Old 06-16-2009, 02:57 PM   #1
ksorensen
LQ Newbie
 
Registered: Jun 2009
Posts: 8

Rep: Reputation: 0
simple caching nameserver on CentOS 5 - no luck so far


Greetings. I'm trying to set up a dns server - all I want (for now) is a caching nameserver on CentOS 5:

install CentOS 5 from CentOS-5.0-i386-bin-DVD.iso

choose "Server" option only

set IP address and hostname, set root pw, create basic user for login & testing

yum install (or update if already installed) bind, bind-utils, bind-libs, bind-chroot, caching-nameserver

that's it, right?

change /etc/resolv.conf to point to localhost:
search mydomain.bogus
nameserver 127.0.0.1


maybe tweak /var/named/chroot/etc/named.caching-nameserver.conf to listen on eth0 in addition to loopback, and change "allow-query" to "any", change "match-clients" and "match-destinations" to "any" to open things up.

But unless I use a forwarder, or change my /etc/resolv.conf to point to a working nameserver, I get:

[root@ns1 ~]# nslookup linuxquestions.org
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find linuxquestions.org: SERVFAIL


tcpdump shows an outbound request but no response; try a different domain and get:

[root@ns1 ~]# nslookup mit.edu
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find mit.edu: SERVFAIL

this time, tcpdump shows queries and responses from d.root-servers.net:

12:00:58.109081 192.168.1.2.43644 > 128.8.10.90.domain: udp 36 (DF)
12:00:58.109084 192.168.1.2.43644 > 128.8.10.90.domain: udp 36 (DF)
12:00:58.142935 128.8.10.90.domain > 192.168.1.2.43644: udp 304
12:00:58.142965 128.8.10.90.domain > 192.168.1.2.43644: udp 304
12:00:58.143525 192.168.1.2.58971 > 192.5.6.30.domain: udp 36 (DF)
12:00:58.143533 192.168.1.2.58971 > 192.5.6.30.domain: udp 36 (DF)
12:00:58.218621 192.5.6.30.domain > 192.168.1.2.58971: udp 145 (DF)
12:00:58.218638 192.5.6.30.domain > 192.168.1.2.58971: udp 145 (DF)


This should be so easy, according to all the posts, howtos, RH docs, and other texts I can find on basic BIND/DNS...
 
Old 06-16-2009, 03:19 PM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,937

Rep: Reputation: 1330
Could you please post named.conf. You have to define there the "." hint zone as noted in this example.
 
Old 06-16-2009, 09:46 PM   #3
ksorensen
LQ Newbie
 
Registered: Jun 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Well, with caching-nameserver, you get /etc/named.caching-nameserver.conf instead of /etc/named.conf - in it is the include statement seen below:

view localhost_resolver {
match-clients { any; };
match-destinations { any; };
recursion yes;
include "/etc/named.rfc1912.zones";
};

and within /etc/named.rfc1912.zones, you get:

zone "." IN {
type hint;
file "named.ca";
};

...as you point out in the example. The RHEL docs say to override the default settings, use /etc/named.conf instead, so I tried that with a simplified /etc/named.conf as described in my 'RH6 unleashed' text, Nikolai Langfeldt's howto, and many other documents, using the various hints found there and elsewhere. Your post with "keysorsoze" back on 10-14-07 sounds very similar, but I'm getting SERVFAIL right on the name server, otherwise I'd say the solution was in that post...

but anyway here's /etc/named.caching-nameserver.conf for your perusal:


//
// named.caching-nameserver.conf
//
// Provided by Red Hat caching-nameserver package to configure the
// ISC BIND named(8) DNS server as a caching only nameserver
// (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// DO NOT EDIT THIS FILE - use system-config-bind or an editor
// to create named.conf - edits to this file will be lost on
// caching-nameserver package upgrade.
//
options {
listen-on port 53 { 127.0.0.1;172.16.1.69; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";

// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;

allow-query { any; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view localhost_resolver {
match-clients { any; };
match-destinations { any; };
recursion yes;
include "/etc/named.rfc1912.zones";
};

Thanks!
 
Old 06-17-2009, 12:02 AM   #4
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,937

Rep: Reputation: 1330
I guess you have to copy /etc/named.caching-nameserver.conf to /etc/named.conf.
 
Old 06-17-2009, 12:20 AM   #5
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Or more likely to /var/named/chroot/etc since I think the default is bind-chrooted in CentOS (at least it was for me).

ps aux | grep named

will tell you.

As I recall, there is no default symlink from /etc to the chrooted directory (or vice versa)

Last edited by billymayday; 06-17-2009 at 12:23 AM.
 
Old 06-17-2009, 05:30 AM   #6
ksorensen
LQ Newbie
 
Registered: Jun 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Thanks, gents. I think I tried this before, but did again for good measure - copied the .conf to /var/named/chroot/etc/named.conf and then ln -s the file to /etc/named.conf. Also had to chown it from root:root to root:named, as the install runs named as user 'named'. syslog for named shows it's now starting using named.conf. Same results, SERVFAIL. I may just give up and put forwarders in until I stumble across the solution. Or maybe try another distro...
 
Old 06-17-2009, 05:45 AM   #7
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Make sure you

chcon root:object_r:named_conf_t /var/named/chroot/etc/named.conf

If that doesn't fix it, try with SELinux off (setenforce 0) and see if that works.
 
Old 06-17-2009, 05:50 AM   #8
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Also try http://www.redhat.com/docs/en-US/Red...e/ch-bind.html
 
Old 06-17-2009, 07:15 AM   #9
ksorensen
LQ Newbie
 
Registered: Jun 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by billymayday
Also try http://www.redhat.com/docs/en-US/Red...e/ch-bind.html
I have a well-worn copy on my desk. It's definitely helpful in understanding and configuring BIND.
 
Old 06-17-2009, 07:22 AM   #10
ksorensen
LQ Newbie
 
Registered: Jun 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by billymayday
Make sure you

chcon root:object_r:named_conf_t /var/named/chroot/etc/named.conf
Nope.

Quote:
Originally Posted by billymayday
If that doesn't fix it, try with SELinux off (setenforce 0) and see if that works.
Well. What do you know. <stream of profanity> Guess I have to bone up on SELinux. A million thank-yous. I assume the "chcon" command was to set the proper security context for named.conf. Assuming that caching-nameserver is supposed to run "out of the box" as installed by yum, I'd guess the problem is with one or more of the files created by the install, as named.conf isn't required for the most basic caching nameserver. I'm going to try again from scratch (the whole process takes 20 minutes) and make sure it runs as expected, minus the security permission.

Again, thanks for your help! At least I know I was doing most of it correctly.
 
Old 06-17-2009, 10:37 AM   #11
ksorensen
LQ Newbie
 
Registered: Jun 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Apparently I'm not alone: http://www.tgharold.com/techblog/200..._archive.shtml

"The gist seems to be that RedHat (and CentOS) are using a chroot bind installation in conjunction with an SELinux policy that expects the bind configuration files to be in a non-chroot setup. But there aren't very clear instructions there on fixing it."

so I re-enabled SELinux 'setenforce 1' and disabled enforcement explicitly for named 'setsebool named_disable_trans=1', and it works. Now I can either find out what exactly in the SELinux policy is interfering with named or perhaps reinstall bind and hand-configure caching.
 
Old 06-17-2009, 12:22 PM   #12
ksorensen
LQ Newbie
 
Registered: Jun 2009
Posts: 8

Original Poster
Rep: Reputation: 0
http://www.bind9.net/BIND-FAQ

"Red Hat have adopted the National Security Agency's SELinux security policy (see http://www.nsa.gov/selinux) and recommendations for BIND security, which are more secure than running named in a chroot and make use of the bind-chroot environment unnecessary."

...and breaks bind-chroot anyway

Well, I guess I'll opt to start over again without bind-chroot!
 
Old 06-19-2009, 09:08 AM   #13
ksorensen
LQ Newbie
 
Registered: Jun 2009
Posts: 8

Original Poster
Rep: Reputation: 0
Hmm. Doesn't seem to matter - install bind, bind-libs, bind-utils, caching-nameserver with the same result on a fresh server. Am I the only one doing this? Disabling SELinux security for the bind context 'fixes' it.
 
Old 06-19-2009, 03:29 PM   #14
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Looks like I'd disabled SELinux for bind too. Must have been some time ago.

You can always look at the logs (/var/log/audit/audit.log), and use audit2allow to create a new policy. There's a good guide in the RH deployment docs (and elsewhere).
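An added example, not from this thread or any of its posters: a shell script that pulls the AVC denials raised by named out of an audit.log (a constructed excerpt here, modelled on the mislabelled named.conf copied into the chroot) and flags any file whose label is not one named is allowed to read. That is the check to run before reaching for setenforce 0 or named_disable_trans. named_conf_t comes from the thread; named_zone_t, named_cache_t, the etc_t label on the sample file and the restorecon/chcon suggestion are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: see what SELinux denies named before
# turning enforcement off (setenforce 0 / setsebool named_disable_trans=1).
# Constructed audit.log excerpt: two denials for a named.conf copied into the
# chroot, which left it labelled etc_t (assumed) instead of named_conf_t, plus
# an unrelated httpd denial that must be ignored.
SAMPLE_AUDIT_LOG=$(cat <<'EOF'
type=SYSCALL msg=audit(1245233400.101:201): arch=40000003 syscall=5 success=no exit=-13 comm="named" exe="/usr/sbin/named"
type=AVC msg=audit(1245233400.101:201): avc:  denied  { read } for  pid=2711 comm="named" name="named.conf" dev=dm-0 ino=262455 scontext=root:system_r:named_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1245233400.102:202): avc:  denied  { getattr } for  pid=2711 comm="named" path="/var/named/chroot/etc/named.conf" dev=dm-0 ino=262455 scontext=root:system_r:named_t:s0 tcontext=root:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1245233400.500:203): avc:  denied  { write } for  pid=3001 comm="httpd" name="index.html" dev=dm-0 ino=9001 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:httpd_sys_content_t:s0 tclass=file
EOF
)

# Read audit lines on stdin; print one line per AVC denial raised by named:
#   <perms> <tclass> <target name or path> <target type>
named_avc_summary() {
    awk '
    /type=AVC/ && /comm="named"/ {
        perm = "-"; target = "-"; ttype = "-"; tclass = "-"
        # the permission set sits between braces: { read } or { read write }
        if (match($0, /[{] [a-z_ ]+ [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            gsub(/"/, "", v)
            if (k == "name" || k == "path") target = v
            else if (k == "tclass") tclass = v
            else if (k == "tcontext") { split(v, c, ":"); ttype = c[3] }
        }
        gsub(/ /, ",", perm)
        print perm, tclass, target, ttype
    }'
}

# named_conf_t is the label from the thread; named_zone_t and named_cache_t are
# the usual bind zone/cache labels (assumed). Anything else is a mislabelled
# file: fix the label rather than disabling the policy.
named_label_hint() {
    case "$1" in
        named_conf_t|named_zone_t|named_cache_t) echo "expected named label: $1" ;;
        *) echo "unexpected label $1: try restorecon -Rv /var/named/chroot or chcon -t named_conf_t" ;;
    esac
}

# On a real box: named_avc_summary < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AUDIT_LOG" | named_avc_summary | while read -r perm tclass target ttype; do
    echo "named denied $perm on $tclass $target -> $(named_label_hint "$ttype")"
done
```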
 