LinuxQuestions.org
Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Old 02-04-2008, 08:13 PM   #1
Lantzvillian
Member
 
Registered: Oct 2007
Location: BC, Canada
Distribution: Fedora, Debian
Posts: 210

Rep: Reputation: 41
BIND DNS slave on internal network named.conf question:


Hey everyone,
I have a few questions for you folks about BIND. I have an external DNS master set up (ns1.orangespike.ca : 142.25.96.90) and it works. I then proceeded to put up an internal DNS server; this is behind a router with the IP of 142.25.96.40, however, the router is port forwarding port 53 to the IP of 10.0.0.10.

Ok so on that internal machine we want to accomplish the following:
-Internal network DNS server has three private A record entries
-Receives updates from the external master every three hours.


On the master I know I have to allow the slave to transfer and update. Which IP do I use? the 10.0.0.1 or 142.25.96.40 one?

And on the slave's named.conf

I have my original zone file as follows:

zone "orangespike.com." IN {
        type slave;
        file "slaves/orangespike.com";
        masters {142.25.96.90};
};

zone "slave.orangespike.ca." IN {
        type master;
        notify no;
        file "orangespike.zone";
};

It barks a huge error at me, but these couple of questions first?
 
Old 02-04-2008, 11:52 PM   #2
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 48
First off, don't use B.S. names. Both orangespike.ca and orangespike.com exist, and are nowhere near the IPs you listed. BIND is not an attack vector. Use real names so we can see what is going on. At present, 142.25.96.90 doesn't even accept DNS queries -

Code:
jim@jimsworktop:~$ dig ns1.orangespike.com

; <<>> DiG 9.4.2 <<>> ns1.orangespike.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49752
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.orangespike.com.           IN      A

;; ANSWER SECTION:
ns1.orangespike.com.    300     IN      A       209.86.66.90
ns1.orangespike.com.    300     IN      A       209.86.66.91
ns1.orangespike.com.    300     IN      A       209.86.66.92
ns1.orangespike.com.    300     IN      A       209.86.66.93
ns1.orangespike.com.    300     IN      A       209.86.66.94
ns1.orangespike.com.    300     IN      A       209.86.66.95

;; Query time: 213 msec
;; SERVER: 207.69.188.186#53(207.69.188.186)
;; WHEN: Tue Feb  5 00:37:34 2008
;; MSG SIZE  rcvd: 133

jim@jimsworktop:~$ dig ns1.orangespike.ca

; <<>> DiG 9.4.2 <<>> ns1.orangespike.ca
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36700
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.orangespike.ca.            IN      A

;; ANSWER SECTION:
ns1.orangespike.ca.     300     IN      A       209.86.66.95
ns1.orangespike.ca.     300     IN      A       209.86.66.90
ns1.orangespike.ca.     300     IN      A       209.86.66.91
ns1.orangespike.ca.     300     IN      A       209.86.66.92
ns1.orangespike.ca.     300     IN      A       209.86.66.93
ns1.orangespike.ca.     300     IN      A       209.86.66.94

;; Query time: 149 msec
;; SERVER: 207.69.188.186#53(207.69.188.186)
;; WHEN: Tue Feb  5 00:37:39 2008
;; MSG SIZE  rcvd: 132

jim@jimsworktop:~$ dig -x 142.25.96.90

; <<>> DiG 9.4.2 <<>> -x 142.25.96.90
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49096
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;90.96.25.142.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
90.96.25.142.in-addr.arpa. 3600 IN      PTR     p9690.nanpool.mala.bc.ca.

;; AUTHORITY SECTION:
96.25.142.in-addr.arpa. 86400   IN      NS      triangle.mala.bc.ca.

;; ADDITIONAL SECTION:
triangle.mala.bc.ca.    12957   IN      A       142.25.115.1

;; Query time: 210 msec
;; SERVER: 207.69.188.186#53(207.69.188.186)
;; WHEN: Tue Feb  5 00:38:26 2008
;; MSG SIZE  rcvd: 120

jim@jimsworktop:~$ dig ns1.orangespike.ca @142.25.96.90

; <<>> DiG 9.4.2 <<>> ns1.orangespike.ca @142.25.96.90
;; global options:  printcmd
;; connection timed out; no servers could be reached
jim@jimsworktop:~$ dig ns1.orangespike.com @142.25.96.90

; <<>> DiG 9.4.2 <<>> ns1.orangespike.com @142.25.96.90
;; global options:  printcmd
;; connection timed out; no servers could be reached
I'll proceed using the names you claim to have (though you can't even lie well, first you call it orangespike.ca, then have a zonefile for orangespike.com), but do not do something stupid like steal someone else's domain name for your zone. You'll quickly discover that nobody outside your LAN can see your websites or send you email.

The way to accomplish what you want requires that you set up views. A view allows you to give one answer to the internal LAN (those on the 10.0.0.0 subnet) and another answer to the world at large.

First things first though. On the master, you put the public IP of the slave, not the 10.0.0.10 one. 10.X.Y.Z can't be routed. That would only work if both DNS servers could see each other by LAN IP addresses, which they shouldn't; your 2 name servers should not be at the same location. The update/notify address should be 142.25.96.40.

There is no reason to time the update from the master to the slave. The second the master is updated, it will push the update to the slave literally within 10 seconds. If nothing changes on the master, what is it you're trying to accomplish? BIND is already very well written and maintained. You don't have to time anything.

As to the code, these are taken and modified from one of my servers that is doing exactly what you want done. Since you seem to be using redhat derivative stuff some of the file locations might be different, but the idea is the same. Both the internal and external views need to be fully functional, so some things (the root hint, the localhost and 255 files) are included in both views.

Code:
view "internal" {

        match-clients { 10.0.0.0/24; 127.0.0.1/30; };

        zone "." {
                type hint;
                file "/etc/bind/db.root";
        };

        zone "localhost" {
                type master;
                file "/etc/bind/db.local";
        };

        zone "127.in-addr.arpa" {
                type master;
                file "/etc/bind/db.127";
        };

        zone "0.in-addr.arpa" {
                type master;
                file "/etc/bind/db.0";
        };

        zone "255.in-addr.arpa" {
                type master;
                file "/etc/bind/db.255";
        };

        zone "sub1.orangespike.ca" {
                type master;
                file "inside/sub1.orangespike.ca";
        };

        zone "sub2.orangespike.ca" {
                type master;
                file "inside/sub2.orangespike.ca";
        };

        zone "sub3.orangespike.ca" {
                type master;
                file "inside/sub3.orangespike.ca";
        };

};

view "outside" {

        match-clients { any; };

        zone "." {
                type hint;
                file "/etc/bind/db.root";
        };

        zone "localhost" {
                type master;
                file "/etc/bind/db.local";
        };

        zone "127.in-addr.arpa" {
                type master;
                file "/etc/bind/db.127";
        };

        zone "0.in-addr.arpa" {
                type master;
                file "/etc/bind/db.0";
        };

        zone "255.in-addr.arpa" {
                type master;
                file "/etc/bind/db.255";
        };

        zone "orangespike.com" in {
                type slave;
                file "slaves/orangespike.com";
                masters { 142.25.96.90; };
        };

        zone "orangespike.ca" in {
                type slave;
                file "slaves/orangespike.ca";
                masters { 142.25.96.90; };
        };
};
You'll obviously need to create a directory called 'inside' that is contained in the same directory that has the slaves subdirectory. Make sure the permissions on that directory are identical to the slaves sub as well. Here is how one of the internal zones should look. The only IPs in the internal view should most likely all be on 10.0.0.0 or other LAN addresses.

Code:
$ORIGIN .
$TTL 3600       ; 1 hour
ns2.orangespike.ca             IN SOA  ns2.orangespike.ca. root.orangespike.ca. (
                                2008020500 ; serial
                                7200       ; refresh (2 hours)
                                3600       ; retry (1 hour)
                                1209600    ; expire (2 weeks)
                                3600       ; minimum (1 hour)
                                )
$TTL 7200       ; 2 hours
                        NS      ns2.orangespike.ca.
$TTL 3600       ; 1 hour
                        A       10.0.0.10
                        MX      10 mail.orangespike.ca.
Peace,
JimBass

Last edited by JimBass; 02-04-2008 at 11:55 PM.
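The three points of the reply above (the master must allow transfers to the slave's public address, the slave needs an internal and an external view, and the private A records live only in the internal view) put into one place, as an added example; this is not JimBass's config nor the OP's, and it shows the two named.conf files (one per server) back to back. Assumed, not taken from the thread: the Red Hat style `/var/named` directory and `named.ca` root-hints filename, the `.zone` file names on the master, the acl name `lan`, and the decision to turn recursion off in the outside view so the public side is not an open resolver.

```conf
// ===== File 1: named.conf on ns1.orangespike.ca, the public master (142.25.96.90) =====
// Assumed Red Hat style layout: directory /var/named, zone files named <zone>.zone.
options {
        directory "/var/named";
        recursion no;                       // authoritative only: never an open resolver
        allow-transfer { none; };           // no AXFR at all unless a zone says otherwise
        notify yes;
};

zone "orangespike.ca" IN {
        type master;
        file "orangespike.ca.zone";
        // The slave is reached through its router, so the PUBLIC address goes here;
        // 10.0.0.10 is not routable from this host.
        allow-transfer { 142.25.96.40; };
        also-notify { 142.25.96.40; };
};

zone "orangespike.com" IN {
        type master;
        file "orangespike.com.zone";
        allow-transfer { 142.25.96.40; };
        also-notify { 142.25.96.40; };
};

// ===== File 2: named.conf on ns2, the slave on the LAN (10.0.0.10, port 53 forwarded from 142.25.96.40) =====
acl "lan" { 10.0.0.0/24; 127.0.0.0/8; };    // "lan" is an assumed acl name

options {
        directory "/var/named";
        allow-transfer { none; };           // nobody pulls zones from the slave
};

// Views are tried in the order written and the first match-clients hit wins,
// so the LAN view must come before the view that matches "any".
view "internal" {
        match-clients { "lan"; };
        recursion yes;                      // LAN hosts may use ns2 as their resolver
        allow-recursion { "lan"; };

        zone "." { type hint; file "named.ca"; };   // assumed Red Hat root-hints filename

        zone "sub1.orangespike.ca" {
                type master;
                file "inside/sub1.orangespike.ca";   // the private A records live only here
        };
};

view "outside" {
        match-clients { any; };
        recursion no;                       // the Internet gets authoritative answers only

        zone "orangespike.ca" IN {
                type slave;
                file "slaves/orangespike.ca";
                masters { 142.25.96.90; };
                allow-notify { 142.25.96.90; };     // accept NOTIFY from the master only
        };

        zone "orangespike.com" IN {
                type slave;
                file "slaves/orangespike.com";
                masters { 142.25.96.90; };
                allow-notify { 142.25.96.90; };
        };
};
```

Check each file with `named-checkconf` before reloading, and each internal zone file with `named-checkzone sub1.orangespike.ca inside/sub1.orangespike.ca`; the SOA owner name in the file has to be the zone name given in named.conf or the zone will not load. The router in front of ns2 must forward TCP 53 as well as UDP 53, because zone transfers run over TCP. As a self-check of the transfer restriction, an AXFR request for your own zone sent to the slave from any address that is not listed should come back REFUSED. IP-based `allow-transfer` is what the thread asks about; since the source address of a UDP NOTIFY can be forged, signing transfers and notifies with a TSIG key is the stronger option BIND 9 offers.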
 
Old 02-05-2008, 10:53 AM   #3
Lantzvillian
Member
 
Registered: Oct 2007
Location: BC, Canada
Distribution: Fedora, Debian
Posts: 210

Original Poster
Rep: Reputation: 41
heh I know the IPs don't match, but I do own both domain names. Look at the portfolio on orangespike.ca; you will find the about me and related info corresponds to me. I am sure Malaspina would love having people hammer my server through their firewall, and yes, DNS can be DOS'd with xfer requests last time I checked, but I may be wrong.

But I thank you very much for your help and time. This is working like a charm for me. I will let you know how it goes in a little bit.
 
Old 02-05-2008, 09:45 PM   #4
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 48
To DOS DNS, you need a massive number of requests. A really massive number of requests. Beyond that, a DNS DOS doesn't do much good except to deny access to the site and email. It doesn't allow someone to change data or anything of that nature. Basically, if someone has access to enough machines to DOS DNS, they can do much worse things than just block access. Plus the minute they stop, you're 100% back. In short, it takes such a huge amount of resources to do it, and it doesn't do much beyond block access. It more or less is a waste of computer power on the attacker's part. There are much worse things they can do to you.

I'm glad the configs worked. I didn't bother to look at any of the domains, as I was working from a DNS perspective.

Peace,
JimBass
 