LinuxQuestions.org
Linux - Server: This forum is for the discussion of Linux software used in a server-related context.

01-26-2011, 02:00 PM  #1
pilot
LQ Newbie

Registered: Jan 2011
Posts: 8

Rep: Reputation: 0
Strange behavior of my BIND 9 server answering PTR record requests


Hi,
I have noticed in the last months that my BIND 9 servers no longer answer requests for undefined PTR records (I haven't defined PTR records for all the private IP ranges in my config file). Example:

# dig -x 10.192.75.19 @217.18.208.130
; <<>> DiG 9.6.0-APPLE-P2 <<>> -x 10.192.75.19 @217.18.208.130
;; global options: +cmd
;; connection timed out; no servers could be reached

This is a big problem for me because when I use ssh, mysql, etc. clients on machines with private IP addresses I have to wait 20 seconds for the PTR record request to my DNS server to time out.

I think this happened after a security patch of BIND, but I'm unable to find the right change to make to my BIND config file.

Any help?
 
01-26-2011, 06:37 PM  #2
kbp
Senior Member

Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
I think the ordering is important - try 'dig @217.18.208.130 -x 10.192.75.19'
 
01-27-2011, 10:23 AM  #3
pilot
LQ Newbie

Registered: Jan 2011
Posts: 8

Original Poster
Rep: Reputation: 0
Sorry, but the order isn't the problem: try it yourself! The result is the same!

Any other ideas?
 
01-27-2011, 04:38 PM  #4
kbp
Senior Member

Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
Can you show us the relevant section from /etc/named.conf? ... You could also try named-checkzone (I think that's its name).
 
01-28-2011, 03:19 AM  #5
pilot
LQ Newbie

Registered: Jan 2011
Posts: 8

Original Poster
Rep: Reputation: 0
Hi,
this is my BIND configuration in named.conf:

*************************************************
options {

directory "/var/lib/named";
version "none";                  // hide the BIND version string from version.bind queries

dump-file "/var/log/named_dump.db";
statistics-file "/var/log/named.stats";

listen-on port 53 { 217.18.208.130; };

// source address for outgoing (recursive) queries; no "port" given, so source ports stay random
query-source address 217.18.208.130;

notify yes;

dnssec-enable yes;

allow-transfer {
localhost;
XXX;
};

allow-notify {
XXX;
};

max-cache-size 150M;

// no "recursion"/"allow-recursion" statement: recursion stays at the default (on)
// for every client that can reach 217.18.208.130
};


zone "." in {
type hint;
file "root.hint";
};

zone "localhost" in {
type master;
file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
type master;
file "127.0.0.zone";
};


include "/etc/named.conf.include";


key TRANSFER {
algorithm hmac-md5;
secret "XXX";
};


server XXX {
keys {
rndc-key;                        // not defined in this excerpt; only key TRANSFER is shown above
};
transfer-format many-answers;
};
*************************************************

I don't understand your suggestion to use the named-checkzone command: I don't have a zone for the PTR record of 10.192.75.19! What do I have to check?
 
01-28-2011, 03:37 AM  #6
bathory
LQ Guru

Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,220
Blog Entries: 1

Rep: Reputation: 2074
Hi,

Comment out:
Quote:
query-source address 217.18.208.130;
Restart BIND and see if it works.
 
01-28-2011, 08:45 AM  #7
pilot
LQ Newbie

Registered: Jan 2011
Posts: 8

Original Poster
Rep: Reputation: 0
Sorry,
but this doesn't help me, because this option is used only to set the IP address used for queries to other DNS servers.
 
01-28-2011, 08:54 AM  #8
bathory
LQ Guru

Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,220
Blog Entries: 1

Rep: Reputation: 2074
Yes, but it's used if there is a firewall with only port 53 open for outgoing traffic.
Anyway, was the dig in your 1st post run from the same server or from a different host? If it was run from a different host, it could be a firewall on 217.18.208.130 blocking port 53 for incoming traffic.
 
01-28-2011, 09:05 AM  #9
pilot
LQ Newbie

Registered: Jan 2011
Posts: 8

Original Poster
Rep: Reputation: 0
I tried DNS queries from the DNS server and from another host: same result.

The DNS server works fine for all properly configured zones: the problem happens when the DNS server receives a DNS query for a PTR record that the server doesn't know.
 
01-28-2011, 09:26 AM  #10
bathory
LQ Guru

Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,220
Blog Entries: 1

Rep: Reputation: 2074
It works if you toggle recursion off:
Code:
dig -x 10.192.75.19 @217.18.208.130 +norec
but I agree that it's a strange behavior.
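What `+norec` changes on the wire is a single header bit, RD (recursion desired). The following is an added example and not something posted in this thread: it builds the query packet that `dig -x 10.192.75.19` sends with and without `+norec`, decodes the flag bits of a reply so the AA, RA and RCODE values can be read back, and includes a small UDP sender to compare the two against a server. The reply bytes in the block are constructed for illustration (an authoritative NXDOMAIN); the server address and timeout passed to `probe()` are whatever the caller supplies, not values from the thread.

```python
"""RD bit demo: what `dig` vs `dig +norec` put on the wire for a PTR query.

Added example, not from the thread. All packets here are built locally;
REPLY_NXDOMAIN_AA is a constructed reply, not a capture.
"""
import socket
import struct
from typing import Optional

QTYPE_PTR = 12
QCLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-format a name: '19.75.192.10.in-addr.arpa' -> length-prefixed labels + root."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ptr_query(qname: str, txid: int = 0x1234, recursion_desired: bool = True) -> bytes:
    """Header + one question. dig sets RD by default; `+norec` clears it.

    txid is fixed here for reproducibility; a real resolver randomizes it
    (and the UDP source port) so off-path answers cannot be guessed.
    """
    flags = 0x0100 if recursion_desired else 0x0000  # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # id, flags, QD, AN, NS, AR
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)


def parse_header(pkt: bytes) -> dict:
    """Decode the 12-byte DNS header into the bits an operator looks at."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = response
        "aa": bool(flags & 0x0400),   # answer is authoritative for the zone
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),   # echoed back from the query
        "ra": bool(flags & 0x0080),   # server offers recursion
        "rcode": RCODES.get(rcode, str(rcode)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


# Constructed reply: QR|AA|RD|RA set, RCODE=3 (NXDOMAIN), one question and one
# authority record (the SOA a server returns when it owns the zone). Only the
# header matters for parse_header(); the body is just the question section.
REPLY_NXDOMAIN_AA = (
    struct.pack("!HHHHHH", 0x1234, 0x8583, 1, 0, 1, 0)
    + encode_name("19.75.192.10.in-addr.arpa")
    + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)
)


def probe(server: str, qname: str, recursion_desired: bool, timeout: float = 5.0) -> Optional[dict]:
    """Send one query over UDP and return the decoded reply header, or None on timeout."""
    query = build_ptr_query(qname, recursion_desired=recursion_desired)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    hdr = parse_header(data)
    if hdr["id"] != parse_header(query)["id"]:
        raise ValueError("transaction id mismatch")  # stray or spoofed reply
    return hdr


if __name__ == "__main__":
    name = "19.75.192.10.in-addr.arpa"
    for rd in (True, False):
        print("RD=%d query: %s" % (rd, build_ptr_query(name, recursion_desired=rd).hex()))
    print("constructed reply header:", parse_header(REPLY_NXDOMAIN_AA))
```

Running `probe(server, "19.75.192.10.in-addr.arpa", True)` and then the same with `False` reproduces the pair of `dig` commands from this thread; a reply with `aa` set and `rcode == "NXDOMAIN"` means the server owns the zone and answered from its own data, while `ra` tells you whether it is willing to recurse for the asking client at all.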
 
01-28-2011, 10:10 AM  #11
pilot
LQ Newbie

Registered: Jan 2011
Posts: 8

Original Poster
Rep: Reputation: 0
This isn't the solution, but it could be useful to understand why this happens...

- I couldn't disable recursion in BIND because then it isn't able to answer DNS queries for non-authoritative zones;
- DNS clients, such as dig, use recursion by default;

So, why has this been happening for the last months?
 
01-28-2011, 10:49 AM  #12
bathory
LQ Guru

Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,220
Blog Entries: 1

Rep: Reputation: 2074
I know it's not a solution. I wanted to show you that it works without recursion.
Quote:
So, why has this been happening for the last months?
I cannot say why that happens, but if you are the admin of this DNS server, enable logging and watch the logs to see if you get something.
 
04-06-2011, 11:38 AM  #13
pilot
LQ Newbie

Registered: Jan 2011
Posts: 8

Original Poster
Rep: Reputation: 0
I observed the same problem with other BIND servers, so I suppose it is an effect of a patch to the BIND server or the BIND tools.
 
04-06-2011, 08:57 PM  #14
kbp
Senior Member

Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
I'm confused ... if you want to resolve PTR records for 'private' network ranges you'll need to host the zone yourself. The zones for 'public' network ranges will be hosted by the ISP that owns the block; they're unlikely to be hosting RFC 1918 zones, so you may have just been lucky before.
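kbp's point is the one that matters operationally: nobody on the public Internet will ever answer usefully for 10.in-addr.arpa, so the server that the private-address clients use should own that zone. The following is an added example, not code from this thread or from BIND itself: it computes reverse-pointer owner names, classifies whether an address falls in an RFC 1918 range, and generates a BIND zone file plus the matching named.conf stanza from a forward host list. The host names, addresses, name server (ns1.example.net) and contact mailbox (hostmaster.example.net) are constructed placeholders.

```python
"""Generate a local reverse zone for an RFC 1918 range (kbp's suggestion).

Added example, not from the thread or from BIND. The host list, name server
and mailbox below are constructed placeholders.
"""
import ipaddress
from datetime import date
from typing import Dict, Optional, Tuple

# RFC 1918 space. PTR queries for these have no owner on the public Internet,
# so a resolver that forwards them out can only time out or get NXDOMAIN,
# and it leaks internal addressing to whoever receives the query.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def reverse_name(ip: str) -> str:
    """PTR owner name: '10.192.75.19' -> '19.75.192.10.in-addr.arpa' (IPv6 -> ip6.arpa nibbles)."""
    return ipaddress.ip_address(ip).reverse_pointer


def is_private(ip: str) -> bool:
    """True if the address lies in an RFC 1918 range that should be served locally."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def reverse_zone_for(network: str) -> str:
    """Zone apex for an octet-aligned IPv4 prefix: '10.0.0.0/8' -> '10.in-addr.arpa'.
    Prefixes that are not /8, /16 or /24 need RFC 2317 style delegation; rejected here."""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{network}: expected a /8, /16 or /24 IPv4 prefix")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def owner_in_zone(ip: str, zone: str) -> str:
    """Owner name relative to the apex: 10.192.75.19 in 10.in-addr.arpa -> '19.75.192'."""
    full = reverse_name(ip)
    suffix = "." + zone
    if not full.endswith(suffix):
        raise ValueError(f"{ip} is not inside {zone}")
    return full[: -len(suffix)]


def build_zone(network: str, hosts: Dict[str, str], ns: str = "ns1.example.net.",
               mailbox: str = "hostmaster.example.net.",
               serial: Optional[int] = None) -> Tuple[str, str]:
    """Return (zone apex, zone file text) with one PTR per host, sorted by address."""
    zone = reverse_zone_for(network)
    net = ipaddress.ip_network(network)
    if serial is None:
        serial = int(date.today().strftime("%Y%m%d01"))  # YYYYMMDDnn convention
    lines = [
        f"$ORIGIN {zone}.",
        "$TTL 3600",
        # refresh 1h, retry 15m, expire 1w, negative-cache TTL 5m
        f"@ IN SOA {ns} {mailbox} ( {serial} 3600 900 604800 300 )",
        f"@ IN NS {ns}",
    ]
    for name, ip in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[1])):
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{name} ({ip}) is outside {network}")
        fqdn = name if name.endswith(".") else name + "."
        lines.append(f"{owner_in_zone(ip, zone)} IN PTR {fqdn}")
    return zone, "\n".join(lines) + "\n"


def named_conf_stanza(zone: str, path: str) -> str:
    """Zone declaration for named.conf (the global allow-transfer/notify options still apply)."""
    return f'zone "{zone}" in {{\n    type master;\n    file "{path}";\n}};\n'


# Constructed forward host list (hostname -> address); not from the thread.
HOSTS = {
    "bastion.corp.example.net": "10.0.0.5",
    "db1.corp.example.net": "10.192.75.19",
}

if __name__ == "__main__":
    apex, text = build_zone("10.0.0.0/8", HOSTS)
    print(named_conf_stanza(apex, f"/var/lib/named/{apex}.zone"))
    print(text)
```

Once the zone is loaded, a lookup for any 10.x.y.z address that is not listed gets an immediate authoritative NXDOMAIN instead of a timeout, which is what sshd and the MySQL client are waiting on, and queries for internal addresses stop leaving the network. Validate the generated file with `named-checkzone 10.in-addr.arpa /var/lib/named/10.in-addr.arpa.zone` before reloading. Newer BIND 9 releases also ship built-in empty zones for the RFC 1918 reverse ranges (controlled by `empty-zones-enable`); a zone you define yourself takes precedence over the built-in one.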
 
04-07-2011, 07:05 AM  #15
pilot
LQ Newbie

Registered: Jan 2011
Posts: 8

Original Poster
Rep: Reputation: 0
Yes, but 6 months ago ssh connections worked fine; now if you try to connect to an ssh server with a private IP address you have to wait until the ssh server's nslookup request times out....
 
  

