Re: caching nameserver (was Resolving hostnames takes "forever")

2002-11-02 Thread Matthew Seaman
On Sat, Nov 02, 2002 at 02:31:06PM -0800, paul beard wrote:
> Matthew Seaman wrote:

> >to /etc/rc.conf, and put the IP number of your server as the first
> >choice in /etc/resolv.conf:
> >
> >nameserver 12.34.56.78
> >
> >for the correct value of "12.34.56.78"
> 
> I've done this, but I can't get 192.168.2.1 to resolve addresses 
> in nslookup unless I drop into interactive mode and specify it. 

That's nslookup for you.  You don't seem to have a reverse domain for
2.168.192.in-addr.arpa set up anywhere, so nslookup throws a wobbly
about being asked to look stuff up at an address in that range.
There's a reason it's been deprecated in BIND 9.  Two much better
tools are 'host' and 'dig'.  Try:

host ftp.freebsd.org

dig ftp.freebsd.org
 
> >Note however that this configuration will allow anyone on the net who
> >can get packets to port 53 of your server to use your named to do
> >recursive lookups --- consult the named.conf(5) man page and the
> >documentation at http://www.isc.org/products/BIND/docs/index.html to
> >find out how to configure it better.
> 
> This looks like something you can do with an acl to permit only 
> your local network(s). I'm not sure how I invoke it after I set it.
> 
> As near as I can make out, this is what I need to permit only 
> queries from my local network.
> 
> // acl list
>acl home {
>   192.168.2/255.255.255.0
>};

You're missing a ';' amongst other things --- named.conf likes to have
a liberal sprinkling of semi-colons.

acl "home" {
192.168.2.0/24;
};

Note that it's 'network address / length of netmask'. You don't have
to put quotes around the acl name, but it's good practice to avoid
potential conflict with key words.

The acl definitions are top level statements in the config file,
i.e. outside the 'options' block.
 
> allow_query {
>address_match_list (home);
>};

There are four built-in acls that you can use.  'localhost' is a
list of all the configured interfaces on the server and 'localnets'
is a list of all the directly attached networks.  Then there's 'any'
and 'none', which are self explanatory.

Just write the name of the acl literally in the allow-query or
allow-recursion or whatever statement, e.g.:

allow-query {
localnets;
};

or 

allow-recursion {
"home";
};

If you used quotes in the definition of the acl, then you should use
them for any reference to the acl.

These can be put into the options { }; block, which makes them into
default values for the whole server, or they may be inserted into a
view { }; or zone { }; statement to have a more narrow effect.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
Tel: +44 1628 476614
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
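A complete named.conf fragment putting together the pieces from the message above (a top-level acl definition, allow-query and allow-recursion referencing it by name, and a narrower zone-level override). This is an added example, not configuration from either poster: the 192.168.2.0/24 network is the one from the thread, while the zone name example.net, the file paths and the directory setting are assumed for illustration.

```conf
// Added example (not from the original thread): restrict recursion on a
// caching nameserver to the local LAN.  192.168.2.0/24 is the network
// from the thread; example.net and the file paths are assumed.

// acl statements are top level, outside options { }; every element
// and the block itself end in ';'.
acl "home" {
        192.168.2.0/24;     // network address / prefix length
        localhost;          // built-in: the server's own interfaces
};

options {
        directory "/etc/namedb";    // assumed: FreeBSD's usual location

        // Weak setting: the thread warns that the stock config answers
        // recursive queries for anyone who can reach port 53, which is
        // what this would spell out.  Do not use:
        // allow-recursion { any; };

        // Corrected: only the "home" acl may query and recurse.  The name
        // was quoted in the definition, so quote it here as well.
        allow-query { "home"; };
        allow-recursion { "home"; };
};

// A zone { }; statement narrows the scope: an authoritative zone (assumed)
// can be served to anyone while recursion stays restricted by the
// server-wide defaults in options { }; above.
zone "example.net" {
        type master;
        file "master/example.net";   // relative to 'directory'
        allow-query { any; };
};
```

Check the result with the tools Matthew recommends: from a host inside 192.168.2.0/24, `dig @192.168.2.1 ftp.freebsd.org` should return an answer with the 'ra' (recursion available) flag set, while the same query from outside the acl should be refused.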



caching nameserver (was Resolving hostnames takes "forever")

2002-11-02 Thread paul beard
Matthew Seaman wrote:


Not knowing anything about your site, that's not something I can give
a definite answer to.  However, running a DNS cache on a local LAN
segment is pretty simple to do, and usually improves performance.  If
you run the /etc/namedb/make-localhost script and then fire up the
default named with the config that comes with FreeBSD, it will act as
a caching nameserver.


This answers questions I didn't realize I had . . . .

Couple of niggling details: I found I had to run the 
make-localhost script from w/in /etc/named. It looks in "." for a 
needed file, rather than /etc/named. Perhaps set a value for 
${NAMED_DIR}?

Next I did these:
Add:

named_enable="YES"
named_flags="-u bind -g bind"

to /etc/rc.conf, and put the IP number of your server as the first
choice in /etc/resolv.conf:

nameserver 12.34.56.78

for the correct value of "12.34.56.78"


I've done this, but I can't get 192.168.2.1 to resolve addresses 
in nslookup unless I drop into interactive mode and specify it. 
Examples follow:

[/etc/namedb]# nslookup
*** Can't find server name for address 192.168.2.1: Non-existent 
host/domain
Default Server:  ns1.attbi.com
Address:  204.127.198.4

[/etc/namedb]# nslookup
*** Can't find server name for address 192.168.2.1: Non-existent 
host/domain
Default Server:  ns1.attbi.com
Address:  204.127.198.4

> server 192.168.2.1
Default Server:  [192.168.2.1]
Address:  192.168.2.1

> ftp.freebsd.org
Server:  [192.168.2.1]
Address:  192.168.2.1

Non-authoritative answer:
Name:ftp.beastie.tdk.net
Address:  62.243.72.50
Aliases:  ftp.freebsd.org

Note however that this configuration will allow anyone on the net who
can get packets to port 53 of your server to use your named to do
recursive lookups --- consult the named.conf(5) man page and the
documentation at http://www.isc.org/products/BIND/docs/index.html to
find out how to configure it better.


This looks like something you can do with an acl to permit only 
your local network(s). I'm not sure how I invoke it after I set it.

As near as I can make out, this is what I need to permit only 
queries from my local network.

// acl list
   acl home {
  192.168.2/255.255.255.0
   };

allow_query {
   address_match_list (home);
   };

--
Paul Beard / 8040 27th Ave NE / Seattle WA 98115 /
paulbeard [at] mac [ dot] com / 206 529 8400

weblog @ 

In Seattle, Washington, it is illegal to carry a concealed weapon that
is over six feet in length.

