adobe.com. @8.8.8.8

    ;; ANSWER SECTION:
    ardownload.adobe.com.   4141    IN      CNAME   ardownload.wip4.adobe.com.
    ardownload.wip4.adobe.com.  196 IN      CNAME   ardownload.adobe.com.edgesuite.net.
    ardownload.adobe.com.edgesuite.net. 3903 IN CNAME a1953.d.akamai.net.
    a1953.d.akamai.net.     19      IN      A       184.28.188.201
    a1953.d.akamai.net.     19      IN      A       184.28.188.184

I can manually get the second CNAME via dig directly to the name servers for wip4.adobe.com:

    dig ardownload.wip4.adobe.com. a @192.150.16.247 +norecur

    ;; ANSWER SECTION:
    ardownload.wip4.adobe.com.  300 IN      CNAME   ardownload.adobe.com.edgesuite.net.

And I can manually get the third CNAME via dig:

    dig ardownload.adobe.com.edgesuite.net. @localhost

    ;; ANSWER SECTION:
    ardownload.adobe.com.edgesuite.net. 19916 IN CNAME a1953.d.akamai.net.
    a1953.d.akamai.net.     20      IN      A       184.28.188.201
    a1953.d.akamai.net.     20      IN      A       184.28.188.184

I don't see any errors in the log files.
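The two answer sections above differ in whether the CNAME chain is carried through to the A records. This added example (written for this page, not code from the poster) chases the chain inside a single answer section and labels it complete, dangling or looping; the embedded answers are the ones shown in the post.

```python
# Added example (not from the post): follow a CNAME chain within one answer
# section and report whether it reaches the requested record type.
LOCAL_ANSWER = """\
ardownload.adobe.com.   8743    IN      CNAME   ardownload.wip4.adobe.com.
"""
PUBLIC_ANSWER = """\
ardownload.adobe.com.   4141    IN      CNAME   ardownload.wip4.adobe.com.
ardownload.wip4.adobe.com.  196 IN      CNAME   ardownload.adobe.com.edgesuite.net.
ardownload.adobe.com.edgesuite.net. 3903 IN CNAME a1953.d.akamai.net.
a1953.d.akamai.net.     19      IN      A       184.28.188.201
a1953.d.akamai.net.     19      IN      A       184.28.188.184
"""

def parse_answer(text):
    """Parse dig-style 'name ttl class type rdata' lines into (name, ttl, type, rdata)."""
    rrs = []
    for line in text.strip().splitlines():
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        rrs.append((name.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return rrs

def follow_chain(rrs, qname, qtype="A", max_hops=8):
    """Chase CNAMEs from qname using only the records in rrs.
    Returns (names_visited, final_rdata, status). status is 'complete' when the
    chain ends in qtype records, 'dangling' when it stops at a name that has no
    record in the answer (the @localhost case above), 'loop' or 'too_long'."""
    name, chain = qname.lower(), [qname.lower()]
    for _ in range(max_hops):
        wanted = [rd for n, _, t, rd in rrs if n == name and t == qtype]
        if wanted:
            return chain, wanted, "complete"
        cnames = [rd.lower() for n, _, t, rd in rrs if n == name and t == "CNAME"]
        if not cnames:
            return chain, [], "dangling"
        name = cnames[0]
        if name in chain:
            return chain, [], "loop"
        chain.append(name)
    return chain, [], "too_long"
```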
Re: Cannot get allow-query-on to work
> I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added:
>
>     allow-query-on { 127.0.0.1; };

Please upgrade your BIND. There was a bug in allow-query-on that has been fixed since 9.8.6rc2.

Please note that currently allow-query-on is only used for zone configurations. Use allow-cache-on if restricting access to the cache (or allow-recursion-on, as you also used).
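The reply above gives two things to check before relying on allow-query-on: the running version against the 9.8.6rc2 fix, and whether the option is being used alone where cached answers need allow-cache-on or allow-recursion-on instead. This added example (written for this page, not ISC's code) does both over a named.conf fragment; the BIND version-string grammar it accepts (x.y.z with an optional a/b/rc pre-release tag and optional -Pn patch suffix) is an assumption about the release naming, and the config text in the test is constructed.

```python
# Added example (not from the thread): audit a named.conf fragment for the
# allow-query-on pitfalls named in the reply above.
import re

FIXED_IN = "9.8.6rc2"  # release the reply names as carrying the allow-query-on fix
PRE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}   # pre-releases sort before the release

def parse_bind_version(v):
    """'9.8.1-P1' -> (9, 8, 1, 3, 1); '9.8.6rc2' -> (9, 8, 6, 2, 2); '9.8.6' -> (9, 8, 6, 3, 0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?(?:-P(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised BIND version: {v!r}")
    major, minor, patch, pre, pre_n, p_n = m.groups()
    last = int(pre_n) if pre else int(p_n or 0)      # rc number, or -P patch level
    return (int(major), int(minor), int(patch), PRE_RANK[pre], last)

def has_allow_query_on_fix(version):
    return parse_bind_version(version) >= parse_bind_version(FIXED_IN)

# One level of brace nesting is enough for options/view blocks holding { ...; } lists.
BLOCK = re.compile(r"\b(options|zone\s+\S+|view\s+\S+)\s*\{((?:[^{}]|\{[^{}]*\})*)\}", re.S)

def audit(named_conf, version):
    """Findings for each block that uses allow-query-on: the running version
    predates the fix, and/or the block relies on allow-query-on alone although
    (per the reply) it only governs answers served from zone data."""
    findings = []
    for kind, body in BLOCK.findall(named_conf):
        if "allow-query-on" not in body:
            continue
        if not has_allow_query_on_fix(version):
            findings.append(f"{kind}: BIND {version} predates the {FIXED_IN} allow-query-on fix")
        if not re.search(r"allow-(cache|recursion)-on", body):
            findings.append(f"{kind}: allow-query-on only limits zone-data answers; "
                            "cached answers need allow-cache-on or allow-recursion-on")
    return findings
```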