LinuxQuestions.org

Linux - Server: BIND9 as caching-only issue (http://www.linuxquestions.org/questions/linux-server-73/bind9-as-caching-only-issue-900738/)

raevin 09-02-2011 10:45 AM

BIND9 as caching-only issue
 
Anyone know how to make BIND9 act as a public caching-only name server? I can have it run no problems on a local machine, but when I try to make it my name server on a remote machine, it just says NO! to everything.

My setup is a remote VPS that uses the BIND9 DNS service set up as a caching-only server. I've been using my local computer to see if I can use it remotely, which is where the issue arises. I was thinking it could be my home router causing an issue, but I can use Google's public DNS (as well as OpenDNS) just fine. Here's my named.conf.options file:

Code:

options {
        directory "/var/cache/bind";

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        query-source address ###.###.###.### port 53;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

This is on an Ubuntu 11.04 32-bit VPS, by the way. Web services and such work fine, it's only this.

bathory 09-02-2011 11:20 AM

Hi,

Add:
Code:

allow-recursion {x.x.x.x;};
where x.x.x.x is the IP address of the remote box.
Restart named and check.

Regards

raevin 09-02-2011 11:31 AM

Quote:

Originally Posted by bathory (Post 4459753)
Hi,

Add:
Code:

allow-recursion {x.x.x.x;};
where x.x.x.x is the IP address of the remote box.
Restart named and check.

Regards

I tried that, and it still didn't work. I don't have BIND9 running on my local machine, is that necessary for this? I'm hoping not.

In /var/log/messages, I just get a bunch of entries like:
Code:

Sep  2 20:09:01 dns -- MARK --
In /var/log/syslog, I get this:
Code:

Sep  2 20:25:02 dns named[3855]: client my.own.public.ip#40918: query (cache) 'www.youtube.com.dns.securityfor.us/A/IN' denied
Sep  2 20:25:02 dns named[3855]: client my.own.public.ip#52685: query (cache) 'www.youtube.com.dns.securityfor.us/A/IN' denied

When I run ping on a domain from my PC (not the VPS), it doesn't resolve. However, I can ping and run dig on the IP of the site, but I get this output:
Code:

okami@okami-jigoku:~$ dig 74.125.91.105

; <<>> DiG 9.7.3 <<>> 74.125.91.105
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55702
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;74.125.91.105.                        IN        A

;; Query time: 98 msec
;; SERVER: 205.185.126.186#53(205.185.126.186)
;; WHEN: Fri Sep  2 12:24:45 2011
;; MSG SIZE  rcvd: 31

Another thing is that the caching isn't working either, as I keep getting in the upper 90-msec for "Query time". While I know there's latency for this as the DNS caching server is in a different data center, I think it should still be lower than what it is, or am I just doing wishful thinking?

bathory 09-02-2011 12:05 PM

Quote:

I tried that, and it still didn't work. I don't have BIND9 running on my local machine, is that necessary for this? I'm hoping not.
No, but you need to use in /etc/resolv.conf the IP of the name server you're trying to set up.
The logs clearly say you are denied the query. You may add a:
Code:

allow-query {x.x.x.x;};
to explicitly allow your box to issue queries to your dns, even though the "allow-recursion" should have taken care of this. Note that x.x.x.x is the "client my.own.public.ip".

You can remove the forwarders option and use the hint zone instead. Actually a real caching name server uses the hint zone and not forwarders to answer queries. So add the zone definition:
Code:

zone "." {
        type hint;
        file "root.hints";
};

and run:
Code:

dig @a.root-servers.net . ns > /var/cache/bind/root.hints
to create the zone file.
Always restart the service before testing.

Quote:

dig 74.125.91.105
This is not correct. If you want to resolve IPs you need the -x option, like this:
Code:

dig -x 74.125.91.105

raevin 09-02-2011 12:25 PM

Thank you, VERY much, bathory.

I was able to get it to work via the hint zone. My install of BIND9 (from the Ubuntu repository) already came with the hint zone (or it came from the VPS hoster, not sure which). But, I set up BIND to only use that zone file, and it works like a charm now...no errors or anything!

For anyone in the future who might be looking to do this, here's my named.conf.options file:

Code:

options {
        directory "/var/cache/bind";

        allow-recursion { any; };
};

Not sure if the allow-recursion is necessary, but it works. :)

Edit: I did the allow-query thing while waiting for a response earlier, by doing allow-query { any; }; and it still didn't help any.

bathory 09-02-2011 12:41 PM

Glad to see it worked.
Regarding recursion, you should allow it only for your clients, or else anyone can use your dns as a resolver.
BTW you can mark the thread solved, from the "Thread Tools" on top of the page.

Regards
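As an added example (not from bathory's or raevin's posts), here is what that restriction looks like when combined with the hint zone from earlier in the thread, as one named.conf fragment; on Ubuntu the options block lives in named.conf.options and the zone in named.conf.default-zones. The ACL name "trusted" and the 198.51.100.0/24 client network are assumed placeholders.

```conf
// Added example: caching-only resolver that recurses only for known clients.
acl "trusted" {
        127.0.0.1;
        ::1;
        198.51.100.0/24;    // constructed placeholder: the network your clients sit on
};

options {
        directory "/var/cache/bind";

        // The thread's working-but-weak setting turns the VPS into an open resolver:
        //   allow-recursion { any; };
        // Gate plain queries, recursion and cached answers on the same ACL instead.
        allow-query       { trusted; };
        allow-recursion   { trusted; };
        allow-query-cache { trusted; };

        recursion yes;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

// Root hint zone instead of forwarders, as recommended above; the file is
// produced with:  dig @a.root-servers.net . ns > /var/cache/bind/root.hints
zone "." {
        type hint;
        file "root.hints";
};
```

Run named-checkconf before restarting named; a client outside the ACL then gets the same "query (cache) ... denied" syslog line and REFUSED status shown earlier in the thread, which is the expected result rather than a fault.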

raevin 09-02-2011 12:42 PM

Quote:

Originally Posted by bathory (Post 4459800)
Glad to see it worked.
Regarding recursion, you should allow it only for your clients, or else anyone can use your dns as a resolver.
BTW you can mark the thread solved, from the "Thread Tools" on top of the page.

Regards

Thanks. :) Will do about the solve one, I keep forgetting on this forum, lol. Also, in regards to the recursion thing...me and a friend are making a public DNS system (similar to Google's open DNS), so I'd need it available to everyone.
