Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Bob Harold
On Fri, Apr 17, 2020 at 12:45 PM Tim Daneliuk  wrote:

> On 4/17/20 10:17 AM, julien soula wrote:
> > On Fri, Apr 17, 2020 at 09:56:21AM -0500, Tim Daneliuk wrote:
> >> On 4/17/20 9:50 AM, Bob Harold wrote:
> >>>
> >>> Agree, that's odd, and not what the man page says.  Any chance that
> >>> there is some other DNS helper running, like resolved, nscd, dnsmasq, etc?
> >>
> >> Nope.  This is vanilla FreeBSD with vanilla bind running.
> >>
> >>> 'dig' should tell you what address it used, at the bottom of the
> >>> output - what does it say?
> >>
> >>
> >>
> >> ;; Query time: 0 msec
> >> ;; SERVER: ::1#53(::1)
> >> ;; WHEN: Fri Apr 17 09:53:51 CDT 2020
> >> ;; MSG SIZE  rcvd: 83
> >>
> >>
> >> Does the SERVER line indicate it's trying to get to the local instance
> >> via IPV6 or is this just standard notation?  (This is an IPV4 only
> >> environment).
> >
> > "::1" is localhost in IPv6. It is not the same as 127.0.0.1. At least,
> > you should add this IP to trustedhosts to check if it works.
> >
> > best regards,
> >
>
>
> Aha!  That was it.  What is curious to me is that bind uses this even in
> the absence of any IPV6 in the environment.
>
> Problem solved.  Thanks all!
>
>
>
> --
>
> 
> Tim Daneliuk tun...@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
>
>
As a separate issue:  Check the logs to see if BIND is trying to use IPv6
to resolve queries.  Look for messages like:
address not available resolving  with some IPv6 address
I have to start named with the "-4" option on my servers that do not yet
have IPv6 connectivity.

-- 
Bob Harold
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Timothe Litt
On 17-Apr-20 10:56, Tim Daneliuk wrote:
> On 4/17/20 9:50 AM, Bob Harold wrote:
>> Agree, that's odd, and not what the man page says.  Any chance that there is 
>> some other DNS helper running, like resolved, nscd, dnsmasq, etc?
> Nope.  This is vanilla FreeBSD with vanilla bind running.
>
>> 'dig' should tell you what address it used, at the bottom of the output - 
>> what does it say?
>
>
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Fri Apr 17 09:53:51 CDT 2020
> ;; MSG SIZE  rcvd: 83
>
>
> Does the SERVER line indicate it's trying to get to the local instance via
> IPV6 or is this just standard notation?  (This is an IPV4 only environment).
>
>
You seem to be selecting views based on IP address.

If the host on which you are running dig is multi-homed, the OS may pick
a source address other than what you intend.  Use -b to explicitly bind to a
particular interface.

(Or, if you use TSIG to match views, -k)


Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 





Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Tim Daneliuk
On 4/17/20 10:17 AM, julien soula wrote:
> On Fri, Apr 17, 2020 at 09:56:21AM -0500, Tim Daneliuk wrote:
>> On 4/17/20 9:50 AM, Bob Harold wrote:
>>>
>>> Agree, that's odd, and not what the man page says.  Any chance that there 
>>> is some other DNS helper running, like resolved, nscd, dnsmasq, etc?
>>
>> Nope.  This is vanilla FreeBSD with vanilla bind running.
>>
>>> 'dig' should tell you what address it used, at the bottom of the output - 
>>> what does it say?
>>
>>
>>
>> ;; Query time: 0 msec
>> ;; SERVER: ::1#53(::1)
>> ;; WHEN: Fri Apr 17 09:53:51 CDT 2020
>> ;; MSG SIZE  rcvd: 83
>>
>>
>> Does the SERVER line indicate it's trying to get to the local instance via
>> IPV6 or is this just standard notation?  (This is an IPV4 only environment).
> 
> "::1" is localhost in IPv6. It is not the same as 127.0.0.1. At least,
> you should add this IP to trustedhosts to check if it works.
> 
> best regards,
> 


Aha!  That was it.  What is curious to me is that bind uses this even in the
absence of any IPV6 in the environment.

Problem solved.  Thanks all!



-- 

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/



Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread julien soula
On Fri, Apr 17, 2020 at 09:56:21AM -0500, Tim Daneliuk wrote:
> On 4/17/20 9:50 AM, Bob Harold wrote:
> > 
> > Agree, that's odd, and not what the man page says.  Any chance that there 
> > is some other DNS helper running, like resolved, nscd, dnsmasq, etc?
> 
> Nope.  This is vanilla FreeBSD with vanilla bind running.
> 
> > 'dig' should tell you what address it used, at the bottom of the output - 
> > what does it say?
> 
> 
> 
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Fri Apr 17 09:53:51 CDT 2020
> ;; MSG SIZE  rcvd: 83
> 
> 
> Does the SERVER line indicate it's trying to get to the local instance via
> IPV6 or is this just standard notation?  (This is an IPV4 only environment).

"::1" is localhost in IPv6. It is not the same as 127.0.0.1. At least,
you should add this IP to trustedhosts to check if it works.

best regards,
-- 
Julien


Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Bob Harold
On Fri, Apr 17, 2020 at 11:03 AM Konstantin Stefanov wrote:

> On 17.04.2020 17:56, Tim Daneliuk wrote:
> > On 4/17/20 9:50 AM, Bob Harold wrote:
> >>
> >> Agree, that's odd, and not what the man page says.  Any chance that
> >> there is some other DNS helper running, like resolved, nscd, dnsmasq, etc?
> >
> > Nope.  This is vanilla FreeBSD with vanilla bind running.
> Lately vanilla FreeBSD has unbound as caching and recursive DNS server.
> Did you turn it off?
>
> >
> >> 'dig' should tell you what address it used, at the bottom of the output
> >> - what does it say?
> >
> >
> >
> > ;; Query time: 0 msec
> > ;; SERVER: ::1#53(::1)
> > ;; WHEN: Fri Apr 17 09:53:51 CDT 2020
> > ;; MSG SIZE  rcvd: 83
> >
> >
> > Does the SERVER line indicate it's trying to get to the local instance
> > via IPV6 or is this just standard notation?  (This is an IPV4 only
> > environment).
>

The server is using IPv6 locally, so you need to include "::1" in the
"trustedhosts" and view match statements.
Or just create /etc/resolv.conf with: nameserver 127.0.0.1
So the man page was right, just not specific.

-- 
Bob Harold


>
> --
> Konstantin Stefanov
>
>
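An added illustration of the point made in this reply (example code written for this page, not code from the thread or from ISC BIND): it parses the ";; SERVER:" trailer dig prints to find the address it actually reached, then emulates named's address-match-list semantics against a constructed trustedhosts ACL. The ACL entries and public addresses are assumptions (documentation ranges stand in for the real public IPs).

```python
import ipaddress
import re

# Constructed sample: the 'trustedhosts' ACL from the thread, with its public
# addresses replaced by documentation addresses. Note: no "::1" entry.
TRUSTEDHOSTS = ["127.0.0.1", "192.168.0.0/24", "203.0.113.10", "203.0.113.11"]

# Constructed sample: the trailer dig printed on the server, as quoted above.
DIG_OUTPUT = """\
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Apr 17 09:53:51 CDT 2020
;; MSG SIZE  rcvd: 83
"""

SERVER_RE = re.compile(r"^;; SERVER: (?P<addr>[^#\s]+)#(?P<port>\d+)")

def dig_server(output):
    """Return (address, port) from dig's ';; SERVER:' trailer line."""
    for line in output.splitlines():
        m = SERVER_RE.match(line)
        if m:
            return ipaddress.ip_address(m.group("addr")), int(m.group("port"))
    raise ValueError("no ';; SERVER:' line in dig output")

def acl_matches(acl, addr):
    """Emulate named's address-match-list: the first element that matches
    decides, a leading '!' negates it, and an element of the other address
    family never matches (so 127.0.0.1 says nothing about ::1)."""
    addr = ipaddress.ip_address(str(addr))
    for entry in acl:
        negate = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if net.version == addr.version and addr in net:
            return not negate
    return False

def diagnose(acl, output):
    """Explain whether the address dig used would pass allow-recursion."""
    addr, _ = dig_server(output)
    if acl_matches(acl, addr):
        return f"{addr} matches the ACL; recursion should be allowed"
    return (f"dig reached named on {addr}, which matches no ACL entry; "
            f"add '{addr}' to trustedhosts or query 127.0.0.1 explicitly")

if __name__ == "__main__":
    print(diagnose(TRUSTEDHOSTS, DIG_OUTPUT))
```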


Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Konstantin Stefanov

On 17.04.2020 17:56, Tim Daneliuk wrote:
> On 4/17/20 9:50 AM, Bob Harold wrote:
>>
>> Agree, that's odd, and not what the man page says.  Any chance that there is
>> some other DNS helper running, like resolved, nscd, dnsmasq, etc?
>
> Nope.  This is vanilla FreeBSD with vanilla bind running.
Lately vanilla FreeBSD has unbound as caching and recursive DNS server.
Did you turn it off?

>
>> 'dig' should tell you what address it used, at the bottom of the output - what
>> does it say?
>
>
> ;; Query time: 0 msec
> ;; SERVER: ::1#53(::1)
> ;; WHEN: Fri Apr 17 09:53:51 CDT 2020
> ;; MSG SIZE  rcvd: 83
>
>
> Does the SERVER line indicate it's trying to get to the local instance via
> IPV6 or is this just standard notation?  (This is an IPV4 only environment).
>

--
Konstantin Stefanov


Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Tim Daneliuk
On 4/17/20 9:50 AM, Bob Harold wrote:
> 
> Agree, that's odd, and not what the man page says.  Any chance that there is 
> some other DNS helper running, like resolved, nscd, dnsmasq, etc?

Nope.  This is vanilla FreeBSD with vanilla bind running.

> 'dig' should tell you what address it used, at the bottom of the output - 
> what does it say?



;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Fri Apr 17 09:53:51 CDT 2020
;; MSG SIZE  rcvd: 83


Does the SERVER line indicate it's trying to get to the local instance via
IPV6 or is this just standard notation?  (This is an IPV4 only environment).



-- 

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/



Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Bob Harold
On Fri, Apr 17, 2020 at 10:34 AM Tim Daneliuk  wrote:

> On 4/17/20 7:26 AM, Bob Harold wrote:
> >
> > On Thu, Apr 16, 2020 at 7:17 PM Tim Daneliuk wrote:
> >
> > We have split horizon setup and enable our internal and trusted hosts
> > to do things as follows:
> >
> > allow-recursion { trustedhosts; };
> > allow-transfer  { trustedhosts; };
> >
> > 'trustedhosts' includes a number of public facing IPs as well as the
> > 192.168.0/24 CIDR block.  It also includes the IPs of the Master and
> > Slave bind servers.
> >
> > So here's the part that has me wondering.  If I do a reverse lookup of
> > an IP, it works as expected _except_ if I do it on either the Master
> > or Slave machines. They will not only look up reverses on our
> > own IPs, they won't do it for ANY IP and return the warning:
> >
> > WARNING: recursion requested but not available
> >
> > This is replicable with 9.14 or 9.16 (or was until today's assert borkage)
> > running on FreeBSD 11.3-STABLE.  Master is on a cloud server, Slave is
> > on a physical machine.  Neither instance is jailed.
> >
> > Ideas?
> >
> > --
> >
> >
> > Tim Daneliuk tun...@tundraware.com
> > PGP Key: http://www.tundraware.com/PGP/
> >
> >
> > Is 127.0.0.1 in the 'trustedhosts' list?
>
> Yes
>
> > Are you telling 'dig' what server to use  - dig @127.0.0.1
>
> No.  But when I do, it works properly.  Doesn't dig default to localhost
> (in this case the host running bind)?
>
> > What servers are listed in /etc/resolv.conf?  Do they resolve the
> > reverse zones?
>
> There is no resolv.conf on these machines.  They are the ones running the
> nameservers.
>
> > Are local queries hitting the right 'view' (if you have multiple views) ?
>
> Yes, IF I explicitly point dig to the right nameserver.
>
>
> So ... what's going on is that dig appears to not be using localhost first
> to resolve reverses.
>
>
Agree, that's odd, and not what the man page says.  Any chance that there
is some other DNS helper running, like resolved, nscd, dnsmasq, etc?
'dig' should tell you what address it used, at the bottom of the output -
what does it say?

-- 
Bob Harold


> >
> > --
> > Bob Harold
> >
>
>
> --
>
> 
> Tim Daneliuk tun...@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/
>


Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Tim Daneliuk
On 4/17/20 7:26 AM, Bob Harold wrote:
> 
> On Thu, Apr 16, 2020 at 7:17 PM Tim Daneliuk wrote:
> 
> We have split horizon setup and enable our internal and trusted hosts
> to do things as follows:
> 
>     allow-recursion { trustedhosts; };
>     allow-transfer  { trustedhosts; };
> 
> 'trustedhosts' includes a number of public facing IPs as well as the
> 192.168.0/24 CIDR block.  It also includes the IPs of the Master and
> Slave bind servers.
> 
> So here's the part that has me wondering.  If I do a reverse lookup of
> an IP, it works as expected _except_ if I do it on either the Master
> or Slave machines. They will not only look up reverses on our
> own IPs, they won't do it for ANY IP and return the warning:
> 
>     WARNING: recursion requested but not available
> 
> This is replicable with 9.14 or 9.16 (or was until today's assert borkage)
> running on FreeBSD 11.3-STABLE.  Master is on a cloud server, Slave is
> on a physical machine.  Neither instance is jailed.
> 
> Ideas?
> 
> -- 
> 
> 
> Tim Daneliuk     tun...@tundraware.com 
> PGP Key:         http://www.tundraware.com/PGP/
> 
> 
> Is 127.0.0.1 in the 'trustedhosts' list?

Yes

> Are you telling 'dig' what server to use  - dig @127.0.0.1

No.  But when I do, it works properly.  Doesn't dig default to localhost (in 
this case the host running bind)?

> What servers are listed in /etc/resolv.conf?  Do they resolve the reverse 
> zones?

There is no resolv.conf on these machines.  They are the ones running the 
nameservers.

> Are local queries hitting the right 'view' (if you have multiple views) ?

Yes, IF I explicitly point dig to the right nameserver.


So ... what's going on is that dig appears to not be using localhost first to 
resolve reverses.



> 
> -- 
> Bob Harold
> 


-- 

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/



Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Bob Harold
On Thu, Apr 16, 2020 at 7:17 PM Tim Daneliuk  wrote:

> We have split horizon setup and enable our internal and trusted hosts
> to do things as follows:
>
> allow-recursion { trustedhosts; };
> allow-transfer  { trustedhosts; };
>
> 'trustedhosts' includes a number of public facing IPs as well as the
> 192.168.0/24 CIDR block.  It also includes the IPs of the Master and
> Slave bind servers.
>
> So here's the part that has me wondering.  If I do a reverse lookup of
> an IP, it works as expected _except_ if I do it on either the Master
> or Slave machines. They will not only look up reverses on our
> own IPs, they won't do it for ANY IP and return the warning:
>
> WARNING: recursion requested but not available
>
> This is replicable with 9.14 or 9.16 (or was until today's assert borkage)
> running on FreeBSD 11.3-STABLE.  Master is on a cloud server, Slave is
> on a physical machine.  Neither instance is jailed.
>
> Ideas?
>
> --
>
> 
> Tim Daneliuk tun...@tundraware.com
> PGP Key: http://www.tundraware.com/PGP/


Is 127.0.0.1 in the 'trustedhosts' list?
Are you telling 'dig' what server to use  - dig @127.0.0.1
What servers are listed in /etc/resolv.conf?  Do they resolve the reverse
zones?
Are local queries hitting the right 'view' (if you have multiple views) ?

-- 
Bob Harold


Question About Recursion In A Split Horizon Setup

2020-04-16 Thread Tim Daneliuk
We have split horizon setup and enable our internal and trusted hosts
to do things as follows:

allow-recursion { trustedhosts; };
allow-transfer  { trustedhosts; };

'trustedhosts' includes a number of public facing IPs as well as the
192.168.0/24 CIDR block.  It also includes the IPs of the Master and
Slave bind servers.

So here's the part that has me wondering.  If I do a reverse lookup of
an IP, it works as expected _except_ if I do it on either the Master
or Slave machines. They will not only look up reverses on our
own IPs, they won't do it for ANY IP and return the warning:

WARNING: recursion requested but not available

This is replicable with 9.14 or 9.16 (or was until today's assert borkage)
running on FreeBSD 11.3-STABLE.  Master is on a cloud server, Slave is
on a physical machine.  Neither instance is jailed.

Ideas?

-- 

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/
