Little confusion about BIND/AD [DNS] Setup

2018-07-25 Thread Blason R
Hi there,

I have a little confusion about BIND and the Windows AD/DNS setup and would
appreciate it if someone can shed some light on my query.

Well, I have a BIND/RPZ setup in my environment and I have an AD/DNS server;
users are configured to talk to the Windows DNS server, and it has a forwarder
set to my BIND/RPZ.

Now the issue I faced is on my BIND/RPZ: I had the forwarder set as 9.9.9.9,
which was flagging one site wrongly, while 8.8.8.8 resolves it perfectly.
Hence users accessing the site via AD/DNS -> RPZ -> 9.9.9.9 were initially
and consistently getting an error. Later I decided to change the forwarder in
my BIND and set it to 8.8.8.8. I restarted the service, which must have
cleared the cache, but users who were using AD/DNS were still getting those
wrong pages. I guess that was being served from the DNS cache, since it was
showing a TTL value of almost 24 hrs.

Hence I am wondering if the TTL value from my BIND/RPZ can be lowered. Will
that really make any difference? And which DNS server is responsible for
giving the TTL value to users? How can I eventually set a lower TTL value in
my environment so that records cached for end users get flushed faster?

Windows, BIND RPZ, or the NS of the end portal which is being accessed?

Thanks and Regards,
Lionel F
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
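The caching behaviour described in the question above, as an added simulation (not from the list, nor from ISC's or Microsoft's code): the TTL originates at whichever server first produced the answer, and every cache on the path (BIND, then the AD/DNS server) counts it down and hands the remainder to the next hop, so restarting BIND empties only BIND's own cache. The names, addresses, TTLs and the `max_cache_ttl` clamp (modelling BIND's `max-cache-ttl`) are constructed assumptions.

```python
class CachingResolver:
    """Minimal model of a caching forwarder (AD/DNS or BIND). `upstream` is either
    another CachingResolver or a function qname -> (answer, ttl) standing in for
    the authoritative side or a public forwarder such as 9.9.9.9."""

    def __init__(self, name, upstream, max_cache_ttl=None):
        self.name = name
        self.upstream = upstream
        self.max_cache_ttl = max_cache_ttl      # assumed clamp, like BIND's max-cache-ttl
        self.cache = {}                         # qname -> (answer, absolute expiry)

    def resolve(self, qname, now):
        hit = self.cache.get(qname)
        if hit is not None and hit[1] > now:
            return hit[0], hit[1] - now         # cache hit: remaining TTL, not the original
        if callable(self.upstream):
            answer, ttl = self.upstream(qname)
        else:
            answer, ttl = self.upstream.resolve(qname, now)
        if self.max_cache_ttl is not None:
            ttl = min(ttl, self.max_cache_ttl)
        self.cache[qname] = (answer, now + ttl)
        return answer, ttl

    def flush(self):
        self.cache.clear()                      # rndc flush / cache clear: this server only


def forwarder_change_scenario():
    """Replay the thread's situation: users -> AD/DNS -> BIND/RPZ -> forwarder.
    Returns (answer, ttl) as seen by an AD/DNS client at each step."""
    wrong = lambda q: ("blocked.example", 86400)   # constructed: forwarder flags the site, 24h TTL
    right = lambda q: ("203.0.113.10", 300)        # constructed: forwarder answers correctly
    bind = CachingResolver("bind-rpz", wrong)
    ad = CachingResolver("ad-dns", bind)
    step1 = ad.resolve("portal.example", now=0)     # wrong answer, now cached by BIND and by AD
    bind.upstream = right
    bind.flush()                                    # forwarder changed and BIND restarted
    step2 = ad.resolve("portal.example", now=3600)  # AD still serves its own cached copy
    ad.flush()                                      # only clearing the AD/DNS cache fixes it
    step3 = ad.resolve("portal.example", now=3600)
    return step1, step2, step3


def clamped_ttl_scenario():
    """Same chain, but BIND clamps cached TTLs to 10 minutes: every cache
    downstream of it then holds the record for at most that long."""
    wrong = lambda q: ("blocked.example", 86400)
    bind = CachingResolver("bind-rpz", wrong, max_cache_ttl=600)
    ad = CachingResolver("ad-dns", bind)
    return ad.resolve("portal.example", now=0)[1]
```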


Re: SERVFAIL on IPv6 tunnelbroker network

2018-07-25 Thread Patrik
Is it possible that I have 2 routers on 1 server and 2 views? Should I just
use 1 connection to the same server?
I connect to internet connection 1 for me, downloading etc., and 1 for the
input for web, email, etc.
But I connected 2. The big problem is that I cannot turn off the server's 2nd
view; I need exactly the 2 views, and I still get a SERVFAIL, but after I do
it again it will work, or on my workstation I have to refresh the browser
many times.
Plus by now it cached my IP address; this is what is weird, that the first
time it is like that, SERVFAIL, and I have no idea what it is doing.
*E.g., the log:*
25-Jul-2018 09:18:27.737 client @0x7faa8c062b10 192.168.78.30#55939 (ipv4.nop.hu): view internal-enp1s0f3: query failed (SERVFAIL) for ipv4.nop.hu/IN/ at ../../../bin/named/query.c:6885
25-Jul-2018 09:18:27.738 client @0x7faa8c062b10 192.168.78.30#55939 (ipv4.nop.hu): view internal-enp1s0f3: query failed (SERVFAIL) for ipv4.nop.hu/IN/ at ../../../bin/named/query.c:6885
25-Jul-2018 09:18:28.401 client @0x7faa8c062b10 192.168.78.30#50670 (ipv6.nop.hu): view internal-enp1s0f3: query failed (SERVFAIL) for ipv6.nop.hu/IN/A at ../../../bin/named/query.c:8402
25-Jul-2018 09:18:28.401 client @0x7faac0184500 192.168.78.30#50670 (ipv6.nop.hu): view internal-enp1s0f3: query failed (SERVFAIL) for ipv6.nop.hu/IN/A at ../../../bin/named/query.c:6885
25-Jul-2018 09:18:28.402 client @0x7faa8c034d00 2001:470:1f1b:5b3::b4a#41540 (ipv6.nop.hu): view internal-enp1s0f3: query failed (SERVFAIL) for ipv6.nop.hu/IN/A at ../../../bin/named/query.c:6885


*So, as you told me, I did it as:*

patrikx3@workstation:/media/linux-nvme/home/patrikx3$ dig @192.168.81.20 com soa

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> @192.168.81.20 com soa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43117
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2f5d97d5314b65c4037161895b584e70ccafb7ee026ea3d0 (good)
;; QUESTION SECTION:
;com. IN SOA

;; ANSWER SECTION:
com. 899 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1532513892 1800
900 604800 86400

;; AUTHORITY SECTION:
. 10083 IN NS f.root-servers.net.
. 10083 IN NS k.root-servers.net.
. 10083 IN NS e.root-servers.net.
. 10083 IN NS m.root-servers.net.
. 10083 IN NS a.root-servers.net.
. 10083 IN NS j.root-servers.net.
. 10083 IN NS i.root-servers.net.
. 10083 IN NS g.root-servers.net.
. 10083 IN NS d.root-servers.net.
. 10083 IN NS c.root-servers.net.
. 10083 IN NS h.root-servers.net.
. 10083 IN NS l.root-servers.net.
. 10083 IN NS b.root-servers.net.

;; Query time: 34 msec
;; SERVER: 192.168.81.20#53(192.168.81.20)
;; WHEN: Wed Jul 25 12:18:24 CEST 2018
;; MSG SIZE  rcvd: 341

patrikx3@workstation:/media/linux-nvme/home/patrikx3$ dig @192.168.81.20 production.cloudflare.docker.com +trace

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> @192.168.81.20 production.cloudflare.docker.com +trace
; (1 server found)
;; global options: +cmd
;; Received 56 bytes from 192.168.81.20#53(192.168.81.20) in 0 ms

patrikx3@workstation:/media/linux-nvme/home/patrikx3$
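As an added example (not from the thread or from BIND), a small parser for the `query failed (SERVFAIL)` lines Patrik posted above: it tallies failures per view and per client and marks whether each failing name belongs to one of the view's own zones or is external and therefore depends on recursion or forwarding working in that view. The sample lines are the ones from the message above, re-joined; the local zone names are the two zones from Patrik's view configuration later in the thread.

```python
import re
from collections import Counter

# Shape of named's "query failed" log lines as they appear in the message above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client @0x[0-9a-f]+ (?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]+)\): view (?P<view>[^:]+): query failed \((?P<rcode>\w+)\) "
    r"for (?P<name>[^/]+)/(?P<cls>\w+)/(?P<qtype>\w*) at (?P<where>\S+)$"
)

def parse_line(line):
    """Split one query-failure line into its fields; None if the line is something else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, local_zones=()):
    """Tally SERVFAILs per view and per client, and classify each failing name as
    'local-zone' (served by the view itself) or 'external' (needs recursion/forwarding)."""
    per_view, per_client, names = Counter(), Counter(), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["rcode"] != "SERVFAIL":
            continue
        per_view[rec["view"]] += 1
        per_client[rec["addr"]] += 1
        name = rec["name"].rstrip(".").lower()
        local = any(name == z or name.endswith("." + z) for z in local_zones)
        names[name] = "local-zone" if local else "external"
    return {"per_view": dict(per_view), "per_client": dict(per_client), "names": names}

# The five log lines from the message above, re-joined onto one line each.
SAMPLE_LOG = [
    "25-Jul-2018 09:18:27.737 client @0x7faa8c062b10 192.168.78.30#55939 (ipv4.nop.hu): view internal-enp1s0f3: query failed (SERVFAIL) for ipv4.nop.hu/IN/ at ../../../bin/named/query.c:6885",
    "25-Jul-2018 09:18:27.738 client @0x7faa8c062b10 192.168.78.30#55939 (ipv4.nop.hu): view internal-enp1s0f3: query failed (SERVFAIL) for ipv4.nop.hu/IN/ at ../../../bin/named/query.c:6885",
    "25-Jul-2018 09:18:28.401 client @0x7faa8c062b10 192.168.78.30#50670 (ipv6.nop.hu): view internal-enp1s0f3: query failed (SERVFAIL) for ipv6.nop.hu/IN/A at ../../../bin/named/query.c:8402",
    "25-Jul-2018 09:18:28.401 client @0x7faac0184500 192.168.78.30#50670 (ipv6.nop.hu): view internal-enp1s0f3: query failed (SERVFAIL) for ipv6.nop.hu/IN/A at ../../../bin/named/query.c:6885",
    "25-Jul-2018 09:18:28.402 client @0x7faa8c034d00 2001:470:1f1b:5b3::b4a#41540 (ipv6.nop.hu): view internal-enp1s0f3: query failed (SERVFAIL) for ipv6.nop.hu/IN/A at ../../../bin/named/query.c:6885",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, local_zones=("patrikx3.com", "corifeus.com")))
```

A run of `external` names failing in exactly one view, while the same names resolve elsewhere, points at that view's recursion or forwarding rather than at the zones it serves.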


Re: SERVFAIL on IPv6 tunnelbroker network

2018-07-25 Thread Dns Admin

Hi Patrik,

192.168.81.20 appears to be matched to the internal-enp1s0f3 view.
This view might not be able to resolve these external DNS entries correctly.

What do you get when you try

dig @192.168.81.20 com soa

and

dig @192.168.81.20 production.cloudflare.docker.com +trace

Kind Regards, Peter



On 25/07/2018 12:08, Patrik wrote:

Hello!
Thank you very much.
So what do you mean "internal-enp1s0f3" view is configured to bump this domain?

Is this a setting?

It looks like this for my views:
view "internal-enp1s0f3" {
    match-clients { "internal-enp1s0f3"; };
    match-recursive-only yes;
    recursion yes;
    allow-recursion { "internal-enp1s0f3"; };
    notify yes;
    allow-update { none; };
    allow-query { any; };
    allow-transfer { xfer; };
    include "/etc/bind/named.conf.default-zones";

    zone "patrikx3.com" {
        type master;
        file "/etc/bind/zones/enp1s0f3/patrikx3.com";

        include "/var/lib/samba/private/named.conf.update";
    };

    zone "corifeus.com" {
        type master;
        file "/etc/bind/zones/enp1s0f3/corifeus.com";

    };

    include "/var/lib/samba/private/named.conf";

};


view "internal-enp1s0f2" {
    match-clients { "internal-enp1s0f2"; };
    match-recursive-only yes;
    recursion yes;
    allow-recursion { "internal-enp1s0f2"; };
    notify yes;
    allow-update { none; };
    allow-query { any; };
    allow-transfer { xfer; };

    include "/etc/bind/named.conf.default-zones";

    zone "patrikx3.com" {
        type master;
        file "/etc/bind/zones/enp1s0f2/patrikx3.com";

//        include "/var/lib/samba/private/named.conf.update";
    };

    zone "corifeus.com" {
        type master;
        file "/etc/bind/zones/enp1s0f2/corifeus.com";

    };

//    include "/var/lib/samba/private/named.conf";

};


view "external" {
    match-clients { any; };

    recursion no;
    additional-from-auth no;
    additional-from-cache no;

//    allow-transfer { any; }; // temporarily allowed for debugging purposes

    allow-transfer { none; };

//    zone "namesystem.tk" IN {
//        type master;
//        file "/etc/bind/zones/external.namesystem.tk";

//    };
};




Re: SERVFAIL on IPv6 tunnelbroker network

2018-07-25 Thread Patrik
Hello!
Thank you very much.
So what do you mean "internal-enp1s0f3" view is configured to bump this domain?
Is this a setting?

It looks like this for my views:
view "internal-enp1s0f3" {
match-clients { "internal-enp1s0f3"; };
match-recursive-only yes;
recursion yes;
allow-recursion { "internal-enp1s0f3"; };

notify yes;
allow-update { none; };
allow-query { any; };
allow-transfer { xfer; };
include "/etc/bind/named.conf.default-zones";

zone "patrikx3.com" {
type master;
file "/etc/bind/zones/enp1s0f3/patrikx3.com";
include "/var/lib/samba/private/named.conf.update";
};

zone "corifeus.com" {
type master;
file "/etc/bind/zones/enp1s0f3/corifeus.com";
};

include "/var/lib/samba/private/named.conf";

};


view "internal-enp1s0f2" {
match-clients { "internal-enp1s0f2"; };
match-recursive-only yes;
recursion yes;
allow-recursion { "internal-enp1s0f2"; };
notify yes;
allow-update { none; };
allow-query { any; };
allow-transfer { xfer; };

include "/etc/bind/named.conf.default-zones";

zone "patrikx3.com" {
type master;
file "/etc/bind/zones/enp1s0f2/patrikx3.com";
//include "/var/lib/samba/private/named.conf.update";
};

zone "corifeus.com" {
type master;
file "/etc/bind/zones/enp1s0f2/corifeus.com";
};

//include "/var/lib/samba/private/named.conf";

};


view "external" {
match-clients { any; };

recursion no;
additional-from-auth no;
additional-from-cache no;

//allow-transfer { any; }; // temporarily allowed for debugging purposes
allow-transfer { none; };

//zone "namesystem.tk" IN {
//type master;
//file "/etc/bind/zones/external.namesystem.tk";
//};
};

