I'm running BIND 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 on CentOS 6.6. The only zone is for classless reverse DNS, which has been delegated.
I'm no BIND or DNS expert, but as I understand it, classless reverse DNS requires recursion.
With recursion set to "any", the server returns correct PTR records, but also functions as an open DNS server, which is not desired. With recursion set to localhost, all queries are denied.
Recursion any:
Code:
> 64.19.199.56
Server: slcdns1.redacted.com
Address: 64.19.199.55
Aliases: 55.199.19.64.in-addr.arpa
Non-authoritative answer:
56.199.19.64.in-addr.arpa canonical name = 56.0-127.199.19.64.in-addr.arpa
56.0-127.199.19.64.in-addr.arpa name = slcdns2.redacted.com
0-127.199.19.64.in-addr.arpa nameserver = slcdns1.redacted.com
0-127.199.19.64.in-addr.arpa nameserver = slcdns2.redacted.com
slcdns1.redacted.com internet address = 64.19.199.55
slcdns2.redacted.com internet address = 64.19.199.56
Any thoughts on how I can get this to respond to queries for the reverse zone without functioning as an open server? Also, is it the correct behavior for the first query to show as non-authoritative?
named.conf:
Code:
options {
    listen-on port 53 { 10.10.1.55; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity debug;
    };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

view "outsiderev" {
    empty-zones-enable no;
    allow-recursion { 127.0.0.1; };
    allow-query { none; };
    additional-from-auth no;
    additional-from-cache no;

    zone "0-127.199.19.64.in-addr.arpa" {
        type master;
        file "/var/named/64.19.199.rev";
        allow-update { 10.10.1.56; };
        allow-query { any; };
        allow-transfer { 10.10.1.56; };
        notify yes;
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "redacted.com" {
        type master;
        file "/var/named/redacted.com.hosts";
        allow-update { 10.10.1.56; };
        allow-query { any; };
        notify yes;
        allow-transfer { 10.10.1.56; };
    };

    zone "0.0.127.in-addr.arpa" {
        type master;
        file "/var/named/127.0.0.rev";
        allow-update { none; };
        allow-query { none; };
    };

    zone "localhost" IN {
        type master;
        file "master.localhost";
    };
};
Zone file:
Code:
$ORIGIN 0-127.199.19.64.IN-ADDR.ARPA.
@       IN  SOA  slcdns1.redacted.com. administrator.redacted.com. (
                1379648159  ; serial
                10800       ; refresh
                3600        ; retry
                604800      ; expire
                38400 )     ; minimum (negative caching TTL)
@       IN  NS   slcdns1.redacted.com.
@       IN  NS   slcdns2.redacted.com.
55      IN  PTR  slcdns1.redacted.com.
56      IN  PTR  slcdns2.redacted.com.
...
...
...
Well, if 64.19.199.55 and 64.19.199.56 don't belong to your local network, you should add them to the allow-recursion directive, along with any other host that can submit recursive queries:
Also comment out the "allow-query { none; };" in the global section, because I don't know if it supersedes the "allow-query { any; };" in the zone definition.
Besides, you want your server to answer queries for the zones it's authoritative for.
Last edited by bathory; 11-15-2014 at 01:40 AM.
Reason: typo
Thanks for the update. I changed allow-recursion and commented out allow-query in the global section. I'm getting the same results.
When, from an outside network, I query the server directly:
When, from an outside network, I query a different server which then hits the nameserver in question:
client 74.125.19.146#44510: view outsiderev: query '42.0-127.199.19.64.in-addr.arpa/PTR/IN' approved
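To make the name arithmetic behind the two results above concrete, here is an added Python helper (not from the thread, nor from BIND) that builds the RFC 2317 names for this delegation, taking the block as 64.19.199.0/25 (inferred from the zone name 0-127.199.19.64.in-addr.arpa), and reports which query names the server can answer from its own zone without recursion: the plain 56.199.19.64.in-addr.arpa name asked for in the first nslookup lives in the parent /24 zone and is only reachable through its CNAME, while the 42.0-127.199.19.64.in-addr.arpa name in the log line is inside the delegated zone.

```python
import ipaddress


def reverse_name(ip):
    """Standard in-addr.arpa owner name, e.g. '56.199.19.64.in-addr.arpa.'."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def classless_zone(network):
    """RFC 2317 zone name for a block smaller than a /24 inside one /24,
    e.g. '0-127.199.19.64.in-addr.arpa.' for 64.19.199.0/25."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen <= 24:
        raise ValueError("classless delegation only applies below a /24")
    first = int(net.network_address) & 0xFF
    last = int(net.broadcast_address) & 0xFF
    parent = ".".join(reversed(str(net.network_address).split(".")[:3]))
    return f"{first}-{last}.{parent}.in-addr.arpa."


def classless_name(ip, network):
    """Owner name of the PTR inside the delegated zone,
    e.g. '56.0-127.199.19.64.in-addr.arpa.'."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(network):
        raise ValueError(f"{ip} is not inside {network}")
    return f"{int(addr) & 0xFF}.{classless_zone(network)}"


def parent_cname(ip, network):
    """The CNAME the parent /24 zone must carry for one address so that
    resolvers are sent to the delegated name (this is what the
    'canonical name = ...' line in the nslookup output came from)."""
    return f"{reverse_name(ip)} IN CNAME {classless_name(ip, network)}"


def answerable_authoritatively(qname, zones):
    """True when qname is at or below a zone this server is master for.
    Any other name (e.g. the plain 56.199.19.64.in-addr.arpa) can only be
    served by recursing, which an authoritative-only server refuses."""
    q = qname.lower().rstrip(".")
    owned = [z.lower().rstrip(".") for z in zones]
    return any(q == z or q.endswith("." + z) for z in owned)
```

With that distinction in hand, the authoritative-only shape is `recursion no;` (or `allow-recursion` limited to localhost) together with `allow-query { any; };` on the delegated zone, and the server is tested by asking it for the classless name, leaving the parent's CNAME for outside resolvers to follow.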