Re: Views and no answers ...
IN A 209.85.148.103
!google.com. 300 IN A 209.85.148.99
!google.com. 300 IN A 209.85.148.104
!google.com. 300 IN A 209.85.148.147
!google.com. 300 IN A 209.85.148.106
!google.com. 300 IN A 209.85.148.105
!;; Received 124 bytes from 216.239.38.10#53(ns4.google.com) in
!95 ms

calling dig +trace google.com on systems located 192.168.112.0/23:
!; DiG 9.7.3 +trace google.com
!;; global options: +cmd
!. 518400 IN NS l.root-servers.net.
!. 518400 IN NS g.root-servers.net.
!. 518400 IN NS d.root-servers.net.
!. 518400 IN NS i.root-servers.net.
!. 518400 IN NS k.root-servers.net.
!. 518400 IN NS c.root-servers.net.
!. 518400 IN NS j.root-servers.net.
!. 518400 IN NS a.root-servers.net.
!. 518400 IN NS e.root-servers.net.
!. 518400 IN NS f.root-servers.net.
!. 518400 IN NS b.root-servers.net.
!. 518400 IN NS h.root-servers.net.
!. 518400 IN NS m.root-servers.net.
!;; Received 228 bytes from 192.168.180.28#53(ns.example.de) in 24
!ms
!
!;; connection timed out; no servers could be reached

Any of the servers can be reached from both subnets:
!# ping a.gtld-servers.net
!PING a.gtld-servers.net (192.5.6.30) 56(84) bytes of data.
!64 bytes from a.gtld-servers.net (192.5.6.30): icmp_req=1 ttl=117
!time=127 ms
!64 bytes from a.gtld-servers.net (192.5.6.30): icmp_req=2 ttl=117
!time=128 ms

and on the other subnet (using ip-address):
!$ ping 192.5.6.30
!PING 192.5.6.30 (192.5.6.30) 56(84) bytes of data.
!64 bytes from 192.5.6.30: icmp_req=1 ttl=118 time=129 ms
!64 bytes from 192.5.6.30: icmp_req=2 ttl=118 time=129 ms
!64 bytes from 192.5.6.30: icmp_req=3 ttl=118 time=129 ms

? --- I am a little bit lost at the moment ...

When using views, I often find it more manageable to move such options inside the view definition.

Mvh. / Regards
Bob

On 2011-07-25 16:24, Thomas Schweikle wrote:

Hi!

I have set up a view for one site. It is bound to change answers as necessary for different IP-ranges. It works as far as I could see. But with one ip-range there is a problem ...

I can query internal addresses:
!user@kvm2~# host intweb.example.de
!web.example.de has address 192.168.180.46

But external ones do not work:
!user@kvm2:~# host google.com
!user@kvm2:~#

The host I am trying on has address 192.168.112.4 and I've set up my view as:
!view ex {
!match-clients { 192.168.112.0/23; };
!recursion yes;
!
!include /etc/named/master/rootns.conf;
!include /etc/named/master/localhost.conf;
!include /etc/named/master/empty.conf;
!
!zone example.de. {
!type master;
!allow-transfer { key mskey; };
!notify no;
!file /etc/named/zhz/fwd.example;
!};
!zone 112.168.192.in-addr.arpa. {
!type master;
!allow-transfer { key mskey; };
!notify no;
!file /etc/named/zin/rev.192.168.1;
!};
!};
!view in {
!match-clients { 192.168.180.0/23; };
!recursion yes;
!
!include /etc/named/master/rootns.conf;
!include /etc/named/master/localhost.conf;
!include /etc/named/master/empty.conf;
!
!zone example.de. {
!type master;
!allow-transfer { key mskey; };
!notify no;
!file /etc/named/zhz/fwd.example;
!};
!zone 112.168.192.in-addr.arpa. {
!type master;
!allow-transfer { key mskey; };
!notify no;
!file /etc/named/zin/rev.192.168.1;
!};
!};

Any idea why the server resolves internal names, but no external ones to view ex, while it does answer internal and external names to view in?

I've set up query logging, but this just tells me queries are correctly processed. But not why no answer was sent.

In the server logs I can watch queries from 192.168.180.0/23 tagged with in and such from 192.168.112.0/23 with ex. Addresses defined by my server are served to both clients in and ex. Addresses from others like google.com are only served to clients from in not to clients from ex (server answers NXDOMAIN).

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
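How to read the two traces quoted in this message, as an added example that is not part of the original posts: dig +trace asks the configured resolver only for the root NS set and then sends every later query itself, directly from the host running dig, so the hop after which it stops shows how far that host's own port-53 traffic gets. The samples are constructed from the output above; the middle hops of COMPLETE and the name analyse_trace are assumptions.

```python
import re

# Constructed samples shaped like the dig +trace output quoted in the thread.
# FAILED: trace from the 192.168.112.0/23 client, root NS list abridged.
# COMPLETE: middle hops and byte counts are constructed for illustration.
FAILED = """\
. 518400 IN NS l.root-servers.net.
. 518400 IN NS a.root-servers.net.
;; Received 228 bytes from 192.168.180.28#53(ns.example.de) in 24 ms

;; connection timed out; no servers could be reached
"""
COMPLETE = """\
. 518400 IN NS a.root-servers.net.
;; Received 228 bytes from 192.168.180.28#53(ns.example.de) in 24 ms
com. 172800 IN NS a.gtld-servers.net.
;; Received 488 bytes from 192.5.5.241#53(f.root-servers.net) in 30 ms
google.com. 172800 IN NS ns4.google.com.
;; Received 164 bytes from 192.5.6.30#53(a.gtld-servers.net) in 127 ms
google.com. 300 IN A 209.85.148.99
;; Received 124 bytes from 216.239.38.10#53(ns4.google.com) in 95 ms
"""

RECEIVED = re.compile(r"^;; Received \d+ bytes from (\S+)#(\d+)\((\S+)\)")
RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+\S+")


def analyse_trace(text):
    """Split dig +trace output into hops and say where the walk stopped."""
    hops, pending, timed_out = [], [], False
    for line in text.splitlines():
        if "connection timed out" in line:
            timed_out = True
        elif (m := RECEIVED.match(line)):
            # Records printed before a "Received" line came from that server.
            owner, rtype = pending[0] if pending else ("?", "?")
            hops.append({"server": m.group(1), "name": m.group(3),
                         "zone": owner, "type": rtype})
            pending = []
        elif (m := RECORD.match(line)):
            pending.append((m.group(1), m.group(2)))
    if not timed_out:
        verdict = "complete"
    elif len(hops) <= 1:
        # Only the configured resolver answered (hop 1 is the root NS list).
        verdict = "no reply beyond local resolver"
    else:
        verdict = "no reply from servers delegated by " + hops[-1]["name"]
    return hops, verdict
```

A successful ping to the same address, as in the output above, exercises ICMP only and does not show that UDP or TCP port 53 passes along the same path.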
Views and no answers ...
Hi!

I have set up a view for one site. It is bound to change answers as necessary for different IP-ranges. It works as far as I could see. But with one ip-range there is a problem ...

I can query internal addresses:
!user@kvm2~# host intweb.example.de
!web.example.de has address 192.168.180.46

But external ones do not work:
!user@kvm2:~# host google.com
!user@kvm2:~#

The host I am trying on has address 192.168.112.4 and I've set up my view as:
!view ex {
!match-clients { 192.168.112.0/23; };
!recursion yes;
!
!include /etc/named/master/rootns.conf;
!include /etc/named/master/localhost.conf;
!include /etc/named/master/empty.conf;
!
!zone example.de. {
!type master;
!allow-transfer { key mskey; };
!notify no;
!file /etc/named/zhz/fwd.example;
!};
!zone 112.168.192.in-addr.arpa. {
!type master;
!allow-transfer { key mskey; };
!notify no;
!file /etc/named/zin/rev.192.168.1;
!};
!};
!view in {
!match-clients { 192.168.180.0/23; };
!recursion yes;
!
!include /etc/named/master/rootns.conf;
!include /etc/named/master/localhost.conf;
!include /etc/named/master/empty.conf;
!
!zone example.de. {
!type master;
!allow-transfer { key mskey; };
!notify no;
!file /etc/named/zhz/fwd.example;
!};
!zone 112.168.192.in-addr.arpa. {
!type master;
!allow-transfer { key mskey; };
!notify no;
!file /etc/named/zin/rev.192.168.1;
!};
!};

Any idea why the server resolves internal names, but no external ones to view ex, while it does answer internal and external names to view in?

I've set up query logging, but this just tells me queries are correctly processed. But not why no answer was sent.

In the server logs I can watch queries from 192.168.180.0/23 tagged with in and such from 192.168.112.0/23 with ex. Addresses defined by my server are served to both clients in and ex. Addresses from others like google.com are only served to clients from in not to clients from ex (server answers NXDOMAIN).
--
Thomas
Re: forward name resolution OK, but reverse doesn't work ...
On 18.06.2011 02:54, Mark Andrews wrote:

The root servers no longer serve arpa or in-addr.arpa. See the following for where to transfer these zones from now.

http://seclists.org/nanog/2011/Feb/1453

Arr! Seems I'd overlooked that ... :-(
I've corrected my config file. Now it works again!

Thanks for directing me to the right paper!

--
Thomas
Re: forward name resolution OK, but reverse doesn't work ...
On 17.06.2011 23:29, Eivind Olsen wrote:

Thomas Schweikle wrote:

But not reverse:
!user@ks1:~$ host 74.125.79.99
!Host 99.79.125.74.in-addr.arpa not found: 2(SERVFAIL)

...

!zone in-addr.arpa {
! type slave;
! file /var/cache/named/root/in-addr.arpa.slave;
! masters { 192.5.5.241; };
! notify no;
!};

You seem to have set up slaving of the in-addr.arpa from 192.5.5.241 (f.root-servers.net), but that's not one of the authoritative servers for in-addr.arpa. Remove the slaving of in-addr.arpa from your configuration. Or check if it's possible / allowed to slave it from any of the 6 in-addr.arpa nameservers: [a-f].in-addr-servers.arpa

I'm guessing your logs also have entries about being unable to do zone transfers of in-addr.arpa.

This was one of the problems --- no errors within logs at all. But I could fix the whole thing now with given servers in the announcement letter. All OK again.

Hopefully next time I do not miss such an announcement!

--
Thomas
Views and no answers ...
Hi!

I have set up a view for one site. It is bound to change answers as necessary for different IP-ranges. It works as far as I could see. But with one ip-range there is a problem ...

I can query internal addresses:
!user@kvm2~# host intweb.example.de
!intweb.example.de has address 192.168.180.46

But external ones do not work:
!user@kvm2:~# host google.com
!user@kvm2:~#

The host I am trying on has address 192.168.112.4 and I've set up my view as:
!view ex {
!match-clients { 192.168.112.0/23; };
!recursion yes;
!
!include /etc/named/master/rootns.conf;
!include /etc/named/master/localhost.conf;
!include /etc/named/master/empty.conf;
!
!zone example.de. {
!type master;
!allow-transfer { key mskey; };
!notify no;
!file /etc/named/zhz/fwd.example;
!};
!zone mgm.example.de. {
!type master;
!allow-transfer { key mskey; };
!notify no;
!file /etc/named/zin/fwd.example.mgm;
!};
!
!zone 1.168.192.in-addr.arpa. {
!type master;
!allow-transfer { key mskey; };
!notify no;
!file /etc/named/zin/rev.192.168.1;
!};
!zone 112.168.192.in-addr.arpa. {
!type master;
!allow-transfer { key mskey; };
!notify no;
!file /etc/named/zin/rev.192.168.112;
!};
!zone 113.168.192.in-addr.arpa. {
!type master;
!allow-transfer { key mskey; };
!notify no;
!file /etc/named/zin/rev.192.168.113;
!};
!zone 180.168.192.in-addr.arpa. {
!type master;
!allow-transfer { key mskey; };
!notify no;
!file /etc/named/zin/rev.192.168.180;
!};
!zone 181.168.192.in-addr.arpa. {
!type master;
!allow-transfer { key mskey; };
!notify no;
!file /etc/named/zin/rev.192.168.181;
!};
!
!zone hz.example.de. {
!type master;
!allow-transfer { key mskey; };
!file /var/lib/named/fwd.example.hz;
!allow-update { key examplekey; };
!};
!zone in.example.de. {
!type master;
!allow-transfer { key mskey; };
!file /var/lib/named/fwd.example.in;
!allow-update { key examplekey; };
!};
!zone no.example.de. {
!type master;
!allow-transfer { key mskey; };
!file /var/lib/named/fwd.example.no;
!allow-update { key examplekey; };
!};
!
!zone 1.168.192.in-dyn.arpa. {
!type master;
!allow-transfer { key mskey; };
!file /var/lib/named/rev.192.168.1;
!allow-update { key examplekey; };
!};
!zone 112.168.192.in-dyn.arpa. {
!type master;
!allow-transfer { key mskey; };
!file /var/lib/named/rev.192.168.112;
!allow-update { key examplekey; };
!};
!zone 113.168.192.in-dyn.arpa. {
!type master;
!allow-transfer { key mskey; };
!file /var/lib/named/rev.192.168.113;
!allow-update { key examplekey; };
!};
!zone 180.168.192.in-dyn.arpa. {
!type master;
!allow-transfer { key mskey; };
!file /var/lib/named/rev.192.168.180;
!allow-update { key examplekey; };
!};
!zone 181.168.192.in-dyn.arpa. {
!type master;
!allow-transfer { key mskey; };
!file /var/lib/named/rev.192.168.181;
!allow-update { key examplekey; };
!};
!};

Any idea why the server resolves internal names, but no external ones to this view, while it does answer internal and external names to another view (same setup, only a different view-line)?
!view no {
!match-clients { 127.0.0.1/8; 192.168.180.0/23; };
!recursion yes;
![... same as above ...]

I've set up query logging, but this just tells me queries are correctly processed. But not why no answer was sent.

--
Thomas
forward name resolution OK, but reverse doesn't work ...
Hi!

I am having some problem with my nameserver:

It resolves forward:
!user@ks1:~$ host google.com
!google.com has address 74.125.79.147
!google.com has address 74.125.79.99
!google.com has address 74.125.79.104
!google.com mail is handled by 50 alt4.aspmx.l.google.com.
!google.com mail is handled by 10 aspmx.l.google.com.
!google.com mail is handled by 20 alt1.aspmx.l.google.com.
!google.com mail is handled by 30 alt2.aspmx.l.google.com.
!google.com mail is handled by 40 alt3.aspmx.l.google.com.

But not reverse:
!user@ks1:~$ host 74.125.79.99
!Host 99.79.125.74.in-addr.arpa not found: 2(SERVFAIL)

Main configuration (partly shortened):
!options {
!directory /var/tmp/named;
!pid-file /var/run/named/named.pid;
!dump-file /var/run/named/named_dump.db;
!statistics-file /var/run/named/named.stats;
!listen-on { any; };
!#listen-on-v6 { any; };
!recursion yes;
!auth-nxdomain no;
!};
!
!// slave to root name servers
!zone . {
! type slave;
! file /var/cache/named/root/root.slave;
! masters { 192.5.5.241; };
! notify no;
!};
!
!zone arpa {
! type slave;
! file /var/cache/named/root/arpa.slave;
! masters { 192.5.5.241; };
! notify no;
!};
!
!zone in-addr.arpa {
! type slave;
! file /var/cache/named/root/in-addr.arpa.slave;
! masters { 192.5.5.241; };
! notify no;
!};
!
!// RFC 1912 (and BCP 32 for localhost)
!zone localhost {
! type master;
! file /etc/named/master/localhost-forward.db;
!};
!
!zone 127.in-addr.arpa {
! type master;
! file /etc/named/master/localhost-reverse.db;
!};

localhost-forward.db:
!$TTL 3h
!localhost. SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
!; Serial, Refresh, Retry, Expire, Neg. cache TTL
!
!NS localhost.
!
!A 127.0.0.1
!::1

localhost-reverse.db:
!$TTL 3h
!@ SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
!; Serial, Refresh, Retry, Expire, Neg. cache TTL
!
!NS localhost.
!
!1.0.0 PTR localhost.
!
!1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0\
! PTR localhost.

The server has AFAIS all root servers available:
!$ORIGIN .
!$TTL 86400 ; 1 day
!@ IN SOA a.root-servers.net.\
! nstld.verisign-
!grs.com. (
!2011061700 ; serial
!1800 ; refresh (30 minutes)
!900 ; retry (15 minutes)
!604800 ; expire (1 week)
!86400 ; minimum (1 day)
!)
!RRSIG SOA 8 0 86400 2011062400 (
!2011061623 34525 .
!kKIgiv5epNOi/mWtHYtH/Zwj6O6pV+wB09rnMiaTrYRk
!HKqH7CCBdnIei6Kc1ghTRgdPwzrpgxzB3VHH/IfjEGbM
!3sNGzMOYFtykMD1xjE93hBUU08yd1ojchWW2AXayGEJZ
!5UOkaiA7cN3txThTtd1/r+k1zR5pvL+S6Pt7TTE= )
!$TTL 518400 ; 6 days
!NS a.root-servers.net.
!NS b.root-servers.net.
!NS c.root-servers.net.
!NS d.root-servers.net.
!NS e.root-servers.net.
!NS f.root-servers.net.
!NS g.root-servers.net.
!NS h.root-servers.net.
!NS i.root-servers.net.
!NS j.root-servers.net.
!NS k.root-servers.net.
!NS l.root-servers.net.
!NS m.root-servers.net.
!RRSIG NS 8 0 518400 2011062400 (
!2011061623 34525 .
! KgMPA/Ucp/cFQHQ36kFe8lhVV6ckJx8Zk8Mm2aiKIxOB
! v9fsM3qYyGOOqnNUGPr7V0X604r5xaePysUNy0iET+Ga
! 9WPmPeEX9438srt54qEDCBeCqn5Zbjo1lOVTrykAvtBI
! Y8ONwpp0DcDw9D7mTyBzp+ARLVG56jaZ5AucyGQ= )

[... heavily shortened -- the file has about 211k length ...]

Any idea, what is wrong here and where to change configuration to make reverse dns-lookups happen?

--
Thomas