Twin DNS Servers on SuSE - Options?
 

I am wanting to implement a stable DNS solution at work to get away from nasty hosts files. I have tested with Open SuSE DNS and while it's easy to get up and running, I have concerns about high availability and failover.

Does the built in SuSE DNS solution allow you to have two servers that communicate with eachother and where updates to one will update the other?

Any other advice you can give would be most appreciated.

Not sure if it matters but the servers are:

Open SuSE 11.1 PowerPC
Open SuSE 11.2 x86

Many thanks in advance

OK I have answered my own question regarding twin servers.

I have installed BIND and in YaST I have an option of DNS Server under network services.

I have been through the wizard, configured forwarders etc, but whenever I do nslookup in Windows I get:

*** Can't find server name for address 192.168.1.98: Query refused
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.1.98

How can I change this? Why is the default server "UnKnown"?

I can look up A records that I specify but if I try to look up say Google I get:

> google.com
Server: UnKnown
Address: 192.168.1.98

*** UnKnown can't find google.com: Query refused

Any help appreciated

Take a look through your logs (not sure where BIND logs on SuSE but /var/log/daemon or /var/log/syslog may be in the right area. You are looking for 'denied' entries against the process 'named'. I suspect his will be acl/view/permission based and would concentrate my search around the allow-query { } options in named.conf

hth

Thanks Dave, that gives me something to look for!

I will take a poke around and post back with my findings.

Well..not having a lot of luck

I have noticed that if i manually change named.conf, it changes back when i restart named.

I have added the following via YaST and can be seen in named.conf:

acl allow-query { all; };
acl allow-recursion { any; };
acl allow-transfer { all; };

But I still can't get it working...

One thing to mention is that this is running on a hosted partition on an IBM server and within its own subnet with mask 255.255.255.248. The clients are in the same address range but with a 255.255.255.0 mask. They server is set to allow any requests...but could this be making a difference?

Also I couldn't find the logs so I told it to go to /home/myaccount/dns.log and log everything...but I can't see anything.

Also in YaST it says bind stats will write to /var/log/named.stats...but there is nothing in /var/log with that name

Rather confused here!!

As a further update, I see the following in the syslog (now that I found the right place!) for each external DNS query:

Jan 5 13:04:59 suse named[18617]: client 192.168.1.224#1066: query: google.com.acme.com IN A +
Jan 5 13:04:59 suse named[18617]: client 192.168.1.224#1067: query: google.com IN A +
Jan 5 13:04:59 suse named[18617]: client 192.168.1.224#1067: query (cache) 'google.com/A/IN' denied


Doesn't really say much to me (other than the obvious fact it's denied)...but perhaps it does to someone else?

I have changed my company name to "acme" - I note on the first line - query: google.com.acme.com

is that correct?? why is it appending my domain suffix?

Also, when I enter "nslookup" into windows and I see this in the command prompt:

*** Can't find server name for address 192.168.1.98: Query refused
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.1.98

I see the following in the log for named:

Jan 5 13:11:52 suse named[18617]: client 192.168.1.224#1082: query: 98.1.168.192.in-addr.arpa IN PTR +
Jan 5 13:11:52 suse named[18617]: client 192.168.1.224#1082: query (cache) '98.1.168.192.in-addr.arpa/PTR/IN' denied

OK, there are some 'if's' and 'buts' there with the networking and hosting and your original question about running dual name servers may be clouding things here. I'm sure you know that a single IP can only host one BIND listening on port 53. but let's go back to basics.

If your run NSLOOKUP {or 'dig' if it's installed} from the command line of the SuSE where you are trying to run this instance of Bind, will it resolve? Let's not try and query it from another machine or OS, query it from itself just to troubleshoot this. Say the IP address of SuSE is 1.2.3.4, from it's own command line do:

nslookup bbc.co.uk 1.2.3.4

and see if it gives you anything back. If not check the logs to see what went wrong.

It's also worth a quick check to rule out any basic failures by running a test against the google public DNS servers at 8.8.8.8 and compare the results:
nslookup bbc.co.uk 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: bbc.co.uk
Address: 212.58.224.138

I'm not that familiar with SuSE and I'm not sure what you have running that is overwriting your named.conf. The gist of what you have should be good as long as you have something like this within your options {} section:

recursion yes;
allow-query {any; };

In reality 'any' may be bad in production, depending on your application, but I'd be inclined to get it working first.
HTH

It means that the server refused access to client 192.168.1.224 looking up google. What's the IP of the server?

Thanks for your reply Dave. I agree that the thread title isn't really relevant anymore. I am just trying to get this single nameserver working for now (and then all I do is set up the second one as a slave).

The ip address of the DNS server is 192.168.1.98

I performed the first test, and it was fine:

suse:/ # nslookup bbc.co.uk 192.168.1.98
Server: 192.168.1.98
Address: 192.168.1.98#53

Non-authoritative answer:
Name: bbc.co.uk
Address: 212.58.224.138

And using google:

suse:/ # nslookup bbc.co.uk 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: bbc.co.uk
Address: 212.58.224.138

I agree any isn't going to be good practice - at the minute it's just a case of learning the ropes and then locking it down. Thanks for pointing that out though. I think that when using BIND via YaST, there is something you need to do in order to manually edit named.conf and have it save the changes. However, the idea is that you shouldn't really need to in the first place.

Certainly appreciate the help

PS - If a mod happens to read this, can you please change the thread title to "Problem with BIND - Query Refused"

So, we it's safe to say the server works.....>

suse:/ # nslookup bbc.co.uk 192.168.1.98
Server: 192.168.1.98
Address: 192.168.1.98#53

Non-authoritative answer:
Name: bbc.co.uk
Address: 212.58.224.138

But other clients are not able to query it. We know that BIND is getting those queries from your Syslog, it's just refusing them:
client 192.168.1.224#1067: query (cache) 'google.com/A/IN' denied

So something in the config of your BIND is refusing those lookups. It may be helpful to post the entire output of your named.conf here {munging any sensitive bits} as I suspect there is some kind of Access Control in place.

At a wild outside guess I wonder if it is something to do with the 'localnets' directive? If that server has a netmask of .248 I make that:
Network: 192.168.1.96
HostMin: 192.168.1.97
HostMax: 192.168.1.102
Broadcast: 192.168.1.103

And this client: client 192.168.1.224 would not fall within that. It should *not* matter with 'any', but I suspect there is something else at work going on. Perhaps you could try a query from a client in the range of 192.168.1.97-102 just to rule that out?

Thanks again!

Getting a client up in that range is possible but not easy...it's a transparent subnet on an IBM Power System for use with virtual interfaces with proxy arp, so I will have to set up another partition on the Power system and then give it an IP in the range. I will try if I get no further though.

Here is named.conf (changed company name to "acme"):

The ACL statements were added via yast as a test. Not fully sure if the syntax is correct. Lots of stuff seems to be commented out...

suse:/var/lib/named/etc # cat named.conf
# Copyright (c) 2001-2004 SuSE Linux AG, Nuernberg, Germany.
# All rights reserved.
#
# Author: Frank Bodammer, Lars Mueller <lmuelle@suse.de>
#
# /etc/named.conf
#
# This is a sample configuration file for the name server BIND 9. It works as
# a caching only name server without modification.
#
# A sample configuration for setting up your own domain can be found in
# /usr/share/doc/packages/bind/sample-config.
#
# A description of all available options can be found in
# /usr/share/doc/packages/bind/misc/options.

options {

# The directory statement defines the name server's working directory

directory "/var/lib/named";

# Write dump and statistics file to the log subdirectory. The
# pathenames are relative to the chroot jail.

dump-file "/var/log/named_dump.db";
statistics-file "/var/log/named.stats";

# The forwarders record contains a list of servers to which queries
# should be forwarded. Enable this line and modify the IP address to
# your provider's name server. Up to three servers may be listed.

#forwarders { 192.0.2.1; 192.0.2.2; };

# Enable the next entry to prefer usage of the name server declared in
# the forwarders section.

#forward first;

# The listen-on record contains a list of local network interfaces to
# listen on. Optionally the port can be specified. Default is to
# listen on all interfaces found on your system. The default port is
# 53.

#listen-on port 53 { 127.0.0.1; };

# The listen-on-v6 record enables or disables listening on IPv6
# interfaces. Allowed values are 'any' and 'none' or a list of
# addresses.

listen-on-v6 { any; };

# The next three statements may be needed if a firewall stands between
# the local server and the internet.

#query-source address * port 53;
#transfer-source * port 53;
#notify-source * port 53;

# The allow-query record contains a list of networks or IP addresses
# to accept and deny queries from. The default is to allow queries
# from all hosts.

#allow-query { 127.0.0.1; };

# If notify is set to yes (default), notify messages are sent to other
# name servers when the the zone data is changed. Instead of setting
# a global 'notify' statement in the 'options' section, a separate
# 'notify' can be added to each zone definition.

notify yes;
include "/etc/named.d/forwarders.conf";
};

# To configure named's logging remove the leading '#' characters of the
# following examples.
#logging {
# # Log queries to a file limited to a size of 100 MB.
# channel query_logging {
# file "/var/log/named_querylog"
# versions 3 size 100M;
# print-time yes; // timestamp log entries
# };
# category queries {
# query_logging;
# };
#
# # Or log this kind alternatively to syslog.
# channel syslog_queries {
# syslog user;
# severity info;
# };
# category queries { syslog_queries; };
#
# # Log general name server errors to syslog.
# channel syslog_errors {
# syslog user;
# severity error;
# };
# category default { syslog_errors; };
#
# # Don't log lame server messages.
# category lame-servers { null; };
#};

# The following zone definitions don't need any modification. The first one
# is the definition of the root name servers. The second one defines
# localhost while the third defines the reverse lookup for localhost.

zone "." in {
type hint;
file "root.hint";
};

zone "localhost" in {
type master;
file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};

# Include the meta include file generated by createNamedConfInclude. This
# includes all files as configured in NAMED_CONF_INCLUDE_FILES from
# /etc/sysconfig/named

include "/etc/named.conf.include";
logging {
category queries { log_file; };
channel log_file { file "/home/suse/dns.log" size 200M; };
category xfer-in { log_file; };
category xfer-out { log_file; };
category default { log_file; };
};
zone "acme.com" in {
allow-transfer { any; };
file "master/acme.com";
type master;
};
acl allow-query { all; };
acl allow-recursion { any; };
acl allow-transfer { all; };

# You can insert further zone records for your own domains below or create
# single files in /etc/named.d/ and add the file names to
# NAMED_CONF_INCLUDE_FILES.
# See /usr/share/doc/packages/bind/README.SUSE for more details.

If we cut all the waffle out of that file we are left with:

A couple of things. I'm not sure if what is in this file: "/etc/named.conf.include" is relevant, but it's been included into your named.conf.

The big one, unless I'm mistaken, is within your options {} directive, you have not given permission to anything for queries, recursion or transfer. I guess that the default is to allow localhost or localnets {just a guess} which is why local queries work.

I note you have created three acl's at the foot of your config {Personally I would have had them at the top} but at no point are they being referenced. For now, comment out or remove:

acl allow-query { all; };
acl allow-recursion { any; };
acl allow-transfer { all; };
*not sure the syntax is right re 'all', as far as I recall the options are: "none"
"any"
"localhost"
"localnets"

Just above the line reading "options {" insert "recursion yes;" and pop this in below it's matching closing brace: "allow-query {any; };" as per below. I've removed the IP6, forwarders, ACL's and include - see if this works for lookups.

Give that a spin and see if it makes a blind bit of difference :-)

Cheers Dave! It does seem entirely logical that what you have pointed out may be the problem. The issue I have is that I just can't seem to make any changes to named.conf

named.conf.includes is empty - i tried changing this, and then restarted named, and it had reset again.

There is a file - /etc/sysconfig/named that has the following (garbage removed):


suse:/etc/sysconfig # cat named

NAMED_RUN_CHROOTED="yes"
NAMED_ARGS=""
NAMED_CONF_INCLUDE_FILES=""
NAMED_INITIALIZE_SCRIPTS="createNamedConfInclude"

Can I perhaps add the additional options/parameters to say 'custom.conf' and make it an include?

Would I be better off removing bind and the yast dns tool..then reinstalling bind and doing it by hand?

Let's narrow this down too. If you make the changes to your named.conf and *don't* restart bind, if you less or cat it, have the changes really been made? What I'm getting at is do the changes really get saved at all, or is it they are definitely being wiped out when you restart it?

The changes show up if I save it and then cat it. But if i restart named they revert back to how they were before.

I am not in the office today due to the snow so I will pick this up tomorrow.

Really appreciate the help you have given

No worries Chris - I couldn't use the snow as an excuse working from home and all that :-) I'm guessing that one of the SuSE helper scripts is being *really* helpful :-) I installed it on Virtualbox this morning and then spent some time fighting the firewall. I'll have a crack at BIND on it later and see if I can make any sense of it - right now I have to make a snowman....

OK, now I've finished my Snowman and Iglo, I've had a quick play with a Virtualbox SuSE -v- BIND.

By any chance are you editing:
/var/lib/named/etc/named.conf

rather than
/etc/named.conf

The reason I ask is this 'SuSE' 'helper' file (assume it may be the YaST thingy - not that familiar with it) called:
/etc/sysconfig/named
gives a hint:
So in other words, the usual /etc/named.conf will be copied to /var/lib/named/etc/named.conf overwriting it on each restart. This is to satisfy the CHROOT jail needing to access a named.conf file.

I can confirm if I edit the correct /etc/named.conf and restart:
/etc/named.conf overwrites /var/lib/named/etc/named.conf as expected.

If that's not what is going on for you Chrisgti, I'm stumped :-)
hth


ASIDE:
I'm guessing that the zonefiles either need to be placed relative to the chroot jail: /var/lib/named/

or included in the /etc/sysconfig/named NAMED_CONF_INCLUDE_FILES="" directive and judging by this:
/var/lib/named/localhost.zone
/var/lib/named/127.0.0.zone
The former seems to be in use.

Best of luck with it old chap ;-)

Ahh, I think this is exactly my problem. I am indeed editing /var/lib/named/etc/named.conf

I did see /etc/named.conf but the config looked different and I thought that since the live files were in /var/lib/named (as shown in the yast info) that I was probably barking up the wrong tree. Apparently not!

The snow has kept me at home again today (my snowman is loving it, he's an old man now in snowman years!)

I will try all this on Monday and report back (off tomorrow!), but I think you have got to the bottom of it.

Again, many thanks for taking the time to help me out. It's been a beneficial exercise, learned loads about DNS that I previously took for granted.

So...hopefully on Monday I will be updating saying it's working :D

(I'll also look up what CHROOT jail is all about!)

Cheers

Chris

No worries Chris. I wanted the excuse to look a SuSE - good luck with it old chap ;-)

Well the snow is going and dispite my best efforts I couldn't get stuck in my street again so here I am in the office!

I made the following changes to /etc/named.conf -

recursion yes;
allow-query {any; };

Restarted named and I the following output:

suse:~ # rcnamed restart
Shutting down name server BIND waiting for named to shut down (28s) done
Starting name server BIND rm: cannot remove `/var/lib/named/': Is a directory
cp: missing destination file operand after `/var/lib/named/'
Try `cp --help' for more information.
startproc: exit status of parent of /usr/sbin/named: 1
failed
suse:~ # rcnamed start
Starting name server BIND rm: cannot remove `/var/lib/named/': Is a directory
cp: missing destination file operand after `/var/lib/named/'
Try `cp --help' for more information.
/etc/named.conf:17: unknown option 'recursion'
skipped

Not too sure what the issue is with "cannot remove..." but I went back and removed the 'recursion yes;' line and then I was able to start the server (still with the rm issue mentioned)

The good news is my test box is now able to query google.com!

However now on the test machine where before I had "query refused" I get:

*** Can't find server name for address 192.168.1.98: Non-existant domain
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.1.98

So..how can I fix this?

Also - port 53 will never be open on our external firewall - this service is for internal use only so allowing any query should not be an issue - however, as a matter of good practice, I would like to restrict lookups to 192.168.0.0. /16 (we have several VLANs) AND a single 172.16.1.0 subnet - where do I do this? I tried 'allow-query { 192.168.1.0; };' but then started getting 'query refused' again

Looks like I'm getting there, many thanks for your time Dave :)

I'm not sure why it's trying to remove the directory, but I suspect the failure may be some kind of munging/bum character in the named.conf file, especially around the:
area

Have you edited the file on a Windows box that uses the wrong line endings (CRLF-v-LF)? Cut an paste from a browser? Did you change the permissions or owner on /var/lib/named at any stage?

Putting that to one side, this problem:..
Can you remind my old, snow blinded brain the query you are issuing to get this.

Rerun the query (or a few) whilst TCPDumping the server on port 53:

If the server is actually seeing your query, say a lookup for 'biscuit.com' you'll get a hive of activity:
If not, it's fair to say the server is not seeing the query. If so, we need to look at any networking issues or issues with the SuSE firewall.

I am editing the files using Putty in Windows. I will take a look at that in a bit.

The query I am issuing is simply "nslookup" (no args) from a cmd box in Windows.

Running tcpdump gives no output at all for any nslookup command (port in firewall is open, also tried stopping firewall entirely) - however I can see my requests in /var/log/messages and lookups to external domains are working and I can browse quite happily using my new nameserver. So that is a bit odd.

The research I have done on this points to the lack of a reverse lookup zone...so I made one

zone "1.168.192.in-addr.arpa" {
allow-transfer { any; };
file "master/192.168.1.rev";
type master;
};

And in that file I had simply:

$TTL 1W
@ IN SOA suse.acme.com. root.suse.acme.com. (
42 ; serial (d. adams)
2D ; refresh
4H ; retry
6W ; expiry
1W ) ; minimum

IN NS suse.acme.com
1 IN PTR suse.acme.com

But I still get UnKnown...so I made a small change:

$TTL 1W
@ IN SOA suse.acme.com. root.suse.acme.com. (
42 ; serial (d. adams)
2D ; refresh
4H ; retry
6W ; expiry
1W ) ; minimum

IN NS suse.acme.com
192.168.1.98 IN PTR suse.acme.com

And now I get:

C:\Documents and Settings\Chris>nslookup
1.168.192.in-addr.arpa
primary name server = suse.acme.com
responsible mail addr = root.suse.acme.com
serial = 42
refresh = 172800 (2 days)
retry = 14400 (4 hours)
expire = 3628800 (42 days)
default TTL = 604800 (7 days)
*** Can't find server name for address 192.168.1.98: No information
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.1.98

So..I am getting somewhere..it sees the name for the primary NS but then says no information?

Almost there now I presume..just the odd tweak to make.

I'm rather pleased it's not been a smooth process...it's been a cracking learning exercise

Right - Looked at PTR records more and clearly my Syntax was wrong!

I changed the PTD record to:

98.69.183.195.in-addr.arpa. IN PTR suse.acme.com

Now when I do nslookup I get:

C:\Documents and Settings\Chris>nslookup
Default Server: suse.acme.com.1.168.192.in-addr.arpa
Address: 192.168.1.98

But even with that I wasn't expecting anything after the suse.acme.com...is this still a config thing or is there now nothing to worry about?

I've also now figured out how to lock down requests to specific address ranges(I missed subnet mask earlier).

So..I think the next step is to add all the records and then set up the slave!

Dave...again, many thanks for your help. Have an e-beer.

I'm sorry I did not respond sooner, I was enjoying that virtual beer and had one two many ;-)
Glad you've got it sorted.