Re: Authoritative for one domain, caching for the rest
On 24.03.21 17:08, Olivier wrote: After reading [1]and many trials, I couldn't figure how to set a Bind9 (9.11.5 on Debian Buster) server to operate this way: - server has two Ethernet interfaces, one connected to foo.lan/ 192.168.51.0/24 domain/network, the other connected to bar.lan/ 192.168.43.0/24 domain/network - I want it to resolve for bar.lan and for anything to query a DNS server available on foo.lan. My anonymized /etc/bind/named.conf.local content is: acl "good-guys" { localnets; }; zone "bar.lan" { type master; file "/etc/bind/db.bar.lan"; forwarders {}; allow-query { "good-guys"; }; }; zone "43.168.192-in-addr.arpa" { type master; file "/etc/bind/rev.43.168.192.in-addr.arpa"; forwarders {}; }; zone "foo.lan" { type master; file "/etc/bind/db.foo.lan"; forwarders { 192.168.51.1; }; }; zone "51.168.192-in-addr.arpa" { type master; file "/etc/bind/rev.51.168.192.in-addr.arpa"; forwarders { 192.168.51.1; }; Resolution works for: bar.lan, google.com host1.foo.lan if entry present in /etc/bind/db.foo.lan but it does not work for: host2.foo.lan if entry not present in /etc/bind/db.foo.lan "file" is used in master and slave zones. "forwarders" is used in "type forward" zones. those are mutually-exclusice, so forwarders aren't used for master and slave zones, while "file" is not used for "type forward" zones. Maybe you want something like dnsmasq? -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. We are but packets in the Internet of life (userfriendly.org) ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Authoritative for one domain, caching for the rest
Hello After reading [1]and many trials, I couldn't figure how to set a Bind9 (9.11.5 on Debian Buster) server to operate this way: - server has two Ethernet interfaces, one connected to foo.lan/ 192.168.51.0/24 domain/network, the other connected to bar.lan/ 192.168.43.0/24 domain/network - I want it to resolve for bar.lan and for anything to query a DNS server available on foo.lan. My anonymized /etc/bind/named.conf.local content is: acl "good-guys" { localnets; }; zone "bar.lan" { type master; file "/etc/bind/db.bar.lan"; forwarders {}; allow-query { "good-guys"; }; }; zone "43.168.192-in-addr.arpa" { type master; file "/etc/bind/rev.43.168.192.in-addr.arpa"; forwarders {}; }; zone "foo.lan" { type master; file "/etc/bind/db.foo.lan"; forwarders { 192.168.51.1; }; }; zone "51.168.192-in-addr.arpa" { type master; file "/etc/bind/rev.51.168.192.in-addr.arpa"; forwarders { 192.168.51.1; }; Resolution works for: bar.lan, google.com host1.foo.lan if entry present in /etc/bind/db.foo.lan but it does not work for: host2.foo.lan if entry not present in /etc/bind/db.foo.lan [1] https://bind9.readthedocs.io/en/latest/configuration.html#sample-configurations Best regards PS: Bind9 9.16.11 is present in Buster Backports. Is worth installing it ? ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Temporarily no name resolution using second/virtual ip address
Hi everybody, for the name resolution in my network I use bind-9.16.6 based on openSuse Leap 15.2. On that server I have two IP addresses configured. The one for the server itself - e.g. 192.168.3.150 - and a second one for the DNS - e.g. 192.168.3.200. If I send DNS-Queries to the IP 192.168.3.150, all queries will be answered. Sending queries to the IP 192.168.3.200, some of them become answered, but most of them not. The DNS-Client like nslookup or dig runs into timeouts. I have increased my debug level and what I see is the following: 17-Mar-2021 22:44:06.079 client: debug 3: client @0x7f063000b180 127.0.0.1#55255: UDP request 17-Mar-2021 22:44:06.079 client: debug 5: client @0x7f063000b180 127.0.0.1#55255: using view '_default' 17-Mar-2021 22:44:06.079 security: debug 3: client @0x7f063000b180 127.0.0.1#55255: request is not signed 17-Mar-2021 22:44:06.079 security: debug 3: client @0x7f063000b180 127.0.0.1#55255: recursion available 17-Mar-2021 22:44:06.079 security: debug 3: client @0x7f063000b180 127.0.0.1#55255 (my.host.domain.de): query 'my.host.domain.de/A/IN' approved 17-Mar-2021 22:44:06.079 security: debug 3: client @0x7f0630007440 127.0.0.1#35797 (my.host.domain.de): reset client 17-Mar-2021 22:44:06.079 security: debug 3: client @0x7f063000b180 127.0.0.1#55255 (my.host.domain.de): reset client My bind-config and examples are attached below. /etc/named.conf options { directory "/var/lib/named"; managed-keys-directory "/var/lib/named/dyn/"; dump-file "/var/log/named_dump.db"; statistics-file "/var/log/named.stats"; forwarders { xxx.xxx.xxx.xxx; }; listen-on port 53 { 127.0.0.1; 192.168.3.150; 192.168.3.200; }; listen-on-v6 { none; }; query-source address 192.168.3.200 port *; transfer-source 192.168.3.200 port 53; allow-query { 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; 192.168.2.0/24; 192.168.3.0/24; 192.168.4.0/24; }; notify no; disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA"; allow-transfer { localhost; 192.168.0.170; }; recursion yes; }; logging { channel default_file { file "/var/log/named.log" size 10m; severity dynamic; print-time yes; print-severity yes; print-category yes; }; category default{ default_file; }; }; zone "." in { type hint; file "root.hint"; }; zone "localhost" in { type master; file "localhost.zone"; }; zone "0.0.127.in-addr.arpa" in { type master; file "127.0.0.zone"; }; include "/etc/bind/zones.conf"; It makes no difference from which subnet the queries come from. For testing I used a server in the same subnet like my DNS is, so there is no firewall or NAT in between. I also captured the network traffic of the DNS-Server and -Client. All I can see is, that the server receives the query from the client, but no response is sent from the server. When I run dig with the +tcp option, all of the queries will be answered. Any idea why named resets the client? Thanks and regard, Jonathan ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users