First, a hearty thanks for your responses to date.

I have tried to apply the suggested changes, but it has not changed the
initial behaviour,
so I am still missing something...

Additional suggestions? I am going to look at host, whois and nslookup
for more info. thx, jackc...


default.log:13-Nov-2020 13:30:43.484 query-errors: info: client @0x7f98541abfc0 40.69.104.72#54502 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
default.log:13-Nov-2020 13:30:49.778 query-errors: info: client @0x7f98541abfc0 40.69.104.77#49493 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270

queries.log:13-Nov-2020 13:30:43.484 queries: info: client @0x7f98541abfc0 40.69.104.72#54502 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN A -E(0)D (10.0.0.101)
queries.log:13-Nov-2020 13:30:49.778 queries: info: client @0x7f98541abfc0 40.69.104.77#49493 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN A -E(0)D (10.0.0.101)

security.log:13-Nov-2020 13:30:43.484 client @0x7f98541abfc0 40.69.104.72#54502 (linuxlighthouse.com): view external-wan-view: query 'linuxlighthouse.com/A/IN' denied

security.log:13-Nov-2020 13:30:49.778 client @0x7f98541abfc0 40.69.104.77#49493 (linuxlighthouse.com): view external-wan-view: query 'linuxlighthouse.com/A/IN' denied

current named.conf

options
{
        // Put files that named is allowed to write in the data/ directory:
        directory               "/var/named";           // "Working" directory
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        secroots-file           "data/named.secroots";
        recursing-file          "data/named.recursing";

        listen-on port 53       { any; };
        listen-on-v6 port 53    { any; };

        allow-transfer    { 108.220.213.120/29; };

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        /* DNSSEC related options. See information about keys ("Trusted keys", below) */
        /* Enable serving of DNSSEC related data - enable on both authoritative
           and recursive DNSSEC-aware servers */
        dnssec-enable yes;

        /* Enable DNSSEC validation on recursive servers */
        dnssec-validation yes;

        /* In Fedora we use /run/named instead of default /var/run/named
           so we have to configure paths properly. */
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        managed-keys-directory "/var/named/dynamic";

        /* In Fedora we use system-wide Crypto Policy */
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";

        /* use querylog all the time rndc */
        querylog yes;
};


controls {
      inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

view "internal-lan-view"
{
        match-clients   { internals; };

        allow-recursion { internals; };
        allow-recursion-on { internals; };

        zone "linuxlighthouse.com" {
           type master;
           file "/var/named/internal.db";
           allow-query    { internals; };
        };
};

view "external-wan-view"
{
        match-clients   { any; };
        recursion no;

        allow-query     { any; };
        allow-transfer  { 108.220.213.120/29; };

        zone "linuxlighthouse.com" {
            type master;
            file "/var/named/linuxlighthouse.com.db";
        };

        zone "213.220.108.in-addr.arpa" {
            type master;
            file "/var/named/213.220.108.in-addr.arpa";
        };
};

On Fri, Nov 13, 2020 at 6:10 AM Petr Menšík <pemen...@redhat.com> wrote:

> Hi Jack,
>
> On 11/13/20 8:02 AM, Jack Craig wrote:
> > hi all,
> > any dns pros in the house??
> >
> > i am trying to debug a split view dns.
> > i am using F32 & bind9 where i have internal & external views.
> >
> > internal network 10.0.0.0/24, external 108.220.213.120/29
> >
> > what i think i am seeing is a refusal of query, but Why??
> >
> > where can i find a query_log print-severity definition?
> >
> > dig shows, ...
> >
> > dig ws.linuxlighthouse.com ns
> >
> > ; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc32 <<>> ws.linuxlighthouse.com ns
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45484
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;ws.linuxlighthouse.com. IN NS
> >
> > ;; Query time: 355 msec
> > ;; SERVER: 10.0.0.1#53(10.0.0.1)
> > ;; WHEN: Thu Nov 12 22:53:45 PST 2020
> > ;; MSG SIZE  rcvd: 51
> >
> > dig 108.220.213.121
> >
> > ; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc32 <<>> 108.220.213.121
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46338
> > ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> >
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags:; udp: 4096
> > ;; QUESTION SECTION:
> > ;108.220.213.121. IN A
> >
> > ;; ANSWER SECTION:
> > 108.220.213.121. 0 IN A 108.220.213.121
> >
> > ;; Query time: 1 msec
> > ;; SERVER: 10.0.0.1#53(10.0.0.1)
> > ;; WHEN: Thu Nov 12 22:54:52 PST 2020
> > ;; MSG SIZE  rcvd: 60
> >
> > suggestions?
> >
> > tia, jackc...
> >
> >
> > my named.conf
> >
> > /* top of file */
> >
> > acl slaves {
> >     108.220.213.122;
> > };
> >
> > acl internals {
> >     10.0.0.0/24;
> >     127.0.0.0/8;
> > };
> >
> > /*
> >     108.220.213.120/29;
> > */
> >
> > options
> > {
> > // Put files that named is allowed to write in the data/ directory:
> > directory "/var/named"; // "Working" directory
> > dump-file "data/cache_dump.db";
> >         statistics-file "data/named_stats.txt";
> >         memstatistics-file "data/named_mem_stats.txt";
> > secroots-file "data/named.secroots";
> > recursing-file "data/named.recursing";
> >
> > listen-on port 53 { localhost; };
> Localhost usually has only 127.0.0.0/8 and ::1 addresses. Without both
> internal address and external or any; Outside IPv4 packet would never
> reach bind.
> > listen-on-v6 port 53 { any; };
> >
> >         allow-query  { internals;  };
> Move this to views. allow-query includes recursive and non-recursive
> queries. Kind of firewall equivalent. Just let it inside or not.
> > allow-query-cache { any; };
> Unless you override this in view, this would make your (internal) cache
> open to outside world. If it would act authoritative for outside and
> recursive for inside clients, I would recommend removing these two and
> using just allow-recursion { internals; };
> allow-recursion-on { internals; };
>
> in specific view.
> >         allow-transfer    { 108.220.213.120/29; };
> It is better to use keys to authenticate. Check tsig-keygen(8) manual page.
> >
> > recursion yes;
> Remove this one ^^. Instead, configure it only per view
> >
> >         forwarders {
> >                 8.8.8.8;
> >                 8.8.4.4;
> >         };
> >
> > /* DNSSEC related options. See information about keys ("Trusted keys",
> > bellow) */
> >
> > /* Enable serving of DNSSEC related data - enable on both authoritative
> >     and recursive servers DNSSEC aware servers */
> > dnssec-enable yes;
> >
> > /* Enable DNSSEC validation on recursive servers */
> > dnssec-validation yes;
> >
> > /* In Fedora we use /run/named instead of default /var/run/named
> >   so we have to configure paths properly. */
> > pid-file "/run/named/named.pid";
> > session-keyfile "/run/named/session.key";
> >
> > managed-keys-directory "/var/named/dynamic";
> >
> >         /* In Fedora we use system-wide Crypto Policy */
> >         /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
> >         include "/etc/crypto-policies/back-ends/bind.config";
> >
> >         /* use querylog all the time rndc */
> >         querylog yes;
> > };
> >
> > logging {
> >     channel default_file {
> >         file "/var/log/named/default.log" versions 3 size 5m;
> >         severity dynamic;
> >         print-time yes;
> >         print-category yes;
> >         print-severity yes;
> >     };
> > default.log:12-Nov-2020 22:16:58.021 query-errors: info: client
> > @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view
> > external-wan-view: query failed (REFUSED) for
> ws.linuxlighthouse.com/IN/AAAA
> > at ../../../bin/named/query.c:7270
> > default.log:12-Nov-2020 22:16:58.503 query-errors: info: client
> > @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view
> > external-wan-view: query failed (REFUSED) for
> ws.linuxlighthouse.com/IN/A
> > at ../../../bin/named/query.c:7270
> > default.log:12-Nov-2020 22:16:59.036 query-errors: info: client
> > @0x7f99e01bab90 60.215.138.163#52399 (ws.linuxlighthouse.com): view
> > external-wan-view: query failed (REFUSED) for
> ws.linuxlighthouse.com/IN/A
> > at ../../../bin/named/query.c:7270
>
> Client 60.215.138.163 does not match allow-query, so it is refused.
> >
> >     channel security_file {
> >         severity debug 2;
> >         file "/var/log/named/security.log" versions 3 size 5m;
> >         print-time yes;
> >         print-category yes;
> >         print-severity yes;
> >     };
> > security.log:12-Nov-2020 22:16:58.021 client @0x7f99e01bab90
> > 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view:
> > query 'ws.linuxlighthouse.com/AAAA/IN' denied
> > security.log:12-Nov-2020 22:16:58.503 client @0x7f99e01bab90
> > 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view:
> > query 'ws.linuxlighthouse.com/A/IN' denied
> > security.log:12-Nov-2020 22:16:59.036 client @0x7f99e01bab90
> > 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view:
> > query 'ws.linuxlighthouse.com/A/IN' denied
> >
> >     channel queries_file {
> >         file "/var/log/named/queries.log" versions 3 size 5m;
> >         severity debug 3;
> >         print-time yes;
> >         print-category yes;
> >         print-severity yes;
> >     };
> > queries.log:12-Nov-2020 22:16:58.021 queries: info: client
> @0x7f99e01bab90
> > 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view:
> > query: ws.linuxlighthouse.com IN AAAA -E(0)DC (10.0.0.101)
> > queries.log:12-Nov-2020 22:16:58.503 queries: info: client
> @0x7f99e01bab90
> > 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view:
> > query: ws.linuxlighthouse.com IN A -E(0)DC (10.0.0.101)
> > queries.log:12-Nov-2020 22:16:59.036 queries: info: client
> @0x7f99e01bab90
> > 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view:
> *query:
> > ws.linuxlighthouse.com <http://ws.linuxlighthouse.com> IN A -E(0)DC
> > (10.0.0.101)*
> >
> >
> >
> >
> >     category default { default_file; };
> >     category general { general_file; };
> >     category database { database_file; };
> >     category security { security_file; };
> >     category config { config_file; };
> >     category resolver { resolver_file; };
> >     category xfer-in { xfer-in_file; };
> >     category xfer-out { xfer-out_file; };
> >     category notify { notify_file; };
> >     category client { client_file; };
> >     category unmatched { unmatched_file; };
> >     category queries { queries_file; };
> >     category network { network_file; };
> >     category update { update_file; };
> >     category dispatch { dispatch_file; };
> >     category dnssec { dnssec_file; };
> >     category lame-servers { lame-servers_file; };
> > };
> >
> > include "/etc/rndc.key";
> >
> > controls {
> >       inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
> > };
> >
> > /* This view will contain zones you want to serve only to "internal"
> clients
> >    that connect via your directly attached LAN interfaces - "localnets" .
> >  */
> >
> > view "internal-lan-view"
> > {
> > match-clients    { internals; };
> > recursion yes;
> >
> > zone "linuxlighthouse.com" {
> >            type master;
> >            file "/var/named/internal.db";
> > };
> > };
> >
> > /* This view will contain zones you want to serve only to "external"
> clients
> >    that have addresses that are not match any above view: */
> >
> > view "external-wan-view"
> > {
> > match-clients   { any; };
> > recursion no;
> >
> > zone "linuxlighthouse.com" {
> >             type master;
> >             file "/var/named/linuxlighthouse.com.db";
> >             allow-query     { any;  };
> > /*
> >             allow-transfer { slaves; };
> > */
> > };
> >
> >         zone "213.220.108.in-addr.arpa" {
> >             type master;
> >             file "/var/named/213.220.108.in-addr.arpa";
> >             allow-query     { any;  };
> >         };
> > };
> >
> >
> > ; Authoritative data for linuxlighthouse.com zone
> > ;
> > ; $ORIGIN linuxlighthouse.com.
> > $TTL 86400
> > @                        IN SOA  ws.linuxlighthouse.com.
> > root.linuxlighthouse.com. (
> >                                        2020101601      ; serial
> >                                        1D              ; refresh
> >                                        1H              ; retry
> >                                        1W              ; expire
> >                                        86400 )         ; minimum
> > ;
> > ;jack.craig.ap...@gmail.com
> > ;
> > @                         IN      NS     ws
> >                           IN      MX  10 mail
> >                           IN      A      108.220.213.121
> >
> > ws                        IN      A      108.220.213.121
> > www                       IN      A      108.220.213.121
> > mail                      IN      A      108.220.213.121
> >
> > ; cname later
> > ;ws2                       IN      A      68.94.157.1
> > ;dns157r8.sbcglobal.net.   IN      A      68.94.157.8
> >
> > ;
> > ; DNSSEC/CAA setup
> > ; example.org. CAA 128 issue "letsencrypt.org"
> >
> > ; linuxlighthouse.com.   CAA 128 issue "letsencrypt.org"
> >
> >
> > ;
> > $include "/var/named/linuxlighthouse.com.db"
> >
> > @                         IN     A     10.0.0.1
> > ws                        IN     A     10.0.0.101
> > www                       IN     A     10.0.0.101
> > ws2                       IN     A     10.0.0.102
> >
> > [jackc@ws ~$
> >
> >
>
> --
> Petr Menšík
> Software Engineer
> Red Hat, http://www.redhat.com/
> email: pemen...@redhat.com
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
>
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
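Petr's point that allow-query behaves like a firewall, and the REFUSED/denied lines at the top of this message, are easiest to reason about by replaying named's decision over the logged client addresses. The script below is an added example, not code from BIND or from anyone in the thread. It models the documented precedence (views are tried in file order and the first match-clients hit wins; a zone's allow-query overrides the view's, the view's overrides the options-level one, and the default is { any; }) using the ACL names, view order and client addresses from the two named.conf versions quoted in the thread. The log lines it consumes are reconstructed from the queries.log entries above, with one LAN client invented so the internal view is exercised; that line's flag field and the "hypothetical" options-only configuration are assumptions for illustration.

```python
"""Replay BIND's view selection and allow-query decision over query-log lines.

Added example for this thread, not code from BIND or from the original post.
Rules modelled: views tried in named.conf order, first match-clients wins; the
effective allow-query is the zone's, else the view's, else the options-level
one, else BIND's default { any; }. Log lines below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Named ACLs from the top of the original named.conf, plus BIND's built-in "any".
ACLS: Dict[str, List[str]] = {
    "any": ["0.0.0.0/0", "::/0"],
    "internals": ["10.0.0.0/24", "127.0.0.0/8"],
}


def acl_matches(client_ip: str, acl: List[str]) -> bool:
    """True if client_ip falls in any element of acl (ACL names or CIDRs)."""
    addr = ipaddress.ip_address(client_ip)
    for element in acl:
        for cidr in ACLS.get(element, [element]):
            net = ipaddress.ip_network(cidr, strict=False)
            if addr.version == net.version and addr in net:
                return True
    return False


@dataclass
class View:
    name: str
    match_clients: List[str]
    allow_query: Optional[List[str]] = None       # view-level; None = inherit
    zone_allow_query: Optional[List[str]] = None  # inside the zone statement


@dataclass
class Config:
    label: str
    options_allow_query: Optional[List[str]]      # None = BIND default { any; }
    views: List[View]                             # in named.conf order


def effective_allow_query(cfg: Config, view: View) -> List[str]:
    """Zone overrides view, view overrides options, options overrides the default."""
    for acl in (view.zone_allow_query, view.allow_query, cfg.options_allow_query):
        if acl is not None:
            return acl
    return ["any"]


def decide(cfg: Config, client_ip: str) -> Tuple[Optional[str], str]:
    """Return (matched view, 'allowed' or 'denied') for an authoritative query."""
    for view in cfg.views:
        if acl_matches(client_ip, view.match_clients):
            ok = acl_matches(client_ip, effective_allow_query(cfg, view))
            return view.name, "allowed" if ok else "denied"
    return None, "denied"  # no view matched: named refuses the query


# BIND 9.11 "queries" category line; the trailing address is the local one.
QUERY_LOG = re.compile(
    r"client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"view (?P<view>[^:]+): query: \S+ IN (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<local>[^)]+)\)"
)


def replay(cfg: Config, log_text: str) -> List[Tuple[str, str, Optional[str], str]]:
    """(client, view named logged, view the model picks, verdict) per query line."""
    rows = []
    for line in log_text.splitlines():
        m = QUERY_LOG.search(line)
        if m:
            view, verdict = decide(cfg, m["ip"])
            rows.append((m["ip"], m["view"], view, verdict))
    return rows


# Constructed from the queries.log entries in the thread; the last line is an
# invented LAN client (flags assumed) so the internal view is exercised too.
SAMPLE_LOG = """\
12-Nov-2020 22:16:58.503 queries: info: client @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view: query: ws.linuxlighthouse.com IN A -E(0)DC (10.0.0.101)
13-Nov-2020 13:30:43.484 queries: info: client @0x7f98541abfc0 40.69.104.72#54502 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN A -E(0)D (10.0.0.101)
13-Nov-2020 13:30:49.778 queries: info: client @0x7f98541abfc0 40.69.104.77#49493 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN A -E(0)D (10.0.0.101)
13-Nov-2020 13:31:00.000 queries: info: client @0x7f98541abfc0 10.0.0.5#51000 (ws.linuxlighthouse.com): view internal-lan-view: query: ws.linuxlighthouse.com IN A +E(0)D (10.0.0.101)
"""

# The quoted original: options-level { internals; }, but the external zone
# statement carries its own allow-query { any; }, which takes precedence.
ORIGINAL = Config("original (quoted above)", ["internals"], [
    View("internal-lan-view", ["internals"]),
    View("external-wan-view", ["any"], zone_allow_query=["any"]),
])
# Hypothetical: same options-level ACL with no zone or view override. This is
# the "allow-query as firewall" case in which outside clients are refused.
OPTIONS_ONLY = Config("options-level allow-query only (hypothetical)", ["internals"], [
    View("internal-lan-view", ["internals"]),
    View("external-wan-view", ["any"]),
])
# The revised named.conf at the top of this message.
REVISED = Config("revised (this message)", None, [
    View("internal-lan-view", ["internals"], zone_allow_query=["internals"]),
    View("external-wan-view", ["any"], allow_query=["any"]),
])


def main() -> None:
    for cfg in (ORIGINAL, OPTIONS_ONLY, REVISED):
        print(f"== {cfg.label}")
        for client, logged, picked, verdict in replay(cfg, SAMPLE_LOG):
            print(f"{client:>16}  logged={logged:<18} model={picked!s:<18} {verdict}")


if __name__ == "__main__":
    main()
```

Running it prints a per-client verdict for each configuration. Under the documented rules both pasted configurations come out "allowed" for the logged external clients (the original because the external zone statement's own allow-query { any; } takes precedence over the options-level { internals; }), so a security.log "denied" for those clients is what the hypothetical options-only case produces, i.e. what you would see from a running named whose loaded configuration is not the one pasted. `named-checkconf -p` prints the configuration as named parses it (`-z` also loads the zones), and the output of `rndc reload` or `systemctl status named` shows whether the last reload actually succeeded. Note also that the dig runs in the first message were answered by 10.0.0.1 (see the `;; SERVER:` line), while named logs its own local address as 10.0.0.101; querying that address directly with `dig @10.0.0.101 linuxlighthouse.com A` takes whatever is listening at 10.0.0.1 out of the picture.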

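Petr's recommendation to authenticate zone transfers with a key instead of a source prefix, written out as the weak setting beside the corrected one. This is an added fragment, not from the original post: the key name xfer-key and the placeholder secret are assumptions, the secondary address 108.220.213.122 is the one in the slaves acl quoted above, and 108.220.213.121 is the ws address from the zone file.

```conf
// Weak: an address-only ACL. Anything that presents a source address in
// 108.220.213.120/29 (the server's own public block) can AXFR the zone.
allow-transfer  { 108.220.213.120/29; };

// Stronger: a TSIG key. Generate it once on the primary with
//     tsig-keygen xfer-key > /etc/named/xfer-key.conf
// (hmac-sha256 is tsig-keygen's default) and copy the same block to the
// secondary. The secret below is a placeholder, not a real key.
key "xfer-key" {
        algorithm hmac-sha256;
        secret "REPLACE-WITH-THE-BASE64-SECRET-FROM-tsig-keygen";
};

view "external-wan-view"
{
        match-clients   { any; };
        recursion no;
        allow-query     { any; };

        // Require the key for transfers in this view.
        allow-transfer  { key "xfer-key"; };
        // Or require key AND address, so a leaked key is useless elsewhere:
        // allow-transfer { !{ !108.220.213.122; any; }; key "xfer-key"; };

        // zones "linuxlighthouse.com" and "213.220.108.in-addr.arpa" as before
};

// On the secondary (108.220.213.122): the same key block, plus sign every
// message sent to the primary so its allow-transfer ACL matches.
server 108.220.213.121 {
        keys { "xfer-key"; };
};
```

After reloading both sides, `dig @108.220.213.121 linuxlighthouse.com AXFR` from the secondary without `-k /etc/named/xfer-key.conf` should be refused and with it should succeed; xfer-out on the primary logs the key name it matched.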