linux dns server

Dear Experts:

I have entered the below in named.conf.local:

controls {
        inet 127.0.0.1 port 953
                allow {127.0.0.1; 192.168.1.0/24; 192.168.11.0/24; } keys { "rndc-key"; };
};



My network is 192.168.1.0 and the DNS server is 192.168.1.244. Now we are on MPLS, hence one spoke location workstation has been assigned 192.168.11.5 with DNS of 192.168.1.244. It is also able to resolve internal names, but when 11.5 tries for internet DNS it is not getting resolved for 192.168.11.5; connection refused from 192.168.1.244.

Please help to resolve this
D_wathiAsked:

TobiasCommented:
Dear,

What's the value of listen-on in your config?

Could you attach the whole config ?

Thanks

Regards
0
D_wathiAuthor Commented:
Thanks for the reply; attached is the config:
namedconfiguration.txt
0
D_wathiAuthor Commented:
Please also find the attached named.conf.options:
namedconfoptions.txt
0
TobiasCommented:
Ok. There are a lot of things missing.

Could you please use this tutorial to help you configure the DNS?

Tutorial Bind9

EDIT : Ok !

Why is named.conf.options not included in the config?

Add this :

// Load options
include "/etc/bind/named.conf.options";
0
D_wathiAuthor Commented:
Thank you very much for the reply. When running rndc trace for the IP 192.168.11.5, I could find the below log:

Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#50027: query: www.searchqu.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#50027: query (cache) 'www.searchqu.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#49863: query: search.mywebsearch.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#49863: query (cache) 'search.mywebsearch.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#55663: query: rss.accuweather.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#55663: query (cache) 'rss.accuweather.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#51154: query: search.mywebsearch.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#51154: query (cache) 'search.mywebsearch.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#51899: query: www.searchqu.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#51899: query (cache) 'www.searchqu.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#64004: query: rss.accuweather.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#64004: query (cache) 'rss.accuweather.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#64117: query: search.mywebsearch.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#64117: query (cache) 'search.mywebsearch.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#56631: query: www.searchqu.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#56631: query (cache) 'www.searchqu.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#64006: query: search.mywebsearch.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#64006: query (cache) 'search.mywebsearch.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#53092: query: www.searchqu.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#53092: query (cache) 'www.searchqu.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#59725: query: search.mywebsearch.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#59725: query (cache) 'search.mywebsearch.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#58578: query: rss.accuweather.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#58578: query (cache) 'rss.accuweather.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#57398: query: www.searchqu.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#57398: query (cache) 'www.searchqu.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#64007: query: rss.accuweather.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#64007: query (cache) 'rss.accuweather.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#65323: query: search.mywebsearch.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#65323: query (cache) 'search.mywebsearch.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#57228: query: www.searchqu.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#57228: query (cache) 'www.searchqu.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#60017: query: rss.accuweather.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#60017: query (cache) 'rss.accuweather.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#57704: query: search.mywebsearch.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#57704: query (cache) 'search.mywebsearch.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#54680: query: www.searchqu.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#54680: query (cache) 'www.searchqu.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#64012: query: www.searchqu.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#64012: query (cache) 'www.searchqu.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#54625: query: search.mywebsearch.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#54625: query (cache) 'search.mywebsearch.com/A/IN' denied
0
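The log above is the usual way to see this problem: for each client packet, named writes a `query: NAME IN TYPE + (SERVER)` line (the `+` means the client asked for recursion, the address in parentheses is the server interface that received it) and, when the client is rejected by allow-query-cache, a `query (cache) 'NAME/TYPE/IN' denied` line. The script below is an added example, not code from the thread or from BIND: it parses those two line shapes, counts denials per client, and splits denied clients into those that sit inside the networks the server is meant to serve (so the ACL is wrong) and those outside them (so the denial is doing its job). The sample log is constructed from the posted lines; the 192.168.1.50 and 10.9.8.7 clients are invented, as is the list of intended networks.

```python
import ipaddress
import re
from collections import defaultdict

# The two query-log line shapes named writes, as seen in the post:
#   client A.B.C.D#port: query: NAME IN TYPE + (SERVER)
#   client A.B.C.D#port: query (cache) 'NAME/TYPE/IN' denied
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")
DENIED_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query \(cache\) '(?P<name>[^/]+)/(?P<type>[^/]+)/IN' denied"
)

# Constructed sample log modelled on the posted lines. 192.168.1.50 (hub LAN,
# answered normally) and 10.9.8.7 (not an intended client) are invented.
SAMPLE_LOG = """\
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#50027: query: www.searchqu.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#50027: query (cache) 'www.searchqu.com/A/IN' denied
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#55663: query: rss.accuweather.com IN A + (192.168.1.244)
Mar 27 18:12:09 lampsrv named[13214]: client 192.168.11.5#55663: query (cache) 'rss.accuweather.com/A/IN' denied
Mar 27 18:12:10 lampsrv named[13214]: client 192.168.1.50#40112: query: rss.accuweather.com IN A + (192.168.1.244)
Mar 27 18:12:10 lampsrv named[13214]: client 10.9.8.7#51234: query: example.org IN A + (192.168.1.244)
Mar 27 18:12:10 lampsrv named[13214]: client 10.9.8.7#51234: query (cache) 'example.org/A/IN' denied
"""


def parse_denials(log_text):
    """Return {client_ip: {"queries": n, "denied": n, "names": set_of_denied_names}}."""
    stats = defaultdict(lambda: {"queries": 0, "denied": 0, "names": set()})
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            stats[m["ip"]]["queries"] += 1
            continue
        m = DENIED_RE.search(line)
        if m:
            stats[m["ip"]]["denied"] += 1
            stats[m["ip"]]["names"].add(m["name"])
    return dict(stats)


def classify(stats, intended_nets):
    """Split denied clients by whether they fall inside the networks the
    resolver is supposed to serve: inside means the ACL is misconfigured,
    outside means the denial is the expected behaviour."""
    nets = [ipaddress.ip_network(n) for n in intended_nets]
    result = {"misconfigured": [], "unexpected": []}
    for ip, s in sorted(stats.items()):
        if s["denied"] == 0:
            continue
        addr = ipaddress.ip_address(ip)
        bucket = "misconfigured" if any(addr in n for n in nets) else "unexpected"
        result[bucket].append(ip)
    return result


if __name__ == "__main__":
    stats = parse_denials(SAMPLE_LOG)
    for ip, s in sorted(stats.items()):
        print(f"{ip}: {s['queries']} queries, {s['denied']} denied, names={sorted(s['names'])}")
    # Intended networks are an assumption: hub LAN plus the one spoke in the post.
    print(classify(stats, ["192.168.1.0/24", "192.168.11.0/24"]))
```

On a real server, query logging is toggled with `rndc querylog` (the author's `rndc trace` raises the debug level instead, which also works but is noisier), and the lines land wherever the `queries` logging category is sent.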
TobiasCommented:
Dear,

You should add something like this in named.conf:

allow-query {192.168.1.0/24; 192.168.11.0/24; };
allow-query-cache {192.168.1.0/24; 192.168.11.0/24;};
0
D_wathiAuthor Commented:
Sir thank you very much

I have changed named.conf.options like the below:

acl "myaddresses" { 192.168.1.0/24; };
acl "spokes" { 192.168.11.0/24; 192.168.12.0/24; 192.168.13.0/24; 192.168.14.0/24; 192.168.15.0/24; 192.168.16.0/24; 192.168.17.0/24; 192.168.18.0/24; 192.168.19.0/24; 192.168.20.0/24; 192.168.21.0/24; 192.168.22.0/24; 192.168.23.0/24; 192.168.24.0/24; 192.168.25.0/24; };
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

//      query-source address * port 53;
        listen-on {localhost; myaddresses; spokes; };
allow-query { localhost; myaddresses; spokes;};
allow-query-cache {localhost; myaddresses; spokes;};

         forwarders {
                202.56.230.6;
                8.8.8.8;
         };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
------------------------------------------------------ end---------------------------


Also please let me know whether the below mentioned controls statement in named.conf.local is correct. Is it required to add all the spoke location networks which are going to use this DNS (11.0/24, 12.0/24 ... 25.0/24), like the below?

controls {
        inet 127.0.0.1 port 953
                allow {127.0.0.1; 192.168.1.0/24; 192.168.11.0/24; 192.168.12.0/24;  } keys { "rndc-key"; };
};


--------------------------
Please help by checking the above two files
1. named.conf.options  # acl declaration
2. named.conf.local  # controls statement

Thanks in advance.
0
D_wathiAuthor Commented:
this is in continuation of the previous post,

Can I use the controls statement like the below:

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; myaddresses; spokes; } keys { "rndc-key"; };
};

My doubt is: 127.0.0.1 is already defined, so is it still required to define myaddresses (this is the ACL declared in named.conf.options, as posted below)?
--------------------------named.conf.options--------------------------
acl "myaddresses" { 192.168.1.0/24; };
acl "spokes" { 192.168.11.0/24; 192.168.12.0/24; 192.168.13.0/24; 192.168.14.0/24; 192.168.15.0/24; 192.168.16.0/24; 192.168.17.0/24; 192.168.18.0/24; 192.168.19.0/24; 192.168.20.0/24; 192.168.21.0/24; 192.168.22.0/24; 192.168.23.0/24; 192.168.24.0/24; 192.168.25.0/24; };

please suggest
0
D_wathiAuthor Commented:
I think defining only the localhost like the below would suffice, as key updates happen with localhost; please correct me if I am wrong.

controls {
        inet 127.0.0.1 port 953
                allow {127.0.0.1; } keys { "rndc-key"; };
};
0
PapertripCommented:
I think defining only the localhost like the below would suffice, as key updates happen with localhost; please correct me if I am wrong.

controls {
        inet 127.0.0.1 port 953
                allow {127.0.0.1; } keys { "rndc-key"; };
};

The controls clause is not associated with any sort of zone updates, if that is what you are thinking; your question is a bit unclear. The controls clause allow statement should include any servers/ACLs/etc. to which you want to give remote access to the server, mainly the rndc command.

Check out http://www.zytrax.com/books/dns/ch7/controls.html for more info on that option.
0
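Two things in this thread can be checked mechanically rather than by eye: the denial that Tobias's answer fixes (BIND 9 with no allow-query-cache, allow-recursion or allow-query statement falls back to its built-in default of localnets plus localhost, and 192.168.11.0/24 is not a network attached to a server on 192.168.1.244/24, so the spoke client was refused recursion), and the controls question Papertrip answers (the allow list filters the source address of rndc connections to the listening socket, so with `inet 127.0.0.1` the 192.168.x.0/24 entries can never match and only 127.0.0.1 is needed). The script below is an added example, not code from the thread or from BIND: a deliberately simplified regex parser for the fragment shapes posted here (no nested braces, no comments, no views) that evaluates an address against the effective cache ACL with BIND's first-match semantics, flags an open resolver (recursion granted to an arbitrary Internet address, which would make the server usable for reflection/amplification), and lists controls entries that are dead because the control socket is bound to loopback. The two configs are constructed from the posted fragments with the spoke list shortened.

```python
import ipaddress
import re

# Simplified parser for the named.conf fragments posted in this thread; it is
# not a general named.conf parser (no nested braces, comments or views).
ACL_RE = re.compile(r'\bacl\s+"?([\w-]+)"?\s*\{([^}]*)\}\s*;')
OPT_RE = re.compile(r'\b(allow-query-cache|allow-query|allow-recursion)\s*\{([^}]*)\}\s*;')
CTRL_RE = re.compile(r'\bcontrols\s*\{\s*inet\s+(\S+)\s+port\s+(\d+)\s+allow\s*\{([^}]*)\}'
                     r'\s*keys\s*\{[^}]*\}\s*;\s*\}\s*;')
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def elements(body):
    """Split an address_match_list body into its ';'-separated elements."""
    return [e.strip() for e in body.split(";") if e.strip()]


class NamedConf:
    def __init__(self, text, server_ifaces):
        self.acls = {n: elements(b) for n, b in ACL_RE.findall(text)}
        self.opts = {n: elements(b) for n, b in OPT_RE.findall(text)}
        ifaces = [ipaddress.ip_interface(i) for i in server_ifaces]
        # BIND's built-in ACLs: localhost is the server's own addresses,
        # localnets is the networks directly attached to its interfaces.
        self.acls["localhost"] = [str(i.ip) for i in ifaces] + ["127.0.0.0/8"]
        self.acls["localnets"] = [str(i.network) for i in ifaces]
        m = CTRL_RE.search(text)
        self.ctrl = (ipaddress.ip_address(m.group(1)), elements(m.group(3))) if m else None

    def match(self, addr, elems, seen=()):
        """BIND address_match_list semantics: first matching element wins,
        a leading '!' negates. Returns True (allow), False (deny) or None."""
        for e in elems:
            neg = e.startswith("!")
            tok = e.lstrip("!").strip().strip('"')
            if tok == "any":
                hit = True
            elif tok == "none":
                hit = False
            elif tok in self.acls and tok not in seen:
                hit = self.match(addr, self.acls[tok], seen + (tok,)) is True
            else:
                hit = addr in ipaddress.ip_network(tok, strict=False)
            if hit:
                return not neg
        return None

    def effective_cache_acl(self):
        """BIND 9 falls back from allow-query-cache to allow-recursion to
        allow-query, then to the built-in default (with 'recursion yes')."""
        for key in ("allow-query-cache", "allow-recursion", "allow-query"):
            if key in self.opts:
                return key, self.opts[key]
        return "default", ["localnets", "localhost"]

    def cache_allowed(self, ip):
        return self.match(ipaddress.ip_address(ip), self.effective_cache_acl()[1]) is True

    def is_open_resolver(self):
        # Would an arbitrary Internet address (TEST-NET-3) be given recursion?
        return self.cache_allowed("203.0.113.9")

    def expand(self, tok, seen=()):
        """Flatten an element into concrete networks, following ACL names."""
        tok = tok.lstrip("!").strip().strip('"')
        if tok in ("any", "none"):
            return []
        if tok in self.acls and tok not in seen:
            return [n for t in self.acls[tok] for n in self.expand(t, seen + (tok,))]
        return [ipaddress.ip_network(tok, strict=False)]

    def dead_control_entries(self):
        """controls { allow } filters the *source* address of rndc clients; a
        socket bound to loopback is reachable only from loopback sources."""
        if self.ctrl is None or not self.ctrl[0].is_loopback:
            return []
        return [e for e in self.ctrl[1] if e.strip('"') != "any"
                and not any(n.overlaps(LOOPBACK) for n in self.expand(e))]


# Constructed configs modelled on the thread; the server is 192.168.1.244/24.
# BEFORE has no allow-* statements, so BIND's default cache ACL applies.
BEFORE = """
options { directory "/var/cache/bind"; };
controls {
        inet 127.0.0.1 port 953
                allow {127.0.0.1; 192.168.1.0/24; 192.168.11.0/24; } keys { "rndc-key"; };
};
"""
AFTER = """
acl "myaddresses" { 192.168.1.0/24; };
acl "spokes" { 192.168.11.0/24; 192.168.12.0/24; };
options {
        directory "/var/cache/bind";
        allow-query { localhost; myaddresses; spokes; };
        allow-query-cache { localhost; myaddresses; spokes; };
};
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        c = NamedConf(text, ["192.168.1.244/24"])
        print(label, c.effective_cache_acl()[0], "192.168.11.5 allowed:", c.cache_allowed("192.168.11.5"),
              "open resolver:", c.is_open_resolver(), "dead controls entries:", c.dead_control_entries())
```

Two practical notes. First, this only reasons about the text; on the real server validate with `named-checkconf /etc/bind/named.conf`, reload with `rndc reload`, and test from the spoke host with `dig @192.168.1.244 example.com` before and after. Second, `listen-on` selects which of the server's own interface addresses named binds to, so listing spoke networks there (as in the author's options) is inert; the client-facing control is allow-query-cache (or allow-recursion), and it should name the internal networks explicitly rather than `any`.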

D_wathiAuthor Commented:
Sir, thank you very much got it.
0