Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have a CentOS 4.4 server running bind. I will have windows and nix clients running in a closed environment. DNS is necesary for security and the applications we are using. I got everything setup using http://www.tldp.org/HOWTO/DNS-HOWTO-5.html .
I can do a NSLookup from the DNS Server and query itself (localhost and hostname). I am unalbe to query the windows box we have as a test. I can't ping the hostname either. From the windows box i can ping the nameserver and it resolves the address. From the windows box when i do an NSLOOKUP of the dns serveri get this:
Code:
c:\>nslookup
*** Can't find server name for address 192.168.0.13: non-existent domain
*** Default servers are not available
Default Server: Unknown
Address: 192.168.0.13
> ten-pres-file
Server: Unknown
Address: 192.168.0.13
Name: ten-pres-file.presidio.rms
Address: 192.168.0.13
So my problem is am not sure if DNS is fully functional and how do i make it so the clients Nix/windows can update DNS automatically? And does my named.conf look ok for what i am doing? Also how does the zone file get incremented automatically? I have been changing it myself everytime I would edit it
Here is my named.conf
Code:
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
allow-query { 192.168.0.0/24; localhost;};
allow-recursion { 192.168.0.0/24; localhost;};
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
//
// This line disables any queries for domains you don't own
// except from your internal or local machines.
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
key "rndckey" {
algorithm hmac-md5;
secret "SECRET";
};
//
//ZONE Entries
//
//zone "." IN {
// type hint;
// file "named.ca";
//};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "127.0.0";
};
zone "presidio.rms" IN {
type master;
notify no;
file "presidio.rms";
allow-update { 192.168.0.0/24; };
};
zone "0.168.192.in-addr.arpa" IN {
type master;
notify no;
file "192.168.0";
allow-update { 192.168.0.0/24; };
};
Here is a zone file:
Code:
;
; Zone file for presidio.rms
;
; The full zone file
;
$TTL 3D
@ IN SOA ten-pres-file.presidio.rms. hostmaster.presidio.rms. (
2007051001 ; serial, todays date + todays serial #
8H ; refresh, seconds
2H ; retry, seconds
4W ; expire, seconds
1D ) ; minimum, seconds
NS ten-pres-file.presidio.rms ; Inet Address of name server
localhost A 127.0.0.1
ten-pres-file A 192.168.0.13
ten-wxpdev-1 A 192.168.0.30
192.168.0 Zone file:
Code:
$TTL 3D
@ IN SOA ten-pres-file.presidio.rms. hostmaster.presidio.rms. (
2007051001 ; Serial, todays date + todays serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D) ; Minimum TTL
NS ten-pres-file.presidio.rms.
1 PTR ten-pres-file.presidio.rms.
2 PTR ten-wxpdev-1.presidio.rms.
127.0.0 Zone FIle:
Code:
$TTL 3D
@ IN SOA ten-pres-file.presidio.rms. hostmaster.presidio.rms. (
1 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D) ; Minimum TTL
NS ten-pres-file.presidio.rms.
1 PTR localhost.
First off, you'll have problems with your serial numbers. You should have an additional digit in there. The "correct" form is date (yyyymmdd) + 00 for daily revisions. Your way, only 10 updates can be done per day, and that simply isn't enough. By adding another digit, you can have up to 100 updates per day, which is much more realistic.
Secondly, you should never have allow-update set to any. It should be restricted to your LAN addresses, 192.168.0.0/24. It's a security thing. Sure, nobody should have your rndc key, but if that key gets out, anyone in the world can bork your zone up. Very poor choice for "TEN, your DNS consultants". You'd be consulting the sidewalk if you did something like that in most of the corporate world.
The simplest way to get what you want happening (dynamic updates to the zone file) is to only have the DHCP server update the zone, not the individual clients. If you're behind a router that does your DHCP, and you can't configure it, then this choice is not open to you. If you can control your DHCP machine, or even build it into your DNS machine, then give the rndckey to the DHCP server, it can easily update the zone when it hands out an address. The update script (either a homebrew, or a shell script, or the nsupdate program on *nix) can dynamically update the zone, and increment the serial number, assuming you have the permissions clear on the zone file itself. And again, you'll need to update your serial number, because a single digit for incrementals just isn't enough.
Furthermore, nobody should be updating the 0.0.127.in-addr.arpa file, so having another world access to changing it is a mistake. Fortunately linux security probably would have kept you safe on that one, as it is likely that file is owned by root, and can't be written to by the BIND user.
Setting up a windows box to pass the rndckey was a nightmare the last time I did it, maybe 3 years ago. Since then I've insisted on only having the DHCP server do it, just to save headaches. It can be done, you'd have to google on how though. I don't know.
Thanks for the input. This will be a closed network. No outside world at all. IP addresses are all static. No DHCP. I made a few changes and will update my first post.
But so now it looks as though my reverse lookups aren't working. I think that is the original problem as to why i can't resolve the dns server on a nslookup from a win box. Is there any way i can test this on the DNS server? I used dig but not sure what to look for.
Also the zone files are not incrementing on their own, are they supposed to in BIND?
And this is the output of nslookup from the DNS server. It used to say 127.0.0.1 as the server and address until i adjusted the local dns pointer on that box to use the IP instead of the loopback.
I think you're wrong. Nslookup is crap for troubleshooting to begin with,and even when a valid PTR exists, using nslookup still reports an IP address, not a PTR name.
The way to check if named is answering with good PTR info is to use dig with the -x modifier for an IP. For example in your case:
Code:
dig -x 192.168.0.13
Should have an output of something like this if BIND is answering correctly:
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
