Re: Views and no answers ...
You also have these ACLs, which I find quite useful:

    allow-query { acl-list };
    allow-query-cache { acl-list };
    allow-recursion { acl-list };

As I recall, all of them are valid inside a view.

You could also try to throw in some debug logging. Here is what I do for troubleshooting:

    #> rndc querylog
    #> rndc trace 3

Then I tail all the relevant logfiles.

Mvh. / Regards
Bob

On 2011-07-28 18:31, Thomas Schweikle wrote:
> On 28.07.2011 01:18, Bob wrote:
>> These two views are identical in any way I can see, so the fault may
>> be in an included configuration file that is not included in your
>> message.
>>
>> Look for allow-query, allow-recursion or allow-cache statements in
>> your other config files.
>
> Did this. The only "allow" I could find was "allow-transfer". The only
> two parts I left out were "options", the included keys and "logging":
> [...]
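As an added example, not configuration from the thread, this named.conf fragment pins the three ACL statements above inside each of the two views from Thomas's setup; the acl names are assumptions, and `key "mskey"` is taken to be defined as in his included key file. Note that when allow-recursion is left unset at both levels, BIND 9 defaults it to allow-query-cache, then allow-query, and finally `localnets; localhost;`, so a client range the server is not directly attached to gets no recursion unless some statement grants it.

```conf
// Added example (not configuration from this thread): the three ACL
// statements placed inside each view, using the client ranges from
// Thomas's two views. The acl names are assumed.
acl "ex-clients" { 192.168.112.0/23; };
acl "in-clients" { 192.168.180.0/23; };

options {
    directory "/var/tmp/named";
    recursion yes;
    // No allow-recursion here: with nothing set at either level, BIND 9
    // falls back to "localnets; localhost;", which only covers subnets the
    // server itself is attached to.
};

view "ex" {
    match-clients     { ex-clients; };
    recursion         yes;
    allow-query       { ex-clients; };   // may ask this view at all
    allow-query-cache { ex-clients; };   // may receive cached/recursed data
    allow-recursion   { ex-clients; };   // may make the server recurse
    include "/etc/named/master/rootns.conf";
    zone "example.de." {
        type master;
        file "/etc/named/zhz/fwd.example";
        allow-transfer { key "mskey"; };  // mskey defined in mskey.key
        notify no;
    };
};

view "in" {
    match-clients     { in-clients; };
    recursion         yes;
    allow-query       { in-clients; };
    allow-query-cache { in-clients; };
    allow-recursion   { in-clients; };
    include "/etc/named/master/rootns.conf";
    zone "example.de." {
        type master;
        file "/etc/named/zhz/fwd.example";
        allow-transfer { key "mskey"; };
        notify no;
    };
};
```

Run `named-checkconf` on the result before `rndc reload`; the query log Bob enables with `rndc querylog` then shows which view each client matched.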
Re: Views and no answers ...
On 28.07.2011 01:18, Bob wrote:
> These two views are identical in any way I can see, so the fault may
> be in an included configuration file that is not included in your
> message.
>
> Look for allow-query, allow-recursion or allow-cache statements in
> your other config files.

Did this. The only "allow" I could find was "allow-transfer". The only
two parts I left out were "options", the included keys and "logging":

    options {
        directory "/var/tmp/named";
        pid-file "/var/run/named/named.pid";
        dump-file "/var/run/named/named_dump.db";
        statistics-file "/var/run/named/named.stats";
        listen-on { any; };
        #listen-on-v6 { any; };

        recursion yes;
        auth-nxdomain no;
    };
    include "/etc/named/mskey.key";
    include "/etc/named/bind.keys";
    include "/etc/bind/key.rndc";

mskey.key:

    key mskey {
        algorithm hmac-md5;
        secret ".";
    };

bind.keys:

    managed-keys {
    # NOTE: This key is current as of October 2009.
    # If it fails to initialize correctly, it may have expired;
    # see https://www.isc.org/solutions/dlv for a replacement.
    dlv.isc.org. initial-key 257 3 5 "BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
    brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
    1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
    ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
    Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
    QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
    TDN0YUuWrBNh";
    };

key.rndc:

    key "xompukey" {
        algorithm hmac-md5;
        secret "";
    };

    logging {
        channel security_log {
            file "/var/log/named/security.log";
            severity info;
            print-time yes;
        };
        channel update_log {
            file "/var/log/named/update.log";
            severity info;
            print-time yes;
        };
        channel query_log {
            file "/var/log/named/query.log";
            severity debug 3;
            print-time yes;
        };
        channel debug_log {
            file "/var/log/named/debug.log";
            severity info;
            print-time yes;
        };
        category update { update_log; };
        category queries { query_log; };
        category default { debug_log; };
        category security { security_log; };
        category unmatched { null; };
    };

Calling "dig +trace google.com" on systems located in 192.168.180.0/23:

    ; <<>> DiG 9.7.3 <<>> +trace google.com
    ;; global options: +cmd
    .                       518400  IN      NS      e.root-servers.net.
    .                       518400  IN      NS      f.root-servers.net.
    .                       518400  IN      NS      h.root-servers.net.
    .                       518400  IN      NS      i.root-servers.net.
    .                       518400  IN      NS      m.root-servers.net.
    .                       518400  IN      NS      d.root-servers.net.
    .                       518400  IN      NS      a.root-servers.net.
    .                       518400  IN      NS      g.root-servers.net.
    .                       518400  IN      NS      b.root-servers.net.
    .                       518400  IN      NS      c.root-servers.net.
    .                       518400  IN      NS      l.root-servers.net.
    .                       518400  IN      NS      j.root-servers.net.
    .                       518400  IN      NS      k.root-servers.net.
    ;; Received 244 bytes from 192.168.180.28#53(ns.example.de) in 0 ms

    com.                    172800  IN      NS      c.gtld-servers.net.
    com.                    172800  IN      NS      j.gtld-servers.net.
    com.                    172800  IN      NS      l.gtld-servers.net.
    com.                    172800  IN      NS      e.gtld-servers.net.
    com.                    172800  IN      NS      f.gtld-servers.net.
    com.                    172800  IN      NS      h.gtld-servers.net.
    com.                    172800  IN      NS      a.gtld-servers.net.
    com.                    172800  IN      NS      g.gtld-servers.net.
    com.                    172800  IN      NS      k.gtld-servers.net.
    com.                    172800  IN      NS      b.gtld-servers.net.
    com.                    172800  IN      NS      i.gtld-servers.net.
    com.                    172800  IN      NS      m.gtld-servers.net.
    com.                    172800  IN      NS      d.gtld-servers.net.
    ;; Received 488 bytes from 128.8.10.90#53(d.root-servers.net) in 100 ms

    google.com.             172800  IN      NS      ns2.google.com.
    google.com.             172800  IN      NS      ns1.google.com.
    google.com.             172800  IN      NS      ns3.google.com.
    google.com.             172800  IN      NS      ns4.google.com.
    ;; Received 164 bytes from 192.42.93.30#53(g.gtld-servers.net) in 161 ms

    g
Re: Views and no answers ...
These two views are identical in any way I can see, so the fault may
be in an included configuration file that is not included in your
message.

Look for allow-query, allow-recursion or allow-cache statements in
your other config files.

When using views, I often find it more manageable to move such options
inside the view definition.

Mvh. / Regards
Bob

On 2011-07-25 16:24, Thomas Schweikle wrote:
> Hi!
>
> I have set up a view for one site. It is bound to change answers as
> necessary for different IP-ranges. It works as far as I could see. But
> with one ip-range there is a problem ...
>
> I can query internal addresses:
>
>     user@kvm2~# host intweb.example.de
>     web.example.de has address 192.168.180.46
>
> But external ones do not work:
>
>     user@kvm2:~# host google.com
>     user@kvm2:~#
>
> The host I am trying on has address 192.168.112.4 and I've set up my
> view as:
>
>     view "ex" {
>         match-clients { 192.168.112.0/23; };
>         recursion yes;
>
>         include "/etc/named/master/rootns.conf";
>         include "/etc/named/master/localhost.conf";
>         include "/etc/named/master/empty.conf";
>
>         zone "example.de." {
>             type master;
>             allow-transfer { key "mskey"; };
>             notify no;
>             file "/etc/named/zhz/fwd.example";
>         };
>         zone "112.168.192.in-addr.arpa." {
>             type master;
>             allow-transfer { key "mskey"; };
>             notify no;
>             file "/etc/named/zin/rev.192.168.1";
>         };
>     };
>
>     view "in" {
>         match-clients { 192.168.180.0/23; };
>         recursion yes;
>
>         include "/etc/named/master/rootns.conf";
>         include "/etc/named/master/localhost.conf";
>         include "/etc/named/master/empty.conf";
>
>         zone "example.de." {
>             type master;
>             allow-transfer { key "mskey"; };
>             notify no;
>             file "/etc/named/zhz/fwd.example";
>         };
>         zone "112.168.192.in-addr.arpa." {
>             type master;
>             allow-transfer { key "mskey"; };
>             notify no;
>             file "/etc/named/zin/rev.192.168.1";
>         };
>     };
>
> Any idea why the server resolves internal names, but no external ones
> to view "ex", while it does answer internal and external names to view
> "in"?
>
> I've set up query logging, but this just tells me queries are correctly
> processed. But not why no answer was sent. In the server logs I can
> watch queries from 192.168.180.0/23 tagged with "in" and such from
> 192.168.112.0/23 with "ex". Addresses defined by my server are served
> to both clients "in" and "ex". Addresses from others like google.com
> are only served to clients from "in", not to clients from "ex" (server
> answers NXDOMAIN).

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Views and no answers ...
On 6/18/2011 12:08 AM, Thomas Schweikle wrote:
> Hi!
>
> I have set up a view for one site. It is bound to change answers as
> necessary for different IP-ranges. It works as far as I could see. But
> with one ip-range there is a problem ...
>
> I can query internal addresses:
>
>     user@kvm2~# host intweb.example.de
>     intweb.example.de has address 192.168.180.46
>
> But external ones do not work:
>
>     user@kvm2:~# host google.com
>     user@kvm2:~#
>
> The host I am trying on has address 192.168.112.4 and I've set up my
> view as:
>
>     view "ex" {
>         match-clients { 192.168.112.0/23; };
>         recursion yes;
>
>         include "/etc/named/master/rootns.conf";
>         include "/etc/named/master/localhost.conf";
>         include "/etc/named/master/empty.conf";
>
>         zone "example.de." {
>             type master;
>             allow-transfer { key "mskey"; };
>             notify no;
>             file "/etc/named/zhz/fwd.example";
>         };
>         zone "mgm.example.de." {
>             type master;
>             allow-transfer { key "mskey"; };
>             notify no;
>             file "/etc/named/zin/fwd.example.mgm";
>         };
>
>         zone "1.168.192.in-addr.arpa." {
>             type master;
>             allow-transfer { key "mskey"; };
>             notify no;
>             file "/etc/named/zin/rev.192.168.1";
>         };
>         zone "112.168.192.in-addr.arpa." {
>             type master;
>             allow-transfer { key "mskey"; };
>             notify no;
>             file "/etc/named/zin/rev.192.168.112";
>         };
>         zone "113.168.192.in-addr.arpa." {
>             type master;
>             allow-transfer { key "mskey"; };
>             notify no;
>             file "/etc/named/zin/rev.192.168.113";
>         };
>         zone "180.168.192.in-addr.arpa." {
>             type master;
>             allow-transfer { key "mskey"; };
>             notify no;
>             file "/etc/named/zin/rev.192.168.180";
>         };
>         zone "181.168.192.in-addr.arpa." {
>             type master;
>             allow-transfer { key "mskey"; };
>             notify no;
>             file "/etc/named/zin/rev.192.168.181";
>         };
>
>         zone "hz.example.de." {
>             type master;
>             allow-transfer { key "mskey"; };
>             file "/var/lib/named/fwd.example.hz";
>             allow-update { key "examplekey"; };
>         };
>         zone "in.example.de." {
>             type master;
>             allow-transfer { key "mskey"; };
>             file "/var/lib/named/fwd.example.in";
>             allow-update { key "examplekey"; };
>         };
>         zone "no.example.de." {
>             type master;
>             allow-transfer { key "mskey"; };
>             file "/var/lib/named/fwd.example.no";
>             allow-update { key "examplekey"; };
>         };
>
>         zone "1.168.192.in-dyn.arpa." {
>             type master;
>             allow-transfer { key "mskey"; };
>             file "/var/lib/named/rev.192.168.1";
>             allow-update { key "examplekey"; };
>         };
>         zone "112.168.192.in-dyn.arpa." {
>             type master;
>             allow-transfer { key "mskey"; };
>             file "/var/lib/named/rev.192.168.112";
>             allow-update { key "examplekey"; };
>         };
>         zone "113.168.192.in-dyn.arpa." {
>             type master;
>             allow-transfer { key "mskey"; };
>             file "/var/lib/named/rev.192.168.113";
>             allow-update { key "examplekey"; };
>         };
>         zone "180.168.192.in-dyn.arpa." {
>             type master;
>             allow-transfer { key "mskey"; };
>             file "/var/lib/named/rev.192.168.180";
>             allow-update { key "examplekey"; };
>         };
>         zone "181.168.192.in-dyn.arpa." {
>             type master;
>             allow-transfer { key "mskey"; };
>             file "/var/lib/named/rev.192.168.181";
>             allow-update { key "examplekey"; };
>         };
>     };
>
> Any idea why the server resolves internal names, but no external ones
> to this view, while it does answer internal and external names to
> another view (same setup, only a different "view"-line)?
>
>     view "no" {
>         match-clients { 127.0.0.1/8; 192.168.180.0/23; };
>         recursion yes;
>         [... same as above ...]
>
> I've set up query logging, but this just tells me queries are correctly
> processed. But not why no answer was sent.

1. Turn on query logging. See where the query is coming from and what
   view is being matched.
2. What's in those "include" files? You're not showing a complete
   picture of your config.
3. What on earth is "in-dyn.arpa"?
4. What's with all the trailing dots in your zone names? At the very
   least, they occupy unnecessary space; at the worst, they might be
   confusing named.