LinuxQuestions.org, Linux - Networking forum
Old 01-04-2010, 06:05 AM   #1
chrisgti
Member
 
Registered: Mar 2009
Posts: 58

Rep: Reputation: 15
Twin DNS Servers on SuSE - Options?


I am wanting to implement a stable DNS solution at work to get away from nasty hosts files. I have tested with Open SuSE DNS and while it's easy to get up and running, I have concerns about high availability and failover.

Does the built-in SuSE DNS solution allow you to have two servers that communicate with each other, where updates to one will update the other?

Any other advice you can give would be most appreciated.

Not sure if it matters but the servers are:

Open SuSE 11.1 PowerPC
Open SuSE 11.2 x86

Many thanks in advance
 
Old 01-04-2010, 09:33 AM   #2
chrisgti
Original Poster
OK I have answered my own question regarding twin servers.

I have installed BIND and in YaST I have an option of DNS Server under network services.

I have been through the wizard, configured forwarders etc, but whenever I do nslookup in Windows I get:

*** Can't find server name for address 192.168.1.98: Query refused
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.1.98

How can I change this? Why is the default server "UnKnown"?

I can look up A records that I specify but if I try to look up say Google I get:

> google.com
Server: UnKnown
Address: 192.168.1.98

*** UnKnown can't find google.com: Query refused

Any help appreciated
 
Old 01-04-2010, 01:42 PM   #3
Dave_Devnull
Take a look through your logs (not sure where BIND logs on SuSE, but /var/log/daemon or /var/log/syslog may be in the right area). You are looking for 'denied' entries against the process 'named'. I suspect this will be acl/view/permission based and would concentrate my search around the allow-query { } options in named.conf.

hth
 
1 members found this post helpful.
Old 01-04-2010, 05:10 PM   #4
chrisgti
Original Poster
Thanks Dave, that gives me something to look for!

I will take a poke around and post back with my findings.
 
Old 01-05-2010, 04:27 AM   #5
chrisgti
Original Poster
Well... not having a lot of luck.

I have noticed that if I manually change named.conf, it changes back when I restart named.

I have added the following via YaST and can be seen in named.conf:

acl allow-query { all; };
acl allow-recursion { any; };
acl allow-transfer { all; };

But I still can't get it working...

One thing to mention is that this is running on a hosted partition on an IBM server and within its own subnet with mask 255.255.255.248. The clients are in the same address range but with a 255.255.255.0 mask. The server is set to allow any requests... but could this be making a difference?

Also I couldn't find the logs so I told it to go to /home/myaccount/dns.log and log everything...but I can't see anything.

Also in YaST it says bind stats will write to /var/log/named.stats...but there is nothing in /var/log with that name

Rather confused here!!

Last edited by chrisgti; 01-05-2010 at 04:31 AM.
 
Old 01-05-2010, 07:06 AM   #6
chrisgti
Original Poster
As a further update, I see the following in the syslog (now that I found the right place!) for each external DNS query:

Jan 5 13:04:59 suse named[18617]: client 192.168.1.224#1066: query: google.com.acme.com IN A +
Jan 5 13:04:59 suse named[18617]: client 192.168.1.224#1067: query: google.com IN A +
Jan 5 13:04:59 suse named[18617]: client 192.168.1.224#1067: query (cache) 'google.com/A/IN' denied


Doesn't really say much to me (other than the obvious fact it's denied)...but perhaps it does to someone else?

I have changed my company name to "acme" - I note on the first line - query: google.com.acme.com

Is that correct? Why is it appending my domain suffix?

Also, when I enter "nslookup" into windows and I see this in the command prompt:

*** Can't find server name for address 192.168.1.98: Query refused
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.1.98

I see the following in the log for named:

Jan 5 13:11:52 suse named[18617]: client 192.168.1.224#1082: query: 98.1.168.192.in-addr.arpa IN PTR +
Jan 5 13:11:52 suse named[18617]: client 192.168.1.224#1082: query (cache) '98.1.168.192.in-addr.arpa/PTR/IN' denied

Last edited by chrisgti; 01-05-2010 at 07:14 AM.
 
Old 01-05-2010, 07:07 AM   #7
Dave_Devnull
OK, there are some 'ifs' and 'buts' there with the networking and hosting, and your original question about running dual name servers may be clouding things here. I'm sure you know that a single IP can only host one BIND listening on port 53, but let's go back to basics.

If you run NSLOOKUP {or 'dig' if it's installed} from the command line of the SuSE where you are trying to run this instance of BIND, will it resolve? Let's not try and query it from another machine or OS; query it from itself just to troubleshoot this. Say the IP address of SuSE is 1.2.3.4, from its own command line do:

nslookup bbc.co.uk 1.2.3.4

and see if it gives you anything back. If not check the logs to see what went wrong.

It's also worth a quick check to rule out any basic failures by running a test against the google public DNS servers at 8.8.8.8 and compare the results:
nslookup bbc.co.uk 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: bbc.co.uk
Address: 212.58.224.138

I'm not that familiar with SuSE and I'm not sure what you have running that is overwriting your named.conf. The gist of what you have should be good as long as you have something like this within your options {} section:

recursion yes;
allow-query {any; };

In reality 'any' may be bad in production, depending on your application, but I'd be inclined to get it working first.
HTH
 
Old 01-05-2010, 07:09 AM   #8
Dave_Devnull
It means that the server refused access to client 192.168.1.224 looking up google. What's the IP of the server?
 
Old 01-05-2010, 07:21 AM   #9
chrisgti
Original Poster
Thanks for your reply Dave. I agree that the thread title isn't really relevant anymore. I am just trying to get this single nameserver working for now (and then all I do is set up the second one as a slave).

The IP address of the DNS server is 192.168.1.98.

I performed the first test, and it was fine:

suse:/ # nslookup bbc.co.uk 192.168.1.98
Server: 192.168.1.98
Address: 192.168.1.98#53

Non-authoritative answer:
Name: bbc.co.uk
Address: 212.58.224.138

And using google:

suse:/ # nslookup bbc.co.uk 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: bbc.co.uk
Address: 212.58.224.138

I agree any isn't going to be good practice - at the minute it's just a case of learning the ropes and then locking it down. Thanks for pointing that out though. I think that when using BIND via YaST, there is something you need to do in order to manually edit named.conf and have it save the changes. However, the idea is that you shouldn't really need to in the first place.

Certainly appreciate the help

PS - If a mod happens to read this, can you please change the thread title to "Problem with BIND - Query Refused"
 
Old 01-05-2010, 07:33 AM   #10
Dave_Devnull
So, it's safe to say the server works:

suse:/ # nslookup bbc.co.uk 192.168.1.98
Server: 192.168.1.98
Address: 192.168.1.98#53

Non-authoritative answer:
Name: bbc.co.uk
Address: 212.58.224.138

But other clients are not able to query it. We know that BIND is getting those queries from your Syslog, it's just refusing them:
client 192.168.1.224#1067: query (cache) 'google.com/A/IN' denied

So something in the config of your BIND is refusing those lookups. It may be helpful to post the entire output of your named.conf here {munging any sensitive bits} as I suspect there is some kind of Access Control in place.

At a wild outside guess I wonder if it is something to do with the 'localnets' directive? If that server has a netmask of .248 I make that:
Network: 192.168.1.96
HostMin: 192.168.1.97
HostMax: 192.168.1.102
Broadcast: 192.168.1.103

And this client: client 192.168.1.224 would not fall within that. It should *not* matter with 'any', but I suspect there is something else at work going on. Perhaps you could try a query from a client in the range of 192.168.1.97-102 just to rule that out?
 
1 members found this post helpful.
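To make the 'denied' lines in post #6 and the localnets theory in post #10 concrete, here is an added example (my code, not part of the thread): it parses named's syslog query lines, counts the "query (cache) ... denied" refusals per client, and marks whether each client falls inside the server's own subnet (192.168.1.98 with mask 255.255.255.248 is 192.168.1.98/29, i.e. the network 192.168.1.96-103, which is what BIND's built-in `localnets` ACL covers). The sample lines are constructed to match the format shown above; 192.168.1.99 is an assumed in-subnet client. The refused PTR lookup for 98.1.168.192.in-addr.arpa is also why nslookup on Windows reports "Default Server: UnKnown": it reverse-resolves the server address first, and that lookup is the one being refused.

```python
import ipaddress
import re
from collections import defaultdict

# The two shapes of BIND 9 query-log line seen in this thread (via syslog).
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) \w+ (?P<type>\w+)")
DENIED_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query \(cache\) "
                       r"'(?P<name>[^/']+)/(?P<type>\w+)/\w+' denied")


def parse_line(line):
    """Return ('query'|'denied', client, name, qtype) for a query-log line, else None."""
    m = DENIED_RE.search(line)
    if m:
        return "denied", m["client"], m["name"], m["type"]
    m = QUERY_RE.search(line)
    if m:
        return "query", m["client"], m["name"], m["type"]
    return None


def summarize(lines, server_interface):
    """Per client: how many queries arrived, how many were refused from the cache, and
    whether the client sits inside the server's own subnet (what 'localnets' matches)."""
    localnets = ipaddress.ip_interface(server_interface).network
    summary = defaultdict(lambda: {"queries": 0, "denied": 0, "denied_names": [],
                                   "in_localnets": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a query-log line (zone loads, startup messages, ...)
        kind, client, name, qtype = rec
        entry = summary[client]
        entry["in_localnets"] = ipaddress.ip_address(client) in localnets
        if kind == "query":
            entry["queries"] += 1
        else:
            entry["denied"] += 1
            entry["denied_names"].append(f"{name}/{qtype}")
    return dict(summary)


def refused_clients(summary):
    """Clients with at least one refusal, mapped to whether they are inside localnets."""
    return {c: e["in_localnets"] for c, e in summary.items() if e["denied"]}


# Constructed sample: the thread's lines plus one assumed in-subnet client (.99) and
# one unrelated named message, so both the denials and the skipped lines are exercised.
SAMPLE_LOG = """\
Jan 5 13:04:59 suse named[18617]: client 192.168.1.224#1066: query: google.com.acme.com IN A +
Jan 5 13:04:59 suse named[18617]: client 192.168.1.224#1067: query: google.com IN A +
Jan 5 13:04:59 suse named[18617]: client 192.168.1.224#1067: query (cache) 'google.com/A/IN' denied
Jan 5 13:11:52 suse named[18617]: client 192.168.1.224#1082: query: 98.1.168.192.in-addr.arpa IN PTR +
Jan 5 13:11:52 suse named[18617]: client 192.168.1.224#1082: query (cache) '98.1.168.192.in-addr.arpa/PTR/IN' denied
Jan 5 13:12:03 suse named[18617]: client 192.168.1.99#2001: query: bbc.co.uk IN A +
Jan 5 13:12:03 suse named[18617]: zone acme.com/IN: loaded serial 2010010501
""".splitlines()

if __name__ == "__main__":
    # Server is 192.168.1.98 with mask 255.255.255.248, i.e. 192.168.1.98/29.
    result = summarize(SAMPLE_LOG, "192.168.1.98/29")
    for client, entry in sorted(result.items()):
        print(client, entry)
    print("refused:", refused_clients(result))
```

Running it shows 192.168.1.224 with 3 queries and 2 refusals (outside the /29), and 192.168.1.99 with 1 query and none (inside it). If a client inside the /29 also gets refused, the localnets theory is ruled out and the cause is purely the allow-* configuration.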
Old 01-05-2010, 07:46 AM   #11
chrisgti
Original Poster
Thanks again!

Getting a client up in that range is possible but not easy...it's a transparent subnet on an IBM Power System for use with virtual interfaces with proxy arp, so I will have to set up another partition on the Power system and then give it an IP in the range. I will try if I get no further though.

Here is named.conf (changed company name to "acme"):

The ACL statements were added via yast as a test. Not fully sure if the syntax is correct. Lots of stuff seems to be commented out...

suse:/var/lib/named/etc # cat named.conf
# Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Frank Bodammer, Lars Mueller <lmuelle@suse.de>
#
# /etc/named.conf
#
# This is a sample configuration file for the name server BIND 9. It works as
# a caching only name server without modification.
#
# A sample configuration for setting up your own domain can be found in
# /usr/share/doc/packages/bind/sample-config.
#
# A description of all available options can be found in
# /usr/share/doc/packages/bind/misc/options.

options {

# The directory statement defines the name server's working directory

directory "/var/lib/named";

# Write dump and statistics file to the log subdirectory. The
# pathnames are relative to the chroot jail.

dump-file "/var/log/named_dump.db";
statistics-file "/var/log/named.stats";

# The forwarders record contains a list of servers to which queries
# should be forwarded. Enable this line and modify the IP address to
# your provider's name server. Up to three servers may be listed.

#forwarders { 192.0.2.1; 192.0.2.2; };

# Enable the next entry to prefer usage of the name server declared in
# the forwarders section.

#forward first;

# The listen-on record contains a list of local network interfaces to
# listen on. Optionally the port can be specified. Default is to
# listen on all interfaces found on your system. The default port is
# 53.

#listen-on port 53 { 127.0.0.1; };

# The listen-on-v6 record enables or disables listening on IPv6
# interfaces. Allowed values are 'any' and 'none' or a list of
# addresses.

listen-on-v6 { any; };

# The next three statements may be needed if a firewall stands between
# the local server and the internet.

#query-source address * port 53;
#transfer-source * port 53;
#notify-source * port 53;

# The allow-query record contains a list of networks or IP addresses
# to accept and deny queries from. The default is to allow queries
# from all hosts.

#allow-query { 127.0.0.1; };

# If notify is set to yes (default), notify messages are sent to other
# name servers when the zone data is changed. Instead of setting
# a global 'notify' statement in the 'options' section, a separate
# 'notify' can be added to each zone definition.

notify yes;
include "/etc/named.d/forwarders.conf";
};

# To configure named's logging remove the leading '#' characters of the
# following examples.
#logging {
# # Log queries to a file limited to a size of 100 MB.
# channel query_logging {
# file "/var/log/named_querylog"
# versions 3 size 100M;
# print-time yes; // timestamp log entries
# };
# category queries {
# query_logging;
# };
#
# # Or log this kind alternatively to syslog.
# channel syslog_queries {
# syslog user;
# severity info;
# };
# category queries { syslog_queries; };
#
# # Log general name server errors to syslog.
# channel syslog_errors {
# syslog user;
# severity error;
# };
# category default { syslog_errors; };
#
# # Don't log lame server messages.
# category lame-servers { null; };
#};

# The following zone definitions don't need any modification. The first one
# is the definition of the root name servers. The second one defines
# localhost while the third defines the reverse lookup for localhost.

zone "." in {
type hint;
file "root.hint";
};

zone "localhost" in {
type master;
file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};

# Include the meta include file generated by createNamedConfInclude. This
# includes all files as configured in NAMED_CONF_INCLUDE_FILES from
# /etc/sysconfig/named

include "/etc/named.conf.include";
logging {
category queries { log_file; };
channel log_file { file "/home/suse/dns.log" size 200M; };
category xfer-in { log_file; };
category xfer-out { log_file; };
category default { log_file; };
};
zone "acme.com" in {
allow-transfer { any; };
file "master/acme.com";
type master;
};
acl allow-query { all; };
acl allow-recursion { any; };
acl allow-transfer { all; };

# You can insert further zone records for your own domains below or create
# single files in /etc/named.d/ and add the file names to
# NAMED_CONF_INCLUDE_FILES.
# See /usr/share/doc/packages/bind/README.SUSE for more details.
 
Old 01-05-2010, 08:42 AM   #12
Dave_Devnull
If we cut all the waffle out of that file we are left with:

Code:
suse:/var/lib/named/etc # cat named.conf
options {
directory "/var/lib/named";
dump-file "/var/log/named_dump.db";
statistics-file "/var/log/named.stats";
listen-on-v6 { any; };
notify yes;
include "/etc/named.d/forwarders.conf";
};

zone "." in {
type hint;
file "root.hint";
};

zone "localhost" in {
type master;
file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};

include "/etc/named.conf.include";
logging {
category queries { log_file; };
channel log_file { file "/home/suse/dns.log" size 200M; };
category xfer-in { log_file; };
category xfer-out { log_file; };
category default { log_file; };
};
zone "acme.com" in {
allow-transfer { any; };
file "master/acme.com";
type master;
};
acl allow-query { all; };
acl allow-recursion { any; };
acl allow-transfer { all; };
A couple of things. I'm not sure if what is in this file: "/etc/named.conf.include" is relevant, but it's been included into your named.conf.

The big one, unless I'm mistaken, is within your options {} directive, you have not given permission to anything for queries, recursion or transfer. I guess that the default is to allow localhost or localnets {just a guess} which is why local queries work.

I note you have created three ACLs at the foot of your config {personally I would have had them at the top} but at no point are they being referenced. For now, comment out or remove:

acl allow-query { all; };
acl allow-recursion { any; };
acl allow-transfer { all; };
*Not sure the syntax is right re 'all'; as far as I recall the options are: "none", "any", "localhost", "localnets".

Just above the line reading "options {" insert "recursion yes;" and pop this in below its matching closing brace: "allow-query {any; };" as per below. I've removed the IPv6, forwarders, ACLs and include - see if this works for lookups.

Code:
suse:/var/lib/named/etc # cat named.conf
recursion yes;
options {
directory "/var/lib/named";
dump-file "/var/log/named_dump.db";
statistics-file "/var/log/named.stats";
notify yes;
allow-query {any; };
};

zone "." in {
type hint;
file "root.hint";
};

zone "localhost" in {
type master;
file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};
Give that a spin and see if it makes a blind bit of difference :-)
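As an added check (my example, not part of the thread and not BIND's own tooling), the script below reads a named.conf with a minimal brace-aware parser and reports the problems discussed in this post: address-list elements that are neither a built-in ACL (any, none, localhost, localnets) nor a defined acl, such as `all`; acl statements that are defined but never referenced; an options block that sets none of allow-query, allow-recursion or allow-query-cache (BIND then serves cached, i.e. recursive, answers only to localhost and localnets, which is exactly what the "query (cache) ... denied" log lines show); and option statements placed outside `options {}`, which BIND's grammar rejects (`recursion` is one of those and belongs inside options). It also warns when recursion is effectively open to `any`, since that makes an open resolver if port 53 is reachable from the internet. BEFORE_CONF is a constructed, trimmed copy of the posted config; AFTER_CONF is an assumed hardened version with placeholder prefixes (192.168.1.0/24 for the clients, 192.0.2.10 for the planned secondary). On the server itself, BIND's `named-checkconf` remains the authoritative syntax check.

```python
import re

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
ADDR_LIST_STMTS = {"allow-query", "allow-query-cache", "allow-recursion", "allow-transfer",
                   "allow-update", "blackhole", "match-clients"}  # bodies are address lists
TOP_LEVEL = {"options", "zone", "acl", "logging", "include", "key", "view", "controls", "server",
             "trusted-keys", "managed-keys", "masters", "statistics-channels"}
ADDR_RE = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|[0-9a-fA-F]*:[0-9a-fA-F:]*)(/\d+)?$")  # v4/v6

def tokenize(text):
    """Drop BIND's three comment styles, then split into strings, braces, ';' and words."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(?m)(#|//).*$", "", text)  # a '#' inside a quoted string is cut too
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)

def parse(tokens):
    """Return [(words, children)], children being None for a statement without a block."""
    stmts, i = [], 0
    while i < len(tokens):
        words = []
        while i < len(tokens) and tokens[i] not in ("{", "}", ";"):
            words.append(tokens[i])
            i += 1
        children = None
        if i < len(tokens) and tokens[i] == "{":
            depth, start, i = 1, i + 1, i + 1
            while i < len(tokens) and depth:
                depth += {"{": 1, "}": -1}.get(tokens[i], 0)
                i += 1
            children = parse(tokens[start:i - 1])  # body without its closing brace
        elif i < len(tokens) and tokens[i] == "}":
            i += 1  # unbalanced brace: skip it rather than loop forever
        if i < len(tokens) and tokens[i] == ";":
            i += 1
        if words or children is not None:
            stmts.append((words, children))
    return stmts

def address_lists(stmts):
    """Yield (statement keyword, element) for every address_match_list element, at any depth."""
    for words, children in stmts:
        if children is None:
            continue
        if words and (words[0] in ADDR_LIST_STMTS or words[0] == "acl"):
            for elem_words, _ in children:
                yield words[0], " ".join(elem_words).lstrip("!").strip('"')
        yield from address_lists(children)

def check_named_conf(text):
    """Return a list of findings; an empty list means nothing to report."""
    stmts = parse(tokenize(text))
    findings = []
    acls = {w[1].strip('"') for w, _ in stmts if len(w) >= 2 and w[0] == "acl"}
    referenced = set()
    for keyword, elem in address_lists(stmts):
        if elem in acls:
            referenced.add(elem)
        elif elem and elem not in BUILTIN_ACLS and not ADDR_RE.match(elem) \
                and not elem.startswith("key "):
            findings.append(f"undefined address-list element '{elem}' in {keyword} "
                            "(built-ins: any, none, localhost, localnets)")
    findings += [f"acl '{n}' is defined but never referenced" for n in sorted(acls - referenced)]
    findings += [f"'{w[0]}' is not valid at top level; an option belongs inside options"
                 for w, _ in stmts if w and w[0] not in TOP_LEVEL]
    options = next((c for w, c in stmts if w == ["options"] and c is not None), None)
    if options is None:
        return findings + ["no options block"]
    opt = {w[0]: (w, c) for w, c in options if w}
    if not ({"allow-query", "allow-recursion", "allow-query-cache"} & opt.keys()):
        findings.append("options sets none of allow-query / allow-recursion / allow-query-cache: "
                        "cached (recursive) answers go only to localhost and localnets by default")
    recursive = opt.get("recursion", (["recursion", "yes"], None))[0][-1] != "no"
    effective = opt.get("allow-recursion") or opt.get("allow-query-cache") or opt.get("allow-query")
    if recursive and effective and effective[1] and any(ew == ["any"] for ew, _ in effective[1]):
        findings.append("recursion is open to any client: fine on a LAN-only server, "
                        "an open resolver if port 53 is reachable from the internet")
    return findings

# Constructed, trimmed copy of the config posted in this thread.
BEFORE_CONF = """
options { directory "/var/lib/named"; listen-on-v6 { any; }; notify yes; };
zone "acme.com" in { type master; file "master/acme.com"; allow-transfer { any; }; };
acl allow-query { all; };
acl allow-recursion { any; };
acl allow-transfer { all; };
"""
# Assumed hardened version; 192.168.1.0/24 (clients) and 192.0.2.10 (future secondary)
# are placeholders, and the unchanged hint/localhost zones are omitted.
AFTER_CONF = """
acl "lan" { 192.168.1.0/24; localhost; };
acl "secondaries" { 192.0.2.10; };
options { directory "/var/lib/named"; recursion yes; allow-query { any; };
          allow-recursion { lan; }; allow-transfer { none; }; notify yes; };
zone "acme.com" in { type master; file "master/acme.com"; allow-transfer { secondaries; }; };
"""

if __name__ == "__main__":
    print(check_named_conf(BEFORE_CONF), check_named_conf(AFTER_CONF), sep="\n")
```

On the posted config this reports two undefined `all` elements, three unreferenced ACLs and the missing allow-* options; on the hardened version it reports nothing. The hardened layout keeps answers about acme.com open to anyone (the server is authoritative for it) while restricting recursion to the LAN and zone transfers to the named secondary, which is the shape to aim for once lookups work.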
 
Old 01-05-2010, 09:51 AM   #13
chrisgti
Original Poster
Cheers Dave! It does seem entirely logical that what you have pointed out may be the problem. The issue I have is that I just can't seem to make any changes to named.conf.

named.conf.include is empty - I tried changing this, and then restarted named, and it had reset again.

There is a file - /etc/sysconfig/named that has the following (garbage removed):


suse:/etc/sysconfig # cat named

NAMED_RUN_CHROOTED="yes"
NAMED_ARGS=""
NAMED_CONF_INCLUDE_FILES=""
NAMED_INITIALIZE_SCRIPTS="createNamedConfInclude"

Can I perhaps add the additional options/parameters to say 'custom.conf' and make it an include?

Would I be better off removing bind and the yast dns tool..then reinstalling bind and doing it by hand?
 
Old 01-05-2010, 11:06 AM   #14
Dave_Devnull
Let's narrow this down too. If you make the changes to your named.conf and *don't* restart bind, if you less or cat it, have the changes really been made? What I'm getting at is do the changes really get saved at all, or is it they are definitely being wiped out when you restart it?
 
Old 01-06-2010, 04:33 AM   #15
chrisgti
Original Poster
The changes show up if I save it and then cat it. But if I restart named they revert back to how they were before.

I am not in the office today due to the snow so I will pick this up tomorrow.

Really appreciate the help you have given
 
  

