LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 11-13-2014, 04:58 PM   #1
sbmechanics
BIND classless DNS query - recursion problems


I'm running BIND 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 on CentOS 6.6. The only zone is for classless reverse DNS, which has been delegated.

I'm no BIND or DNS expert, but as I understand it, classless reverse DNS requires recursion.

With recursion set to "any", the server returns correct PTR records, but also functions as an open DNS server, which is not desired. With recursion set to localhost, all queries are denied.

Recursion any:
Code:
> 64.19.199.56
Server:  slcdns1.redacted.com
Address:  64.19.199.55
Aliases:  55.199.19.64.in-addr.arpa

Non-authoritative answer:
56.199.19.64.in-addr.arpa       canonical name = 56.0-127.199.19.64.in-addr.arpa

56.0-127.199.19.64.in-addr.arpa name = slcdns2.redacted.com

0-127.199.19.64.in-addr.arpa    nameserver = slcdns1.redacted.com
0-127.199.19.64.in-addr.arpa    nameserver = slcdns2.redacted.com
slcdns1.redacted.com    internet address = 64.19.199.55
slcdns2.redacted.com    internet address = 64.19.199.56

Recursion localhost:
Code:
> 64.19.199.56
Server:  slcdns1.redacted.com
Address:  64.19.199.55
Aliases:  55.199.19.64.in-addr.arpa

*** slcdns1.redacted.com can't find 56.199.19.64.in-addr.arpa.: Query refused

Any thoughts on how I can get this to respond to queries for the reverse zone without functioning as an open server? Also, is it the correct behavior for the first query to show as non-authoritative?

named.conf:
Code:
options {
        listen-on port 53 { 10.10.1.55; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity debug;
        };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

view "outsiderev" {
        empty-zones-enable no;
        allow-recursion { 127.0.0.1; };
        allow-query { none; };
        additional-from-auth no;
        additional-from-cache no;

        zone "0-127.199.19.64.in-addr.arpa" {
                type master;
                file "/var/named/64.19.199.rev";
                allow-update { 10.10.1.56; };
                allow-query { any; };
                allow-transfer { 10.10.1.56; };
                notify yes;
        };

        zone "." IN {
                type hint;
                file "named.ca";
        };

        zone "redacted.com" {
                type master;
                file "/var/named/redacted.com.hosts";
                allow-update { 10.10.1.56; };
                allow-query { any; };
                notify yes;
                allow-transfer { 10.10.1.56; };
        };

        zone "0.0.127.in-addr.arpa" {
                type master;
                file "/var/named/127.0.0.rev";
                allow-update { none; };
                allow-query { none; };
        };

        zone "localhost" IN {
                type master;
                file "master.localhost";
        };
};

Zone file:
Code:
$ORIGIN 0-127.199.19.64.IN-ADDR.ARPA.
@       IN      SOA     slcdns1.redacted.com. administrator.redacted.com. (
                        1379648159
                        10800
                        3600
                        604800
                        38400 )
@       IN      NS      slcdns1.redacted.com.
@       IN      NS      slcdns2.redacted.com.

55      IN      PTR     slcdns1.redacted.com.
56      IN      PTR     slcdns2.redacted.com.
...
...
...
 
Old 11-14-2014, 03:18 PM   #2
bathory
Hi,

You can use
Code:
allow-recursion {"localnets"; localhost;};
Regards
 
Old 11-14-2014, 03:35 PM   #3
sbmechanics
Quote:
Originally Posted by bathory
Hi,

You can use
Code:
allow-recursion {"localnets"; localhost;};
Regards
Thanks very much. I tried that, and the queries are still denied.
 
Old 11-14-2014, 04:20 PM   #4
bathory
Well, if 64.19.199.55 and 64.19.199.56 don't belong to your local network, you should add them to the allow-recursion directive, along with any other host that can submit recursive queries:
Code:
allow-recursion {64.19.199.55; 64.19.199.56; localnets; localhost;};
Also comment out the "allow-query { none; };" in the global section, because I don't know if it supersedes the "allow-query { any; };" in the zone definition.
Besides, you want your server to answer queries for the zones it's authoritative for.

 
Old 11-15-2014, 11:05 AM   #5
sbmechanics
Quote:
Originally Posted by bathory
Well, if 64.19.199.55 and 64.19.199.56 don't belong to your local network, you should add them to the allow-recursion directive, along with any other host that can submit recursive queries:
Code:
allow-recursion {64.19.199.55; 64.19.199.56; localnets; localhost;};
Also comment out the "allow-query { none; };" in the global section, because I don't know if it supersedes the "allow-query { any; };" in the zone definition.
Besides, you want your server to answer queries for the zones it's authoritative for.
Thanks for the update. I changed allow-recursion and commented out allow-query in the global section. I'm getting the same results.

When, from an outside network, I query the server directly:

client 1.2.3.4#1509: view outsiderev: query (cache) '40.199.19.64.in-addr.arpa/PTR/IN' denied
client 1.2.3.4#1509: view outsiderev: query failed (REFUSED) for 40.199.19.64.in-addr.arpa/IN/PTR at query.c:5426
client 1.2.3.4#1509: view outsiderev: error

When, from an outside network, I query a different server which then hits the nameserver in question:
client 74.125.19.146#44510: view outsiderev: query '42.0-127.199.19.64.in-addr.arpa/PTR/IN' approved

Thanks
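The two log lines above show the split an RFC 2317 delegation produces: 40.199.19.64.in-addr.arpa lies outside the zone this server is authoritative for, so it is a cache query and is refused once recursion is closed, while 42.0-127.199.19.64.in-addr.arpa (the name a resolver asks for after following the parent's CNAME) is inside the zone and is answered without any recursion. The Python below is an added example, not code from the thread; it assumes the parent zone 199.19.64.in-addr.arpa carries the RFC 2317 CNAMEs, which the thread does not show.

```python
# Added example (not from the thread): model which reverse queries a server that is
# authoritative only for the RFC 2317 zone "0-127.199.19.64.in-addr.arpa" can answer
# without recursion, and what the delegating parent zone must hold for that to work.
# Zone and addresses come from the thread; the parent CNAME is assumed, not shown there.

ZONE = "0-127.199.19.64.in-addr.arpa."


def canonical(name: str) -> str:
    """Lower-case and make fully qualified (trailing dot) for comparison."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_zone(qname: str, zone: str = ZONE) -> bool:
    """True if qname is the zone apex or a name below it."""
    q, z = canonical(qname), canonical(zone)
    return q == z or q.endswith("." + z)


def rfc2317_cname(ip: str, zone: str = ZONE) -> str:
    """Record the parent zone (199.19.64.in-addr.arpa) needs for one address.

    RFC 2317: the parent aliases the plain last octet into the delegated classless
    zone, so resolvers following the CNAME end up asking for a name *inside* it.
    """
    o1, o2, o3, o4 = ip.split(".")
    classic = f"{o4}.{o3}.{o2}.{o1}.in-addr.arpa."
    return f"{classic} IN CNAME {o4}.{canonical(zone)}"


def expected_result(qname: str, recursion_allowed: bool, zone: str = ZONE) -> str:
    """What an authoritative-only server does with this query name."""
    if in_zone(qname, zone):
        return "answered from zone data (no recursion needed)"
    if recursion_allowed:
        return "answered via recursion (server acts as a resolver)"
    return "REFUSED: outside the zone and recursion is not allowed"


if __name__ == "__main__":
    # The two query names that appear in the thread's log lines.
    for q in ("40.199.19.64.in-addr.arpa", "42.0-127.199.19.64.in-addr.arpa"):
        print(f"{q:40} -> {expected_result(q, recursion_allowed=False)}")
    print(rfc2317_cname("64.19.199.56"))
```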
 
Old 11-15-2014, 01:07 PM   #6
bathory
Quote:
Thanks for the update. I changed allow-recursion and commented out allow-query in the global section. I'm getting the same results.
According to the following dig output, your servers are denied queries (to themselves!!!) and also they are denied recursion:
Code:
dig -x 64.19.199.55 @64.19.199.55

; <<>> DiG 9.10.1 <<>> -x 64.19.199.55 @64.19.199.55
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 42934
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;55.199.19.64.in-addr.arpa.     IN      PTR

;; Query time: 243 msec
;; SERVER: 64.19.199.55#53(64.19.199.55)
;; WHEN: Sat Nov 15 20:49:32 EET 2014
;; MSG SIZE  rcvd: 54
So, are you sure you're restarting bind for the changes to take effect?

Also, if you're not using views (I can see only 1 view definition, but no ACLs for it), remove or comment out the following:
Quote:
view "outsiderev" {
empty-zones-enable no;
allow-recursion { 127.0.0.1; };
allow-query { none; };
additional-from-auth no;
additional-from-cache no;
and the closing view bracket (the one after the zones definition)
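To read a dig header like the one above the way bathory does (status REFUSED, flags qr rd, no ra), here is an added example that parses the header lines and says what they mean for a server that should only serve its own zones; it is not code from the thread, and the sample response embedded in it is constructed to match the thread's output.

```python
# Added example (not from the thread): read the header of a dig response and state
# what the rcode and flags imply for an authoritative-only server.
# SAMPLE_REFUSED is constructed to match the REFUSED response posted in the thread.
import re

SAMPLE_REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 42934
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
"""

STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);", re.MULTILINE)


def parse_header(dig_output: str) -> dict:
    """Return the rcode and the set of header flags from dig's text output."""
    status = STATUS_RE.search(dig_output)
    flags = FLAGS_RE.search(dig_output)
    if not status or not flags:
        raise ValueError("no dig header found")
    return {"status": status.group("status"), "flags": set(flags.group("flags").split())}


def assess(dig_output: str) -> str:
    """Interpret the header for a server that should only answer for its own zones.

    aa = answer came from zone data the server is authoritative for
    rd = client asked for recursion; ra = server is willing to recurse for this client
    """
    h = parse_header(dig_output)
    f = h["flags"]
    if h["status"] == "REFUSED":
        return ("REFUSED: client does not match allow-query, or for a cache query "
                "allow-query-cache (which defaults to allow-recursion)")
    if "aa" in f and "ra" not in f:
        return "authoritative answer, recursion not offered: closed resolver (desired)"
    if "ra" in f:
        return "recursion available to this client: open resolver if the client is external"
    return f"{h['status']} with flags {sorted(f)}"


if __name__ == "__main__":
    print(assess(SAMPLE_REFUSED))
```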