dns - named.conf

agriz · 10-09-2013, 11:24 AM

Code:

named.conf

options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { none; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { 127.0.0.1;ip.address/29; };
        allow-transfer{ none; };
        forwarders { 8.8.8.8;8.8.4.4; };
        forward only;
        recursion no;
        allow-recursion { any ; };
        allow-query-on {any;};
        allow-query-cache { any; };

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
        cleaning-interval 40320;
        version "Not available";
        fetch-glue no;
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";

zone "xxx.xxx.xxx.in-addr.arpa" IN {
type master;
file "/var/named/server.sitename.com.db";
allow-update { none; };
};

zone "sitename.com" IN {
type master;
file "/var/named/sitename.com.db";
allow-update { none; };
};

include "/etc/named.root.key";

The above is not working.
If i change this two lines, it is working.

Code:

listen-on port 53 { 127.0.0.1; };
allow-query     { 127.0.0.1;ip.address/29; };

Code:

#listen-on port 53 { 127.0.0.1; };
allow-query     { any; };

Why is that so?
Why should i use allow-query any?

Habitual · 10-09-2013, 12:03 PM

Os.build.platform, bind version?

agriz · 10-09-2013, 12:19 PM

Quote:

Originally Posted by Habitual

Os.build.platform, bind version?

BIND 9.8.2
Centos 6.4

bathory · 10-09-2013, 01:31 PM

Quote:

The above is not working.
If i change this two lines, it is working.

listen-on port 53 { 127.0.0.1; };
allow-query { 127.0.0.1;ip.address/29; };

#listen-on port 53 { 127.0.0.1; };
allow-query { any; };

Why is that so?
Why should i use allow-query any?

What you mean by "it's not working"? You can't use the dns to resolve hostnames or what?

agriz · 10-09-2013, 11:30 PM

Yes,

nslookup failed for the domain.

Code:

;; Got SERVFAIL reply from 8.8.8.8, trying next server
Server:         8.8.8.8
Address:        8.8.8.8#53

** server can't find site.com: SERVERFAIL

Code:

/etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
xxx.xxx.xxx.218   server.site.com server
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Code:

/etc/resolv.conf

search site.com.
nameserver 8.8.8.8
nameserver 8.8.4.4

Code:

/etc/sysconfig/network-scripts/ifcfg-eth1

DEVICE="ethx"
BOOTPROTO=none
BROADCAST="xxx.xxx.xxx.223"
#DNS1="xxx.xxx.xxx.xxx"
GATEWAY="xxx.xxx.xxx.217"
IPADDR="xxx.xxx.xxx.218"
NETMASK="xxx.xxx.xxx.xxx"
NM_CONTROLLED="no"
ONBOOT="yes"
TYPE="Ethernet"
UUID="xxx-x-xx-x64"
HWADDR=some hardware id
PREFIX=29
#DNS2=xxx.xxx.xxx.xx
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System ethx"
LAST_CONNECT=1381101290
IPV6INIT=no
IPV6_AUTOCONF=no

Code:

forward zone file


$TTL    86400 ; 24 hours could have been written as 24h or 1d
$ORIGIN site.com.
@  1D  IN        SOA ns1.site.com.      info.site.com. (
                              2002022401 ; serial
                              3H ; refresh
                              15 ; retry
                              1w ; expire
                              3h ; minimum
                             )
       IN  NS     ns1.site.com.
       IN  NS     ns2.site.com.
       IN  MX  10 mail.site.com.
; server host definitions
ns1    IN  A      server_ip_address
ns2    IN  A      server_ip_address  
mail   IN  A      server_ip_address  
www    IN  A      server_ip_address
ftp    IN  CNAME  www.site.com.

bathory · 10-10-2013, 02:14 AM

Hi,

In /etc/resolv.conf of the dns server you should use the ip of your dns (and/or use localhost), e.g.:

Code:

search site.com.
nameserver 127.0.0.1
nameserver server_ip_address
nameserver 8.8.8.8

And you need to use

Code:

#listen-on port 53 { 127.0.0.1; };
allow-query     { any; };

if you want your domain to be resolvable by anyone.

Regards

agriz · 10-10-2013, 03:38 AM

Is there any security issue with

Code:

allow-query     { any; };

Or is it okay to use?

bathory · 10-10-2013, 05:15 AM

Quote:

Originally Posted by agriz

Is there any security issue with

Code:

allow-query     { any; };

Or is it okay to use?

If you are running an authoritative dns for a domain, you need to allow queries to it from everyone
As for security, try to keep the server up-to-date with updates and bug fixes.

Also note that you need to limit recursion to your LAN, so use:

Code:

allow-recursion { localnets ; };

and remove any other "recursion" occurrence in named.conf
Remove also the forwarding related directives, since you're running an authoritative dns

chantiem48@gmail.com · 07-12-2014, 03:41 PM

hey should give the entry of resolve.conf file