Getting an error on a simple DNS configuration

2015-06-03 Thread Samad Agha
I put together a simple working DNS server and called it new-dns2 with the
IP address of 206.117.115.93. My configuration files follow:

[root@new-dns2 ~]# cat /etc/named.conf
options {
        directory "/var/named";
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.127.0.0";
};
[root@new-dns2 ~]# cat /var/named/db.127.0.0
$TTL 3D
@       IN  SOA new-dns1.ci.glendale.ca.us. mchavoshi.glendaleca.gov. (
                1   ; Serial
                8H  ; Refresh
                2H  ; Retry
                4W  ; Expire
                1D) ; Minimum TTL
        NS  new-dns1.ci.glendale.ca.us.
1       PTR localhost.
[root@new-dns2 ~]#

So, when I query my new DNS server from itself (206.117.115.93), it
resolves the name to an IP, but when I query my new DNS server from another
Linux box, it fails with the following error message.

[root@new-dns2 ~]# nslookup google.com 206.117.115.93
Server: 206.117.115.93
Address:206.117.115.93#53
Non-authoritative answer:
Name:   google.com
Address: 216.58.217.206
[root@new-dns2 ~]#

[root@oragrid01 ~]# nslookup google.com 206.117.115.93
Server: 206.117.115.93
Address:206.117.115.93#53
** server can't find google.com: REFUSED
[root@oragrid01 ~]#

I have stopped the firewall on new-dns2, my DNS server:

[root@new-dns2 ~]# service iptables status
iptables: Firewall is not running.
[root@new-dns2 ~]#

Can someone please tell me what might be the problem?

Many thanks in advance and have a wonderful day/night.

Sincerely,
Samad Agha
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Getting an error on a simple DNS configuration

2015-06-03 Thread Samad Agha
Dear Tony, Bob,  Matus,

Thank you very much for your advice, you guys are awesome.

On Wed, Jun 3, 2015 at 1:03 PM, Matus UHLAR - fantomas uh...@fantomas.sk
wrote:

 On 03.06.15 12:34, Samad Agha wrote:

 So, when I query my new DNS server from itself (206.117.115.93), it
 resolves the name to an IP, but when I query my new DNS server from
 another
 Linux box, it fails with the following error message.


 You must allow BIND to provide recursive DNS for other hosts by
 configuring allow-recursion. Otherwise, it will provide DNS resolution
 only for its local networks (directly connected to host interfaces).

 [root@new-dns2 ~]# nslookup google.com 206.117.115.93

 Don't use nslookup; it's a very bad tool for debugging DNS problems.
 Learn to use host and/or dig.

 --
 Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
 Warning: I wish NOT to receive e-mail advertising to this address.
 Warning: I do NOT want to receive any advertising mail at this address.
 Emacs is a complicated operating system without good text editor.


Re: Getting an error on a simple DNS configuration

2015-06-03 Thread Matus UHLAR - fantomas

On 03.06.15 12:34, Samad Agha wrote:

So, when I query my new DNS server from itself (206.117.115.93), it
resolves the name to an IP, but when I query my new DNS server from another
Linux box, it fails with the following error message.


You must allow BIND to provide recursive DNS for other hosts by
configuring allow-recursion. Otherwise, it will provide DNS resolution
only for its local networks (directly connected to host interfaces).

[root@new-dns2 ~]# nslookup google.com 206.117.115.93

Don't use nslookup; it's a very bad tool for debugging DNS problems.
Learn to use host and/or dig.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Emacs is a complicated operating system without good text editor.


Re: Getting an error on a simple DNS configuration

2015-06-03 Thread Tony Finch
Samad Agha samad.agha2...@gmail.com wrote:

 So, when I query my new DNS server from itself (206.117.115.93), it
 resolves the name to an IP, but when I query my new DNS server from another
 Linux box, it fails with the following error message.

 ** server can't find google.com: REFUSED

By default, BIND allows queries only from localnets, i.e. subnets to
which the server is directly connected. For details, see
http://ftp.isc.org/isc/bind9/9.10.2/doc/arm/Bv9ARM.ch06.html#access_control

Tony.
-- 
f.anthony.n.finch  d...@dotat.at  http://dotat.at/
Forth, Tyne: Variable becoming southeast 3 or 4, occasionally 5 later in Tyne.
Slight, becoming slight or moderate later in Tyne. Fair. Good.


GSS-TSIG updates with multiple KSPs on the same BIND server?

2015-06-03 Thread Doug Barton

Folks,

Reading through manuals, HOWTOs, etc. online, it SEEMS possible that 
BIND 9.8+ could be configured to use multiple KSPs. The traditional way 
of configuring GSS-TSIG is the following in options{}:


tkey-domain "FOO.BAR";
tkey-gssapi-credential "DNS/dns1.foo.bar";

However that configuration restricts the server to use only that one 
KSP. What I'd like to do instead is to use the tkey-gssapi-keytab option 
to specify just the keytab file. According to the 9.9.5 ARM:


tkey-gssapi-keytab The KRB5 keytab file to use for GSS-TSIG updates. If 
this option is set and tkey-gssapi-credential is not set, then updates 
will be allowed with any key matching a principal in the specified keytab.


I'm assuming that if I get the [realms] and [domain_realms] configured 
correctly in my krb5.conf file that I would be good to go, but I am far 
from an expert on Kerberos, and while using a single KSP works fine, I 
haven't yet created a test environment for using multiple KSPs. So 
before I do that I thought I would ask if what I want to do is even 
possible, and if so where the landmines are.


In case it's not clear, the use case here is to be able to use the same 
BIND instance as master for multiple AD realms that do not have an 
existing trust relationship.


Thanks,

Doug

--
I am conducting an experiment in the efficacy of PGP/MIME signatures. 
This message should be signed. If it is not, or the signature does not 
validate, please let me know how you received this message (direct, or 
to a list) and the mail software you use. Thanks!





Re: Getting an error on a simple DNS configuration

2015-06-03 Thread Bob Harold
If you don't specify recursion (or query-cache or allow-query), then the
default is:
allow-recursion (localnets; localhost;)

Which means only things on the connected subnets are allowed to make
recursive queries; all others get REFUSED.
So add an allow-recursion ( .. subnet list ..);  to your config.  (Do not
allow 'all', please.)



-- 
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharo...@umich.edu
734-647-6524 desk

On Wed, Jun 3, 2015 at 3:34 PM, Samad Agha samad.agha2...@gmail.com wrote:

 I put together a simple working DNS server and called it new-dns2 with the
 IP address of 206.117.115.93. My configuration files follow:

 [root@new-dns2 ~]# cat /etc/named.conf
 options {
         directory "/var/named";
 };
 zone "0.0.127.in-addr.arpa" {
         type master;
         file "db.127.0.0";
 };
 [root@new-dns2 ~]# cat /var/named/db.127.0.0
 $TTL 3D
 @       IN  SOA new-dns1.ci.glendale.ca.us. mchavoshi.glendaleca.gov. (
                 1   ; Serial
                 8H  ; Refresh
                 2H  ; Retry
                 4W  ; Expire
                 1D) ; Minimum TTL
         NS  new-dns1.ci.glendale.ca.us.
 1       PTR localhost.
 [root@new-dns2 ~]#

 So, when I query my new DNS server from itself (206.117.115.93), it
 resolves the name to an IP, but when I query my new DNS server from another
 Linux box, it fails with the following error message.

 [root@new-dns2 ~]# nslookup google.com 206.117.115.93
 Server: 206.117.115.93
 Address:206.117.115.93#53
 Non-authoritative answer:
 Name:   google.com
 Address: 216.58.217.206
 [root@new-dns2 ~]#

 [root@oragrid01 ~]# nslookup google.com 206.117.115.93
 Server: 206.117.115.93
 Address:206.117.115.93#53
 ** server can't find google.com: REFUSED
 [root@oragrid01 ~]#

 I have stopped the firewall on new-dns2, my DNS server:

 [root@new-dns2 ~]# service iptables status
 iptables: Firewall is not running.
 [root@new-dns2 ~]#

 Can someone please tell me what might be the problem?

 Many thanks in advance and have a wonderful day/night.

 Sincerely,
 Samad Agha


Re: Fwd: Getting an error on a simple DNS configuration

2015-06-03 Thread Alan Clegg
allow-recursion { ... };

not

allow-recursion ( ... );

And you need a ; at the end of your list:

 allow-recursion {207.151.36.0;};

On 6/3/15 5:14 PM, Samad Agha wrote:
 I put the allow-recursion clause under my options, but `service named
 restart` failed. Where exactly should I place this allow-recursion clause?
  
 [root@new-dns2 ~]# cat /etc/named.conf
 options {
         directory "/var/named";
         allow-recursion (207.151.36.0);
 };
  
 zone "0.0.127.in-addr.arpa" {
         type master;
         file "db.127.0.0";
 };
 [root@new-dns2 ~]#
  
 [root@new-dns2 ~]# service named restart
 Stopping named: .  [  OK  ]
 Starting named:
 Error in named configuration:
 /etc/named.conf:3: '{' expected near '(207.151.36.0)'
[FAILED]
 [root@new-dns2 ~]#
 
 
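To make the REFUSED behaviour Bob describes and the brace syntax Alan corrects concrete, here is an added Python model of how BIND evaluates an allow-recursion address match list; it is example code written for this page, not code from the thread or from BIND itself. It assumes a /24 on the server's 206.117.115.93 interface and a hypothetical client address 207.151.36.10 (the thread never shows oragrid01's address), and it also shows a caveat the thread does not spell out: a bare address such as 207.151.36.0 matches only that one host, so allowing a whole subnet needs a prefix length like 207.151.36.0/24.

```python
import ipaddress
from typing import List, Optional

# Constructed sample data: the server's interfaces (the /24 prefix on
# 206.117.115.93 is an assumption) and a hypothetical address for the
# oragrid01 client, which the thread never shows.
SERVER_NETS = ["127.0.0.1/8", "206.117.115.93/24"]
SERVER_ADDR = "206.117.115.93"
CLIENT_ADDR = "207.151.36.10"
DEFAULT_ACL = "allow-recursion { localnets; localhost; };"  # BIND default

def parse_acl(clause: str) -> List[str]:
    """Split 'allow-recursion { a; b; };' into its elements.
    The parenthesised form from the thread is rejected, as named does
    ("'{' expected near ...")."""
    rest = clause.strip()
    if not rest.startswith("allow-recursion"):
        raise ValueError("not an allow-recursion clause")
    rest = rest[len("allow-recursion"):].strip()
    if not (rest.startswith("{") and rest.endswith("};")):
        raise ValueError("'{' expected: address lists use { ...; };")
    return [e.strip() for e in rest[1:-2].split(";") if e.strip()]

def element_matches(element: str, client: str) -> Optional[bool]:
    """Return the element's decision for client, or None if it does not match.
    Bare addresses are single hosts: 207.151.36.0 is not 207.151.36.0/24."""
    negate = element.startswith("!")
    elem = element.lstrip("!").strip()
    ip = ipaddress.ip_address(client)
    if elem == "any":
        hit = True
    elif elem == "none":
        hit = False
    elif elem == "localhost":  # every address on the server's own interfaces
        hit = ip.is_loopback or any(str(ip) == n.split("/")[0] for n in SERVER_NETS)
    elif elem == "localnets":  # every subnet the server is directly attached to
        hit = any(ip in ipaddress.ip_network(n, strict=False) for n in SERVER_NETS)
    else:
        hit = ip in ipaddress.ip_network(elem, strict=False)
    return (not negate) if hit else None

def recursion_allowed(clause: str, client: str) -> bool:
    """First matching element wins; no match at all means the query is REFUSED."""
    for element in parse_acl(clause):
        decision = element_matches(element, client)
        if decision is not None:
            return decision
    return False
```

With the default list the server answers itself but refuses the client, a /24 entry admits the client, and a negated element placed first still refuses it even when a later element would match.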

Fwd: Getting an error on a simple DNS configuration

2015-06-03 Thread Samad Agha
I put the allow-recursion clause under my options, but `service named
restart` failed. Where exactly should I place this allow-recursion clause?

[root@new-dns2 ~]# cat /etc/named.conf
options {
        directory "/var/named";
        allow-recursion (207.151.36.0);
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.127.0.0";
};
[root@new-dns2 ~]#

[root@new-dns2 ~]# service named restart
Stopping named: .  [  OK  ]
Starting named:
Error in named configuration:
/etc/named.conf:3: '{' expected near '(207.151.36.0)'
   [FAILED]
[root@new-dns2 ~]#