#1 | 01-26-2011, 02:00 PM | LQ Newbie, Registered: Jan 2011, Posts: 8
strange behavior of my BIND 9 server answering to PTR record request
Hi,
I have noticed in the last few months that my BIND 9 servers no longer answer requests for undefined PTR records (I haven't defined PTR records for all the private IP classes in my config file). Example:
Code:
# dig -x 10.192.75.19 @217.18.208.130
; <<>> DiG 9.6.0-APPLE-P2 <<>> -x 10.192.75.19 @217.18.208.130
;; global options: +cmd
;; connection timed out; no servers could be reached
This is a big problem for me because when I go to use the ssh, mysql, etc. clients on a machine with a private IP address I have to wait 20 seconds for the PTR record request to my DNS server to time out.
I think this happened after a security patch of BIND, but I'm unable to find the right way to modify my BIND config file.
Any help?

#2 | 01-26-2011, 06:37 PM | Senior Member, Registered: Aug 2009, Posts: 3,790
I think the ordering is important - try 'dig @217.18.208.130 -x 10.192.75.19'

#3 | 01-27-2011, 10:23 AM | LQ Newbie (Original Poster), Registered: Jan 2011, Posts: 8
Sorry, but the order isn't the problem: try it yourself! The result is the same!
Any other ideas?

#4 | 01-27-2011, 04:38 PM | Senior Member, Registered: Aug 2009, Posts: 3,790
Can you show us the relevant section from /etc/named.conf? ... You could also try named-checkzone (I think that's its name).

#5 | 01-28-2011, 03:19 AM | LQ Newbie (Original Poster), Registered: Jan 2011, Posts: 8
Hi,
this is my BIND configuration in named.conf:
Code:
options {
    directory "/var/lib/named";
    version "none";
    dump-file "/var/log/named_dump.db";
    statistics-file "/var/log/named.stats";
    listen-on port 53 { 217.18.208.130; };
    query-source address 217.18.208.130;
    notify yes;
    dnssec-enable yes;
    allow-transfer {
        localhost;
        XXX;
    };
    allow-notify {
        XXX;
    };
    max-cache-size 150M;
};
zone "." in {
    type hint;
    file "root.hint";
};
zone "localhost" in {
    type master;
    file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "127.0.0.zone";
};
include "/etc/named.conf.include";
key TRANSFER {
    algorithm hmac-md5;
    secret "XXX";
};
server XXX {
    keys {
        rndc-key;
    };
    transfer-format many-answers;
};
I don't understand your suggestion to use the named-checkzone command: I don't have a zone for the PTR record of 10.192.75.19! What should I check?

#6 | 01-28-2011, 03:37 AM | LQ Guru, Registered: Jun 2004, Location: Piraeus, Distribution: Slackware, Posts: 13,220
Hi,
Comment out:
Quote:
query-source address 217.18.208.130;
restart BIND and see if it works.

#7 | 01-28-2011, 08:45 AM | LQ Newbie (Original Poster), Registered: Jan 2011, Posts: 8
Sorry,
but this doesn't help me, because this option is only used to set the IP address used for queries to other DNS servers.

#8 | 01-28-2011, 08:54 AM | LQ Guru, Registered: Jun 2004, Location: Piraeus, Distribution: Slackware, Posts: 13,220
Yes, but it's used if there is a firewall with only port 53 open for outgoing traffic.
Anyway, was the dig in your 1st post run from the same server or from a different host? If it was run from a different host it could be a firewall on 217.18.208.130 blocking incoming port 53.

#9 | 01-28-2011, 09:05 AM | LQ Newbie (Original Poster), Registered: Jan 2011, Posts: 8
I tried DNS queries from the DNS server and from another host: same result.
The DNS server works fine for all properly configured zones: the problem happens when the DNS server receives a query for a PTR record that the server doesn't know.

#10 | 01-28-2011, 09:26 AM | LQ Guru, Registered: Jun 2004, Location: Piraeus, Distribution: Slackware, Posts: 13,220
It works if you toggle recursion off:
Code:
dig -x 10.192.75.19 @217.18.208.130 +norec
but I agree that it's a strange behavior.

#11 | 01-28-2011, 10:10 AM | LQ Newbie (Original Poster), Registered: Jan 2011, Posts: 8
This isn't the solution, but it could be useful to understand why this happens...
- I can't disable recursion in BIND because then it isn't able to answer DNS queries for non-authoritative zones;
- DNS clients, such as dig, use recursion by default;
So, why has this been happening for the last few months?

#12 | 01-28-2011, 10:49 AM | LQ Guru, Registered: Jun 2004, Location: Piraeus, Distribution: Slackware, Posts: 13,220
I know it's not a solution. I wanted to show you that it works without recursion.
Quote:
So, why has this been happening for the last few months?
I cannot say why that happens, but if you are the admin of this DNS, enable logging and watch the logs to see if you get something.
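The +norec comparison in posts #10 to #12 comes down to one bit in the DNS header: with RD clear the server answers from what it already holds, with RD set it has to recurse for 19.75.192.10.in-addr.arpa and, if nothing upstream answers, the client sits through the timeout. The Python below is an added example for this thread, not code from it: it builds the PTR query with RD set or cleared and decodes the flags and RCODE of a response so the two cases can be compared in a capture. The NXDOMAIN_RESPONSE bytes are constructed in the block to show the shape of the answer an authoritative empty zone would return (the SOA a real answer carries in its authority section is omitted); they are not captured from the server discussed in the thread.

```python
"""Hand-built PTR query and response-header decoder for the +norec comparison.

Added example for this thread, not code from it. NXDOMAIN_RESPONSE is
constructed here for illustration, not captured from the server in the thread.
"""
import ipaddress
import struct

QTYPE_PTR, QCLASS_IN = 12, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format domain name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ptr_query(ip, txid=0x1234, recursion_desired=True):
    """12-byte header plus question section for the PTR of `ip`.

    recursion_desired=False clears the RD flag, which is what dig +norec sends.
    """
    flags = 0x0100 if recursion_desired else 0x0000   # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1, others 0
    qname = ipaddress.ip_address(ip).reverse_pointer        # e.g. 19.75.192.10.in-addr.arpa
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)


def parse_header(msg):
    """Decode the header flags and section counts of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (set by the client)
        "ra": bool(flags & 0x0080),   # recursion available (set by the server)
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


# Constructed sample: the immediate answer an authoritative empty 10.in-addr.arpa
# zone gives. flags 0x8583 = QR | AA | RD | RA | RCODE 3 (NXDOMAIN); the question
# is echoed back and the authority section (SOA) is left out for brevity.
NXDOMAIN_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8583, 1, 0, 0, 0)
    + encode_name("19.75.192.10.in-addr.arpa")
    + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)
)


if __name__ == "__main__":
    for rd in (True, False):
        q = build_ptr_query("10.192.75.19", recursion_desired=rd)
        print("query rd=%s: %s" % (rd, q.hex()))
    print("response:", parse_header(NXDOMAIN_RESPONSE))
```

Run parse_header() over the UDP payload of a real reply (for example from a capture of the dig +norec run) to see whether the answer was authoritative (aa), whether the server offers recursion (ra) and which RCODE came back. No reply at all is the timeout the original poster sees; a REFUSED is what BIND returns to clients it will not recurse for, and NXDOMAIN with aa set is what a locally hosted empty reverse zone produces.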

#13 | 04-06-2011, 11:38 AM | LQ Newbie (Original Poster), Registered: Jan 2011, Posts: 8
I observed the same problem with other BIND servers, so I suppose it is an effect of a patch of the BIND server or BIND tools.

#14 | 04-06-2011, 08:57 PM | Senior Member, Registered: Aug 2009, Posts: 3,790
I'm confused ... if you want to resolve PTR records for 'private' network ranges you'll need to host the zone yourself. The zones for 'public' network ranges will be hosted by the ISP that owns the block; they're unlikely to be hosting RFC 1918 zones, so you may have just been lucky before.
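What "host the zone yourself" looks like in practice: the server answers PTR queries for the private ranges authoritatively, with an immediate NXDOMAIN, instead of recursing towards the public in-addr.arpa tree and waiting. The Python below is an added example, not the original poster's configuration; it maps an address to the reverse zone that should answer for it and emits the named.conf stanzas plus the minimal zone file for all of RFC 1918 space, including the sixteen /16 zones that 172.16.0.0/12 splits into. The file name empty.zone and the use of localhost. as SOA/NS are assumptions chosen to match the localhost zones in post #5. BIND 9 also ships built-in empty zones for these ranges (the empty-zones-enable option), so before adding stanzas it is worth checking that setting and whether the server's outbound recursive queries can leave the network at all.

```python
"""Serve RFC 1918 reverse zones locally in BIND 9 so PTR queries for private
addresses get an immediate NXDOMAIN instead of a recursion timeout.

Added example for this thread, not the original poster's configuration.
Assumptions: all reverse zones share one file, empty.zone, in the server's
zone directory, and SOA/NS point at localhost. like the posted local zones.
"""
import ipaddress

# RFC 1918 private address space.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Minimal zone contents: an SOA and one NS record, no PTR records, so every
# name below the apex gets NXDOMAIN straight from the authoritative server.
EMPTY_ZONE = """\
$TTL 3H
@   IN SOA  localhost. root.localhost. ( 1 1H 15M 1W 3H )
    IN NS   localhost.
"""


def reverse_name(ip):
    """Owner name a PTR query for `ip` asks for, e.g. 19.75.192.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_zones(net):
    """Octet-aligned in-addr.arpa zones covering `net`.

    10.0.0.0/8 -> ["10.in-addr.arpa"]. 172.16.0.0/12 is not octet-aligned, so it
    becomes the sixteen /16 zones 16.172.in-addr.arpa ... 31.172.in-addr.arpa.
    """
    aligned = 8 * ((net.prefixlen + 7) // 8)       # round up to /8, /16 or /24
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        octets = str(sub.network_address).split(".")[: aligned // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def all_zones():
    """Every reverse zone the server should hold for RFC 1918 space (18 in total)."""
    return [zone for net in RFC1918 for zone in reverse_zones(net)]


def zone_for(ip):
    """Local zone that answers a PTR query for `ip`, or None when the address is
    public and the query legitimately has to recurse."""
    name = reverse_name(ip)
    for zone in all_zones():
        if name.endswith("." + zone):   # leading dot: 110.in-addr.arpa must not match 10.
            return zone
    return None


def named_conf_stanzas():
    """named.conf fragment: one master zone per reverse zone, all sharing empty.zone."""
    stanzas = ["// empty RFC 1918 reverse zones (file relative to the options directory)"]
    for zone in all_zones():
        stanzas.append(
            f'zone "{zone}" in {{\n'
            f'    type master;\n'
            f'    file "empty.zone";\n'
            f'}};'
        )
    return "\n".join(stanzas)


if __name__ == "__main__":
    print(named_conf_stanzas())
    print("--- empty.zone ---")
    print(EMPTY_ZONE)
```

Paste the generated stanzas next to the existing 0.0.127.in-addr.arpa zone, write EMPTY_ZONE to empty.zone in the options directory, and validate with named-checkconf and named-checkzone before reloading. Note also that the options block posted in #5 has no allow-recursion or allow-query-cache statement, so the server recurses for anyone who can reach 217.18.208.130; an authoritative server that also resolves should restrict recursion to its own clients.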

#15 | 04-07-2011, 07:05 AM | LQ Newbie (Original Poster), Registered: Jan 2011, Posts: 8
Yes, but 6 months ago SSH connections worked fine; now if you try to connect to an SSH server with a private IP address you have to wait until the SSH server's reverse lookup request times out....