Solved

Recursive DNS

Posted on 2009-05-12
Last Modified: 2013-11-30
Hello guys,

I'm trying to set up a non-recursive DNS with Bind (Directadmin). I've got the following in my /var/named/chroot/etc/named.conf:
// generated by named-bootconf.pl

options {
directory "/var/named";
allow-transfer {
"range"; };
allow-recursion {
"range"; };
version "named";

/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;

acl "range" {
192.168.0.0/24;
172.16.2.0/24;
x.x.x.x/24;
};

};

//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
type hint;
file "named.ca";
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

include "/etc/rndc.key";

The x.x.x.x/24 range is the public IP range of my customers that are allowed to transfer and to recurse. I restarted named but it had no effect.

Can you tell me what I am doing wrong?

Hope you can help me out.

Kind Regards
Question by:Netaffairs
28 Comments
 
LVL 1

Expert Comment

by:qdog69
I use a similar setup and the only differences I see are:

You have quotes around "range", and my options statement is below the acl statement. I would give those a try and see what happens.

Author Comment

by:Netaffairs
That didn't help. Maybe I use the wrong named.conf. I see 2 named.conf files:
/etc/named.conf (all domains and db file locations)
/var/named/chroot/etc/named.conf (the file above)
LVL 30

Expert Comment

by:Kerem ERSOY
What do you expect to happen and what happens?

Does this respond to recursive queries over the local console?

Does it respond to other hosts?

LVL 30

Expert Comment

by:Kerem ERSOY
In fact your named.conf is very detailed; you don't need that much detail. I'm sending you a sample file, use it instead:


options {
        directory       "/conf";
        pid-file        "/var/run/named.pid";
        statistics-file "/var/run/named.stats";
        dump-file       "/var/run/named.db";

        # hide our "real" version number
        version         "[secured]";
};

# The root nameservers
zone "." {
        type   hint;
        file   "db.rootcache";
};

# localhost - forward zone
zone    "localhost" {
        type    master;
        file   "db.localhost";
        notify  no;
};

# localhost - inverse zone
zone    "0.0.127.in-addr.arpa" {
        type   master;
        file   "db.127.0.0";
        notify no;
};

LVL 30

Expert Comment

by:Kerem ERSOY
Contents of the files are as follows:

The contents of db.localhost:
;
; db.localhost
;
$TTL    86400

@       IN SOA   @ root (
                        42              ; serial (d. adams)
                        3H              ; refresh
                        15M             ; retry
                        1W              ; expiry
                        1D )            ; minimum

        IN NS        @
        IN A         127.0.0.1


The contents of db.127.0.0:

;
; db.127.0.0
;
$TTL    86400
@       IN      SOA     localhost. root.localhost.  (
                            1 ; Serial
                            28800      ; Refresh
                            14400      ; Retry
                            3600000    ; Expire
                            86400 )    ; Minimum
        IN      NS      localhost.
1       IN      PTR     localhost.

Author Comment

by:Netaffairs
Hello KeremE,

Thanks for the reply. I want to allow recursion and transfer to local IPs and some public IPs (customers); that's why I use an ACL. When I do a DNS check from, for example, http://www.intodns.com/ I don't want them to be able to do recursive queries.

Hope you can help me out.
LVL 30

Expert Comment

by:Kerem ERSOY
You can use your named.ca instead of the db.rootcache file. Or you'd better get a fresh copy from:

ftp://ftp.internic.net/domain/named.root

LVL 30

Expert Comment

by:Kerem ERSOY
Ok. Please find the named.conf with ACL added.



acl "goodfellas" {
        192.168.0.0/24;
        172.16.2.0/24;
        x.x.x.x/24;
};

options {
        directory       "/conf";
        pid-file        "/var/run/named.pid";
        statistics-file "/var/run/named.stats";
        dump-file       "/var/run/named.db";

        # hide our "real" version number
        version         "[secured]";

        # "none" is BIND's predefined empty match list: no zone transfers at all
        allow-transfer { none; };

        allow-recursion { goodfellas; };
};

# The root nameservers
zone "." {
        type   hint;
        file   "db.rootcache";
};

# localhost - forward zone
zone    "localhost" {
        type    master;
        file   "db.localhost";
        notify  no;
};

# localhost - inverse zone
zone    "0.0.127.in-addr.arpa" {
        type   master;
        file   "db.127.0.0";
        notify no;
};


Author Comment

by:Netaffairs
OK, now I've got:
acl "goodfellas" {
        192.168.0.0/24;
        172.16.2.0/24;
        x.x.x.x/24;
};


options {
        directory "/var/named";
        allow-transfer {
                null; };
        allow-recursion {
                goodfellas; };
        version "named";

        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;



};

//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

But still no luck.
LVL 30

Expert Comment

by:Kerem ERSOY
I'm asking again. What do you want to accomplish?
How do you check it?

Author Comment

by:Netaffairs
I want to allow recursion and transfer to local IPs and some public IPs (customers); that's why I use an ACL. When I do a DNS check from, for example, http://www.intodns.com/ I don't want them to be able to do recursive queries.
LVL 30

Expert Comment

by:Kerem ERSOY
If you're checking from outside, are you sure that the firewall allows DNS traffic on UDP 53 and TCP 53?
LVL 30

Expert Comment

by:Kerem ERSOY
Yeah I got it, but what is the problem? Is it that INTODNS says you've got recursion allowed? Is your DNS not reachable from INTODNS at all??

What can INTODNS query from your site? Since it is a caching-only name server it is natural that it is not pointed to as an authoritative domain server for any domain. In this case, what could intodns check on your caching-only nameserver?


Author Comment

by:Netaffairs
Yes, otherwise I can't use the DNS server from the outside.
LVL 30

Expert Comment

by:Kerem ERSOY
How can people discover that your caching-only DNS is even there, while it is not authoritative and no domain is pointing to it? The only way for anyone to discover that you're running a DNS server is to scan ports and discover that you have DNS.

Author Comment

by:Netaffairs
Yes, intodns says I allow recursion from everywhere. This is what I get:
I could use the nameservers listed below to performe recursive queries. It may be that I am wrong but the chances of that are low. You should not have nameservers that allow recursive queries as this will allow almost anyone to use your nameservers and can cause problems.
LVL 30

Expert Comment

by:Kerem ERSOY
I guess we have some problem here:
- intodns is to check authoritative domain servers. The problem with authoritative domain servers is they serve a domain (not caching only). Since they serve at least one domain, people would know about them as soon as they check the whois record. It lists the authoritative DNS server. Then people can use this DNS for their recursive queries.
- In your case the DNS is only a caching-only DNS not serving any domain, so no domain should be pointing at it, so nobody can discover that this server serves DNS too if they are not doing a port scan.
- Since it is not an authoritative DNS there's no way to get it checked by intodns, and even if you did you'd get an error for every item that intoDNS checks.
- Under these circumstances, I believe the configuration I've sent should be sufficient to allow only the required people to use it. Whereas I don't quite get it: since it is only a caching-only DNS it must be placed over the intranet, and what is the use of an ACL in this sense? Do you use it to allow access to some IP range and keep others from resolving and hence browsing from the internet?
- In this case are you sure that the firewall running on this server does not block the DNS traffic?
- What is not running as you expected?
- How do you know that it does not work?

LVL 30

Expert Comment

by:Kerem ERSOY
> Yes intodns says I allow recursion from everywhere. This is what I get:
> I could use the nameservers listed below to performe recursive queries. It may be that I am wrong but
> the chances of that are low. You should not have nameservers that allow recursive queries as this will
> allow almost anyone to use your nameservers and can cause problems.

Yeah, one's nameservers should not be allowed to do recursion if they are not corporate employees. But what I tell you: since the DNS that you're trying to set up is not authoritative for any domain.
Since it is not an authoritative server I doubt that the server intodns queries is the server you've just set up.

Author Comment

by:Netaffairs
I don't know what you mean. My DNS servers are authoritative for 3000 domains. I test my DNS servers at intodns with a domain that my DNS is authoritative for.
LVL 30

Expert Comment

by:Kerem ERSOY
@Netaffairs:

> I don't know what you mean. My dns servers are authoritative for 3000 domains. I test my dns servers at
> intodns with a domain that my dns is authoritative for.

Ok, where are the zone files for your DNS server then? The DNS server we're working on here is a "caching only" = not serving any DNS. Then how can you possibly be testing this server with intodns?

As you know, when you register a domain you also register the authoritative domain servers for it. If you're registering the example.com domain you point at least two dns servers such as dns.something.net and dns.something.net. From that moment on, if anyone wants to find www.example.com they need to come and ask the address from one of dns.something.com or dns2.something.com. So when you want to test a domain with intodns.com, you just fill in the form located on www.intodns.com and specify what domain you want to check. Only after that intodns queries and finds the nameservers for your domain (dns.something.com and dns2.something.com). Then it performs tests on them and publishes the results.

So if you want any dns server to be tested by intodns, the first thing to do is to list this dns server in the authoritative domain servers list of the domain. But since the DNS server you're asking about is not an authoritative DNS, how can you possibly test it with intodns?
LVL 30

Expert Comment

by:Kerem ERSOY
If we were to list the DNS server above for a domain name called example.com and then we had applied for a test of example.com to intodns, then recursion would not be the only error there. Because the DNS did not contain any authoritative data (= zone file) for the domain in question. So it seems that you have other DNS servers serving these 3000 domains. They are separate from the DNS server that you run in the example above. Then are you applying the same settings to your live DNS as well?? How do you know that it does not work?

Author Comment

by:Netaffairs
In the directory /var/named/ I see all the db files containing the DNS data for our domains. As I said in a post before, I've got 2 named.conf files:
/etc/named.conf (all domains and db file locations)
/var/named/chroot/etc/named.conf (the file above)

Which one do I need?
LVL 30

Expert Comment

by:Kerem ERSOY
Normally /etc/named.conf must be a symbolic link to /var/named/chroot/etc/named.conf. It should look like this:

# ls -al named.conf
lrwxrwxrwx  1 root root 32 Apr 30 04:19 named.conf -> /var/named/chroot/etc/named.conf

But I understand that it is not a link anymore, and thank god it is not! Because the files you've provided here and I'd suggested you to use would cause your nameserver to turn into a caching-only nameserver with no authoritative domains!!!

So please don't use your production system for such experiments.
Will you please ls -al both files and post here?

Author Comment

by:Netaffairs
I think I see where it is going wrong:
-rw-r--r--  1 root root  221498 May 11 12:05 named.conf
lrwxrwxrwx  1 root named     33 Dec 14  2007 named.conf.bak -> /var/named/chroot//etc/named.conf
-rw-r--r-- 1 root named 1464 May 12 15:08 /var/named/chroot/etc/named.conf
LVL 30

Expert Comment

by:Kerem ERSOY
Oh yeah
:)

Please backup the named.conf file as named.conf.current before proceeding. Since you've told me you have nearly 3000 zones in the file, be extremely cautious!!!!
- First of all check if any of these 3000 zones have secondaries.
- Then create an ACL for secondaries too;
- Now add it; it should read like this:

acl "goodfellas" {
        192.168.0.0/24;
        172.16.2.0/24;
        x.x.x.x/24;
};

// "none" is BIND's predefined empty match list; list your secondaries here
acl "secondaries" { none; };

options {
       .
       .    
        allow-transfer {
                secondaries; };
        allow-recursion {
                goodfellas; };

       .
       .
        version "DNS-VER";
};
LVL 30

Expert Comment

by:Kerem ERSOY
Don't forget to find out and populate your secondaries acl, or you might cause some problems if you have secondaries located outside. You might like to check what secondary transfers took place from the logs too. To check this use:

grep AXFR /var/log/messages

If you have secondaries you must get some records similar to this:
May 12 05:19:45 host named[3259]: client x.x.x.x#45990: transfer of 'example.com/IN': AXFR-style IXFR started
..
.
.
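Added example, not part of the original thread and not ISC BIND code: it does the log check above programmatically. It parses transfer lines of the shape quoted in the previous comment, groups them by requesting client, renders them as a ready-to-review "secondaries" acl, and reports any client that pulled a zone but is not on your known-secondary list, which is the quickest way to see what an open allow-transfer has been handing out. The log lines embedded below are constructed (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges); the pattern matches the older BIND 9 log format shown in the thread and is an assumption to adjust if your named prints a different client prefix.

```python
"""Turn BIND zone-transfer log lines into a reviewable 'secondaries' acl.
Added example: not code from the thread and not part of ISC BIND."""
import re
from collections import defaultdict

# Older BIND 9 transfer log line, in the form quoted in the thread:
#   May 12 05:19:45 host named[3259]: client 192.0.2.10#45990: transfer of 'example.com/IN': AXFR-style IXFR started
_XFER_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9A-Fa-f.:]+)#\d+: transfer of "
    r"'(?P<zone>[^/']+)/IN': (?P<kind>AXFR-style IXFR|AXFR|IXFR) (?P<event>started|ended)")


def transfers_by_client(lines):
    """Map each requesting address to the set of zones it started pulling."""
    zones = defaultdict(set)
    for line in lines:
        m = _XFER_RE.search(line)
        if m and m.group("event") == "started":
            zones[m.group("ip")].add(m.group("zone"))
    return dict(zones)


def unexpected_clients(lines, expected):
    """Addresses that pulled zones but are not in the expected set of secondaries."""
    return set(transfers_by_client(lines)) - set(expected)


def secondaries_acl(lines, name="secondaries"):
    """Render an acl statement listing every address seen transferring, with the
    zones it pulled as a trailing comment so each entry can be vetted before use.
    With no transfers in the log the acl is 'none', i.e. transfers stay closed."""
    zones = transfers_by_client(lines)
    if not zones:
        return 'acl "%s" { none; };' % name
    body = "".join("    %s; // %s\n" % (ip, ", ".join(sorted(z)))
                   for ip, z in sorted(zones.items()))
    return 'acl "%s" {\n%s};' % (name, body)


# Constructed log lines (192.0.2.x and 198.51.100.x are documentation addresses).
SAMPLE_LOG = """\
May 12 05:19:45 ns1 named[3259]: client 192.0.2.10#45990: transfer of 'example.com/IN': AXFR-style IXFR started
May 12 05:19:45 ns1 named[3259]: client 192.0.2.10#45990: transfer of 'example.com/IN': AXFR-style IXFR ended
May 12 05:21:02 ns1 named[3259]: client 192.0.2.10#46012: transfer of 'example.net/IN': AXFR started
May 12 06:00:13 ns1 named[3259]: client 198.51.100.7#53011: transfer of 'example.com/IN': AXFR started
May 12 06:00:13 ns1 named[3259]: client 198.51.100.7#53011: transfer of 'example.com/IN': AXFR ended
May 12 06:02:40 ns1 named[3259]: client 192.0.2.55#40000: query: www.example.com IN A + (192.0.2.1)
""".splitlines()

if __name__ == "__main__":
    # In practice feed it open("/var/log/messages") or the output of grep AXFR.
    print(secondaries_acl(SAMPLE_LOG))
    print("not in the known secondary list:", unexpected_clients(SAMPLE_LOG, {"192.0.2.10"}))
```

Only "started" events are counted so a transfer that appears twice (started and ended) yields one entry, and query lines are ignored. Review the rendered acl by hand before pasting it: a host that pulled zones is not automatically one that should be allowed to.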

Author Comment

by:Netaffairs
In which file do I have to make these changes? /etc/named.conf or /var/named/chroot/etc/named.conf?

In the file /etc/named.conf i only see a long list of zone/db files locations.
LVL 30

Accepted Solution

by: Kerem ERSOY (earned 500 total points)
You need to change /etc/named.conf. If you don't have an options section in your named.conf, well, this is the reason why intodns complains about your site :)

Please back up the file before modification. Then add these to the top:

acl "goodfellas" {
        192.168.0.0/24;
        172.16.2.0/24;
        x.x.x.x/24;
};

// "none" is BIND's predefined empty match list: no transfers until secondaries are listed
acl "secondaries" { none; };

options {
        version "SbNamed";
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";

        allow-transfer { secondaries; };

        allow-recursion { goodfellas; };
};

logging {
        category lame-servers { null; };
        category client { null; };

        channel default_syslog {
                syslog daemon;
                severity info; };
};

include "/etc/rndc.key";


Please note that when you add these lines, there will be no secondaries allowed. So if you have a secondary DNS, don't forget to add the address of it into the secondaries ACL, otherwise it will not allow secondary name transfers, i.e., AXFR transfers.

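Added example, not part of the original thread and not ISC code, that checks a named.conf for the specific problems worked through above: an acl nested inside options (acl is only legal as a top-level statement), an ACL name that is referenced in options but never defined before it (BIND allows no forward references), a file with no options block at all, and allow-recursion or allow-transfer left unset or opened to any. It carries its own minimal tokenizer and parser for the BIND statement syntax, including the //, # and /* */ comment styles, so it runs offline; the four sample configurations are constructed, with 203.0.113.0/24 standing in for the customer range. It complements named-checkconf rather than replacing it, since it knows nothing about the rest of the grammar.

```python
"""Lint a BIND named.conf for the recursion/transfer ACL mistakes worked through in this
thread.  Added example: not code from the thread and not part of ISC BIND."""
import re

PREDEFINED_ACLS = {"any", "none", "localhost", "localnets"}  # names BIND predefines
# Tokens: whitespace, the three BIND comment styles, quoted strings, punctuation, bare words.
_TOKEN_RE = re.compile(r'\s+|//[^\n]*|#[^\n]*|/\*.*?\*/|"[^"]*"|[{};]|[^\s{};"]+', re.S)
_ADDR_RE = re.compile(r'(?=.*\d)[0-9A-Fa-f.:]+(?:/\d{1,3})?')  # v4/v6 address or prefix


def tokenize(text):
    """Split named.conf text into tokens, dropping whitespace and comments."""
    toks = (m.group(0) for m in _TOKEN_RE.finditer(text))
    return [t.strip('"') for t in toks if not t.isspace() and not t.startswith(("//", "#", "/*"))]


def parse(tokens):
    """Parse tokens into nested statements (words, blocks); blocks holds the statement
    lists of any { ... } groups the statement carries.  Raises ValueError on bad syntax."""
    pos = 0

    def block():
        nonlocal pos
        stmts = []
        while pos < len(tokens) and tokens[pos] != "}":
            words, blocks = [], []
            while tokens[pos] != ";":
                if tokens[pos] == "{":
                    pos += 1
                    blocks.append(block())
                    if pos >= len(tokens):
                        raise ValueError("unclosed '{'")
                elif tokens[pos] == "}":
                    raise ValueError("'}' before ';' (missing semicolon?)")
                else:
                    words.append(tokens[pos])
                pos += 1
                if pos >= len(tokens):
                    raise ValueError("statement not terminated with ';'")
            pos += 1  # consume the ';'
            stmts.append((words, blocks))
        return stmts

    stmts = block()
    if pos != len(tokens):
        raise ValueError("unexpected '}' at top level")
    return stmts


def lint(text):
    """Return findings about recursion/transfer exposure; [] means the ACL wiring is
    consistent (it says nothing about the zones themselves)."""
    try:
        stmts = parse(tokenize(text))
    except ValueError as exc:
        return ["syntax: %s" % exc]
    findings = []

    def walk(stmts, parent):  # acl is only legal as a top-level statement
        for words, blocks in stmts:
            if not words:
                findings.append("stray ';' inside %s" % parent)
            elif words[0] == "acl" and parent != "top level":
                findings.append("misplaced acl %r inside %s: acl must be a top-level statement"
                                % (words[1] if len(words) > 1 else "?", parent))
            for b in blocks:
                walk(b, words[0])

    walk(stmts, "top level")
    opt_idx = next((i for i, (w, _) in enumerate(stmts) if w and w[0] == "options"), None)
    if opt_idx is None:
        return findings + ["no options block: allow-recursion/allow-transfer never set, so "
                           "named falls back to its built-in defaults"]
    # BIND allows no forward references, so only acls defined before options count.
    defined = PREDEFINED_ACLS | {w[1] for w, _ in stmts[:opt_idx] if len(w) > 1 and w[0] == "acl"}
    blocks = stmts[opt_idx][1]
    clauses = {w[0]: b for w, b in blocks[0] if w} if blocks else {}
    for clause in ("allow-recursion", "allow-transfer"):
        if not clauses.get(clause):
            findings.append("%s not set: named uses its built-in default" % clause)
            continue
        for w, _ in clauses[clause][0]:
            if not w or w[0] == "key":
                continue  # empty statement already reported; key-based entries out of scope
            member = w[-1].lstrip("!")
            if member == "any":
                findings.append("%s { any; }: %s" % (clause, "open resolver" if clause ==
                                "allow-recursion" else "zone data readable by anyone"))
            elif member not in defined and not _ADDR_RE.fullmatch(member):
                findings.append("%s references undefined acl %r" % (clause, member))
    return findings


# Constructed samples (203.0.113.0/24 is documentation space, standing in for the customer range).
MISPLACED_ACL = """options {
        directory "/var/named";
        allow-recursion { "range"; };                      // quoted name, defined below...
        acl "range" { 192.168.0.0/24; 203.0.113.0/24; };   // ...but inside options
};
zone "." IN { type hint; file "named.ca"; };"""
OPEN_RESOLVER = 'options { directory "/var/named"; allow-recursion { any; }; allow-transfer { none; }; };'
ZONES_ONLY = 'zone "example.com" IN { type master; file "example.com.db"; };'
CORRECTED = """acl "goodfellas" { 192.168.0.0/24; 172.16.2.0/24; 203.0.113.0/24; };
acl "secondaries" { none; };
options { directory "/var/named"; allow-transfer { secondaries; }; allow-recursion { goodfellas; }; };"""

if __name__ == "__main__":
    for label, conf in (("misplaced acl", MISPLACED_ACL), ("open resolver", OPEN_RESOLVER),
                        ("zones only", ZONES_ONLY), ("corrected", CORRECTED)):
        print("%-14s %s" % (label, "; ".join(lint(conf)) or "ok"))
```

The ZONES_ONLY sample is the shape of the /etc/named.conf the poster ended up with (zone statements only): the lint reports the missing options block, which is exactly why the externally visible server still answered recursive queries while the chroot copy was being edited. Run it over both files when a host has more than one named.conf so the one named actually loads is the one being judged.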