LinuxQuestions.org
Old 08-20-2011, 09:18 PM   #1
Nocta
LQ Newbie
 
Registered: Aug 2011
Location: Buenos Aires, Argentina
Distribution: CentOS
Posts: 14

Rep: Reputation: Disabled
CentOS 6 + BIND


Hi,

I'm trying to create a new DNS Server with CentOS 6 and Bind 9.7.

The problem is that when I start the service 'named', I get this error. Can you tell me please why? I'm stuck.

Quote:
Error in named configuration:
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
prueba.ec.zone:2: SOA record not at top of zone (prueba.ec.prueba.ec)
zone prueba.ec/IN: loading from master file prueba.ec.zone failed: not at top of zone
zone prueba.ec/IN: not loaded due to errors.
internal/prueba.ec/IN: not at top of zone
my.external.zone.db:1: no TTL specified; using SOA MINTTL instead
zone my.external.zone/IN: loaded serial 1
This is my named.conf

Quote:
/*
Sample named.conf BIND DNS server 'named' configuration file
for the Red Hat BIND distribution.

See the BIND Administrator's Reference Manual (ARM) for details, in:
file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
its manual.
*/

options
{
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // "Working" directory
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";


/*
Specify listenning interfaces. You can use list of addresses (';' is
delimiter) or keywords "any"/"none"
*/
//listen-on port 53 { any; };
listen-on port 53 { 127.0.0.1; };

//listen-on-v6 port 53 { any; };
listen-on-v6 port 53 { ::1; };

/*
Access restrictions

There are two important options:
allow-query { argument; };
- allow queries for authoritative data

allow-query-cache { argument; };
- allow queries for non-authoritative data (mostly cached data)

You can use address, network address or keywords "any"/"localhost"/"none" as argument
Examples:
allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
*/

allow-query { localhost; };
allow-query-cache { localhost; };

// Enable/disable recursion - recursion yes/no;
recursion yes;

/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */

/* Enable serving of DNSSEC related data - enable on both authoritative
and recursive servers DNSSEC aware servers */
dnssec-enable yes;

/* Enable DNSSEC validation on recursive servers */
dnssec-validation yes;

/* Enable DLV by default, use built-in ISC DLV key. */
dnssec-lookaside auto;
};

logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

/*
Views let a name server answer a DNS query differently depending on who is asking.

By default, if named.conf contains no "view" clauses, all zones are in the
"default" view, which matches all clients.

Views are processed sequentially. The first match is used so the last view should
match "any" - it's fallback and the most restricted view.

If named.conf contains any "view" clause, then all zones MUST be in a view.
*/

view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
* If all you want is a caching-only nameserver, then you need only define this view:
*/
match-clients { localhost; };
recursion yes;

# all views must contain the root hints zone:
zone "." IN {
type hint;
file "/var/named/named.ca";
};

/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* not leak to the other nameservers:
*/
include "/etc/named.rfc1912.zones";
};
view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
that connect via your directly attached LAN interfaces - "localnets" .
*/
match-clients { localnets; };
recursion yes;

zone "." IN {
type hint;
file "/var/named/named.ca";
};

/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* not leak to the other nameservers:
*/
include "/etc/named.rfc1912.zones";

// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :

/*
NOTE for dynamic DNS zones and secondary zones:

DO NOT USE SAME FILES IN MULTIPLE VIEWS!

If you are using views and DDNS/secondary zones it is strongly
recommended to read FAQ on ISC site (www.isc.org), section
"Configuration and Setup Questions", questions
"How do I share a dynamic zone between multiple views?" and
"How can I make a server a slave for both an internal and an external
view at the same time?"
*/

zone "prueba.ec" {
type master;
file "prueba.ec.zone";
};
# zone "my.internal.zone" {
# type master;
# file "my.internal.zone.db";
# };
zone "my.slave.internal.zone" {
type slave;
file "slaves/my.slave.internal.zone.db";
masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
// put slave zones in the slaves/ directory so named can update them
};
zone "my.ddns.internal.zone" {
type master;
allow-update { key ddns_key; };
file "dynamic/my.ddns.internal.zone.db";
// put dynamically updateable zones in the slaves/ directory so named can update them
};
};

key ddns_key
{
algorithm hmac-md5;
secret "----XXX-----";
};

view "external"
{
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not match any above view:
*/
match-clients { any; };

zone "." IN {
type hint;
file "/var/named/named.ca";
};

recursion no;
// you'd probably want to deny recursion to external clients, so you don't
// end up providing free DNS service to all takers

// These are your "authoritative" external zones, and would probably
// contain entries for just your web and mail servers:

zone "my.external.zone" {
type master;
file "my.external.zone.db";
};
};

/* Trusted keys

This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
have to configure at least one trusted key.

Note that no key written below is valid. Especially root key because root zone
is not signed yet.
*/
/*
trusted-keys {
// Root Key
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
/lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";

// Key for forward zone
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
SCThlHf3xiYleDbt/o1OTQ09A0=";

// Key for reverse zone.
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
};
*/
And this is my prueba.ec.zone

Quote:
$TTL 1D
prueba.ec IN SOA prueba.ec root@prueba.ec (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS prueba.ec
A 127.0.0.1
AAAA ::1
Thanks in advance!
 
Old 08-21-2011, 03:30 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 11,517

Rep: Reputation: 1501
Quote:
prueba.ec.zone:2: SOA record not at top of zone (prueba.ec.prueba.ec)
zone prueba.ec/IN: loading from master file prueba.ec.zone failed: not at top of zone
You missed the trailing dot of the ORIGIN (prueba.ec) in the SOA record and in all other occurrences of prueba.ec.
Code:
$TTL 1D
prueba.ec. IN SOA prueba.ec. root@prueba.ec. (
1 ; serial always increase it
<snip>
 NS prueba.ec.
 A 127.0.0.1
Regards

Last edited by bathory; 08-21-2011 at 04:41 AM.
 
1 members found this post helpful.
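As an added example (not code from the thread), a small Python checker that reproduces the reasoning behind named's "not at top of zone" message: it expands relative names against the zone origin exactly as bathory describes, and it also flags the '@' in the RNAME field, which named accepted here but which RFC 1035 writes with a dot. The two zone texts inside are constructed from the ones posted above.

```python
import re

# Owner, optional TTL and class, then the first two SOA fields (MNAME, RNAME).
# Assumes the SOA line carries its owner name explicitly, as in the posted zone.
SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+[smhdw]?\s+)?(?:IN\s+)?SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)",
    re.IGNORECASE)

def qualify(name, origin):
    """Expand a master-file name the way named does: '@' is the origin, a name
    ending in '.' is absolute, anything else is relative and gets the origin
    appended. That is how 'prueba.ec' became 'prueba.ec.prueba.ec' in the error."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"

def check_soa(zone_text, origin):
    """Problems with the zone's SOA line, in named's wording where it has one.
    An empty list means the SOA really sits at the top of the zone."""
    if not origin.endswith("."):
        origin += "."
    for lineno, line in enumerate(zone_text.splitlines(), 1):
        stripped = line.split(";", 1)[0].strip()      # drop ; comments
        if not stripped or stripped.startswith("$"):  # blank, $TTL, $ORIGIN
            continue
        m = SOA_RE.match(stripped)
        if not m:
            continue
        problems = []
        owner = qualify(m["owner"], origin)
        if owner != origin:
            problems.append(f"{lineno}: SOA record not at top of zone ({owner.rstrip('.')})")
        if m["mname"] != "@" and not m["mname"].endswith("."):
            problems.append(f"{lineno}: MNAME {m['mname']} is relative and expands to "
                            f"{qualify(m['mname'], origin)}")
        if "@" in m["rname"]:
            problems.append(f"{lineno}: RNAME {m['rname']} contains '@'; a master-file "
                            f"mailbox uses a dot instead, e.g. root.{origin}")
        return problems
    return ["no SOA record found"]

# Constructed from the zone posted in the thread: no trailing dots anywhere.
BROKEN_ZONE = "\n".join([
    "$TTL 1D",
    "prueba.ec IN SOA prueba.ec root@prueba.ec (",
    "        0  ; serial", "        1D ; refresh", "        1H ; retry",
    "        1W ; expire", "        3H ) ; minimum",
    "        NS    prueba.ec", "        A     127.0.0.1", "        AAAA  ::1",
])

# Constructed: the same zone with absolute names and an RFC 1035 style mailbox.
FIXED_ZONE = "\n".join([
    "$TTL 1D",
    "prueba.ec. IN SOA prueba.ec. root.prueba.ec. (",
    "        1  ; serial", "        1D ; refresh", "        1H ; retry",
    "        1W ; expire", "        3H ) ; minimum",
    "        NS    prueba.ec.", "        A     127.0.0.1", "        AAAA  ::1",
])
```

Running `check_soa(BROKEN_ZONE, "prueba.ec")` reports line 2 with the same `(prueba.ec.prueba.ec)` owner that named printed, while the fixed zone reports nothing.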
Old 08-21-2011, 01:22 PM   #3
Nocta
Original Poster
Thanks. But I got this error:

Quote:
Error in named configuration:
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone 0.in-addr.arpa/IN: loaded serial 0
zone prueba.ec/IN: loaded serial 1
my.internal.zone.db:1: no TTL specified; using SOA MINTTL instead
zone my.internal.zone/IN: loaded serial 1
zone my.ddns.internal.zone/IN: loading from master file dynamic/my.ddns.internal.zone.db failed: file not found
zone my.ddns.internal.zone/IN: not loaded due to errors.
internal/my.ddns.internal.zone/IN: file not found
my.external.zone.db:1: no TTL specified; using SOA MINTTL instead
zone my.external.zone/IN: loaded serial 1
So I deleted this from named.conf (I read on the internet that I should delete it).

Quote:
zone "my.internal.zone" {
type master;
file "my.internal.zone.db";
};
zone "my.slave.internal.zone" {
type slave;
file "slaves/my.slave.internal.zone.db";
masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
// put slave zones in the slaves/ directory so named can update them
};
zone "my.ddns.internal.zone" {
type master;
allow-update { key ddns_key; };
file "dynamic/my.ddns.internal.zone.db";
// put dynamically updateable zones in the slaves/ directory so named can update them
};
And now it's working. But when I change my config on my Windows XP computer, it doesn't work.
I mean, from Windows I can ping it, but it doesn't work as DNS on my LAN.

Last edited by Nocta; 08-21-2011 at 01:30 PM.
 
Old 08-21-2011, 02:21 PM   #4
bathory
It's working because you've deleted the zones whose zone files could not be found.

Quote:
But when I change my config in my Windows XP computer, it doesn't work.
I mean, from Windows I can ping it but doesn't work as DNS on my LAN.
Can you specify what you mean by "it doesn't work"?
As I see the zone file of prueba.ec, you don't have any A records apart from the NS, so there is no other host you can resolve. Also you deleted zones from the internal view that is for clients from your LAN, so your clients now fall to the external view for these zones, with whatever that means.
 
Old 08-21-2011, 02:26 PM   #5
Nocta
Original Poster
What I meant is that when I use this machine (the CentOS one) as a DNS server on the computers of my house, it doesn't work as a DNS. If I try to open Google in my browser, I can't.
If I configure my CentOS machine as the primary DNS server on my Windows XP, I can't access any website.

Sorry for my bad English, I'm from Argentina and we speak Spanish.

Last edited by Nocta; 08-21-2011 at 02:32 PM.
 
Old 08-21-2011, 02:52 PM   #6
bathory
If you want other computers to use your DNS server as a resolver, you should delete the listen options, or use
Code:
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
Also you can comment out or delete
Quote:
allow-query { localhost; };
allow-query-cache { localhost; };
And last but not least, remove the view "localhost_resolver" and make sure you allow recursion for your LAN.
After restarting bind, if it still doesn't work, post your modified named.conf

BTW I'm also not a native English speaker and your English is not worse than mine.

Regards
 
2 members found this post helpful.
Old 08-21-2011, 03:49 PM   #7
Nocta
Original Poster
It's working now but what do you mean by "allow recursion for my LAN"? I

Quote:
/*
Sample named.conf BIND DNS server 'named' configuration file
for the Red Hat BIND distribution.

See the BIND Administrator's Reference Manual (ARM) for details, in:
file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
its manual.
*/

options
{
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // "Working" directory
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";


/*
Specify listenning interfaces. You can use list of addresses (';' is
delimiter) or keywords "any"/"none"
*/
//listen-on port 53 { any; };
listen-on port 53 { any; };

//listen-on-v6 port 53 { any; };
listen-on-v6 port 53 { any; };

/*
Access restrictions

There are two important options:
allow-query { argument; };
- allow queries for authoritative data

allow-query-cache { argument; };
- allow queries for non-authoritative data (mostly cached data)

You can use address, network address or keywords "any"/"localhost"/"none" as argument
Examples:
allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
*/

# allow-query { localhost; };
# allow-query-cache { localhost; };

// Enable/disable recursion - recursion yes/no;
recursion yes;

/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */

/* Enable serving of DNSSEC related data - enable on both authoritative
and recursive servers DNSSEC aware servers */
dnssec-enable yes;

/* Enable DNSSEC validation on recursive servers */
dnssec-validation yes;

/* Enable DLV by default, use built-in ISC DLV key. */
dnssec-lookaside auto;
};

logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

/*
Views let a name server answer a DNS query differently depending on who is asking.

By default, if named.conf contains no "view" clauses, all zones are in the
"default" view, which matches all clients.

Views are processed sequentially. The first match is used so the last view should
match "any" - it's fallback and the most restricted view.

If named.conf contains any "view" clause, then all zones MUST be in a view.
*/

view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
* If all you want is a caching-only nameserver, then you need only define this view:
*/
match-clients { localhost; };
recursion yes;

# all views must contain the root hints zone:
zone "." IN {
type hint;
file "/var/named/named.ca";
};

/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* not leak to the other nameservers:
*/
include "/etc/named.rfc1912.zones";
};
view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
that connect via your directly attached LAN interfaces - "localnets" .
*/
match-clients { localnets; };
recursion yes;

zone "." IN {
type hint;
file "/var/named/named.ca";
};

/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* not leak to the other nameservers:
*/
include "/etc/named.rfc1912.zones";

// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :

/*
NOTE for dynamic DNS zones and secondary zones:

DO NOT USE SAME FILES IN MULTIPLE VIEWS!

If you are using views and DDNS/secondary zones it is strongly
recommended to read FAQ on ISC site (www.isc.org), section
"Configuration and Setup Questions", questions
"How do I share a dynamic zone between multiple views?" and
"How can I make a server a slave for both an internal and an external
view at the same time?"
*/

zone "prueba.ec" {
type master;
file "prueba.ec.zone";
};

};

key ddns_key
{
algorithm hmac-md5;
secret "u3Cx2HOM++hGl1ruFItJCg==";
};

view "external"
{
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not match any above view:
*/
match-clients { any; };

zone "." IN {
type hint;
file "/var/named/named.ca";
};

recursion no;
// you'd probably want to deny recursion to external clients, so you don't
// end up providing free DNS service to all takers

// These are your "authoritative" external zones, and would probably
// contain entries for just your web and mail servers:

zone "my.external.zone" {
type master;
file "my.external.zone.db";
};
};

/* Trusted keys

This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
have to configure at least one trusted key.

Note that no key written below is valid. Especially root key because root zone
is not signed yet.
*/
/*
trusted-keys {
// Root Key
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
/lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";

// Key for forward zone
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
SCThlHf3xiYleDbt/o1OTQ09A0=";

// Key for reverse zone.
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
};
*/
controls {
inet 192.168.0.6 port 3333 allow { 192.168.0.11; };
};
Now I'll need to find out how to view logs.

Thanks mate!
 
Old 08-21-2011, 04:19 PM   #8
bathory
Quote:
It's working now but what do you mean by "allow recursion for my LAN"?
If you're using the named.conf above, then you're OK. It's always good to deny recursion to external hosts, because they can abuse your DNS server, and only allow it for hosts in your LAN (or other selected hosts).
Regarding logging you can use something like the following:
Code:
logging {

channel bindlog {
file "/var/named/named.log" versions 5 size 5m;
print-time yes;
severity info;
};
category default { bindlog;};
category xfer-out { bindlog;};
category xfer-in { bindlog;};
category security { bindlog;};
#category queries { bindlog;};

};
If you want to log queries you may uncomment the line above, but it's generally not recommended as it produces many lines of logs.

If you think your question is answered, you can mark the thread as SOLVED using the thread tools on top of the page.

Regards
 
1 members found this post helpful.
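Added example, not the thread's own code: a Python audit of which named.conf views hand out recursion, modelling the fallback documented in the BIND 9 ARM (allow-recursion, then allow-query-cache, then allow-query, else localnets; localhost). The named.conf texts inside are constructed; they show why commenting out allow-query as suggested in post #6 keeps recursion LAN-only, while replacing it with allow-query { any; } and no allow-recursion would create exactly the open resolver post #8 warns about.

```python
import re
# The three comment styles named accepts: /* */, // and #.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)

def parse(text):
    """Split one brace level of named.conf into (header, body) pairs:
    'recursion yes;' -> ('recursion yes', None); 'view "x" { ... };' ->
    ('view "x"', ' ... '). Nested blocks stay unparsed inside body."""
    items, depth, start, body_start = [], 0, 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                body_start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                items.append((text[start:body_start - 1].strip(), text[body_start:i]))
                start = i + 1
        elif ch == ";" and depth == 0:
            stmt = text[start:i].strip()
            if stmt:
                items.append((stmt, None))
            start = i + 1
    return items

def setting(items, name):
    """['yes'] for 'name yes;', ['a', 'b'] for 'name { a; b; };', None if absent."""
    for header, body in items:
        words = header.split()
        if words and words[0] == name:
            return body.replace(";", " ").split() if body is not None else words[1:]
    return None

def recursion_acl(view_items, options_items):
    """Who may recurse in a view, per the ARM's fallback chain: the first of
    allow-recursion, allow-query-cache, allow-query found in the view or in
    options wins; with none set, named uses localnets; localhost."""
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        for scope in (view_items, options_items):
            acl = setting(scope, name)
            if acl is not None:
                return acl, name
    return ["localnets", "localhost"], "default"

def recursion_exposure(conf):
    """Per view: recursion on?, the ACL allowed to use it, where that ACL came
    from, and whether the view offers recursion to arbitrary clients."""
    items = parse(COMMENT_RE.sub(" ", conf))
    opt_items = parse(next((b for h, b in items if h == "options"), ""))
    views = [(h.split(None, 1)[1].strip('"'), parse(b))
             for h, b in items if h.startswith("view")]
    if not views:  # no view clauses: one implicit view matching every client
        views = [("default", [])]
    report = {}
    for name, vitems in views:
        clients = setting(vitems, "match-clients") or ["any"]
        rec = (setting(vitems, "recursion") or setting(opt_items, "recursion") or ["yes"])[0]
        acl, source = recursion_acl(vitems, opt_items)
        report[name] = {"recursion": rec == "yes", "acl": acl, "acl_source": source,
                        "open_to_any": rec == "yes" and "any" in clients and "any" in acl}
    return report

# Constructed: the shape the thread converged on. allow-query is commented out,
# only the localnets view recurses and the catch-all view has recursion no.
LAN_CONF = """
options { listen-on port 53 { any; }; # allow-query { localhost; };
          recursion yes; };
view "internal" { match-clients { localnets; }; recursion yes;
    zone "prueba.ec" { type master; file "prueba.ec.zone"; }; };
view "external" { match-clients { any; }; recursion no;
    zone "my.external.zone" { type master; file "my.external.zone.db"; }; };
"""

# Constructed: views removed and allow-query opened to any. Because
# allow-recursion falls back to allow-query, this is an open resolver.
OPEN_CONF = """
options { listen-on port 53 { any; }; allow-query { any; }; recursion yes; };
zone "prueba.ec" { type master; file "prueba.ec.zone"; };
"""

# Constructed: the same server closed again with an explicit allow-recursion.
CLOSED_CONF = OPEN_CONF.replace(
    "recursion yes;", "recursion yes; allow-recursion { localnets; localhost; };")
```

`recursion_exposure(OPEN_CONF)["default"]["open_to_any"]` is True; the same call on `LAN_CONF` and `CLOSED_CONF` reports no view that recurses for arbitrary clients.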
Old 08-21-2011, 04:24 PM   #9
Nocta
Original Poster
I should add those lines to named.conf, right?

I'm going to mark it as solved but it'd be great if you could answer me that.

Thanks again!!!
 
Old 08-21-2011, 04:33 PM   #10
bathory
Quote:
I should add those lines to named.conf, right?
Sure, just replace the logging clause you use now with the one above. Just change the path to log file to somewhere that fits your installation.
You may also take a look here for more details.

Regards
 
1 members found this post helpful.
Old 08-21-2011, 06:01 PM   #11
Nocta
Original Poster
I modified my named.conf and restarted the service.

It started OK but the problem now is that it's not writing the log. I checked /var/log/messages

Quote:
Aug 21 18:56:38 localhost named[2989]: /etc/named.conf:233: couldn't add command channel 192.168.0.6#3333: permission denied
Aug 21 18:56:38 localhost named[2989]: the working directory is not writable
Aug 21 18:56:38 localhost named[2989]: logging channel 'bindlog' file '/home/Mariano/Documentos/dnsserver.log': permission denied
Aug 21 18:56:38 localhost named[2989]: isc_log_open '/home/Mariano/Documentos/dnsserver.log' failed: permission denied
The problem is that I don't know what user BIND uses to write the logs. I have already created the dnsserver.log.

EDIT: I tried with other directories and I got the same error.

Thanks in advance.

Last edited by Nocta; 08-21-2011 at 06:28 PM.
 
Old 08-22-2011, 01:24 AM   #12
bathory
Hi,
Quote:
Aug 21 18:56:38 localhost named[2989]: /etc/named.conf:233: couldn't add command channel 192.168.0.6#3333: permission denied
Aug 21 18:56:38 localhost named[2989]: the working directory is not writable
Aug 21 18:56:38 localhost named[2989]: logging channel 'bindlog' file '/home/Mariano/Documentos/dnsserver.log': permission denied
Aug 21 18:56:38 localhost named[2989]: isc_log_open '/home/Mariano/Documentos/dnsserver.log' failed: permission denied
You should use a directory that user named has write privileges on (like /var/named).
And you don't need to create any log file. It will be created automatically.

Regards
 
Old 08-22-2011, 05:08 PM   #13
Nocta
Original Poster
I tried with different directories and I got the same error:

Quote:
Aug 22 17:59:01 localhost named[1966]: /etc/named.conf:233: couldn't add command channel 192.168.0.6#3333: permission denied
Aug 22 17:59:01 localhost named[1966]: the working directory is not writable
Aug 22 17:59:01 localhost named[1966]: logging channel 'bindlog' file '/var/named/dnsserver.log': permission denied
Aug 22 17:59:01 localhost named[1966]: isc_log_open '/var/named/dnsserver.log' failed: permission denied
This is my named.conf (The logging lines)

Quote:
channel bindlog {
file "/var/named/dnsserver.log" versions 5 size 5m;
print-time yes;
severity info;
};
category default { bindlog;};
category xfer-out { bindlog;};
category xfer-in { bindlog;};
category security { bindlog;};
category queries { bindlog;};
};
 
Old 08-22-2011, 05:45 PM   #14
bathory
No need to try different directories. Use one that fits your needs and just make it writable by the user named.
If the working directory is /var/named, it could be SELinux that denies writing to that directory. Better use a subdirectory like
Code:
channel bindlog {
file "/var/named/logs/dnsserver.log" versions 5 size 5m;
<-snip->
Or you are running named chrooted. What is the output of:
Code:
ps -ef|grep named
If you see a -t /some/path, then bind is running chrooted under that /some/path, so the absolute path to the log file is /some/path/var/named/dnsserver.log, so you have to check the permissions on that directory.

Regards
 
Old 08-22-2011, 06:03 PM   #15
Nocta
Original Poster
Quote:
[root@prueba ~]# ps -ef|grep named

root 3171 3056 0 19:02 pts/0 00:00:00 grep named
I changed the named.conf with the lines that you said. It's working now but not writing the log.

Last edited by Nocta; 08-22-2011 at 07:22 PM.
 
  

