LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
#16 Dave_Devnull, 01-06-2010, 04:49 AM

No worries Chris - I couldn't use the snow as an excuse working from home and all that :-) I'm guessing that one of the SuSE helper scripts is being *really* helpful :-) I installed it on Virtualbox this morning and then spent some time fighting the firewall. I'll have a crack at BIND on it later and see if I can make any sense of it - right now I have to make a snowman....
 
#17 Dave_Devnull, 01-06-2010, 10:51 AM

OK, now I've finished my snowman and igloo, I've had a quick play with a VirtualBox SuSE -v- BIND.

By any chance are you editing:
/var/lib/named/etc/named.conf

rather than
/etc/named.conf

The reason I ask is this 'SuSE' 'helper' file (assume it may be the YaST thingy - not that familiar with it) called:
/etc/sysconfig/named
gives a hint:
Quote:
# Shall the DNS server 'named' or the LightWeight RESolver Daemon, lwresd run
# in the chroot jail /var/lib/named/?
#
# Each time you start one of the daemons with the init script, /etc/named.conf,
# /etc/named.conf.include, /etc/rndc.key, and all files listed in
# NAMED_CONF_INCLUDE_FILES will be copied relative to /var/lib/named/.
#
# The pid file will be in /var/lib/named/var/run/named/ and named named.pid
# or lwresd.pid.
#
NAMED_RUN_CHROOTED="yes"
So in other words, the usual /etc/named.conf will be copied to /var/lib/named/etc/named.conf overwriting it on each restart. This is to satisfy the CHROOT jail needing to access a named.conf file.

I can confirm if I edit the correct /etc/named.conf and restart:
Code:
/etc/init.d/named restart
/etc/named.conf overwrites /var/lib/named/etc/named.conf as expected.

If that's not what is going on for you Chrisgti, I'm stumped :-)
hth


ASIDE:
I'm guessing that the zonefiles either need to be placed relative to the chroot jail: /var/lib/named/

or included in the /etc/sysconfig/named NAMED_CONF_INCLUDE_FILES="" directive and judging by this:
/var/lib/named/localhost.zone
/var/lib/named/127.0.0.zone
The former seems to be in use.

Best of luck with it old chap ;-)

Last edited by Dave_Devnull; 01-06-2010 at 11:04 AM.
 
#18 chrisgti (Original Poster), 01-07-2010, 11:28 AM

Ahh, I think this is exactly my problem. I am indeed editing /var/lib/named/etc/named.conf

I did see /etc/named.conf but the config looked different and I thought that since the live files were in /var/lib/named (as shown in the yast info) that I was probably barking up the wrong tree. Apparently not!

The snow has kept me at home again today (my snowman is loving it, he's an old man now in snowman years!)

I will try all this on Monday and report back (off tomorrow!), but I think you have got to the bottom of it.

Again, many thanks for taking the time to help me out. It's been a beneficial exercise, learned loads about DNS that I previously took for granted.

So...hopefully on Monday I will be updating saying it's working

(I'll also look up what CHROOT jail is all about!)

Cheers

Chris
 
#19 Dave_Devnull, 01-07-2010, 12:07 PM

No worries Chris. I wanted the excuse to look at SuSE - good luck with it old chap ;-)
 
#20 chrisgti (Original Poster), 01-11-2010, 03:42 AM

Well the snow is going and despite my best efforts I couldn't get stuck in my street again so here I am in the office!

I made the following changes to /etc/named.conf -

recursion yes;
allow-query {any; };

Restarted named and I got the following output:

suse:~ # rcnamed restart
Shutting down name server BIND waiting for named to shut down (28s) done
Starting name server BIND rm: cannot remove `/var/lib/named/': Is a directory
cp: missing destination file operand after `/var/lib/named/'
Try `cp --help' for more information.
startproc: exit status of parent of /usr/sbin/named: 1
failed
suse:~ # rcnamed start
Starting name server BIND rm: cannot remove `/var/lib/named/': Is a directory
cp: missing destination file operand after `/var/lib/named/'
Try `cp --help' for more information.
/etc/named.conf:17: unknown option 'recursion'
skipped

Not too sure what the issue is with "cannot remove..." but I went back and removed the 'recursion yes;' line and then I was able to start the server (still with the rm issue mentioned)

The good news is my test box is now able to query google.com!

However now on the test machine where before I had "query refused" I get:

*** Can't find server name for address 192.168.1.98: Non-existant domain
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.1.98

So..how can I fix this?

Also - port 53 will never be open on our external firewall - this service is for internal use only so allowing any query should not be an issue - however, as a matter of good practice, I would like to restrict lookups to 192.168.0.0/16 (we have several VLANs) AND a single 172.16.1.0 subnet - where do I do this? I tried 'allow-query { 192.168.1.0; };' but then started getting 'query refused' again

Looks like I'm getting there, many thanks for your time Dave

Last edited by chrisgti; 01-11-2010 at 03:53 AM.
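Added example, not from the thread: a small Python model of how BIND evaluates an address_match_list such as the one given to allow-query, showing why the bare `192.168.1.0;` above matches a single host while a /16 plus a /24 covers the ranges described. The /24 mask on the 172.16.1.0 subnet is an assumption, and the model is IPv4 only.

```python
import ipaddress

# Added example, not from the thread: a model of how BIND evaluates an
# address_match_list such as the one given to allow-query. Elements are tried
# in the order written, the first match decides, a leading "!" negates the
# element, and a bare address with no prefix length matches exactly one host.
# "192.168.1.0;" therefore matches only the host 192.168.1.0, which is why
# every other client got "query refused". IPv4-only model.

def parse_acl(elements):
    """Parse strings like '!10.0.0.0/8', '192.168.0.0/16', 'any', 'none'
    into (negated, network) pairs; network is None for 'none'."""
    acl = []
    for elem in elements:
        elem = elem.strip().rstrip(";").strip()
        negated = elem.startswith("!")
        if negated:
            elem = elem[1:].strip()
        if elem == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif elem == "none":
            net = None
        else:
            # strict=False masks off host bits in a prefix like 192.168.1.5/24;
            # a bare address becomes a /32, i.e. one host
            net = ipaddress.ip_network(elem, strict=False)
        acl.append((negated, net))
    return acl

def acl_allows(acl, client_ip):
    """First matching element wins; a client matching nothing is denied."""
    addr = ipaddress.ip_address(client_ip)
    for negated, net in acl:
        if net is not None and addr in net:
            return not negated
    return False

# The first attempt from the thread and the intended ranges.
# The /24 on the 172.16.1.0 subnet is an assumption made for this example.
FIRST_ATTEMPT = ["192.168.1.0;"]
CORRECTED = ["192.168.0.0/16;", "172.16.1.0/24;"]

def check(elements, client_ip):
    return acl_allows(parse_acl(elements), client_ip)

if __name__ == "__main__":
    for client in ("192.168.1.50", "172.16.1.9", "172.16.2.9"):
        print(client, check(FIRST_ATTEMPT, client), check(CORRECTED, client))
```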
 
#21 Dave_Devnull, 01-11-2010, 04:13 AM

I'm not sure why it's trying to remove the directory, but I suspect the failure may be some kind of munging/bum character in the named.conf file, especially around the:
Code:
options {
directory "/var/lib/named";
dump-file "/var/log/named_dump.db";
area

Have you edited the file on a Windows box that uses the wrong line endings (CRLF -v- LF)? Cut and paste from a browser? Did you change the permissions or owner on /var/lib/named at any stage?

Putting that to one side, this problem:
Code:
*** Can't find server name for address 192.168.1.98: Non-existent domain
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.1.98
Can you remind my old, snow-blinded brain of the query you are issuing to get this?

Rerun the query (or a few) whilst TCPDumping the server on port 53:

Code:
tcpdump -lnx port 53
If the server is actually seeing your query, say a lookup for 'biscuit.com' you'll get a hive of activity:
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:59:29.510961 IP 192.168.1.102.38744 > 192.42.93.30.53: 29203 [1au] A? biscuit.com. (40)
        0x0000:  4500 0044 c039 0000 4011 db18 c0a8 0166
        0x0010:  c02a 5d1e 9758 0035 0030 d3da 7213 0000
        0x0020:  0001 0000 0000 0001 0762 6973 6375 6974
        0x0030:  0363 6f6d 0000 0100 0100 0029 1000 0000
        0x0040:  8000 0000
09:59:29.696045 IP 192.42.93.30.53 > 192.168.1.102.38744: 29203- 0/4/5 (190)
        0x0000:  4500 00da 0000 4000 3011 6abc c02a 5d1e
        0x0010:  c0a8 0166 0035 9758 00c6 ab99 7213 8000
        0x0020:  0001 0000 0004 0005 0762 6973 6375 6974
        0x0030:  0363 6f6d 0000 0100 01c0 0c00 0200 0100
        0x0040:  02a3 0000 1403 6e73 310d 646f
09:59:29.698220 IP 192.168.1.102.57042 > 208.73.211.42.53: 11631 [1au] A? biscuit.com. (40)
        0x0000:  4500 0044 b078 0000 4011 64ae c0a8 0166
        0x0010:  d049 d32a ded2 0035 0030 4ad9 2d6f 0000
        0x0020:  0001 0000 0000 0001 0762 6973 6375 6974
        0x0030:  0363 6f6d 0000 0100 0100 0029 1000 0000
        0x0040:  8000 0000
09:59:29.888292 IP 208.73.211.42.53 > 192.168.1.102.57042: 11631*- 1/4/5 A 208.38.134.211 (206)
        0x0000:  4500 00ea 0000 4000 2e11 e680 d049 d32a
        0x0010:  c0a8 0166 0035 ded2 00d6 069a 2d6f 8400
        0x0020:  0001 0001 0004 0005 0762 6973 6375 6974
        0x0030:  0363 6f6d 0000 0100 01c0 0c00 0100 0100
        0x0040:  0054 6000 04d0 2686 d3c0 0c00
If not, it's fair to say the server is not seeing the query. If so, we need to look at any networking issues or issues with the SuSE firewall.

Last edited by Dave_Devnull; 01-11-2010 at 04:15 AM.
 
#22 chrisgti (Original Poster), 01-11-2010, 05:19 AM

I am editing the files using PuTTY in Windows. I will take a look at that in a bit.

The query I am issuing is simply "nslookup" (no args) from a cmd box in Windows.

Running tcpdump gives no output at all for any nslookup command (port in firewall is open, also tried stopping firewall entirely) - however I can see my requests in /var/log/messages and lookups to external domains are working and I can browse quite happily using my new nameserver. So that is a bit odd.

The research I have done on this points to the lack of a reverse lookup zone...so I made one

zone "1.168.192.in-addr.arpa" {
allow-transfer { any; };
file "master/192.168.1.rev";
type master;
};

And in that file I had simply:

$TTL 1W
@ IN SOA suse.acme.com. root.suse.acme.com. (
42 ; serial (d. adams)
2D ; refresh
4H ; retry
6W ; expiry
1W ) ; minimum

IN NS suse.acme.com
1 IN PTR suse.acme.com

But I still get UnKnown...so I made a small change:

$TTL 1W
@ IN SOA suse.acme.com. root.suse.acme.com. (
42 ; serial (d. adams)
2D ; refresh
4H ; retry
6W ; expiry
1W ) ; minimum

IN NS suse.acme.com
192.168.1.98 IN PTR suse.acme.com

And now I get:

C:\Documents and Settings\Chris>nslookup
1.168.192.in-addr.arpa
primary name server = suse.acme.com
responsible mail addr = root.suse.acme.com
serial = 42
refresh = 172800 (2 days)
retry = 14400 (4 hours)
expire = 3628800 (42 days)
default TTL = 604800 (7 days)
*** Can't find server name for address 192.168.1.98: No information
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.1.98

So..I am getting somewhere..it sees the name for the primary NS but then says no information?

Almost there now I presume..just the odd tweak to make.

I'm rather pleased it's not been a smooth process...it's been a cracking learning exercise

Last edited by chrisgti; 01-11-2010 at 05:55 AM.
 
#23 chrisgti (Original Poster), 01-11-2010, 07:13 AM

Right - looked at PTR records more and clearly my syntax was wrong!

I changed the PTR record to:

98.69.183.195.in-addr.arpa. IN PTR suse.acme.com

Now when I do nslookup I get:

C:\Documents and Settings\Chris>nslookup
Default Server: suse.acme.com.1.168.192.in-addr.arpa
Address: 192.168.1.98

But even with that I wasn't expecting anything after the suse.acme.com...is this still a config thing or is there now nothing to worry about?

I've also now figured out how to lock down requests to specific address ranges (I missed the subnet mask earlier).

So..I think the next step is to add all the records and then set up the slave!

Dave...again, many thanks for your help. Have an e-beer.

Last edited by chrisgti; 01-11-2010 at 07:33 AM.
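Added example, not from the thread, written in Python rather than BIND zone syntax so it can be run: it models the zone-file origin rule behind the "suse.acme.com.1.168.192.in-addr.arpa" shown above (a name without a trailing dot gets the zone origin appended) and renders the reverse zone from earlier in the thread with every name fully qualified; it also generalises to reverse zones wider than a /24. The origin, hostnames and SOA timers come from the posts; the helper names are constructed for this example.

```python
import ipaddress

# Added example, not from the thread. Inside a zone file a name without a
# trailing dot is relative, so the zone origin is appended to it; only names
# ending in "." are taken as written. "IN NS suse.acme.com" in the zone
# 1.168.192.in-addr.arpa therefore names suse.acme.com.1.168.192.in-addr.arpa.

ORIGIN = "1.168.192.in-addr.arpa."   # origin of the reverse zone in the thread

def absolutize(name, origin):
    """'@' is the origin, a name ending in '.' stays as written, anything
    else gets the origin appended (the rule that produced the odd name)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"

def ptr_owner(ip):
    """Absolute PTR owner name: 192.168.1.98 -> 98.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def relative_owner(ip, origin):
    """Label(s) to write at the start of the PTR line relative to origin,
    or None if ip's reverse name is not inside that zone."""
    full = ptr_owner(ip)
    suffix = "." + origin
    return full[: -len(suffix)] if full.endswith(suffix) else None

def ptr_record(ip, hostname, origin=ORIGIN):
    """One PTR line; give hostname its trailing dot or the origin is appended."""
    owner = relative_owner(ip, origin)
    if owner is None:
        raise ValueError(f"{ip} is outside zone {origin}")
    return f"{owner}\tIN\tPTR\t{absolutize(hostname, origin)}"

def render_reverse_zone(origin, nameserver, admin_mail, ptrs, serial=42):
    """Corrected form of the thread's reverse zone: every external name is
    absolute, so the origin is never appended to it. Timers as in the thread."""
    ns, rname = absolutize(nameserver, origin), absolutize(admin_mail, origin)
    lines = ["$TTL 1W",
             f"@\tIN\tSOA\t{ns} {rname} (",
             f"\t\t{serial}\t; serial",
             "\t\t2D\t; refresh", "\t\t4H\t; retry",
             "\t\t6W\t; expiry", "\t\t1W )\t; minimum",
             f"\tIN\tNS\t{ns}"]
    lines += [ptr_record(ip, host, origin) for ip, host in ptrs]
    return "\n".join(lines) + "\n"
```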
 
#24 Dave_Devnull, 01-12-2010, 06:19 AM

I'm sorry I did not respond sooner, I was enjoying that virtual beer and had one too many ;-)
Glad you've got it sorted.
 