Re: DNS forwarding
On 5/22/2017 10:48 AM, bind-users-requ...@lists.isc.org wrote:

> On 05/22/2017 07:16 AM, Barry S. Finkel wrote:
>> Maybe I am misinterpreting the problem. When I was managing a mixed AD-BIND DNS scenario, ALL of the computers used the BIND servers for their DNS resolution; none used the AD servers. But I had all of the AD zones slaved on my BIND servers, so there was no need for any machine to use the AD servers for DNS resolution. The AD servers had only the AD zones, so if any machine queried the AD server for a non-AD zone, the request would have been forwarded to the BIND servers anyway.
>
> On Mon, 22 May 2017 08:46:59 -0600 Grant Taylor replied:
>
> Could your AD clients still reach the AD DNS servers? (It sounds like they could.)
>
> It's been my experience that AD clients still want to reach the master name server (in the SOA record) to do Dynamic DNS updates.
>
> (I've also successfully forced those through a BIND secondary configured to forward the dynamic updates to the AD master.)
>
> --
> Grant. . . .
> unix || die

The only dynamic updates were to the AD "_" zones. Windows desktops and servers had static IP addresses, so they did not use DHCP. One forward zone and five /24 reverse zones were completely dynamic, and those zones were mastered on a Windows DNS Server and slaved on my BIND servers. As I have written before, there were lots of serial number updates in these zones (forward, reverse, and "_") where the zone contents did not change. This caused a lot of unnecessary zone transfers between the Windows DNS masters and my BIND slaves.

--Barry Finkel

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: DNS forwarding
On 05/22/2017 01:36 PM, Elias Pereira wrote:
> I was provisioning the AD in the wrong way. As we have our main DNS and it is authoritative for our domain "example.com", I needed to create a subdomain "samdom.example.com" so that AD DNS would be authoritative only for "samdom".

You don't have to have AD be a sub-domain. You can delegate the _msdcs.example.com sub-domain instead of samdom.example.com. This will make AD appear as if it is example.com.

Note: The merits / pros / cons of this are subject to debate. I'm just advocating that you define what you want your infrastructure to be, not the other way around.

> Now everything is working properly.

I'm glad that you got it working.

> Thank you all!!!

*nod*

--
Grant. . . .
unix || die
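The two delegation layouts Grant describes, written out in the parent zone's file as an added example (this is not configuration posted in the thread; `ns1.example.com`, `dc1`, the serial and every 10.20.x address are assumptions). The two layouts are alternatives, not meant to be used together:

```zone
; Added example, not from the thread. Host names, addresses and serial are made up.
$ORIGIN example.com.
$TTL 3600
@        IN SOA ns1.example.com. hostmaster.example.com. (
             2017052201 3600 900 1209600 300 )
@        IN NS  ns1.example.com.
ns1      IN A   10.20.0.53

; Layout 1: AD lives in its own sub-domain. The DC is authoritative only for
; samdom.example.com; www, moodle, etc. stay on the BIND servers untouched.
; The glue A record is required because the NS name is inside the delegated zone.
samdom        IN NS dc1.samdom.example.com.
dc1.samdom    IN A  10.20.1.10

; Layout 2: the AD domain name is example.com itself. BIND keeps example.com and
; delegates only the _msdcs locator zone to the DC, so the forest appears to
; Windows clients as "example.com". With this layout the DC's own A record and
; the _ldap._tcp / _kerberos._tcp SRV records for example.com must also be
; present in THIS zone (via an update policy that allows the DC to register
; them, or added by hand), because they live outside _msdcs.
_msdcs        IN NS dc1.example.com.
dc1           IN A  10.20.1.10
```

Whichever layout you choose, `dig +norecurse samdom.example.com NS @ns1.example.com` (or `_msdcs.example.com NS`) against the parent should return a referral carrying exactly these NS and glue records; if it comes back NXDOMAIN the delegation is missing and no amount of forwarding on the DC will fix it.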
Re: DNS forwarding
Hello guys, thanks for all the answers!!!

I was provisioning the AD in the wrong way. As we have our main DNS and it is authoritative for our domain "example.com", I needed to create a subdomain "samdom.example.com" so that AD DNS would be authoritative only for "samdom".

Now everything is working properly.

Thank you all!!!

On Mon, May 22, 2017 at 11:46 AM, Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 05/22/2017 07:16 AM, Barry S. Finkel wrote:
>> Maybe I am misinterpreting the problem. When I was managing a mixed AD-BIND DNS scenario, ALL of the computers used the BIND servers for their DNS resolution; none used the AD servers. But I had all of the AD zones slaved on my BIND servers, so there was no need for any machine to use the AD servers for DNS resolution. The AD servers had only the AD zones, so if any machine queried the AD server for a non-AD zone, the request would have been forwarded to the BIND servers anyway.
>
> Could your AD clients still reach the AD DNS servers? (It sounds like they could.)
>
> It's been my experience that AD clients still want to reach the master name server (in the SOA record) to do Dynamic DNS updates.
>
> (I've also successfully forced those through a BIND secondary configured to forward the dynamic updates to the AD master.)
>
> --
> Grant. . . .
> unix || die

--
Elias Pereira
Re: DNS forwarding
On 05/22/2017 07:16 AM, Barry S. Finkel wrote:
> Maybe I am misinterpreting the problem. When I was managing a mixed AD-BIND DNS scenario, ALL of the computers used the BIND servers for their DNS resolution; none used the AD servers. But I had all of the AD zones slaved on my BIND servers, so there was no need for any machine to use the AD servers for DNS resolution. The AD servers had only the AD zones, so if any machine queried the AD server for a non-AD zone, the request would have been forwarded to the BIND servers anyway.

Could your AD clients still reach the AD DNS servers? (It sounds like they could.)

It's been my experience that AD clients still want to reach the master name server (in the SOA record) to do Dynamic DNS updates.

(I've also successfully forced those through a BIND secondary configured to forward the dynamic updates to the AD master.)

--
Grant. . . .
unix || die
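The "BIND secondary configured to forward the dynamic updates" that Grant mentions is BIND's `allow-update-forwarding` zone option. The stanza below is an added illustration, not configuration from this thread; the zone name, the ACL names and the 10.20.x addresses are assumptions.

```conf
// Added example, not from the thread. Names and addresses are made up.
acl "ad-clients" { 10.20.0.0/16; };
acl "ad-dcs"     { 10.20.1.10; 10.20.1.11; };

zone "samdom.example.com" {
    type slave;                              // "type secondary" in BIND 9.16+; both are accepted
    masters { 10.20.1.10; 10.20.1.11; };     // "primaries" in newer BIND
    file "slaves/samdom.example.com.db";

    // A DNS UPDATE arriving here from an allowed client is relayed to the
    // zone's primary (the AD DC) instead of being answered with REFUSED.
    // The secondary does NOT check whether the update is authorised; only the
    // primary's update policy does. Keep this ACL as narrow as possible,
    // because it widens who can reach the DC's update port through BIND.
    allow-update-forwarding { "ad-clients"; };

    // Zone transfers stay restricted to the other authoritative servers.
    allow-transfer { "ad-dcs"; };
};
```

Whether a forwarded update is accepted is still decided by the DC: an AD zone set to "secure only" updates will still demand a GSS-TSIG-signed request, so this option only removes the need for clients to reach the SOA MNAME directly, it does not relax AD's own policy.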
Re: DNS forwarding
On Wed, 17 May 2017 17:44:12, Elias Pereira wrote:
> Hello,
>
> Our scenario today consists of one:
>
> - DNS Server (Authoritative to our subdomains. Ex: www.mydomain.com*, moodle.mydomain.com, etc)
> - samba3 PDC server
> - Openldap server (user base for samba)
>
> All our IPs are public.
>
> This scenario above works like a charm!! :D
>
> Now, I'm implementing a new samba4 AD server.
>
> In order for me to be able to put users in the AD domain, I need to configure the samba4 AD IP as primary DNS on the computers. In the bind installed on samba4 AD I configured the "forwarder" variable with the IP of our DNS server.
>
> The problem is that from this computer, if I need to access an internal subdomain, for example our webserver*, I cannot access it. It gives a resolution error. For any other site, for example google.com, I can access it.
>
> I'm not finding the problem. Any idea?
>
> --
> Elias Pereira

Maybe I am misinterpreting the problem. When I was managing a mixed AD-BIND DNS scenario, ALL of the computers used the BIND servers for their DNS resolution; none used the AD servers. But I had all of the AD zones slaved on my BIND servers, so there was no need for any machine to use the AD servers for DNS resolution. The AD servers had only the AD zones, so if any machine queried the AD server for a non-AD zone, the request would have been forwarded to the BIND servers anyway.

--Barry Finkel
Re: DNS forwarding
Elias Pereira wrote:
> Hello,
>
> Our scenario today consists of one:
>
> - DNS Server (Authoritative to our subdomains. Ex: www.mydomain.com*, moodle.mydomain.com, etc)
> - samba3 PDC server
> - Openldap server (user base for samba)
>
> All our IPs are public.
>
> This scenario above works like a charm!! :D
>
> Now, I'm implementing a new samba4 AD server.
>
> In order for me to be able to put users in the AD domain, I need to configure the samba4 AD IP as primary DNS on the computers. In the bind installed on samba4 AD I configured the "forwarder" variable with the IP of our DNS server.
>
> The problem is that from this computer, if I need to access an internal subdomain, for example our webserver*, I cannot access it. It gives a resolution error. For any other site, for example google.com, I can access it.
>
> I'm not finding the problem. Any idea?

Is this server configured to be authoritative for your domain? Does it have delegation records for the subdomains? It won't follow forwarders if the query is in a zone it's configured to be authoritative for.

--
Barry Margolin
Arlington, MA
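Barry's point in named.conf terms, as an added example for the Samba4 AD box (not configuration posted in the thread; `example.com`, `samdom.example.com`, the `campus` ACL and the 10.20.x addresses are assumptions). The broken stanza is left commented out so that the file as shown is valid:

```conf
// Added example, not from the thread. Names, addresses and ACLs are made up.
acl "campus" { 10.20.0.0/16; 127.0.0.1; ::1; };

options {
    directory "/var/named";

    // Recursion is required for forwarding to happen at all, and on a server
    // with a public address it must be limited to your own clients.
    recursion yes;
    allow-recursion { "campus"; };
    allow-query     { "campus"; };

    // Anything outside this server's own zones goes to the main BIND server.
    // The forwarder receives the query with RD=1, so it must itself be a
    // recursive resolver: an authoritative-only server will answer its own
    // zones and REFUSE the rest (google.com would then fail, not work).
    forwarders { 10.20.0.53; };
    forward only;   // on forwarder failure return SERVFAIL rather than iterating from the roots
};

// BROKEN LAYOUT (what Elias described first). If this server is authoritative
// for example.com and its copy of the zone holds only AD records, then a query
// for www.example.com is answered from that local zone as NXDOMAIN. Forwarders
// are never consulted for a name that falls inside a local authoritative zone,
// so google.com works and www.example.com does not.
//
// zone "example.com" { type master; file "example.com.db"; };

// WORKING LAYOUT: be authoritative only for the AD sub-domain (the parent must
// delegate it). www.example.com now matches no local zone, so it is forwarded.
// If Samba's BIND9_DLZ backend is in use, this stanza is replaced by the dlz
// include file Samba generates; the zone boundary is what matters, not the type.
zone "samdom.example.com" {
    type master;
    file "samdom.example.com.db";
};

// Alternative for a site that wants the AD box to recurse on its own and send
// only the company zone to the main BIND server: a forward zone instead of the
// global forwarders above. Same rule applies in reverse: a "type forward" zone
// is itself a local zone, so it shadows nothing below it that lives elsewhere.
//
// zone "example.com" { type forward; forward only; forwarders { 10.20.0.53; }; };
```

Check it with `named-checkconf` and then `dig +norecurse www.example.com @<AD box>`: with the broken layout the reply is an authoritative NXDOMAIN (AA set), with the working layout the same query, sent with recursion, returns the A record from the forwarder (RA set, AA clear).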
RE: DNS forwarding
As others have commented, more information about your config and your setup need to be provided before proper troubleshooting can occur.

I would add, you should be more specific than just "resolution error". Is it a timeout? An NXDOMAIN? A SERVFAIL? A so-called "NODATA" response or a referral (i.e. NOERROR, but 0 answers)? You might need to use a tool like "dig" to see for sure what the response is (nslookup often triggers domain-suffixing behavior, which obfuscates the actual error, so I would stay away from nslookup as a DNS troubleshooting tool). Another important piece of information about the response is the status of the flags, e.g. whether the RA (Recursion Available) and/or AA (Authoritative Answer) flags are set.

What I would say, generally, is that if you want your new setup to look as close as possible to your old setup, then your new server should be authoritative for the same zones as your old server is/was. Thus, I would lean in the direction of making the new server slave for those zones. That will give you a better "apples-to-apples" comparison than trying to mix-and-match authoritative and forwarding behavior, which can greatly complicate things.

- Kevin

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Elias Pereira
Sent: Wednesday, May 17, 2017 4:44 PM
To: bind-users@lists.isc.org
Subject: DNS forwarding

Hello,

Our scenario today consists of one:

- DNS Server (Authoritative to our subdomains. Ex: www.mydomain.com*, moodle.mydomain.com, etc)
- samba3 PDC server
- Openldap server (user base for samba)

All our IPs are public.

This scenario above works like a charm!! :D

Now, I'm implementing a new samba4 AD server.

In order for me to be able to put users in the AD domain, I need to configure the samba4 AD IP as primary DNS on the computers. In the bind installed on samba4 AD I configured the "forwarder" variable with the IP of our DNS server.

The problem is that from this computer, if I need to access an internal subdomain, for example our webserver*, I cannot access it. It gives a resolution error. For any other site, for example google.com, I can access it.

I'm not finding the problem. Any idea?

--
Elias Pereira
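Kevin's checklist (rcode, answer count, AUTHORITY contents, AA and RA flags) turned into a small filter for dig output, as an added example that is not part of the thread. Pipe `dig` into `classify_dig`; the sample responses embedded below are constructed by hand to show each failure mode (`example.com`, `samdom.example.com`, `dc1` and the 10.20.x addresses are made up), they were not captured from a real server.

```sh
#!/bin/sh
# Added example, not code from the thread. Reads one dig(1) output on stdin and
# reports the rcode, whether there were answers, whether AUTHORITY carries an SOA
# (NODATA/NXDOMAIN) or NS records (referral), and the AA / RA flags.
#
# Usage: dig +norecurse www.example.com @10.20.1.10 | classify_dig

classify_dig() {
    awk '
        /->>HEADER<<-/ {
            s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); status = s
        }
        /^;; flags:/ {
            f = $0; sub(/^;; flags: /, "", f); sub(/;.*/, "", f); flags = " " f " "
            if (match($0, /ANSWER: [0-9]+/)) answers = substr($0, RSTART + 8, RLENGTH - 8) + 0
        }
        /^;; AUTHORITY SECTION:/ { in_auth = 1; next }
        /^$/                     { in_auth = 0 }
        in_auth && $4 == "SOA"   { auth_soa = 1 }
        in_auth && $4 == "NS"    { auth_ns = 1 }
        END {
            if (status == "") { print "NO RESPONSE (timeout, or input is not dig output)"; exit }
            aa = (flags ~ / aa /) ? "AA" : "no-AA"
            ra = (flags ~ / ra /) ? "RA" : "no-RA"
            if      (status == "NXDOMAIN") v = "NXDOMAIN (name does not exist in the answering zone)"
            else if (status == "SERVFAIL") v = "SERVFAIL (lookup could not be completed; check forwarder/upstream and DNSSEC)"
            else if (status == "REFUSED")  v = "REFUSED (policy: allow-query/allow-recursion, or recursion off)"
            else if (status == "NOERROR" && answers > 0) v = "ANSWER (" answers " record(s))"
            else if (status == "NOERROR" && auth_soa)    v = "NODATA (name exists, no record of this type)"
            else if (status == "NOERROR" && auth_ns)     v = "REFERRAL (no answer; AUTHORITY NS points elsewhere)"
            else if (status == "NOERROR")                v = "EMPTY NOERROR (no answer and no authority data)"
            else                                         v = status
            print v " [" aa ", " ra "]"
        }
    '
}

# Constructed samples (not real captures), one per case worth telling apart.
# This is what an AD server that is wrongly authoritative for example.com says
# about www.example.com: an authoritative NXDOMAIN, never forwarded.
sample_nxdomain() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 101
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
example.com.            300     IN      SOA     dc1.example.com. hostmaster.example.com. 7 900 600 86400 300
EOF
}
sample_nodata() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 102
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
example.com.            300     IN      SOA     dc1.example.com. hostmaster.example.com. 7 900 600 86400 300
EOF
}
sample_referral() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 103
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
samdom.example.com.     3600    IN      NS      dc1.samdom.example.com.

;; ADDITIONAL SECTION:
dc1.samdom.example.com. 3600    IN      A       10.20.1.10
EOF
}
# A recursion-less or ACL-restricted server asked for an outside name.
sample_refused() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 104
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
}
sample_answer() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 105
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.example.com.        300     IN      A       10.20.0.80
EOF
}

# Demonstration on the constructed samples; runs fully offline.
for s in sample_nxdomain sample_nodata sample_referral sample_refused sample_answer; do
    printf '%-16s -> %s\n' "$s" "$($s | classify_dig)"
done
```

Run it against the real servers with `+norecurse` first (what an iterating resolver would see) and then without it (what a stub client sees); an authoritative NXDOMAIN with AA set from the new server for a name that the old server answers is the shadowing case, while REFUSED with RA clear points at recursion being off or an ACL.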
Re: DNS forwarding
If you have as forwarder the DNS master for such zones (meaning that DNS knows how to resolve):

- check ACL inside conf
- check authoritative (master DNS) logs and, if not implemented, put some log channels inside conf to check

From: bind-users on behalf of Elias Pereira
Sent: Wednesday, May 17, 2017 10:44 PM
To: bind-users@lists.isc.org
Subject: DNS forwarding

Hello,

Our scenario today consists of one:

- DNS Server (Authoritative to our subdomains. Ex: www.mydomain.com*, moodle.mydomain.com, etc)
- samba3 PDC server
- Openldap server (user base for samba)

All our IPs are public.

This scenario above works like a charm!! :D

Now, I'm implementing a new samba4 AD server.

In order for me to be able to put users in the AD domain, I need to configure the samba4 AD IP as primary DNS on the computers. In the bind installed on samba4 AD I configured the "forwarder" variable with the IP of our DNS server.

The problem is that from this computer, if I need to access an internal subdomain, for example our webserver*, I cannot access it. It gives a resolution error. For any other site, for example google.com, I can access it.

I'm not finding the problem. Any idea?

--
Elias Pereira
Re: DNS forwarding
Hi Elias,

Perhaps you could post your BIND configs for the existing server and for the new Samba4 server? Forwarders may not be exactly what you want here: they're generally meant for recursive, rather than authoritative, traffic.

IP addresses would be helpful as well; it's always annoying when people try to obfuscate these.

John

On Wed, May 17, 2017 at 4:44 PM, Elias Pereira wrote:
> Hello,
>
> Our scenario today consists of one:
>
> - DNS Server (Authoritative to our subdomains. Ex: www.mydomain.com*, moodle.mydomain.com, etc)
> - samba3 PDC server
> - Openldap server (user base for samba)
>
> All our IPs are public.
>
> This scenario above works like a charm!! :D
>
> Now, I'm implementing a new samba4 AD server.
>
> In order for me to be able to put users in the AD domain, I need to configure the samba4 AD IP as primary DNS on the computers. In the bind installed on samba4 AD I configured the "forwarder" variable with the IP of our DNS server.
>
> The problem is that from this computer, if I need to access an internal subdomain, for example our webserver*, I cannot access it. It gives a resolution error. For any other site, for example google.com, I can access it.
>
> I'm not finding the problem. Any idea?
>
> --
> Elias Pereira
DNS forwarding
Hello,

Our scenario today consists of one:

- DNS Server (Authoritative to our subdomains. Ex: www.mydomain.com*, moodle.mydomain.com, etc)
- samba3 PDC server
- Openldap server (user base for samba)

All our IPs are public.

This scenario above works like a charm!! :D

Now, I'm implementing a new samba4 AD server.

In order for me to be able to put users in the AD domain, I need to configure the samba4 AD IP as primary DNS on the computers. In the bind installed on samba4 AD I configured the "forwarder" variable with the IP of our DNS server.

The problem is that from this computer, if I need to access an internal subdomain, for example our webserver*, I cannot access it. It gives a resolution error. For any other site, for example google.com, I can access it.

I'm not finding the problem. Any idea?

--
Elias Pereira
Re: DNS Forwarding and RD flag set to 0
"j...@voila.fr" wrote:
> In BIND configuration, is it possible to set the RD flag to 1, because my DNS Relay receives DNS Requests with RD flag to 0 and the forwarding doesn't work when this flag is set to 0.
> The configuration is this one: Public DNS with delegation of the zone toto to DNS A; public DNS sent requests concerning the toto domain to a DNS Relay B which forwards to DNS A. We don't want to make a direct connection between public DNS and DNS A.

Recursive queries are only sent in two cases:

1. When a stub resolver is querying the caching servers it's configured to use.
2. When a DNS server is following "forwarders" directives.

When a caching server is following NS records, the records are supposed to point to authoritative servers, and recursion is never requested.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
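Barry's two cases in configuration terms, as an added example that is not part of the original thread (`toto.example`, the `toto-xfr` key name and the 192.0.2.x addresses are assumptions). A relay that the public delegation points at receives RD=0 queries, and a forward zone can only serve RD=1 queries, so the relay needs its own copy of the zone to answer them while still never exposing DNS A:

```conf
// Added example, not from the thread. Zone name, key name and addresses are made up.
// Relay B (192.0.2.2) is what the public NS records for toto.example point at;
// DNS A (192.0.2.1) is the hidden primary that must not be reached directly.

// WHAT DOES NOT WORK for the delegated traffic: a forward zone. named only
// forwards when it is asked to recurse (RD=1). Public resolvers following the
// NS delegation query B with RD=0, so B must answer from its own data, has
// none, and returns REFUSED or an empty reply; the forwarder is never used.
//
// zone "toto.example" {
//     type forward;
//     forward only;
//     forwarders { 192.0.2.1; };
// };

// WHAT WORKS: make B a secondary. B answers RD=0 queries authoritatively from
// its copy, and the only connection is a zone transfer that B initiates to A;
// A still never talks to the public resolvers.
zone "toto.example" {
    type slave;                              // "type secondary" in BIND 9.16+
    masters { 192.0.2.1 key "toto-xfr"; };   // "primaries" in newer BIND
    file "slaves/toto.example.db";
    allow-transfer { none; };                // B is the public face; nobody transfers from it
};

key "toto-xfr" {
    algorithm hmac-sha256;
    secret "<base64 secret shared with A>";  // placeholder, generate with tsig-keygen
};

// On A, the matching side: transfers only to B and only when TSIG-signed, so a
// host spoofing B's address cannot pull the zone, plus NOTIFY so B refreshes
// promptly.
//
// key "toto-xfr" { algorithm hmac-sha256; secret "<same secret>"; };
// zone "toto.example" {
//     type master;
//     file "toto.example.db";
//     allow-transfer { key "toto-xfr"; };
//     also-notify { 192.0.2.2; };
// };
```

To confirm the distinction from the outside, `dig +norecurse www.toto.example @192.0.2.2` should now return an answer with AA set; with the forward-zone configuration the same query comes back empty, while only `dig +recurse` (the default) would have been forwarded.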
DNS Forwarding and RD flag set to 0
Hello,

In BIND configuration, is it possible to set the RD flag to 1, because my DNS Relay receives DNS Requests with RD flag to 0 and the forwarding doesn't work when this flag is set to 0.

The configuration is this one: Public DNS with delegation of the zone toto to DNS A; public DNS sent requests concerning the toto domain to a DNS Relay B which forwards to DNS A. We don't want to make a direct connection between public DNS and DNS A.

Thanks for your help

JM
RE: DNS forwarding not working properly?
Aha! Thanks, checking the config showed that I had messed up my syntax at the recursion statement. I corrected that and was able to start bind, and now I can run nslookup on my XP clients to resolve other domains!

Thanks to all for your help!!

Kenny

-----Original Message-----
From: Jeremy C. Reed [mailto:jeremy_r...@isc.org]
Sent: Thursday, March 26, 2009 12:44 PM
To: ARMSTRONG, KENNETH
Cc: bind-users@lists.isc.org
Subject: RE: DNS forwarding not working properly?

On Thu, 26 Mar 2009, ARMSTRONG, KENNETH wrote:
> Thanks, I gave that a go and now when I run a query I get "No response from server" when running nslookup. I tried restarting bind and now I get the "rndc: connect failed: 127.0.0.1#953: connection refused" error. I then tried running rndc-confgen, and added the following to rndc.conf:

Is your named even running? Check your logs. Run named-checkconf.
RE: DNS forwarding not working properly?
On Thu, 26 Mar 2009, ARMSTRONG, KENNETH wrote:
> Thanks, I gave that a go and now when I run a query I get "No response from server" when running nslookup. I tried restarting bind and now I get the "rndc: connect failed: 127.0.0.1#953: connection refused" error. I then tried running rndc-confgen, and added the following to rndc.conf:

Is your named even running? Check your logs. Run named-checkconf.
RE: DNS forwarding not working properly?
Thanks, I gave that a go and now when I run a query I get "No response from server" when running nslookup. I tried restarting bind and now I get the "rndc: connect failed: 127.0.0.1#953: connection refused" error. I then tried running rndc-confgen, and added the following to rndc.conf:

key "rndc-key" {
    algorithm hmac-md5;
    secret "stuff here";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};

And created rndc.conf file with the following:

key "rndc-key" {
    algorithm hmac-md5;
    secret "stuff here";
};

But I still get the connection failed error as above when I try to restart bind.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jonathan Petersson
Sent: Thursday, March 26, 2009 11:33 AM
To: ARMSTRONG, KENNETH
Cc: bind-users@lists.isc.org
Subject: Re: DNS forwarding not working properly?

You need to enable recursion in options.

/Jonathan

2009/3/26 ARMSTRONG, KENNETH:
> OK, I've been trying my hardest to figure this out.
>
> I have BIND9 installed and set up as a slave to one of our Domain Controllers (so we can at least still get DNS if it were to go down). It works fine for transferring the zone file of our domain down, and from the server running BIND I can resolve hostnames of our local network machines along with outside names such as google.com (using nslookup, yeah I know it sucks).
>
> However, when I set up one of my Windows XP clients to use the new server for DNS, it can resolve local machine names fine when I run nslookup against it, but it gives me "Query refused" when trying to resolve an outside DNS name.
>
> I ran nslookup against the ISP's DNS IPs and can resolve the outside hostnames just fine, but for some reason I can't resolve them against the new DNS server.
>
> I have not made any modifications to /etc/bind/named.conf. Instead, I have put my configurations in /etc/bind/named.conf.local (since that is what the named.conf file says to do).
>
> Here is my /etc/bind/named.conf.local file (protected of course):
>
> Code:
>
> zone "OURDOMAIN.COM" {
>     type slave;
>     masters {
>         192.168.1.22;
>         192.168.1.23;
>     };
>     file "OURDOMAIN.COM.db";
>     allow-transfer {
>         any;
>     };
>     allow-query {
>         any;
>     };
> };
>
> zone "192.168.in-addr.arpa" {
>     type slave;
>     masters {
>         192.168.1.22;
>         192.168.1.23;
>     };
>     file "192.168.in-addr.arpa.db";
>     allow-transfer {
>         any;
>     };
>     allow-query {
>         any;
>     };
> };
>
> And my /etc/bind/named.conf.options:
>
> Code:
>
> options {
>     directory "/var/cache/bind";
>
>     forwarders {
>         216.12.0.20;
>         216.12.48.23;
>     };
>
>     auth-nxdomain no;
>     listen-on-v6 { any; };
> };
>
> Again, this only seems to affect outside clients, I can run queries on nslookup just fine on the DNS server itself.
>
> Any help would be greatly appreciated.
>
> Kenny
Re: DNS forwarding not working properly?
You need to enable recursion in options.

/Jonathan

2009/3/26 ARMSTRONG, KENNETH:
> OK, I've been trying my hardest to figure this out.
>
> I have BIND9 installed and set up as a slave to one of our Domain Controllers (so we can at least still get DNS if it were to go down). It works fine for transferring the zone file of our domain down, and from the server running BIND I can resolve hostnames of our local network machines along with outside names such as google.com (using nslookup, yeah I know it sucks).
>
> However, when I set up one of my Windows XP clients to use the new server for DNS, it can resolve local machine names fine when I run nslookup against it, but it gives me "Query refused" when trying to resolve an outside DNS name.
>
> I ran nslookup against the ISP's DNS IPs and can resolve the outside hostnames just fine, but for some reason I can't resolve them against the new DNS server.
>
> I have not made any modifications to /etc/bind/named.conf. Instead, I have put my configurations in /etc/bind/named.conf.local (since that is what the named.conf file says to do).
>
> Here is my /etc/bind/named.conf.local file (protected of course):
>
> Code:
>
> zone "OURDOMAIN.COM" {
>     type slave;
>     masters {
>         192.168.1.22;
>         192.168.1.23;
>     };
>     file "OURDOMAIN.COM.db";
>     allow-transfer {
>         any;
>     };
>     allow-query {
>         any;
>     };
> };
>
> zone "192.168.in-addr.arpa" {
>     type slave;
>     masters {
>         192.168.1.22;
>         192.168.1.23;
>     };
>     file "192.168.in-addr.arpa.db";
>     allow-transfer {
>         any;
>     };
>     allow-query {
>         any;
>     };
> };
>
> And my /etc/bind/named.conf.options:
>
> Code:
>
> options {
>     directory "/var/cache/bind";
>
>     forwarders {
>         216.12.0.20;
>         216.12.48.23;
>     };
>
>     auth-nxdomain no;
>     listen-on-v6 { any; };
> };
>
> Again, this only seems to affect outside clients, I can run queries on nslookup just fine on the DNS server itself.
>
> Any help would be greatly appreciated.
>
> Kenny
DNS forwarding not working properly?
OK, I've been trying my hardest to figure this out.

I have BIND9 installed and set up as a slave to one of our Domain Controllers (so we can at least still get DNS if it were to go down). It works fine for transferring the zone file of our domain down, and from the server running BIND I can resolve hostnames of our local network machines along with outside names such as google.com (using nslookup, yeah I know it sucks).

However, when I set up one of my Windows XP clients to use the new server for DNS, it can resolve local machine names fine when I run nslookup against it, but it gives me "Query refused" when trying to resolve an outside DNS name.

I ran nslookup against the ISP's DNS IPs and can resolve the outside hostnames just fine, but for some reason I can't resolve them against the new DNS server.

I have not made any modifications to /etc/bind/named.conf. Instead, I have put my configurations in /etc/bind/named.conf.local (since that is what the named.conf file says to do).

Here is my /etc/bind/named.conf.local file (protected of course):

Code:

zone "OURDOMAIN.COM" {
    type slave;
    masters {
        192.168.1.22;
        192.168.1.23;
    };
    file "OURDOMAIN.COM.db";
    allow-transfer {
        any;
    };
    allow-query {
        any;
    };
};

zone "192.168.in-addr.arpa" {
    type slave;
    masters {
        192.168.1.22;
        192.168.1.23;
    };
    file "192.168.in-addr.arpa.db";
    allow-transfer {
        any;
    };
    allow-query {
        any;
    };
};

And my /etc/bind/named.conf.options:

Code:

options {
    directory "/var/cache/bind";

    forwarders {
        216.12.0.20;
        216.12.48.23;
    };

    auth-nxdomain no;
    listen-on-v6 { any; };
};

Again, this only seems to affect outside clients, I can run queries on nslookup just fine on the DNS server itself.

Any help would be greatly appreciated.

Kenny