Re: Authoritative for one domain, caching for the rest

2021-03-24 Thread Matus UHLAR - fantomas

On 24.03.21 17:08, Olivier wrote:

After reading [1] and many trials, I couldn't figure out how to set up a Bind9
(9.11.5 on Debian Buster) server to operate this way:

- server has two Ethernet interfaces, one connected to foo.lan/
192.168.51.0/24 domain/network, the other connected to bar.lan/
192.168.43.0/24 domain/network
- I want it to resolve for bar.lan and for anything to query a DNS server
available on foo.lan.

My anonymized /etc/bind/named.conf.local content is:

acl "good-guys" {
  localnets;
};

zone "bar.lan" {
  type master;
  file "/etc/bind/db.bar.lan";
  forwarders {};
  allow-query { "good-guys"; };
};

zone "43.168.192.in-addr.arpa" {
  type master;
  file "/etc/bind/rev.43.168.192.in-addr.arpa";
  forwarders {};
};

zone "foo.lan" {
  type master;
  file "/etc/bind/db.foo.lan";
  forwarders { 192.168.51.1; };
};

zone "51.168.192.in-addr.arpa" {
  type master;
  file "/etc/bind/rev.51.168.192.in-addr.arpa";
  forwarders { 192.168.51.1; };
};


Resolution works for:
- bar.lan
- google.com
- host1.foo.lan, if the entry is present in /etc/bind/db.foo.lan
but it does not work for:
- host2.foo.lan, if the entry is not present in /etc/bind/db.foo.lan


"file" is used in master and slave zones.
"forwarders" is used in "type forward" zones.

Those are mutually exclusive, so forwarders aren't used for master and
slave zones, while "file" is not used for "type forward" zones.

Maybe you want something like dnsmasq?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
We are but packets in the Internet of life (userfriendly.org)
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Authoritative for one domain, caching for the rest

2021-03-24 Thread Olivier
Hello

After reading [1] and many trials, I couldn't figure out how to set up a Bind9
(9.11.5 on Debian Buster) server to operate this way:

- server has two Ethernet interfaces, one connected to foo.lan/
192.168.51.0/24 domain/network, the other connected to bar.lan/
192.168.43.0/24 domain/network
- I want it to resolve for bar.lan and for anything to query a DNS server
available on foo.lan.

My anonymized /etc/bind/named.conf.local content is:

acl "good-guys" {
   localnets;
};

zone "bar.lan" {
   type master;
   file "/etc/bind/db.bar.lan";
   forwarders {};
   allow-query { "good-guys"; };
};

zone "43.168.192.in-addr.arpa" {
   type master;
   file "/etc/bind/rev.43.168.192.in-addr.arpa";
   forwarders {};
};

zone "foo.lan" {
   type master;
   file "/etc/bind/db.foo.lan";
   forwarders { 192.168.51.1; };
};

zone "51.168.192.in-addr.arpa" {
   type master;
   file "/etc/bind/rev.51.168.192.in-addr.arpa";
   forwarders { 192.168.51.1; };
};


Resolution works for:
- bar.lan
- google.com
- host1.foo.lan, if the entry is present in /etc/bind/db.foo.lan
but it does not work for:
- host2.foo.lan, if the entry is not present in /etc/bind/db.foo.lan

[1]
https://bind9.readthedocs.io/en/latest/configuration.html#sample-configurations

Best regards

PS: Bind9 9.16.11 is present in Buster Backports. Is it worth installing?
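A configuration that does what Olivier's post asks for, applying the point from Matus's reply that "file" belongs to master/slave zones and "forwarders" to "type forward" zones. This is an added example, not the configuration Olivier posted or anything from the BIND project: it reuses the file paths, networks and the upstream resolver 192.168.51.1 from the post, and assumes Debian's usual split where the options block lives in /etc/bind/named.conf.options (loaded before named.conf.local, which is why the options block uses localnets directly rather than the "good-guys" acl defined later).

```conf
// /etc/bind/named.conf.options (relevant lines only; added example)
options {
    directory "/var/cache/bind";

    // Everything this server is not authoritative for (google.com, foo.lan, ...)
    // is sent to the resolver on the foo.lan side; "forward only" stops named
    // from falling back to iterative resolution via the root servers.
    forwarders { 192.168.51.1; };
    forward only;

    // Only hosts on the two directly attached networks may query this server
    // or use it as a recursive resolver; nobody else gets an open resolver.
    allow-query { localnets; };
    allow-recursion { localnets; };

    dnssec-validation auto;   // Debian default, kept here because of the caveat below
};

// /etc/bind/named.conf.local (added example)
acl "good-guys" {
    localnets;
};

// Zones this server owns: plain master zones with a zone file and no forwarders.
zone "bar.lan" {
    type master;
    file "/etc/bind/db.bar.lan";
    allow-query { "good-guys"; };
};

zone "43.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/rev.43.168.192.in-addr.arpa";
    allow-query { "good-guys"; };
};

// Zones owned by the server on foo.lan: forward zones with no local file,
// so host2.foo.lan is asked of 192.168.51.1 instead of being answered from
// an incomplete local copy of the zone.
zone "foo.lan" {
    type forward;
    forward only;
    forwarders { 192.168.51.1; };
};

zone "51.168.192.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.168.51.1; };
};
```

With this layout /etc/bind/db.foo.lan is no longer needed and can be removed, so there is only one source of truth for foo.lan. Two checks worth running after the change: `named-checkconf /etc/bind/named.conf` to catch syntax slips (the original post was missing the closing `};` of the last zone), and `dig @127.0.0.1 host2.foo.lan` from the server itself to confirm the answer now comes via 192.168.51.1. One caveat on the validation line: with dnssec-validation enabled, a validating named treats names under a private top-level label such as .lan as bogus, because the signed root zone proves that "lan" does not exist, and answers forwarded for foo.lan then come back SERVFAIL. BIND 9.16 (the Backports version mentioned in the PS) has `validate-except { "lan"; };` for exactly this case; 9.11 does not, which is one concrete reason the newer package may be worth installing.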


Temporarily no name resolution using second/virtual ip address

2021-03-24 Thread Jonathan via bind-users
Hi everybody,
for the name resolution in my network I use bind-9.16.6 based on openSuse Leap 
15.2. On that server I have two IP addresses configured. The one for the server 
itself - e.g. 192.168.3.150 - and a second one for the DNS - e.g. 
192.168.3.200. 

If I send DNS queries to the IP 192.168.3.150, all queries are
answered. Sending queries to the IP 192.168.3.200, some of them get
answered, but most of them do not. The DNS client, like nslookup or dig, runs into
timeouts.

I have increased my debug level and what I see is the following: 

17-Mar-2021 22:44:06.079 client: debug 3: client @0x7f063000b180 127.0.0.1#55255: UDP request
17-Mar-2021 22:44:06.079 client: debug 5: client @0x7f063000b180 127.0.0.1#55255: using view '_default'
17-Mar-2021 22:44:06.079 security: debug 3: client @0x7f063000b180 127.0.0.1#55255: request is not signed
17-Mar-2021 22:44:06.079 security: debug 3: client @0x7f063000b180 127.0.0.1#55255: recursion available
17-Mar-2021 22:44:06.079 security: debug 3: client @0x7f063000b180 127.0.0.1#55255 (my.host.domain.de): query 'my.host.domain.de/A/IN' approved
17-Mar-2021 22:44:06.079 security: debug 3: client @0x7f0630007440 127.0.0.1#35797 (my.host.domain.de): reset client
17-Mar-2021 22:44:06.079 security: debug 3: client @0x7f063000b180 127.0.0.1#55255 (my.host.domain.de): reset client
My bind-config and examples are attached below. 

/etc/named.conf 

options {
    directory "/var/lib/named";
    managed-keys-directory "/var/lib/named/dyn/";
    dump-file "/var/log/named_dump.db";
    statistics-file "/var/log/named.stats";
    forwarders { xxx.xxx.xxx.xxx; };
    listen-on port 53 { 127.0.0.1; 192.168.3.150; 192.168.3.200; };
    listen-on-v6 { none; };
    query-source address 192.168.3.200 port *;
    transfer-source 192.168.3.200 port 53;
    allow-query { 127.0.0.1; 192.168.0.0/24; 192.168.1.0/24; 192.168.2.0/24;
                  192.168.3.0/24; 192.168.4.0/24; };
    notify no;
    disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
    allow-transfer { localhost; 192.168.0.170; };
    recursion yes;
};

logging {
    channel default_file {
        file "/var/log/named.log" size 10m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category default { default_file; };
};

zone "." in { type hint; file "root.hint"; };
zone "localhost" in { type master; file "localhost.zone"; };
zone "0.0.127.in-addr.arpa" in { type master; file "127.0.0.zone"; };
include "/etc/bind/zones.conf";
It makes no difference which subnet the queries come from. For testing I
used a server in the same subnet as my DNS, so there is no firewall or NAT
in between.
I also captured the network traffic of the DNS server and client. All I can
see is that the server receives the query from the client, but no response is
sent by the server.
When I run dig with the +tcp option, all of the queries will be answered. 

Any idea why named resets the client? Thanks and regards,
Jonathan