Getting an error on a simple DNS configuration
I put together a simple working DNS server and called it new-dns2 with the IP address of 206.117.115.93. My configuration files follow:

    [root@new-dns2 ~]# cat /etc/named.conf
    options {
        directory "/var/named";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.127.0.0";
    };

    [root@new-dns2 ~]# cat /var/named/db.127.0.0
    $TTL 3D
    @   IN  SOA new-dns1.ci.glendale.ca.us. mchavoshi.glendaleca.gov. (
            1   ; Serial
            8H  ; Refresh
            2H  ; Retry
            4W  ; Expire
            1D) ; Minimum TTL
        NS  new-dns1.ci.glendale.ca.us.
    1   PTR localhost.
    [root@new-dns2 ~]#

So, when I query my new DNS server from itself (206.117.115.93), it resolves the name to an IP, but when I query my new DNS server from another Linux box, it fails with the following error message.

    [root@new-dns2 ~]# nslookup google.com 206.117.115.93
    Server:     206.117.115.93
    Address:    206.117.115.93#53

    Non-authoritative answer:
    Name:   google.com
    Address: 216.58.217.206
    [root@new-dns2 ~]#

    [root@oragrid01 ~]# nslookup google.com 206.117.115.93
    Server:     206.117.115.93
    Address:    206.117.115.93#53

    ** server can't find google.com: REFUSED
    [root@oragrid01 ~]#

I have stopped the firewall on new-dns2, my DNS server:

    [root@new-dns2 ~]# service iptables status
    iptables: Firewall is not running.
    [root@new-dns2 ~]#

Can someone please tell me what might be the problem?

Many thanks in advance and have a wonderful day/night.

Sincerely,
Samad Agha
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Getting an error on a simple DNS configuration
Dear Tony, Bob, Matus,

Thank you very much for your advice, you guys are awesome.

On Wed, Jun 3, 2015 at 1:03 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:
> On 03.06.15 12:34, Samad Agha wrote:
> > So, when I query my new DNS server from itself (206.117.115.93), it
> > resolves the name to an IP, but when I query my new DNS server from
> > another Linux box, it fails with the following error message.
>
> you must allow BIND to provide recursive DNS for other hosts, by
> configuring allow-recursion. otherwise, it will provide DNS resolution
> only for its local networks (directly connected to host interfaces).
>
> > [root@new-dns2 ~]# nslookup google.com 206.117.115.93
>
> don't use nslookup, it's a very bad tool for debugging DNS problems.
> learn to use host and/or dig.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Getting an error on a simple DNS configuration
On 03.06.15 12:34, Samad Agha wrote:
> So, when I query my new DNS server from itself (206.117.115.93), it
> resolves the name to an IP, but when I query my new DNS server from
> another Linux box, it fails with the following error message.

you must allow BIND to provide recursive DNS for other hosts, by configuring allow-recursion. otherwise, it will provide DNS resolution only for its local networks (directly connected to host interfaces).

> [root@new-dns2 ~]# nslookup google.com 206.117.115.93

don't use nslookup, it's a very bad tool for debugging DNS problems. learn to use host and/or dig.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Emacs is a complicated operating system without a good text editor.
Re: Getting an error on a simple DNS configuration
Samad Agha samad.agha2...@gmail.com wrote:
> So, when I query my new DNS server from itself (206.117.115.93), it
> resolves the name to an IP, but when I query my new DNS server from
> another Linux box, it fails with the following error message.
>
> ** server can't find google.com: REFUSED

By default, BIND allows queries only from localnets, i.e. subnets to which the server is directly connected. For details, see
http://ftp.isc.org/isc/bind9/9.10.2/doc/arm/Bv9ARM.ch06.html#access_control

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Forth, Tyne: Variable becoming southeast 3 or 4, occasionally 5 later in Tyne. Slight, becoming slight or moderate later in Tyne. Fair. Good.
GSS-TSIG updates with multiple KSPs on the same BIND server?
Folks,

Reading through manuals, HOWTOs, etc. online it SEEMS possible that BIND 9.8+ could be configured to use multiple KSPs. The traditional way of configuring GSS-TSIG is the following in options{}:

    tkey-domain "FOO.BAR";
    tkey-gssapi-credential "DNS/dns1.foo.bar";

However that configuration restricts the server to use only that one KSP. What I'd like to do instead is to use the tkey-gssapi-keytab option to specify just the keytab file. According to the 9.9.5 ARM:

    tkey-gssapi-keytab
        The KRB5 keytab file to use for GSS-TSIG updates. If this option is
        set and tkey-gssapi-credential is not set, then updates will be
        allowed with any key matching a principal in the specified keytab.

I'm assuming that if I get the [realms] and [domain_realms] configured correctly in my krb5.conf file that I would be good to go, but I am far from an expert on Kerberos, and while using a single KSP works fine, I haven't yet created a test environment for using multiple KSPs. So before I do that I thought I would ask if what I want to do is even possible, and if so where the landmines are.

In case it's not clear, the use case here is to be able to use the same BIND instance as master for multiple AD realms that do not have an existing trust relationship.

Thanks,

Doug

--
I am conducting an experiment in the efficacy of PGP/MIME signatures. This message should be signed. If it is not, or the signature does not validate, please let me know how you received this message (direct, or to a list) and the mail software you use. Thanks!
Re: Getting an error on a simple DNS configuration
If you don't specify recursion (or query-cache or allow-query), then the default is:

    allow-recursion (localnets; localhost;)

Which means only things on the connected subnets are allowed to make recursive queries, all others get REFUSED. So add an

    allow-recursion ( .. subnet list ..);

to your config. (Do not allow 'all', please.)

--
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharo...@umich.edu
734-647-6524 desk

On Wed, Jun 3, 2015 at 3:34 PM, Samad Agha samad.agha2...@gmail.com wrote:
> I put together a simple working DNS server and called it new-dns2 with
> the IP address of 206.117.115.93. My configuration files follow:
>
> [...]
>
> So, when I query my new DNS server from itself (206.117.115.93), it
> resolves the name to an IP, but when I query my new DNS server from
> another Linux box, it fails with the following error message.
>
> [...]
>
>     [root@oragrid01 ~]# nslookup google.com 206.117.115.93
>     Server:     206.117.115.93
>     Address:    206.117.115.93#53
>
>     ** server can't find google.com: REFUSED
>     [root@oragrid01 ~]#
>
> I have stopped the firewall on new-dns2, my DNS server:
>
>     [root@new-dns2 ~]# service iptables status
>     iptables: Firewall is not running.
>     [root@new-dns2 ~]#
>
> Can someone please tell me what might be the problem?
>
> Many thanks in advance and have a wonderful day/night.
>
> Sincerely,
> Samad Agha
Re: Fwd: Getting an error on a simple DNS configuration
    allow-recursion { ... };

not

    allow-recursion ( ... );

And you need a ; at the end of your list:

    allow-recursion {207.151.36.0;};

On 6/3/15 5:14 PM, Samad Agha wrote:
> I put the allow-recursion clause under my options, the #service named
> restart failed. Where exactly should I place this allow-recursion clause?
>
>     [root@new-dns2 ~]# cat /etc/named.conf
>     options {
>         directory "/var/named";
>         allow-recursion (207.151.36.0);
>     };
>     zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "db.127.0.0";
>     };
>     [root@new-dns2 ~]#
>
>     [root@new-dns2 ~]# service named restart
>     Stopping named: .                                          [  OK  ]
>     Starting named:
>     Error in named configuration:
>     /etc/named.conf:3: '{' expected near '(207.151.36.0)'
>                                                                [FAILED]
>     [root@new-dns2 ~]#
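The two syntax mistakes this reply points out (parentheses instead of braces, and a missing ';' after each element), together with the default allow-recursion { localnets; localhost; } behaviour that Bob's and Tony's replies describe, can be checked without a running named. The script below is an added example for this thread, not BIND's code or anything the participants posted. It pulls the allow-recursion list out of a named.conf fragment, rejects the parenthesis form, and emulates BIND's address-match-list evaluation (first matching element decides, '!' negates, no match means REFUSED) for the element kinds used in this thread. The interface address 206.117.115.93/24 for new-dns2 and the client 207.151.36.10 are assumed values; the thread never gives a netmask. Two things the script makes visible that the thread only implies: a bare address such as 207.151.36.0 in a BIND ACL matches that single host, so a whole subnet needs a prefix length like 207.151.36.0/24, and an un-negated 'any' hands recursion to everyone on the Internet, which is the open-resolver configuration Bob asks people not to use.

```python
"""Check a BIND named.conf allow-recursion list and emulate who gets recursion.

Added example for this thread, not BIND's own code. It handles only the
address-match-list element kinds that appear in the thread: bare addresses,
CIDR prefixes, any, none, localhost and localnets, with optional '!' negation.
The server's interface addresses are passed in by the caller (assumed values;
the thread never states new-dns2's netmask).
"""
import ipaddress
import re

# Constructed samples. BROKEN_CONF is the form that made named fail to start
# in the thread; FIXED_CONF uses braces and a ';' after every element.
BROKEN_CONF = """
options {
    directory "/var/named";
    allow-recursion (207.151.36.0);
};
"""

FIXED_CONF = """
options {
    directory "/var/named";
    allow-recursion { localhost; 207.151.36.0/24; };
};
"""

# What BIND applies when allow-recursion is not set at all.
DEFAULT_ACL = ["localnets", "localhost"]


def find_allow_recursion(conf):
    """Return the allow-recursion elements as a list, or None if unset.

    Raises ValueError for the parenthesis syntax from the thread, which
    named rejects with "'{' expected".
    """
    if re.search(r"allow-recursion\s*\(", conf):
        raise ValueError("allow-recursion uses ( ); BIND expects { ... };")
    match = re.search(r"allow-recursion\s*\{([^}]*)\}\s*;", conf)
    if match is None:
        return None
    return [e.strip() for e in match.group(1).split(";") if e.strip()]


def client_allowed(elements, client_ip, iface_cidrs):
    """Emulate BIND address-match-list evaluation for one client address.

    elements    -- ACL elements in order, e.g. ["!10.0.0.5", "10.0.0.0/24"]
    client_ip   -- the querying host, as a string
    iface_cidrs -- the server's own interface addresses with prefix length
    The first matching element decides; '!' negates it; no match is refused.
    """
    ip = ipaddress.ip_address(client_ip)
    ifaces = [ipaddress.ip_interface(c) for c in iface_cidrs]
    for elem in elements:
        negate = elem.startswith("!")
        name = elem.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            # the server's own addresses (loopback included)
            hit = ip.is_loopback or any(ip == i.ip for i in ifaces)
        elif name == "localnets":
            # the subnets the server's interfaces sit on
            hit = any(ip in i.network for i in ifaces)
        else:
            # A bare address is a /32 (or /128): it matches one host only.
            # Only a prefix such as 207.151.36.0/24 covers a whole subnet.
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False


def is_open_resolver(elements):
    """True if an un-negated 'any' element would grant recursion to everyone."""
    return any(e.strip() == "any" for e in elements)


def recursion_verdict(conf, client_ip, iface_cidrs):
    """Apply the conf's allow-recursion (or BIND's default) to one client."""
    elements = find_allow_recursion(conf)
    if elements is None:
        elements = DEFAULT_ACL
    return client_allowed(elements, client_ip, iface_cidrs)


if __name__ == "__main__":
    # Assumed: new-dns2 sits on 206.117.115.0/24; oragrid01 on 207.151.36.0/24.
    server = ["206.117.115.93/24"]
    unset = 'options { directory "/var/named"; };'
    for conf_name, conf in (("unset", unset), ("fixed", FIXED_CONF)):
        for client in ("206.117.115.93", "207.151.36.10"):
            print(conf_name, client, recursion_verdict(conf, client, server))
```

Run as a script it prints the four verdicts that reproduce the thread: with allow-recursion unset the server answers itself but refuses 207.151.36.10, and with the corrected list both are served. Feed it the single-host element from this reply, ["207.151.36.0"], and it shows 207.151.36.10 still refused, which is the reason to write the subnet with its prefix length.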
Fwd: Getting an error on a simple DNS configuration
I put the allow-recursion clause under my options, the #service named restart failed. Where exactly should I place this allow-recursion clause?

    [root@new-dns2 ~]# cat /etc/named.conf
    options {
        directory "/var/named";
        allow-recursion (207.151.36.0);
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.127.0.0";
    };
    [root@new-dns2 ~]#

    [root@new-dns2 ~]# service named restart
    Stopping named: .                                          [  OK  ]
    Starting named:
    Error in named configuration:
    /etc/named.conf:3: '{' expected near '(207.151.36.0)'
                                                               [FAILED]
    [root@new-dns2 ~]#