Re: Question on query-source, transfer-source, notify-source
In message <20100804184239.4ee3b47...@britaine.cis.anl.gov>, Barry Finkel writes:

> Another question about query-source: Is there a difference between
>     query-source address 1.2.3.4;
> and
>     query-source 1.2.3.4;

No.

> My reading of the ARM implies that the two are the same, but I may be getting different results. I am not sure. Two of my colleagues ran a test last week that seemed to imply a difference, but I was not around to see exactly what tests they ran. This is BIND 9.7.1-P2.
>
> I have looked at querylogs on a server with one DNS address and one non-DNS address. I have tried both formats of query-source above; I see no difference. What I do see is this: an SOA query via the DNS address followed by an IXFR via the DNS address. This IXFR is REFUSED because this is a test server, and the master server (not under my control) does not allow zone transfers from this test address. Then I see an SOA query and an AXFR query, both on the DNS address. This AXFR is also REFUSED. Then I see an SOA query and an IXFR query via the non-DNS address! I have not looked at the code to see what BIND might be doing in sending a DNS packet via the non-DNS address. The BIND config on this machine has
>     transfer-source 1.2.3.4 port 53;
> so it should not be sending an IXFR or AXFR request via the non-DNS address.

See alt-transfer-source and use-alt-transfer-source.

> An addendum to my recent postings about two machines each with three addresses. The only reason I need all three addresses on each machine is that I have published all six addresses, and these addresses are configured in all of the machines on the three Class-B subnets that my DNS server manages. I do not want to have all of the system administrators change their machine DNS server IP addresses.
>
> --
> Barry S. Finkel
> Computing and Information Systems Division
> Argonne National Laboratory          Phone:     +1 (630) 252-7277
> 9700 South Cass Avenue               Facsimile: +1 (630) 252-4601
> Building 240, Room 5.B.8             Internet:  bsfin...@anl.gov
> Argonne, IL 60439-4828               IBMMAIL:   I1004994

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
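Mark's one-line pointer is the whole answer to the "why does the retry leave via the non-DNS address" puzzle, so here is an added named.conf fragment that is not from the thread or from ISC: it pins every outbound source to the published address and switches off the fallback. The addresses (192.0.2.10 as the published DNS address, 192.0.2.1 as the base address), the zone name and the directory path are assumptions for illustration. The behaviour it works around is documented in the BIND 9 ARM: when no views are configured, use-alt-transfer-source defaults to yes (for BIND 8 compatibility), and alt-transfer-source defaults to the wildcard address, so after a transfer from transfer-source is REFUSED, named retries from whatever address the kernel picks, which is exactly the SOA/IXFR pair on the non-DNS address seen in the querylog above.

```conf
// Added example (not from the thread). Assumed addresses:
//   192.0.2.10  published DNS address (the one clients and the master know)
//   192.0.2.1   base/management address (must never source DNS traffic)
options {
    directory "/var/cache/bind";   // assumed path

    // Serve DNS only on the published address.
    listen-on { 192.0.2.10; };
    listen-on-v6 { none; };

    // Outbound recursive queries. No "port" clause: named then picks a
    // random source port per query; pinning it to 53 defeats that and
    // makes cache poisoning easier. "query-source address X;" and
    // "query-source X;" are equivalent, as Mark confirms above.
    query-source address 192.0.2.10;

    // Inbound AXFR/IXFR (TCP) and the SOA refresh queries (UDP) that
    // precede them.
    transfer-source 192.0.2.10;

    // NOTIFY messages sent to secondaries.
    notify-source 192.0.2.10;

    // Without views, use-alt-transfer-source defaults to yes and
    // alt-transfer-source defaults to the wildcard address, so a REFUSED
    // transfer is retried from an unpinned source. Turn the fallback off.
    use-alt-transfer-source no;

    // Do not hand out zones to anyone unless a zone stanza says otherwise.
    allow-transfer { none; };
};

// Per-zone settings override the options block, so an explicit
// transfer-source here is the place to look if one zone still leaks.
zone "example.test" {            // assumed zone name
    type slave;
    file "db.example.test";
    masters { 192.0.2.20; };     // assumed hidden master
    transfer-source 192.0.2.10;
};
```

Validate the syntax with `named-checkconf /etc/bind/named.conf` before reloading, then confirm the fix the same way Barry found the problem, from outside named: `tcpdump -ni any 'port 53 and src host 192.0.2.1'` on the server should stay silent across a forced refresh (`rndc refresh example.test`) even when the master still refuses the transfer.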
Re: Question on query-source, transfer-source, notify-source
On 7/28/10, I wrote:

> I have a BIND config question. First some history. My initial two DNS servers (A and B) had three NICs and three IP addresses. Then I installed two additional servers (C and D), each with one NIC; each server has one base address and one DNS address. All four servers run Solaris. When I installed C and D, I placed in the config file
>     query-source address dns-address;
>     transfer-source dns-address;
>     notify-source dns-address;
> Then we changed servers A and B to new hardware, and we have, in addition to the three NICs each, a base, non-DNS address for each. We made no config file changes, and no users have reported problems. These new servers A and B have been running for a few years.
>
> Now, I am converting all four servers to an Ubuntu platform, and I am revisiting the config file. In looking through various firewall and DNS query logs, I see that machines A and B are using the non-DNS address for DNS activity. A and B are sending queries to the Internet and queries to the hidden BIND master via the non-DNS addresses. The Internet queries are being blocked at the firewall because we do not allow non-registered DNS addresses to send DNS queries to the Internet, and the non-DNS addresses have no firewall conduits.
>
> I can add the three options directives above, as I have done on servers C and D, but the ARM seems to imply that I can list only one address in each directive, and I have three DNS addresses for each server. The BIND is 9.7.x on all machines. Does anyone have suggestions? Thanks.

and Chris Buxton <chris.p.bux...@gmail.com> replied:

> Why do you need 3 DNS interfaces on one box? Why do you need the extra interface? Perhaps you could simplify, or split the three addresses across multiple hosts, or even run multiple instances of named on each box.

Historical. The DNS servers serve three Class-B subnets, and it was decided when the servers were placed in production many years ago that they should have an address on each of the Class-B subnets. One of the subnets had a /22 that was used for buildings on campus that did not have IP connectivity; they got their IP via the phone system copper and a device plugged in to the phone jack. We had to have a DNS server on that /22.

We have decided that since we can only place one address in the
    query-source address dns-address;
    transfer-source dns-address;
    notify-source dns-address;
statements, we will choose one of the three addresses on each server and use it. I believe that it makes no difference if we use the same address in each of the three statements, or if we use a different address in each.

--
Barry S. Finkel
Computing and Information Systems Division, Argonne National Laboratory
Question on query-source, transfer-source, notify-source
I have a BIND config question. First some history. My initial two DNS servers (A and B) had three NICs and three IP addresses. Then I installed two additional servers (C and D), each with one NIC; each server has one base address and one DNS address. All four servers run Solaris. When I installed C and D, I placed in the config file
    query-source address dns-address;
    transfer-source dns-address;
    notify-source dns-address;
Then we changed servers A and B to new hardware, and we have, in addition to the three NICs each, a base, non-DNS address for each. We made no config file changes, and no users have reported problems. These new servers A and B have been running for a few years.

Now, I am converting all four servers to an Ubuntu platform, and I am revisiting the config file. In looking through various firewall and DNS query logs, I see that machines A and B are using the non-DNS address for DNS activity. A and B are sending queries to the Internet and queries to the hidden BIND master via the non-DNS addresses. The Internet queries are being blocked at the firewall because we do not allow non-registered DNS addresses to send DNS queries to the Internet, and the non-DNS addresses have no firewall conduits.

I can add the three options directives above, as I have done on servers C and D, but the ARM seems to imply that I can list only one address in each directive, and I have three DNS addresses for each server. The BIND is 9.7.x on all machines. Does anyone have suggestions? Thanks.

--
Barry S. Finkel
Computing and Information Systems Division, Argonne National Laboratory
Re: Question on query-source, transfer-source, notify-source
Why do you need 3 DNS interfaces on one box? Why do you need the extra interface? Perhaps you could simplify, or split the three addresses across multiple hosts, or even run multiple instances of named on each box.

Regards,
Chris

On 7/28/10, Barry Finkel <b19...@anl.gov> wrote:

> I have a BIND config question. First some history. My initial two DNS servers (A and B) had three NICs and three IP addresses. Then I installed two additional servers (C and D), each with one NIC; each server has one base address and one DNS address. All four servers run Solaris. When I installed C and D, I placed in the config file
>     query-source address dns-address;
>     transfer-source dns-address;
>     notify-source dns-address;
> Then we changed servers A and B to new hardware, and we have, in addition to the three NICs each, a base, non-DNS address for each. We made no config file changes, and no users have reported problems. These new servers A and B have been running for a few years.
>
> Now, I am converting all four servers to an Ubuntu platform, and I am revisiting the config file. In looking through various firewall and DNS query logs, I see that machines A and B are using the non-DNS address for DNS activity. A and B are sending queries to the Internet and queries to the hidden BIND master via the non-DNS addresses. The Internet queries are being blocked at the firewall because we do not allow non-registered DNS addresses to send DNS queries to the Internet, and the non-DNS addresses have no firewall conduits.
>
> I can add the three options directives above, as I have done on servers C and D, but the ARM seems to imply that I can list only one address in each directive, and I have three DNS addresses for each server. The BIND is 9.7.x on all machines. Does anyone have suggestions? Thanks.
>
> --
> Barry S. Finkel
> Computing and Information Systems Division, Argonne National Laboratory