kamoteman2013
asked on
BIND CHROOT DNS errors
I am having errors on my BIND chrooted DNS environment, I have not yet deployed or implemented any form of DNS from Linux/UNIX except for Windows, but this is necessary in order for me to test TLS/certificate in our LDAP server . The only requirement I need is to be able to setup correctly a Master Name Server that would resolve my hosts inside the network(hostname to IP & IP to hostname). I am getting confused setting up the zones correctly, (including the named.conf) I just need help from all the expert DNS guys out there who could possibly help check and look into my configs as I am working in a very time constraint project that is killing me, since this takes a long time for me to nail down. any help would be appreciated. Thanks
initially I am having this error below:
=================
But then after scaling down little by little, errors thrown left 1 line
[root@localhost /]# service named configtest
/etc/named.conf:60: open: /var/named/chroot/etc/name d.root.hin ts: file not found
restarting named yielded the same result:
/etc/named.conf:60: open: /var/named/chroot/etc/name d.root.hin ts: file not found
[FAILED]
The funny thing is, this /var/named/chroot/etc/name d.root.hin ts path is existing and contains this named.root.hints file 100%, I just don't know where I missed..
And when I check /var/logs this is what I get:
My named.conf configuration:
Note: location of my named.conf
My named.conf file is obtained from /var/named/chroot/etc , everytime I modify it, I notice the main /etc/named.conf gets prompted as well, it seems that both this files share only the same configuration
initially I am having this error below:
zone localdomain/IN: loading master file localdomain.zone: file not found
localhost_resolver/localdomain/IN: file not found
zone localhost/IN: loading master file localhost.zone: file not found
localhost_resolver/localhost/IN: file not found
zone 0.0.127.in-addr.arpa/IN: loading master file named.local: file not found
localhost_resolver/0.0.127.in-addr.arpa/IN: file not found
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loading master file
named.ip6.local: file not found
localhost_resolver/0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: file
not found
zone 255.in-addr.arpa/IN: loading master file named.broadcast: file not found
localhost_resolver/255.in-addr.arpa/IN: file not found
zone 0.in-addr.arpa/IN: loading master file named.zero: file not found
localhost_resolver/0.in-addr.arpa/IN: file not found
zone my.internal.zone/IN: loading master file my.internal.zone.db: file not found
internal/my.internal.zone/IN: file not found
zone dns-srv/IN: loading master file dns-srv.db: file not found
internal/dns-srv/IN: file not found
zone my.external.zone/IN: loading master file my.external.zone.db: file not found
external/my.external.zone/IN: file not found
=================
But then after scaling down little by little, errors thrown left 1 line
[root@localhost /]# service named configtest
/etc/named.conf:60: open: /var/named/chroot/etc/name
restarting named yielded the same result:
/etc/named.conf:60: open: /var/named/chroot/etc/name
[FAILED]
The funny thing is, this /var/named/chroot/etc/name
And when I check /var/logs this is what I get:
Jan 9 01:58:00 dns-srv named[30094]: loading configuration: file not found
Jan 9 01:58:00 dns-srv named[30094]: exiting (due to fatal error)
Jan 9 01:58:09 dns-srv named: /etc/named.conf:60: open: /var/named/chroot/etc/named.root.hints: file not found
Jan 9 02:11:55 localhost named: /etc/named.conf:60: open: /var/named/chroot/etc/named.root.hints: file not found
My named.conf configuration:
Note: location of my named.conf
find . -name named.conf -print
./usr/share/doc/bind-9.3.6/sample/etc/named.conf
./usr/share/system-config-bind/profiles/default/named.conf
./usr/share/logwatch/default.conf/services/named.conf
./var/named/chroot/etc/named.conf
./etc/dbus-1/system.d/named.conf
./etc/named.conf
My named.conf file is obtained from /var/named/chroot/etc , everytime I modify it, I notice the main /etc/named.conf gets prompted as well, it seems that both this files share only the same configuration
//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
// file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
listen-on port 53 { 127.0.0.1; 192.168.40.129; };
#listen-on-v6 port 53 { ::1; };
// Those options should be used carefully because they disable port
// randomization
query-source port 53;
// query-source-v6 port 53;
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
pid-file "/var/run/named/named.pid";
dump-file "/var/named/da/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.0.0; };
};
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
* If all you want is a caching-only nameserver, then you need only define this view:
*/
match-clients { localhost; 192.168.0.0/24; };
match-destinations { localhost; 192.168.0.0/24; };
recursion yes;
# all views must contain the root hints zone:
include "/var/named/chroot/etc/named.root.hints";
/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* ONLY be served to localhost clients:
*/
include "/var/named/chroot/etc/named.rfc1912.zones";
};
view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
that connect via your directly attached LAN interfaces - "localnets" .
*/
match-clients { localnets; };
match-destinations { localnets; };
recursion yes;
// all views must contain the root hints zone:
include "/var/named/chroot/etc/named.root.hints";
// include "named.rfc1912.zones";
// you should not serve your rfc1912 names to non-localhost clients.
// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :
zone "my.internal.zone" {
type master;
file "my.internal.zone.db";
};
# zone "my.slave.internal.zone" {
# type slave;
# file "slaves/my.slave.internal.zone.db";
# masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
// put slave zones in the slaves/ directory so named can update them
# };
zone "dns-srv.zone" {
type master;
#allow-update { key ddns_key; };
#file "slaves/my.ddns.internal.zone.db";
file "dns-srv.zone";
// put dynamically updateable zones in the slaves/ directory so named can update them
};
};
#key ddns_key
#{
# algorithm hmac-md5;
# secret "use /usr/sbin/dns-keygen to generate TSIG keys";
#};
view "external"
{
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not on your directly attached LAN interface subnets:
*/
match-clients { any; };
match-destinations { any; };
recursion no;
// you'd probably want to deny recursion to external clients, so you don't
// end up providing free DNS service to all takers
allow-query-cache { none; };
// Disable lookups for any cached data and root hints
// all views must contain the root hints zone:
include "/var/named/chroot/etc/named.root.hints";
// These are your "authoritative" external zones, and would probably
// contain entries for just your web and mail servers:
# zone "my.external.zone" {
# type master;
# file "my.external.zone.db";
# };
};
Get it working without chroot first
ASKER
how do I do that exactly? I started without chroot originally but I never found any sample files and the named.conf was empty without chroot(where I copied sample files)
I could give you my DNS configs if you like. Do you need the ones that do dynamic DNS updating (including dhcpd.conf) or do you have only static IPs? Either way, my setup queries other DNS servers for anything other than local hosts.
ASKER
Thanks Duncan, I'm ok with that, but I don't know exactly what and whether I need DynDNS. I told my boss I am doing it inside a VM first before I make changes to the live server. But if anything helps to build a Master DNS and have all our servers resolved internally(hostname to IP & IP to hostname) I would appreciate it, since there is nothing hosted off the internet. I am not using static IP for my DNS VM since VM has its own built in DHCP where it obtains a range of Class C IP.
ASKER
Do you need my email address? or would you post it here Duncan? Thanks. I have sleepless nightmares because of this hehe
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks, I will do this right now and let you know the progress. I appreciate it
to be very clear with you... install one more pkg and run it
#system-config-bind
will rollout all the issues in case your system has connectivity to internet.
TY/SA
#system-config-bind
will rollout all the issues in case your system has connectivity to internet.
TY/SA
ASKER
I managed to get it up and running, Thanks for your Help Duncan & Sandeep, I appreciate it.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thanks all