LinuxQuestions.org
Old 09-02-2011, 10:45 AM   #1
raevin
BIND9 as caching-only issue


Anyone know how to make BIND9 act as a public caching-only name server? I can have it run no problems on a local machine, but when I try to make it my name server on a remote machine, it just says NO! to everything.

My set up is a remote VPS that uses the BIND9 DNS service set up as a caching-only server. I've been using my local computer for seeing if I can use it remotely, which is where the issue arises. I was thinking it could be my home router causing an issue, but I can use Google's public DNS (as well as OpenDNS) just fine. Here's my named.conf.options file:

Code:
options {
        directory "/var/cache/bind";

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        query-source address ###.###.###.### port 53;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
This is on an Ubuntu 11.04 32-bit VPS, by the way. Web services and such work fine, it's only this.

Last edited by raevin; 09-02-2011 at 12:42 PM.
 
Old 09-02-2011, 11:20 AM   #2
bathory
Hi,

Add:
Code:
allow-recursion {x.x.x.x;};
where x.x.x.x is the IP address of the remote box.
Restart named and check.

Regards
 
Old 09-02-2011, 11:31 AM   #3
raevin
Quote:
Originally Posted by bathory
Hi,

Add:
Code:
allow-recursion {x.x.x.x;};
where x.x.x.x is the IP address of the remote box.
Restart named and check.

Regards
I tried that, and it still didn't work. I don't have BIND9 running on my local machine, is that necessary for this? I'm hoping not.

In /var/log/messages, I just get a bunch of entries like:
Code:
Sep  2 20:09:01 dns -- MARK --
In /var/log/syslog, I get this:
Code:
Sep  2 20:25:02 dns named[3855]: client my.own.public.ip#40918: query (cache) 'www.youtube.com.dns.securityfor.us/A/IN' denied
Sep  2 20:25:02 dns named[3855]: client my.own.public.ip#52685: query (cache) 'www.youtube.com.dns.securityfor.us/A/IN' denied
When I run ping on a domain from my PC (not the VPS), it doesn't resolve them. However, I can ping and run dig on the IP of the site, but I get this output:
Code:
okami@okami-jigoku:~$ dig 74.125.91.105

; <<>> DiG 9.7.3 <<>> 74.125.91.105
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55702
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;74.125.91.105.			IN	A

;; Query time: 98 msec
;; SERVER: 205.185.126.186#53(205.185.126.186)
;; WHEN: Fri Sep  2 12:24:45 2011
;; MSG SIZE  rcvd: 31
Another thing is that the caching isn't working either, as I keep getting in the upper 90-msec for "Query time". While I know there's latency for this as the DNS caching server is in a different data center, I think it should still be lower than what it is, or am I just doing wishful thinking?
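The `query (cache) ... denied` lines above are what named logs for every query an ACL rejects. As an added example (not from the thread), this Python script sorts such lines by whether the client is one of your own (an ACL still to fix) or a stranger (the refusal working as intended); the log lines and the 192.0.2.0/24 prefix are constructed placeholders.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample in the format named writes to syslog. The IPs are
# documentation ranges (RFC 5737), not real clients.
SAMPLE_LOG = """\
Sep  2 20:25:02 dns named[3855]: client 192.0.2.10#40918: query (cache) 'www.example.com/A/IN' denied
Sep  2 20:25:02 dns named[3855]: client 192.0.2.10#52685: query (cache) 'www.example.com/AAAA/IN' denied
Sep  2 20:25:07 dns named[3855]: client 198.51.100.7#1337: query (cache) 'isc.org/ANY/IN' denied
Sep  2 20:25:08 dns named[3855]: client 198.51.100.7#1337: query (cache) 'isc.org/ANY/IN' denied
Sep  2 20:25:09 dns named[3855]: client 203.0.113.5#5353: query (cache) 'example.net/TXT/IN' denied
Sep  2 20:25:10 dns -- MARK --
"""

# One line per query that allow-query / allow-recursion rejected.
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<name>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)

def parse_denied(log_text):
    """Return a dict per denied query; MARK and other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def triage(events, allowed_prefixes):
    """Split denials into two counters keyed by (client, qtype):
    'own'     - clients inside your prefixes: an ACL you still need to fix;
    'foreign' - everyone else: the resolver correctly refused a stranger."""
    nets = [ipaddress.ip_network(p) for p in allowed_prefixes]
    own, foreign = Counter(), Counter()
    for ev in events:
        ip = ipaddress.ip_address(ev["ip"])
        bucket = own if any(ip in n for n in nets) else foreign
        bucket[(ev["ip"], ev["qtype"])] += 1
    return own, foreign

if __name__ == "__main__":
    own, foreign = triage(parse_denied(SAMPLE_LOG), ["192.0.2.0/24"])
    for label, counter in (("own clients (fix the ACL)", own),
                           ("foreign clients (refused, as intended)", foreign)):
        print(label)
        for (ip, qtype), n in counter.most_common():
            print(f"  {ip:16} {qtype:5} x{n}")
```

Point it at `/var/log/syslog` instead of `SAMPLE_LOG` and put your real client prefixes in the list; repeated ANY or TXT refusals from foreign addresses are the traffic an open resolver would have amplified.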
 
Old 09-02-2011, 12:05 PM   #4
bathory
Quote:
I tried that, and it still didn't work. I don't have BIND9 running on my local machine, is that necessary for this? I'm hoping not.
No, but you need to use in /etc/resolv.conf the IP of the name server you're trying to set up.
The logs clearly say you are denied the query. You may add a:
Code:
allow-query {x.x.x.x;};
to explicitly allow your box to issue queries to your dns, even though the "allow-recursion" should have taken care of this. Note that x.x.x.x is the "client my.own.public.ip".

You can remove the forwarders option and use the hint zone instead. Actually a real caching name server uses the hint zone and not forwarders to answer queries. So add the zone definition:
Code:
zone "." {
        type hint;
        file "root.hints";
};
and run:
Code:
dig @a.root-servers.net . ns > /var/cache/bind/root.hints
to create the zone file.
Always restart the service before testing.

Quote:
dig 74.125.91.105
This is not correct. If you want to resolve IPs you need the -x option, like this:
Code:
dig -x 74.125.91.105
 
Old 09-02-2011, 12:25 PM   #5
raevin
Thank you, VERY much, bathory.

I was able to get it to work via the hint zone. My install of BIND9 (from the Ubuntu repository) already came with the hint zone (or it came from the VPS hoster, not sure which). But, I set up BIND to only use that zone file, and it works like a charm now...no errors or anything!

For anyone in the future who might be looking to do this, here's my named.conf.options file:

Code:
options {
        directory "/var/cache/bind";

        allow-recursion { any; };
};
Not sure if the allow-recursion is necessary, but it works.

Edit: I did the allow-query thing while waiting for a response earlier, by doing allow-query { any; }; and it still didn't help any.

Last edited by raevin; 09-02-2011 at 12:26 PM.
 
Old 09-02-2011, 12:41 PM   #6
bathory
Glad to see it worked.
Regarding recursion, you should allow it only for your clients, or else anyone can use your dns as a resolver.
BTW you can mark the thread solved, from the "Thread Tools" on top of the page.

Regards
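Putting bathory's advice into one configuration, as an added example that is not from the thread: the `any` setting from post #5 (kept here as a comment) is what turns the box into an open resolver, while the hardened version names the client prefixes once in an acl and reuses it for query, recursion and cache access, keeping the hint zone from post #4. 192.0.2.0/24 is a placeholder documentation range; substitute your own prefixes.

```conf
// Weak (post #5): anyone on the Internet may recurse through this box.
// options {
//         directory "/var/cache/bind";
//         allow-recursion { any; };
// };

// Hardened: list your clients once, then reference the ACL everywhere.
acl "my-clients" {
        127.0.0.1;
        ::1;
        192.0.2.0/24;           // placeholder: your home/office prefix
};

options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query       { my-clients; };
        allow-recursion   { my-clients; };
        allow-query-cache { my-clients; };   // cached answers stay private too
        allow-transfer    { none; };         // a resolver serves no zones

        auth-nxdomain no;    // conform to RFC1035
        listen-on-v6 { any; };
};

// Root hints (post #4): iterate from the root instead of forwarding.
zone "." {
        type hint;
        file "root.hints";
};
```

Run `named-checkconf` before restarting; on Ubuntu the acl and options blocks belong in named.conf.options, and the hint zone is already declared in named.conf.default-zones, which is why the original poster's install came with it.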
 
Old 09-02-2011, 12:42 PM   #7
raevin
Quote:
Originally Posted by bathory
Glad to see it worked.
Regarding recursion, you should allow it only for your clients, or else anyone can use your dns as a resolver.
BTW you can mark the thread solved, from the "Thread Tools" on top of the page.

Regards
Thanks. Will do about the solved one, I keep forgetting on this forum, lol. Also, in regards to the recursion thing...a friend and I are making a public DNS system (similar to Google's open DNS), so I'd need it available to everyone.