Re: Views and no answers ...

2011-07-28 Thread Bob

You also have these ACLs, which I find quite useful:

allow-query {acl-list}
allow-query-cache {acl-list}
allow-recursion {acl-list}

As I recall, all of them are valid inside a view.

You could also try to throw in some debug logging.
Here is what I do for troubleshooting:

#> rndc querylog
#> rndc trace 3

Then I tail all the relevant logfiles.


Mvh. / Regards

Bob

On 2011-07-28 18:31, Thomas Schweikle wrote:


Re: Views and no answers ...

2011-07-28 Thread Thomas Schweikle
Am 28.07.2011 01:18, schrieb Bob:
> These two views are identical in any way I can see, so the fault may
> be in an included configuration file that is not included in your
> message.
> 
> Look for allow-query, allow-recursion or allow-cache statements in
> your other config files.

Did this. The only "allow" I could find was "allow-transfer".

The only two parts I left out were "options", the included keys and
"logging":

options {
    directory   "/var/tmp/named";
    pid-file    "/var/run/named/named.pid";
    dump-file   "/var/run/named/named_dump.db";
    statistics-file "/var/run/named/named.stats";
    listen-on   { any; };
    #listen-on-v6   { any; };

    recursion yes;
    auth-nxdomain no;
};

include "/etc/named/mskey.key";
include "/etc/named/bind.keys";
include "/etc/bind/key.rndc";

mskey.key:
key mskey {
    algorithm hmac-md5;
    secret ".";
};

bind.keys:
managed-keys {
    # NOTE: This key is current as of October 2009.
    # If it fails to initialize correctly, it may have expired;
    # see https://www.isc.org/solutions/dlv for a replacement.
    dlv.isc.org. initial-key 257 3 5
        "BEPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
        brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
        1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
        ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
        Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
        QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
        TDN0YUuWrBNh";
};

key.rndc:
key "xompukey" {
    algorithm hmac-md5;
    secret "";
};


logging {
    channel security_log {
        file "/var/log/named/security.log";
        severity info;
        print-time yes;
    };
    channel update_log {
        file "/var/log/named/update.log";
        severity info;
        print-time yes;
    };
    channel query_log {
        file "/var/log/named/query.log";
        severity debug 3;
        print-time yes;
    };
    channel debug_log {
        file "/var/log/named/debug.log";
        severity info;
        print-time yes;
    };
    category update { update_log; };
    category queries { query_log; };
    category default { debug_log; };
    category security { security_log; };
    category unmatched { null; };
};


calling "dig +trace google.com" on systems located 192.168.180.0/23:
; <<>> DiG 9.7.3 <<>> +trace google.com
;; global options: +cmd
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
;; Received 244 bytes from 192.168.180.28#53(ns.example.de) in 0 ms

com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
;; Received 488 bytes from 128.8.10.90#53(d.root-servers.net) in 100 ms

google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns3.google.com.
google.com.             172800  IN      NS      ns4.google.com.
;; Received 164 bytes from 192.42.93.30#53(g.gtld-servers.net) in 161 ms

g

Re: Views and no answers ...

2011-07-27 Thread Bob
These two views are identical in any way I can see, so the fault may be 
in an included configuration file that is not included in your message.


Look for allow-query, allow-recursion or allow-cache statements in your 
other config files.


When using views, I often find it more manageable to move such options 
inside the view definition.


Mvh. / Regards
Bob

On 2011-07-25 16:24, Thomas Schweikle wrote:

Hi!

I have set up a view for one site. It is bound to change answers as
necessary for different IP-ranges. It works as far as I could see.
But with one ip-range there is a problem ...

I can query internal addresses:
user@kvm2~# host intweb.example.de
web.example.de has address 192.168.180.46

But external ones do not work:
user@kvm2:~# host google.com
user@kvm2:~#

The host I am trying on has address 192.168.112.4 and I've set up my
view as:
view "ex" {
    match-clients { 192.168.112.0/23; };
    recursion yes;

    include "/etc/named/master/rootns.conf";
    include "/etc/named/master/localhost.conf";
    include "/etc/named/master/empty.conf";

    zone "example.de." {
        type master;
        allow-transfer { key "mskey"; };
        notify no;
        file "/etc/named/zhz/fwd.example";
    };
    zone "112.168.192.in-addr.arpa." {
        type master;
        allow-transfer { key "mskey"; };
        notify no;
        file "/etc/named/zin/rev.192.168.1";
    };
};

view "in" {
    match-clients { 192.168.180.0/23; };
    recursion yes;

    include "/etc/named/master/rootns.conf";
    include "/etc/named/master/localhost.conf";
    include "/etc/named/master/empty.conf";

    zone "example.de." {
        type master;
        allow-transfer { key "mskey"; };
        notify no;
        file "/etc/named/zhz/fwd.example";
    };
    zone "112.168.192.in-addr.arpa." {
        type master;
        allow-transfer { key "mskey"; };
        notify no;
        file "/etc/named/zin/rev.192.168.1";
    };
};

Any idea why the server resolves internal names, but no external
ones to view "ex", while it does answer internal and external names
to view "in"?
I've set up query logging, but this just tells me queries are
correctly processed. But not why no answer was sent.

In the server logs I can watch queries from 192.168.180.0/23 tagged
with "in" and such from 192.168.112.0/23 with "ex". Addresses
defined by my server are served to both clients "in" and "ex".
Addresses from others like google.com are only served to clients
from "in" not to clients from "ex" (server answers NXDOMAIN).



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
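The ACLs Bob lists in his later reply (allow-query, allow-recursion inside a view) and his advice above to move such options into the view definition can be modelled to see how a single per-view ACL leaves one view answering only the names it is authoritative for. The following Python is an added example written for this thread; it is not BIND's own code and not the poster's configuration. The two views, their subnets and the stray allow-recursion on "ex" are constructed, and the model simplifies BIND's real behaviour (BIND answers a denied recursion from cache or with REFUSED; the model just reports that the ACL blocked it).

```python
"""Toy model of BIND view selection and per-view ACL evaluation.

Added example for this thread (not BIND code, not the poster's config).
Rules modelled: views are tried in order and the first match-clients hit
wins; the client must pass allow-query; a name the view is not
authoritative for also needs `recursion yes` plus a passing
allow-recursion. All addresses, zones and ACLs below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class View:
    name: str
    match_clients: List[str]
    zones: List[str]                      # zones this view is authoritative for
    recursion: bool = True
    allow_query: List[str] = field(default_factory=lambda: ["any"])
    allow_recursion: List[str] = field(default_factory=lambda: ["any"])


def acl_allows(acl: List[str], client: str) -> bool:
    """Evaluate a BIND-style address match list: elements are tested in
    order, the first one that matches decides (deny if prefixed '!'),
    and no match at all means deny. 'any' matches everything, 'none'
    matches nothing."""
    ip = ip_address(client)
    for element in acl:
        negated = element.startswith("!")
        target = element.lstrip("!").strip()
        if target == "any":
            matched = True
        elif target == "none":
            matched = False
        else:
            matched = ip in ip_network(target, strict=False)
        if matched:
            return not negated
    return False


def select_view(views: List[View], client: str) -> Optional[View]:
    """First view whose match-clients admits the client wins."""
    for view in views:
        if acl_allows(view.match_clients, client):
            return view
    return None


def is_authoritative(view: View, qname: str) -> bool:
    name = qname.rstrip(".").lower()
    for zone in view.zones:
        z = zone.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            return True
    return False


def decide(views: List[View], client: str, qname: str) -> Tuple[str, Optional[str]]:
    """Classify a query as (outcome, view name). Outcomes: NO_VIEW,
    QUERY_DENIED, AUTHORITATIVE, RECURSION_OFF, RECURSION_DENIED, RECURSE.
    Real BIND answers a denied recursion from cache or with REFUSED;
    the model only reports that the ACL blocked it."""
    view = select_view(views, client)
    if view is None:
        return "NO_VIEW", None
    if not acl_allows(view.allow_query, client):
        return "QUERY_DENIED", view.name
    if is_authoritative(view, qname):
        return "AUTHORITATIVE", view.name
    if not view.recursion:
        return "RECURSION_OFF", view.name
    if not acl_allows(view.allow_recursion, client):
        return "RECURSION_DENIED", view.name
    return "RECURSE", view.name


# Constructed views in the shape of the thread's "ex" and "in". The
# allow-recursion on "ex" points at the other view's subnet: the kind of
# stray per-view ACL Bob suggests looking for (invented here).
VIEWS = [
    View(name="ex", match_clients=["192.168.112.0/23"],
         zones=["example.de", "112.168.192.in-addr.arpa"],
         allow_recursion=["192.168.180.0/23"]),
    View(name="in", match_clients=["192.168.180.0/23"],
         zones=["example.de", "112.168.192.in-addr.arpa"]),
]

if __name__ == "__main__":
    for client, qname in [("192.168.112.4", "intweb.example.de"),
                          ("192.168.112.4", "google.com"),
                          ("192.168.180.46", "google.com"),
                          ("10.9.8.7", "google.com")]:
        print(f"{client:15} {qname:18} -> {decide(VIEWS, client, qname)}")
```

Running it shows the pattern from the thread in miniature: the "ex" client gets an authoritative answer for intweb.example.de but is blocked on google.com, while the "in" client recurses for both. The useful habit is the one Bob describes: when two views look identical, compare every address match list each view inherits or declares, not only match-clients.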


Re: Views and no answers ...

2011-06-20 Thread Kevin Darcy

On 6/18/2011 12:08 AM, Thomas Schweikle wrote:

Hi!

I have set up a view for one site. It is bound to change answers as
necessary for different IP-ranges. It works as far as I could see.
But with one ip-range there is a problem ...

I can query internal addresses:
user@kvm2~# host intweb.example.de
intweb.example.de has address 192.168.180.46

But external ones do not work:
user@kvm2:~# host google.com
user@kvm2:~#

The host I am trying on has address 192.168.112.4 and I've set up my
view as:
view "ex" {
    match-clients { 192.168.112.0/23; };
    recursion yes;

    include "/etc/named/master/rootns.conf";
    include "/etc/named/master/localhost.conf";
    include "/etc/named/master/empty.conf";

    zone "example.de." {
        type master;
        allow-transfer { key "mskey"; };
        notify no;
        file "/etc/named/zhz/fwd.example";
    };
    zone "mgm.example.de." {
        type master;
        allow-transfer { key "mskey"; };
        notify no;
        file "/etc/named/zin/fwd.example.mgm";
    };

    zone "1.168.192.in-addr.arpa." {
        type master;
        allow-transfer { key "mskey"; };
        notify no;
        file "/etc/named/zin/rev.192.168.1";
    };
    zone "112.168.192.in-addr.arpa." {
        type master;
        allow-transfer { key "mskey"; };
        notify no;
        file "/etc/named/zin/rev.192.168.112";
    };
    zone "113.168.192.in-addr.arpa." {
        type master;
        allow-transfer { key "mskey"; };
        notify no;
        file "/etc/named/zin/rev.192.168.113";
    };
    zone "180.168.192.in-addr.arpa." {
        type master;
        allow-transfer { key "mskey"; };
        notify no;
        file "/etc/named/zin/rev.192.168.180";
    };
    zone "181.168.192.in-addr.arpa." {
        type master;
        allow-transfer { key "mskey"; };
        notify no;
        file "/etc/named/zin/rev.192.168.181";
    };

    zone "hz.example.de." {
        type master;
        allow-transfer { key "mskey"; };
        file "/var/lib/named/fwd.example.hz";
        allow-update { key "examplekey"; };
    };
    zone "in.example.de." {
        type master;
        allow-transfer { key "mskey"; };
        file "/var/lib/named/fwd.example.in";
        allow-update { key "examplekey"; };
    };
    zone "no.example.de." {
        type master;
        allow-transfer { key "mskey"; };
        file "/var/lib/named/fwd.example.no";
        allow-update { key "examplekey"; };
    };

    zone "1.168.192.in-dyn.arpa." {
        type master;
        allow-transfer { key "mskey"; };
        file "/var/lib/named/rev.192.168.1";
        allow-update { key "examplekey"; };
    };
    zone "112.168.192.in-dyn.arpa." {
        type master;
        allow-transfer { key "mskey"; };
        file "/var/lib/named/rev.192.168.112";
        allow-update { key "examplekey"; };
    };
    zone "113.168.192.in-dyn.arpa." {
        type master;
        allow-transfer { key "mskey"; };
        file "/var/lib/named/rev.192.168.113";
        allow-update { key "examplekey"; };
    };
    zone "180.168.192.in-dyn.arpa." {
        type master;
        allow-transfer { key "mskey"; };
        file "/var/lib/named/rev.192.168.180";
        allow-update { key "examplekey"; };
    };
    zone "181.168.192.in-dyn.arpa." {
        type master;
        allow-transfer { key "mskey"; };
        file "/var/lib/named/rev.192.168.181";
        allow-update { key "examplekey"; };
    };
};

Any idea why the server resolves internal names, but no external
ones to this view, while it does answer internal and external names
to an other view (same setup, only a different "view"-line)?

view "no" {
    match-clients { 127.0.0.1/8; 192.168.180.0/23; };
    recursion yes;
    [... same as above ...]

I've set up query logging, but this just tells me queries are
correctly processed. But not why no answer was sent.

1. Turn on query logging. See where the query is coming from and what
view is being matched.
2. What's in those "include" files? You're not showing a complete 
picture of your config

3. What on earth is "in-dyn.arpa"?
4. What's with all the trailing dots in your zone names? At the very 
least, they occupy unnecessary space; at the worst, they might be 
confusing named.
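Kevin's first step and Bob's `rndc querylog` come down to the same thing: reading the `queries` category to see which client asked, which view it landed in, what name it asked for, and whether it asked for recursion. The following Python is an added example, not part of the thread and not ISC code. It assumes the BIND 9.x query-log line shape `client <ip>#<port>: view <name>: query: <qname> <class> <type> <flags> (<local ip>)`; the log lines, the local zone list and the view-to-subnet map are constructed for the demonstration (the stray 192.168.113.9 line is planted to show a client landing in the wrong view).

```python
"""Parse BIND query-log lines and check which view served which client.

Added example, not part of the thread and not ISC code. Assumes the
BIND 9.x `queries` category line shape
  <time> client <ip>#<port>: view <name>: query: <qname> <class> <type> <flags> (<local ip>)
with the time stamp, view and local-address parts optional. The log lines,
local zones and view-to-subnet map are constructed for the demonstration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Tuple

QUERY_RE = re.compile(
    r"^(?:(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}(?:\.\d+)?) )?"  # print-time yes
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: "                                            # "(name)" in newer BIND
    r"(?:view (?P<view>\S+): )?query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[-+][A-Za-z0-9()]*)"
    r"(?: \((?P<local>[0-9A-Fa-f.:]+)\))?\s*$"
)


def parse_query_line(line: str) -> Optional[dict]:
    """Return the fields of one query-log line, or None for any other line."""
    m = QUERY_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rd"] = rec["flags"].startswith("+")   # leading '+' means recursion desired
    rec["view"] = rec["view"] or "-"           # no views configured / not logged
    return rec


def is_local_name(qname: str, local_zones: Iterable[str]) -> bool:
    name = qname.rstrip(".").lower()
    for zone in local_zones:
        z = zone.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            return True
    return False


def summarize(lines: Iterable[str], local_zones: List[str]) -> Dict[str, Dict[str, int]]:
    """Per view: queries for our own zones vs. names that need recursion
    (and how many of the latter actually asked for recursion)."""
    out = defaultdict(lambda: {"local": 0, "external": 0, "external_rd": 0})
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue
        bucket = out[rec["view"]]
        if is_local_name(rec["qname"], local_zones):
            bucket["local"] += 1
        else:
            bucket["external"] += 1
            if rec["rd"]:
                bucket["external_rd"] += 1
    return dict(out)


def view_mismatches(lines: Iterable[str], expected: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Clients logged under a view other than the one their source address
    should select. `expected` maps view name -> CIDR, in match-clients
    order (first hit wins, like BIND). Returns (client, logged, expected)."""
    nets = [(name, ip_network(cidr)) for name, cidr in expected.items()]
    problems = []
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue
        ip = ip_address(rec["client"])
        want = next((name for name, net in nets if ip in net), None)
        if want is not None and want != rec["view"]:
            problems.append((rec["client"], rec["view"], want))
    return problems


# Constructed sample log (BIND 9.x style, print-time yes); not real traffic.
SAMPLE_LOG = [
    "28-Jul-2011 18:20:01.123 client 192.168.112.4#43210: view ex: query: intweb.example.de IN A + (192.168.180.28)",
    "28-Jul-2011 18:20:02.456 client 192.168.112.4#43211: view ex: query: google.com IN A +E (192.168.180.28)",
    "28-Jul-2011 18:20:03.789 client 192.168.180.46#51000: view in: query: google.com IN A + (192.168.180.28)",
    "28-Jul-2011 18:20:04.000 client 192.168.113.9#51001: view in: query: www.example.de IN AAAA +E (192.168.180.28)",
    "28-Jul-2011 18:20:05.000 client 10.0.0.5#53: query: . IN NS - (192.168.180.28)",
    "28-Jul-2011 18:20:06.000 zone example.de/IN/ex: loaded serial 2011072801",
]
LOCAL_ZONES = ["example.de", "112.168.192.in-addr.arpa"]
EXPECTED_VIEWS = {"ex": "192.168.112.0/23", "in": "192.168.180.0/23"}   # constructed

if __name__ == "__main__":
    for view, counts in summarize(SAMPLE_LOG, LOCAL_ZONES).items():
        print(f"view {view:4} {counts}")
    for client, logged, wanted in view_mismatches(SAMPLE_LOG, EXPECTED_VIEWS):
        print(f"client {client} logged in view {logged!r}, expected {wanted!r}")
```

Two things fall out of this that query logging alone does not make obvious: a per-view count of "external" names with the RD bit set tells you how many recursive lookups a view was asked to do (as opposed to whether it answered them, which the query log never records, which is Thomas's complaint), and the mismatch check catches a client that matches a different view than intended, which is what to look for before hunting through ACLs.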