Bind issues

puzzled_one · 03-14-2010, 12:56 AM

Ok, well im all square-eyed now, spent far too much time on this when it should be easy apparently, haha..

Basically it goes like this...

192.168.1.2 = adsl2+ router

server pc
192.168.1.1 = eth1 - goes to the router
192.168.0.1 = eth0 - goes to network switch

Have 3 pc's on the 192.168.0 range

with the gateway for the internal pc's being

192.168.0.1 = eth0

192.168.0.12 Browsing Box
192.168.0.14 Gaming Box
...

I have routing sorted, i think...

eg, internal network pc's can say browse the internet etc, while the server pc cant...

I have tried to employ bind as i hosts 2 domains...

what i cannot figure out for the life of me is how to use bind correctly..

basically i want the internal pc's to use 192.168.0.1 as the dns & Gateway
if they visit either of the hosted domains

(not actual domain names obviously)

example.com

axample.com

they are routed to that and not to the web then back to my router login..

I also still want the internal pc's of course to browse the web too though..

any help would be awesome..

Some more information incase its a simple error

ifconfig

Quote:

eth0 Link encap:Ethernet HWaddr 00:02:44:67:9E:8B
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::202:44ff:fe67:9e8b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:84047 errors:0 dropped:0 overruns:0 frame:0
TX packets:81387 errors:0 dropped:0 overruns:0 carrier:0
collisions:6034 txqueuelen:1000
RX bytes:7183332 (6.8 MiB) TX bytes:11576500 (11.0 MiB)
Interrupt:10 Base address:0x6000

eth1 Link encap:Ethernet HWaddr 00:04:5A:6A:29:40
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::204:5aff:fe6a:2940/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:14934 errors:0 dropped:0 overruns:0 frame:0
TX packets:16016 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6973047 (6.6 MiB) TX bytes:2577524 (2.4 MiB)
Interrupt:11 Base address:0xe000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1890 errors:0 dropped:0 overruns:0 frame:0
TX packets:1890 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:205230 (200.4 KiB) TX bytes:205230 (200.4 KiB)

Route

Quote:

Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 complex.example 255.255.255.0 UG 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
default 192.168.1.2 0.0.0.0 UG 0 0 0 eth1

/var/named/chroot//etc/named.conf

Quote:

options {
directory "/etc";
pid-file "/var/run/named/named.pid";
};

zone "www.example.net" {
type master;
file "/var/named/www.example.net.hosts";
};
zone "www.axample.net" {
type master;
file "/var/named/www.axample.net.hosts";
};
zone "." {
type hint;
file "/var/named/db.cache";
};

/var/hosts

Quote:

# hostname complex.example.net added to /etc/hosts by anaconda
127.0.0.1 localhost.localdomain localhost complex.example.net
192.168.1.1 complex.example.net localhost
::1 localhost6.localdomain6 localhost6 complex.example.net

/var/resolv.conf

Quote:

# Generated by NetworkManager

# No nameservers found; try putting DNS servers into your
# ifcfg files in /etc/sysconfig/network-scripts like so:
#
# DNS1=xxx.xxx.xxx.xxx
# DNS2=xxx.xxx.xxx.xxx
# DOMAIN=lab.foo.com bar.foo.com

spampig · 03-14-2010, 01:21 AM

All BIND {or any DNS server} can do is resolve example1.com and example2.com to IP addresses and this would be done with a zone file for each and an entry in named.conf to point to those zone files. Once the PC has the IP address from the DNS server then it becomes the job of routing as to how and where the packets go.

In case there is any confusion, all BIND can do for you is give your clients IP addresses for example1.com and example2.com - that the only job it does. It's also important to note that a DNS server usually needs an internet connection to recurse requests that it does not know the answer to. If your ordinary clients are using it for their day to day DNS needs, it's going to need to be able to call out to the wild.

HTH

puzzled_one · 03-14-2010, 01:55 AM

I fully understand that... in theory

putting it to practical use on the other hand is the problem...

I feel like a dummie for not understand how to impliment that as its so confusing writting the configs or using webmin to acomplish the same using the bind interface... basically im wondering if someone can give me a working example...

spampig · 03-14-2010, 06:21 AM

I'm pretty much a dummy too, but I get by :-) Here is a basic working config that covers most of what you need.

It's impossible to give you a total Montell Jordon {grin 'this is how we do it....} that will fit your exact needs without knowing a fair bit about your set up, but here is a rough working example.

You probably know that BIND has a utility called 'RNDC' (remote named daemon controller) that is useful for controlling it. Think of it as a 'remote control' system. So that not every Tom, Dick and Harry can control your BIND server you create a secret key and tell BIND about it. There are a couple of ways to do this. One is to put the key itself into the named.conf file, the other is to put the path to a separate key file in named.conf. This example uses the latter.

The key needs some kind of random data and usually uses data from /dev/random. However, there is a known issue with the key generation script that can cause it to hang if it can't get random data drom that location. The workaround is to use 'mashing' the keyboard as a random source, but it takes a fair bit of typing to get the key. Enough waffle, generate the key by running 'rndc-confgen -a -r keyboard'

Code:

rndc-confgen -a -r keyboard
start typing:
...............................
...........................
...........................
...........................
...........................
...........................
...........................
...........................
stop typing.
wrote key file "/etc/bind/rndc.key"

The next step is to configure the rndc program so it can talk to BIND using the right key. This is done by copying the key details from the file you've just created (/etc/bind/rndc.key) and putting them in rndc.conf AND named.conf (note there are various ways to achieve this, some using external key files, but this will keep it simple for now)

So if the contents of /etc/bind/rndc.key look like this

Code:

key "rndc-key" {
        algorithm hmac-md5;
        secret "/laladadadadeedaa==";
};

Create the file /etc/bind/rndc.conf containing:

Code:

# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "/laladadadadeedaa==";
};
options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};

We will also put the secret key "/laladadadadeedaa==" into named.conf....

Create named.conf file:

Code:

# BIND example Server Configuration
        key "rndc-key" {
        algorithm hmac-md5;
        secret "/laladadadadeedaa==";
        };
        controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

acl blacklisted { 
66.90.64.0/18;
75.151.0.0/16;
208.36.0.0/15;
204.11.48.0/21;
};

acl lookups-allowed {
localhost;
localnets;
192.168.0.0/24;
192.168.1.0/24;
};

acl xfer-allowed {
192.168.0.0/24;
192.168.1.0/24;
};

options {
blackhole {blacklisted; };
	directory "/etc/bind/";
	recursion yes;
	allow-query {lookups-allowed; };
  	allow-recursion {lookups-allowed; };
	notify yes;
};
################################################################################
# Logging Configuration
#
logging {
    #
    # Define channels for the two log files
    #
    channel query_log {
        severity info;
        print-time yes;
	syslog syslog_facility;
    };
    channel activity_log {
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
	syslog syslog_facility;
    };
    #
    # Send the interesting messages to the appropriate channels
    #
    category queries         { query_log; };
    category default         { activity_log; };
    category xfer-in         { activity_log; };
    category xfer-out        { activity_log; };
    category notify          { activity_log; };
    category security        { activity_log; };
    category update          { activity_log; };
    #
    # Dump all uninteresting messages
    #
    category network         { null; };
    category lame-servers    { null; };
};

################################################################################
# Zone Configuration
#

#
# Specify the root name servers
#
zone "." IN {
	type hint;
	file "/etc/bind/zones/db.root";
};

#
# Configure zonefile
#
zone "example1.com" IN {
	type master;
	file "/etc/bind/zones/example1.com.zone";
	#WHO ARE WE GOING TO ALLOW ACCESS TO THIS ZONE? IF IT IS LIMITED TO LOCAL USERS WE USE:
	allow-query {lookups-allowed; };
	#IF WE WANT THE WHOLE WORLD TO BE ABLE TO QUERY YOUR SERVER FOR THIS ZONE WE USE allow-query {any; };
    	allow-transfer {xfer-allowed; };
	allow-update { none; };
};
zone "example2.com" IN {
	type master;
	file "/etc/bind/zones/example2.com.zone";
	#WHO ARE WE GOING TO ALLOW ACCESS TO THIS ZONE? IF IT IS LIMITED TO LOCAL USERS WE USE:
	allow-query {lookups-allowed; };
	#IF WE WANT THE WHOLE WORLD TO BE ABLE TO QUERY YOUR SERVER FOR THIS ZONE WE USE allow-query {any; };
	allow-transfer {xfer-allowed; };
	allow-update { none; };
};
# Reverse IP mapping
#
zone "0.0.127.in-addr.arpa" {
	type master;
	file "/etc/bind/zones/db.127";
};
# reverse mapping to stop leaking of private address space
#
zone "10.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};
zone "16.172.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};
zone "17.172.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};
zone "18.172.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};
zone "19.172.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};
zone "20.172.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};
zone "21.172.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};
zone "22.172.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};
zone "23.172.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};
zone "24.172.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};
zone "25.172.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};
zone "26.172.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};
zone "27.172.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};
zone "28.172.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};
zone "29.172.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};
zone "30.172.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};
zone "31.172.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};
zone "1.168.192.in-addr.arpa" {
  type master;
  file "/etc/bind/zones/192.168.1.zone";
};
zone "0.168.192.in-addr.arpa" {
  type master;
  file "/etc/bind/zones/192.168.0.zone";
};
zone "168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/empty.zone";
};

You now need to create your zonefiles, both to resolve the name to an IP address AND to do the opposite - resolve an IP back to a name.
For clarity I'll assume you have created a directory '/etc/bind/zones' to hold them. I'm going to assume that your domain is called 'example.local'

I'll start with the generic empty zone used to stop requests for private networks 'leaking' to the internet:
'/etc/bind/zones/empty.zone'

Code:

@ 10800 IN SOA ns.example.local. admin.example.local (
        1 3600 1200 604800 10800 )
@ 10800 IN NS ns.example.local.

Now a reverse zonefile for your 192.168.0.x network. I'll assume you have three hosts in this network; 'Tom (192.168.0.10), Dick(192.168.0.20) & Harry(192.168.0.30)'
/etc/bind/zones/192.168.0.zone

Code:

@ 10800 IN SOA ns.example.local. admin.example.local (
        1 3600 1200 604800 10800 )
	IN NS ns.example.local.
10	IN      PTR     tom
20	IN      PTR     dick
30	IN      PTR     harry

Now a forward zonefile for file example1.com - I'm going to assume your DNS Name Server is 192.168.0.1 and that you have a mail server (mx) called 'mail' at 192.168.0.50, a web server at 192.168.0.60 and for the sake of illustration a SQUID proxy server called 'squid' running on 192.168.0.70
/etc/bind/zones/example1.com.zone

Code:

$TTL 86400      ; 1 day
@ 10800 IN SOA ns.example.local. admin.example.local (
        1 3600 1200 604800 10800 )
	IN NS ns.example.local.
        A 192.168.0.60
        MX 10 mail.example1.com.
ns	A 192.168.0.1
mail	A 192.168.0.50
www     A 192.168.0.60
squid	A 192.168.0.70

And example2.com - this time assuming a similar set of hosts but in the 192.168.0.1xx range
/etc/bind/zones/example2.com.zone

Code:

$TTL 86400      ; 1 day
@ 10800 IN SOA ns.example.local. admin.example.local (
        1 3600 1200 604800 10800 )
	IN NS ns.example.local.
        A 192.168.0.160
        MX 10 mail.example2.com.
ns	A 192.168.0.1
mail	A 192.168.0.150
www     A 192.168.0.160
squid	A 192.168.0.170

A reverse zone for 127.x called 'db.127'

Code:

$TTL 86400      ; 1 day
0.0.127.in-addr.arpa.   IN SOA ns.example.local. admin.example.local (
                        2008083001 ; serial
                        21600      ; refresh (6 hours)
                        3600       ; retry (1 hours)
                        604800     ; expire (1 week)
                        86400      ; minimum (1 day)
                        )
0.0.127.in-addr.arpa. IN NS ns.example.local.

With the zone files in place all you would need to do is restart or reload the server either using '/etc/init.d/bind restart' - or 'rndc reload'.

This is basic and should work but lacks additional name servers, slave set up, if and how you are going to let it be authorative to the whole world or just locally and fine tuning for your hosts and needs.

You can test your server with the DIG or NSLOOKUP commands - example:

Code:

FORWARD TEST:
dig @192.168.0.1 mail.example1.com
dig @192.168.0.1 www.example1.com
dig @192.168.0.1 mx example1.com
REVERSE TEST
dig @192.168.0.1 -x 192.168.1.50
WITH NSLOOKUP
FORWARD TEST:
nslookup -querytype=A mail.example1.com 192.168.0.1
nslookup -querytype=A www.example1.com 192.168.0.1
nslookup -querytype=MX example1.com 192.168.0.1
REVERSE TEST
nslookup -querytype=PTR 192.168.1.60 192.168.0.1

FINALLY - MAKE SURE PORT 53 IS OPEN ON THE DNS SERVER TO ACCEPT REQUESTS, that you have set /etc/resolv.conf on any linux clients to use the nameserver you have just created, and pointed any Windows/Mac/Other hosts to use your NS ONLY and not multiple NSs (or your results will not be reliable)

THIS IS A VERY USEFUL GUIDE: http://www.redhat.com/docs/manuals/l...e/ch-bind.html

NOTES ABOUT rndc. These are mentioned as I've seen lots of issues with the key if changed whilst BIND/NAMED is running
If you should get warnings like this:

Quote:

rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not syncronized, or
* the key is invalid.

And you are sure the key /etc/bind/rndc.key matches in /etc/bind/rndc.conf and /etc/bind/named.conf try and stop bind with
/etc/init.d/bind9 stop
If you spot 'FAIL' then 'killall named', make sure it has stopped with /etc/init.d/bind9 stop {should report 'rndc: connect failed: 127.0.0.1#953: connection refused' as it's down already} then restart it '/etc/init.d/bind9 start' and check 'rndc reload' works.

puzzled_one · 03-14-2010, 06:27 AM

i think while u were writting your post i had edited my first post with information that would probley be helpful to pin pointing the problem

cheers for taking the time to help out a fellow newb..

For clarity i have chrooted named etc ..

spampig · 03-14-2010, 06:35 AM

Work through what you have here and let us know where you get stuck

puzzled_one · 03-14-2010, 06:53 AM

well i dont have a /etc/bind folder - not sure if because my named is chroot'd ?
i do how-ever have /etc/rndc.conf & /etc/rndc.key

and a rndc.key located in /var/named/chroot/etc

am using fedora core 12

puzzled_one · 03-14-2010, 08:13 AM

Ok huge problems with your post

as im using fedora and that uses named instead of bind so theres no /etc/bind folder so that has created multitude of issues..

so everything that points to /etc/bind errors...

named is located /var/named and /var/name/chroot/

have had to point stuff to there correct places but still have issues

i also dont have a db.root either... or half of the inarpa

Code:

Stopping named:                                            [  OK  ]
Starting named:
Error in named configuration:
zone example.net/IN: example.net/MX 'mail.example.net' has no address records (A or AAAA)
zone example.net/IN: loaded serial 1
zone axample.net/IN: axample.net/MX 'mail.axample.net' has no address records (A or AAAA)
zone axample.net/IN: loaded serial 1
zone 0.0.127.in-addr.arpa/IN: loading from master file /var/named/db.127 failed: file not found
_default/0.0.127.in-addr.arpa/IN: file not found
zone 10.in-addr.arpa/IN: loaded serial 1
zone 16.172.in-addr.arpa/IN: loaded serial 1
zone 17.172.in-addr.arpa/IN: loaded serial 1
zone 18.172.in-addr.arpa/IN: loaded serial 1
zone 19.172.in-addr.arpa/IN: loaded serial 1
zone 20.172.in-addr.arpa/IN: loaded serial 1
zone 21.172.in-addr.arpa/IN: loaded serial 1
zone 22.172.in-addr.arpa/IN: loaded serial 1
zone 23.172.in-addr.arpa/IN: loaded serial 1
zone 24.172.in-addr.arpa/IN: loaded serial 1
zone 25.172.in-addr.arpa/IN: loaded serial 1
zone 26.172.in-addr.arpa/IN: loaded serial 1
zone 27.172.in-addr.arpa/IN: loaded serial 1
zone 28.172.in-addr.arpa/IN: loaded serial 1
zone 29.172.in-addr.arpa/IN: loaded serial 1
zone 30.172.in-addr.arpa/IN: loaded serial 1
zone 31.172.in-addr.arpa/IN: loaded serial 1
/var/named/192.168.0.zone:3: using RFC1035 TTL semantics
zone 0.168.192.in-addr.arpa/IN: loaded serial 1
zone 168.192.in-addr.arpa/IN: loaded serial 1
                                                           [FAILED]

spampig · 03-14-2010, 09:34 AM

The paths are likely to be different - particularly if you are running chrooted. Naturally you would need to correct this to suit your needs.

As for the errors, these are self explanatory:
1. In your zonefile for example.net you have set an entry to 'mail' but not given it a corresponding A record.
2. As above for axample.net (same error)
3. You have a zone file missing: db.127 - this would look something like this:

Code:

$TTL 86400      ; 1 day
0.0.127.in-addr.arpa.   IN SOA ns.example.local. admin.example.local (
                        2008083001 ; serial
                        21600      ; refresh (6 hours)
                        3600       ; retry (1 hours)
                        604800     ; expire (1 week)
                        86400      ; minimum (1 day)
                        )
0.0.127.in-addr.arpa. IN NS ns.example.local.

The most important part of my post was this:

http://www.redhat.com/docs/manuals/l...e/ch-bind.html

Refer to it if you have any more problems, it's clear and well written and covers how things should be.

Blue_Ice · 03-14-2010, 09:34 AM

You have to put your forwarders in your dns zones of named.conf. The forwarders should point to your ISP's DNS servers.
What is not clear to me is if you are using DHCP on your internal network. In case you do, then dhcp will configure resolv.conf for you. If not, then you need to configure resolv.conf yourself.

spampig · 03-14-2010, 09:43 AM

You DON'T need to put forwarders in it at all. A recursive DNS server is perfectly capable of operating without it. In addition, the OP is trying to set this up to resolve his own domains, example1.com and example2.com. Forwarders would play no part in this.

Blue_Ice · 03-14-2010, 01:47 PM

Quote:

Originally Posted by spampig

You DON'T need to put forwarders in it at all. A recursive DNS server is perfectly capable of operating without it. In addition, the OP is trying to set this up to resolve his own domains, example1.com and example2.com. Forwarders would play no part in this.

Sorry, you are right...
However the resolv.conf part remains valid. If you are not using dhcp, then this file will not be updated. If this file on all his clients is like the one he posted here, the system doesn't know where to look for the dns server.

spampig · 03-15-2010, 02:36 AM

Quote:

Originally Posted by Blue_Ice

Sorry, you are right...
However the resolv.conf part remains valid.

:-) Which is why I said so in here in POST4...

Quote:

FINALLY......that you have set /etc/resolv.conf on any linux clients to use the nameserver you have just created, and pointed any Windows/Mac/Other hosts to use your NS ONLY and not multiple NSs (or your results will not be reliable)

There are times when specifying forwarders is not only NOT required, but can be a bad move - particularly if they belong to an ISP, Google or other large scale DNS providers. One such scenario springs to mind - if you are running a mail server making use of DNSBL's like Spamhaus and happen to forward queries. Spamhaus will see your requests as originating from the forwarder. There may be hundreds of other customers of the ISP doing the same thing. This would probably exceed their free feed policy and lead to unreliable service where known spammer IP's no longer get positive hits when they should.

A specific example - Spamhaus won't honour requests made from Google's new public name servers - here is an example using a UK Virgin Media IP known to be on the PBL:

Code:

.....cable.virginmedia.com[92.236.2.200]......
Query made from private server:

dig 200.2.236.92.zen.spamhaus.org

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ....

;; ANSWER SECTION:
200.2.236.92.zen.spamhaus.org. 900 IN	A	127.0.0.4
200.2.236.92.zen.spamhaus.org. 900 IN	A	127.0.0.11

Same query against Google's public DNS server (8.8.8.8) give a negative response (NXDOMAIN):

dig @8.8.8.8 200.2.236.92.zen.spamhaus.org
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: ...
NO RESULTS RETURNED......

There are times when forwarders can be useful and I'm sure other LQ readers can cite some examples, but they can safely be ignored as the root/hints zone allows BIND to find what it needs without them.