Advice on Bind9/ISC DHCP cluster
Hello,

I would like to implement a 3 hosts cluster with the following features:

1- host1 is a bind9 master
2- host2 is a bind9 slave/ISC DHCP primary
3- host3 is a bind9 slave/ISC DHCP secondary
4- primary ISC DHCP instance sends dynamic updates to bind9 master
5- secondary ISC DHCP instance sends dynamic updates to bind9 master
6- DNS clients query Bind9 slaves (hosts 2 and 3)
7- DNS updates are made on Bind9 master

I can accept to lose (either static or dynamic) updates if host1 is down.

1. Is it possible to implement both 4 and 5 ?
2. Any alternative architecture (I can use up to 5 hosts) ?

Best regards

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Authoritative for one domain, caching for the rest
Hello,

After reading [1] and many trials, I couldn't figure out how to set a Bind9 (9.11.5 on Debian Buster) server to operate this way:

- server has two Ethernet interfaces, one connected to the foo.lan / 192.168.51.0/24 domain/network, the other connected to the bar.lan / 192.168.43.0/24 domain/network
- I want it to resolve for bar.lan and, for anything else, to query a DNS server available on foo.lan.

My anonymized /etc/bind/named.conf.local content is:

    acl "good-guys" {
        localnets;
    };

    zone "bar.lan" {
        type master;
        file "/etc/bind/db.bar.lan";
        forwarders {};
        allow-query { "good-guys"; };
    };

    zone "43.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/rev.43.168.192.in-addr.arpa";
        forwarders {};
    };

    zone "foo.lan" {
        type master;
        file "/etc/bind/db.foo.lan";
        forwarders { 192.168.51.1; };
    };

    zone "51.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/rev.51.168.192.in-addr.arpa";
        forwarders { 192.168.51.1; };
    };

Resolution works for:
- bar.lan
- google.com
- host1.foo.lan if the entry is present in /etc/bind/db.foo.lan

but it does not work for:
- host2.foo.lan if the entry is not present in /etc/bind/db.foo.lan

[1] https://bind9.readthedocs.io/en/latest/configuration.html#sample-configurations

Best regards

PS: Bind9 9.16.11 is present in Buster Backports. Is it worth installing it ?
How to compute db.192.168.x names from network addresses ?
Hello,

Here or there, you can read configuration files named like db.192.168.42 when holding data for a 192.168.42.0/24 network. For networks with a /24 mask, simply stripping the ending 0/24 substring from 192.168.42.0/24 is enough. But what about networks with a different prefix ?

1. How can you compute this "db.192.168.whatever" from a 192.168.x.y/z network address ? An example in Python would be appreciated.
2. Instead of using short "db.192.168.42" names, I used a long "db.192.168.42.0". I didn't notice any issue. Did I overlook something ?

Best regards
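An added Python example (not from this thread) for the first question: it derives both the reverse zone name and a "db.a.b.c" file name from a CIDR network, and goes beyond the /24 case by splitting shorter unaligned prefixes into octet-aligned zones and using RFC 2317 classless names for longer ones. The "db.a.b.c.first-prefix" file name for classless zones is a convention constructed here; named(8) accepts any file name, which is why the longer "db.192.168.42.0" form in the second question also works.

```python
import ipaddress


def reverse_zones(cidr):
    """Map an IPv4 network to the reverse zone(s) that should hold its PTRs.

    Returns a list of (file_name, zone_name) pairs:
      - /8, /16 and /24 give exactly one zone, e.g. db.192.168.42 holding
        42.168.192.in-addr.arpa;
      - a shorter, unaligned prefix (/23, /12, ...) is split into the
        octet-aligned zones it contains, so 192.168.42.0/23 yields two;
      - /25 to /32 use the RFC 2317 classless zone name
        "first/prefix.c.b.a.in-addr.arpa"; the file name
        "db.a.b.c.first-prefix" is a convention chosen for this example.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # host bits set -> ValueError
    if net.version != 4 or net.prefixlen == 0:
        raise ValueError(f"need a non-default IPv4 network, got {cidr}")
    if net.prefixlen <= 24:
        aligned = (net.prefixlen + 7) // 8 * 8        # round up to an octet boundary
        zones = []
        for sub in net.subnets(new_prefix=aligned):   # yields net itself when aligned
            kept = str(sub.network_address).split(".")[: aligned // 8]
            zones.append(("db." + ".".join(kept),
                          ".".join(reversed(kept)) + ".in-addr.arpa"))
        return zones
    a, b, c, first = str(net.network_address).split(".")
    zone = f"{first}/{net.prefixlen}.{c}.{b}.{a}.in-addr.arpa"
    return [(f"db.{a}.{b}.{c}.{first}-{net.prefixlen}", zone)]


if __name__ == "__main__":
    for cidr in ("192.168.42.0/24", "10.0.0.0/8", "192.168.42.0/23", "192.168.42.64/26"):
        for file_name, zone in reverse_zones(cidr):
            print(f"{cidr:18} {file_name:24} {zone}")
```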
Re: AppArmor, DHCP, Bind9 issue [SOLVED]
Hello,

Thank you all for replying !

Thanks to your suggestions, creating an /etc/bind/subdir directory and tweaking /etc/apparmor.d/usr.sbin.named allowed me to let ISC DHCP update Bind9 entries.

1. I'm hesitant to file a bug on Debian about this. As this involves both Bind9 and AppArmor, would you say it deserves to be implemented and documented in the default Bind9 installation, or that it is too specific for this ?
2. If it deserves to be implemented, how would you name this /etc/bind/subdir directory ? I personally used "/etc/bind/ddns-zones" but surely there exist alternatives that better describe the purpose of this directory (hosting config that bind9 needs to rewrite), such as:
   - writable_conf
   - rw_conf
   - rwconf

Detailed steps I followed on Debian Buster to work around the issue were:

    mkdir /etc/bind/ddns-zones
    chown root:bind /etc/bind/ddns-zones
    # I don't know if plain 775 better fits. Comments welcome
    chmod 2775 /etc/bind/ddns-zones

Adding into /etc/apparmor.d/usr.sbin.named, a line:

    /etc/bind/ddns-zones/** rw,

before line

    /etc/bind/** r,

Best regards
AppArmor, DHCP, Bind9 issue
Hello,

I've got one ISC-DHCP server instance (4.4.1) and one Bind9 (9.11.5) instance installed on a Debian Buster box. Both come from the Debian stable repo. I would like my DHCP server to update the Bind9 database when leases are allocated to DHCP clients. I followed instructions from [1]. I then met the following error:

    Sep 21 16:17:54 foo kernel: [ 8867.630002] audit: type=1400 audit(1600697874.163:25): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/etc/bind/db.bar.com.jnl" pid=1482 comm="isc-worker" requested_mask="c" denied_mask="c" fsuid=107 ouid=107
    Sep 21 16:17:54 foo named[1482]: /etc/bind/db.bar.com.jnl: create: permission denied

I edited /etc/apparmor.d/usr.sbin.named and it now includes the following content:

    ...
    # /etc/bind should be read-only for bind
    # /var/lib/bind is for dynamically updated zone (and journal) files.
    # /var/cache/bind is for slave/stub data, since we're not the origin of it.
    # See /usr/share/doc/bind9/README.Debian.gz
    # Next line added to work around apparmor issue
    /etc/bind/*.jnl rw,
    # End of addition
    /etc/bind/** r,
    /var/lib/bind/** rw,
    /var/lib/bind/ rw,
    /var/cache/bind/** lrw,
    /var/cache/bind/ rw,
    ...

Now, /var/log/syslog includes:

    Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: signer "ddns_update" approved
    Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: updating zone 'bar.com/IN': adding an RR at 'acerok.bar.com' A 192.168.42.104
    Sep 22 08:43:25 foo named[449]: client @0x7efd7850f500 127.0.0.1#59205/key ddns_update: updating zone 'bar.com/IN': adding an RR at 'acerok.bar.com' TXT "0097d51fa2194acbea0809316da0885aa0"
    Sep 22 08:43:25 foo named[449]: /etc/bind/db.bar.com.jnl: create: permission denied

    ls -l /etc
    drwxr-sr-x 2 root bind 4096 sept. 21 16:01 bind

    ls -l /var/cache
    drwxrwxr-x 2 root bind 4096 sept. 22 16:25 bind

    ls -l /var/cache/bind
    lrwxrwxrwx 1 root root 23 sept. 21 14:29 db.192.168.42 -> /etc/bind/db.192.168.42
    lrwxrwxrwx 1 root root 29 sept. 21 14:28 db.bar.com -> /etc/bind/db.bar.com
    -rw-r--r-- 1 root root 0 sept. 21 16:36 db.bar.com.jnl
    ...

How can I solve this ?

[1] https://wiki.debian.org/DDNS

Best regards
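An added Python helper, not from this thread, that reads an AppArmor audit "DENIED" record like the one quoted above and checks it against the profile's file rules, using AppArmor's globbing (a single "*" stops at "/", "**" crosses it) and the fact that matching rules accumulate; it reports the smallest rule that would satisfy the denial. The rule list and audit line are copied from the post; the mapping of the audited "c" (create) bit onto a "w" rule is AppArmor's documented behaviour.

```python
import re
AUDIT_RE = re.compile(r'apparmor="(?P<verdict>\w+)".*?name="(?P<path>[^"]+)"'
                      r'.*?requested_mask="(?P<mask>[^"]+)"')
IMPLIED_BY_W = set("cda")  # create, delete and append are granted by a 'w' rule

def parse_denial(line):
    """Verdict, path and mask of an AppArmor audit record; None for any other line."""
    m = AUDIT_RE.search(line)
    return m.groupdict() if m else None

def glob_to_regex(pattern):
    """AppArmor file globbing: '*' stops at '/', '**' crosses it ('?' and '{a,b}' not handled)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")

def granted_perms(rules, path):
    """Union of what every matching (glob, perms) rule grants: AppArmor rules accumulate."""
    perms = set()
    for glob, p in rules:
        if glob_to_regex(glob).match(path):
            perms.update(p)
    return perms | IMPLIED_BY_W if "w" in perms else perms

def suggest_rule(line, rules):
    """Profile line that would satisfy the denial, or None if it is already granted."""
    d = parse_denial(line)
    if d is None or d["verdict"] != "DENIED":
        return None
    missing = set(d["mask"]) - granted_perms(rules, d["path"])
    if not missing:
        return None
    needed = {"w" if bit in IMPLIED_BY_W else bit for bit in missing}
    return f'{d["path"]} {"".join(sorted(needed))},'

# File rules copied from the profile excerpt in the post, and the post's audit line.
PROFILE_RULES = [("/etc/bind/**", "r"), ("/var/lib/bind/**", "rw"), ("/var/lib/bind/", "rw"),
                 ("/var/cache/bind/**", "lrw"), ("/var/cache/bind/", "rw")]
DENIAL = ('Sep 21 16:17:54 foo kernel: [ 8867.630002] audit: type=1400 audit(1600697874.163:25): '
          'apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" '
          'name="/etc/bind/db.bar.com.jnl" pid=1482 comm="isc-worker" requested_mask="c" '
          'denied_mask="c" fsuid=107 ouid=107')
if __name__ == "__main__":
    print(suggest_rule(DENIAL, PROFILE_RULES))                                  # /etc/bind/db.bar.com.jnl w,
    print(suggest_rule(DENIAL, PROFILE_RULES + [("/etc/bind/*.jnl", "rw")]))  # None
```

Once the profile allows the create, the second "permission denied" above comes without a new audit record, and the "ls -l /etc" output shows /etc/bind as drwxr-sr-x root:bind, so the bind user named runs as has no write bit on that directory: that is an ordinary Unix permission failure, not an AppArmor one.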
Re: Forwarding a subzone of a master zone
On Tue, Apr 19, 2011 at 01:37:23AM -0700, chris.p.bux...@gmail.com wrote:
> You're getting a bit confused, because your configuration is complex. Some of your observations are in contradiction with your disabling of recursion, so I believe you are partially mistaken.
>
> - You're mixing authoritative and recursive service in one config. This often leads to confusion.
> - Your recursion algorithm must be able to track down a particular domain while not being able to resolve from the Internet root.
>
> Rather than turning off recursion, why not just set up your own root zone (type master)? That way, your server can recurse to sub.example.com based on the delegation, while returning immediate negative answers for anything unknown. Just make sure you delegate example.com (and all other zones) from your private root zone.
>
> A forwarders list in example.com or a zone of type forward named sub.example.com will not have any effect so long as recursion is disabled. Forwarding is a configuration aspect of the recursion algorithm.

Hi Chris,

Thank you very much for the clarification. With your help and this message http://fixunix.com/dns/549124-re-disable-root-hints.html (from you too ;-), I got it working now!

Thanks, have a nice day.

--
Olivier Cherrier - Symacx.com
mailto:o...@symacx.com
Forwarding a subzone of a master zone
Hi,

I am experiencing problems getting a working forwarding configuration. I am using BIND 9.3.6-P1 and the server has the global recursion parameter on. The server is not on a public network (not on the Internet -- no access to root servers).

I have a zone called example.com for which the server is master. A delegation called sub.example.com is in place and is working well.

I want to change the recursion parameter from 'yes' to 'no' in order to get rid of the timeouts we get when we query something that is not defined in our DNS server (like www.google.com). Doing this breaks the delegation sub.example.com, meaning the server doesn't do the research anymore for the subzone. So I deleted the delegation and configured a forward zone to the right IP addresses. The problem is named doesn't even try to query those forwarders and directly replies:

    No answer

While it works for some other forwarded zones (reverse and non-reverse), I fail to understand why it doesn't work for that particular zone. The only difference I see is that this forwarded zone is a subzone of example.com for which the server is master.

So my question: Is there any limitation to forwarding a subzone while we are master for the parent zone?

Thanks a lot!
Best regards.

--
Olivier Cherrier - Symacx.com
mailto:o...@symacx.com
Reverse dns issue
Hi,

I'm using a software which uses bind and I'm experiencing a problem with the reverse dns function of bind. I only have private addresses on my network but the nodes also have dns names. There is a server on this network, which is also a name server, that has internet through a gateway.

When my nodes are doing a dns query to the server, everything is ok and they get their corresponding (private) IP address. The problem occurs when a node is sending a reverse dns query to the server. The server should return the name that matches the IP address but instead I have this error in the bind log:

    21-Mar-2011 14:53:44.389 security: warning: client 10.100.2.129#61940: view internal: RFC 1918 response from Internet for 5.2.100.10.in-addr.arpa

In this case 10.100.2.5 (or 5.2.100.10) is the server itself so it should be able to get its own name. This response from Internet seems weird to me because it should not ask an internet name server since it is a private address. I checked with tcpdump and I didn't see any dns query going out of the server so it's not doing recursive lookups.

Anyone can help with this? Does bind have a special option for private addresses? I've seen that there is a reverse folder in /etc/namedb with file names like this 10.0.252.db, are these files used for the reverse dns resolution? I tried to add a file for the subnetwork I use (10.100.2) but this didn't change anything.

Here is a tcpdump of the communication between the node and the server showing the failing query:

    10:42:35.494523 IP 10.100.2.129.60331 > boss.vlan100.domain: 42377+ PTR? 5.2.100.10.in-addr.arpa. (41)
    10:42:35.494691 IP boss.vlan100.domain > 10.100.2.129.60331: 42377 NXDomain 0/1/0 (118)
    10:42:35.495019 IP 10.100.2.129.54934 > boss.vlan100.domain: 42378+ A? UNKNOWN.vlan100. (33)
    10:42:35.495090 IP boss.vlan100.domain > 10.100.2.129.54934: 42378 NXDomain* 0/1/0 (86)
    10:42:35.495416 IP 10.100.2.129.64666 > boss.vlan100.domain: 42379+ A? UNKNOWN. (25)
    10:42:35.495469 IP boss.vlan100.domain > 10.100.2.129.64666: 42379 NXDomain 0/1/0 (100)

Thanks in advance