Thanks Jake,

That's what I was able to glean from the info I read.  I am not sure how
I am going to ultimately set this up yet.  This is all making me rethink
my entire rack configuration.  I have been trying to simplify this and
it only seems to be getting more complex.

Is it OK to see entries like this in my message file?  My understanding
is the only one that is critical is the host unreachable, but I have
periodically checked it and it's working correctly.

Sep 23 11:15:25 laetitia named[22986]: unexpected RCODE (SERVFAIL) resolving '95.193.115.189.in-addr.arpa/CNAME/IN': 200.175.89.133#53
Sep 23 11:15:25 laetitia named[22986]: unexpected RCODE (SERVFAIL) resolving '95.193.115.189.in-addr.arpa/PTR/IN': 200.175.89.133#53
Sep 23 11:17:03 laetitia named[22986]: client 127.0.0.1#53386: error sending response: host unreachable
Sep 23 12:05:43 laetitia named[22986]: unexpected RCODE (REFUSED) resolving 'pdnssr01.ebnccsb.com.my/AAAA/IN': 161.142.2.17#53
Sep 23 12:05:43 laetitia named[22986]: unexpected RCODE (REFUSED) resolving 'pdnssr01.ebnccsb.com.my/A/IN': 161.142.2.17#53
Sep 23 12:05:46 laetitia named[22986]: lame server resolving 'maybank.my' (in 'maybank.my'?): 202.187.45.2#53
Sep 23 12:06:12 laetitia named[22986]: client 127.0.0.1#33727: error sending response: host unreachable
Sep 23 12:06:45 laetitia named[22986]: client 127.0.0.1#43177: error sending response: host unreachable
Sep 23 12:09:38 laetitia named[22986]: lame server resolving '205.111.106.86.in-addr.arpa' (in '111.106.86.in-addr.arpa'?): 89.38.57.5#53
Sep 23 12:09:39 laetitia named[22986]: lame server resolving '205.111.106.86.in-addr.arpa' (in '111.106.86.in-addr.arpa'?): 86.55.208.16#53

CJ

Jake Vickers wrote:
> Eric Shubert wrote:
>> I don't know off hand.
>>
>> Hey Jake, what do you know about this? (I'm guessing quite a bit!)
>>
>> Maxwell Smart wrote:
>>> Eric,
>>>
>>> I think I am getting it sorted.  Here is a snip of my named.conf
>>> file.   Do I need to allow-query;?  Also do I need the forwarders,
>>> ISP's DNS servers since the db.cache is the ROOT SERVERS?  From what
>>> I have read it is the recommended way to set it up.
>>>
>>> options {
>>>        directory "/etc";
>>>        pid-file "/var/run/named/named.pid";
>>>        version "request not permitted";
>>>        allow-notify {64.168.70.132;};
>>>        allow-transfer {"none";};
>>>        forwarders {
>>>                63.203.35.55;
>>>                206.13.28.12;
>>>                206.13.30.12;
>>>                };
>>> };
>>>
>>> zone "." {
>>>        type hint;
>>>        file "/etc/db.cache";
>>>        };
>>>
>
> There are 2 mindsets to forwarders. If you do not define your ISPs,
> your server will use the root servers. You are obviously getting the
> highest authority on answers there, but resolve times can lag a little.
> By using your ISPs upstream servers for forwarders, you're cutting
> down on network traffic since your request is only going to the ISP
> office/colo instead of one of the root DNS servers (which may be in
> another state). So you have to look at it both as a security view, and
> a bandwidth view. I think by now all of the ISP DNS servers are
> patched for the cache poisoning so that is probably not a concern,
> but if your ISP does DNS redirecting for unknown/unresolvable domains
> then you may need to take that into consideration.
>
> For allow query, you're now going to be moving into the realm of an
> authoritative and resolving server in the same box. Perfectly fine, if
> you configure correctly. Normally with allow-query you would define an
> acl (access list) that is allowed to query your server. You can even
> do some fancy stuff like I do here in my office and have different DNS
> zones for your internal network and your external network.
>
>
> ---------------------------------------------------------------------------------
>
> Qmailtoaster is sponsored by Vickers Consulting Group
> (www.vickersconsulting.com)
>    Vickers Consulting Group offers Qmailtoaster support and
> installations.
>      If you need professional help with your setup, contact them today!
> ---------------------------------------------------------------------------------
>
>     Please visit qmailtoaster.com for the latest news, updates, and
> packages.
>          To unsubscribe, e-mail:
> qmailtoaster-list-unsubscr...@qmailtoaster.com
>     For additional commands, e-mail:
> qmailtoaster-list-h...@qmailtoaster.com
>
>
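
Added example, not part of the original thread: a small triage script for the three kinds of named entries shown in the log excerpt above. It re-joins mail-wrapped lines, then separates answers reported by remote name servers (unexpected RCODE, lame server) from failures to send a response to a local client. The category labels are this example's own.

```python
import re
from collections import Counter

# Entries copied from the log excerpt above, still wrapped as the mailer left them.
SAMPLE = """\
Sep 23 11:15:25 laetitia named[22986]: unexpected RCODE (SERVFAIL)
resolving '95.193.115.189.in-addr.arpa/PTR/IN': 200.175.89.133#53
Sep 23 11:17:03 laetitia named[22986]: client 127.0.0.1#53386: error
sending response: host unreachable
Sep 23 12:05:43 laetitia named[22986]: unexpected RCODE (REFUSED)
resolving 'pdnssr01.ebnccsb.com.my/A/IN': 161.142.2.17#53
Sep 23 12:05:46 laetitia named[22986]: lame server resolving
'maybank.my' (in 'maybank.my'?): 202.187.45.2#53
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
PEER = r"(?P<peer>[\d.]+)#\d+"
# Category names are this example's own labels, not BIND terminology.
RULES = [
    ("remote-rcode", re.compile(r"unexpected RCODE \((?P<detail>\w+)\) resolving '.*': " + PEER + "$")),
    ("remote-lame", re.compile(r"(?P<detail>lame server) resolving '.*' \(in '.*'\?\): " + PEER + "$")),
    ("local-send", re.compile("client " + PEER + ": error sending response: (?P<detail>.+)$")),
]

def unwrap(text):
    """Re-join wrapped entries: a new entry starts with a syslog timestamp."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def classify(entry):
    """Return (category, detail, peer address) for one unwrapped entry."""
    msg = entry.split("]: ", 1)[-1]
    for category, pattern in RULES:
        m = pattern.search(msg)
        if m:
            return category, m.group("detail"), m.group("peer")
    return "other", "", ""

def summarize(text):
    """Count entries per (category, detail, peer address)."""
    return Counter(classify(e) for e in unwrap(text))

if __name__ == "__main__":
    print(*sorted(summarize(SAMPLE).items()), sep="\n")
```

Run against the full messages file, the per-peer counts show whether the remote-side entries cluster on a few misconfigured servers and how often the local send failure recurs.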
