Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I have set up a network firewall / router (with an external interface alias of eth0 and eth0:0 for two ip addresses corresponding to two dns servers on my home office adsl like in the diagram below). To do this I am using DNAT for all external inquires for my DMZ servers and SNAT for outgoing traffic with the local network's outgoing traffic sharing the IP of my secondary server.
Currently all external clients can access all DMZ services (http, dns, mail) but none of the internal clients on the local network can browse the internet or access the servers using their domain names. All the local clients can ping the firewall /router and the DMZ servers using both the servers' public and private addresses.
It seems that this a DNS problem and that it can best be solved by "split" views on my DNS. I am having a problem with my /etc/named.conf file (modified copy of named.conf from shorewall.net below). When I try to use this I get the error message from /var/log/messages that "view" is an unknown option. Can someone tell me what I am doing wrong? Thanks.
#
# This is the view presented to our internal systems
#
view "internal" {
#
# These are the clients that see this view
#
match-clients { 192.168.201.0/29;
192.168.202.0/29;
127.0.0.0/8;
192.0.2.176/32;
192.0.2.178/32;
192.0.2.179/32;
192.0.2.180/32; };
#
# If this server can't complete the request, it should use
# outside servers to do so
#
recursion yes;
zone "." in {
type hint;
file "int/root.cache";
};
zone "foobar.net" in {
type master;
notify no;
allow-update { none; };
file "int/db.foobar";
};
zone "0.0.127.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "int/db.127.0.0";
};
zone "201.168.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "int/db.192.168.201";
};
zone "202.168.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "int/db.192.168.202";
};
zone "176.2.0.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.192.0.2.176";
};
zone "177.2.0.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.192.0.2.177";
};
zone "178.2.0.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.192.0.2.178";
};
zone "179.2.0.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.206.124.146.179";
};
};
#
# This is the view that we present to the outside world
#
view "external" {
match-clients { any; };
#
# If we can't answer the query, we tell the client so
#
recursion no;
zone "foobar.net" in {
type master;
notify yes;
allow-update {none; };
allow-transfer { <secondary NS IP>; };
file "ext/db.foobar";
};
zone "176.2.0.192.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
allow-transfer { <secondary NS IP>; };
file "db.192.0.2.176";
};
zone "177.2.0.192.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
allow-transfer { <secondary NS IP>; };
file "db.192.0.2.177";
};
zone "178.2.0.192.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
allow-transfer { <secondary NS IP>; };
file "db.192.0.2.178";
};
zone "179.2.0.192.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
allow-transfer { <secondary NS IP>; };
file "db.192.0.2.179";
};
};
Odd! I copy/pasted your named.conf file into my test FC1 system and the only error I get was...
Sep 20 16:41:00 voyager named[19531]: could not configure root hints from 'root.cache': file not found
Sep 20 16:41:00 voyager named[19531]: loading configuration: file not found
Which is correct. root.cache does not exist on my system in the directory strcuture you specifed. So to me, named is reading the "view" statement without an error.
At this point, I would start checking for errors before the the "view" statement. Like missing semi-colons, left/right brackets not closed, non printable characters at the end of a line, DOS formatted file. Something like that.
i think you must be right. i have started again with a clean file and have eliminated this problem. i still need to edit the file to make it fit my system. i suspect that am unknowingly inserting some strange characters in vi when i forget to hit the insert command and just start typing. i'll post back with results.
i have been getting another error message in /var/log/messages.
Sep 27 04:10:28 ns2 named[29498]: couldn't add command channel 127.0.0.1#953: not found
Sep 27 04:10:28 ns2 named[29498]: couldn't add command channel ::1#953: not found
I configured rndc correctly by removing /etc/rndc.conf and commenting
out the rndc key lines in /etc/named.conf. Next, I ran rndc-confgen -a, which created all the appropriate entries and then cut and paste the key generated into my named.conf (SEE BELOW).
From there, i have triedt (without success) to follow the fix suggested by another thread but i can't seem to follow a key step. Can someone explain what this passage is referring to?
Quote:
In other words, the default permissions of the /var/run directory do not allow a user other than root to create a file/directory.
EXCERPT FROM NAMED.CONF
key "rndckey" {
algorithm hmac-md5;
secret "VWP7hSbGKHTQGm+67KCIjA==";
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
directory "/var/named";
listen-on { 127.0.0.1 ; 192.168.202./24 ; 192.168.0.0/24 ; 69.17.65.161 ;};
// we varied here by using only the local IP
// because we are using DNAT / SNAT instead of
// proxy arp since we only have two public IP's
};
1) Your key definition is named "rndckey", but you are referencing this key in the control statement with the key name of "rndc-key". The key names need to match. Pick one and be sure that this name is also referenced in /etc/rndc.conf
2) Your key definition does not have the closing bracket.
3) Although it will still work, there is no need to cut/paste the key into named.conf. Simply include the key file in named.conf. i.e.
Hopefully the above is a type-o, checkout the 192.168.202 part.
From there, i have triedt (without success) to follow the fix suggested by another thread but i can't seem to follow a key step. Can someone explain what this passage is referring to?
Quote:
In other words, the default permissions of the /var/run directory do not allow a user other than root to create a file/directory.
Named will create files at startup, through channel specific logging, or through rndc. In particular, the process ID file which should be referenced in named.conf as option pid-file. So if named is started with the "-u named" parameter (which is good), then named is started as that user, thus will not have the proper permission to create any files in the /var/run directory because the default permissions of that directory do not allow any user but root to create a file in this directory. To fix this problem, you will need to:
1) Create a /var/run/named directory which is owned by the user specifed by the -u parameter. This is usually the user named.
# cd /var/run
# mkdir named
# chown named.named named
# chmod 770
2) Add/Change the pid-file global option in named.conf to point to /var/run/named/named.pid
pid-file "/var/run/named/named.pid";
3) Repeat steps 1 & 2 for the following global named.conf options. If the directory doesn't exist (like /var/log/named), create it and change the ownership/permissions to allow the user "named" to write to the new directories.
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
statistics-file "/var/log/named/named.stats";
dump-file "/var/log/named/named.dump";
zone-statistics yes;
};
thanks / fedora core special dns configuration issues?
Thank you for your help. I am still working through your solution. I wonder if this solution will affect some of the chroot features of DNS under fedora. In persuing your solution, I have read several postings suggesting that Fedora chroots the named user. This limits the files that the named user can see outside of the directory /var/named/chroot. Fedora puts the named.conf and named.ca files in the standard /etc directory (where the chrooted named user can't read them). A possible solution might be something like this from the root terminal: (1) cp -f /etc/named.conf /var/named/chroot/etc/ ; and (2) cp -f /etc/rndc.* /var/named/chroot/etc/
Note: files formerly found in /var/named now belong in /var/named/chroot/var/named.
A possible solution might be something like this from the root terminal: (1) cp -f /etc/named.conf /var/named/chroot/etc/ ; and (2) cp -f /etc/rndc.* /var/named/chroot/etc/
Note: files formerly found in /var/named now belong in /var/named/chroot/var/named.
Thats correct! Fedora sets named to start as user named and start in a chroot'd jail. So the above is the correct procedure to follow. You would still need to set the proper permissions on the chrooted directories as noted in my previous reply though.
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
Right, the above is what OpenBSD does by default. It's mystifying why the Fedora develoers chroot'd named but forgot to make the config files available to it after it's there (and I've seen this problem several times now, so it's not like it's not a known problem).
Originally posted by chort Right, the above is what OpenBSD does by default. It's mystifying why the Fedora develoers chroot'd named but forgot to make the config files available to it after it's there (and I've seen this problem several times now, so it's not like it's not a known problem).
Maybe I'm misunderstanding your reply, but if the "bind-chroot" rpm is installed (which is a dependency against the bind rpm), all the chrooted files are available. Only problem is the permissions are still wrong (based on the options in the supplied named.conf). Plus, it would be nice if the rpm post-install script would copy /etc/localtime to the chroot'd environment so that the dates are not logged in UTC.
I'm not a linux guru but this seems like a really core issue for Fedora.
When I upgraded to Fedora, two really bad things happened.
1. My DNS stopped working.
2. DNS failing hammered my mail server immediately.
I'd be happy to do what is necessary to help because I saw a lot of postings on this and a lot of varying solutions. I am sure they probably represent valid approaches to solving the problem but I suspect that they all affect the security of DNS in differing ways that the DNS developers might not have anticipated. Since DNS is essential to the internet's correct functioning, this probably deserves some attention in a larger forum (i'd do it myself but doubt that i have the knowledge necessary to conduct that conversation).
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
scowles, are you sure that creating properly owned files outside /var/named will actually work? On OpenBSD /var/named has it's own dev/log device in order to write to syslog when in chroot.
The redhat bind-chroot rpm creates a similar directory structure as well, but I don't see anything regarding /dev/log (which does seem strange) and I don't have any problem logging (via syslog) at this end. I do define other channel specific logging mechanisms in named.conf, but these are done without the syslog facility.
For reference, here is what bind-chroot loads:
Code:
[root@excelsior dev]# rpm -ql bind-chroot
/var/named/chroot/dev/null
/var/named/chroot/dev/random
/var/named/chroot/etc/named.conf
/var/named/chroot/etc/rndc.key
/var/named/chroot/var/named
/var/named/chroot/var/run/named
root@excelsior dev]# ls -l
total 0
crw-r----- 1 root named 1, 3 Nov 28 2003 null
crw-r----- 1 root named 1, 8 Nov 28 2003 random
and here is an actual syslog entry via syslog. My version of bind is started with the "-u named" command line argument and in a chroot'd jail. Which I think is the default in FC2.
i still can't make this file load
/etc/named.conf:12: unknown option 'controls'
/etc/named.conf:17: unknown option 'view'
/etc/named.conf:145: unknown option 'view'
/etc/named.conf:249: '}' expected near end of file
[root@testy root]#
:
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
// local subnet for the pc's
zone "0.168.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.192.168.0";
};
// dmz subnet for the servers
zone "202.168.192.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.192.168.202";
};
// firewall
zone "105.65.17.69.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.69.17.65.105";
};
// number 1 server http, dns, imap
zone "22.65.17.69.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.69.17.65.22";
};
// number 2 server http, dns, imap
zone "161.65.17.69.in-addr.arpa" in {
type master;
notify no;
allow-update { none; };
file "db.69.17.65.161";
};
// our first primary zone
zone "substantis.com" {
type master;
file "db.substantis";
allow-update {none;};
notify no;
};
// our second primary zone
zone "lubuto.org" {
type master;
file "db.lubuto";
allow-update {none;};
notify no;
};
// our third primary zone
zone "danielleworden.com" {
type master;
file "db.danielleworden";
allow-update {none;};
notify no;
};
//our fourth primary zone
zone "familynetpix.com" {
type master;
file "db.familynetpix";
allow-update {none;};
notify no;
};
//our fifth primary zone
zone "mrcstudio.com" {
type master;
file "db.mrcstudio";
allow-update {none;};
notify no;
};
// our sixth primary zone
zone "doldaycare.com" {
type master;
file "db.doldaycare";
allow-update {none;};
notify yes;
};
//our seventh primary zone
zone "dexter1976.com" {
type master;
file "db.dexter1976";
allow-update {none;};
notify no;
};
//our eighth primary zone
zone "nelsonbeaudoin.com" {
type master;
file "db.nelsonbeaudoin";
allow-update {none;};
notify no;
};
};
//
//This is the view that we present to the outside world
//
view "external" {
match-clients { any; };
// version "[I don't respond to version queries]";
query-source address * port 53;
allow-query { any; };
allow-transfer { 216.231.41.19; 216.254.0.9; 69.17.65.161; };
//
// If we can't answer the query, we tell the client so
//
recursion yes;
// our first primary zone
zone "substantis.com" {
type master;
file "named.substantis.com";
allow-update {none;};
notify yes;
};
// our second primary zone
zone "lubuto.org" {
type master;
file "named.lubuto.org";
allow-update {none;};
notify yes;
};
// our third primary zone
zone "danielleworden.com" {
type master;
file "named.danielleworden.com";
allow-update {none;};
notify yes;
};
//our fourth primary zone
zone "familynetpix.com" {
type master;
file "named.familynetpix.com";
allow-update {none;};
notify yes;
};
//our fifth primary zone
zone "mrcstudio.com" {
type master;
file "named.mrcstudio.com";
allow-update {none;};
notify yes;
};
//our sixth primary
zone "doldaycare.com" {
type master;
file "named.doldaycare.com";
allow-update {none;};
notify yes;
};
//our seventh
zone "dexter1976.com" {
type master;
file "named.dexter1976.com";
allow-update {none;};
notify yes;
};
//our eighth
zone "nelsonbeaudoin.com" {
type master;
file "named.nelsonbeaudoin.com";
allow-update {none;};
notify yes;
};
zone "161.65.17.69.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
allow-transfer { 69.17.65.161 ; };
file "db.69.17.65.161";
};
zone "22.65.17.69.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
allow-transfer { 69.17.65.161 ; };
file "db.69.17.65.22";
};
zone "105.65.17.69.in-addr.arpa" in {
type master;
notify yes;
allow-update { none; };
allow-transfer { 69.17.65.161 ; };
file "db.69.17.65.105";
};
};
//
//
//controls {
// inet 127.0.0.1 allow { localhost; } keys { rndckey; };
//
//zone "localhost" IN {
// type master;
// file "localhost.zone";
// allow-update { none; };
//};
//
//zone "0.0.127.in-addr.arpa" IN {
// type master;
// file "named.local";
// allow-update { none; };
//};
//
// include "/etc/rndc.key";
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.