LinuxQuestions.org
Old 01-04-2007, 02:58 PM   #1
alexxxis
Member
 
Registered: Jun 2004
Distribution: Debian 3.1
Posts: 33

Rep: Reputation: 15
"dig mx" or "ping" not working because of bind9?


Hi all,

I am running a Debian 3.1 server remotely and I have
set up Bind9 successfully for my domains.

But "dig mx hotmail.com" or "ping google" on my local server does not work, e.g.
Code:
xyz:~# ping google.com
ping: unknown host google.com
I cannot edit the resolv.conf file,
not even using resolvconf. If I do it by hand
it changes itself back to the original.

# vi /etc/resolv.conf (symlink to /etc/resolvconf/run/resolv.conf)
Code:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
nameserver 206.251.228.22
nameserver 209.216.206.167
nameserver 206.251.228.24
search org
saman007uk has suggested adding forwarders in my
/etc/bind/named.conf.options and so I did, but
with no luck (it only worked initially while my
syntax was wrong and the bind server was broken,
so everything works fine when bind9 is stopped).

My config files follow.
Any help would be appreciated,
Alex




-----------------------------------------------------



/etc/bind/named.conf.options:

Code:
options {
        directory "/var/cache/bind";

        forwarders {
                206.251.228.22;
                206.251.228.24;
                209.216.206.167;
        };
        forward first;
        transfers-in 150;
        
        auth-nxdomain no;

        recursion no;
};


/etc/bind/named.conf:

Code:
include "/etc/bind/named.conf.options";

// prime the server with knowledge of the root servers
zone "." {
	type hint;
	file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};

// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };

include "/etc/bind/named.conf.local";

Last edited by alexxxis; 01-04-2007 at 03:20 PM.
 
Old 01-05-2007, 04:24 PM   #2
saman007uk
Member
 
Registered: Dec 2003
Location: ~root
Distribution: Debian
Posts: 363

Rep: Reputation: 32
I posted this in your other thread as well, but I think the following might fix it:

If your network interface is called eth0, then /etc/network/interfaces should have something like this:
Code:
auto eth0
iface eth0 inet static
        address x.x.x.x
        netmask x.x.x.x
        gateway x.x.x.x
        dns-nameservers [name-servers here, separated by a space]
        dns-search [your domain name]
Then, as root:
Code:
resolvconf -u
When changing network options, make sure they are correct - if wrong, you could lose access to your server from the net (unless you have some sort of serial console ...).
 
Old 01-06-2007, 02:02 PM   #3
alexxxis
Member
 
Registered: Jun 2004
Distribution: Debian 3.1
Posts: 33

Original Poster
Rep: Reputation: 15
The /etc/network/interfaces file appears to be fine;
it has all my nameservers and does not contain the
local address as a nameserver.

I managed to get the ping and dig mx working
by setting "recursion yes;" in the options clause.

I am not sure though if that is the right
way to go, since http://www.dnsreport.com,
when checking my server, gives me:

FAIL: Open DNS servers
ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

and suggests having recursion set to no

... so I think I need a different solution.
 
Old 01-06-2007, 03:45 PM   #4
alexxxis
Member
 
Registered: Jun 2004
Distribution: Debian 3.1
Posts: 33

Original Poster
Rep: Reputation: 15
I added:

Code:
//recursion no;
allow-recursion { 127.0.0.1; };
and it works perfectly,
no need to edit resolv.conf.

Thanks saman007uk,
Alex
 
Old 01-07-2007, 12:26 AM   #5
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 48
That solution will work, but the accepted way of doing it is to configure "views" within bind.

If your server only gives answers for the domain(s) you are authoritative for, your method will work. If however, you have client machines using this DNS box as their DNS, they won't be able to resolve things like google.com and yahoo.com, as they aren't coming from the localhost address of 127.0.0.1.

Basically, you make an ACL list based on IP of the machines that should be allowed to ask for any address, either one of yours, or one off the internet. If the client machine is within the ACL, it can ask for and get an answer to anything. If it isn't on the ACL, then it can only get answers for the sites your box is authoritative for. Here's an example -

Code:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind/README.Debian for information on the
// structure of BIND configuration files in Debian for BIND versions 8.2.1
// and later, *BEFORE* you customize this configuration file.
//
acl mydomain {A.B.C.D/20;
              E.F.G.H/28;
              I.J.K.L/27;
              L.M.N.O/32;
              127.0.0.1;
              };

options {
        directory "/var/cache/bind";
        fetch-glue      no;
        allow-query { any; };
        allow-recursion { mydomain;};
};
That allows any machine coming from the list in mydomain to get an answer to any question. That is accomplished with the allow-recursion { mydomain;}; line. The allow-query { any; }; line allows my server to give the IP addresses for mycompany.com and mail.mycompany as well as clientcompany1.org and clientcompany2.edu.

This will allow your machine to pass the open DNS test on dnsreport.com. You should be warned, however, that folks on the Bind mailing list blast that site often. They don't think it provides in-depth, accurate answers about the setup of your DNS box.

Peace,
JimBass
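A way to verify the outcome of posts #3 to #5 yourself, as an added shell example that is not from the thread: it classifies a dig response by its status and its "ra" flag, so you can confirm that only 127.0.0.1 (or the ACL'd clients) get recursive answers while outsiders are refused. The sample dig outputs are constructed, and `check_server` assumes dig from the dnsutils package is installed.

```shell
#!/bin/sh
# Added example (not from the thread): tell from a dig response whether a
# nameserver recursed for the client. Assumes `dig` (dnsutils) for the live
# check; the sample outputs at the bottom are constructed, not captured.

# classify_dig_output: reads dig output on stdin and prints one of
#   open-recursion    - status NOERROR with the "ra" (recursion available) flag
#   recursion-refused - status REFUSED, what allow-recursion { ... } gives
#                       to clients outside the ACL on recent BIND 9
#   no-recursion      - anything else without "ra" (e.g. a root referral)
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case " $flags " in
        *" ra "*) has_ra=1 ;;
        *)        has_ra=0 ;;
    esac
    if [ "$status" = "REFUSED" ]; then
        echo recursion-refused
    elif [ "$has_ra" -eq 1 ] && [ "$status" = "NOERROR" ]; then
        echo open-recursion
    else
        echo no-recursion
    fi
}

# check_server SERVER [NAME]: live query, with RD set (dig's default), for a
# name the server is not authoritative for. Expect open-recursion from
# 127.0.0.1 or an ACL'd client, and recursion-refused or no-recursion from
# anywhere else; open-recursion from outside means dnsreport's FAIL is real.
check_server() {
    dig @"$1" "${2:-google.com}" A +tries=1 +time=3 | classify_dig_output
}

# Constructed dig header/flags lines for offline use of classify_dig_output.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_REFERRAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0'

# Live use: ./check.sh 127.0.0.1   (then repeat from a host outside the ACL)
if [ -n "${1:-}" ]; then check_server "$@"; fi
```

Running it from localhost and again from an outside address shows the two different verdicts the allow-recursion ACL is supposed to produce.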