On Tue, 2017-09-19 at 08:16 -0500, Chris wrote:
> On Tue, 2017-09-19 at 07:45 -0500, David Jones wrote:
> > 
> > On 09/18/2017 06:03 PM, Chris wrote:
> [snip]
> > 
> > > localhost dnsmasq[2323]: started, version 2.75 cachesize 150
> > > localhost dnsmasq[2323]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
> > > localhost dnsmasq-dhcp[2323]: DHCP, IP range 192.168.122.2 -- 192.168.122.254, lease time 1h
> > > localhost dnsmasq-dhcp[2323]: DHCP, sockets bound exclusively to interface virbr0
> > > localhost dnsmasq[2323]: reading /etc/resolv.conf
> > > localhost dnsmasq[2323]: using nameserver 127.0.0.1#53
> > > localhost dnsmasq[2323]: using nameserver 127.0.0.1#53
> > > localhost dnsmasq[2323]: read /etc/hosts - 7 addresses
> > > localhost dnsmasq[2323]: read /var/lib/libvirt/dnsmasq/default.addnhosts - 0 addresses
> > > localhost dnsmasq-dhcp[2323]: read /var/lib/libvirt/dnsmasq/default.hostsfile
> > > 
> > > I'm not really running a mail server in the true sense of the word, I
> > > believe. Fetchmail queries my email accounts and pipes the messages
> > > through procmail. Anything that doesn't already have a recipe is run
> > > through SA. I'm just using Bind to speed up the queries that SA makes.
> > > I believe I'm stating that correctly, but who knows, could be way off.
> > > 
> > > If I can give any other information I'll be glad to do it. Again, I
> > > have no idea why the queries are going to 168.150.251.35. There hasn't
> > > been another query to isipp since a bit after noon. I'll see what
> > > happens the next time there is one.
> > > 
> > Run 'netstat -tunlap | grep ":53 "' and see what is listening on port 53
> > as your DNS server.  You probably need to remove/uninstall dnsmasq.
> > 
> > Here's my output:
> > 
> > # netstat -tunlap | grep ":53 "
> > tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      24019/pdns_recursor
> > udp        0      0 127.0.0.1:53                0.0.0.0:*                               24019/pdns_recursor
> > 
> > Once you know you are only running named on port 53, then make sure your
> > named.conf doesn't have any forwarders defined in the options section.
> > 
> > Now check your logs and see if you are still getting a lot of refused
> > responses.  BIND should be doing full recursive lookups directly to the
> > authoritative DNS servers just like you saw with the "dig +trace" command.
> > 
> David, here's my output. I ran as sudo to see all inclusive:
> 
> sudo netstat -tunlap | grep ":53"
> [sudo] password for chris: 
> tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1245/named
> tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1316/dnsmasq
> tcp        0      0 192.168.0.51:53         0.0.0.0:*               LISTEN      1245/named
> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1245/named
> tcp        0      0 192.168.0.51:56697      192.52.178.30:53        TIME_WAIT   -
> tcp        1      1 192.168.0.51:33475      198.97.190.53:53        CLOSING     -
> tcp        0      0 192.168.0.51:52483      192.5.6.30:53           TIME_WAIT   -
> tcp        0      0 192.168.0.51:57335      192.5.6.30:53           TIME_WAIT   -
> tcp        0      0 192.168.0.51:56609      192.52.178.30:53        TIME_WAIT   -
> tcp        0      0 192.168.0.51:36143      199.19.56.1:53          TIME_WAIT   -
> tcp        0      0 192.168.0.51:47629      199.7.83.42:53          TIME_WAIT   -
> tcp        0      0 192.168.0.51:58201      192.48.79.30:53         TIME_WAIT   -
> tcp        0      0 192.168.0.51:53145      199.19.56.1:53          TIME_WAIT   -
> tcp        0      0 192.168.0.51:55073      199.7.83.42:53          TIME_WAIT   -
> tcp        0      0 192.168.0.51:41719      192.48.79.30:53         TIME_WAIT   -
> tcp        1      1 192.168.0.51:40633      198.97.190.53:53        CLOSING     -
> udp        0      0 192.168.122.1:53        0.0.0.0:*                           2323/dnsmasq
> udp        0      0 192.168.122.1:53        0.0.0.0:*                           1245/named
> udp        0      0 127.0.1.1:53            0.0.0.0:*                           1316/dnsmasq
> udp        0      0 192.168.0.51:53         0.0.0.0:*                           1245/named
> udp        0      0 127.0.0.1:53            0.0.0.0:*                           1245/named
> udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1533/snapweb
> udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1004/avahi-daemon:
> udp6       0      0 :::5353                 :::*                                1533/snapweb
> udp6       0      0 :::5353                 :::*                                1004/avahi-daemon:
> 

I neglected to insert my /etc/bind/named.conf.options file

acl goodclients {
        127.0.0.1;
        localhost;
        localnets;
};

options {
        directory "/var/cache/bind";
        geoip-directory "/usr/share/GeoIP";

        recursion yes;
        allow-query { goodclients; };

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        //forwarders {
        //127.0.0.1;
        //};

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        //dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        //listen-on-v6 { any; };
        listen-on { any; };
};

-- 
Chris
KeyID 0xE372A7DA98E6705C
31.11972; -97.90167 (Elev. 1092 ft)
08:23:13 up 16:02, 1 user, load average: 1.80, 1.00, 0.68
Description:    Ubuntu 16.04.3 LTS, kernel 4.10.0-35-generic
