LinuxQuestions.org

-   -   ignoring out-of-zone data in my DNS file (http://www.linuxquestions.org/questions/linux-networking-3/ignoring-out-of-zone-data-in-my-dns-file-775866/)

zyzzogeton 12-15-2009 02:20 PM

ignoring out-of-zone data in my DNS file
 
I am running named-checkdns against the following zone file:
Quote:

$TTL 3D
; Information about "forward" domain se.dr.com
$ORIGIN se.digitalreefinc.com.
@ IN SOA ns1.se.digitalreefinc.com. webmaster.se.digitalreefinc.com. (
200912151458 ; serial
86400 ; refresh
7200 ; retry
1209600 ; expiry
1D ) ; minimum
@ IN NS ns1.se.digitalreefinc.com. ;
se20 A 172.30.4.20;
ns1.se.digitalreefinc.com. A 172.30.4.20;
localhost A 127.0.0.1;
se21 A 172.30.4.21;
se22 A 172.30.4.22;
se23 A 172.30.4.23;
se24 A 172.30.4.24;
se25 A 172.30.4.25;
and I get this as the output:

Quote:

[root@se20 named]# named-checkzone localhost se.digitalreefinc.com.zone
se.digitalreefinc.com.zone:4: ignoring out-of-zone data (se.digitalreefinc.com)
se.digitalreefinc.com.zone:10: ignoring out-of-zone data (se.digitalreefinc.com)
se.digitalreefinc.com.zone:11: ignoring out-of-zone data (se20.se.digitalreefinc.com)
se.digitalreefinc.com.zone:12: ignoring out-of-zone data (ns1.se.digitalreefinc.com)
se.digitalreefinc.com.zone:13: ignoring out-of-zone data (localhost.se.digitalreefinc.com)
se.digitalreefinc.com.zone:14: ignoring out-of-zone data (se21.se.digitalreefinc.com)
se.digitalreefinc.com.zone:15: ignoring out-of-zone data (se22.se.digitalreefinc.com)
se.digitalreefinc.com.zone:16: ignoring out-of-zone data (se23.se.digitalreefinc.com)
se.digitalreefinc.com.zone:17: ignoring out-of-zone data (se24.se.digitalreefinc.com)
se.digitalreefinc.com.zone:18: ignoring out-of-zone data (se25.se.digitalreefinc.com)
zone localhost/IN: has 0 SOA records
zone localhost/IN: has no NS records
If I do a dig, I get the QUERY status: NXDOMAIN response
Quote:

[root@se20 named]# dig @localhost se20

; <<>> DiG 9.6.1-P2-RedHat-9.6.1-7.P2.fc11 <<>> @localhost se20
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30626
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;se20. IN A

;; AUTHORITY SECTION:
. 10800 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2009121500 1800 900 604800 86400

;; Query time: 583 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Dec 15 15:18:06 2009
;; MSG SIZE rcvd: 97
my named.conf is as follows:
Quote:

//
// named.caching-nameserver.conf
//
// Provided by Red Hat caching-nameserver package to configure the
// ISC BIND named(8) DNS server as a caching only nameserver
// (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// DO NOT EDIT THIS FILE - use system-config-bind or an editor
// to create named.conf - edits to this file will be lost on
// caching-nameserver package upgrade.
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
version "Bind";
#allow-query { localhost; };
allow-recursion {127.0.0.1; 172.30.0.0/16; };
forward first;
forwarders { 172.30.0.10; 172.30.0.11; }; #IP of upstream ISP nameserver(s)
#forward only; #rely completely on our upstream nameservers
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "se.digitalreefinc.com" IN {
type master;
file "se.digitalreefinc.com.zone";
allow-update {none;};
};
zone "4.30.172.in-addr.arpa" IN {
type master;
file "reverse.se.digitalreefinc.com.zone";
allow-update {none;};
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update {none;};
};
include "/etc/named.rfc1912.zones";

I think my SOA record might be wrong, but I cannot find the error.

Any help is appreciated

bathory 12-15-2009 03:29 PM

Hi,

Your named-checkzone command is wrong. You should use the zone name and the zone file as arguments. To see if your zone is ok, run this from inside the directory where your zone files are:
Code:

named-checkzone se.digitalreefinc.com se.digitalreefinc.com.zone
Regarding the NXDOMAIN, you need to add
Code:

domain se.digitalreefinc.com
in top of /etc/hosts, if you want to resolve hostnames without using the FQDN.

Note also that you don't need forward and forwarders. Your nameserver can use the hint zone to resolve unknown domains.

Regards

zyzzogeton 12-17-2009 08:59 AM

Thanks for redirecting me back here Bathory.

Here is the output for the checkzone:
-------------begin output-----------------
Quote:

[root@se20 named]# named-checkzone se.digitalreefinc.com se.digitalreefinc.com.zone
zone se.digitalreefinc.com/IN: loaded serial 3343656022
OK
-------------------------------------------
So nothing compelling there.

When I do a restart of named, I notice that my zone file isn't touched though:
------------begin output /var/log/messages----------------
Quote:

Dec 17 09:56:28 se20 named[17920]: received control channel command 'stop'
Dec 17 09:56:28 se20 named[17920]: shutting down: flushing changes
Dec 17 09:56:28 se20 named[17920]: stopping command channel on 127.0.0.1#953
Dec 17 09:56:28 se20 named[17920]: stopping command channel on ::1#953
Dec 17 09:56:28 se20 named[17920]: no longer listening on 127.0.0.1#53
Dec 17 09:56:28 se20 named[17920]: no longer listening on ::1#53
Dec 17 09:56:28 se20 named[17920]: exiting
Dec 17 09:56:28 se20 named[1767]: starting BIND 9.6.1-P2-RedHat-9.6.1-7.P2.fc11 -u named
Dec 17 09:56:28 se20 named[1767]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-red
hat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc
' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '
--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--w
ith-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes'
'--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-red
hat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-prote
ctor --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
Dec 17 09:56:28 se20 named[1767]: adjusted limit on open files from 1024 to 1048576
Dec 17 09:56:28 se20 named[1767]: found 4 CPUs, using 4 worker threads
Dec 17 09:56:28 se20 named[1767]: using up to 4096 sockets
Dec 17 09:56:28 se20 named[1767]: loading configuration from '/etc/named.conf'
Dec 17 09:56:28 se20 named[1767]: using default UDP/IPv4 port range: [1024, 65535]
Dec 17 09:56:28 se20 named[1767]: using default UDP/IPv6 port range: [1024, 65535]
Dec 17 09:56:28 se20 named[1767]: listening on IPv4 interface lo, 127.0.0.1#53
Dec 17 09:56:28 se20 named[1767]: listening on IPv6 interface lo, ::1#53
Dec 17 09:56:28 se20 named[1767]: automatic empty zone: 127.IN-ADDR.ARPA
Dec 17 09:56:28 se20 named[1767]: automatic empty zone: 254.169.IN-ADDR.ARPA
Dec 17 09:56:28 se20 named[1767]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Dec 17 09:56:28 se20 named[1767]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Dec 17 09:56:28 se20 named[1767]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Dec 17 09:56:28 se20 named[1767]: automatic empty zone: D.F.IP6.ARPA
Dec 17 09:56:28 se20 named[1767]: automatic empty zone: 8.E.F.IP6.ARPA
Dec 17 09:56:28 se20 named[1767]: automatic empty zone: 9.E.F.IP6.ARPA
Dec 17 09:56:28 se20 named[1767]: automatic empty zone: A.E.F.IP6.ARPA
Dec 17 09:56:28 se20 named[1767]: automatic empty zone: B.E.F.IP6.ARPA
Dec 17 09:56:28 se20 named[1767]: command channel listening on 127.0.0.1#953
Dec 17 09:56:28 se20 named[1767]: command channel listening on ::1#953
Dec 17 09:56:28 se20 named[1767]: the working directory is not writable
Dec 17 09:56:28 se20 named[1767]: zone 0.in-addr.arpa/IN: NS '0.in-addr.arpa' has no address records (A or AAAA)
Dec 17 09:56:28 se20 named[1767]: zone 0.in-addr.arpa/IN: loaded serial 0
Dec 17 09:56:28 se20 named[1767]: zone 1.0.0.127.in-addr.arpa/IN: NS '1.0.0.127.in-addr.arpa' has no address records (A or AAAA)
Dec 17 09:56:28 se20 named[1767]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Dec 17 09:56:28 se20 named[1767]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: NS '1.0.0.0.0.0.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa' has no address records (A or AAAA)
Dec 17 09:56:28 se20 named[1767]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Dec 17 09:56:28 se20 named[1767]: zone localhost.localdomain/IN: loaded serial 0
Dec 17 09:56:28 se20 named[1767]: zone localhost/IN: loaded serial 0
Dec 17 09:56:28 se20 named[1767]: running
-------------------------------------------------------

Shouldn't I see a

Quote:

Dec 17 09:56:28 se20 named[1767]: zone se.digitalreefinc.com/IN: loaded serial 200912151458
in there somewhere?

bathory 12-17-2009 09:25 AM

Quote:

[root@se20 named]# named-checkzone se.digitalreefinc.com se.digitalreefinc.com.zone
zone se.digitalreefinc.com/IN: loaded serial 3343656022
OK
-------------------------------------------
So nothing compelling there.
Where did that serial number come from?
Quote:

Dec 17 09:56:28 se20 named[1767]: starting BIND 9.6.1-P2-RedHat-9.6.1-7.P2.fc11 -u named
...
Dec 17 09:56:28 se20 named[1767]: the working directory is not writable
...
Dec 17 09:56:28 se20 named[1767]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
...
Dec 17 09:56:28 se20 named[1767]: zone localhost.localdomain/IN: loaded serial 0
...
Yes, you should see the zones defined in named.conf loading.
Are you sure you're using the named.conf you posted previously? Because there are no such zones as the above, and I don't think they came from the included /etc/named.rfc1912.zones.
Also you need to fix the permissions problem of /var/named (must be rw by user named).
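On the serial question: the SOA serial is a 32-bit unsigned integer (RFC 1035), so a 12-digit YYYYMMDDHHMM value like 200912151458 does not fit, and what named-checkzone printed is the value reduced modulo 2^32. The block below is an added example, not code from the thread or from BIND: it pulls the serial out of master-file text (a trimmed copy of the posted zone, embedded as constructed input) and shows the truncation. The posted 200912151458 reduces to 3343655842; the logged 3343656022 is the reduction of 200912151638, which would be the same file re-saved with a 16:38 timestamp between the two posts (an inference from the arithmetic, not something the thread states).

```python
# Added example (not from the thread). The SOA SERIAL field is a 32-bit
# unsigned integer (RFC 1035 section 3.3.13) and secondaries compare serials
# with RFC 1982 sequence-space arithmetic. A 12-digit YYYYMMDDHHMM serial
# exceeds 2^32-1, so the value a server holds is the original mod 2^32.

SERIAL_MODULUS = 2 ** 32
SERIAL_MAX = SERIAL_MODULUS - 1

# Trimmed copy of the zone file posted in the thread (constructed input).
ZONE_FILE = """\
$TTL 3D
; Information about "forward" domain se.dr.com
$ORIGIN se.digitalreefinc.com.
@ IN SOA ns1.se.digitalreefinc.com. webmaster.se.digitalreefinc.com. (
200912151458 ; serial
86400 ; refresh
7200 ; retry
1209600 ; expiry
1D ) ; minimum
@ IN NS ns1.se.digitalreefinc.com. ;
se20 A 172.30.4.20;
ns1.se.digitalreefinc.com. A 172.30.4.20;
"""


def soa_serial(zone_text: str) -> int:
    """Extract the SOA serial from master-file text.

    Comments run from ';' to end of line and '(' ... ')' lets one record span
    several lines, so strip comments, split the parentheses off as their own
    tokens, and read the fields after 'SOA': MNAME, RNAME, SERIAL, ...
    """
    tokens = []
    for raw in zone_text.splitlines():
        code = raw.split(";", 1)[0]
        tokens.extend(code.replace("(", " ( ").replace(")", " ) ").split())
    fields = tokens[tokens.index("SOA") + 1:]
    fields = [t for t in fields if t not in ("(", ")")]
    return int(fields[2])  # fields[0] = MNAME, fields[1] = RNAME


def serial_fits(serial: int) -> bool:
    """True if the serial is representable in the 32-bit field."""
    return 0 <= serial <= SERIAL_MAX


def stored_serial(serial: int) -> int:
    """The 32-bit value an oversized serial collapses to."""
    return serial % SERIAL_MODULUS


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: a > b iff (a - b) mod 2^32 lies in 1 .. 2^31-1.

    This is the comparison a secondary makes before deciding to transfer,
    so the wrapped value is what gets compared, not what you typed.
    """
    return 0 < (a - b) % SERIAL_MODULUS < 2 ** 31


def audit_zone_serial(zone_text: str) -> dict:
    """Report what was written and what a server will actually hold."""
    written = soa_serial(zone_text)
    return {"written": written,
            "fits_32_bits": serial_fits(written),
            "stored": stored_serial(written)}


if __name__ == "__main__":
    print(audit_zone_serial(ZONE_FILE))
    # The later log line's 3343656022 is 200912151638 reduced mod 2^32.
    print(stored_serial(200912151638))
```

The practical check is to compare the "loaded serial" that named-checkzone prints against the number in the file; a mismatch means the value was too large for the field. The usual YYYYMMDDnn form (ten digits) stays under 2^32 and keeps serials monotonic, which matters because secondaries only pull a new copy when RFC 1982 arithmetic says the serial increased.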

zyzzogeton 12-17-2009 02:14 PM

I am not sure where that serial number comes from however I think I have tracked down the issue,
Quote:

Dec 17 14:57:59 se20 named[2071]: zone localhost.localdomain/IN: loaded serial 0
Dec 17 14:57:59 se20 named[2071]: zone localhost/IN: loaded serial 0
Dec 17 14:57:59 se20 named[2071]: running
Dec 17 14:58:43 se20 named[2071]: received control channel command 'reload'
Dec 17 14:58:43 se20 named[2071]: loading configuration from '/etc/named.conf'
Dec 17 14:58:43 se20 named[2071]: using default UDP/IPv4 port range: [1024, 65535]
Dec 17 14:58:43 se20 named[2071]: using default UDP/IPv6 port range: [1024, 65535]
I have been editing named.conf in /var/named this whole time!

Now, doing a dig gives me this:
Quote:

[root@se20 etc]# dig @localhost se20

; <<>> DiG 9.6.1-P2-RedHat-9.6.1-7.P2.fc11 <<>> @localhost se20
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 63982
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;se20. IN A

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Thu Dec 17 15:11:11 2009
;; MSG SIZE rcvd: 22
Which I consider great progress.

I just need to track down my search domain issue. It looks like se20 is not using se.digitalreefinc.com as its search domain for some reason even though it is specified in the resolv.conf. If I use an fqdn, it works fine:
Quote:

[root@se20 etc]# dig se21.se.digitalreefinc.com

; <<>> DiG 9.6.1-P2-RedHat-9.6.1-7.P2.fc11 <<>> se21.se.digitalreefinc.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18172
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;se21.se.digitalreefinc.com. IN A

;; ANSWER SECTION:
se21.se.digitalreefinc.com. 259200 IN A 172.30.4.21

;; AUTHORITY SECTION:
se.digitalreefinc.com. 259200 IN NS ns1.se.digitalreefinc.com.

;; ADDITIONAL SECTION:
ns1.se.digitalreefinc.com. 259200 IN A 172.30.4.20

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Dec 17 15:24:30 2009
;; MSG SIZE rcvd: 94

bathory 12-17-2009 04:55 PM

Hi,

Because dig uses the DNS server to resolve hostnames, you have to use a FQDN. The nslookup utility looks for the search/domain line in /etc/resolv.conf, so it can resolve hostnames without a domain name. If you want dig to do the same, you have to use the +search option:
Code:

dig se20 +search
Regarding:
Quote:

dig @localhost se20
...
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 63982
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
...
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
you have to add the localhost ipv6 address ::1 in the allow-recursion arguments.

Regards
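Both points in the reply above can be checked without touching the server: how a stub resolver expands a bare name like se20 through the search list (what nslookup and dig +search do and plain dig does not), and which client addresses a BIND address-match list such as the posted allow-recursion admits. This is an added example, not code from the thread or from BIND. The resolv.conf text is constructed from what the poster describes, the two ACLs are the one in the posted named.conf and the same list with ::1 added as suggested, and the matcher implements only BIND's first-match-wins rule for address literals, prefixes, negated entries and the any/none keywords (not keys, nested named ACLs or the localhost/localnets keywords).

```python
# Added example (not from the thread or from BIND).
import ipaddress

# Constructed resolv.conf modelled on what the poster describes.
RESOLV_CONF = """\
search se.digitalreefinc.com
nameserver 127.0.0.1
"""

# allow-recursion as posted, and with ::1 added as suggested in the reply.
ALLOW_RECURSION = ["127.0.0.1", "172.30.0.0/16"]
ALLOW_RECURSION_FIXED = ["127.0.0.1", "::1", "172.30.0.0/16"]


def parse_resolv_conf(text: str):
    """Return (search_list, ndots) from resolv.conf text.

    Per resolver(5), 'search' and 'domain' are mutually exclusive and the
    last one seen wins; ndots defaults to 1.
    """
    search, ndots = [], 1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key in ("search", "domain"):
            search = args
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots


def query_candidates(name: str, search, ndots: int = 1):
    """Absolute names a stub resolver tries, in order, for a typed name.

    A trailing dot disables the search list. A name with at least ndots
    dots is tried as-is first, otherwise the search suffixes come first.
    Plain dig sends only the first form of the last branch: 'se20.'.
    """
    if name.endswith("."):
        return [name]
    absolute = name + "."
    expanded = [f"{name}.{suffix}." for suffix in search]
    if name.count(".") >= ndots:
        return [absolute] + expanded
    return expanded + [absolute]


def acl_allows(client_ip: str, acl) -> bool:
    """Evaluate a BIND-style address-match list: first match wins, a
    '!'-prefixed entry denies on match, and no match at all denies."""
    client = ipaddress.ip_address(client_ip)
    for entry in acl:
        negate = entry.startswith("!")
        body = entry[1:].strip() if negate else entry
        if body == "any":
            return not negate
        if body == "none":
            continue  # matches nothing, so it never decides
        net = ipaddress.ip_network(body, strict=False)
        if client.version == net.version and client in net:
            return not negate
    return False


if __name__ == "__main__":
    search, ndots = parse_resolv_conf(RESOLV_CONF)
    print("se20 ->", query_candidates("se20", search, ndots))
    for ip in ("127.0.0.1", "::1", "172.30.4.21", "10.0.0.5"):
        print(ip, "posted:", acl_allows(ip, ALLOW_RECURSION),
              "fixed:", acl_allows(ip, ALLOW_RECURSION_FIXED))
```

The REFUSED answer in the post is the second function at work: dig @localhost picked ::1 (the SERVER: ::1#53 line), se20. is not inside the authoritative zone so answering it needs recursion, and ::1 matches nothing in the posted list. Adding ::1 is the right fix; widening the list to any would not be, since the posted config listens on every interface with allow-query commented out, and a server that recurses for anyone who can reach port 53 is an open resolver usable for amplification.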

zyzzogeton 12-18-2009 12:29 PM

Ok, did not know that. Thanks for all your help. I will mark this one solved.

