Solved

Recursive DNS

Posted on 2009-05-12
484 Views
Last Modified: 2013-11-30
Hello guys,

I'm trying to set up a non-recursive DNS with BIND (DirectAdmin). I've got the following in my /var/named/chroot/etc/named.conf:
// generated by named-bootconf.pl

options {
        directory "/var/named";
        allow-transfer {
                "range"; };
        allow-recursion {
                "range"; };
        version "named";

        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;

        acl "range" {
                192.168.0.0/24;
                172.16.2.0/24;
                x.x.x.x/24;
        };

};

//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

include "/etc/rndc.key";

The x.x.x.x/24 range is the public IP range of my customers that are allowed to do transfers and recursion. I restarted named but it had no effect.

Can you tell me what I am doing wrong?

Hope you can help me out.

Kind Regards
Question by:Netaffairs
28 Comments
 
LVL 1

Expert Comment

by:qdog69
ID: 24363609
I use a similar setup and the only differences I see are:

You have quotes around "range" and my options statement is below the acl statement. I would give those a try and see what happens.

Author Comment

by:Netaffairs
ID: 24363779
That didn't help. Maybe I use the wrong named.conf. I see 2 named.conf files:
/etc/named.conf (all domains and db file locations)
/var/named/chroot/etc/named.conf (the file above)
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24363856
What do you expect to happen and what happens?

Does this respond to recursive queries over the local console?

Does it respond to other hosts?

LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24363879
In fact your named.conf is very detailed; you don't need that much detail. I'm sending you a sample file, use it instead:


options {
	directory       "/conf";
	pid-file        "/var/run/named.pid";
	statistics-file "/var/run/named.stats";
	dump-file       "/var/run/named.db";
 
	# hide our "real" version number
	version         "[secured]";
};
 
# The root nameservers
zone "." {
	type   hint;
	file   "db.rootcache";
};
 
# localhost - forward zone
zone	"localhost" {
	type    master;
	file   "db.localhost";
	notify  no;
};
 
# localhost - inverse zone
zone    "0.0.127.in-addr.arpa" {
	type   master;
	file   "db.127.0.0";
	notify no;
};

LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24363900
Contents of the files are as follows:

The contents of db.localhost:
;
; db.localhost
;
$TTL    86400

@       IN SOA   @ root (
                        42              ; serial (d. adams)
                        3H              ; refresh
                        15M             ; retry
                        1W              ; expiry
                        1D )            ; minimum

        IN NS        @
        IN A         127.0.0.1


The contents of db.127.0.0:

;
; db.127.0.0
;
$TTL    86400
@       IN      SOA     localhost. root.localhost.  (
                            1 ; Serial
                            28800      ; Refresh
                            14400      ; Retry
                            3600000    ; Expire
                            86400 )    ; Minimum
        IN      NS      localhost.
1       IN      PTR     localhost.

Author Comment

by:Netaffairs
ID: 24363954
Hello KeremE,

Thanks for the reply. I want to allow recursion and transfer to local IPs and some public IPs (customers); that's why I use an ACL. When I do a DNS check from, for example, http://www.intodns.com/ I don't want them to do recursive queries.

Hope you can help me out.
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24363999
You can use your named.ca instead of the db.rootcache file. Or, better, get a fresh copy from:

ftp://ftp.internic.net/domain/named.root

LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24364055
Ok. Please find the named.conf with ACL added.



acl "goodfellas" {
        192.168.0.0/24;
        172.16.2.0/24;
        x.x.x.x/24;
};
 
 
options {
        directory       "/conf";
        pid-file        "/var/run/named.pid";
        statistics-file "/var/run/named.stats";
        dump-file       "/var/run/named.db";
 
        # hide our "real" version number
        version         "[secured]";
        allow-transfer { none; };
 
        allow-recursion { goodfellas; };
};
 
# The root nameservers
zone "." {
        type   hint;
        file   "db.rootcache";
};
 
# localhost - forward zone
zone    "localhost" {
        type    master;
        file   "db.localhost";
        notify  no;
};
 
# localhost - inverse zone
zone    "0.0.127.in-addr.arpa" {
        type   master;
        file   "db.127.0.0";
        notify no;
};


Author Comment

by:Netaffairs
ID: 24364163
OK, now I've got:
acl "goodfellas" {
        192.168.0.0/24;
        172.16.2.0/24;
        x.x.x.x/24;
};


options {
        directory "/var/named";
        allow-transfer {
                none; };
        allow-recursion {
                goodfellas; };
        version "named";

        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;



};

//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

But still no luck.
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24364233
I'm asking again. What do you want to accomplish?
How do you check it?

Author Comment

by:Netaffairs
ID: 24364262
I want to allow recursion and transfer to local IPs and some public IPs (customers); that's why I use an ACL. When I do a DNS check from, for example, http://www.intodns.com/ I don't want them to do recursive queries.
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24364270
If you're checking from outside, are you sure that the firewall allows DNS traffic on UDP 53 and TCP 53?
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24364305
Yeah, I got it, but what is the problem? Is it that INTODNS says you've got recursion allowed? Is your DNS not reachable from INTODNS at all?

What can INTODNS query from your site? Since it is a caching-only nameserver it is natural that it is not pointed to as an authoritative domain server for any domain. In this case, what could intodns check on your caching-only nameserver?


Author Comment

by:Netaffairs
ID: 24364317
Yes, otherwise I can't use the DNS server from the outside.
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24364324
How can people discover that your caching-only DNS is even there while it is not authoritative and no domain is pointing to it? The only way for any person to discover that you're running a DNS is to scan ports and discover that you have DNS.

Author Comment

by:Netaffairs
ID: 24364332
Yes, intodns says I allow recursion from everywhere. This is what I get:
I could use the nameservers listed below to perform recursive queries. It may be that I am wrong but the chances of that are low. You should not have nameservers that allow recursive queries as this will allow almost anyone to use your nameservers and can cause problems.
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24364391
I guess we have some problem here:
- intodns is to check authoritative domain servers. The problem with authoritative domain servers is they serve a domain (not caching only). Since they serve at least one domain, people would know about them as soon as they check the whois record. It lists the authoritative DNS server. Then people can use this DNS for their recursive queries.
- In your case the DNS is only a caching-only DNS not serving any domain, so no domains should be pointing at it. So nobody can discover that this server serves domains too if they are not doing a port scan.
- Since it is not an authoritative DNS there's no way to get it checked by intodns, and even if you did you'll get an error for every item that intoDNS checks.
- Under these circumstances, I believe the configuration I've sent should be sufficient to allow only the required people to use it. Whereas I don't quite get it: since it is only a caching-only DNS it must be placed over the intranet, and what is the use of an ACL in this sense? Do you use it to allow access to some IP range and keep others from resolving and hence browsing from the internet?
- In this case are you sure that the firewall running on this server does not block the DNS traffic?
- What is not running as you expected?
- How do you know that it does not work?

LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24364438
> Yes, intodns says I allow recursion from everywhere. This is what I get:
> I could use the nameservers listed below to perform recursive queries. It may be that I am wrong but
> the chances of that are low. You should not have nameservers that allow recursive queries as this will
> allow almost anyone to use your nameservers and can cause problems.

Yeah, one's nameservers should not be allowed to do recursion if they are not corporate employees. But what I tell you: since the DNS that you're trying to set up is not authoritative for any domain.
Since it is not an authoritative server I doubt that the server intodns queries is the server you've just set up.

Author Comment

by:Netaffairs
ID: 24364603
I don't know what you mean. My DNS servers are authoritative for 3000 domains. I test my DNS servers at intodns with a domain that my DNS is authoritative for.
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24364715
@Netaffairs:

> I don't know what you mean. My DNS servers are authoritative for 3000 domains. I test my DNS servers at
> intodns with a domain that my DNS is authoritative for.

Ok, where are the zone files for your DNS server then? The DNS server we're working on here is "caching only" = not serving any DNS. Then how can you possibly be testing this server with intodns?

As you know, when you register a domain you also register the authoritative domain servers for it. If you're registering the example.com domain you point at least two DNS servers such as dns.something.net and dns.something.net. From that moment on, if anyone wants to find www.example.com they need to come and ask the address from one of dns.something.com or dns2.something.com. So when you want to test a domain with intodns.com, you just fill in the form located on www.intodns.com and specify what domain you want to check. Only after that intodns queries and finds the nameservers for your domain (dns.something.com and dns2.something.com). Then it performs tests on them and publishes the results.

So if you want any DNS server to be tested by intodns, the first thing to do is to list this DNS server in the authoritative domain servers list of the domain. But since the DNS server you're asking about is not an authoritative DNS, how can you possibly test it with intodns?
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24364768
If we were to list the DNS server above for a domain name called example.com and then we had applied for a test of example.com to intodns, then recursion would not be the only error there, because the DNS did not contain any authoritative data (= zone file) for the domain in question. So it seems that you have other DNS servers serving these 3000 domains. They are separate from the DNS server that you run in the example above. Then are you applying the same settings to your live DNS as well? How do you know that it does not work?

Author Comment

by:Netaffairs
ID: 24365111
In the directory /var/named/ I see all the db files containing the DNS data for our domains. As I said in a post before, I've got 2 named.conf files:
/etc/named.conf (all domains and db file locations)
/var/named/chroot/etc/named.conf (the file above)

Which one do I need?
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24365236
Normally /etc/named.conf must be a symbolic link to /var/named/chroot/etc/named.conf. It should look like this:

# ls -al named.conf
lrwxrwxrwx  1 root root 32 Apr 30 04:19 named.conf -> /var/named/chroot/etc/named.conf

But I understand that it is not a link anymore, and thank God it is not! Because the files you've provided here and I'd suggested you to use would cause your nameserver to turn into a caching-only nameserver with no authoritative domains!!!

So please don't use your production system for such experiments.
Will you please ls -al both files and post here?

Author Comment

by:Netaffairs
ID: 24365317
I think I see where it is going wrong:
-rw-r--r--  1 root root  221498 May 11 12:05 named.conf
lrwxrwxrwx  1 root named     33 Dec 14  2007 named.conf.bak -> /var/named/chroot//etc/named.conf
-rw-r--r-- 1 root named 1464 May 12 15:08 /var/named/chroot/etc/named.conf
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24365431
oh yeah
:)

Please back up the named.conf file as named.conf.current before proceeding. Since you've told me you have nearly 3000 zones in the file, be extremely cautious!!!!
- First of all check if any of these 3000 zones have secondaries.
- Then create an ACL for secondaries too;
- Now add it; it should read like this:

acl "goodfellas" {
        192.168.0.0/24;
        172.16.2.0/24;
        x.x.x.x/24;
};

acl "secondaries" { none; };

options {
       .
       .    
        allow-transfer {
                secondaries; };
        allow-recursion {
                goodfellas; };

       .
       .
        version "DNS-VER";
};
LVL 30

Expert Comment

by:Kerem ERSOY
ID: 24369304
Don't forget to find out and populate your secondaries ACL, or you might cause some problems if you have secondaries located outside. You might like to check what secondary transfers took place from the logs too. To check this use:

grep AXFR /var/log/messages

If you have secondaries you must get some records similar to this:
May 12 05:19:45 host named[3259]: client x.x.x.x#45990: transfer of 'example.com/IN': AXFR-style IXFR started
..
.
.
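The grep above shows the raw transfer lines; the script below is an added example (not code from the thread) that parses such lines from a log and renders the addresses it finds as the "secondaries" ACL used in the answers here. The log lines in SAMPLE_LOG are constructed for the example with TEST-NET addresses, in the same shape as the 'transfer of ... started' line quoted above; on a real system you would feed it the output of the grep instead.

```python
"""Added example (not from the thread): find the secondaries that actually pull
zones from this server by parsing the AXFR/IXFR lines that BIND writes to
syslog, then render them as the "secondaries" ACL the answers above use.

The log lines below are constructed for the example (TEST-NET addresses),
with the same shape as the 'transfer of ... started' line quoted in the post.
"""
import ipaddress
import re
from collections import defaultdict

# BIND logs one line when a transfer begins; AXFR, IXFR and AXFR-style IXFR
# all count, since each one reveals a client that is acting as a secondary.
TRANSFER_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: transfer of '(?P<zone>[^/']+)/IN': "
    r"(?P<kind>AXFR-style IXFR|AXFR|IXFR) started"
)

SAMPLE_LOG = """\
May 12 05:19:45 host named[3259]: client 203.0.113.7#45990: transfer of 'example.com/IN': AXFR-style IXFR started
May 12 05:19:46 host named[3259]: client 203.0.113.7#45990: transfer of 'example.com/IN': AXFR-style IXFR ended
May 12 05:21:02 host named[3259]: client 198.51.100.22#51012: transfer of 'example.com/IN': AXFR started
May 12 05:22:10 host named[3259]: client 203.0.113.7#46001: transfer of 'example.net/IN': IXFR started
May 12 05:30:00 host named[3259]: client 198.51.100.9#5353: query (cache) 'example.org/A/IN' denied
""".splitlines()


def parse_transfers(lines):
    """Map each zone name to the set of client addresses that started a transfer."""
    by_zone = defaultdict(set)
    for line in lines:
        m = TRANSFER_RE.search(line)
        if m:
            by_zone[m.group("zone")].add(m.group("ip"))
    return dict(by_zone)


def transfer_clients(by_zone):
    """All transfer clients across zones, validated and sorted as addresses."""
    addrs = {ipaddress.ip_address(ip) for ips in by_zone.values() for ip in ips}
    return [str(a) for a in sorted(addrs, key=lambda a: (a.version, a))]


def render_acl(name, addresses):
    """Render a named.conf acl block; an empty list yields 'none' (no transfers)."""
    body = "".join(f"        {a};\n" for a in addresses) or "        none;\n"
    return f'acl "{name}" {{\n{body}}};\n'


if __name__ == "__main__":
    by_zone = parse_transfers(SAMPLE_LOG)
    for zone, ips in sorted(by_zone.items()):
        print(f"{zone}: {', '.join(sorted(ips))}")
    print(render_acl("secondaries", transfer_clients(by_zone)))
```

Only lines that mark the start of a transfer are counted, so the "ended" line and the denied cache query in the sample are ignored; an empty result renders as `none`, which matches the placeholder ACL in the answer and keeps zone transfers closed until real secondaries are added.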

Author Comment

by:Netaffairs
ID: 24371916
To which file do I have to make these changes? To /etc/named.conf or to /var/named/chroot/etc/named.conf?

In the file /etc/named.conf I only see a long list of zone/db file locations.
LVL 30

Accepted Solution

by:
Kerem ERSOY earned 500 total points
ID: 24372626
You need to change /etc/named.conf. If you don't have an options section on your named.conf, well this is the reason why intodns complains about your site :)

Please back up the file before modification. Then add these to the top:

acl "goodfellas" {
        192.168.0.0/24;
        172.16.2.0/24;
        x.x.x.x/24;
};

acl "secondaries" { none; };

options {
        version "SbNamed";
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";

        allow-transfer { secondaries; };

        allow-recursion { goodfellas; };
};

logging {
        category lame-servers { null; };
        category client { null; };

        channel default_syslog {
                syslog daemon;
                severity info; };
};

include "/etc/rndc.key";


Please note that when you add these lines there will be no secondaries allowed. So if you have a secondary DNS, don't forget to add its address to the secondaries ACL, otherwise it will not allow secondary zone transfers, i.e., AXFR transfers.

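After applying the options above, the natural check is the one intodns performs: ask the server, with recursion desired, for a name it is not authoritative for, and see whether it recurses. The script below is an added example (not code from the thread or from BIND) that does this with a hand-built DNS query and reads the RA (recursion available) bit, RCODE and answer count from the reply. SERVER and PROBE_NAME are placeholders, and the two sample replies are constructed so the classification can be exercised offline; `probe()` sends the real query when run against your own server. With the ACL setup above, a client outside "goodfellas" should get REFUSED with RA clear, and a client inside it should get an answer with RA set.

```python
"""Added example (not from the thread): check whether a BIND server will
recurse for a given client, the way an external checker such as intodns does.

It sends one query with the RD (recursion desired) bit set for a name the
server is not authoritative for and looks at the RA (recursion available)
bit, the RCODE and the answer count in the reply.
SERVER and PROBE_NAME are placeholders, not values from the thread.
"""
import socket
import struct

SERVER = "192.0.2.53"        # placeholder: your own nameserver
PROBE_NAME = "example.com."  # a name this server is NOT authoritative for


def build_query(qname, txid=0x1234, rd=True):
    """Build a minimal DNS A/IN query (RFC 1035 section 4.1) with RD set."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_header(data):
    """Decode the 12-byte DNS header into the fields the check needs."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "aa": bool(flags & 0x0400),   # authoritative answer
        "ra": bool(flags & 0x0080),   # recursion available to this client
        "rcode": flags & 0x000F,      # 0 = NOERROR, 5 = REFUSED
        "ancount": ancount,
    }


def classify(hdr):
    """'open' if the server recursed for us, 'refused' if it declined, else 'other'."""
    if not hdr["qr"]:
        return "other"
    if hdr["rcode"] == 0 and hdr["ra"] and hdr["ancount"] > 0 and not hdr["aa"]:
        return "open"
    if hdr["rcode"] == 5 and not hdr["ra"]:
        return "refused"
    return "other"


def probe(server=SERVER, qname=PROBE_NAME, timeout=3.0):
    """Send the probe over UDP/53 from this host and classify the reply."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    hdr = parse_header(data)
    if hdr["id"] != 0x1234:
        return "other"  # reply does not match our query
    return classify(hdr)


# Constructed sample replies (not captured from a real server), used so the
# classification can be exercised offline.
_QUESTION = build_query(PROBE_NAME)[12:]
# QR=1 RD=1 RA=1 RCODE=0, one A record in the answer section: an open resolver.
OPEN_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
              + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
# QR=1 RD=1 RA=0 RCODE=5, no answer: recursion refused for this client.
REFUSED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    for name, reply in (("open", OPEN_REPLY), ("refused", REFUSED_REPLY)):
        print(name, "->", classify(parse_header(reply)))
    # print(probe())  # run from a host outside and inside the ACL to compare
```

Run `probe()` once from an address inside the goodfellas ACL and once from outside it; the two results should differ, and the "outside" run is the one that tells you what intodns sees. The check deliberately ignores authoritative answers (AA set), since a server answering for its own zones says nothing about recursion.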