MS AD 2008R2 and bind

2012-01-03 Thread Melbinger Christian
Hi

My company moved to a 2008R2 Domain Controller environment. Now I see the 
following message in the windows log:

Title: This domain controller must register its correct IP addresses with the 
DNS server
Severity: Error
Category: Configuration
Issue: The Domain Name System (DNS) host resource records for this domain 
controller's fully qualified domain name currently map to the IP addresses that 
do not belong to this domain controller. The invalid IP addresses are 10.1.1.1; 
10.2.2.2.
Impact: Other member computers and domain controllers in the domain or forest 
might not be able to locate this domain controller. This domain controller will 
not be able to provide a full suite of services.
Resolution: Ensure that the DNS Client service on this domain controller is 
configured and able to register valid host resource records with an 
authoritative DNS server for the domain.
More information about this best practice and detailed resolution procedures: 
http://go.microsoft.com/fwlink/?LinkId=131229


All Domain Controllers have zone update rights on the master DNS server, and 
according to the logfile, updating zones works.
My DNS-Servers are running BIND 9.7.3-P3.



So this is presumably not a problem of the bind servers themselves, but still, 
does anyone have an idea how to get rid of the error messages?
Anyone know the checkbox to unset? I didn't find one...

With regards
Christian Melbinger


---
Ing. Christian Melbinger
Netzwerk & Security

WienIT EDV Dienstleistungsgesellschaft mbH & Co KG
A-1030 Wien, Thomas-Klestil-Platz 6
tel: +43 (1) 90405 47188
fax: +43 (1) 90405 88 47188
mailto:christian.melbin...@wienit.at




WienIT EDV Dienstleistungsgesellschaft mbH & Co KG, A-1030 Wien, 
Thomas-Klestil-Platz 6,
FN 255974h, Handelsgericht Wien, DVR: 2109667, UID-Nr. ATU61260824
Personally liable partner:
WienIT EDV Dienstleistungsgesellschaft mbH, A-1030 Wien, Thomas-Klestil-Platz 6,
FN 255649f, Handelsgericht Wien, UID-Nr. ATU61296118
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: MS AD 2008R2 and bind

2012-01-03 Thread Carsten Strotmann (private)

Hello Christian,

On 1/3/12 11:00 AM, Melbinger Christian wrote:
 
 So this is presumably not a problem of the bind servers themselves,
 but still, does anyone have an idea how to get rid of the error
 messages?
 
 Anyone know the checkbox to unset? I didn't find one...

from the error message you're seeing, the problem is that the domain
controller has already found DNS entries for itself in the DNS, but
the entries are pointing to a different IP address than the domain
controller has.

The domain controller will not overwrite the existing entries. You
have to remove the wrong, stale entries and after that the domain
controller should be able to register (update) the address records
with the correct IP addresses. You can force this with a reboot or
with ipconfig /registerdns from the commandline.

The old IP addresses might be leftovers from a test, and have not been
properly removed when the IP addresses of the domain controller were
changed.

Best regards

Carsten Strotmann



AW: MS AD 2008R2 and bind

2012-01-03 Thread Melbinger Christian
Hello

Thanks for your answer, but unfortunately that's not the case.
When I do an nslookup like nslookup internal.wienit.at, I get back the IPs of 
the DCs, namely
Addresses:  10.4.4.4, 10.5.5.5

The error message
The invalid IP addresses are 10.1.1.1; 10.2.2.2.
is pointing towards the dns-servers. (bind and linux, no windows there)


I also had an old DNS server running on 10.3.3.3, which was included in the 
error message too. I shut it down, but the IP only got removed from the error 
once I deleted the NS record. (Yeah, I forgot to do that.)

any ideas?




Re: MS AD 2008R2 and bind

2012-01-03 Thread Will Lists
On Tue, Jan 3, 2012 at 4:00 AM, Melbinger Christian 
christian.melbin...@wienit.at wrote:

I'm just going to throw out a few ideas, not sure any or all of them will
get you in the right direction... but I had significant issues with DCs and
dynamic updates following a migration from AD-integrated DNS to BIND.


What A records map to those IP addresses listed (10.1.1.1, 10.2.2.2)?

Are there any same-as-zone records that point to your DC IPs? (This is
common if DNS is AD-integrated.)

Do you see in the Event Viewer on the DC that it
is successfully registering the A, PTR and SRV records? (Not sure what log
this is in, it's been a little while since I looked last.)

I know you said it was the case, but does your BIND config have one of the
following options set?
 - allow-update { address_match_list }; -- if the DC is pointing to the
master BIND server
 - allow-update-forwarding { address_match_list }; -- if the DC is
pointing to the slave BIND server

What happens if you issue the ipconfig /registerdns command from the DCs?


- Will

Re: AW: MS AD 2008R2 and bind

2012-01-03 Thread root

The DC must not only be allowed to update its A,  (if applicable) and PTR 
records, it must also be able to update its SRV and TXT records. Please add the 
DC to the ACL for allow-update on the zone that corresponds to the AD 
Domain/Kerberos zone, and then confirm that it is working by restarting the 
Netlogon service (necessary, because IPCONFIG /registerdns only updates A,  
(if applicable) and PTR records, while the former regenerates the SRV records, 
et al.). 


Hope that helps,

 -DTK




Sent via BlackBerry from T-Mobile

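As an added example (not the list's or any poster's own configuration), the named.conf fragments below put Will's and DTK's advice together for the setup described in this thread: a master at 10.1.1.1 and a slave at 10.2.2.2 (the BIND servers Christian names), DCs at 10.4.4.4 and 10.5.5.5, and the zone internal.wienit.at. The acl name, the file paths, the separate _msdcs zone and the 10.in-addr.arpa reverse zone are assumptions; the syntax is BIND 9.7.

```conf
// Added example, not from the thread. BIND 9.7 named.conf fragments.
// Assumed layout: master 10.1.1.1, slave 10.2.2.2, DCs 10.4.4.4 and 10.5.5.5.

acl "dcs" {            // the only hosts allowed to submit dynamic updates
    10.4.4.4;
    10.5.5.5;
};

// Log every accepted and refused update so the DC registrations
// (A, PTR, SRV, TXT) and anything unexpected can be reviewed.
logging {
    channel update_log {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category update          { update_log; };
    category update-security { update_log; };
};

// ---- master (10.1.1.1): DCs that point here need allow-update ----

// The AD domain zone: DC host A records plus the same-as-zone
// round-robin records (internal.wienit.at itself).
zone "internal.wienit.at" {
    type master;
    file "dynamic/internal.wienit.at.db";
    // 10.2.2.2 is listed because an update forwarded by the slave
    // arrives from the slave's own address, and this ACL matches source IP.
    allow-update   { dcs; 10.2.2.2; };
    allow-transfer { 10.2.2.2; };
};

// SRV/TXT records regenerated by Netlogon live under _msdcs. If that
// name is delegated as its own zone it needs the same ACL; if it is only
// a subtree of internal.wienit.at, the zone above already covers it.
zone "_msdcs.internal.wienit.at" {
    type master;
    file "dynamic/_msdcs.internal.wienit.at.db";
    allow-update   { dcs; 10.2.2.2; };
    allow-transfer { 10.2.2.2; };
};

// Reverse zone for the PTR registrations (assumed 10/8).
zone "10.in-addr.arpa" {
    type master;
    file "dynamic/10.in-addr.arpa.db";
    allow-update   { dcs; 10.2.2.2; };
    allow-transfer { 10.2.2.2; };
};

// ---- slave (10.2.2.2): DCs that point here need allow-update-forwarding ----

// The slave does not apply the update itself; it relays the request to
// the master, whose allow-update decides whether it is accepted.
zone "internal.wienit.at" {
    type slave;
    masters { 10.1.1.1; };
    file "slaves/internal.wienit.at.db";
    allow-update-forwarding { dcs; };
};

zone "_msdcs.internal.wienit.at" {
    type slave;
    masters { 10.1.1.1; };
    file "slaves/_msdcs.internal.wienit.at.db";
    allow-update-forwarding { dcs; };
};

zone "10.in-addr.arpa" {
    type slave;
    masters { 10.1.1.1; };
    file "slaves/10.in-addr.arpa.db";
    allow-update-forwarding { dcs; };
};
```

An address-based ACL trusts the network: any host able to send from a DC address can rewrite these zones, which is why the update-security log is worth watching rather than only confirming that updates succeed.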
Re: About root zones

2012-01-03 Thread Peter Andreev
2012/1/2 Matus UHLAR - fantomas uh...@fantomas.sk:
 On 21.12.11 19:21, Peter Andreev wrote:

 I think that if server is authoritative - and - slave-only it should
 use system resolver rather than querying by itself.


 2012/1/2 Matus UHLAR - fantomas uh...@fantomas.sk:

 BIND will not use system resolver. BIND is the resolver. Relying on another
 resolver could cause trouble. If BIND does not need to resolve, it will
 not. If it needs to, don't block it.


 On 02.01.12 16:42, Peter Andreev wrote:

 I understood your point, however it differs from mine.

 Matus, I'm afraid we won't find consent on this topic. So I offer you
 to stop this discussion.
 Thank you for suggestions and happy new year!


 I don't see your point now. I'm afraid that you will have to live with the
 fact that you can not disable sending queries from BIND when it needs them,
 you can only prevent it by configuring BIND (so it will not need them) or
 firewall such packets so they will not get outside (which may break its
 functionality).

My point: I need my servers to answer with authoritative data only. I
need them to not perform anything else. Only get query - send
authoritative response. Where in this scenario does BIND have to resolve
something?
In which scenario (except master & notifies) does BIND have to resolve something?


 Maybe ISC will patch BIND to use the system resolver for internal queries, but I
 doubt so. Maybe you can do it, but imho it's not worth trying.

 Maybe you can set up forward only; and forwarders {}; so BIND will forward
 all recursive queries it generates to your recursive servers.

 But the way you are trying to get over this, I'm afraid you will fail and
 that's what I am trying to tell you.

I'm free to replace BIND with another authoritative DNS implementation.





-- 
--
AP


Re: About root zones

2012-01-03 Thread Matus UHLAR - fantomas

On Jan 2, 2012, at 2:16 PM, Barry Margolin wrote:
 If the system resolver is good enough for every other application
 running on the system, it should be good enough for BIND.

 Why not at least allow this as an option?



In article mailman.656.1325532888.68562.bind-us...@lists.isc.org,
Chuck Swiger cswi...@mac.com wrote:

The system resolver will happily provide answers based upon data from
/etc/hosts, YP/NIS, and LDAP which have no relationship to what is in the
DNS.


On 02.01.12 17:03, Barry Margolin wrote:

In that case, you probably shouldn't enable the option.  I'm not even
suggesting that the option be on by default.

Actually, does libresolv really use those other facilities?


highly depends on the configuration of host.conf or nsswitch.conf, but 
afaik hosts are preferred by default on most systems.



gethostbyname() does, but BIND probably shouldn't use that, because it
loses data like TTLs.


and that is one of the reasons why BIND does not (and apparently even 
should not) use the system libresolv and gethost* functions.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.


Re: About root zones

2012-01-03 Thread Barry Margolin
In article mailman.665.1325598835.68562.bind-us...@lists.isc.org,
 Matus UHLAR - fantomas uh...@fantomas.sk wrote:

  On Jan 2, 2012, at 2:16 PM, Barry Margolin wrote:
   If the system resolver is good enough for every other application
   running on the system, it should be good enough for BIND.
  
   Why not at least allow this as an option?
 
 In article mailman.656.1325532888.68562.bind-us...@lists.isc.org,
  Chuck Swiger cswi...@mac.com wrote:
  The system resolver will happily provide answers based upon data from
  /etc/hosts, YP/NIS, and LDAP which have no relationship to what is in the
  DNS.
 
 On 02.01.12 17:03, Barry Margolin wrote:
 In that case, you probably shouldn't enable the option.  I'm not even
 suggesting that the option be on by default.
 
 Actually, does libresolv really use those other facilities?
 
 highly depends on configuration of host.conf or nsswitch.conf, but 
 afaik hosts are preferred by default on most of systems.
 
 gethostbyname() does, but BIND probably shouldn't use that, because it
 loses data like TTLs.
 
 and that is one of reasons why BIND does not (and apparently even 
 should not) use system libresolv and gethost* functions.

Are we talking about the same libresolv?  I'm talking about functions 
like res_query(), which are very DNS-specific.  They return the raw DNS 
reply data, including details like TTL.

gethostbyname() is the function that uses nsswitch.conf.

-- 
Barry Margolin
Arlington, MA


Re: About root zones

2012-01-03 Thread Matus UHLAR - fantomas

2012/1/2 Matus UHLAR - fantomas uh...@fantomas.sk:

I don't see your point now. I'm afraid that you will have to live with the
fact that you can not disable sending queries from BIND when it needs them,
you can only prevent it by configuring BIND (so it will not need them) or
firewall such packets so they will not get outside (which may break its
functionality).


On 03.01.12 16:53, Peter Andreev wrote:

My point: I need my servers to answer with authoritative data only. I
need them to not perform anything else. Only get query - send
authoritative response. Where in this scenario BIND has to resolve
something?


Nowhere. Note that BIND may send upward or root referrals, for clients 
that are allowed to view cached data (the hint zone is taken as 
cached). Also, bind can send additional data (authoritative or from 
cache) when configured so, but won't recursively resolve them.


See description of additional-from-cache and additional-from-auth, 
maybe minimal-responses.



In which scenario (except master  notifies) BIND has to resolve something?


I don't know about any. 


Maybe ISC will patch BIND to use system resolver for internal queries, but I
doubt so. Maybe you can do it but imho it's not worth trying.

Maybe you can set up forward only; and forwarders {}; so BIND will forward
all recursive queries it generates to your recursive servers.

But the way you are trying to get over this, I'm afraid you will fail and
that's what I am trying to tell you.


I'm free to replace BIND with another authoritative DNS implementation.


Yes, you are. But I'd advise you to focus on the real problem, if it 
exists. Kevin Darcy mentioned that in his response.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Linux - It's now safe to turn on your computer.
Linux - Now you can switch on your computer without worry.
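To make the options Matus names concrete, here is an added example (not from the thread) of a BIND 9.7 configuration for a slave-only authoritative server that answers from zone data and nothing else; the zone name, master address and file paths are placeholders.

```conf
// Added example, not from the thread. BIND 9.7 syntax; the zone and the
// master address (192.0.2.1, a documentation prefix) are placeholders.
options {
    directory "/var/named";

    recursion no;                 // never resolve on a client's behalf
    allow-query-cache { none; };  // no client may read cache/hint data, so
                                  // no upward or root referral is handed out
    additional-from-cache no;     // fill the additional section from zone
    additional-from-auth  no;     // data of the answered zone only, not from
                                  // the cache or other local zones
    minimal-responses yes;        // no authority/additional records beyond
                                  // what the answer itself requires
};

// Deliberately no hint zone: with nothing to refer to, there is nothing
// to look up. The only outbound traffic left is zone maintenance.
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };       // SOA/AXFR/IXFR toward the master
    allow-notify { 192.0.2.1; };  // NOTIFY accepted only from the master
    file "slaves/example.com.db";
};
```

Queries for names this server is not authoritative for are refused instead of answered with a referral, which is the observable difference from the defaults.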


Re: About root zones

2012-01-03 Thread Lyle Giese

On 01/03/12 07:53, Peter Andreev wrote:

Let me ask this question another way. How do you plan to block BIND 
from making any queries outside the server? If you want me to log any 
queries that I don't answer (refused in the logs), I think the default is 
to look up the reverse of the querying IP address. Do you want to block 
that type of traffic also?


Do you want to block this traffic at the application level or in 
IPTables?  If you block this traffic via IPTables or an external 
firewall, lots of things at the OS level get grumpy.


For instance, I want to attach to the server using VNC or SSH for 
maintenance. By default, they want to do a reverse lookup of your IP 
address before allowing access. Now you wait for that query to time out 
before you can do your work. That's just a PITA.


And if BIND does want to do any lookups (reverse lookups, go query the 
root servers for something), now you are forcing it to time out rather 
than doing the lookup and continuing on its way. Very inefficient use 
of resources and will cause delays for legit queries.


BIND was designed to be a multipurpose application and as such, it wants 
and is happier being able to do lookups as needed.  You are asking for a 
specific use case and ISC is not into generating special builds for 
special or specific use cases unless you contract with them to build and 
maintain your special build of BIND.


Lyle Giese
LCR Computer Services, Inc.


AW: MS AD 2008R2 and bind

2012-01-03 Thread Melbinger Christian
What A records map to those IP addresses listed (10.1.1.1, 10.2.2.2)?
only their own name, nothing more

Are there any same-as-zone records that point to your DC IPs? (this is 
common if DNS is AD-integrated)
yes
internal.wienit.at is a round robin to all DC IPs
gc._msdcs.internal.wienit.at is also a round robin to all DC IPs

I don't know if it was AD-integrated a long time ago, but in the last few years 
it certainly was not.

Do you see in the Event Viewer on the DC that it is successfully registering 
the A, PTR and SRV records? (not sure what log this is in, been a little 
while since I looked last)
yes, that's working too, otherwise there would be a lot more errors
I even see every update in the messages log on the DNS server, all working

I know you said it was the case, but your BIND config has one of the following 
options set?
 - allow-update { address_match_list }; -- if the DC is pointing to the 
 master BIND server
 - allow-update-forwarding { address_match_list }; -- if the DC is pointing 
 to the slave BIND server
updates are working

What happens if you issue the ipconfig /registerdns command from the DCs?
I think I did that some time ago... the DC kicked all of its own records and 
then put them back in...


---
Ing. Christian Melbinger
Netzwerk  Security

WienIT EDV Dienstleistungsgesellschaft mbH  Co KG
A-1030 Wien, Thomas-Klestil-Platz 6
tel: +43 (1) 90405 47188
fax: +43 (1) 90405 88 47188
mailto:christian.melbin...@wienit.at

Von: Will Lists [mailto:listsw...@gmail.com]
Gesendet: Dienstag, 03. Jänner 2012 14:07
An: bind-users@lists.isc.org
Cc: Melbinger Christian
Betreff: Re: MS AD 2008R2 and bind

On Tue, Jan 3, 2012 at 4:00 AM, Melbinger Christian 
christian.melbin...@wienit.atmailto:christian.melbin...@wienit.at wrote:
Hi

My company moved to a 2008R2 Domain Controller environment. Now I see the 
following message in the windows log:

Title: This domain controller must register its correct IP addresses with the 
DNS server
Severity: Error
Category: Configuration
Issue: The Domain Name System (DNS) host resource records for this domain 
controller's fully qualified domain name currently map to the IP addresses that 
do not belong to this domain controller. The invalid IP addresses are 10.1.1.1; 
10.2.2.2.
Impact: Other member computers and domain controllers in the domain or forest 
might not be able to locate this domain controller. This domain controller will 
not be able to provide a full suite of services.
Resolution: Ensure that the DNS Client service on this domain controller is 
configured and able to register valid host resource records with an 
authoritative DNS server for the domain.
More information about this best practice and detailed resolution procedures: 
http://go.microsoft.com/fwlink/?LinkId=131229


All Domain Controllers have zone updates rights on the master dns server, and 
according to the logfile updating zones works.
My DNS-Servers are running BIND 9.7.3-P3.



So this is presumably not a problem of the bind servers themselves, but still, 
does anyone have an idea how to get rid of the error messages?
Anyone know the checkbox to unset? I didn't find one...

With regards
Christian Melbinger


---
Ing. Christian Melbinger
Netzwerk & Security

WienIT EDV Dienstleistungsgesellschaft mbH & Co KG
A-1030 Wien, Thomas-Klestil-Platz 6
tel: +43 (1) 90405 47188
fax: +43 (1) 90405 88 47188
mailto:christian.melbin...@wienit.at


WienIT EDV Dienstleistungsgesellschaft mbH & Co KG, A-1030 Wien, 
Thomas-Klestil-Platz 6,
FN 255974h, Handelsgericht Wien, DVR: 2109667, UID-Nr. ATU61260824
Personally liable partner:
WienIT EDV Dienstleistungsgesellschaft mbH, A-1030 Wien, Thomas-Klestil-Platz 6,
FN 255649f, Handelsgericht Wien, UID-Nr. ATU61296118

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users



--

I'm just going to throw out a few ideas, not sure any or all of them will get 
you in the right direction...but I had significant issues with DCs and dynamic 
updates following a migration from AD integrated DNS to BIND.


What A records map to those IP addresses listed (10.1.1.1, 10.2.2.2)?

Are there any "same as zone" records that point to your DC IPs?  (this is 
common if DNS is AD integrated)

Do you see in the Event Viewer on the DC that it is successfully registering 
the A, PTR and SRV records?  (not sure what log this is in, been a little while 
since I looked last).

I know you said it was the case, but your BIND config has one of the following 
options set?
 - allow-update { address_match_list }; -- If the DC is pointing to the master 
BIND server
 - 

Re: Re: MS AD 2008R2 and bind

2012-01-03 Thread Melbinger Christian
According to syslog the DCs do update tons of records all the time... A, PTR, 
SRV.
I didn't regulate them. Their IPs are allowed to do any updates.

---
Ing. Christian Melbinger
Netzwerk & Security

WienIT EDV Dienstleistungsgesellschaft mbH & Co KG
A-1030 Wien, Thomas-Klestil-Platz 6
tel: +43 (1) 90405 47188
fax: +43 (1) 90405 88 47188
mailto:christian.melbin...@wienit.at


-Original Message-
From: r...@nachtmaus.us [mailto:r...@nachtmaus.us] 
Sent: Tuesday, 03 January 2012 14:17
To: Melbinger Christian; bind-users-bounces+root=nachtmaus...@lists.isc.org; 
Carsten Strotmann (private)
Cc: bind-users@lists.isc.org
Subject: Re: Re: MS AD 2008R2 and bind


The DC must not only be allowed to update his A, AAAA (if applicable) and PTR 
records, he must also be able to update his SRV and TXT records. Please add the 
DC to the ACL for allow-updates on the zone that corresponds to the AD 
Domain/Kerberos zone, and then confirm that it is working by restarting the 
Netlogon service (necessary, because IPCONFIG /registerdns only updates A, AAAA 
(if applicable) and PTR records, while the former regenerates the SRV records, 
et al). 


Hope that helps,

 -DTK




Sent via BlackBerry from T-Mobile

-Original Message-
From: Melbinger Christian christian.melbin...@wienit.at
Sender: bind-users-bounces+root=nachtmaus...@lists.isc.org
Date: Tue, 3 Jan 2012 13:47:30 
To: Carsten Strotmann (private) c...@strotmann.de
Cc: bind-users@lists.isc.org
Subject: Re: MS AD 2008R2 and bind

Hello

Thanks for your answer, but unfortunately that's not the case.
When I do an nslookup like nslookup internal.wienit.at, I get back the IPs of 
the DCs, speaking
Addresses:  10.4.4.4, 10.5.5.5

The error message
The invalid IP addresses are 10.1.1.1; 10.2.2.2.
is pointing towards the dns-servers. (bind and linux, no windows there)


I also had an old dns server running on 10.3.3.3, which was included in the 
error message too. I shut it down but the IP only got removed from the error 
once I deleted the NS record. (yeah, forgot to do that)

Any ideas?



---
Ing. Christian Melbinger
Netzwerk & Security

WienIT EDV Dienstleistungsgesellschaft mbH & Co KG
A-1030 Wien, Thomas-Klestil-Platz 6
tel: +43 (1) 90405 47188
fax: +43 (1) 90405 88 47188
mailto:christian.melbin...@wienit.at


-Original Message-
From: Carsten Strotmann (private) [mailto:c...@strotmann.de] 
Sent: Tuesday, 03 January 2012 13:07
To: Melbinger Christian
Cc: bind-users@lists.isc.org
Subject: Re: MS AD 2008R2 and bind


Hello Christian,

On 1/3/12 11:00 AM, Melbinger Christian wrote:
 
 So this is presumably not a problem of the bind servers themselves,
 but still, does anyone have an idea how to get rid of the error
 messages?
 
 Anyone know the checkbox to unset? I didn't find one...

From the error message you're seeing, the problem is that the domain
controller has already found DNS entries for itself in the DNS, but
the entries are pointing to a different IP address than the domain
controller has.

The domain controller will not overwrite the existing entries. You
have to remove the wrong, stale entries and after that the domain
controller should be able to register (update) the address records
with the correct IP addresses. You can force this with a reboot or
with ipconfig /registerdns from the commandline.

The old IP addresses might be leftovers from a test, and have not been
properly removed when the IP addresses of the domain controller were
changed.

Best regards

Carsten Strotmann





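The cleanup Carsten and DTK describe above (delete the stale records the DC will not overwrite, then let it re-register) as a small planning script, added here as an example rather than code from the thread. The DC name dc1.ad.example.test, the master address 192.0.2.53 and the record lists are constructed; the message text is the one quoted in the thread.

```python
"""Plan the removal of stale address records for a domain controller.

Added example, not code from the bind-users thread. Sample data is
constructed: dc1.ad.example.test is a hypothetical DC name and 192.0.2.53
a hypothetical master server; the BPA text is the message quoted above.
"""
import ipaddress
import re

# Constructed excerpt of the Windows Best Practices Analyzer message.
BPA_MESSAGE = (
    "Issue: The Domain Name System (DNS) host resource records for this "
    "domain controller's fully qualified domain name currently map to the IP "
    "addresses that do not belong to this domain controller. The invalid IP "
    "addresses are 10.1.1.1; 10.2.2.2."
)
# Constructed: what 'dig +short A dc1.ad.example.test' returned from BIND.
DNS_A_RECORDS = ["10.4.4.4", "10.1.1.1", "10.2.2.2"]
# Constructed: the addresses actually configured on the DC's interfaces.
DC_ADDRESSES = ["10.4.4.4"]

IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def invalid_addresses_from_message(text):
    """Return the 'invalid IP addresses' the BPA message lists, validated."""
    m = re.search(r"invalid IP addresses are\s+(.*)", text, re.S)
    if not m:
        return []
    found = []
    for token in IPV4_RE.findall(m.group(1)):
        try:
            found.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue  # a malformed token is skipped, never guessed at
    return found


def stale_records(dns_records, dc_addresses):
    """Addresses in DNS for the DC's FQDN that the DC does not own.

    The DC will not overwrite these itself (Carsten's point above), so
    they must be deleted before dynamic registration can succeed.
    """
    owned = {str(ipaddress.ip_address(a)) for a in dc_addresses}
    return [a for a in dns_records if str(ipaddress.ip_address(a)) not in owned]


def nsupdate_batch(fqdn, stale, master):
    """Build an nsupdate batch that deletes only the stale A and PTR records.

    Correct records are left alone and nothing is added: once the stale
    entries are gone the DC re-registers A/PTR with 'ipconfig /registerdns'
    and the SRV records after a Netlogon restart (DTK's point above). Run
    the batch with 'nsupdate -k <tsig key file>'; the key is not part of
    it. Each reverse zone gets its own 'send' since it may live elsewhere.
    """
    name = fqdn.rstrip(".") + "."
    lines = [f"server {master}"]
    for addr in stale:
        lines.append(f"update delete {name} A {addr}")
    lines.append("send")
    for addr in stale:
        rev = ipaddress.ip_address(addr).reverse_pointer + "."
        lines += [f"update delete {rev} PTR {name}", "send"]
    return "\n".join(lines) + "\n"


def plan(message, dns_records, dc_addresses):
    """Cross-check the BPA list against DNS; return (stale, unexplained).

    'unexplained' are addresses the BPA lists that are not in the A answer
    at all, which points at something other than a stale A record (in the
    thread an old NS record kept 10.3.3.3 in the message until it was
    deleted); those need a manual look rather than an automatic delete.
    """
    stale = stale_records(dns_records, dc_addresses)
    reported = invalid_addresses_from_message(message)
    unexplained = [a for a in reported if a not in dns_records]
    return stale, unexplained


if __name__ == "__main__":
    stale, unexplained = plan(BPA_MESSAGE, DNS_A_RECORDS, DC_ADDRESSES)
    print(nsupdate_batch("dc1.ad.example.test", stale, "192.0.2.53"), end="")
    if unexplained:
        print("reported but not in the A answer:", ", ".join(unexplained))
```
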
Re: About root zones

2012-01-03 Thread Peter Andreev
2012/1/3 Matus UHLAR - fantomas uh...@fantomas.sk:
 2012/1/2 Matus UHLAR - fantomas uh...@fantomas.sk:

 I don't see your point now. I'm afraid that you will have to live with the
 fact that you can not disable sending queries from BIND when it needs them,
 you can only prevent it by configuring BIND (so it will not need them) or
 firewall such packets so they will not get outside (which may break its
 functionality).


 On 03.01.12 16:53, Peter Andreev wrote:

 My point: I need my servers to answer with authoritative data only. I
 need them to not perform anything else. Only get query - send
 authoritative response. Where in this scenario BIND has to resolve
 something?


 Nowhere. Note that BIND may send upward or root referrals, for clients that
 are allowed to view cached data (the hint zone is taken as cached). Also,
 bind can send additional data (authoritative or from cache) when configured
 so, but won't recursively resolve them.

 See description of additional-from-cache and additional-from-auth, maybe
 minimal-responses.



Yep, that's what I did first when the problem appeared. Second step was
deleting root.hints to (as I hoped) prevent any further resolving and
caching.

 In which scenario (except master  notifies) BIND has to resolve
 something?


 I don't know about any.

Neither do I. Unfortunately it is not covered in documentation.


 Maybe ISC will patch BIND to use system resolver for internal queries, but I
 doubt so. Maybe you can do it but imho it's not worth trying.

 Maybe you can set up forward only; and forwarders {}; so BIND will forward
 all recursive queries it generates to your recursive servers.

 But the way you are trying to get over this, I'm afraid you will fail and
 that's what I am trying to tell you.


 I'm free to replace BIND with another authoritative DNS implementation.


 Yes, you are. But I'd advise you focus on the real problem, if it exists.
 Kevin Darcy mentioned that in his response.


 --
 Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Warning: I do not wish to receive any advertising mail at this address.
 Linux - It's now safe to turn on your computer.
 Linux - Now you can turn on your computer without worry.

 ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users to
 unsubscribe from this list

 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users



-- 
--
AP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: About root zones

2012-01-03 Thread Chuck Swiger
On Jan 3, 2012, at 11:13 AM, Peter Andreev wrote:
 Unfortunately as I learning BIND more, I understand that it is not
 very suitable for my requirements.

Which are?  I've been trying to understand what the actual problem you are 
trying to solve might be.

Regards,
-- 
-Chuck

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: About root zones

2012-01-03 Thread Barry Margolin
In article mailman.668.1325603242.68562.bind-us...@lists.isc.org,
 Lyle Giese l...@lcrcomputer.net wrote:

 For instance, I want to attach to the server using VNC or SSH for 
 maintenance.  By default, they want to do a reverse lookup of your ip 
 address before allowing access.  Now you wait for that query to time out 
 before you can do your work.  That's just a PITA.

Of course you wouldn't block DNS queries at the network level, that 
messes up everything else running on the machine.

He apparently just wants to ensure that nothing gets into the BIND cache 
of an authoritative-only server -- it should truly be 
authoritative-only.  If other servers on the machine need to do lookups, 
it will use a caching server for this.

-- 
Barry Margolin
Arlington, MA
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: About root zones

2012-01-03 Thread Peter Andreev
2012/1/3 Chuck Swiger cswi...@mac.com:
 On Jan 3, 2012, at 11:13 AM, Peter Andreev wrote:
 Unfortunately as I learning BIND more, I understand that it is not
 very suitable for my requirements.

 Which are?  I've been trying to understand what the actual problem you are 
 trying to solve might be.

I'm not trying to solve any problem. I'm wondering why this thread
has grown so big. The only question I have unanswered is where I can find
documents/articles/whatever describing BIND's internals, architecture
etc? That's all :)
It was asked in the 13th post. Maybe it's still unanswered because of
the unhappy number, I'm not sure.


 Regards,
 --
 -Chuck




-- 
--
AP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: MS AD 2008R2 and bind

2012-01-03 Thread Vbvbrj
There is a bug in Windows 2008 R2 which prevents correct registration to 
BIND dns servers. See http://support.microsoft.com/kb/2002490 for the 
hotfix to apply. Unfortunately, this hotfix still does not correct the 
behavior. Windows 2008 R2 registers the AAAA record first. This record 
is registered correctly on BIND, but the response from BIND is 
interpreted by Windows incorrectly, so it stops registering the 
following records, like the A record. However, the DCs with this patch 
successfully register all records related to the AD.

This is a strange behavior.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: About root zones

2012-01-03 Thread Kevin Darcy

On 1/2/2012 2:16 PM, Barry Margolin wrote:

In article mailman.654.1325531095.68562.bind-us...@lists.isc.org,
 Kevin Darcy k...@chrysler.com wrote:


I agree with Matus. BIND should be as self-sufficient as possible, and
not make any assumptions about the capability of and/or the data it
expects to get from the system resolver

If the system resolver is good enough for every other application
running on the system, it should be good enough for BIND.

See, there's the problem right there. Many of us see the BIND instance 
as forming part of an *infrastructure*, not just an *application* that 
happens to run on the machine. This distinction isn't just semantic. We 
have, for instance, totally separate groups who manage the OS'es of our 
servers (including the configuration of the system resolver), versus 
those of us in the Networking area who have responsibility for the DNS 
infrastructure itself.


Those server folks have strange ideas about name resolution. Strange 
enough that sometimes I don't even understand what the hell they are 
trying to accomplish. Or, they do know, but I think they indulge the 
end-users way too much (don't even get me started on shortname 
resolution, for instance, and the ugly hacks we're forced to maintain, 
supporting that bad habit).


So no, the system resolver is not good enough for BIND. Not in my 
book. I'm responsible for BIND, I'm not going to stick my neck out 
making my subsystem dependent on someone else's subsystem, when I have 
no confidence that they know what they're doing and/or that they're 
doing the right things.


Nor do I think it is particularly unusual for the Networking and Server 
responsibilities within an organization to belong to different groups, 
with different skillsets and competency levels. BIND is good at 
resolving names to addresses, so let it do the name resolution, without 
creating unnecessary dependencies which may cross organizational and 
possibly even trust boundaries. I've already outlined in my previous 
message some possible ways to obviate these internal queries, along 
with the suggestion that maybe at the end of the day it's actually more 
trouble than it's worth...



- Kevin



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: About root zones

2012-01-03 Thread michoski
On 1/3/12 12:46 PM, Kevin Darcy k...@chrysler.com wrote:
 Those server folks have strange ideas about name resolution. Strange
 enough that sometimes I don't even understand what the hell they are
 trying to accomplish.

In all fairness, lots of folks have strange ideas.  We should start with
standards -- software should be built based on BCPs (peer review rules).  If
those don't meet our needs, we should help to get them updated (good luck, I
know -- many standards bodies have become like political lobbyists)

 So no, the system resolver is not good enough for BIND. Not in my
 book. I'm responsible for BIND, I'm not going to stick my neck out
 making my subsystem dependent on someone else's subsystem, when I have
 no confidence that they know what they're doing and/or that they're
 doing the right things.

Maybe it's because I started in networking...  But TCP/IP (or IPv6 these
days) is quite the subsystem to avoid.  Really, like it or not, you are
actually responsible for understanding interactions with subsystems your
managed system must interact with.  ;-)

 possibly even trust boundaries. I've already outlined in my previous
 message some possible ways to obviate these internal queries, along
 with the suggestion that maybe at the end of the day it's actually more
 trouble than it's worth...

That's the problem.  Such suggestions won't ever become BCPs, since they
aren't easily justifiable to business minds.  Granted, personal preferences
are always welcome...but more trouble than it's worth and business
priority or even POLA don't jive.

-- 
Don't worry about avoiding temptation -- as you grow older, it starts
avoiding you.  -- The Old Farmer's Almanac


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: About root zones

2012-01-03 Thread Mark Andrews

If you want named to be authoritative only set recursion no; or
allow-recursion { none; } or allow-query-cache { none; }; and
no data will be returned from the cache.  allow-recursion and
allow-query-cache cross inherit from each other.

If you only want master zones to send notify messages then set
notify master-only;.

If you want named to only use the same nameservers as the system
uses then set forward only; forwarders { list from resolv.conf; };.
Named does not read resolv.conf though the tools do.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Warning view message during rndc reload

2012-01-03 Thread Eric Kom
Good morning all,

It's many days now that I've observed the warning view message during the
rndc reload process:

Jan  4 07:01:09 ns1 named[920]: received control channel command 'reload'
Jan  4 07:01:09 ns1 named[920]: loading configuration from
'/etc/bind/named.conf'
Jan  4 07:01:09 ns1 named[920]: reading built-in trusted keys from file
'/etc/bind/bind.keys'
Jan  4 07:01:09 ns1 named[920]: using default UDP/IPv4 port range:
[1024, 65535]
Jan  4 07:01:09 ns1 named[920]: using default UDP/IPv6 port range:
[1024, 65535]
Jan  4 07:01:09 ns1 named[920]: no IPv6 interfaces found
Jan  4 07:01:09 ns1 named[920]: sizing zone task pool based on 53 zones
Jan  4 07:01:09 ns1 named[920]: Warning: view internal:
'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918
empty zones
Jan  4 07:01:09 ns1 named[920]: Warning: view external-root:
'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918
empty zones
Jan  4 07:01:09 ns1 named[920]: Warning: view internal-localhost:
'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918
empty zones
Jan  4 07:01:09 ns1 named[920]: reloading configuration succeeded
Jan  4 07:01:09 ns1 named[920]: reloading zones succeeded
Jan  4 07:01:09 ns1 named[920]: zone 0.0.10.in-addr.arpa/IN/internal:
loaded serial 2012010402


Please how can I fix this issue?

-- 
--
Yours Truly

Eric Kom

System Administrator - Metropolitan College

2 Hennie Van Till, White River, 1240
Tel: 013 750 2255 | Fax: 013 750 0105 | Cell: 078 879 1334
eric...@kom.za.net | eric...@namekom.co.za | eric...@erickom.co.za
www.kom.za.net | www.kom.za.org | www.erickom.co.za

Key fingerprint: 513E E91A C243 3020 8735 09BB 2DBC 5AD7 A9DA 1EF5

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Warning view message during rndc reload

2012-01-03 Thread Mark Andrews

In message 4f03dddf.6070...@metropolitanstaff.co.za, Eric Kom writes:
 Good morning all,
 
 It's many days now that I've observed the warning view message during the
 rndc reload process:
 
 Jan  4 07:01:09 ns1 named[920]: received control channel command 'reload'
 Jan  4 07:01:09 ns1 named[920]: loading configuration from
 '/etc/bind/named.conf'
 Jan  4 07:01:09 ns1 named[920]: reading built-in trusted keys from file
 '/etc/bind/bind.keys'
 Jan  4 07:01:09 ns1 named[920]: using default UDP/IPv4 port range:
 [1024, 65535]
 Jan  4 07:01:09 ns1 named[920]: using default UDP/IPv6 port range:
 [1024, 65535]
 Jan  4 07:01:09 ns1 named[920]: no IPv6 interfaces found
 Jan  4 07:01:09 ns1 named[920]: sizing zone task pool based on 53 zones
 Jan  4 07:01:09 ns1 named[920]: Warning: view internal:
 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918
 empty zones
 Jan  4 07:01:09 ns1 named[920]: Warning: view external-root:
 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918
 empty zones
 Jan  4 07:01:09 ns1 named[920]: Warning: view internal-localhost:
 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918
 empty zones
 Jan  4 07:01:09 ns1 named[920]: reloading configuration succeeded
 Jan  4 07:01:09 ns1 named[920]: reloading zones succeeded
 Jan  4 07:01:09 ns1 named[920]: zone 0.0.10.in-addr.arpa/IN/internal:
 loaded serial 2012010402
 
 
 Please how can I fix this issue?

Explicitly set empty-zones-enable or explicitly disable an empty zone.

This test has been removed from 9.9.0.
 
 -- 
 --
 Yours Truly
 
 Eric Kom
 
 System Administrator - Metropolitan College
 
 2 Hennie Van Till, White River, 1240
 Tel: 013 750 2255 | Fax: 013 750 0105 | Cell: 078 879 1334
 eric...@kom.za.net | eric...@namekom.co.za | eric...@erickom.co.za
 www.kom.za.net | www.kom.za.org | www.erickom.co.za
 
 Key fingerprint: 513E E91A C243 3020 8735 09BB 2DBC 5AD7 A9DA 1EF5
 
 ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
  from this list
 
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Problems with NS @home and my public

2012-01-03 Thread With No Name
Hello,

I learn network administration and like to configure my network to do:

  workstation - ns.intra.mydomain.com - ns.mydomain.com

currently I have the following configs:

workstation:

--( /etc/resolv.conf )--
search intra.mydomain.com
nameserver 192.168.0.2


ns.intra.mydomain.com

--( /etc/resolv.conf )--
search mydomain.com
nameserver IP.OF.MY.PUBLIC.NS
-

--( /etc/named.conf.options )---
options {
directory "/var/cache/bind";

check-names master fail;
check-names slave warn;
check-names response ignore;

auth-nxdomain no;

listen-on-v6 { any; };
listen-on { 192.168.0.2; };

forwarders {
IP.OF.MY.PUBLIC.NS;
};

dnssec-enable yes;
};

logging {
channel default_syslog {
syslog local2;
severity info;
print-category yes;
print-severity yes;
print-time no;
};
category default {

};
category edns-disabled {
null;
};
};

include "/etc/bind/rndc.key";

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

include "/etc/bind/tsig.key";


ns.mydomain.com:

--( /etc/resolv.conf )--


--( /etc/named.conf.options )---
options {
directory "/var/cache/bind";

check-names master fail;
check-names slave warn;
check-names response ignore;

auth-nxdomain no;

listen-on-v6 { any; };
listen-on { IP.OF.MY.PUBLIC.NS; };

dnssec-enable yes;

recursion yes;
allow-recursion { any; };
allow-query { any; };
allow-query-cache { any; };
};

logging {
channel default_syslog {
syslog local2;
severity info;
print-category yes;
print-severity yes;
print-time no;
};
category default {
default_syslog;
};
};

include "/etc/bind/rndc.key";

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

include "/etc/bind/tsig.key";


I have gotten the above config from the internet but it seems not to
work, because I have the same error messages like

lame-servers: info: error (unexpected RCODE REFUSED) resolving...

security: info: client MY.FIXED.HOME.IP#5525: query (cache) 'some_domain'
denied

lame-servers: info: error (network unreachable) resolving 'b.au//IN':
2607:f140::fffe::3#53

lame-servers: info: lame server resolving 'www.some_domain' (in
'some_domain'?): first.NS.IP#53
lame-servers: info: lame server resolving 'www.some_domain' (in
'some_domain'?): second.NS.IP#53

in my logs as another person on the list.

So, in the last days I was searching the internet like hell for how to solve this
problem but have found nothing yet.

Can someone help me please?

Where can I find a HOWTO which tells me how to set up my Name Server
correctly including DNSSEC/NSEC3?

Thanks

Note: I need to learn this perfectly, because I come from a country where
  people are kidnapped and killed by the government and I need a
  bulletproof setup which I can put online one day without risking
  being hacked by my government

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
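
A checker, added here as an example (not code from the thread or from ISC), that applies Mark Andrews' rule from the "About root zones" thread above to options blocks like the two in this post: allow-recursion and allow-query-cache inherit from each other, so only "recursion no;" or both ending up as { none; } keeps cache data away from arbitrary clients. The sample blocks are constructed from the posted ones with the placeholders kept, and the parser handles only flat one-line statements.

```python
"""Flag open-resolver settings in a BIND options block.

Added example, not code from the thread or from ISC. The three sample
blocks are constructed: the first two mirror the options posted above
(placeholders kept, only the relevant statements), the third applies
Mark Andrews' 'recursion no;' advice from the root-zones thread.
"""
import re

SAMPLE_PUBLIC = """options {
    directory "/var/cache/bind";
    listen-on-v6 { any; };
    listen-on { IP.OF.MY.PUBLIC.NS; };
    recursion yes;
    allow-recursion { any; };
    allow-query { any; };
    allow-query-cache { any; };
};"""

SAMPLE_INTERNAL = """options {
    directory "/var/cache/bind";
    listen-on { 192.168.0.2; };
    forwarders { IP.OF.MY.PUBLIC.NS; };
};"""

SAMPLE_AUTH_ONLY = """options {
    listen-on { IP.OF.MY.PUBLIC.NS; };
    recursion no;
    allow-query { any; };
};"""

# One statement per line: 'name value;' or 'name { a; b; };'. The
# 'options {' line itself has no ';' on its line and does not match.
STATEMENT_RE = re.compile(
    r"^\s*([a-z0-9-]+)\s+(?:\{([^}\n]*)\}|([^;{\n]+))\s*;", re.M)


def parse_options(text):
    """Return {statement: value}; brace lists become Python lists."""
    opts = {}
    for m in STATEMENT_RE.finditer(text):
        if m.group(2) is not None:
            opts[m.group(1)] = [v.strip() for v in m.group(2).split(";") if v.strip()]
        else:
            opts[m.group(1)] = m.group(3).strip()
    return opts


def effective_recursion_acls(opts):
    """Apply the cross-inheritance between allow-recursion and
    allow-query-cache: if only one is set the other takes its value;
    if neither is set BIND uses { localnets; localhost; } for both."""
    rec, cache = opts.get("allow-recursion"), opts.get("allow-query-cache")
    if rec is None and cache is None:
        rec = cache = ["localnets", "localhost"]
    elif rec is None:
        rec = cache
    elif cache is None:
        cache = rec
    return rec, cache


def audit(text):
    """Findings for a server reachable by arbitrary Internet clients;
    an empty list means nothing is served to them from the cache."""
    opts = parse_options(text)
    if opts.get("recursion", "yes") == "no":  # 'recursion yes' is the default
        return []  # authoritative-only: nothing comes from the cache
    rec, cache = effective_recursion_acls(opts)
    findings = []
    if "any" in rec:
        findings.append("open resolver: allow-recursion resolves to { any; }; "
                        "use 'recursion no;' on an authoritative-only server "
                        "or limit it to the client networks")
    if "any" in cache:
        findings.append("cache exposed: allow-query-cache resolves to { any; }; "
                        "set it to { none; } or the client networks")
    return findings


if __name__ == "__main__":
    for name, text in (("public", SAMPLE_PUBLIC), ("internal", SAMPLE_INTERNAL),
                       ("auth-only", SAMPLE_AUTH_ONLY)):
        print(name, audit(text) or ["ok"])
```

Run on the public-server block it reports an open resolver; the internal server, which leaves both ACLs unset, falls back to localnets and passes.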


Re: About root zones

2012-01-03 Thread Peter Andreev
2012/1/4 Mark Andrews ma...@isc.org:

 If you want named to be authoritative only set recursion no; or
 allow-recursion { none; } or allow-query-cache { none; }; and
 no data will be returned from the cache.  allow-recursion and
 allow-query-cache cross inherit from each other.

 If you only want master zones to send notify messages then set
 notify master-only;.

 If you want named to only use the same nameservers as the system
 uses then set forward only; forwarders { list from resolv.conf; };.
 Named does not read resolv.conf though the tools do.

Thank you, Mark, these things were done a long time ago. Is there any
documentation related to BIND's internals?


 --
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



-- 
--
AP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users