Bind 9 help, I did read tutorials and docs on this.
I did look at all of the tutorials and documentation that I could find on the internet, including the one on the Gentoo wiki, BIND's homepage and so forth. I haven't had much luck getting my BIND 9 config to work properly. It works great as a DNS cache, I got that going pretty easily, but I'm struggling with making BIND authoritative over my domain only and not forwarding it.
Basically, if I execute a dig query for "127.0.0.1" I get the localhost name, and if I execute a dig query for "localhost" I get the 127.0.0.1 IP address, but if I execute it for "localhost.localdomain" I get the list of the root servers... which confuses me. If I also remove the root.hint file from the BIND config and only use it in forward-only mode, it will still end up at the root servers.
Also, I'm hosting the authoritative DNS for my own local domain, which is "elder", which I know doesn't exist out there on the internet. Anyway, if I execute a dig query for "amrutlar.elder." it will kind of work, but if it's "amrutlar" it will end up at an IP address that is not mine.
So anyway, any suggestion/idea on how to implement this:
- Caching for queries not in my domain
- Being authoritative for queries in my domain
- If it's a wrong query, say "badaddress.elder", I want it to return "address not found" instead of going to the root servers
- Want to be able to query "amrutlar" and "amrutlar.elder" and have them return the same IP address.
Anyway, without further ado, here's my BIND config below:
named.conf
Code:
// Including the rndc key
include "etc/conf/rndc-key.conf";
// Including the ACLs
include "etc/conf/acls.conf";
options {
// Statistics are a good idea to have generally
statistics-file "/var/log/named/named.stats";
dump-file "/var/log/named/named.dump";
zone-statistics yes;
// Who to allow queries and so forth from
allow-query { elder; };
listen-on { elder; };
listen-on-v6 { none; };
// Disable zone transfer requests
allow-transfer { "none"; };
pid-file "/var/run/named/named.pid";
};
// Include the logging config file
include "etc/conf/logging.conf";
// Including the default zone
include "etc/conf/zones/default.conf";
// Including the elder zone
include "etc/conf/zones/elder.conf";
view "recursive" {
match-clients { elder; };
match-recursive-only yes;
// forward only;
// forwarders {
// 208.67.222.222; // openDNS
// 208.67.220.220; // openDNS
// };
// Required for recursive queries
zone "." {
type hint;
file "etc/zones/default/root.servers";
};
// Required local host domain
zone "localhost" in {
type master;
file "etc/zones/default/localhost";
allow-update { none; };
allow-transfer { localhost; };
};
// Required local host reverse map
zone "127.in-addr.arpa" in {
type master;
file "etc/zones/default/localhost.rev";
allow-update { none; };
allow-transfer { localhost; };
};
// delegation-only: treat the TLD as containing only delegations, so a non-delegation
// answer from the TLD servers (e.g. a TLD-wide wildcard) is rejected
zone "com" {
type delegation-only;
};
// Same for net
zone "net" {
type delegation-only;
};
};
elder.conf
Code:
view "authoritative" {
recursion no;
additional-from-auth no;
additional-from-cache no;
forwarders {};
// The dns zone for the elder domain
zone "elder" in {
type master;
file "etc/zones/elder/elder";
};
// The reverse map for the elder domain
zone "10.10.10.in-addr.arpa" in {
type master;
file "etc/zones/elder/elder.rev";
};
};
localhost
Code:
$ORIGIN localhost.
$TTL 6h
@ IN SOA amrutlar.elder. root.elder. (
2 ; serial
1h ; refresh
30m ; retry
7d ; expiration
1h ) ; minimum
NS amrutlar.elder.
A 127.0.0.1
root.servers
Code:
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.root
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Jan 29, 2004
; related version of root zone: 2004012900
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
; operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; operated by ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File
elder
Code:
$TTL 1D ; One day
$ORIGIN elder.
@ IN SOA amrutlar.elder. root.elder. ( ; @ = the zone apex (elder.); a name without a trailing dot gets $ORIGIN appended
2007022502 ; Serial (change everytime the zone is changed)
6H ; Refresh
1H ; Retry
1W ; Expire
1D ; Minimum
)
; DNS Server
IN NS amrutlar.elder.
; Router/DNS/Gateway machine
amrutlar IN A 10.10.10.1
; Laptop - thinkpad
netheril IN A 10.10.10.30 ; update this
; Desktop - conroe
imaskar IN A 10.10.10.20
; Desktop - pentium 4
thay IN A 10.10.10.10
; Wireless router
mulhorand IN A 10.10.10.2
; Vmware - Window xp
;halruaa IN A 192.168.12.50 ; update this
; Vmware - Solaris
;unther IN A 192.168.12.51 ; update this
; Vmware - Mac osX
;narfell IN A 192.168.12.52 ; update this
; New machines - name: aglarond ?
elder.rev
Code:
$TTL 1D ; One day
$ORIGIN 10.10.10.in-addr.arpa.
@ IN SOA amrutlar.elder. root.elder. ( ; @ = the zone apex (10.10.10.in-addr.arpa.)
2007022502 ; Serial (change everytime this zone is edited
6H ; Refresh
1H ; Retry
1W ; Expire
1D ; Minimum
)
; DNS Server
IN NS amrutlar.elder.
; Router/DNS/Gateway machine
1 IN PTR amrutlar.elder.
; Laptop - thinkpad
30 IN PTR netheril.elder. ; update this
; Desktop - conroe
20 IN PTR imaskar.elder.
; Desktop - pentium 4
10 IN PTR thay.elder.
; Wireless router
2 IN PTR mulhorand.elder.
; Vmware - Window xp
;50 IN PTR halruaa.elder. ; update this
; Vmware - Solaris
;51 IN PTR unther.elder. ; update this
; Vmware - Mac osX
;52 IN PTR narfell.elder. ; update this
; New machines - name: aglarond ?
There are a few simple things you can do to solve your problems, although from your writings you have 99% of it done.
First off, you need to have the zone elder listed in your named.conf. If your server is forwarding requests for elder to the root, it is because it doesn't see itself as authoritative. Simply adding elder to named.conf and pointing it at the elder zone file should take care of this.
As to getting different results based on doing a dig on localhost.elder or just localhost, that is solved by adding the line
Code:
search elder
to the top of your /etc/resolv.conf. That way, when you ask for localhost or clienthost at the command line, your resolv.conf will add elder on the end of that, and since it is part of the elder domain, it will ask itself, and return the correct answer.
Quote:
Originally Posted by JimBass
First off, you need to have the zone elder listed in your named.conf. If your server is forwarding requests for elder to the root, it is because it doesn't see itself as authoritative. Simply adding elder to named.conf and pointing it at the elder zone file should take care of this.
I already did this?
That was included in the named.conf
Code:
// Including the elder zone
include "etc/conf/zones/elder.conf";
Quote:
Originally Posted by JimBass
As to getting different results based on doing a dig on localhost.elder or just localhost, that is solved by adding the line
Code:
search elder
to the top of your /etc/resolv.conf. That way, when you ask for localhost or clienthost at the command line, your resolv.conf will add elder on the end of that, and since it is part of the elder domain, it will ask itself, and return the correct answer.
Yeah, you have a ton of junk in your configs, and that is probably where the problems are coming from.
Normally the domains are not in /etc, but somewhere in /var. Obviously you can put the zone file anywhere you please, but the bind/named user needs to be able to read that zone file. Do the permissions allow bind to see all the way from /etc down to /etc/conf/zones/elder?
Your log looks like you're trying to log everything under the sun, much of which is never going to be of use to a single-zone server. Wherever the error is, it should be somewhere in your logs. I've run BIND on dozens of machines for everything from small offices to mid-size ISPs, and I've never needed most of the things you are logging. I run one or two logs, a general one and a zone-update one. A query log if you're more or less spying on the other machines in your home/office, but that's it. If you want to log 12 things to 12 different places, more power to you, but now when you're looking for errors you have more places to check.
All your resolv.conf should have are two lines, the search elder and nameserver 127.0.0.1. The default lookup order is /etc/hosts then /etc/resolv.conf, so your additional two lines don't add up to much but problems from my perspective.
It would be good if you compiled from source, because it usually gives you two excellent tools to troubleshoot: named-checkconf and named-checkzone. Those can help you troubleshoot the problems with the named.conf and with your elder zone file. You didn't list what distro you are using in your profile, but they may include those tools in it. If they don't, I'd use the simplest config possible and add to it piece by piece. Or check your logs to find the problem. I'm more than willing to help out here on the forums.
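The minimal layout this advice points to, written out as an added example that is not the poster's configuration and not taken from the thread: a single named.conf with no views, one hint zone, the localhost zones and the two elder zones. The ACL name elder, the 10.10.10.0/24 network and the zone-file paths (relative to the chroot base directory, as in the posted config) are taken from the posts; the listen-on addresses are an assumption. With no views, every zone is visible to every client, so a recursive query for a name under elder is answered from the zone file, and a name that is not in it gets NXDOMAIN rather than a trip to the root servers. (In BIND 9, once any view is defined every zone must sit inside a view, views are tried in the order they are written, and a client matched by a view with match-recursive-only yes is answered from that view only; zones declared in a later view are invisible to it.)

```conf
// Added example, not the poster's named.conf. File paths are relative to the
// chroot base directory as in the posted config; listen-on addresses are assumed.
acl "elder" { 127.0.0.1; 10.10.10.0/24; };

options {
    pid-file "/var/run/named/named.pid";
    listen-on { 127.0.0.1; 10.10.10.1; };   // assumed: loopback plus the LAN side of the router
    listen-on-v6 { none; };
    allow-query { elder; };                 // only the LAN may ask at all
    allow-recursion { elder; };             // and only the LAN may make this server recurse
    allow-transfer { none; };
    recursion yes;                          // cache for everything that is not ours
};

// Root hints: where recursion starts for names outside the zones below.
zone "." {
    type hint;
    file "etc/zones/default/root.servers";
};

zone "localhost" {
    type master;
    file "etc/zones/default/localhost";
    allow-update { none; };
};

zone "127.in-addr.arpa" {
    type master;
    file "etc/zones/default/localhost.rev";
    allow-update { none; };
};

// Authoritative data. Anything under elder. is answered from these files;
// a name that is not in them gets NXDOMAIN and never reaches the root servers.
zone "elder" {
    type master;
    file "etc/zones/elder/elder";
    allow-update { none; };
};

zone "10.10.10.in-addr.arpa" {
    type master;
    file "etc/zones/elder/elder.rev";
    allow-update { none; };
};
```

Run `named-checkconf` on the file and `named-checkzone elder etc/zones/elder/elder` (zone name first, then the file) on the zone before reloading. The `allow-recursion { elder; }` line is what keeps this from becoming an open resolver if port 53 ever becomes reachable from outside the LAN: outsiders could at most get authoritative answers for elder, never use the cache.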
JimBass: I guess I was trying to be too smart for my own good and doing things too fast. At first I was all confused by the BIND stuff, then I did a lot of Google searching and found quite a bit of good information out there, but every site had its own way of doing it, so I then attempted to merge all of these divergent methods into one super method of doing it, which you could say was my downfall here.
Okay, here's some of the information that you've requested.
Quote:
Originally Posted by JimBass
Normally the domains are not in /etc, but somewhere in /var. Obviously you can put the zone file anywhere you please, but the bind/named user needs to be able to read that zone file. Do the permissions allow bind to see all the way from /etc down to /etc/conf/zones/elder?
My named daemon is already running under a chroot for extra security. Right now I have it working fine on a router machine used by myself and my roommate; I'm just trying to add in additional functionality. Basically the base directory is /var/named, so you will notice there's no leading slash in any of the paths, because they come from the base directory. The general file system hierarchy is below:
Code:
/var/named/
    dev/
    var/
        log/
            named/
                various named logs go here
    etc/
        named.conf
        conf/
            rndc-key.conf
            acls.conf
            logging.conf
            zone/
                default.conf
                elder.conf
        zone/
            elder/
                elder
                elder.rev
            default/
                localhost
                localhost.rev
                root.servers
Currently I've set everything from /var/named/ onward recursively with chown root:named -R /var/named/*, and also changed the read/write permissions with chmod rw+g -R /var/named/* so that the named group can read the files. I still haven't completely finished chrooting it; in the end I intend to run it as named:named, but that's later. It's working as it is at the moment, but I know there's something in the named.conf or in the zone files that is fouling it up.
Quote:
Originally Posted by JimBass
Your log looks like you're trying to log everything under the sun, much of which is never going to be of use to a single zone server. Where ever the error is should be somewhere in your logs. I've run bind on dozens of machines for everything from small offices to mid-size ISPs, and I've never needed most of the things you are logging. I run one or 2 logs, a general and a zone update. A query log if you're more or less spying on the other machines in your home/office, but that's it. If you want to log 12 things to 12 different places more power to you, but now when you're looking for errors, you have more places to check.
Honestly, I don't need to keep the query log. I got all of those logging statements from the Gentoo wiki on BIND. He said it would be easier to fix and catch any issue if I log everything, but I honestly haven't looked at them much. I've been mainly checking /var/log/daemon to catch any error messages from BIND, and it hasn't told me much, so I went ahead and checked all of those sub-logs and didn't find a whole lot, just mainly status information. But I'm planning on removing those logs and dropping it to the bare minimum; you say that I would only need a general log and a zone-update log, right?
Quote:
Originally Posted by JimBass
It would be good if you compiled from source, because it usually gives you 2 excellent tools to troubleshoot - named.checkconf and named-checkzone. Those can help you troubleshoot the problems with the named.conf and with your elder zone file. You didn't list what distro you are using in your profile, but they may include those tools in it. If they don't I'd use the simplest config possible, and add to it piece by piece. Or check your logs to find the problem. I'm more than willing to help out here on the forums.
Alrighty, awesome, thanks! I found named-checkzone and named-checkconf. My checkconf checks out just fine, but I found one error in the checkzone and fixed it, and it seems to be working okay-ish now, though I'm still not satisfied with it. I'm going to blow away this whole mess and redo it from the base up and start very simple; I'll drop any notes here if I'm stuck on any part that I'm not sure about.
I do have two questions right now. The first is regarding dig versus host. I ran some tests on a semi-working BIND config. When I typed in
host amrutlar.elder, I got the correct IP address, then I typed in host amrutlar, and I again got the correct IP address. Now if I use dig amrutlar.elder, I get the correct information, but if I use dig amrutlar I get the information about the root zone even though I don't even have that in the BIND config at all. Any idea what's up there? Am I invoking dig the wrong way?
Like you said, I redid my resolv.conf to only have a few lines in it
Code:
domain elder
nameserver 127.0.0.1
And the second question is, how do I add the localdomain setting into my localhost zone file? Something like this?
Code:
$ORIGIN localhost.
$TTL 6h
@ IN SOA amrutlar.elder. root.elder. (
2 ; serial
1h ; refresh
30m ; retry
7d ; expiration
1h ) ; minimum
NS amrutlar.elder.
A 127.0.0.1
$ORIGIN localhost.localdomain.
A 127.0.0.1
Thanks so much for your help.
Last edited by Antimatter; 02-27-2007 at 05:54 PM.
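What named-checkzone is looking at when it flags a zone file like the ones in this thread comes down to one rule: how a name in a master file is made absolute against the current $ORIGIN. The following is an added example (not code from the thread or from BIND) that applies that rule to a constructed zone text and reports the checks that matter here. A name without a trailing dot gets the current origin appended, so `amrutlar.elder` under `$ORIGIN elder.` becomes `amrutlar.elder.elder.` and the SOA is no longer at the apex; `@` is the origin itself; a line with a blank owner inherits the previous owner, not the new origin, which is also what happens to an `A 127.0.0.1` placed after a fresh `$ORIGIN localhost.localdomain.` line. Only the subset of master-file syntax used in the thread is handled, and the sample zone texts are constructed for this example.

```python
"""Added example (not code from the thread): resolve the relative names in a
BIND master file the way named and named-checkzone do, then report the
mistakes those tools complain about most often.

Only the subset of master-file syntax used in the thread is handled:
$ORIGIN, $TTL, '@', trailing-dot absolute names, blank-owner lines that
inherit the previous owner, ';' comments and a parenthesised SOA.
The two zone texts at the bottom are constructed for this example.
"""


def absolute(name, origin):
    """Expand a master-file name to an FQDN: '@' is the origin, a name with a
    trailing dot is already absolute, anything else has the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def logical_lines(text):
    """Strip comments and blank lines, and join a parenthesised record
    (the multi-line SOA) into one line. Leading whitespace is kept because
    it is what marks a blank owner."""
    out, buf = [], []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf.append(line)
        joined = " ".join(buf)
        if joined.count("(") > joined.count(")"):
            continue                      # still inside the parentheses
        out.append(joined.replace("(", " ").replace(")", " "))
        buf = []
    return out


def parse_zone(text, zone_name):
    """Return [(owner, rtype, [rdata...])] with every name made absolute.
    zone_name is the name from the zone statement in named.conf; it is the
    initial $ORIGIN and the apex the SOA has to sit at."""
    origin = zone_name if zone_name.endswith(".") else zone_name + "."
    last_owner, records = None, []
    for line in logical_lines(text):
        fields = line.split()
        if fields[0] == "$ORIGIN":          # a relative $ORIGIN is relative to the old one
            origin = absolute(fields[1], origin)
            continue
        if fields[0] == "$TTL":
            continue
        if line[0].isspace():               # blank owner: inherit the previous one
            owner = last_owner
        else:
            owner = last_owner = absolute(fields[0], origin)
            fields = fields[1:]
        while fields[0].isdigit() or fields[0].upper() in ("IN", "CH"):
            fields.pop(0)                   # optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [absolute(rdata[0], origin)]
        elif rtype == "SOA":
            rdata = [absolute(rdata[0], origin), absolute(rdata[1], origin)] + rdata[2:]
        records.append((owner, rtype, rdata))
    return records


def check_zone(records, zone_name):
    """The checks that matter for the thread: SOA and NS at the apex, and an
    in-zone NS target that actually has an address record."""
    apex = zone_name if zone_name.endswith(".") else zone_name + "."
    problems = []
    soas = [r for r in records if r[1] == "SOA"]
    if not soas or soas[0][0] != apex:
        problems.append(f"SOA is at {soas[0][0] if soas else 'nowhere'}, not at the apex {apex}")
    if not any(r[1] == "NS" and r[0] == apex for r in records):
        problems.append(f"no NS record at the apex {apex}")
    addresses = {r[0] for r in records if r[1] in ("A", "AAAA")}
    for owner, rtype, rdata in records:
        if rtype == "NS" and rdata[0].endswith("." + apex) and rdata[0] not in addresses:
            problems.append(f"NS target {rdata[0]} has no address record in the zone")
    return problems


# Constructed sample: the SOA owner is written relative to $ORIGIN, so it
# lands at amrutlar.elder.elder., and the NS target is misspelled.
BROKEN = """\
$TTL 1D
$ORIGIN elder.
amrutlar.elder IN SOA amrutlar.elder. root.elder. (
        2007022502 ; serial
        6H 1H 1W 1D )
        IN NS amrular.elder.
amrutlar IN A 10.10.10.1
thay     IN A 10.10.10.10
"""

# Same data with the apex written as '@' and the NS target spelled correctly.
FIXED = BROKEN.replace("amrutlar.elder IN SOA", "@ IN SOA").replace("amrular", "amrutlar")

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_zone(parse_zone(text, "elder"), "elder") or "ok")
```

Running it prints three problems for the first text (SOA off the apex, no apex NS, an NS target with no address) and "ok" for the second; those are the same conditions named-checkzone reports as errors or warnings, so this is a way to see why before reaching for the real tool.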
As you've seen, there are probably 10,000 ways of doing BIND, each of which makes some things easy and others difficult. In regards to running inside a chroot, that goes back to when everyone ran BIND as root. In that case it made sense to chroot the process, because otherwise an exploit that got inside had the whole system. Now that every install I have seen in the past 6 years runs BIND as a limited-rights user, I feel chrooting isn't necessary, but many others are used to it. It can introduce problems, but you seem to be getting around them. On the other hand, if this is just a caching server that is only authoritative for a non-existent real domain on your LAN (elder), who are you chrooting it against? Your roommate? I would never run a LAN named server in a chroot, but just like the logging, the choice is yours.
In regards to blowing away your whole config, that might be overdoing it a bit. You could just comment out the things you don't want. I'm just thinking work time here. Adding some # or / to the configs takes maybe 5 minutes, whereas rebuilding might be an hour or so.
Dig is behaving correctly, it is your resolv.conf that is off. Instead of
Code:
domain elder
nameserver 127.0.0.1
try
Code:
search elder
nameserver 127.0.0.1
That will give you the correct answers for running dig against a hostname rather than a FQDN. Your BIND will only reply to FQDN queries, the trickery to get around that is to let the resolv.conf tag the .elder onto the end of any hostname, and that is what the "search elder" accomplishes. That way when you type in
Code:
dig sauron
what actually gets asked is
Code:
dig sauron.elder
You can also tag the @ symbol onto a dig command to ask a specific machine. That doesn't help much in your case as this box will be the default DNS for everything on the LAN, but if you open port 53, you could do something like
Code:
dig sauron.elder @yourIP
and get the box's LAN address from anywhere in the world, should you want it.
As to the localhost file, I have never altered that file on a BIND install. I suspect doing so might cause something strange to happen. What are you trying to accomplish by editing it? The computer still needs to identify localhost as itself, and it already knows both its FQDN and hostname, so I don't see what you're going for here.
I'm glad you have most of this figured out, and you're very welcome for the help. Please write back if I haven't been clear or if you hit problems.