RE: Bind 9.9 upgrade and RFC 1918 Errors

[Chris Wilson]

Thanks Matus,

The below tips fixed things ;). I did make a mistake on the zone entry.

Best Regards,

Chris W. 

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
Matus UHLAR - fantomas
Sent: Wednesday, March 14, 2018 7:53 AM
To: bind-users@lists.isc.org
Subject: Re: Bind 9.9 upgrade and RFC 1918 Errors

On 14.03.18 04:44, Chris Wilson wrote:
>I just recently upgraded one of our servers to bind 9.9, and I'm having 
>some issues.
>
>We have a legacy software application running that likes to see both 
>forward/reverse dns, however since the upgrade reverse dns is no longer 
>working. We have this server working with DHCPD to automatically update 
>zone records.


>When I try to query the server I get:
>
>[root@server1 cswilson]# nslookup 192.160.1.149
>
>** server can't find 149.1.160.192.in-addr.arpa.: NXDOMAIN

are you aware that 192.160.1.149 is NOT a RFC1918 address?

>And in the log:
>
>Mar 14 04:35:06 server1 named[2128]: client 127.0.0.1#44884
>(2.1.168.192.in-addr.arpa): RFC 1918 response from Internet for 
>2.1.168.192.in-addr.arpa

bind apparently refused your reverse zones. Try restarting it and see what's
in the logs.

>disable-empty-zone "168.192.in-addr.arpa";

you don't need that. Let BIND create empty 168.192.in-addr.arpa and
configure your zones properly.

>zone "0.1.168.192.in-addr.arpa" {
>
>type master;
>
>file "/var/named/192.168.1.0.rev";
>
>allow-update { key DHCP_UPDATER; };
>
>};

0.1.168.192.in-addr.arpa is only for one IP - 192.168.1.0.

for 192.168.1.0/24 you need reverse zone 1.168.192.in-addr.arpa


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Bind 9.9 upgrade and RFC 1918 Errors

[Matus UHLAR - fantomas]

On 14.03.18 04:44, Chris Wilson wrote:

I just recently upgraded one of our servers to bind 9.9, and I'm having some
issues.

We have a legacy software application running that likes to see both
forward/reverse dns, however since the upgrade reverse dns is no longer
working. We have this server working with DHCPD to automatically update zone
records.




When I try to query the server I get:

[root@server1 cswilson]# nslookup 192.160.1.149

** server can't find 149.1.160.192.in-addr.arpa.: NXDOMAIN


are you aware that 192.160.1.149 is NOT a RFC1918 address?


And in the log:

Mar 14 04:35:06 server1 named[2128]: client 127.0.0.1#44884
(2.1.168.192.in-addr.arpa): RFC 1918 response from Internet for
2.1.168.192.in-addr.arpa


bind apparently refused your reverse zones. Try restarting it and see what's
in the logs.


   disable-empty-zone "168.192.in-addr.arpa";


you don't need that. Let BIND create empty 168.192.in-addr.arpa and
configure your zones properly.


zone "0.1.168.192.in-addr.arpa" {

   type master;

   file "/var/named/192.168.1.0.rev";

   allow-update { key DHCP_UPDATER; };

   };


0.1.168.192.in-addr.arpa is only for one IP - 192.168.1.0.

for 192.168.1.0/24 you need reverse zone 1.168.192.in-addr.arpa


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Bind 9.9 upgrade and RFC 1918 Errors

[Chris Wilson]

Hello Everyone,

 

I just recently upgraded one of our servers to bind 9.9, and I'm having some
issues. 

 

We have a legacy software application running that likes to see both
forward/reverse dns, however since the upgrade reverse dns is no longer
working. We have this server working with DHCPD to automatically update zone
records. 

 

When I try to query the server I get:

 

[root@server1 cswilson]# nslookup 192.160.1.149

Server: 127.0.0.1

Address:127.0.0.1#53

 

** server can't find 149.1.160.192.in-addr.arpa.: NXDOMAIN

 

And in the log:

Mar 14 04:35:06 server1 named[2128]: client 127.0.0.1#44884
(2.1.168.192.in-addr.arpa): RFC 1918 response from Internet for
2.1.168.192.in-addr.arpa

Mar 14 04:35:06 server1 named[2128]: client 127.0.0.1#37262
(2.1.168.192.in-addr.arpa): RFC 1918 response from Internet for
2.1.168.192.in-addr.arpa 

 

(I have also noticed the above errors occur when doing forward lookups from
hosts on 192.168.1.x)

 

I have read up a bit on configuring 9.9 to work and be compliant with new
practices, however all I have done seems to fail. This server is located
behind a private network and does not serve any clients on the internet or
otherwise. I am probably overlooking something, but none the less after
quite a few hours of frustration I thought I would reach out for some help
and guidance as I want to make sure things stay compliant and people stay
happy ;). If anyone sees anything out of place besides the local reverse
zone as well, feel free to let me know. 

 

Any insight would be greatly appreciated Thanks a bunch in advance. 

 

Best Regards,

 

Chris W.  

 

 

I am posting my configuration just in case:

 

named.conf:

 

key DHCP_UPDATER {

algorithm HMAC-MD5.SIG-ALG.REG.INT;

secret "tJLR2IOnrk15bqfJ5kSCgw==";

};

acl recurseallow { 192.168.1.0/24; 127.0.0.1; };

options {

check-names master ignore;

check-names slave ignore;

check-names response ignore;

listen-on port 53 { 127.0.0.1; 192.168.1.2; };

listen-on-v6 { none; };

directory   "/var/named";

disable-empty-zone "168.192.in-addr.arpa";

dump-file   "/var/named/data/cache_dump.db";

statistics-file "/var/named/data/named_stats.txt";

memstatistics-file "/var/named/data/named_mem_stats.txt";

allow-query { any; };

allow-query-cache { any; };

dnssec-enable yes;

dnssec-validation yes;

bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";

session-keyfile "/run/named/session.key";

allow-recursion { recurseallow; };

recursion yes;

};

 

logging {

channel default_debug {

file "data/named.run";

severity dynamic;

};

};

 

zone "." IN {

type hint;

file "named.ca";

};

 

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

 

zone "horizon.local" {

type master;

file "/var/named/horizon.local.hosts";

allow-update { key DHCP_UPDATER; };

};

zone "0.1.168.192.in-addr.arpa" {

type master;

file "/var/named/192.168.1.0.rev";

allow-update { key DHCP_UPDATER; };

};

key rndc-key {

algorithm hmac-md5;

secret "wZNgqFie+NPZ+dT6lT0EIw==";

};

controls {

inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };

};

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users