Solved

DESPERATE help needed for setting named

Posted on 2001-08-26
387 Views
Last Modified: 2012-08-14
I have currently set up a RH7.1 gateway server for all my Windows clients to access the internet. IP addresses are assigned by dhcpd on the 10.10.10.0 network. I have tried and tried to tweak named.conf to make it such that named forwards DNS requests to my ISP's DNS servers while caching itself. I'm sure this can be done, but just how? The following is my named.conf. Thanks.




// generated by named-bootconf.pl

options {
    directory "/var/named";
    forward only;
    forwarders { 204.101.251.1; 204.101.251.2; };
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};

//
// a caching only nameserver config
//
zone "." IN {
    type hint;
    file "named.cache";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

Question by:foxhound
30 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 6427437
If you are adamant about using only a caching-only server, try:

**** /etc/named.conf ****
//
// DNS config file for a caching-only server
//
options {
     directory "/var/named";
     /*
      * If there is a firewall between you and nameservers you want
      * to talk to, you might need to uncomment the query-source
      * directive below.  Previous versions of BIND always asked
      * questions using port 53, but BIND 8.1 uses an unprivileged
      * port by default.
      */
     forward only;
     forwarders { 204.101.251.1; 204.101.251.2; };
     // Keep this only if a firewall forces it: a fixed source port of 53
     // makes forged replies easier to match against outstanding queries.
     query-source address * port 53;
};

zone "." {
     type hint;
     file "named.cache";
};

zone "0.0.127.in-addr.arpa" {
     type master;
     file "local.rev";
     allow-update { none; };
};


**** /var/named/local.rev ****
$TTL 3h
@ IN SOA this-host.domain.tld. me.this-host.domain.tld. (
                2001082600  ; Serial
                3h          ; Refresh after 3 hours
                1h          ; Retry after 1 hour
                1w          ; Expire after 1 week
                1h )        ; Negative caching TTL of 1 hour

                IN NS   this-host.domain.tld.

1               IN PTR  localhost.

You may want to consider a slightly fancier DNS configuration. Since your LAN is using an RFC 1918 address space, setting up a local DNS server that has records for the systems in your local LAN will eliminate problems that you may encounter if local clients access your Linux system or any other Linux/Unix system on the local LAN. I hate trying to type all of the config files for that into an EE comment, but if you'll send an email to jim@entrophy-free.net I'll be glad to return files that you can use as a starting point.
0
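What jlevie's file and the original named.conf are both reaching for, written out here as an added example (not a file from the thread), is a BIND 9 forward-only caching resolver for the 10.10.10.0/24 LAN. The forwarder addresses and zone file names are taken from the posted named.conf; the acl name and the listen-on and allow-* values are assumptions for this gateway layout, and they are the part a practitioner should not leave out: the posted log shows named listening on ppp0 (65.93.1.88) with no ACL, which makes the box an open recursive resolver for the whole internet.

```conf
// Added example: forward-only caching resolver for a 10.10.10.0/24 LAN
// behind a PPPoE gateway. Forwarders and file names come from the thread;
// the acl, listen-on and allow-* lines are assumptions for this layout.
acl lan { 127.0.0.1; 10.10.10.0/24; };

options {
    directory "/var/named";

    // Hand every query to the ISP resolvers and cache the answers locally.
    forward only;
    forwarders { 204.101.251.1; 204.101.251.2; };

    // Answer only on loopback and the LAN interface, never on ppp0.
    listen-on { 127.0.0.1; 10.10.10.1; };

    // Only LAN clients may query this server or ask it to recurse.
    allow-query     { lan; };
    allow-recursion { lan; };

    // Leave query-source unset so outgoing queries use an unprivileged
    // port; a fixed source port of 53 makes spoofed answers easier to land.
    // query-source address * port 53;
};

zone "." IN {
    type hint;
    file "named.cache";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};
```

After restarting named, `host www.yahoo.com 127.0.0.1` on the gateway and `host www.yahoo.com 10.10.10.1` from a client exercise the two listen addresses, and a query sent to the ppp0 address from outside should now come back REFUSED instead of being answered.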
 

Author Comment

by:foxhound
ID: 6427553
$TTL    86400
@       IN      SOA     localhost. root.localhost.  (
                                      1997022700 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
              IN      NS      localhost.

1       IN      PTR     localhost.



That's my named.local file, which looks similar to yours? And the named.conf is almost the same? Can you please tell me the difference, and perhaps what trouble I have with my config? Thanks, I'm quite lost, since I'm quite a newbie in the DNS thing. The worst thing is I can't even test if named is forwarding or not. All I know is that when I resolve names, it fails, but I have no idea what went wrong. Thanks.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6427581
Your file is close enough to what I had to work. I'll assume that you have used the data from my comment for your named.conf file. When you start named are there any interesting messages in /var/log/messages?

What do you have in /etc/resolv.conf? On a system running a nameserver it ought to have only one nameserver line, like:

nameserver 127.0.0.1
0
 

Author Comment

by:foxhound
ID: 6428303
I have the nameserver 127.0.0.1 line in my /etc/resolv.conf.
However, the machine itself cannot resolve any domain names, let alone the clients. I have to change it back to the two DNS server IPs to surf again. (I'm using PPPoE, btw.)

here's what my /var/log/messages says when i restart the named

$
Aug 27 08:24:12 localhost named: named shutdown succeeded
Aug 27 08:24:12 localhost named[32156]: starting BIND 9.1.0 -u named
Aug 27 08:24:12 localhost named[32156]: using 1 CPU
Aug 27 08:24:12 localhost named: named startup succeeded
Aug 27 08:24:12 localhost named[32160]: loading configuration from '/etc/named.$
Aug 27 08:24:12 localhost named[32160]: the default for the 'auth-nxdomain' opt$
Aug 27 08:24:12 localhost modprobe: Note: /etc/modules.conf is more recent than$
Aug 27 08:24:12 localhost named[32160]: no IPv6 interfaces found
Aug 27 08:24:12 localhost named[32160]: listening on IPv4 interface lo, 127.0.0$
Aug 27 08:24:12 localhost named[32160]: listening on IPv4 interface eth1, 10.10$
Aug 27 08:24:12 localhost named[32160]: listening on IPv4 interface ppp0, 65.93$
Aug 27 08:24:12 localhost named[32160]: running

just some side information, my network is on 10.10.10.0/255.255.255.0 with server static ip of 10.10.10.1, it uses dsl to connect to internet, in which the ip i get assigned is 65.93.*.*.

Thanks for your input.
0
 

Author Comment

by:foxhound
ID: 6428312
Sorry, I didn't realise some parts were cut off. Here they are again.


Aug 27 08:24:12 localhost named: named shutdown succeeded
Aug 27 08:24:12 localhost named[32156]: starting BIND 9.1.0 -u named
Aug 27 08:24:12 localhost named[32156]: using 1 CPU
Aug 27 08:24:12 localhost named: named startup succeeded
Aug 27 08:24:12 localhost named[32160]: loading configuration from '/etc/named.conf
Aug 27 08:24:12 localhost named[32160]: the default for the 'auth-nxdomain' option is now 'no'
Aug 27 08:24:12 localhost modprobe: Note: /etc/modules.conf is more recent than /lib/modules/2.4.2-2/modules.dep
Aug 27 08:24:12 localhost named[32160]: no IPv6 interfaces found
Aug 27 08:24:12 localhost named[32160]: listening on IPv4 interface lo, 127.0.0.1
Aug 27 08:24:12 localhost named[32160]: listening on IPv4 interface eth1, 10.10.10.1
Aug 27 08:24:12 localhost named[32160]: listening on IPv4 interface ppp0, 65.93.1.88
Aug 27 08:24:12 localhost named[32160]: running
0
 
LVL 1

Expert Comment

by:DanEgli
ID: 6433419
I have a very similar setup on my Linux box. I have one name server in my /etc/resolv.conf file, namely 127.0.0.1. Here's my /etc/bind.conf:

## named.conf - configuration for bind
#
# Generated automatically by bindconf, alchemist et al.
options {
        directory "/var/named/";
};
zone  "." {
        type hint;
        file  "named.ca";
};
zone  "0.0.127.in-addr.arpa" {
        type master;
        file  "0.0.127.in-addr.arpa.zone";
};
zone  "localhost" {
        type master;
        file  "localhost.zone";
};
zone  "shortcircuit.dyndns.org" {
        type master;
        file  "shortcircuit.dyndns.org.zone";
};

and my .zone files:
(0.0.127.in-addr.arpa.zone)
$TTL 86400
@       IN      SOA     localhost.      root.localhost. (
                        1 ; serial
                        28800 ; refresh
                        7200 ; retry
                        604800 ; expire
                        86400 ; ttl
                        )


@       IN      NS      localhost.

1       IN      PTR     localhost.

(localhost.zone)
$TTL 86400
@       IN      SOA     @  root.localhost. (
                        1 ; serial
                        28800 ; refresh
                        7200 ; retry
                        604800 ; expire
                        86400 ; ttl
                        )


@       IN      NS      localhost.


@       IN      A       127.0.0.1

(shortcircuit.dyndns.org.zone)
$TTL 86400
@       IN      SOA     @  root.localhost. (
                        1 ; serial
                        28800 ; refresh
                        7200 ; retry
                        604800 ; expire
                        86400 ; ttl
                        )



My /etc/resolv.conf:
nameserver 127.0.0.1

works like a champ.  For example:


[root@shortcircuit named]# host www.experts-exchange.com
www.experts-exchange.com. has address 208.50.148.12

[root@shortcircuit named]# host www.yahoo.com
www.yahoo.com. is an alias for www.yahoo.akadns.net.
www.yahoo.akadns.net. has address 216.115.102.80
www.yahoo.akadns.net. has address 216.115.105.2
www.yahoo.akadns.net. has address 204.71.200.67
www.yahoo.akadns.net. has address 204.71.200.68
www.yahoo.akadns.net. has address 204.71.200.74
www.yahoo.akadns.net. has address 204.71.200.75
www.yahoo.akadns.net. has address 204.71.202.160
www.yahoo.akadns.net. has address 216.115.102.77
www.yahoo.akadns.net. has address 216.115.102.78
www.yahoo.akadns.net. has address 216.115.102.79
0
 
LVL 2

Expert Comment

by:Asem
ID: 6434257
and you don't see messages like the following in /var/log/messages?

Aug 28 22:52:55 gandalf named[373]: Cleaned cache of 0 RRsets
Aug 28 22:52:55 gandalf named[373]: USAGE 999031975 999028375 CPU=0.02u/0.01s CHILDCPU=0u/0s
Aug 28 22:52:55 gandalf named[373]: NSTATS 999031975 999028375 A=67
Aug 28 22:52:55 gandalf named[373]: XSTATS 999031975 999028375 RR=18 RNXD=12 RFwdR=15 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0 SSysQ=2 SAns=67 SFwdQ=16 SDupQ=4 SErr=0 RQ=67 RIQ=0 RFwdQ=16 RDupQ=0 RTCP=0 SFwdR=15 SFail=0 SFErr=0 SNaAns=53 SNXD=28 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0

Well, I just use BIND 8.2.3, but I assume there are similar ones with 9.1.0.

Another idea: maybe you additionally set up a firewall (I suppose you do at least some masquerading for your internal network being able to access the internet)? If so, make sure you allowed port 53/udp to your forwarding nameservers in the OUTPUT chain and not just in the FORWARD chain. Simply test it with configuring your /etc/resolv.conf to external DNS and do a `nslookup www.experts-exchange.com`. And, of course, you have to open 53/udp from your internal network in your INPUT chain.

Cheers,
-- asem
0
 

Author Comment

by:foxhound
ID: 6434890
Thanks for the suggestion, but I even brought down the whole firewall to test. I flushed all chains but still no help.

DanEgli, I presume you're using DSL as well? Then I think I have the exact same setup as you. I've copied all your files exactly and still no luck: same named.conf, same resolv.conf. I left the shortcircuit.dyndns.org zone out though and didn't add anything else, simply because I don't use dyndns. Perhaps you can post more information on the setup? Are there other files that I need to watch out for?
Thanks.
0
 

Author Comment

by:foxhound
ID: 6434896
btw, here's what i get

# host www.yahoo.com
Host www.yahoo.com. not found: 2(SERVFAIL)
0
 
LVL 1

Expert Comment

by:DanEgli
ID: 6437645
Ok. If you flush all the chains, that (if I'm recalling correctly) leaves a completely locked up box. Try removing ipchains/iptables/ipfwadm from the startup sequence altogether. Then reboot and see if you can get out. Here are some steps I used to ensure connectivity (I didn't use the forward method, you will notice. Never cared for that. I just query name servers directly.)

Step 1) telnet a.root-servers.net 53
(if connection refused, you are in trouble)
step 2) if success, close the telnet session (^[q)
        telnet a.gtld-servers.net 53
(again, if refused, you are in trouble)
step 3) if success, remove ALL forward lines from the named.conf file (make it match the one I placed up as close as you can).
Step 4) /etc/rc.d/init.d/named restart
step 5) Watch the system log for lines beginning in named.
For example:

Aug 29 11:45:30 shortcircuit named: named startup succeeded
Aug 29 11:45:30 shortcircuit named[2164]: starting BIND 9.1.0 -u named
Aug 29 11:45:30 shortcircuit named[2164]: using 1 CPU
Aug 29 11:45:30 shortcircuit named[2168]: loading configuration from '/etc/named.conf'
Aug 29 11:45:30 shortcircuit named[2168]: the default for the 'auth-nxdomain' option is now 'no'
Aug 29 11:45:30 shortcircuit named[2168]: no IPv6 interfaces found
Aug 29 11:45:30 shortcircuit named[2168]: listening on IPv4 interface lo, 127.0.0.1#53
Aug 29 11:45:30 shortcircuit named[2168]: listening on IPv4 interface eth0, 192.168.0.10#53
Aug 29 11:45:30 shortcircuit named[2168]: listening on IPv4 interface ppp0, 207.173.222.149#53
Aug 29 11:45:31 shortcircuit named[2168]: running

step 4) telnet localhost 53
(if you get connection refused here your named is not bind()ing the port 53 properly.)
step 5) telnet (internal net addr) 53
step 6) telnet (ppp0's address) 53

If all of those work, now it's time to actually see if named will answer name queries.
step 7) ensure the ONLY line in /etc/resolv.conf is
 nameserver 127.0.0.1
step 8) host a.root-servers.net
  you should get a response:
a.root-servers.net. has address 198.41.0.4
step 9) host a.gtld-servers.net
  expected response:
a.gtld-servers.net. has address 192.5.6.30
step 10) host <pick your site>. For example:
  host www.xmission.com
www.xmission.com. has address 198.60.22.4

If you fail at any one of these steps, let us know which step failed.
0
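DanEgli's steps test reachability with telnet to TCP port 53, but ordinary lookups go over UDP, and `host` collapses every failure into one line. As an added example that is not part of DanEgli's post or of BIND, the following Python script sends a raw UDP query and decodes the response code, so a SERVFAIL from the local named (it could not get an answer from its forwarders or the roots) can be told apart from a timeout (nothing listening, or a firewall dropping 53/udp) and from REFUSED (an ACL or listen-on problem). The resolver address is a parameter; the two constructed responses at the bottom reuse the www.xmission.com address quoted in the thread and are embedded so the decoding can be exercised without a network.

```python
"""Minimal DNS probe: build an A query, send it over UDP, decode the RCODE.

Added example, not code from the thread. Server addresses are parameters;
the constructed responses below are synthetic and only exercise the parser.
"""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qid=None, rd=True):
    """Wire-format query with one question: <name> A IN."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    flags = 0x0100 if rd else 0x0000          # RD bit: please recurse/forward
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:              # compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data, expected_id):
    """Decode header flags and A records; reject a reply with the wrong ID."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("response ID %04x != query ID %04x" % (qid, expected_id))
    offset = 12
    for _ in range(qdcount):                   # skip the echoed question(s)
        offset = skip_name(data, offset) + 4
    addresses = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addresses.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlength
    return {
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ra": bool(flags & 0x0080),            # RA clear: server will not recurse for you
        "answers": addresses,
    }


def probe(server, name, timeout=3.0):
    """Send one query to <server>:53/udp and classify the outcome (network call)."""
    qid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return {"rcode": "TIMEOUT", "ra": False, "answers": []}
    finally:
        sock.close()
    return parse_response(data, qid)


def constructed_servfail():
    """Constructed sample: the reply behind 'Host www.yahoo.com. not found: 2(SERVFAIL)'."""
    q = build_query("www.yahoo.com", 0x1234)
    return q[:2] + struct.pack("!H", 0x8182) + q[4:]   # QR=1 RD=1 RA=1 RCODE=2


def constructed_answer():
    """Constructed sample: a NOERROR reply with one A record (address from the thread)."""
    q = build_query("www.xmission.com", 0x1234)
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("198.60.22.4")
    return header + q[12:] + rr


if __name__ == "__main__":
    # Walk the same ladder as the telnet steps: local named, LAN address, a root.
    for server in ("127.0.0.1", "10.10.10.1", "198.41.0.4"):
        print(server, probe(server, "www.xmission.com"))
```

A TIMEOUT from 127.0.0.1 means named is not listening or a local rule drops UDP; SERVFAIL with RA set means named accepted the query but its forwarders never answered, which is where the firewall's OUTPUT chain or the forwarders' reachability should be checked next; REFUSED points at allow-query or allow-recursion. The script asks only for A records, so it does not replace `host` for CNAME or MX lookups.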
 
LVL 1

Expert Comment

by:DanEgli
ID: 6437651
Also, your config file says bind 8. You should upgrade to bind 9. Many bug fixes.
0
 

Author Comment

by:foxhound
ID: 6438995
I can't get past step 8. Whenever I run host, I get that message again. Every step before was no problem at all. Just making sure: telnet says connected for all those connections but no login or anything, that's right, yeah?
Thanks.
I'm using bind 9.1.0-10.
0
 
LVL 1

Accepted Solution

by:
DanEgli earned 100 total points
ID: 6441117
That is correct. Telnetting to port 53 simply opens a connection to your name server (bind), which then waits for a query.

Hmmm. Cannot get past 8 eh?

Ok. Lets check if you are even getting out. Change your /etc/resolv.conf to be like this (just for testing)

nameserver 198.60.22.2

then do a couple of host queries. If host fails still, then something is funky. I'd say remove host and recompile from the bind source.

If you CAN get valid host messages from 198.60.22.2, but not from 127.0.0.1, then it's time for a socket trace (strace).

do a ps ax | grep named

find the PID for the named instance, then, AS ROOT,
strace -p <PID> > trace.out. i.e. if it says named is pid 3216 then type as root:
strace -p 3216 > trace.out

Ok. Now mail that file to me at dan@shortcircuit.dyndns.org. I'll compare that with my strace.

Also, it may help to find out what release of which OS you are using? If linux, Distribution and release? (RedHat linux 7.1? Solaris 2? AIX vXXX.YYYY?)

Thanks!
0
 
LVL 1

Expert Comment

by:DanEgli
ID: 6441178
Correction. MY Bad. Strace doesn't work very well for bind. Do this instead:

step 1) /etc/rc.d/init.d/named stop
< replace with whatever command you use to shutdown named>
step 2) named -g -d 9 >& bind.out &
< should run bind in the background, recording low level debug messages to bind.out >
step 3) edit /etc/resolv.conf and remove all name servers
except 127.0.0.1
step 4) run host and ask for a domain name.
step 5) if it fails, kill the named process running and email me the bind.out file
0
 

Author Comment

by:foxhound
ID: 6442363
I can get hosts resolved with 198.60.22.2, and of course with my own ISP's DNS server. So I went on to do what you told me in your last message. But when I type

named -g -d 9 >& bind.out &

it says
[1] 3306
bash: bind.out: ambiguous redirect
[1]+  Exit 1                  named -g -d 9>&bind.out

i tried removing both & then i get

named: unknown option '-d'

thanks

0
 

Author Comment

by:foxhound
ID: 6442367
btw i'm using RH7.1
0
 

Author Comment

by:foxhound
ID: 6442389
also, i realised if i just "named" i get

Aug 30 16:30:33 server named[3330]: couldn't open pid file '/var/run/named/named.pid': Permission denied
Aug 30 16:30:33 server named[3330]: exiting (due to early fatal error)


however, "/etc/..../named start" will work fine, dunno if that helps.
0
 
LVL 1

Expert Comment

by:DanEgli
ID: 6442612
Ok. If you are not running named as root, you can get that error. I think that is what's happening.

Try this:

/etc/init.d/named start
<wait 3-5 seconds>
ps ax | grep named

You should see 3-6 instances of named. If you don't that is why you are having problems.

IF you do, then I think this is something that I'd like to look at. IF you have no qualm about it, I can log into your box and check on how named is working or not.

0
 

Author Comment

by:foxhound
ID: 6442638
/etc/rc.d/init.d/named start is no problem.
I can also see the process from ps, 5 threads.
So I think you should take a look?
0
 
LVL 1

Expert Comment

by:DanEgli
ID: 6442671
Fine by me. I need you to email me the following:

A non-privileged user (non-root) I can log in to the server as
a root user (and password) I can swap to after logging on
the name/ip of your server.

email to: dan@shortcircuit.dyndns.org
0
 
LVL 3

Expert Comment

by:jcgd
ID: 6447131
Use traceroute www.yahoo.com. Where is the last IP number, in your network or at your ISP?
0
 
LVL 2

Expert Comment

by:ksemat
ID: 6461345
btw, I do remember serious bugs with Bind 9.1.0 which stopped me from resolving lots of stuff.  I had to downgrade to 8.2.3-REL which is bug free and yet behaves.
0
 
LVL 1

Expert Comment

by:DanEgli
ID: 6461467
Bind 9.1 works great on my system Here. I use it daily. It's the name server for a small inter-office network.

If 9.1 had problems for you, perhaps it was how it was compiled?

And FoxHound, I'm still happy to look over your setup, but I would need root access. Email me (addr is above) with the root password to your box and I'll log in to see if I can see what's up.
0
 

Author Comment

by:foxhound
ID: 6462612
I am currently on holidays away from my servers, sorry for the delay, let me get back to you guys in a week or so! thanks for all your help!
0
 
LVL 2

Expert Comment

by:ksemat
ID: 6463859
Not really, it behaved the same on FreeBSD, SuSE and Red Hat, even when I used the standard RPMs from the distros and also with .tar.gz. It could not do zone transfers, give out zone transfers, and also could not query non-BIND name servers such as Windows name servers. I submitted a bug report to ISC on this and others were having the same problems. Maybe the version you got was a fixed one.
0
 
LVL 8

Expert Comment

by:Anthony2000
ID: 6674472
listening...
0
 
LVL 1

Expert Comment

by:DanEgli
ID: 6675494
So FoxHound, ever get it worked out?
0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6840632
Question(s) below appears to have been abandoned. Your options are:
 
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you. You must tell the participants why you wish to do this, and allow for Expert response.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question. Again, please comment to advise the other participants why you wish to do this.

For special handling needs, please post a zero point question in the link below and include the question QID/link(s) that it regards.
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
Please click the Help Desk link on the left for Member Guidelines, Member Agreement and the Question/Answer process.  Click you Member Profile to view your question history and keep them all current with updates as the collaboration effort continues, in the event new items have been created since this listing was pulled.

http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

To view your open questions, please click the following link(s) and keep them all current with updates.
http://www.experts-exchange.com/questions/Q.20129614.html
http://www.experts-exchange.com/questions/Q.20137917.html
http://www.experts-exchange.com/questions/Q.20139553.html
http://www.experts-exchange.com/questions/Q.20139820.html
http://www.experts-exchange.com/questions/Q.20140531.html
http://www.experts-exchange.com/questions/Q.20140543.html
http://www.experts-exchange.com/questions/Q.20140949.html
http://www.experts-exchange.com/questions/Q.20141688.html
http://www.experts-exchange.com/questions/Q.20143098.html
http://www.experts-exchange.com/questions/Q.20146578.html
http://www.experts-exchange.com/questions/Q.20174252.html
http://www.experts-exchange.com/questions/Q.20192563.html
http://www.experts-exchange.com/questions/Q.20196328.html


PLEASE DO NOT AWARD THE POINTS TO ME.  
 
------------>  EXPERTS:  Please leave any comments regarding this question here on closing recommendations if this item remains inactive another three days.
 
Thank you everyone.
 
Moondancer
Moderator @ Experts Exchange


P.S.  For any year 2000 questions, special attention is needed to ensure the first correct response is awarded, since they are not in the comment date order, but rather in Member ID order.
0
 
LVL 1

Expert Comment

by:DanEgli
ID: 6841734
I'm assuming FoxHound finally got it worked out. If he didn't I'm still happy to work with him.  If he does not want or need my help that is fine.

0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6862407
Thank you, foxhound, for returning and finalizing this.
Moondancer - EE Moderator
0
