Getting an error on a simple DNS configuration
I put together a simple working DNS server and called it new-dns2 with the IP address of 206.117.115.93. My configuration files follow:

[root@new-dns2 ~]# cat /etc/named.conf
options {
        directory "/var/named";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.127.0.0";
};
[root@new-dns2 ~]# cat /var/named/db.127.0.0
$TTL 3D
@       IN      SOA     new-dns1.ci.glendale.ca.us mchavoshi.glendaleca.gov. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                NS      new-dns1.ci.glendale.ca.us.
1               PTR     localhost.
[root@new-dns2 ~]#

So, when I query my new DNS server from itself (206.117.115.93), it resolves the name to an IP, but when I query my new DNS server from another Linux box, it fails with the following error message.

[root@new-dns2 ~]# nslookup google.com 206.117.115.93
Server:         206.117.115.93
Address:        206.117.115.93#53

Non-authoritative answer:
Name:   google.com
Address: 216.58.217.206

[root@new-dns2 ~]#

[root@oragrid01 ~]# nslookup google.com 206.117.115.93
Server:         206.117.115.93
Address:        206.117.115.93#53

** server can't find google.com: REFUSED

[root@oragrid01 ~]#

I have stopped FireWall on new-dns2, my DNS server:

[root@new-dns2 ~]# service iptables status
iptables: Firewall is not running.
[root@new-dns2 ~]#

Can someone please tell me what might be the problem?

Many thanks in advance and have a wonderful day/night.

Sincerely,
Samad Agha

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Getting an error on a simple DNS configuration
Dear Tony, Bob, Matus,

Thank you very much for your advice, you guys are awesome.

On Wed, Jun 3, 2015 at 1:03 PM, Matus UHLAR - fantomas uh...@fantomas.sk wrote:

> On 03.06.15 12:34, Samad Agha wrote:
>> So, when I query my new DNS server from itself (206.117.115.93), it
>> resolves the name to an IP, but when I query my new DNS server from
>> another Linux box, it fails with the following error message.
>
> you must allow BIND to provide recursive DNS for other hosts, by
> configuring allow-recursion.
>
> otherwise, it will provide DNS resolution only for its local networks
> (directly connected to host interfaces).
>
>> [root@new-dns2 ~]# nslookup google.com 206.117.115.93
>
> don't use nslookup, it's very bad tool for debugging DNS problems.
> learn using host and/or dig
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Emacs is a complicated operating system without good text editor.

Re: Getting an error on a simple DNS configuration
On 03.06.15 12:34, Samad Agha wrote:
> So, when I query my new DNS server from itself (206.117.115.93), it
> resolves the name to an IP, but when I query my new DNS server from
> another Linux box, it fails with the following error message.

you must allow BIND to provide recursive DNS for other hosts, by configuring allow-recursion.

otherwise, it will provide DNS resolution only for its local networks (directly connected to host interfaces).

> [root@new-dns2 ~]# nslookup google.com 206.117.115.93

don't use nslookup, it's very bad tool for debugging DNS problems.
learn using host and/or dig

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Emacs is a complicated operating system without good text editor.

Re: Getting an error on a simple DNS configuration
Samad Agha samad.agha2...@gmail.com wrote:

> So, when I query my new DNS server from itself (206.117.115.93), it
> resolves the name to an IP, but when I query my new DNS server from
> another Linux box, it fails with the following error message.
>
> ** server can't find google.com: REFUSED

By default, BIND allows queries only from localnets, i.e. subnets to which the server is directly connected. For details, see
http://ftp.isc.org/isc/bind9/9.10.2/doc/arm/Bv9ARM.ch06.html#access_control

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Forth, Tyne: Variable becoming southeast 3 or 4, occasionally 5 later in Tyne. Slight, becoming slight or moderate later in Tyne. Fair. Good.

Re: Getting an error on a simple DNS configuration
If you don't specify recursion (or query-cache or allow-query), then the default is:

allow-recursion (localnets; localhost;)

Which means only things on the connected subnets are allowed to make recursive queries, all others get REFUSED.

So add an

allow-recursion ( .. subnet list ..);

to your config. (Do not allow 'all', please.)

--
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharo...@umich.edu
734-647-6524 desk

On Wed, Jun 3, 2015 at 3:34 PM, Samad Agha samad.agha2...@gmail.com wrote:

> I put together a simple working DNS server and called it new-dns2 with
> the IP address of 206.117.115.93. My configuration files follow:
>
> [root@new-dns2 ~]# cat /etc/named.conf
> options {
>         directory "/var/named";
> };
>
> zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "db.127.0.0";
> };
> [root@new-dns2 ~]# cat /var/named/db.127.0.0
> $TTL 3D
> @       IN      SOA     new-dns1.ci.glendale.ca.us mchavoshi.glendaleca.gov. (
>                         1       ; Serial
>                         8H      ; Refresh
>                         2H      ; Retry
>                         4W      ; Expire
>                         1D)     ; Minimum TTL
>                 NS      new-dns1.ci.glendale.ca.us.
> 1               PTR     localhost.
> [root@new-dns2 ~]#
>
> So, when I query my new DNS server from itself (206.117.115.93), it
> resolves the name to an IP, but when I query my new DNS server from
> another Linux box, it fails with the following error message.
>
> [root@new-dns2 ~]# nslookup google.com 206.117.115.93
> Server:         206.117.115.93
> Address:        206.117.115.93#53
>
> Non-authoritative answer:
> Name:   google.com
> Address: 216.58.217.206
>
> [root@new-dns2 ~]#
>
> [root@oragrid01 ~]# nslookup google.com 206.117.115.93
> Server:         206.117.115.93
> Address:        206.117.115.93#53
>
> ** server can't find google.com: REFUSED
>
> [root@oragrid01 ~]#
>
> I have stopped FireWall on new-dns2, my DNS server:
>
> [root@new-dns2 ~]# service iptables status
> iptables: Firewall is not running.
> [root@new-dns2 ~]#
>
> Can someone please tell me what might be the problem?
>
> Many thanks in advance and have a wonderful day/night.
>
> Sincerely,
> Samad Agha

Re: Fwd: Getting an error on a simple DNS configuration
allow-recursion { ... };

not

allow-recursion ( ... );

And you need a ; at the end of your list:

allow-recursion {207.151.36.0;};

On 6/3/15 5:14 PM, Samad Agha wrote:
> I put the allow-recursion clause under my options, the #service named
> restart failed.
>
> Where exactly should I place this allow-recursion clause?
>
> [root@new-dns2 ~]# cat /etc/named.conf
> options {
>         directory "/var/named";
>         allow-recursion (207.151.36.0);
> };
>
> zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "db.127.0.0";
> };
> [root@new-dns2 ~]#
>
> [root@new-dns2 ~]# service named restart
> Stopping named: .                                          [  OK  ]
> Starting named:
> Error in named configuration:
> /etc/named.conf:3: '{' expected near '(207.151.36.0)'
>                                                            [FAILED]
> [root@new-dns2 ~]#

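A simplified model of how the allow-recursion list decides between an answer and REFUSED, added here as an example and not code from the thread or from BIND. The connected subnet 206.117.115.0/24 and the client address 207.151.36.10 are assumptions, since the thread gives neither; the model also shows that the element 207.151.36.0 with no prefix length matches only that one host, while 207.151.36.0/24 covers the subnet.

```python
import ipaddress
import re

# Constructed named.conf fragments (not the poster's files). HOST_ONLY uses the
# clause exactly as written in the reply above; SUBNET adds a prefix length.
NO_CLAUSE = 'options { directory "/var/named"; };'
HOST_ONLY = 'options { allow-recursion { 207.151.36.0; }; };'
SUBNET = 'options { allow-recursion { localhost; localnets; 207.151.36.0/24; }; };'
OPEN = 'options { allow-recursion { any; }; };'  # the "allow all" case to avoid

# Assumptions: the server's connected subnet and the remote client's address
# are not given in the thread; these values are made up for the model.
LOCAL_ADDRS = {"127.0.0.1", "206.117.115.93"}
LOCALNETS = ["127.0.0.0/8", "206.117.115.0/24"]
REMOTE_CLIENT = "207.151.36.10"


def recursion_acl(conf):
    """Extract the allow-recursion list, or the default quoted in the thread."""
    m = re.search(r"allow-recursion\s*\{([^}]*)\}\s*;", conf)
    if m is None:
        return ["localnets", "localhost"]
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def matches(ip, name):
    """Test one address-match-list element against a client address."""
    if name in ("any", "none"):
        return name == "any"
    if name == "localhost":
        return str(ip) in LOCAL_ADDRS
    if name == "localnets":
        return any(ip in ipaddress.ip_network(n) for n in LOCALNETS)
    # A bare address with no /prefix becomes a /32: it matches one host only.
    return ip in ipaddress.ip_network(name)


def answer(conf, client):
    """Return 'recursion' or 'REFUSED' for a recursive query from client."""
    ip = ipaddress.ip_address(client)
    for elem in recursion_acl(conf):
        negate = elem.startswith("!")
        if matches(ip, elem.lstrip("! ")):
            # First matching element decides; "!" turns a match into a denial.
            return "REFUSED" if negate else "recursion"
    return "REFUSED"
```

An explicit allow-recursion list replaces the default, so SUBNET lists localhost and localnets again to keep the server's own clients working.
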
Fwd: Getting an error on a simple DNS configuration
I put the allow-recursion clause under my options, the #service named restart failed.

Where exactly should I place this allow-recursion clause?

[root@new-dns2 ~]# cat /etc/named.conf
options {
        directory "/var/named";
        allow-recursion (207.151.36.0);
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.127.0.0";
};
[root@new-dns2 ~]#

[root@new-dns2 ~]# service named restart
Stopping named: .                                          [  OK  ]
Starting named:
Error in named configuration:
/etc/named.conf:3: '{' expected near '(207.151.36.0)'
                                                           [FAILED]
[root@new-dns2 ~]#