RE: Bind 9.9 upgrade and RFC 1918 Errors
Thanks Matus, The below tips fixed things ;). I did make a mistake on the zone entry. Best Regards, Chris W. -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR - fantomas Sent: Wednesday, March 14, 2018 7:53 AM To: bind-users@lists.isc.org Subject: Re: Bind 9.9 upgrade and RFC 1918 Errors On 14.03.18 04:44, Chris Wilson wrote: >I just recently upgraded one of our servers to bind 9.9, and I'm having >some issues. > >We have a legacy software application running that likes to see both >forward/reverse dns, however since the upgrade reverse dns is no longer >working. We have this server working with DHCPD to automatically update >zone records. >When I try to query the server I get: > >[root@server1 cswilson]# nslookup 192.160.1.149 > >** server can't find 149.1.160.192.in-addr.arpa.: NXDOMAIN are you aware that 192.160.1.149 is NOT a RFC1918 address? >And in the log: > >Mar 14 04:35:06 server1 named[2128]: client 127.0.0.1#44884 >(2.1.168.192.in-addr.arpa): RFC 1918 response from Internet for >2.1.168.192.in-addr.arpa bind apparently refused your reverse zones. Try restarting it and see what's in the logs. >disable-empty-zone "168.192.in-addr.arpa"; you don't need that. Let BIND create empty 168.192.in-addr.arpa and configure your zones properly. >zone "0.1.168.192.in-addr.arpa" { > >type master; > >file "/var/named/192.168.1.0.rev"; > >allow-update { key DHCP_UPDATER; }; > >}; 0.1.168.192.in-addr.arpa is only for one IP - 192.168.1.0. for 192.168.1.0/24 you need reverse zone 1.168.192.in-addr.arpa -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "Where do you want to go to die?" [Microsoft] ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind 9.9 upgrade and RFC 1918 Errors
On 14.03.18 04:44, Chris Wilson wrote: I just recently upgraded one of our servers to bind 9.9, and I'm having some issues. We have a legacy software application running that likes to see both forward/reverse dns, however since the upgrade reverse dns is no longer working. We have this server working with DHCPD to automatically update zone records. When I try to query the server I get: [root@server1 cswilson]# nslookup 192.160.1.149 ** server can't find 149.1.160.192.in-addr.arpa.: NXDOMAIN are you aware that 192.160.1.149 is NOT a RFC1918 address? And in the log: Mar 14 04:35:06 server1 named[2128]: client 127.0.0.1#44884 (2.1.168.192.in-addr.arpa): RFC 1918 response from Internet for 2.1.168.192.in-addr.arpa bind apparently refused your reverse zones. Try restarting it and see what's in the logs. disable-empty-zone "168.192.in-addr.arpa"; you don't need that. Let BIND create empty 168.192.in-addr.arpa and configure your zones properly. zone "0.1.168.192.in-addr.arpa" { type master; file "/var/named/192.168.1.0.rev"; allow-update { key DHCP_UPDATER; }; }; 0.1.168.192.in-addr.arpa is only for one IP - 192.168.1.0. for 192.168.1.0/24 you need reverse zone 1.168.192.in-addr.arpa -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "Where do you want to go to die?" [Microsoft] ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Bind 9.9 upgrade and RFC 1918 Errors
Hello Everyone, I just recently upgraded one of our servers to bind 9.9, and I'm having some issues. We have a legacy software application running that likes to see both forward/reverse dns, however since the upgrade reverse dns is no longer working. We have this server working with DHCPD to automatically update zone records. When I try to query the server I get: [root@server1 cswilson]# nslookup 192.160.1.149 Server: 127.0.0.1 Address:127.0.0.1#53 ** server can't find 149.1.160.192.in-addr.arpa.: NXDOMAIN And in the log: Mar 14 04:35:06 server1 named[2128]: client 127.0.0.1#44884 (2.1.168.192.in-addr.arpa): RFC 1918 response from Internet for 2.1.168.192.in-addr.arpa Mar 14 04:35:06 server1 named[2128]: client 127.0.0.1#37262 (2.1.168.192.in-addr.arpa): RFC 1918 response from Internet for 2.1.168.192.in-addr.arpa (I have also noticed the above errors occur when doing forward lookups from hosts on 192.168.1.x) I have read up a bit on configuring 9.9 to work and be compliant with new practices, however all I have done seems to fail. This server is located behind a private network and does not serve any clients on the internet or otherwise. I am probably overlooking something, but none the less after quite a few hours of frustration I thought I would reach out for some help and guidance as I want to make sure things stay compliant and people stay happy ;). If anyone sees anything out of place besides the local reverse zone as well, feel free to let me know. Any insight would be greatly appreciated Thanks a bunch in advance. Best Regards, Chris W. I am posting my configuration just in case: named.conf: key DHCP_UPDATER { algorithm HMAC-MD5.SIG-ALG.REG.INT; secret "tJLR2IOnrk15bqfJ5kSCgw=="; }; acl recurseallow { 192.168.1.0/24; 127.0.0.1; }; options { check-names master ignore; check-names slave ignore; check-names response ignore; listen-on port 53 { 127.0.0.1; 192.168.1.2; }; listen-on-v6 { none; }; directory "/var/named"; disable-empty-zone "168.192.in-addr.arpa"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; allow-query-cache { any; }; dnssec-enable yes; dnssec-validation yes; bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; allow-recursion { recurseallow; }; recursion yes; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; zone "horizon.local" { type master; file "/var/named/horizon.local.hosts"; allow-update { key DHCP_UPDATER; }; }; zone "0.1.168.192.in-addr.arpa" { type master; file "/var/named/192.168.1.0.rev"; allow-update { key DHCP_UPDATER; }; }; key rndc-key { algorithm hmac-md5; secret "wZNgqFie+NPZ+dT6lT0EIw=="; }; controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; }; }; ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users