Re: migration to new isp - now private addresses showing up publicly?
Hi Mark, it looks like things are fixed!! :-) :-) :-)

Just checking with mxtoolbox now and all lights are green.

Thank you so much, I really appreciate it!

Best Regards,

Kaya

On 5/24/23 00:26, Mark Andrews wrote:

Follow example 4 on <https://kb.isc.org/docs/aa-0085>. You haven't got named to read the keys into named.conf nor told named to use the keys for notify and zone transfers. Also just use TSIG in your allow-transfer acls.

include "external.key";
include "internal.key";

masters { 10.0.0.1 key external; };
masters { 10.0.0.1 key internal; };

also-notify { 10.0.0.2 key external; };
also-notify { 10.0.0.2 key internal; };

allow-transfer { key external; };
allow-transfer { key internal; };

Mark

On 24 May 2023, at 08:13, Kaya Saman wrote:

Not sure if I did something wrong? Unfortunately the same thing has happened, the internal zone file got transferred as the external zone file?

I followed your suggestion and this article here: https://bind9.readthedocs.io/en/v9_18_4/chapter6.html which I think you mentioned at the bottom?

I created keys called internal. and external. from the example in the docs:

$ tsig-keygen host1-host2. > host1-host2.key

They got stored in files called external.key and internal.key within the namedb directory.

So my named.conf file now contains:

acl internals { 127.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12; 10.0.0.0/8; };
acl all-keys { key internal.; key external.; };

I then referenced the keys like so on the master for both internal and external views (I'm only showing external in this example):

view "external" {
    match-clients { key external.; !all-keys; !internals; any; };
    allow-recursion { 127.0.0.1; };
    zone "domain.com" {
        type master;
        file "/var/named/var/named/domain-external.db";
        notify explicit;
        also-notify { int_dns2; int_dns3; };
        allow-transfer { int_dns2; int_dns3; };
        allow-query { ext_dns2; ext_dns3; !internals; any; };
        allow-update { key external.; };
    };
};

and on the slave:

view "external" {
    match-clients { key external.; !all-keys; !internals; any; };
    allow-recursion { 127.0.0.1; };
    zone "domain.com" {
        type slave;
        file "/var/named/var/named/domain-external.db";
        masters { int_dns1; };
        // allow-notify { ext_dns1; };
        allow-query { int_dns1; !internals; any; };
    };
};

I'm sure there are extra steps needed which I have omitted somewhere??

On 5/23/23 22:03, Mark Andrews wrote:

Use different TSIG keys rather than IP address to select which view matches for notify and zone transfers.

acl all-keys { key internal; key external; };
match-clients { key internal; !all-keys; … };

The !all-keys is to prevent matching by IP for the listed keys. Do similar for all views. Then add keys to primary definitions and server clauses with keys at the view level for notify.

I'm pretty sure there is a knowledge base article with full details.

-- 
Mark Andrews

On 24 May 2023, at 05:40, Kaya Saman wrote:
On 5/23/23 20:18, Sten Carlsen wrote:
On 23 May 2023, at 19.46, Kaya Saman wrote:
On 5/23/23 18:07, Sten Carlsen wrote:
On 23 May 2023, at 19.00, Kaya Saman wrote:
On 5/23/23 12:47, Matus UHLAR - fantomas wrote:
On 23.05.23 12:22, Kaya Saman wrote:

I've got a very strange problem that has emerged somehow after migrating my ISP.

My setup previously used 2x servers in master/slave configuration for my public "view" and then had 3x servers for the "internal" view. This was working fine for years and I have been regularly testing using online DNS healthcheck sites such as mxtoolbox etc...

Now when I try to run any type of check from mxtoolbox or other site, e.g. https://dnschecker.org/, I am getting my private IPs showing instead of the public ones?

Initially it started off by my external zone files not transferring, which I managed to see that the information was trying to traverse my NAT (I know, not the best practice to have all DNS servers on the same network).

As a result external emails from my mail server are not working too well, with a hit and miss type thing going on right now.

Just to go over, my zone files are fine as the 'external' ones only have public IP addresses in them and do not include any type of internal addressing whatsoever.

Here's an example of the config in named.conf for the master:

view "external" { match-clients { !internals; any; }; [...]

view "external" { match-clients { !internals; any; };

I don't see your definition of "internals". Also, I don't see your definition of internal view.

If internal IP addresses are visible on the internet, obviously the internet sources fall into your internal view, not into this one.

Finally, I under
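The following named.conf sketch is an added example, not a configuration posted in the thread or supplied by ISC. It puts Mark Andrews' advice together in one place: the key files generated with `tsig-keygen internal.` and `tsig-keygen external.` are read into named.conf with `include`, each view's `match-clients` selects on the key first and refuses the other keys with `!all-keys`, and `also-notify`, `masters` and `allow-transfer` carry the key instead of an address. The addresses 10.0.0.1 (primary) and 10.0.0.2 (secondary), the key file paths, "domain.com" and the zone file names are placeholders; the syntax is the BIND 9.16 form the thread uses (`type master`/`type slave`, `masters`).

```conf
// ---- named.conf on the primary (10.0.0.1) ----
// Each include defines one key statement: key "internal." { ... } / key "external." { ... }.
// The same secret must be present on the secondary under the same key name.
include "/usr/local/etc/namedb/internal.key";
include "/usr/local/etc/namedb/external.key";

acl internals { 127.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12; 10.0.0.0/8; };
acl all-keys  { key internal.; key external.; };

view "internal" {
    // signed with the internal key -> this view; signed with any other listed
    // key -> refused here (falls through); unsigned -> decided by source address
    match-clients { key internal.; !all-keys; internals; };
    zone "domain.com" {
        type master;
        file "/var/named/var/named/domain.db";
        notify explicit;
        also-notify { 10.0.0.2 key internal.; };   // NOTIFY is signed with internal.
        allow-transfer { key internal.; };         // AXFR/IXFR only for holders of internal.
    };
};

view "external" {
    match-clients { key external.; !all-keys; !internals; any; };
    allow-recursion { 127.0.0.1; };
    zone "domain.com" {
        type master;
        file "/var/named/var/named/domain-external.db";
        notify explicit;
        also-notify { 10.0.0.2 key external.; };   // NOTIFY is signed with external.
        allow-transfer { key external.; };
    };
};

// ---- named.conf on the secondary (10.0.0.2) ----
// Same includes and acls as above, then:
view "internal" {
    match-clients { key internal.; !all-keys; internals; };
    zone "domain.com" {
        type slave;
        file "/var/named/var/named/domain.db";
        masters { 10.0.0.1 key internal.; };       // SOA refresh and transfer requests signed with internal.
        allow-notify { key internal.; };
    };
};

view "external" {
    match-clients { key external.; !all-keys; !internals; any; };
    allow-recursion { 127.0.0.1; };
    zone "domain.com" {
        type slave;
        file "/var/named/var/named/domain-external.db";
        masters { 10.0.0.1 key external.; };       // signed with external., so the primary picks the external view
        allow-notify { key external.; };
    };
};
```

Because the secondary signs its refresh queries and transfer requests with the key named in `masters`, the primary's `match-clients` selects the view by key before any address element is consulted, so the two servers being on the same private network (or behind NAT) no longer matters for view selection. `named-checkconf` on each host catches syntax slips such as a missing trailing dot in a key name, and a transfer of the wrong zone file into the wrong view, the symptom in the thread, cannot occur as long as the two keys differ.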
Re: migration to new isp - now private addresses showing up publicly?
Not sure if I did something wrong? Unfortunately the same thing has happened, the internal zone file got transferred as the external zone file?

I followed your suggestion and this article here: https://bind9.readthedocs.io/en/v9_18_4/chapter6.html which I think you mentioned at the bottom?

I created keys called internal. and external. from the example in the docs:

$ tsig-keygen host1-host2. > host1-host2.key

They got stored in files called external.key and internal.key within the namedb directory.

So my named.conf file now contains:

acl internals { 127.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12; 10.0.0.0/8; };
acl all-keys { key internal.; key external.; };

I then referenced the keys like so on the master for both internal and external views (I'm only showing external in this example):

view "external" {
    match-clients { key external.; !all-keys; !internals; any; };
    allow-recursion { 127.0.0.1; };
    zone "domain.com" {
        type master;
        file "/var/named/var/named/domain-external.db";
        notify explicit;
        also-notify { int_dns2; int_dns3; };
        allow-transfer { int_dns2; int_dns3; };
        allow-query { ext_dns2; ext_dns3; !internals; any; };
        allow-update { key external.; };
    };
};

and on the slave:

view "external" {
    match-clients { key external.; !all-keys; !internals; any; };
    allow-recursion { 127.0.0.1; };
    zone "domain.com" {
        type slave;
        file "/var/named/var/named/domain-external.db";
        masters { int_dns1; };
        // allow-notify { ext_dns1; };
        allow-query { int_dns1; !internals; any; };
    };
};

I'm sure there are extra steps needed which I have omitted somewhere??

On 5/23/23 22:03, Mark Andrews wrote:

Use different TSIG keys rather than IP address to select which view matches for notify and zone transfers.

acl all-keys { key internal; key external; };
match-clients { key internal; !all-keys; … };

The !all-keys is to prevent matching by IP for the listed keys. Do similar for all views. Then add keys to primary definitions and server clauses with keys at the view level for notify.

I'm pretty sure there is a knowledge base article with full details.

-- 
Mark Andrews

On 24 May 2023, at 05:40, Kaya Saman wrote:
On 5/23/23 20:18, Sten Carlsen wrote:
On 23 May 2023, at 19.46, Kaya Saman wrote:
On 5/23/23 18:07, Sten Carlsen wrote:
On 23 May 2023, at 19.00, Kaya Saman wrote:
On 5/23/23 12:47, Matus UHLAR - fantomas wrote:
On 23.05.23 12:22, Kaya Saman wrote:

I've got a very strange problem that has emerged somehow after migrating my ISP.

My setup previously used 2x servers in master/slave configuration for my public "view" and then had 3x servers for the "internal" view. This was working fine for years and I have been regularly testing using online DNS healthcheck sites such as mxtoolbox etc...

Now when I try to run any type of check from mxtoolbox or other site, e.g. https://dnschecker.org/, I am getting my private IPs showing instead of the public ones?

Initially it started off by my external zone files not transferring, which I managed to see that the information was trying to traverse my NAT (I know, not the best practice to have all DNS servers on the same network).

As a result external emails from my mail server are not working too well, with a hit and miss type thing going on right now.

Just to go over, my zone files are fine as the 'external' ones only have public IP addresses in them and do not include any type of internal addressing whatsoever.

Here's an example of the config in named.conf for the master:

view "external" { match-clients { !internals; any; }; [...]

view "external" { match-clients { !internals; any; };

I don't see your definition of "internals". Also, I don't see your definition of internal view.

If internal IP addresses are visible on the internet, obviously the internet sources fall into your internal view, not into this one.

Finally, I understand what is going on and things get stranger. The internal IP addressing is being served up by the slave servers. They seem to have pulled the file domain.db and renamed it to domain-external.db??? Of course the 'master' machine is already serving up domain-external.db to the public domain. This has the correct IP addressing with everything else such as DKIM and DMARC.

So, currently I think the whole problem is stemming from the fact that the zone transfers are not working correctly for my external view between 'master' and 'slave' servers. How can I do that without needing to traverse my NAT?

When migrating ISP, are you sure that there is not another NAT in the ISP router? That would explain this. The internet would present itself as 192.168.xx.xx and
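Mark Andrews' remark that `!all-keys` "is to prevent matching by IP for the listed keys" is easiest to see by running BIND's address-match-list rules over a few requests. The script below is an added illustration, not BIND code: it models the first-match evaluation of `match-clients` (a `key` element matches only a request signed with that TSIG key, a negated element refuses, a nested ACL counts only when it matches positively, and views are tried in named.conf order) and compares the thread's external view with and without the `!all-keys` element. The `internal` view's match list, the `Request` type, the sample addresses (10.0.0.x and the TEST-NET address 203.0.113.7) and the function names are all constructed here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """A query, NOTIFY or transfer request as the view selector sees it."""
    src: str                   # source IP address
    key: Optional[str] = None  # name of the TSIG key the request is signed with, if any


# ACLs as they appear in the thread's named.conf
ACLS: Dict[str, List[str]] = {
    "internals": ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"],
    "all-keys": ["key internal.", "key external."],
}


def _keyname(name: str) -> str:
    # TSIG key names are domain names: "internal." and "internal" name the same key
    return name.strip().rstrip(".").lower()


def match_list(aml: List[str], req: Request, acls: Dict[str, List[str]] = ACLS) -> Optional[bool]:
    """First-match evaluation of an address match list.

    Returns True for a positive match (the list selects/allows the request),
    False for a negated match (explicitly refused) and None when nothing
    matched, which access-control lists also treat as refused.
    """
    for elem in aml:
        negated = elem.startswith("!")
        body = elem.lstrip("!").strip()
        if body == "any":
            hit = True
        elif body == "none":
            hit = False
        elif body.startswith("key "):
            hit = req.key is not None and _keyname(req.key) == _keyname(body[4:])
        elif body in acls:
            # a nested list is a hit only when it matches positively
            hit = match_list(acls[body], req, acls) is True
        else:
            hit = ipaddress.ip_address(req.src) in ipaddress.ip_network(body, strict=False)
        if hit:
            return not negated
    return None


def select_view(views: List[Tuple[str, List[str]]], req: Request,
                acls: Dict[str, List[str]] = ACLS) -> Optional[str]:
    """Views are tried in named.conf order; the first positive match-clients wins."""
    for name, aml in views:
        if match_list(aml, req, acls) is True:
            return name
    return None  # no view matched: named refuses the request


# External view as posted in the thread; internal view constructed the way
# Mark suggests ("do similar for all views").
VIEWS_WITH_ALLKEYS = [
    ("external", ["key external.", "!all-keys", "!internals", "any"]),
    ("internal", ["key internal.", "!all-keys", "internals"]),
]
# The same views with the !all-keys guard removed, to show what it prevents.
VIEWS_WITHOUT_ALLKEYS = [
    ("external", ["key external.", "!internals", "any"]),
    ("internal", ["key internal.", "internals"]),
]


def compare(req: Request) -> Tuple[Optional[str], Optional[str]]:
    """(view chosen with !all-keys, view chosen without it) for one request."""
    return select_view(VIEWS_WITH_ALLKEYS, req), select_view(VIEWS_WITHOUT_ALLKEYS, req)


if __name__ == "__main__":
    # constructed sample requests
    for req in [
        Request("10.0.0.2", "external."),     # LAN secondary, external key
        Request("10.0.0.2", "internal."),     # LAN secondary, internal key
        Request("10.0.0.5"),                  # unsigned LAN client
        Request("203.0.113.7"),               # unsigned internet client
        Request("203.0.113.7", "internal."),  # internal key arriving from a public address
    ]:
        with_guard, without_guard = compare(req)
        print(f"{req.src:<14} key={str(req.key):<10} with !all-keys -> {with_guard:<8} "
              f"without -> {without_guard}")
```

The one request the two configurations treat differently is the last: a request signed with the internal key but arriving from a public source address (which is what a NAT between the two servers produces). With `!all-keys` it is refused by the external view and served by the internal one, so the key alone decides; without it the external view's trailing `any` claims it, and the internal zone data would be served from, or transferred into, the external view.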
Re: migration to new isp - now private addresses showing up publicly?
On 5/23/23 20:18, Sten Carlsen wrote:
On 23 May 2023, at 19.46, Kaya Saman wrote:
On 5/23/23 18:07, Sten Carlsen wrote:
On 23 May 2023, at 19.00, Kaya Saman wrote:
On 5/23/23 12:47, Matus UHLAR - fantomas wrote:
On 23.05.23 12:22, Kaya Saman wrote:

I've got a very strange problem that has emerged somehow after migrating my ISP.

My setup previously used 2x servers in master/slave configuration for my public "view" and then had 3x servers for the "internal" view. This was working fine for years and I have been regularly testing using online DNS healthcheck sites such as mxtoolbox etc...

Now when I try to run any type of check from mxtoolbox or other site, e.g. https://dnschecker.org/, I am getting my private IPs showing instead of the public ones?

Initially it started off by my external zone files not transferring, which I managed to see that the information was trying to traverse my NAT (I know, not the best practice to have all DNS servers on the same network).

As a result external emails from my mail server are not working too well, with a hit and miss type thing going on right now.

Just to go over, my zone files are fine as the 'external' ones only have public IP addresses in them and do not include any type of internal addressing whatsoever.

Here's an example of the config in named.conf for the master:

view "external" { match-clients { !internals; any; }; [...]

view "external" { match-clients { !internals; any; };

I don't see your definition of "internals". Also, I don't see your definition of internal view.

If internal IP addresses are visible on the internet, obviously the internet sources fall into your internal view, not into this one.

Finally, I understand what is going on and things get stranger. The internal IP addressing is being served up by the slave servers. They seem to have pulled the file domain.db and renamed it to domain-external.db??? Of course the 'master' machine is already serving up domain-external.db to the public domain. This has the correct IP addressing with everything else such as DKIM and DMARC.

So, currently I think the whole problem is stemming from the fact that the zone transfers are not working correctly for my external view between 'master' and 'slave' servers. How can I do that without needing to traverse my NAT?

When migrating ISP, are you sure that there is not another NAT in the ISP router? That would explain this. The internet would present itself as 192.168.xx.xx and match your internals.

I can certainly ask. Though I am on a business package with multiple static public IPv4 addresses. I think I have a /28 block if memory serves me well.

You might find that it has some kind of address translation built-in "to protect your business" or whatever. To me it still smells that way. You might look at the IP address for the port you think is the internet - if that has a 192.168.x.x or 172.16.x.x or 10.x.x.x address it would be clear that is what your problem is. It can still be solved but other setup details will be needed.

I'm not sure what you mean by "port to the internet"?

The actual DNS servers themselves don't have a public IP address. They are all running internal addressing and have been for many years; in other words the address on the NIC itself is private. What I am doing is using NAT/PAT to translate the public address to the private address of the server itself.

So essentially on my side I am doing int_dns -> ext_dns -> internet

Reverse then becomes internet -> ext_dns (port 53 udp/tcp) -> int_dns (port 53 udp/tcp)

That's how I am handling things. I wonder if that is the cause or if there is something that my ISP has in place? Hence the fact that I'm using "views" to differentiate between 'internal' and 'external' addresses.

Actually I did run a tcpdump on the server and my firewall/gateway both and the addresses coming in are both from public domain. No internal addressing hitting the server WAN side; even when my NAT/PAT translates my ext_ip to int_ip, the public address of say the mxtoolbox checker is still there.

I should know in a few days if there is anything my ISP is doing in the middle. But* I really am not sure if it is something that I am doing within the config, though I have posted pretty much all of my named.conf file up.

Though it still doesn't explain how the IP addresses keep 'flapping' - especially in mxtoolbox using the DNS Check. Sometimes I see internal addresses and sometimes I see external addresses?? It just seems like a random occurrence really unless I badly misconfigured something?

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: migration to new isp - now private addresses showing up publicly?
On 5/23/23 18:07, Sten Carlsen wrote:
On 23 May 2023, at 19.00, Kaya Saman wrote:
On 5/23/23 12:47, Matus UHLAR - fantomas wrote:
On 23.05.23 12:22, Kaya Saman wrote:

I've got a very strange problem that has emerged somehow after migrating my ISP.

My setup previously used 2x servers in master/slave configuration for my public "view" and then had 3x servers for the "internal" view. This was working fine for years and I have been regularly testing using online DNS healthcheck sites such as mxtoolbox etc...

Now when I try to run any type of check from mxtoolbox or other site, e.g. https://dnschecker.org/, I am getting my private IPs showing instead of the public ones?

Initially it started off by my external zone files not transferring, which I managed to see that the information was trying to traverse my NAT (I know, not the best practice to have all DNS servers on the same network).

As a result external emails from my mail server are not working too well, with a hit and miss type thing going on right now.

Just to go over, my zone files are fine as the 'external' ones only have public IP addresses in them and do not include any type of internal addressing whatsoever.

Here's an example of the config in named.conf for the master:

view "external" { match-clients { !internals; any; }; [...]

view "external" { match-clients { !internals; any; };

I don't see your definition of "internals". Also, I don't see your definition of internal view.

If internal IP addresses are visible on the internet, obviously the internet sources fall into your internal view, not into this one.

Finally, I understand what is going on and things get stranger. The internal IP addressing is being served up by the slave servers. They seem to have pulled the file domain.db and renamed it to domain-external.db??? Of course the 'master' machine is already serving up domain-external.db to the public domain. This has the correct IP addressing with everything else such as DKIM and DMARC.

So, currently I think the whole problem is stemming from the fact that the zone transfers are not working correctly for my external view between 'master' and 'slave' servers. How can I do that without needing to traverse my NAT?

When migrating ISP, are you sure that there is not another NAT in the ISP router? That would explain this. The internet would present itself as 192.168.xx.xx and match your internals.

I can certainly ask. Though I am on a business package with multiple static public IPv4 addresses. I think I have a /28 block if memory serves me well.

The crazy thing is that I am using the DNS check tool from mxtoolbox. So far it's telling me:

Bad Glue Detected
Parent server gave glue for ns2.domain.com to be int_dns2 but we resolve that hostname to ext_dns2

Another weird issue is that it's reading the serial from the zone file to be:

Serial numbers match 2022022801

That's my 'internal' zone! Not the 'external' zone, and it should not be anywhere on the public internet at all.

Currently I tried putting this into my master config:

zone "domain.com" {
    type master;
    file "/var/named/var/named/domain-external.db";
    notify explicit;
    also-notify { int_dns2; int_dns3; };
    allow-transfer { ext_dns2; ext_dns3; };
    allow-query { ext_dns2; ext_dns3; !internals; any; };
};

And this into my slave config:

zone "domain.com" {
    type slave;
    file "/var/named/var/named/domain-external.db";
    masters { ext_dns1; };
    // allow-notify { ext_dns1; };
    allow-query { int_dns1; !internals; any; };
};

But it doesn't seem to mesh up? The general.log file is telling me this:

zone domain.com/IN/external: refresh: retry limit for master ext_dns1#53 exceeded (source 0.0.0.0#0)
Re: migration to new isp - now private addresses showing up publicly?
On 5/23/23 12:47, Matus UHLAR - fantomas wrote:
On 23.05.23 12:22, Kaya Saman wrote:

I've got a very strange problem that has emerged somehow after migrating my ISP.

My setup previously used 2x servers in master/slave configuration for my public "view" and then had 3x servers for the "internal" view. This was working fine for years and I have been regularly testing using online DNS healthcheck sites such as mxtoolbox etc...

Now when I try to run any type of check from mxtoolbox or other site, e.g. https://dnschecker.org/, I am getting my private IPs showing instead of the public ones?

Initially it started off by my external zone files not transferring, which I managed to see that the information was trying to traverse my NAT (I know, not the best practice to have all DNS servers on the same network).

As a result external emails from my mail server are not working too well, with a hit and miss type thing going on right now.

Just to go over, my zone files are fine as the 'external' ones only have public IP addresses in them and do not include any type of internal addressing whatsoever.

Here's an example of the config in named.conf for the master:

view "external" { match-clients { !internals; any; }; [...]

view "external" { match-clients { !internals; any; };

I don't see your definition of "internals". Also, I don't see your definition of internal view.

If internal IP addresses are visible on the internet, obviously the internet sources fall into your internal view, not into this one.

Finally, I understand what is going on and things get stranger. The internal IP addressing is being served up by the slave servers. They seem to have pulled the file domain.db and renamed it to domain-external.db??? Of course the 'master' machine is already serving up domain-external.db to the public domain. This has the correct IP addressing with everything else such as DKIM and DMARC.

So, currently I think the whole problem is stemming from the fact that the zone transfers are not working correctly for my external view between 'master' and 'slave' servers. How can I do that without needing to traverse my NAT?

Currently I tried putting this into my master config:

zone "domain.com" {
    type master;
    file "/var/named/var/named/domain-external.db";
    notify explicit;
    also-notify { int_dns2; int_dns3; };
    allow-transfer { ext_dns2; ext_dns3; };
    allow-query { ext_dns2; ext_dns3; !internals; any; };
};

And this into my slave config:

zone "domain.com" {
    type slave;
    file "/var/named/var/named/domain-external.db";
    masters { ext_dns1; };
    // allow-notify { ext_dns1; };
    allow-query { int_dns1; !internals; any; };
};

But it doesn't seem to mesh up? The general.log file is telling me this:

zone domain.com/IN/external: refresh: retry limit for master ext_dns1#53 exceeded (source 0.0.0.0#0)
Re: migration to new isp - now private addresses showing up publicly?
On 5/23/23 12:47, Matus UHLAR - fantomas wrote:
On 23.05.23 12:22, Kaya Saman wrote:

I've got a very strange problem that has emerged somehow after migrating my ISP.

My setup previously used 2x servers in master/slave configuration for my public "view" and then had 3x servers for the "internal" view. This was working fine for years and I have been regularly testing using online DNS healthcheck sites such as mxtoolbox etc...

Now when I try to run any type of check from mxtoolbox or other site, e.g. https://dnschecker.org/, I am getting my private IPs showing instead of the public ones?

Initially it started off by my external zone files not transferring, which I managed to see that the information was trying to traverse my NAT (I know, not the best practice to have all DNS servers on the same network).

As a result external emails from my mail server are not working too well, with a hit and miss type thing going on right now.

Just to go over, my zone files are fine as the 'external' ones only have public IP addresses in them and do not include any type of internal addressing whatsoever.

Here's an example of the config in named.conf for the master:

view "external" { match-clients { !internals; any; }; [...]

view "external" { match-clients { !internals; any; };

I don't see your definition of "internals". Also, I don't see your definition of internal view.

If internal IP addresses are visible on the internet, obviously the internet sources fall into your internal view, not into this one.

Hi, I omitted those but here they are:

acl internals { 127.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12; 10.0.0.0/8; };

// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines out.
disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.

// The traditional root hints mechanism. Use this, OR the slave zones below.
zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };

// RFCs 1912, 5735 and 6303 (and BCP 32 for localhost)
zone "localhost" { type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };

// RFC 1912-style zone for IPv6 localhost address (RFC 6303)
zone "0.ip6.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };

// "This" Network (RFCs 1912, 5735 and 6303)
zone "0.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };

// Private Use Networks (RFCs 1918, 5735 and 6303)
zone "10.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "16.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "17.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "18.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "19.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "20.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "21.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "22.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "23.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "24.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "25.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "26.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "27.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "28.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };
zone "29.172.in-addr.arpa" { type master; file "/usr/local/etc/namedb
migration to new isp - now private addresses showing up publicly?
Hi,

I've got a very strange problem that has emerged somehow after migrating my ISP.

My setup previously used 2x servers in master/slave configuration for my public "view" and then had 3x servers for the "internal" view. This was working fine for years and I have been regularly testing using online DNS healthcheck sites such as mxtoolbox etc...

Now when I try to run any type of check from mxtoolbox or other site, e.g. https://dnschecker.org/, I am getting my private IPs showing instead of the public ones?

Initially it started off by my external zone files not transferring, which I managed to see that the information was trying to traverse my NAT (I know, not the best practice to have all DNS servers on the same network).

As a result external emails from my mail server are not working too well, with a hit and miss type thing going on right now.

Just to go over, my zone files are fine as the 'external' ones only have public IP addresses in them and do not include any type of internal addressing whatsoever.

Here's an example of the config in named.conf for the master:

view "external" {
    match-clients { !internals; any; };
    allow-recursion { 127.0.0.1; };
    zone "domain.com" {
        type master;
        file "/var/named/var/named/domain-external.db";
        notify yes;
        also-notify { pub_dns2; pub_dns3; };
        allow-transfer { pub_dns2; pub_dns3; };
        allow-query { pub_dns2; pub_dns3; !internals; any; };
    };
    ... ;

This shows the slave:

view "external" {
    match-clients { !internals; any; };
    allow-recursion { 127.0.0.1; };
    zone "domain.com" {
        type slave;
        file "/var/named/var/named/domain-external.db";
        masters { pub_dns1; };
        allow-notify { pub_dns1; };
        allow-query { pub_dns1; !internals; any; };
    };
    ... ;

Both have the !internals macro there, so the servers should not throw up anything from the 'internal' view. It doesn't make sense that mxtoolbox and others, even sending mail from Google, see the private address of the machine?

There's no chroot environment either, contrary to the file path... I converted this back to normal many years ago when I started using Jails.

Additionally, for the domain to transfer using the internal (private) network, do I need to change the 'allow-transfer' portion to the private addresses? I have read around a little bit but wasn't quite sure, though someone did suggest to use the 'notify explicit' statement, though I'm not sure of the difference exactly. Closest read on that I could find is from here: https://www.zytrax.com/books/dns/ch7/xfer.html#notify

Is it possible to suggest anything to get my servers working properly again?

I'm running version 9.16.40 on the master and 9.16.39 on both slaves, all built from FreeBSD ports.

Regards,

Kaya
Re: How can I fake a part of domain?
[...]

Erm, are you *sure* that you want to do this? Really really sure? It's probably a bad idea, but

Step 1: Make yourself authoritative for www2, www3 -- in named.conf:

zone www2.example.com { type master; file /etc/namedb/www2.example.com; };
zone www3.example.com { type master; file /etc/namedb/www3.example.com; };

Step 2: Make zone files www2.example.com (and obviously, www3):

$TTL 1h
www2.example.com. IN SOA localhost ( hostmaster.localhost 2010062700 1h 15m 4w 1h )
                  NS  localhost.
                  A   11.11.11.11

Step 3: Repeat

This was a bad idea and I feel dirty...

W

[...]

Just on the ethical side of this, to stray away from the technical discussion if I may:

The local telco and backbone ISP in the country I live in (not mentioning which one) has done this to block YouTube and Google, even due to some ridiculous court ruling in that they offend the country or some rubbish like that??

Originally it was easy to get around by using a different recursive DNS resolver, and of course having one's own DNS servers directly resolving the 'hinted root zone' helps tremendously; however most people just used Google's public DNS servers.

Anyway, now they've done a complete ACL block on the system so the IP addresses even get routed to different destinations or denied altogether!! Means no more music vids for the nation :-(

Only way round it is a VPN IPsec tunnel into a different geo location and re-route the proper IP addresses and domains to a remote gateway.

Regards,

Kaya
Re: Best way to run Bind on public DNS servers??
Jason Fesler wrote:
On Jan 11, 2010, at 9:39 AM, Kaya Saman wrote:

Hi, since I got no responses for this question could I rephrase it to asking if Bind will do a zone transfer over the public internet if the servers have private IP addresses and are behind NAT with static port definitions?

Tell bind to slave from the public IP that is forwarded to the private side.

Thanks Jason!

Will this work, as Bind will examine the packet and will have a different IP in the sendto: part? Otherwise it is easy if it can actually be done this way :-)

Regards,

Kaya
Re: Best way to run Bind on public DNS servers??
Jason Fesler wrote:
On Jan 14, 2010, at 3:00 AM, Kaya Saman wrote:

Thanks Jason!

Will this work, as Bind will examine the packet and will have a different IP in the sendto: part?

If your firewall/NAT is forwarding a public address to your private internal address, it will rewrite the packets in order to do so, to reach the private internal address. You can use tcpdump to confirm the traffic seen by either dns server.

Many thanks Jason for the support!

Since everyone has mentioned I can do this, I'm certain it will be a swift and easy job for my migration!

Best regards,

Kaya
Re: Best way to run Bind on public DNS servers??
Kaya Saman wrote:
> Hi all, this is the first time I'm going to be playing around with a setup like this so I'd like to get some advice:
>
> I would like to run a master/slave configuration of Bind servers but am confused about how to implement such a setup and the underlying network fabric involved!!
>
> First up, currently in my lab I am running an authoritative DNS server through NAT so when people make queries it goes through port 53 on my Cisco 857's ADSL interface then reaches the server with an internal private IP address.
>
> I know that I can use 2 different public IP addresses and implement this via NAT opening up static NAT definitions from both WAN IP's to internal private IP's of the servers; however, is this the best practice or should I give the servers public addresses on one of their NICs then run the named service from there???
>
> I plan to upgrade to a Cisco 1800 series which has two routable ports in either Ethernet or ADSL and Ethernet configurations and has a managed 8 port switch which I am sure can be included to be outside the NAT making it easy to tie the servers in to the network.
>
> I've never dealt with a setup like this before as everything I've done so far has been behind NAT so I'm a little confused about how to go about it. I know this is probably more of a thing for the Cisco Netpro forum but since I am going to be dealing with Bind there may be a way I can get around with NAT depending on what the experts or more experienced people say!
>
> Many thanks for any responses!
>
> Best regards,
> Kaya

Hi, since I got no responses for this question could I rephrase it to asking if Bind will do a zone transfer over public internet if the servers have private IP addresses and are behind NAT with static port definitions?

Regards,
Kaya

P.s. as an extra what or how is the best way to learn about DNS? Of course on this mailing list there are many pros and knowledgeable people but for someone like me who is keen and enthusiastic but hasn't had the opportunity to work for a company that deals in DNS, network design or data centers I find myself with more questions than answers! Basically no professional experience is what's holding me back I feel -

Thanks
Best way to run Bind on public DNS servers??
Hi all, this is the first time I'm going to be playing around with a setup like this so I'd like to get some advice:

I would like to run a master/slave configuration of Bind servers but am confused about how to implement such a setup and the underlying network fabric involved!!

First up, currently in my lab I am running an authoritative DNS server through NAT so when people make queries it goes through port 53 on my Cisco 857's ADSL interface then reaches the server with an internal private IP address.

I know that I can use 2 different public IP addresses and implement this via NAT opening up static NAT definitions from both WAN IP's to internal private IP's of the servers; however, is this the best practice or should I give the servers public addresses on one of their NICs then run the named service from there???

I plan to upgrade to a Cisco 1800 series which has two routable ports in either Ethernet or ADSL and Ethernet configurations and has a managed 8 port switch which I am sure can be included to be outside the NAT making it easy to tie the servers in to the network.

I've never dealt with a setup like this before as everything I've done so far has been behind NAT so I'm a little confused about how to go about it. I know this is probably more of a thing for the Cisco Netpro forum but since I am going to be dealing with Bind there may be a way I can get around with NAT depending on what the experts or more experienced people say!

Many thanks for any responses!

Best regards,
Kaya
Re: Best way to run Bind on public DNS servers??
Sorry, just to mention in addition that I currently run a master/slave configuration for internal DNS queries within the NAT!

Since the current location of servers has only one static IP available I have only exposed one of the servers to the web but in the new location I plan to get as many IP addresses as needed so that each one of my servers has its own public IP!
Re: Resolving an internal IP address for a domain from an external DNS server?
Ok I will try to explain with a diagram as I'm pretty certain that still no one gets what I'm on about:

    +------------------+                     +------------------+
    | Remote Network   |                     | Local Network    |
    | DNS server       |                     | radio server     |
    | local subnets:   |                     | local subnets:   |
    | 192.168.0.0/22   |     +----------+    | 192.168.1.0/24   |
    | public IP:       |-----| Internet |----| public IP:       |
    | 81.178.2.118     |     +----------+    | 212.156.209.87   |
    +------------------+                     +------------------+

    DNS server A record:     ns1.optiplex-networks.com
    Radio server A record:   rd1.optiplex-networks.com
    DNS server IP address:   192.168.1.100
    Radio server IP address: 192.168.1.100
    DNS server connected to internet via NAT on main gateway

I have a laptop in my local network, of which the radio server is also on that network.

Basically I would like to know if it is possible to use the DNS server in the remote network to be authoritative for the radio server in the local network! So that if I point my laptop's /etc/resolv.conf file to 81.178.2.118 and do an nslookup for rd1.optiplex-networks.com it will give me a result of 192.168.1.100

As mentioned I have already tried this and failed dramatically as I get an error of the server not being found. All other queries work however!

Is this even possible or do I need a local DNS server which is authoritative for both domains in the local network??

Currently as shown before I have 1 master zone on the remote DNS server with A records all pointing to the remote network but the local A records pointing to the local network. Also I have a separate view for the local network as well to be able to lookup hinted root servers as well as authoritative domains in the zone file.

Apologies if I'm mixing things up however I am not that advanced with Bind and up till now only used it for simple things!

Many thanks and best regards,
Kaya
Re: Resolving an internal IP address for a domain from an external DNS server?
Ok I think I've figured this out as I did a little test to change the IP within the remote authoritative DNS server to 172.16.1.100. Of course there is no machine at that IP address within my networks but there was some address confusion as the DNS server had the same IP address as the radio server!!! Which is probably the main reason for nothing resolving!

Badly or poorly designed network infrastructure on my behalf (at least this wasn't a fully professional production environment otherwise I would lose my job and be frowned at by the whole industry). Time to change the local subnet for me!

Again apologies for poor description and messing up so poorly - just hope that I haven't disgraced CCNA graduates too badly :-P

Thanks for all the attempted help!!!

Best regards,
Kaya
Re: Resolving an internal IP address for a domain from an external DNS server?
Hi Kevin, first up thanks for the response!

Secondly the non-recursive query you asked for shows this:

    % dig +norec rd1.optiplex-networks.com

    ; <<>> DiG 9.5.1-P2.1 <<>> +norec rd1.optiplex-networks.com
    ;; global options:  printcmd
    ;; connection timed out; no servers could be reached

Sorry for the bad explanation, literally what I want to do is this:

I would like to use my external DNS server located in another country with IP address 81.178.2.118 to be able to resolve local IP addresses within my network. Currently I am using the 192.168.1.0/24 network and mask (CIDR notation) in my current location and have my radio server located at IP 192.168.1.100.

Perhaps if I explain like this it may be easier:

    DNS server:   81.178.2.118   (remote machine)
    Radio server: 192.168.1.100  (local LAN)
    Laptop:       192.168.1.2    (local LAN)

I would like to resolve the domain name rd1.optiplex-networks.com to 192.168.1.100 but using the DNS server located at 81.178.2.118 whose DNS name is ns1.optiplex-networks.com

The issue is that I would like to use the same domain to resolve the services I run in the network located at 81.178.2.118 which includes mail, www etc too. Meaning that www.optiplex-networks.com, mail.optiplex-networks.com etc... all point to 81.178.2.118, but then point rd1.optiplex-networks.com to 192.168.1.100!

For that I need to have a zone file which has the remote IP of 81.178.2.118 in it for all domains/subdomains and also point a record to my local radio server which is 192.168.1.100.

Currently I can resolve everything except the local IP and none of the logging I've activated is telling me what's blocking the system.

I mean I need dig to show something like this:

    % dig optiplex-networks.com

    ; <<>> DiG 9.5.1-P2.1 <<>> optiplex-networks.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42121
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;optiplex-networks.com.         IN      A

    ;; ANSWER SECTION:
    optiplex-networks.com.  86400   IN      A       81.178.2.118

    ;; AUTHORITY SECTION:
    optiplex-networks.com.  86400   IN      NS      ns1.optiplex-networks.com.

    ;; ADDITIONAL SECTION:
    ns1.optiplex-networks.com. 86400 IN     A       81.178.2.118

    ;; Query time: 79 msec
    ;; SERVER: 81.178.2.118#53(81.178.2.118)
    ;; WHEN: Fri Jan  8 00:55:45 2010
    ;; MSG SIZE  rcvd: 89

for the domain rd1.optiplex-networks.com but in the answer section have:

    rd1.optiplex-networks.com. 86400 IN     A       192.168.1.100

Currently as stated previously I used to have 2 views at the remote network; one for internal clients and one for external. Since I am trying to patch in my new network to the old network I created another view specifically for this new network. The kiziltoprak view contains a master zone for this specific network only rather than tying this into my external view as I want to keep each entity separate.

I hope things make sense now??

Regards,
Kaya
Re: reverse zone file in external view not transferring to slaveserver??
Thanks guys, sorry needed some down time to recharge my batteries - am gonna combine all answers into one lump mail :-)

Frank Pikelner wrote:
> Do your bind logs give any clues as to what is going on? On the master make sure you have read permission and the file is being loaded. On the slave it should be attempting a transfer.
>
> Frank Pikelner
>
> On 2009-12-01, at 6:21 PM, Kaya Saman samank...@netscape.net wrote:

Unfortunately the only place I can find anything to do with Bind log-wise is in /var/adm/messages; there is no specific /var/log/bind or named log like in Linux with my system or it is in such a weird place I haven't found it yet! I've also tried looking for it several times but never managed to find it.

> What do you mean the Blastwave version? I've got BIND 9.6.0-P1 running on Solaris 9 with patches that are current as of Sept 2008... My version was, however, compiled on the machine it is running on though.
>
> See domain hicks-net.net or hicks-net.org... Two of my nameservers are external. I believe that the 'external' view transfers...

Gregory, http://www.blastwave.org/ pkg repo for Solaris/OpenSolaris, kind of similar to yum or apt-get for Linux.

External views transfer but just not the reverse? But then since my network only has 1 single WAN IP I am trying to transfer everything internally through the intranet using local IP's and wondering if some issues could be there?

> type master; allow-transfer { other.servers.ip.addresses; }; perhaps?
>
> I tend to do options { ... allow-transfer {none;}; ... }; But this wouldn't explain why all the rest can transfer and the one zone can't.
>
> Have you made sure that the slaved copies for the internal view and the external view go to DIFFERENT files? Otherwise they overwrite each other and strange timing effects occur.
>
> Just thoughts.

Joseph, yes definitely they are going to different files as I have 14 different zone files, 7 in each 'view' - with 13 files getting transferred..

I don't know if there's any way to start Bind verbosely or alternatively a command that will check the zone transfers? I only have these available to me:

    bash-2.05# ls /opt/csw/sbin
    dnssec-dsfromkey     dnssec-signzone   named            named-compilezone   sasldblistusers2   wget.static
    dnssec-keyfromlabel  logwatch          named-checkconf  rndc                saslpasswd2
    dnssec-keygen        lwresd            named-checkzone  rndc-confgen        squid

Is one of these capable?

--Kaya
Re: reverse zone file in external view not transferring to slaveserver??
Joseph S D Yao wrote:
> On Thu, Dec 03, 2009 at 12:59:51AM +0200, Kaya Saman wrote:
> ...
>> I just hope this doesn't take up many CPU cycles and memory as the debug commands do in Cisco devices rendering them almost unusable in a fully setup network environment.
> ...
>
> I'm glad the logging helped! Query logging can take a lot of space - look up whether the default is for the server to not log queries, and how and why it switches over. I remember it can be done manually, but ISTM there are other reasons it switches.

Thank you so much for all the help!!

I think however I should turn this off as I only have a 4.3GB HD in the machine..

The reality of the situation is that I need another WAN IP address. Without it I can't really do much as having a secondary DNS server is impossible. Am just holding off for now as soon, depending on how things go for myself, I may move the whole network infrastructure to the country I am in now, being Turkey, rather than keeping things going in the UK.

Phew, that's sorted and understood :-)

Best Regards,
Kaya
Re: reverse zone file in external view not transferring to slaveserver??
Major thanks Joseph

Added below:

    // logging clause - who, what, where, why, when, how, how long?
    logging {
        channel querylog {
            file "/var/log/named/query.log" versions 15 size 25m;
            // severity debug;
            severity info;
            print-time yes;
            print-category yes;
            print-severity yes;
        };
        channel securlog {
            file "/var/log/named/security.log" versions 15 size 25m;
            // severity debug 9;
            severity info;
            print-time yes;
            print-category yes;
            print-severity yes;
        };
        channel all {
            file "/var/log/named/named.log" versions 15 size 25m;
            severity info;
            print-time yes;
            print-category yes;
            print-severity yes;
        };
        category queries { querylog; };
        category security { securlog; };
        category lame-servers { null; };   // ignore
        category default { all; };
    };

with addition of this:

    category xfer-out { default_syslog; default_debug; };

Inside the logging statement!

The response I got below:

    03-Dec-2009 00:52:20.105 general: info: zone 2.178.81.in-addr.arpa/IN/external: refresh: non-authoritative answer from master 192.168.1.100#53 (source 0.0.0.0#0)

This is for my slave server!

I think it's because the authoritative answer is coming off my ISP, however though if the zone file is valid it should be authoritative and irrelevant whoever else has the zone to my understanding anyway. - oh hang on, on second thought of course it's not authoritative due to the IP address that's sending the information! I believe that's been my issue all along.

Now however I really do like the log output as I can actually see what's going on :-)

I just hope this doesn't take up many CPU cycles and memory as the debug commands do in Cisco devices rendering them almost unusable in a fully setup network environment.

--Kaya
Using a different domain name as the DNS server for a domain
Hi, I'm wondering if it's possible in Bind, like my domain provider's DNS servers, to use a different domain as the name server NS record for another domain??

Excuse the horrific explanation, I will try to describe what I mean:

I am about to start hosting a domain called birimgrup.com in my network but do not wish to create a sub domain as ns.birimgrup.com; instead I would like to use my own domain which is called optiplex-networks.com as the ns server, meaning ns1.optiplex-networks.com, as example:

    dig optiplex-networks.com

    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> optiplex-networks.com
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48891
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;optiplex-networks.com.         IN      A

    ;; ANSWER SECTION:
    optiplex-networks.com.  86400   IN      A       192.168.1.150

    ;; AUTHORITY SECTION:
    optiplex-networks.com.  86400   IN      NS      ns1.optiplex-networks.com.
    optiplex-networks.com.  86400   IN      NS      ns2.optiplex-networks.com.

    ;; ADDITIONAL SECTION:
    ns1.optiplex-networks.com. 86400 IN     A       192.168.1.100
    ns2.optiplex-networks.com. 86400 IN     A       192.168.1.101

    ;; Query time: 21 msec
    ;; SERVER: 192.168.1.100#53(192.168.1.100)
    ;; WHEN: Tue Dec  1 19:03:00 2009
    ;; MSG SIZE  rcvd: 123

So practically when someone does a dig for birimgrup.com it will come out of ns1.optiplex-networks.com!!

Can this be done? I am assuming that I could create a zone with record: birimgrup in a ns1.optiplex-networks.com but I am just wondering if it will complain that the data is out of zone??

As a quick addition also I have never dealt with .net .org etc TLD's before when setting up DNS so I'm assuming that for reverse DNS the PTR records will simply go into the 192.168.1.rev file I have setup??

Many thanks in advance!

--Kaya
Re: Using a different domain name as the DNS server for a domain
Ok I think I have got somewhere but still a bit unsure of what's going on!!

    dig birimgrup.com

    ; <<>> DiG 9.6.0-P1 <<>> birimgrup.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 567
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;birimgrup.com.                 IN      A

    ;; ANSWER SECTION:
    birimgrup.com.          86400   IN      A       192.168.1.170

    ;; AUTHORITY SECTION:
    birimgrup.com.          86400   IN      NS      ns2.optiplex-networks.com.
    birimgrup.com.          86400   IN      NS      ns1.optiplex-networks.com.

    ;; ADDITIONAL SECTION:
    ns1.optiplex-networks.com. 86400 IN     A       192.168.1.100
    ns2.optiplex-networks.com. 86400 IN     A       192.168.1.101

    ;; Query time: 7 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Dec  1 19:31:53 2009
    ;; MSG SIZE  rcvd: 133

On top of that my zone file looks like so:

    ;
    ; BIND data file for example.com
    ;
    $TTL 1d
    @ IN SOA ns1.optiplex-networks.com. mail.optiplex-networks.com. (
            2009120101 ; Serial
            7200       ; Refresh
            120        ; Retry
            2419200    ; Expire
            86400 )    ; Default TTL
    ;
       IN NS ns1.optiplex-networks.com.
       IN NS ns2.optiplex-networks.com.
    ns1.optiplex-networks.com. IN A 192.168.1.100
    ns2.optiplex-networks.com. IN A 192.168.1.101
    birimgrup.com.     IN A 192.168.1.170
    www.birimgrup.com. IN A 192.168.1.170

However as I thought I have an "ignoring out-of-zone data" error in my log.

    Dec  1 19:31:16 NetraT1-RAY named[3646]: [ID 873579 daemon.warning] /var/named/birimgrup.db:14: ignoring out-of-zone data (ns1.optiplex-networks.com)
    Dec  1 19:31:16 NetraT1-RAY named[3646]: [ID 873579 daemon.warning] /var/named/birimgrup.db:15: ignoring out-of-zone data (ns2.optiplex-networks.com)

Since lines 14 and 15 are:

    ns1.optiplex-networks.com. IN A 192.168.1.100

and

    ns2.optiplex-networks.com. IN A 192.168.1.101

respectively I think I can remove them and all will be fine!
Re: Using a different domain name as the DNS server for a domain
Many thanks for the response Chris

As you were writing and sending this I sort of worked it out but this makes things much clearer :-)

I really do appreciate all the help!

--Kaya

Chris Buxton wrote:
> You can create the NS record as you have described (type = NS, not A), but remember to put a dot on the end:
>
>     birimgrup.com. in NS ns1.optiplex-networks.com.
>
> This is quite common. Here are some real-world examples:
>
>     com. IN NS a.gtld-servers.net.
>     menandmice.com. IN NS ns0.c.is.
>
> As for reverse records, these are indexed by the IP address, not by the domain name on the right hand side. Your PTR records will go in the reverse zone you already have.
>
> Chris Buxton
> Professional Services
> Men & Mice
>
> On Dec 1, 2009, at 9:11 AM, Kaya Saman wrote:
Re: Using a different domain name as the DNS server for a domain
Chris Buxton wrote:
> Yes, remove the A records for the name servers. They shouldn't be here - they belong in the zone named optiplex-networks.com.
>
> Also, the last line of your zone looks quite odd. You should never have an IP address on the left side of a DNS record.
>
> Chris Buxton
> Professional Services
> Men & Mice
>
> On Dec 1, 2009, at 9:35 AM, Kaya Saman wrote:

Chris if you're referring to this:

    birimgrup.com. IN A 192.168.1.170 www.birimgrup.com. IN A 192.168.1.170

It didn't come out right on the email, the actual version is like so:

    birimgrup.com.     IN A 192.168.1.170
    www.birimgrup.com. IN A 192.168.1.170
Re: Using a different domain name as the DNS server for a domain
>     birimgrup.com.     IN A 192.168.1.170
>     www.birimgrup.com. IN A 192.168.1.170

ok this is really weird! In the actual zone file they are stacked on top of each other like supposed to be!

Either Seamonkey isn't formatting my emails properly or it's something to do with my SSH tunnel into the UK right now.. probably the cat command is my bet.
reverse zone file in external view not transferring to slave server??
Hi, now that I have my zones and reverse files sorted out I have managed to come across a problem which it seems I had before even beginning any of this!

Basically for some reason my reverse zone for the external view isn't transferring to my slave server; this is quite strange as all the other forward zones for the external view work fine??

Here is config:

named.conf file snippet for both servers:

    view "external" {
        match-clients { any; !192.168.0.0/22; !127.0.0.1; };
        allow-recursion { 127.0.0.1; };
        include "/etc/opt/csw/bind/named.conf.external";
    };

named.conf.external file from master server:

    zone "optiplex-networks.com" {
        type master;
        file "/var/named/optiplex-networks-external.db";
        allow-query { any; !192.168.0.0/22; 192.168.1.101; };
    };

    zone "2.178.81.in-addr.arpa" {
        type master;
        file "/var/named/81.178.2.rev";
        allow-query { any; !192.168.0.0/22; 192.168.1.101; };
    };

named.conf.external file from slave server:

    zone "optiplex-networks.com" {
        type slave;
        file "/var/named/optiplex-networks-external.db";
        masters { 192.168.1.100; };
        allow-notify { 192.168.1.100; };
        allow-query { any; !192.168.0.0/22; 192.168.1.100; };
    };

    zone "2.178.81.in-addr.arpa" {
        type slave;
        file "/var/named/81.178.2.rev";
        masters { 192.168.1.100; };
        allow-notify { 192.168.1.100; };
        allow-query { any; !192.168.0.0/22; 192.168.1.100; };
    };

If any one can help me figure out why this is happening as the reverse zone for my internal view works perfectly fine with similar config and all the other forward zones for the external work perfectly fine??

Many thanks,

--Kaya
Re: reverse zone file in external view not transferring to slave server??
> Acl's are first match. What you had devolves to
>
>     match-clients { any; };
>
> Try.
>
>     match-clients { !192.168.0.0/22; !127.0.0.1; any; };
>
> Adjust all the other acls

Ok so these are similar to Cisco IOS Acl's, now I get it :-)

Unfortunately the reverse zone is still not transferring??

This is what I have now after re-jig:

named.conf:

    view "external" {
        match-clients { !192.168.0.0/22; !127.0.0.1; any; };
        allow-recursion { 127.0.0.1; };
        include "/etc/opt/csw/bind/named.conf.external";
    };

named.conf.external:

    zone "2.178.81.in-addr.arpa" {
        type slave;
        file "/var/named/81.178.2.rev";
        masters { 192.168.1.100; };
        allow-notify { 192.168.1.100; };
        allow-query { 192.168.1.100; !192.168.0.0/22; any; };
    };

Of course this is the slave, however the master is quite similar with allow-notify and query being 192.168.1.101 instead..

Still no go though :-(

    # ls /var/named
    192.168.1.rev              birim-it-external.db        birimgrup.db                   birimguvenlik-net-external.db  optiplex-networks.db
    benimadimfs-external.db    birim-it.db                 birimguvenlik-com-external.db  birimguvenlik-net.db
    benimadimfs.db             birimgrup-external.db       birimguvenlik-com.db           optiplex-networks-external.db

??
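The first-match rule quoted above is easy to get wrong by eye, so here is an added example (not ISC code, not from anyone in the thread) that evaluates BIND address-match-list semantics over the lists from this exchange: the list as originally posted, the corrected match-clients, and the corrected allow-query. The probe addresses are constructed; 203.0.113.5 stands in for an arbitrary Internet client.

```python
import ipaddress

# Added example, not ISC code: a small evaluator of BIND address_match_list
# semantics. The first element that matches the client decides; if that
# element carries a leading "!" the client is rejected; a client that matches
# no element at all is denied.

def parse_acl(text):
    """Parse '{ !192.168.0.0/22; !127.0.0.1; any; }' into a list of
    (negated, matcher) pairs, where matcher is an ip_network or "any"/"none"."""
    elems = []
    for raw in text.strip().strip("{}").split(";"):
        tok = raw.strip()
        if not tok:
            continue
        negated = tok.startswith("!")
        if negated:
            tok = tok[1:].strip()
        if tok in ("any", "none"):
            elems.append((negated, tok))
        else:
            # A bare address such as 127.0.0.1 becomes a /32 host network.
            elems.append((negated, ipaddress.ip_network(tok, strict=False)))
    return elems


def acl_allows(elems, addr):
    """First-match evaluation of a parsed list against one client address."""
    ip = ipaddress.ip_address(addr)
    for negated, matcher in elems:
        if matcher == "none":
            continue                      # never matches anything
        if matcher == "any" or ip in matcher:
            return not negated            # first hit decides, "!" means deny
    return False                          # no element matched: implicit deny


def allowed_clients(acl_text, addrs):
    """Which of addrs the list admits, in the order given."""
    elems = parse_acl(acl_text)
    return [a for a in addrs if acl_allows(elems, a)]


# The match-clients list as posted: "any" is first, so it matches every
# client and the two negations after it are never reached.
AS_POSTED = "{ any; !192.168.0.0/22; !127.0.0.1; }"
# The corrected order: exclusions first, then the catch-all.
CORRECTED = "{ !192.168.0.0/22; !127.0.0.1; any; }"
# The corrected per-zone allow-query, which admits one internal host before
# the private range is excluded (note it does not exclude loopback).
ALLOW_QUERY = "{ 192.168.1.100; !192.168.0.0/22; any; }"

# Constructed probe addresses: two internal hosts, loopback, and one public
# address from the documentation range 203.0.113.0/24.
PROBES = ["192.168.1.100", "192.168.1.101", "127.0.0.1", "203.0.113.5"]

if __name__ == "__main__":
    for label, acl in (("as posted", AS_POSTED), ("corrected", CORRECTED),
                       ("allow-query", ALLOW_QUERY)):
        print(f"{label:12} {acl:45} -> {allowed_clients(acl, PROBES)}")
```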
Re: reverse zone file in external view not transferring to slave server??
Many thanks for all the help first up :-) I really do appreciate it!

Am just wondering, I'm running BIND 9.6.0-P1 on Solaris 9 to achieve this, so could this be a bug or something else not yet implemented into Bind or perhaps somehow the way it was compiled as I'm using the Blastwave version.. ??

Unfortunately no chance of upgrading at the moment either the system or the OS as I'm in another country and the systems are a long way away with no-one other than myself capable of doing anything with them.
Re: Mailing to bind
gmspro wrote:
> I want to set up a dns server, where to start from?

Google is first place!!

http://www.google.com/search?hl=en&source=hp&q=setting+up+a+dns+server+bind&aq=f&oq=&aqi=

See:

http://www.redhat.com/magazine/025nov06/features/dns/
http://www.howtoforge.com/traditional_dns_howto
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch18_:_Configuring_DNS
Forward zone files not working on Bind 9.3.6-P1 for Solaris and OpenSolaris??
Hi, I'm not sure if there is a syntax error or if I've missed something I should include but for some reason my forward zone files don't seem to be working :-(

I pulled the skeleton of the files straight off my working Solaris 9 boxes which use Bind 9 from Blastwave!

I checked and double checked the paths in named.conf as Blastwave has all its files stored in /opt/csw/ and /etc/opt/csw... directories; while with native Sol10 and OpenSol Bind I can use /etc and /var/named respectively.

The zone files 'domain' are just so that I can use the Sun Secure Global Desktop software in a test platform which is why I have decided to allocate the FQDN of sgd.test.

These are the zone files:

{Forward}

    ;
    ; BIND data file for example.com
    ;
    $TTL 1d
    @ IN SOA ns-m.test. mail.test. (
            2009103007 ; Serial
            7200       ; Refresh
            120        ; Retry
            2419200    ; Expire
            86400 )    ; Default TTL
    ;
       IN NS ns-m.test.
    ns-m.test. IN A 192.168.2.24
    sgd.test.  IN A 192.168.2.24

{Reverse}

    $TTL 1d ; $ORIGIN 2.168.192.IN-ADDR.ARPA.
    @ IN SOA ns-m.test. mail.test. ( 2009103002 7200 120 2419200 86400 )
       IN NS ns-m.test.
    24 IN PTR ns-m.test.
    24 IN PTR sgd.test.

This is the error I receive from OpenSol:

    Oct 30 13:24:11 sgd named[2025]: [ID 873579 daemon.notice] starting BIND 9.3.6-P1
    Oct 30 13:24:11 sgd named[2025]: [ID 873579 daemon.notice] command channel listening on 127.0.0.1#953
    Oct 30 13:24:11 sgd named[2025]: [ID 873579 daemon.warning] /var/named/sgd.db:13: ignoring out-of-zone data (ns-m.test)
    Oct 30 13:24:11 sgd named[2025]: [ID 873579 daemon.notice] running

Also the same error for Sol10:

    Oct 30 13:43:31 sgd named[1857]: [ID 873579 daemon.notice] starting BIND 9.3.6-P1
    Oct 30 13:43:31 sgd named[1857]: [ID 873579 daemon.notice] command channel listening on 127.0.0.1#953
    Oct 30 13:43:31 sgd named[1857]: [ID 873579 daemon.warning] /var/named/sgd.db:13: ignoring out-of-zone data (ns-m.test)
    Oct 30 13:43:31 sgd named[1857]: [ID 873579 daemon.notice] running

Reverse lookups are all perfectly ok!!

What am I missing here???

In Debian Etch ages ago I had to include the statement:

    test. IN NS ns-m.test.

but of course with this version of Bind it doesn't like it.

I am completely lost as I've said above on my Sol9 boxes running Bind 9 from Blastwave all is fine using the exact same syntax in zone files so why don't my forward zone files work now???

Many thanks for any help!

--Kaya
Re: Forward zone files not working on Bind 9.3.6-P1 for Solaris and OpenSolaris??
Kevin Darcy wrote:
> If you're loading a zone as sgd.test, then an owner name of ns-m.test doesn't belong in it, and BIND is correct to reject it. Either change that name to something under sgd.test, or set up a separate zone for ns-m.test or anything above that in the hierarchy (i.e. test or root).
>
> I don't know why this would have worked in your old environment, but then again I don't know what version BIND 9 from Blastwave is, or what you mean by skeleton of the files.
>
> - Kevin

Hi Kevin, thanks for responding :-)

By skeleton I meant format. Sorry if I put it badly but basically I have noticed that through different versions of Bind the overall layout and format of the zone files does change for some reason especially since I have gone from various Linux distros to Solaris now; To give you an example of what I mean, taking the domain as domain.com:

    ;
    ; BIND data file for example.com
    ;
    $TTL 1d
    @ IN SOA ns-m.domain.com. mail.domain.com. (
            2009103007 ; Serial
            7200       ; Refresh
            120        ; Retry
            2419200    ; Expire
            86400 )    ; Default TTL
    ;
       IN NS ns-m.domain.com.
    ns-m.domain.com. IN A 192.168.2.24
    sgd.domain.com.  IN A 192.168.2.24

Then reference this in named.conf calling the zone 'domain', like so:

    zone "domain" {
        type master;
        file "/var/named/domain.db";
        allow-query { internals; };
    };

Actually I think I see what you mean about:

> If you're loading a zone as sgd.test, then an owner name of ns-m.test doesn't belong in it, and BIND is correct to reject it.

as the zone should be called test within named.conf not sgd.test!! This is quite a good learning point actually since the $ORIGIN statement then gets negated as the zone's origin becomes 'test' at least in my case.

Am I correct in my evaluation with the last two sentences???
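Kevin's point, and the same "ignoring out-of-zone data" warning from the birimgrup.com thread earlier on this page, come down to one check named makes per record. The following is an added example (not ISC code, not the loader named actually uses) that applies that check to a constructed copy of the sgd.test forward file, first as if loaded under `zone "sgd.test"` and then under `zone "test"`; the helper names are my own.

```python
# Added example, not ISC's code: a minimal loader check that mirrors the
# owner-name test named applies when it reads a zone file. Every record's
# owner is qualified against the current $ORIGIN (initially the zone name
# from named.conf) and must be the apex or a name below it; anything else is
# what named reports as "ignoring out-of-zone data (<name>)".

def _qualify(name, origin):
    """'@' is the origin, a trailing dot is absolute, else relative to origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def _logical_lines(text):
    """Drop ';' comments and join records continued inside parentheses."""
    out, buf, depth = [], [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            # keep the first line's indentation: it tells us whether an
            # owner name was given or inherited from the previous record
            out.append(" ".join([buf[0]] + [b.strip() for b in buf[1:]]))
            buf, depth = [], 0
    return out


def out_of_zone_owners(zone_name, zone_text):
    """Return the absolute owner names in zone_text that lie outside
    zone_name, one entry per offending record, in file order."""
    apex = zone_name.rstrip(".").lower() + "."
    origin, last_owner, bad = apex, apex, []
    for line in _logical_lines(zone_text):
        if line.startswith("$ORIGIN"):
            origin = _qualify(line.split()[1], origin)
            continue
        if line.startswith("$"):
            continue                       # $TTL etc. carry no owner name
        if line[0].isspace():
            owner = last_owner             # blank owner field: inherit
        else:
            owner = _qualify(line.split()[0], origin)
            last_owner = owner
        if owner != apex and not owner.endswith("." + apex):
            bad.append(owner)
    return bad


# Constructed copy of the forward file from the thread (ns-m.test. and
# sgd.test. records under an SOA for "@").
SGD_ZONE = """\
$TTL 1d
@ IN SOA ns-m.test. mail.test. (
        2009103007 ; Serial
        7200       ; Refresh
        120        ; Retry
        2419200    ; Expire
        86400 )    ; Default TTL
   IN NS ns-m.test.
ns-m.test. IN A 192.168.2.24
sgd.test.  IN A 192.168.2.24
"""

if __name__ == "__main__":
    # Loaded as "sgd.test" the ns-m.test. A record is rejected; loaded as
    # "test" every owner sits inside the zone and nothing is ignored.
    for name in ("sgd.test", "test"):
        print(name, "->", out_of_zone_owners(name, SGD_ZONE))
```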
Re: Forward zone files not working on Bind 9.3.6-P1 for Solaris and OpenSolaris??
Am I right in assuming this??

Otherwise, with my setup taking an example of google.com - I was trying to use the .com with the .test where I actually wanted to use the .test as the secondary level domain of google but not append a TLD to it. I think this is against all DNS rules no??
Re: Forward zone files not working on Bind 9.3.6-P1 for Solaris and OpenSolaris??
Luc I. Suryo wrote:
> you have to become auth for the .test and then in that zone define the subdomain's NS
>
> make sense?
>
> nb: old company we had .prv for internal use :)
>
> -ls

Thanks Luc, I think I understand now!

The TLD for my domain has become .test therefore the secondary level domain becomes sgd so inevitably the ns must be ns-m.sgd.test then. and the zone should be called sgd then??
Re: Migrating DNS servers, need advice on hardware
Other means: The BIND manual tells how to turn on bind's query log, which is normally turned off for performance/resource reasons. On a very lightly loaded DNS server, it can be left on, and on a medium-loaded server, it may be practical to turn it on for a short while to collect some usage data. On a Solaris system, snoop can help (as can tcpdump on other *nix systems), e.g. to get a frame of reference regarding your load, inspect 1000 packets to port 53, measuring how many seconds it takes to collect them.

Thanks for the response John! I'm assuming that a modern multi-core system in a SOHO or small business environment can have the query log turned on continuously, as it should be more than powerful enough from what many other people have said. Of course full enterprise scale is another matter!!

Will try snoop soon, as I have already managed to get Bind working using OpenSolaris on Sun's VirtualBox in a small-zone configuration. Of course, just for testing purposes, it is running on a laptop and only has root name servers and very limited records, meaning around 5 in the forward and reverse zones. But it handles the load perfectly, as I can actually take the laptop off the main primary and secondary DNS in the host OS and just use the DNS server in the zone from the guest OS in VBox.

Now from this little escapade of mine I have learned two things: the first being the power of modern hardware and virtualization, and the second being that one doesn't need to go OTT for a DNS server in a small to moderate sized network - only a virtualized system or Solaris zone will do the trick, or chroot combined with many other services, as most rack infrastructure today can handle up to 24GB RAM+.

This has been excellent guys - many thanks to all constructive comments and help ;-) Regards, Kaya
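To show what the query log John mentions gives you once it is on (rndc querylog toggles it at runtime), here is an added Python summarizer, my own code rather than anything from the thread or from ISC, that parses query-log lines, counts queries per client and per record type, and derives a rate from the timestamps, the same frame of reference as timing 1000 packets to port 53. The log lines below are constructed to look like named's output, not captured from a real server:

```python
import re
from collections import Counter
from datetime import datetime

# Matches the older "client IP#port: query: ..." form as well as the newer one with a
# timestamp, "@0x..." client pointer and "(qname):" prefix; any syslog prefix is skipped.
QUERY_RE = re.compile(
    r"(?:(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) )?"
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+:? "
    r"(?:\([^)]*\): )?query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

def parse_query(line):
    # Returns None for lines that are not queries (zone loads, notifies, ...).
    m = QUERY_RE.search(line)
    if not m:
        return None
    ts = m.group("ts")
    return {"when": datetime.strptime(ts, "%d-%b-%Y %H:%M:%S.%f") if ts else None,
            "ip": m.group("ip"), "qname": m.group("qname"), "qtype": m.group("qtype")}

def summarize(lines):
    # Query count, wall-clock span of the sample, rate, and who/what is asking.
    queries = [q for q in map(parse_query, lines) if q]
    stamps = [q["when"] for q in queries if q["when"]]
    seconds = (max(stamps) - min(stamps)).total_seconds() if len(stamps) > 1 else 0.0
    return {
        "queries": len(queries),
        "seconds": seconds,
        "qps": round(len(queries) / seconds, 2) if seconds else None,
        "clients": Counter(q["ip"] for q in queries),
        "qtypes": Counter(q["qtype"] for q in queries),
    }

# Constructed sample of query-log lines (not a real capture); the last line is not a query.
SAMPLE_LOG = """\
24-May-2023 00:26:10.101 client @0x7f1c2c00a8d0 192.168.2.24#54321 (www.domain.com): query: www.domain.com IN A +E(0)K (192.168.2.1)
24-May-2023 00:26:10.954 client @0x7f1c2c00a8d0 192.168.2.24#54322 (www.domain.com): query: www.domain.com IN AAAA +E(0)K (192.168.2.1)
24-May-2023 00:26:11.300 client @0x7f1c2c00b9e0 192.168.2.37#40012 (mail.domain.com): query: mail.domain.com IN MX +E(0)K (192.168.2.1)
24-May-2023 00:26:13.007 client @0x7f1c2c00b9e0 192.168.2.37#40013 (24.2.168.192.in-addr.arpa): query: 24.2.168.192.in-addr.arpa IN PTR + (192.168.2.1)
24-May-2023 00:26:15.101 client @0x7f1c2c00a8d0 192.168.2.24#54323 (domain.com): query: domain.com IN NS +E(0)K (192.168.2.1)
24-May-2023 00:26:15.101 zone domain.com/IN: loaded serial 2009103007
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"{s['queries']} queries over {s['seconds']:.1f}s = {s['qps']} qps")
    print("busiest clients:", s["clients"].most_common(3))
```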
Re: Migrating DNS servers, need advice on hardware
James Pratt wrote: You should really improve your google skills. If you can't even figure out where I'm *at* well you probably really should not be in the DNS business at all.. :)

-Original Message- From: Kaya Saman [mailto:samank...@netscape.net] Sent: Friday, September 18, 2009 11:44 PM To: James Pratt Subject: Re: Migrating DNS servers, need advice on hardware

Hmm... are you a student or admin?? As your email states you're from Norwich University! Is that Norwich in UK or US?? Kaya

Didn't check Google at all as it didn't come to mind, sorry!!! You wound me up so much in your personal mail that my mind was pre-occupied with wondering what I was doing trying to get into networks and related services completely, and why I shouldn't just go join the local supermarket. Even after studying Elec Eng. at the third top university in UK, and burying myself in a Cisco CCNA course for the last year and not even going outside due to study - but what's the point if by your and other 'experts' views I'm nothing, then why do I bother killing myself.

OK, after checking Google I found you on LinkedIn, which I'm also a member of!! http://www.linkedin.com/in/jprattnu is your page if not mistaken.. Anyway you see how bad you can make one feel just from them asking one innocent question! With many more years of experience than myself, fine, my questions may seem trivial and arbitrary, but unfortunately there is no junior Bind mailing list for people with less experience - we have to swim in the deep end with everyone else but yet endure all the remarks and abuse, which isn't fair!
Re: Migrating DNS servers, need advice on hardware
Frank Bulk wrote: Perhaps the inverse would be more interesting: what's the lowest-spec hardware that could host an OS that would run the latest version of BIND. =) Frank

Silly guess, but a cell phone running Linux?? (with a static IP it could be a mobile domain server) As stated previously I have it running on a 440MHz SPARC currently with 360MB RAM. I guess this could be pushed down to a PI or PII --- I am aware of the differences between the CISC based 64bit SPARC chip and the RISC based 32bit Intel ;-) in case anyone has any objections...
Re: Migrating DNS servers, need advice on hardware
Kaya Saman wrote: Frank Bulk wrote: Perhaps the inverse would be more interesting: what's the lowest-spec hardware that could host an OS that would run the latest version of BIND. =) Frank

Silly guess, but a cell phone running Linux?? (with a static IP it could be a mobile domain server) As stated previously I have it running on a 440MHz SPARC currently with 360MB RAM. I guess this could be pushed down to a PI or PII --- I am aware of the differences between the CISC based 64bit SPARC chip and the RISC based 32bit Intel ;-) in case anyone has any objections...

It's not Bind, or perhaps it is some sort of hacked-out version, but basically Cisco IOS comes with its own DNS server, which I have dabbled in on my 857W at home; being based around BSD I presume, with the right OS one could run Bind comfortably on that?? Taken from the output of show version:

Cisco 857W (MPC8272) processor (revision 0x200) with 59392K/6144K bytes of memory.

I'm pretty sure the little 857W would run Bind if someone actually was able to build BSD on it or so.. it has 64MB of RAM too, so it should be good enough for at least 5 people. {provided one takes out the system's routing capability though, as the way I use the router is maxed out lol}
Migrating DNS servers, need advice on hardware
Hi, currently I have 2 Solaris 9 boxes in my home-based data center running as primary and secondary DNS servers; they are Sun Netra T105's with 440MHz SPARC processors and 320MB of RAM. http://www.optiplex-networks.com/lab/lab.html

Basically, as I am going to be moving abroad since I have finished my studies now and am about to get a job, I will need to replace them in my new residence and was just wondering if anyone had any idea of the hardware specs I would need. As in, should I be going for a single socket or dual socket server, and how much memory would I need, also if I should virtualize the systems at all? - Basically get one dual socket quad core system, then run something like Sun xVM or Citrix Xen on it and then have an instance of Primary and Secondary, or just use Solaris Zones as I will be whacking OpenSolaris most likely onto them anyway.

I am quite confident that 1-2GB of memory should be sufficient to handle the OS and multiple lookups, as I'm planning on tying 3 sites together with them plus using them as main servers for my domain also. I mean an idea of hardware was to get 1 or 2 Sun Fire X2250s solely for DNS, then run the named service in a Small-Zone, which I feel is equivalent to running them chrooted on a Linux system?? Which I used to run bind on Debian Etch chrooted before the Netra's came along and I started learning Solaris!

What can anyone recommend??? Many thanks for any responses :-) Kaya
Re: Migrating DNS servers, need advice on hardware
Since you haven't mentioned how many zones and records you're hosting, how do you expect anyone to guess how much hardware you need?

Yes, thank you for pointing that out! I do apologize; as I mentioned, I've just finished my studies and am as of yet quite inexperienced with certain things, so please do not frown upon me for that! - I know many people here are top notch pros and I do not fall into that category, but someone who is eager to get there :-)

Anyhow, I have 4 zone files for 1 domain currently and I'm using 2 views; internal and external. I hope to expand too once I have more finances available to me and start mirroring Linux distros and perhaps even OpenSolaris and BSD as well. But for now it's fairly simple stuff! I have noticed however that with the current setup my secondary DNS is getting used quite a bit too, as both systems are doing quite a few translations - luckily I have a Cisco router in place so my WAN connection is stable and does not crash like with a consumer-based router..
Re: Migrating DNS servers, need advice on hardware
In private email, he told me he has 59 forward and reverse records in the internal view, and 22 of each in the external view. This is nothing. A 10-year-old Pentium should be able to handle this without breaking a sweat.

Thanks Barry, as I did mention in the beginning it is a home lab setup for me to learn about network services and infrastructure a little, so that when I do get to industry I understand the basics and at least have junior admin capabilities. But still I will be looking for a new machine, so probably what I will do is grab a Sun Fire X2250 single socket quad core Xeon with 2GB of memory so that I can either use it as virtualized primary and secondary or alternatively run other services such as web server, mail server etc. on top!

How can I observe the query count? Is there a command or table or something, or is it just how many hits the system gets on port 53 identified from some form of logging software? Sorry if this thread wasted everyone's time!
Re: Named is causing my server to Kernel panic?
[...] Then maybe you want to exchange Fedora with Red Hat's paid and supported offering (RHEL?). If that server is mission critical for you, the few bucks of a yearly support contract shouldn't be that much of a problem. [...]

I have had many problems with Fedora 11 on a PPC as I run it for web services!! Basically Anacron doesn't work. Try CentOS (x86 32/64 only though); I run 5.3 on two of my collaboration suite servers. It's ultra stable and free also - it claims to be 100% Red Hat binary compatible too. Also Solaris 11 comes with named installed too (not sure of the version, but that may be something to check out too :-) ) in the form of OpenSolaris or SXCE. Hope this helps any. Regards, Kaya