Recursive DNS

Hello guys,

I'm trying to set up a non-recursive DNS with BIND (DirectAdmin). I've got the following in my /var/named/chroot/etc/named.conf:
// generated by named-bootconf.pl

options {
        directory "/var/named";
        allow-transfer { "range"; };
        allow-recursion { "range"; };
        version "named";

        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;

        acl "range" {
                192.168.0.0/24;
                172.16.2.0/24;
                x.x.x.x/24;
        };

};

//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
type hint;
file "named.ca";
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

include "/etc/rndc.key";

The x.x.x.x/24 range is the public IP range of my customers that are allowed to do transfers and recursion. I restarted named but it had no effect.

Can you tell me what I am doing wrong?

Hope you can help me out.

Kind Regards
Netaffairs

Kerem ERSOY (President) Commented:
You need to change /etc/named.conf. If you don't have an options section in your named.conf, well, this is the reason why intodns complains about your site :)

Please back up the file before modifying it. Then add these to the top:

acl "goodfellas" {
        192.168.0.0/24;
        172.16.2.0/24;
        x.x.x.x/24;
};

acl "secondaries" { none; };   // "none" is the built-in empty match list

options {
        version "SbNamed";
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";

        allow-transfer { secondaries; };

        allow-recursion { goodfellas; };
};

logging {
        category lame-servers { null; };
        category client { null; };

        channel default_syslog {
                syslog daemon;
                severity info;
        };
};

include "/etc/rndc.key";


Please note that when you add these lines, there will be no secondaries allowed. So if you have a secondary DNS, don't forget to add its address to the secondaries ACL; otherwise it will not allow secondary name transfers, i.e. AXFR transfers.

0
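To see from the outside what intodns sees, here is an added example (not code from the thread, from BIND or from intodns) that sends a raw DNS query with the RD bit set and classifies the reply from the header alone: a server that recursed for you answers NOERROR with RA set and an answer record; a server applying allow-recursion against you answers REFUSED (rcode 5) with RA clear. The probe name www.example.com, the transaction ID and the sample packets are constructed for the example; run it from an address outside the goodfellas ranges to confirm the restriction, and from inside to confirm customers still get recursion.

```python
"""Probe a nameserver for open recursion, as intodns does.

Added example, not code from the thread or from BIND. It sends a raw DNS
query with RD (recursion desired) set and reads the response header: a server
that recursed for us answers NOERROR with RA set and at least one answer; one
that applies allow-recursion against us answers REFUSED (rcode 5) with RA
clear. The probe name and the sample packets below are constructed.
"""
import socket
import struct
import sys

PROBE_NAME = "www.example.com"   # assumed: a name the target is NOT authoritative for
TXID = 0x1234
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(qname: str, txid: int = TXID, qtype: int = 1) -> bytes:
    """Wire-format query: header with RD=1, one question, QTYPE qtype, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header into the flags that matter for this check."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response bit
        "aa": bool(flags & 0x0400),   # authoritative answer
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(resp: bytes, txid: int = TXID) -> str:
    """Return 'open', 'closed' or 'inconclusive' for a raw response to our probe."""
    h = parse_header(resp)
    if h["id"] != txid or not h["qr"]:
        return "inconclusive"   # not a reply to our query
    if h["aa"]:
        return "inconclusive"   # target is authoritative for the probe name; pick another
    if h["rcode"] == 5:
        return "closed"         # REFUSED: allow-recursion denied this client
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open"           # it recursed on our behalf
    if not h["ra"]:
        return "closed"         # recursion not offered to us at all
    return "inconclusive"


def probe(server: str, port: int = 53, timeout: float = 3.0) -> str:
    """Send the probe over UDP and classify the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(PROBE_NAME), (server, port))
        resp, _ = sock.recvfrom(4096)
    return classify(resp)


# Constructed responses for offline use (header only; the body is irrelevant here).
SAMPLE_OPEN = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)     # QR RD RA, NOERROR, 1 answer
SAMPLE_REFUSED = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0)  # QR RD, REFUSED
SAMPLE_AUTH = struct.pack("!HHHHHH", TXID, 0x8400, 1, 1, 0, 0)     # QR AA: wrong probe name

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}: recursion {probe(target)}")
```

Usage: `python3 probe_recursion.py ns1.example.net` (file name assumed). Because a single probe is judged by the header only, an "inconclusive" result usually means the probe name is one the server is authoritative for; change PROBE_NAME to a name outside your zones.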
 
qdog69 Commented:
I use a similar setup and the only differences I see are:

You have quotes around "range", and my options statement is below the acl statement. I would give those a try and see what happens.
0
 
Netaffairs (Author) Commented:
That didn't help. Maybe I am using the wrong named.conf. I see 2 named.conf files:
/etc/named.conf (all domains and db file locations)
/var/named/chroot/etc/named.conf (the file above)
0
 
Kerem ERSOY (President) Commented:
What do you expect to happen and what happens?

Does this respond to recursive queries over the local console?

Does it respond to other hosts?

0
 
Kerem ERSOY (President) Commented:
In fact your named.conf is very detailed; you don't need that much detail. I'm sending you a sample file; use it instead:


options {
	directory       "/conf";
	pid-file        "/var/run/named.pid";
	statistics-file "/var/run/named.stats";
	dump-file       "/var/run/named.db";
 
	# hide our "real" version number
	version         "[secured]";
};
 
# The root nameservers
zone "." {
	type   hint;
	file   "db.rootcache";
};
 
# localhost - forward zone
zone	"localhost" {
	type    master;
	file   "db.localhost";
	notify  no;
};
 
# localhost - inverse zone
zone    "0.0.127.in-addr.arpa" {
	type   master;
	file   "db.127.0.0";
	notify no;
};

0
 
Kerem ERSOY (President) Commented:
Contents of the files are as follows:

The contents of db.localhost:
;
; db.localhost
;
$TTL    86400

@       IN SOA   @ root (
                        42              ; serial (d. adams)
                        3H              ; refresh
                        15M             ; retry
                        1W              ; expiry
                        1D )            ; minimum

        IN NS        @
        IN A         127.0.0.1


The contents of db.127.0.0:

;
; db.127.0.0
;
$TTL    86400
@       IN      SOA     localhost. root.localhost.  (
                            1 ; Serial
                            28800      ; Refresh
                            14400      ; Retry
                            3600000    ; Expire
                            86400 )    ; Minimum
        IN      NS      localhost.
1       IN      PTR     localhost.
0
 
Netaffairs (Author) Commented:
Hello KeremE,

Thanks for the reply. I want to allow recursion and transfer to local IPs and some public IPs (customers); that's why I use an ACL. When I do a DNS check from, for example, http://www.intodns.com/ I don't want them to do recursive queries.

Hope you can help me out.
0
 
Kerem ERSOY (President) Commented:
You can use your named.ca instead of the db.rootcache file. Or, better, get a fresh copy from:

ftp://ftp.internic.net/domain/named.root

0
 
Kerem ERSOY (President) Commented:
Ok. Please find the named.conf with ACL added.



acl "goodfellas" {
        192.168.0.0/24;
        172.16.2.0/24;
        x.x.x.x/24;
};
 
 
options {
        directory       "/conf";
        pid-file        "/var/run/named.pid";
        statistics-file "/var/run/named.stats";
        dump-file       "/var/run/named.db";
 
        # hide our "real" version number
        version         "[secured]";
        allow-transfer { none; };   // "none" is the built-in empty match list
 
        allow-recursion { goodfellas; };
};
 
# The root nameservers
zone "." {
        type   hint;
        file   "db.rootcache";
};
 
# localhost - forward zone
zone    "localhost" {
        type    master;
        file   "db.localhost";
        notify  no;
};
 
# localhost - inverse zone
zone    "0.0.127.in-addr.arpa" {
        type   master;
        file   "db.127.0.0";
        notify no;
};

0
 
Netaffairs (Author) Commented:
OK, now I've got:
acl "goodfellas" {
        192.168.0.0/24;
        172.16.2.0/24;
        x.x.x.x/24;
};


options {
        directory "/var/named";
        allow-transfer { none; };
        allow-recursion { goodfellas; };
        version "named";

        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;



};

//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

But still no luck.
0
 
Kerem ERSOY (President) Commented:
I'm asking again: what do you want to accomplish?
How do you check it?
0
 
Netaffairs (Author) Commented:
I want to allow recursion and transfer to local IPs and some public IPs (customers); that's why I use an ACL. When I do a DNS check from, for example, http://www.intodns.com/ I don't want them to do recursive queries.
0
 
Kerem ERSOY (President) Commented:
If you're checking from outside, are you sure that the firewall allows DNS traffic on UDP 53 and TCP 53?
0
 
Kerem ERSOY (President) Commented:
Yeah, I got it, but what is the problem? Is it that intodns says you've got recursion allowed? Is your DNS not reachable from intodns at all?

What can intodns query from your site? Since it is a caching-only name server, it is natural that it is not listed as an authoritative server for any domain. In this case, what could intodns check on your caching-only nameserver?

0
 
Netaffairs (Author) Commented:
Yes, otherwise I can't use the DNS server from the outside.
0
 
Kerem ERSOY (President) Commented:
How can people discover that your caching-only DNS is even there, while it is not authoritative and no domain is pointing to it? The only way for anyone to discover that you're running a DNS server is to scan ports and find that you have DNS.
0
 
Netaffairs (Author) Commented:
Yes, intodns says I allow recursion from everywhere. This is what I get:
I could use the nameservers listed below to perform recursive queries. It may be that I am wrong but the chances of that are low. You should not have nameservers that allow recursive queries as this will allow almost anyone to use your nameservers and can cause problems.
0
 
Kerem ERSOY (President) Commented:
I guess we have a problem here:
- intodns is for checking authoritative domain servers. The problem with authoritative domain servers is that they serve a domain (not caching only). Since they serve at least one domain, people would know about them as soon as they check the whois record. It lists the authoritative DNS server. Then people can use this DNS for their recursive queries.
- In your case the DNS is only a caching-only DNS, not serving any domain, so no domain should be pointing at it. So nobody can discover that this server serves DNS unless they are doing a port scan.
- Since it is not an authoritative DNS there's no way to get it checked by intodns, and even if you did you'd get an error for every item that intodns checks.
- Under these circumstances, I believe the configuration I've sent should be sufficient to allow only the required people to use it. Whereas I don't quite get it: since it is only a caching-only DNS it must be placed on the intranet, and what is the use of an ACL in this sense? Do you use it to allow access to some IP range and keep others from resolving, and hence browsing, from the internet?
- In this case, are you sure that the firewall running on this server does not block the DNS traffic?
- What is not running as you expected?
- How do you know that it does not work?

0
 
Kerem ERSOY (President) Commented:
> Yes, intodns says I allow recursion from everywhere. This is what I get:
> I could use the nameservers listed below to perform recursive queries. It may be that I am wrong but
> the chances of that are low. You should not have nameservers that allow recursive queries as this will
> allow almost anyone to use your nameservers and can cause problems.

Yeah, one's nameservers should not be allowed to do recursion for people who are not corporate employees. But what I'm telling you is: the DNS that you're trying to set up is not authoritative for any domain.
Since it is not an authoritative server, I doubt that the server intodns queries is the server you've just set up.
0
 
Netaffairs (Author) Commented:
I don't know what you mean. My DNS servers are authoritative for 3000 domains. I test my DNS servers at intodns with a domain that my DNS is authoritative for.
0
 
Kerem ERSOY (President) Commented:
@Netaffairs:

> I don't know what you mean. My DNS servers are authoritative for 3000 domains. I test my DNS servers at
> intodns with a domain that my DNS is authoritative for.

OK, where are the zone files for your DNS server then? The DNS server we're working on here is "caching only" = not serving any domain. Then how can you possibly be testing this server with intodns?

As you know, when you register a domain you also register the authoritative domain servers for it. If you're registering the example.com domain you point at least two DNS servers such as dns.something.net and dns2.something.net. From that moment on, if anyone wants to find www.example.com they need to come and ask the address from one of dns.something.com or dns2.something.com. So when you want to test a domain with intodns.com, you just fill in the form located on www.intodns.com and specify what domain you want to check. Only after that does intodns query and find the nameservers for your domain (dns.something.com and dns2.something.com). Then it performs tests on them and publishes the results.

So if you want any DNS server to be tested by intodns, the first thing to do is to list this DNS server in the authoritative domain servers list of the domain. But since the DNS server you're asking about is not an authoritative DNS, how can you possibly test it with intodns?
0
 
Kerem ERSOY (President) Commented:
If we were to list the DNS server above for a domain name called example.com and then applied for a test of example.com at intodns, then recursion would not be the only error there, because the DNS did not contain any authoritative data (= zone file) for the domain in question. So it seems that you have other DNS servers serving these 3000 domains. They are separate from the DNS server you run in the example above. Then are you applying the same settings to your live DNS as well? How do you know that it does not work?
0
 
Netaffairs (Author) Commented:
In the directory /var/named/ I see all the db files containing the DNS data for our domains. I said in a post before that I've got 2 named.conf files:
/etc/named.conf (all domains and db file locations)
/var/named/chroot/etc/named.conf (the file above)

Which one do I need?
0
 
Kerem ERSOY (President) Commented:
Normally /etc/named.conf must be a symbolic link to /var/named/chroot/etc/named.conf. It should look like this:

# ls -al named.conf
lrwxrwxrwx  1 root root 32 Apr 30 04:19 named.conf -> /var/named/chroot/etc/named.conf

But I understand that it is not a link anymore, and thank God it is not! Because the files you've provided here, and that I'd suggested you use, would cause your nameserver to turn into a caching-only nameserver with no authoritative domains!!!

So please don't use your production system for such experiments.
Will you please run ls -al on both files and post the output here?
0
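The question of which named.conf the daemon actually opens decides whether an edit has any effect at all, so here is an added example (not from the thread or from BIND) that derives the live config path from named's own command line. It relies on the documented behaviour of the `-t` option (named chroots before opening its config, so a `-c` path is interpreted inside the chroot); the fallback path /etc/named.conf when no `-c` is given is an assumption about the package's compile-time default, which `named -V` reports for your build.

```python
"""Work out which named.conf a running named actually reads.

Added example, not from the thread or from BIND. named's -t option chroots
the process before the config is opened, so -c paths are interpreted inside
the chroot: "-t /var/named/chroot -c /etc/named.conf" means the host file
/var/named/chroot/etc/named.conf. The fallback when no -c is given is
assumed to be /etc/named.conf (compile-time default on common packages;
check `named -V` for yours).

Feed it the argv of the running daemon, e.g. the output of:
    ps -o args= -C named
"""
import os
import shlex
from typing import Optional

DEFAULT_CONF = "/etc/named.conf"   # assumption: package default, see named -V


def effective_named_conf(cmdline: str, default_conf: str = DEFAULT_CONF) -> str:
    """Return the host-side path of the config file named opens, given its argv."""
    args = shlex.split(cmdline)
    chroot: Optional[str] = None
    conf = default_conf
    i = 1                                   # args[0] is the binary
    while i < len(args):
        opt = args[i]
        if opt in ("-t", "-c"):             # separated form: -t /dir
            if i + 1 >= len(args):
                raise ValueError(f"{opt} given without a value")
            value = args[i + 1]
            i += 2
        elif opt.startswith(("-t", "-c")) and len(opt) > 2:
            value = opt[2:]                 # joined form: -t/dir
            opt = opt[:2]
            i += 1
        else:
            i += 1                          # -u named, -4, etc.: irrelevant here
            continue
        if opt == "-t":
            chroot = value
        else:
            conf = value
    if chroot is None:
        return os.path.normpath(conf)
    # Inside the chroot the path is relative to the new root, so strip the
    # leading slash before joining; normpath collapses "chroot//etc".
    return os.path.normpath(os.path.join(chroot, conf.lstrip("/")))


def stale_copy_warning(edited: str, cmdline: str) -> Optional[str]:
    """Explain a no-effect edit: the file changed is not the one named loads."""
    live = effective_named_conf(cmdline)
    if os.path.normpath(edited) == live:
        return None
    return f"named reads {live}, not {edited}; your edit is not loaded"


if __name__ == "__main__":
    import sys
    # Typical call: ps -o args= -C named | python3 which_named_conf.py /path/you/edited
    cmdline = sys.stdin.readline().strip()
    edited = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CONF
    print(stale_copy_warning(edited, cmdline) or f"{edited} is the live config")
```

On a host where named runs without `-t`, this confirms that the 221 KB /etc/named.conf is the live file and the copy under /var/named/chroot is inert; if named does run with `-t /var/named/chroot`, the relationship is reversed.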
 
Netaffairs (Author) Commented:
I think I see where it is going wrong:
-rw-r--r--  1 root root  221498 May 11 12:05 named.conf
lrwxrwxrwx  1 root named     33 Dec 14  2007 named.conf.bak -> /var/named/chroot//etc/named.conf
-rw-r--r-- 1 root named 1464 May 12 15:08 /var/named/chroot/etc/named.conf
0
 
Kerem ERSOY (President) Commented:
Oh yeah
:)

Please back up the named.conf file as named.conf.current before proceeding. Since you've told me you have nearly 3000 zones in the file, be extremely cautious!!!!
- First of all, check if any of these 3000 zones have secondaries.
- Then create an ACL for secondaries too.
- Now add it; it should read like this:

acl "goodfellas" {
        192.168.0.0/24;
        172.16.2.0/24;
        x.x.x.x/24;
};

acl "secondaries" { none; };   // "none" is the built-in empty match list; put your secondaries here

options {
       .
       .
        allow-transfer {
                secondaries; };
        allow-recursion {
                goodfellas; };

       .
       .
        version "DNS-VER";
};
0
 
Kerem ERSOY (President) Commented:
Don't forget to find out and populate your secondaries ACL, or you might cause some problems if you have secondaries located outside. You might like to check what secondary transfers took place from the logs too. To check this, use:

grep AXFR /var/log/messages

If you have secondaries, you should get some records similar to this:
May 12 05:19:45 host named[3259]: client x.x.x.x#45990: transfer of 'example.com/IN': AXFR-style IXFR started
..
.
.
0
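The two steps above (find the zones that have secondaries, then build the secondaries ACL) can be done from the log lines the grep returns. The following is an added example, not code from the thread or from BIND: it parses transfer-start lines in the format quoted above, groups them by client address, and renders the acl block. The log lines are constructed with documentation IP ranges; the tolerance for the pointer and query name that newer BIND 9 releases add to the client field is an assumption about their log format, not something the thread shows.

```python
"""Build the "secondaries" ACL from BIND's transfer log lines.

Added example, not from the thread or from BIND. Before restricting
allow-transfer, list the hosts that actually pulled zones. The lines below are
constructed to match the format quoted in the thread; newer BIND versions
prefix the client with a pointer and append the query name, which the regex
tolerates (assumption based on BIND 9.11+ log output).
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Set

TRANSFER_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"transfer of '(?P<zone>[^']+)/IN': (?:AXFR|AXFR-style IXFR|IXFR) started"
)

# Constructed sample of /var/log/messages; addresses are documentation ranges.
# The fourth line is an ordinary query and must not be counted as a transfer.
SAMPLE_LOG = """\
May 12 05:19:45 host named[3259]: client 203.0.113.10#45990: transfer of 'example.com/IN': AXFR-style IXFR started
May 12 05:19:46 host named[3259]: client 203.0.113.10#45991: transfer of 'example.net/IN': AXFR started
May 12 05:20:01 host named[3259]: client 198.51.100.7#51234: transfer of 'example.org/IN': AXFR started
May 12 05:20:02 host named[3259]: client 192.168.0.5#40001: query: www.example.com IN A + (192.168.0.1)
May 12 05:21:10 host named[3259]: client 203.0.113.10#45992: transfer of 'example.com/IN': IXFR started
"""


def transfers_by_client(log_text: str) -> Dict[str, Set[str]]:
    """Map each client that started a zone transfer to the zones it pulled."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = TRANSFER_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("zone"))
    return dict(seen)


def secondaries_acl(log_text: str, extra: Iterable[str] = ()) -> str:
    """Render the acl block from the log plus any addresses you know of.

    With no clients it emits { none; }: "none" is BIND's built-in empty match
    list, whereas "null" is not a built-in ACL name.
    """
    clients = sorted(set(transfers_by_client(log_text)) | set(extra))
    if not clients:
        return 'acl "secondaries" { none; };'
    body = "\n".join(f"        {ip};" for ip in clients)
    return f'acl "secondaries" {{\n{body}\n}};'


if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for ip, zones in sorted(transfers_by_client(text).items()):
        print(f"{ip}: {', '.join(sorted(zones))}")
    print(secondaries_acl(text))
```

Usage: `grep 'transfer of' /var/log/messages | python3 secondaries_acl.py` (file name assumed); check the printed zone list against what each secondary is supposed to hold before pasting the acl block into named.conf, since a stranger who pulled a zone while transfers were open shows up here too.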
 
Netaffairs (Author) Commented:
To which file do I have to make these changes? To /etc/named.conf or to /var/named/chroot/etc/named.conf?

In the file /etc/named.conf I only see a long list of zone/db file locations.
0