LinuxQuestions.org
Old 10-14-2007, 08:45 PM   #1
keysorsoze
Member
 
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295

RHEL5 named.caching-nameserver.conf does not work!


Hello guys, after an entire day of busting my brains trying to get a caching nameserver to work on RHEL5, I finally threw in the towel and used the system-config-bind utility to generate a config that works. However, my question is what am I missing from the current named.caching-nameserver.conf that will not allow hosts to query the server. Here is an example of a query to google.com using the same config below.


Here is a proxy test machine that I am working on and querying this nameserver from, with no success:

[root@proxy01 ~]# nslookup google.com
Server: 192.168.2.222
Address: 192.168.2.222#53

** server can't find google.com: REFUSED

I got this configuration file by installing just caching-nameserver-9.3.3 with bind 9.3.3 and bind-utils, as well as the bind-libs. Doing some reading, I was told that you could simply copy the named.caching-nameserver.conf file into named.conf and edit the "listen-on port" directive to include your local interface, as well as edit the "allow-query" directive and place the network, which in my case is 192.168.2.0/24; however, to be safe I included 192.168.0.0/24. After that I restarted bind and everything went well; however, I could not perform a query from a host on the network pointing to this name server. I am reading a book that states clearly these are the only directives you need to change to get a working caching server, but this is not the case as I can see. Please let me know what I am missing. The /var/log/messages file does not say a single thing except for showing the zones that were loaded.


I know this is very long but I want a clue on why I had to resort to using system-config-bind to generate a working copy of named.conf that allows caching.

Here is the named.caching-nameserver.conf:

[root@dns01 ~]# cat /etc/named.conf
// named.caching-nameserver.conf
//
// Provided by Red Hat caching-nameserver package to configure the
// ISC BIND named(8) DNS server as a caching only nameserver
// (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// DO NOT EDIT THIS FILE - use system-config-bind or an editor
// to create named.conf - edits to this file will be lost on
// caching-nameserver package upgrade.
//
options {
listen-on port 53 { 127.0.0.1; 192.168.2.222; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
query-source port 53;
// query-source-v6 port 53;
// allow-query { localhost; 192.168.0.0/24; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view localhost_resolver {
match-clients { localhost; };
match-destinations { localhost; };
recursion yes;
include "/etc/named.rfc1912.zones";
};


Thanks

 
Old 10-15-2007, 02:18 AM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,910

Having this "view" paragraph in your bind configuration will make bind work only for localhost, i.e. it resolves names for requests coming from localhost and refuses those coming from other clients.
To create a caching name server, all you need is to define the "." zone (hint zone) and get yourself a copy of the root.hints file. Have a look at this howto for more details.

Regards
 
Old 10-15-2007, 02:27 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,310
Blog Entries: 54

...and next to that, how about switching to a caching nameserver (Pdnsd) that doesn't come with all the dependencies BIND has, can load records from source and saves the cache to disk?
 
Old 10-15-2007, 06:48 AM   #4
keysorsoze
Member
 
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295

Original Poster
bathory,

I did not paste in the named.rfc1912.zones section, which includes the hints. There is an include directive in the /etc/named.conf file that points to this named.rfc1912.zones file:


// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "." IN {
type hint;
file "named.ca";
};

zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.ip6.local";
allow-update { none; };
};

zone "255.in-addr.arpa" IN {
type master;
file "named.broadcast";
allow-update { none; };
};

zone "0.in-addr.arpa" IN {
type master;
file "named.zero";
allow-update { none; };
};

I also have the named.ca in /var/named; here are the contents:

[root@dns01 ~]# cat /var/named/named.ca
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Jan 29, 2004
; related version of root zone: 2004012900
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
; operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; operated by ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File


Thanks for the replies though; I'll give your link a good read. Could it be possible that I am missing the "controls" directive and the "rndc_key" key directive?


controls {
inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

key "rndc_key" {
algorithm hmac-md5;
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};

 
Old 10-15-2007, 06:55 AM   #5
keysorsoze
Member
 
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295

Original Poster
unSpawn,

I'll have to give pdnsd a try, thanks for the tip. I did some reading about it and there was a line that stated:

"This program also has a limited capability of acting as an authoritative nameserver for a local DNS zone within a private network."


Would this indicate that it would not work as a public-facing DNS server and would be best suited for a LAN DNS setup?



Thanks
 
Old 10-15-2007, 09:09 AM   #6
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,910

Remove or comment out the view clause (leave only the include line that's needed) and restart named to see if it works for clients other than localhost.
 
Old 10-15-2007, 02:23 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,310
Blog Entries: 54

Quote:
Originally Posted by keysorsoze View Post
Would this indicate that it would not work as a public-facing DNS server and would be best suited for a LAN DNS setup?
No, AFAIK the emphasis is on "limited" even though it's fully RFC compliant.
 
Old 10-15-2007, 10:43 PM   #8
keysorsoze
Member
 
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295

Original Poster
bathory, I have uncommented the views directory with no luck. However, I'll just go over the link you sent to create a working caching DNS server. I wanted to go over this file because a book that is preparing me for my RHCE simply states to make changes to the two directives and you'll have a perfectly working caching DNS server (NOT TRUE!). I don't understand how they could include a file such as named.caching-nameserver.conf and have it not do what it is set out to do.

Thanks for all the help

[root@dns01 ~]# cat /etc/named.caching-nameserver.conf
//
// named.caching-nameserver.conf
//
// Provided by Red Hat caching-nameserver package to configure the
// ISC BIND named(8) DNS server as a caching only nameserver
// (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// DO NOT EDIT THIS FILE - use system-config-bind or an editor
// to create named.conf - edits to this file will be lost on
// caching-nameserver package upgrade.
//
options {
listen-on port 53 { 127.0.0.1; 192.168.2.222; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
query-source port 53;
query-source-v6 port 53;
allow-query { localhost; 192.168.0.0/24; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
//view localhost_resolver {
// match-clients { localhost; };
// match-destinations { localhost; };
// recursion yes;
include "/etc/named.rfc1912.zones";
//};

 
Old 10-16-2007, 09:03 AM   #9
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,910

I've tested your named.conf and, as I told you, it's the view clause that doesn't allow client requests. As soon as I commented it out, it worked as expected. I dunno what you're doing wrong that it's not working for you. You can also change the match-clients statement as follows:
Code:
match-clients { localhost; 192.168.2.0/24; };
 
Old 10-18-2007, 11:22 PM   #10
keysorsoze
Member
 
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295

Original Poster
Bathory,

Is your named.conf commented out exactly as I have in the above post? Please let me know, or please post your named.conf. I still get this refused error and it's driving me nuts.
 
Old 10-19-2007, 02:06 AM   #11
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,910

The named.conf I used to test your configuration is pretty much the same as yours:
Code:
options {
listen-on port 53 { 127.0.0.1; 192.168.0.77; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
pid-file "named.pid";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
query-source port 53;
query-source-v6 port 53;
allow-query { localhost; 192.168.0.0/24; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
//view localhost_resolver {
// match-clients { localhost; };
// match-destinations { localhost; };
// recursion yes;
include "/etc/named.rfc1912.zones";
//};
The only difference is the IP address of my dns and the line adding the location of the pid file, since without it named did not start up. I've also copied named.rfc1912.zones to /var/named and edited it to contain just:
Code:
zone "." IN {
type hint;
file "root.cache";
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
 
Old 10-19-2007, 10:50 AM   #12
keysorsoze
Member
 
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295

Original Poster
bathory,

Your caching config works! I believe the problem was with the /etc/named.rfc1912.zones file. There were simply a ton of default zone entries that could have been removed. I slimmed it down to the 0.0.127.in-addr.arpa and the root.cache zones just as you have it, and sure enough I was able to send out requests. I am going to go home tonight and slowly remove each zone to determine which one was causing the hiccups; I'll post back shortly with my findings.

Thanks for all the help.
 
Old 05-02-2008, 12:42 AM   #13
lectricjunky
LQ Newbie
 
Registered: May 2008
Distribution: Fedora/RHEL clones
Posts: 4

bathory

Thanks for your insight, bathory. I also commented out the view section and it worked for me. Out of curiosity, I tried uncommenting it and adding "localnets" to the match-clients/match-destinations clauses:

match-clients {localnets; };
match-destinations {localnets; };

and it still worked! So ultimately the only thing the RHCE book is leaving out is that if you want the caching nameserver to work for any host other than the one the DNS service is configured on, you have to add "localnets" as I did above or remove the view section altogether from the named.conf file. There is a warning about the view clauses in the /usr/share/doc/bind-*/sample/named.conf file, but it is recommended that you use views.
 
Old 05-02-2008, 02:03 AM   #14
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,910

Quote:
Originally Posted by lectricjunky View Post
Thanks for your insight, bathory. I also commented out the view section and it worked for me. Out of curiosity, I tried uncommenting it and adding "localnets" to the match-clients/match-destinations clauses:

match-clients {localnets; };
match-destinations {localnets; };

and it still worked! So ultimately the only thing the RHCE book is leaving out is that if you want the caching nameserver to work for any host other than the one the DNS service is configured on, you have to add "localnets" as I did above or remove the view section altogether from the named.conf file. There is a warning about the view clauses in the /usr/share/doc/bind-*/sample/named.conf file, but it is recommended that you use views.
Using views is a good thing, but you need to define the correct acls to match the "match-clients" or "match-destinations" directives. I guess that you or the book you're reading have failed to include the correct acls in named.conf.

Regards
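Added example, not code from the thread or from BIND itself: a small Python simulation of how named picks a view by evaluating match-clients the way BIND evaluates an address match list (first matching element wins, a leading "!" denies, "localhost" is the server's own addresses and "localnets" its directly attached networks). It embeds two constructed configs, the thread's localhost-only view, which yields no view (the REFUSED the proxy saw) for a 192.168.2.x client, and a variant gated on an ACL; the acl name "trusted", the view name "lan_resolver" and the server interface addresses are assumptions.

```python
import ipaddress
import re

# Constructed samples, not copied from the thread: the stock localhost-only view
# that REFUSES LAN clients, and a variant gated on an explicit ACL (assumed names).
ORIGINAL_VIEW = """
view localhost_resolver {
    match-clients { localhost; };
};
"""
CORRECTED_VIEW = """
acl trusted { localhost; 192.168.2.0/24; };
view lan_resolver {
    match-clients { trusted; };
};
"""
# Assumed server interfaces (thread: 127.0.0.1 and 192.168.2.222). BIND's builtin
# "localhost" matches the server's own addresses, "localnets" their networks.
SERVER_ADDRS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "192.168.2.222")}
SERVER_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.2.0/24")]

def parse_acls(conf):
    """Map acl name -> its address-match-list elements (no nesting of braces)."""
    return {name: [e.strip() for e in body.split(";") if e.strip()]
            for name, body in re.findall(r'acl\s+"?([\w-]+)"?\s*\{([^}]*)\}', conf)}
def parse_views(conf):
    """Map view name -> its match-clients elements (BIND default: any)."""
    views = {}
    for name, body in re.findall(r'view\s+"?([\w-]+)"?\s*\{(.*?)\n\};', conf, re.S):
        m = re.search(r'match-clients\s*\{([^}]*)\}', body)
        views[name] = [e.strip() for e in m.group(1).split(";") if e.strip()] if m else ["any"]
    return views
def element_matches(elem, client, acls):
    """One element (builtin name, acl name or address prefix) against a client."""
    if elem in ("any", "none"):
        return elem == "any"
    if elem == "localhost":
        return client in SERVER_ADDRS
    if elem == "localnets":
        return any(client in n for n in SERVER_NETS)
    if elem in acls:
        return list_matches(acls[elem], client, acls)
    return client in ipaddress.ip_network(elem, strict=False)
def list_matches(elems, client, acls):
    """BIND semantics: first matching element wins; a leading '!' denies."""
    for elem in elems:
        if element_matches(elem.lstrip("!").strip(), client, acls):
            return not elem.startswith("!")
    return False
def serving_view(conf, client_ip):
    """First view whose match-clients accepts client_ip; None means REFUSED."""
    client, acls = ipaddress.ip_address(client_ip), parse_acls(conf)
    return next((v for v, mc in parse_views(conf).items()
                 if list_matches(mc, client, acls)), None)
```

Only match-clients is modelled; match-destinations and allow-query add further checks in real named, so passing here is necessary but not sufficient for an answer.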
 
  

