Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hi im attempting to setup a caching nameserver with the hope it will negate at least a little the current slowdown i have experienced since the DNS exploit problem was patched.
I have followed the guide at howtoforge on doing so, and all is fine except for a few questions i have regarding an error ive got.
When i do an nslookup on the nameserver i get back this:
Which is sort of correct, but i gather the last part is because i need to open port 53. Is this required at both the router and iptables level (i know i need to open up at iptables level on that machine so i can send requests from other machines). Can it not ask my ISP's nameserver passively like normal?
My config files.
mydomain zone file
Code:
$TTL 86400
@ IN SOA @ nospam.mydomain.co.uk. (
42 ; serial (j. smith)
3H ; refresh
15M ; retry
1W ; expiry
1D ; minimum
@ IN NS nameserver.mydomain.co.uk.
nameserver IN A 192.168.1.10
www IN A 192.168.1.10
machine1 IN A 192.168.1.20
machine2 IN A 192.168.1.10
machine3 IN A 192.168.1.30
named.conf
Code:
zone "mydomain.co.uk" IN {
type master;
file "mydomain.co.uk.zone";
allow-update { none; };
};
I'm making no claims to bind knowledge, but this works on mine, and I note the format is a little different (this is on CentOS, so I guess we are both using bind9)
Thanks, id guess that bind is the same on both Centos and Fedora. In all honesty i wish i had that machine running Centos, but it isnt.
Thanks for the config, i'll try it.
Ive discovered the error message is related to reverse dns, and the fact it doesnt work (on that box anyway). But the other machines seem to be able to send dns queries to the dns box without issue, although it doesnt seem to be caching them.
I'll post back if i find a solution, or if your zone file works.
The dump file will be in your named directory named named_dump.db.
If all your clients are on the LAN with the server, your firewall won't be involved (...usually, not unless you have very restrictive settings). Of course the server's iptables must be allow clients to query.
Use dig to query. nslookup is essentially deprecated, and uses its own internal resolver instead of the standard system resolver used by all other networking clients.
It sounds like you are asking about running a forwarding name server, forwarding requests to your ISPs name server when answers are not in the cache.. All bind name servers cache, btw.
Run named-checkconf to check your named.conf file after changes, and be sure to check syslog output in /var/log/messages (usually there).
That was the entire named.conf, which i think was the problem. It now contains the following:
Code:
options {
directory "/var/named";
forwarders {
194.168.4.100;
193.38.113.3;
};
query-source-address * 53;
};
zone "mydomain.co.uk" IN {
type master;
file "mydomain.co.uk.zone";
allow-update { none; };
};
zone "named.ca" {
type hint;
file "";
};
//zone "1.168.192.IN.ADDR.ARPA" {
// type master;
// file "192_168_1.rev";
// allow transfer {127.0.0.1; };
//};
I started following a dns server guide on tldp.org and i managed to get it all working for about 30 mins, then it died and hasnt worked since.
The domain im specifiying is a domain i own but currently is not pointed at my nameserver. Would pointing it at my DNS be sufficient to get rid of the lookup error?
I added some new A records for various computers on my LAN and only then did the ability for me to send requests work on those machines?
My next course of action will probably be to buy a book on bind, probably the O'Reilly one, and delve in a bit deeper, as this project is an exploration into whether i could resolve some of my domain names from my own DNS servers. Also an attempt to speed up my internet which has been very slow for the last couple of weeks.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
PHP Code:
query-source-address * 53;
NO NO NO NO NO!!! That will make it trivial to hijack your DNS. I really wish people who wrote FAQs knew WTF they were doing. People should need to get licenses to write guides on the Internet. Comment that out immediately, and for anyone else reading this post go check your named.conf to make sure it's not mis-configured in the same way. Even if you have the latest version of BIND, you will be severely vulnerable to cache-poisoning attacks.
If your firewall is set to only allow queries to port 53 come from port 53, then change your firewall--it's wrong. Doing that adds no security to the firewall, but it removes all the security from your nameserver.
PHP Code:
zone "named.ca" { type hint; file ""; };
The root hint file is supposedly optional now, but for completeness you can get the proper file instead of leaving your hint file blank. I looked at two sets nameservers that I run (one set on OpenBSD, the other on Linux) and they have the hints specified differently. I'll go with the Linux configuration since that's what you're using (remove the section above and replace with this):
PHP Code:
include "/path/to/root.hints";
If you don't know where the root.hint file is, you can download it:
Quote:
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.root
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
PHP Code:
zone "mydomain.co.uk" IN { type master; file "mydomain.co.uk.zone"; allow-update { none; }; };
That's fine as long as only your internal servers query off of it, but you should update it to be explicit about who may query:
PHP Code:
zone "mydomain.co.uk" IN { type master; file "mydomain.co.uk.zone"; allow-update { none; }; allow-transfer { localhost; }; allow-query { localhost; localnets; }; };
Make sure you have $ORIGIN set:
PHP Code:
$TTL 86400 @ IN SOA @ nospam.mydomain.co.uk. (
Should be:
PHP Code:
$ORIGIN mydomain.co.uk. $TTL 86400 @ IN SOA @ nospam.mydomain.co.uk. (
Firstly the named.ca file exists (its out of date in that several rootservers have changed ip since it was generated), i was going to create a script to download the root.hints file once a month from Internic.
Im using chroot'd bind, so do i need to store the hints file within the chroot'd dir and symlink it to /var/named, or can i just place it in /var/named?
Since last night i closed off port 53 on the router, so no incoming active connection can be made to the server, will it be ok for now to run it that way, as i dont think im quite at the point where i wish to go live, for now its more just for internal testing.
The file contents.
named.conf
Code:
options {
directory "/var/named";
forwarders {
194.168.4.100;
193.38.113.3;
};
};
zone "mydomain.co.uk" IN {
type master;
file "mydomain.co.uk.zone";
allow-update { none; };
allow-transfer { localhost; };
allow-query { localhost; localnets; };
};
include "/var/named/named.ca";
mydomain.co.uk.zone
Code:
$ORIGIN mydomain.co.uk
$TTL 604800 ; 1 week
@ IN SOA @ ns1.mydomain.co.uk. (
2008012788 ; serial
86400 ; refresh (1 day)
7200 ; retry (2 hours)
1209600 ; expire (2 weeks)
604800 ; minimum (1 week)
)
IN NS 192.168.1.10.mydomain.co.uk.
IN MX mail.mydomain.co.uk.
s1.mydomain.co.uk. IN A 192.168.1.20 ;
s3.mydomain.co.uk. IN A 192.168.1.30 ;
Error messages wise (from /var/log/messages), some problems with resolving ipv6 addresses which is likely due to the fact i dont use ipv6, and its disabled on that network adapter. All the rootservers run by theplanet are timing out.
/var/log/messages
Code:
Aug 13 20:48:49 myserver named-sdb[26150]: starting BIND 9.5.0-P1 -u named -t /var/named/chroot
Aug 13 20:48:49 myserver named-sdb[26150]: found 4 CPUs, using 4 worker threads
Aug 13 20:48:49 myserver named-sdb[26150]: SDB ldap zone database module loaded.
Aug 13 20:48:49 myserver named-sdb[26150]: SDB postgreSQL DB zone database module loaded.
Aug 13 20:48:49 myserver named-sdb[26150]: SDB sqlite3 DB zone database module loaded.
Aug 13 20:48:49 myserver named-sdb[26150]: SDB directory DB zone database module loaded.
Aug 13 20:48:49 myserver named-sdb[26150]: loading configuration from '/etc/named.conf'
Aug 13 20:48:49 myserver named-sdb[26150]: the working directory is not writable
Aug 13 20:48:49 myserver named-sdb[26150]: listening on IPv6 interface lo, ::1#53
Aug 13 20:48:49 myserver named-sdb[26150]: listening on IPv4 interface lo, 127.0.0.1#53
Aug 13 20:48:49 myserver named-sdb[26150]: default max-cache-size (33554432) applies
Aug 13 20:48:49 myserver named-sdb[26150]: automatic empty zone: 127.IN-ADDR.ARPA
Aug 13 20:48:49 myserver named-sdb[26150]: automatic empty zone: 254.169.IN-ADDR.ARPA
Aug 13 20:48:49 myserver named-sdb[26150]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Aug 13 20:48:49 myserver named-sdb[26150]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Aug 13 20:48:49 myserver named-sdb[26150]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Aug 13 20:48:49 myserver named-sdb[26150]: automatic empty zone: D.F.IP6.ARPA
Aug 13 20:48:49 myserver named-sdb[26150]: automatic empty zone: 8.E.F.IP6.ARPA
Aug 13 20:48:49 myserver named-sdb[26150]: automatic empty zone: 9.E.F.IP6.ARPA
Aug 13 20:48:49 myserver named-sdb[26150]: automatic empty zone: A.E.F.IP6.ARPA
Aug 13 20:48:49 myserver named-sdb[26150]: automatic empty zone: B.E.F.IP6.ARPA
Aug 13 20:48:49 myserver named-sdb[26150]: default max-cache-size (33554432) applies: view _bind
Aug 13 20:48:49 myserver named-sdb[26150]: command channel listening on 127.0.0.1#953
Aug 13 20:48:49 myserver named-sdb[26150]: command channel listening on ::1#953
Aug 13 20:48:49 myserver named-sdb[26150]: zone 0.in-addr.arpa/IN: NS '0.in-addr.arpa' has no address records (A or AAAA)
Aug 13 20:48:49 myserver named-sdb[26150]: zone 0.in-addr.arpa/IN: loaded serial 0
Aug 13 20:48:49 myserver named-sdb[26150]: zone 1.0.0.127.in-addr.arpa/IN: NS '1.0.0.127.in-addr.arpa' has no address records (A or AAAA)
Aug 13 20:48:49 myserver named-sdb[26150]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Aug 13 20:48:49 myserver named-sdb[26150]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: NS '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa' has no address records (A or AAAA)
Aug 13 20:48:49 myserver named-sdb[26150]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Aug 13 20:48:49 myserver named-sdb[26150]: zone localhost.localdomain/IN: loaded serial 0
Aug 13 20:48:49 myserver named-sdb[26150]: zone localhost/IN: loaded serial 0
Aug 13 20:48:49 myserver named-sdb[26150]: running
Requests from other machines on the LAN seem to work ok, but email doesnt, because the smtp server for my isp is unknown (until i re-enabled the ISP dns servers in resolv.conf on that machine, not the dns server machine), normal web browsing is fine.
All files have been place in /var/named/chroot/var/named (and symlinked to /var/named), but according to the log the directory isnt writable, what would the permissions need to be? 0777 or 0770? They are currently set at 0750.
For clarification, ORIGIN is implicitly set to the name of the zone when the zone file is read. Still, good practice and clearer to manually specify it.
Quote:
Originally Posted by v00d00101
Firstly the named.ca file exists (its out of date in that several rootservers have changed ip since it was generated), i was going to create a script to download the root.hints file once a month from Internic.
This will generate an up-to-date root hints data:
$ dig @b.root-servers.net . ns
Quote:
Originally Posted by v00d00101
Since last night i closed off port 53 on the router, so no incoming active connection can be made to the server, will it be ok for now to run it that way, as i dont think im quite at the point where i wish to go live, for now its more just for internal testing.
If this was a response to the query-source vulnerability that chort mentioned, there is no relation. The query-source address and port are the SOURCE (eg. your system), and not the DESTINATION, address/port pair, . The default source port of * allows the usage of random UDP ports, and this is the key to diffusing the cache poisoning vulnerability.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
Don't every chmod anything 0777, that's like painting a gigantic bullseye on your machine and broadcasting that you would like to be hacked.
Make sure that the directories are owned by the same user that named runs as. On the CentOS systems I run, the data/ directory is chown'd named:named, same for the slave/ directory.
For pesky ISP zones, you can do something like this:
PHP Code:
zone "my.isp.tld" IN { type forward; forward only; forwarders { isp_ns_1; isp_ns2; }; allow-query { localhost; localnets; }; };
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
