Alexandre Takacs

asked on

BIND not working - denied requests

Hello

I am trying to set up a BIND server running on an Ubuntu 8.1 server to act as my primary DNS for a single domain. Secondary DNS should be provided by DynDNS. I don't have any fancy needs, I just want a few CNAMEs and MXs pointing to Google (I'm using Google Apps).

Unfortunately, despite lots of effort, I can't seem to get my setup working...

Let's start with my named.conf

------------------------------------------------------------------------------------------------
options {
    directory "/etc";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
    version "Surely you must be joking";
    allow-recursion { any; };
    allow-query { any; };
    allow-query-cache { any; };
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

key "rndc_key" {
    algorithm hmac-md5;
      secret "PUSNeyNcuyQep6BbzLYYGAeOL+V8ItICcnldf5LAWSbyKl9fGOj6eHejgD+XKGjEb9WH/EJXYGNAJjl+8StWcQ==";
};

logging {
         channel channel_info {
                    file "/etc/bind.log" versions 3 size 5m;
                    severity info;
                    print-time yes;
                    print-severity yes;
                    print-category yes;
               };


         channel channel_notice {
                    file "/etc/bindnotice.log" versions 3 size 5m;
                    severity notice;
                    print-time yes;
                    print-severity yes;
                    print-category yes;
               };

# default -> matches every category that has no channel assigned
        category default { channel_notice; };

        category general        { channel_notice; };
        category client         { channel_notice; };
        category config         { channel_notice; };
        category database       { channel_notice; };
        category dnssec         { channel_notice; };
        category lame-servers   { channel_notice; };
        category network        { channel_notice; };
        category notify         { channel_info; };
        category queries        { channel_notice; };
        category resolver       { channel_notice; };
        category security       { channel_info; };
        category update         { channel_info; };
        category update-security { channel_info; };
        category xfer-in        { channel_info; };
        category xfer-out       { channel_info; };
        category unmatched      { channel_notice; };
        category dispatch       { channel_notice; };
        category delegation-only { channel_notice; };
        category edns-disabled { channel_notice; };

    channel default_debug {
      file "named.run";
      severity dynamic;
    };

    channel default_stderr {
      stderr;
      severity info;
    };

    channel null {
      null;
    };
};


zone "." {
    type hint;
    file "/etc/root.hints";
};

zone "localhost" {
    type master;
    file "/etc/localhost";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "/etc/127.0.0";
};


zone "apevl.ch" IN {
      type master;
      file "sites/apevl.ch/forward.zone";
      allow-transfer { 127.0.0.1; };   # secondaries must be listed here, otherwise their AXFR is denied
      allow-update { none; };
      allow-query { any; };
      zone-statistics yes;
      notify no;
      also-notify { };
};

zone "49.98.191.88.in-addr.arpa" {
      type master;
      file "sites/apevl.ch/reverse.zone.ipv4";
      allow-transfer { 127.0.0.1; };   # same: secondaries must be listed here
      allow-update { none; };
      allow-query { any; };
      zone-statistics yes;
      notify no;
      also-notify { };
};
------------------------------------------------------------------------------------------------

and my zone file

------------------------------------------------------------------------------------------------
$TTL 3D    ; default TTL (3 days); ';' starts a comment in master-file syntax

apevl.ch.      IN      SOA      ns.apevl.ch.      hostmaster.apevl.ch. (
                  2009022401       ; serial
                  8H            ; refresh 8h
                  2H            ; retry 2h
                  1W            ; expires 1w
                  1D             ; minimum
)

            IN      NS     ns

ns.apevl.ch. A 88.191.98.49

ns1.apevl.ch. A 88.191.98.49

apevl.ch.      IN      A      88.191.98.49

      IN    NS    ns.apevl.ch.

      IN    NS    ns1.apevl.ch.

      IN      NS      ns2.mydyndns.org.

      IN      NS      ns3.mydyndns.org.

      IN      NS      ns4.mydyndns.org.

      IN      NS      ns5.mydyndns.org.

      IN      MX      10      aspmx.l.google.com.

      IN      MX      20      alt1.aspmx.l.google.com.

      IN      MX      30      alt2.aspmx.l.google.com.

mail.apevl.ch.  IN  CNAME ghs.google.com.

www.apevl.ch.  IN  CNAME ghs.google.com.

google34160a471ab995a5.apevl.ch.      IN      CNAME      google.com.
------------------------------------------------------------------------------------------------

BIND itself seems to load correctly

------------------------------------------------------------------------------------------------
Mar  8 10:57:28 xxx named[22061]: starting BIND 9.5.0-P2 -u bind -t /var/named -c /etc/named.conf
Mar  8 10:57:28 xxx named[22061]: found 1 CPU, using 1 worker thread
Mar  8 10:57:28 xxx named[22061]: loading configuration from '/etc/named.conf'
Mar  8 10:57:28 xxx named[22061]: listening on IPv4 interface lo, 127.0.0.1#53
Mar  8 10:57:28 xxx named[22061]: listening on IPv4 interface eth0, 88.191.98.49#53
Mar  8 10:57:28 xxx named[22061]: default max-cache-size (33554432) applies
Mar  8 10:57:28 xxx named[22061]: automatic empty zone: 0.IN-ADDR.ARPA
Mar  8 10:57:28 xxx named[22061]: automatic empty zone: 127.IN-ADDR.ARPA
Mar  8 10:57:28 xxx named[22061]: automatic empty zone: 254.169.IN-ADDR.ARPA
Mar  8 10:57:28 xxx named[22061]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Mar  8 10:57:28 xxx named[22061]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Mar  8 10:57:28 xxx named[22061]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Mar  8 10:57:28 xxx named[22061]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Mar  8 10:57:28 xxx named[22061]: automatic empty zone: D.F.IP6.ARPA
Mar  8 10:57:28 xxx named[22061]: automatic empty zone: 8.E.F.IP6.ARPA
Mar  8 10:57:28 xxx named[22061]: automatic empty zone: 9.E.F.IP6.ARPA
Mar  8 10:57:28 xxx named[22061]: automatic empty zone: A.E.F.IP6.ARPA
Mar  8 10:57:28 xxx named[22061]: automatic empty zone: B.E.F.IP6.ARPA
Mar  8 10:57:28 xxx named[22061]: default max-cache-size (33554432) applies: view _bind
Mar  8 10:57:28 xxx named[22061]: command channel listening on 127.0.0.1#953
------------------------------------------------------------------------------------------------

although I get these errors in my custom bind.log

------------------------------------------------------------------------------------------------
23-Feb-2009 20:45:33.095 security: error: client 204.13.249.138#62938: zone transfer 'apevl.ch/AXFR/IN' denied
23-Feb-2009 22:05:02.684 security: error: client 91.198.22.76#54700: zone transfer 'apevl.ch/AXFR/IN' denied
23-Feb-2009 22:05:02.752 security: error: client 91.198.22.138#57655: zone transfer 'apevl.ch/AXFR/IN' denied
23-Feb-2009 22:53:31.761 security: error: client 203.62.195.76#55412: zone transfer 'apevl.ch/AXFR/IN' denied
----
Mar  8 10:34:23 xxx named[2944]: client 91.198.22.76#53: query (cache) 'apevl.ch/SOA/IN' denied
Mar  8 10:34:23 xxx named[2944]: client 91.198.22.76#62917: bad zone transfer request: 'apevl.ch/IN': non-authoritative zone (NOTAUTH)
Mar  8 10:34:23 xxx named[2944]: client 91.198.22.138#56213: query (cache) 'apevl.ch/SOA/IN' denied
Mar  8 10:34:23 xxx named[2944]: client 91.198.22.138#53211: bad zone transfer request: 'apevl.ch/IN': non-authoritative zone (NOTAUTH)
---
Mar  8 10:39:58 xxx named[2944]: client 74.53.59.137#53207: query (cache) 'www.apevl.ch/A/IN' denied
Mar  8 10:39:58 xxx named[2944]: client 74.53.59.137#53208: query (cache) 'apevl.ch/A/IN' denied
Mar  8 10:39:58 xxx named[2944]: client 74.53.59.137#53209: query (cache) 'apevl.ch/TXT/IN' denied
Mar  8 10:39:58 xxx named[2944]: client 74.53.59.137#53210: query (cache) 'apevl.ch/CNAME/IN' denied
Mar  8 10:39:58 xxx named[2944]: client 74.53.59.137#53943: query (cache) 'ns1.apevl.ch/CNAME/IN' denied
------------------------------------------------------------------------------------------------

and in the bindnotice.log file

------------------------------------------------------------------------------------------------
23-Feb-2009 11:40:56.326 general: warning: checkhints: L.ROOT-SERVERS.NET/A (199.7.83.42) missing from hints
23-Feb-2009 11:40:56.327 general: warning: checkhints: L.ROOT-SERVERS.NET/A (198.32.64.12) extra record in hints
------------------------------------------------------------------------------------------------

Any help would be most appreciated...

Regards

alex
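The two log formats in the question (the custom channel format and the syslog format) carry the same "client IP#port: message" tail, so they can be triaged together. The script below is an added example, not part of the original post: it parses the denied-AXFR, "query (cache) ... denied" and NOTAUTH lines, groups the AXFR attempts by source address, and flags a zone as not loaded authoritatively when named answers queries for its own names through the cache path (which is what "query (cache)" means) or returns NOTAUTH on a transfer request. The sample lines are copied from the logs above and embedded so the script runs offline; the set of master zones is passed in by hand.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the logs in the question, one in the custom
# channel format and the rest in syslog format, plus one non-client line as a control.
SAMPLE_LOG = """\
23-Feb-2009 20:45:33.095 security: error: client 204.13.249.138#62938: zone transfer 'apevl.ch/AXFR/IN' denied
23-Feb-2009 22:05:02.684 security: error: client 91.198.22.76#54700: zone transfer 'apevl.ch/AXFR/IN' denied
Mar  8 10:34:23 xxx named[2944]: client 91.198.22.76#53: query (cache) 'apevl.ch/SOA/IN' denied
Mar  8 10:34:23 xxx named[2944]: client 91.198.22.76#62917: bad zone transfer request: 'apevl.ch/IN': non-authoritative zone (NOTAUTH)
Mar  8 10:39:58 xxx named[2944]: client 74.53.59.137#53208: query (cache) 'apevl.ch/A/IN' denied
Mar  8 10:39:58 xxx named[2944]: client 74.53.59.137#53943: query (cache) 'ns1.apevl.ch/CNAME/IN' denied
Mar  8 10:57:28 xxx named[22061]: command channel listening on 127.0.0.1#953
"""

# Both formats end with "client <ip>#<port>: <message>", so one expression covers them.
CLIENT_RE = re.compile(r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: (?P<msg>.*)$")
AXFR_RE = re.compile(r"zone transfer '(?P<zone>[^/']+)/AXFR/IN' denied")
CACHE_RE = re.compile(r"query \(cache\) '(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN' denied")
NOTAUTH_RE = re.compile(
    r"bad zone transfer request: '(?P<zone>[^/']+)/IN': non-authoritative zone \(NOTAUTH\)")


def parse_line(line):
    """Classify one log line; returns None for lines that carry no 'client' prefix."""
    m = CLIENT_RE.search(line)
    if not m:
        return None
    ip, msg = m.group("ip"), m.group("msg")
    a = AXFR_RE.match(msg)
    if a:
        return {"kind": "axfr_denied", "client": ip, "zone": a.group("zone")}
    c = CACHE_RE.match(msg)
    if c:
        return {"kind": "cache_denied", "client": ip, "name": c.group("name"), "rtype": c.group("rtype")}
    n = NOTAUTH_RE.match(msg)
    if n:
        return {"kind": "notauth", "client": ip, "zone": n.group("zone")}
    return {"kind": "other", "client": ip, "msg": msg}


def in_zone(name, zone):
    """True if name is the zone apex or lies below it (case-insensitive, trailing dot ignored)."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def triage(log_text, master_zones):
    """Summarise denials. master_zones: zones this server is configured as master for.

    A 'query (cache)' denial for a name inside one of those zones means named did not
    find an authoritative zone for it and went down the cache/recursion path, i.e. the
    zone is not loaded as authoritative; a NOTAUTH on a transfer request says the same.
    """
    axfr = defaultdict(set)
    not_auth = set()
    cache_denied_under_master = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "axfr_denied":
            axfr[ev["zone"]].add(ev["client"])
        elif ev["kind"] == "notauth":
            not_auth.add(ev["zone"])
        elif ev["kind"] == "cache_denied":
            for zone in master_zones:
                if in_zone(ev["name"], zone):
                    not_auth.add(zone)
                    cache_denied_under_master += 1
    return {
        "axfr_denied": {z: sorted(ips) for z, ips in axfr.items()},
        "not_authoritative": sorted(not_auth),
        "cache_denied_under_master": cache_denied_under_master,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG, {"apevl.ch"})
    for zone, ips in summary["axfr_denied"].items():
        print(f"AXFR for {zone} denied to: {', '.join(ips)}")
    for zone in summary["not_authoritative"]:
        print(f"{zone}: server is NOT answering authoritatively, check that the zone loaded")
```

Two things to keep apart when reading the output: the not-authoritative finding is the real fault (a master that returns NOTAUTH for its own zone has not loaded it), and the list of addresses whose AXFR was denied is only a hint. Do not paste those addresses into allow-transfer; anyone on the Internet can attempt a zone transfer, so the ACL should contain only the secondaries' published addresses, ideally protected with a TSIG key rather than an IP list alone.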
fosiul01

In options you need to add

options {
        listen-on port 53 { yourserverip; 127.0.0.1;  };

otherwise it will not allow DNS queries to your server
Alexandre Takacs (asker)

Hello

Thanks for your quick reply !

Options section amended as follows

-------------------------------------------------------
options {
    directory "/etc";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
    version "Surely you must be joking";
    listen-on port 53 {  88.191.98.49; 127.0.0.1;  };
    allow-recursion { any; };
    allow-query { any; };
    allow-query-cache { any; };
};
-------------------------------------------------------

Still getting

-------------------------------------------------------
Mar 11 16:50:15 xxx named[2928]: client 70.86.70.34#2022: query (cache) 'apevl.ch/MX/IN' denied
Mar 11 16:50:15 xxx named[2928]: client 70.86.70.34#2023: query (cache) 'www.apevl.ch/A/IN' denied
Mar 11 16:50:15 xxx named[2928]: client 70.86.70.34#2024: query (cache) 'apevl.ch/A/IN' denied
Mar 11 16:50:15 xxx named[2928]: client 70.86.70.34#2025: query (cache) 'apevl.ch/TXT/IN' denied
Mar 11 16:50:15 xxx named[2928]: client 70.86.70.34#2026: query (cache) 'apevl.ch/CNAME/IN' denied
Mar 11 16:50:15 xxx named[2928]: client 70.86.70.34#49617: query (cache) 'ns1.apevl.ch/CNAME/IN' denied
-------------------------------------------------------

(yes BIND was restarted :) ).

Any other suggestions?!
OK, hold on, I think I misunderstood you.



Can you do a DNS query on your server? Suppose I do a DNS query for your domain:

it can resolve your domain from your DNS server, right?


nslookup ns1.apelv.ch 127.0.0.1
Server:            127.0.0.1
Address:      127.0.0.1#53

** server can't find ns1.apelv.ch: NXDOMAIN

Whoops... clearly something is not working here...

Is there any way to get the domain name? It would be easier to understand the problem.
Not sure I understand your question... As per the conf file above, the domain is apelv.ch

Is that what you were looking for?

regards

alex
OK, if I do a DNS test on your domain apelv.ch
it's unable to resolve anything

and also, if I do ping apelv.ch

it says unknown host
> OK, if I do a DNS test on your domain apelv.ch
> it's unable to resolve anything

Well I guess you pretty much hit the nail...

Any suggestion as to why?! :=)

Regards
Too many reasons:

your BIND is not running
your port 53 is not opened in the firewall

What's the IP of your BIND server? 88.191.98.49?

If that's right, then I just tested

telnet 88.191.98.49 53
and it does work

In that case it's another problem.

Let me know if 88.191.98.49 is your BIND server IP.
indeed 88.191.98.49

See logs above, BIND is running as far as I can tell...
Sorry, I was trying with a wrong name; it's
apevl.ch

From dnsstuff, it can do DNS queries
but it fails at the SOA record.

Please allow me 2 hours, I will be with you shortly as my office hours are finished and I need to go home.
ASKER CERTIFIED SOLUTION
fosiul01

Go to this site

http://www.checkdns.net/

type your domain name

and it will tell you where the problem is.

Currently it can't read the SOA record.
I will be online shortly.
arnold
Are your servers the primary for apevl.ch? You need to give the DynDNS servers the ability to transfer the zone from your server (allow-transfer { dyndns servers; };).
I believe there is a named-checkzone tool with which you can check whether the zone file is valid. If there are issues, errors will be displayed.

The notation you used for the SOA header might be the problem, as fosiul01 pointed out.
The retry, expiry, minimum TTL, etc. need to be in seconds. The notation you use is what is represented in responses, but might not be valid for named.

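arnold's suggestion to validate the zone file is the right instinct; named-checkzone is the tool to run (named-checkzone apevl.ch /var/named/etc/sites/apevl.ch/forward.zone, given the chroot and directory in the question). The script below is an added example, not the page's own code nor a substitute for named-checkzone: a small master-file parser plus the static checks a delegated zone has to pass before a secondary will accept it, applied to a trimmed copy of the zone file from the question (constructed here, with the stray ';' after $TTL dropped). It handles the forms that file uses ($TTL, parenthesised SOA, owner-name inheritance on indented lines, optional class/TTL) and only the common record types; the comment stripping is naive and would break on a ';' inside quoted TXT data.

```python
import re
from collections import defaultdict

# Constructed sample: the zone file from the question, trimmed. ';' starts a comment in
# master-file syntax, so "$TTL 3D;" parsed fine but is written without the ';' here.
ZONE_TEXT = """\
$TTL 3D
apevl.ch.      IN      SOA      ns.apevl.ch.      hostmaster.apevl.ch. (
                  2009022401       ; serial
                  8H               ; refresh
                  2H               ; retry
                  1W               ; expire
                  1D               ; minimum
)
            IN      NS     ns
ns.apevl.ch. A 88.191.98.49
ns1.apevl.ch. A 88.191.98.49
apevl.ch.      IN      A      88.191.98.49
      IN    NS    ns.apevl.ch.
      IN    NS    ns1.apevl.ch.
      IN    NS    ns2.mydyndns.org.
      IN    MX    10   aspmx.l.google.com.
mail.apevl.ch.  IN  CNAME ghs.google.com.
www.apevl.ch.   IN  CNAME ghs.google.com.
"""

RTYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "TXT", "PTR", "SRV"}
CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"^\d+[smhdwSMHDW]?$")


def fqdn(name, origin):
    """Absolute form of a name: '@' is the origin, unqualified names get the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Strip ';' comments and join parenthesised records; yield (line, owner_inherited)."""
    buf, depth, inherited = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # naive: ignores ';' inside quoted TXT strings
        if depth == 0:
            if not line.strip():
                continue
            inherited = line[0].isspace()    # leading blank: same owner as the previous record
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " "), inherited
            buf = []


def parse_zone(text, origin):
    """Return (default_ttl, [(owner, rtype, rdata_tokens), ...]); raises on unparseable lines."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, owner, records = None, origin, []
    for line, inherited in logical_lines(text):
        toks = line.split()
        if toks[0] == "$TTL":
            default_ttl = toks[1]
            continue
        if toks[0] == "$ORIGIN":
            origin = fqdn(toks[1], origin)
            continue
        if not inherited:
            owner, toks = fqdn(toks[0], origin), toks[1:]
        while toks and (toks[0] in CLASSES or TTL_RE.match(toks[0])):
            toks = toks[1:]                  # optional per-record TTL and class, either order
        if not toks or toks[0] not in RTYPES:
            raise ValueError(f"cannot parse record for {owner}: {line.strip()}")
        records.append((owner, toks[0], toks[1:]))
    return default_ttl, records


def lint_zone(text, origin):
    """Static checks a delegated zone must pass; returns 'error:'/'warning:' strings."""
    apex = origin if origin.endswith(".") else origin + "."
    default_ttl, records = parse_zone(text, apex)
    findings = []
    if default_ttl is None:
        findings.append("error: no $TTL directive")
    soa = [r for o, t, r in records if o == apex and t == "SOA"]
    if len(soa) != 1:
        findings.append(f"error: expected one apex SOA, found {len(soa)}")
    elif not soa[0][2].isdigit():
        findings.append(f"error: SOA serial {soa[0][2]!r} is not numeric")
    by_owner = defaultdict(set)
    for o, t, _ in records:
        by_owner[o].add(t)
    for o, types in sorted(by_owner.items()):
        if "CNAME" in types and len(types) > 1:   # a CNAME must be the only record at its name
            findings.append(f"error: {o} has CNAME and other data {sorted(types)}")
    apex_ns = [fqdn(r[0], apex) for o, t, r in records if o == apex and t == "NS"]
    if not apex_ns:
        findings.append("error: no NS records at apex")
    for dup in sorted({n for n in apex_ns if apex_ns.count(n) > 1}):
        findings.append(f"warning: duplicate NS record at apex: {dup}")
    addr_owners = {o for o, t, _ in records if t in ("A", "AAAA")}
    for ns in sorted(set(apex_ns)):
        if ns.endswith("." + apex) and ns not in addr_owners:   # in-bailiwick NS needs glue
            findings.append(f"error: in-zone nameserver {ns} has no A/AAAA record")
    for o, t, r in records:
        if t in ("MX", "NS"):
            target = fqdn(r[-1], apex)
            if "CNAME" in by_owner.get(target, ()):   # RFC 2181 s10.3: MX/NS targets must not be aliases
                findings.append(f"error: {t} target {target} is a CNAME")
    return findings


if __name__ == "__main__":
    for finding in lint_zone(ZONE_TEXT, "apevl.ch") or ["ok"]:
        print(finding)
```

On the zone as posted the only finding is the duplicate NS for ns.apevl.ch. (listed once as "ns" and once as "ns.apevl.ch."), which is harmless; the checks that matter for a fresh delegation are the in-zone nameserver without an address record and the MX or NS pointing at a CNAME, both of which silently cause lookups and mail to fail without any error in the BIND log.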
Thanks, your named.conf syntax worked great. I also had to explicitly allow zone transfers to DynDNS and all seems well!