LinuxQuestions.org

Red Hat forum thread: RHEL5 named.caching-nameserver.conf does work! (https://www.linuxquestions.org/questions/red-hat-31/rhel5-named-caching-nameserver-conf-does-work-591809/)

keysorsoze 10-14-2007 08:45 PM

RHEL5 named.caching-nameserver.conf does not work!
 
Hello guys, after an entire day of busting my brains trying to get a caching nameserver to work on RHEL5, I finally threw in the towel and used the system-config-bind utility to generate a config that works. However, my question is: what am I missing from the current named.caching-nameserver.conf that will not allow hosts to query the server? Here is an example of a query to google.com using the same config below.

Here is a proxy test machine that I am working on and querying this nameserver from, with no success:

[root@proxy01 ~]# nslookup google.com
Server: 192.168.2.222
Address: 192.168.2.222#53

** server can't find google.com: REFUSED

I got this configuration file by installing just caching-nameserver-9.3.3 with bind 9.3.3 and bind-utils as well as bind-libs. Doing some reading, I was told that you could simply copy the named.caching-nameserver.conf file to named.conf and edit the "listen-on port" directive to include your local interface, as well as edit the "allow-query" directive and place your network there, which in my case is 192.168.2.0/24; however, to be safe I included 192.168.0.0/24. After that I restarted bind and everything went well; however, I could not perform a query from a host on the network pointing to this name server. I am reading a book that states clearly that these are the only directives you need to change to get a working caching server, but this is not the case, as I can see. Please let me know what I am missing. The /var/log/messages file does not say a single thing except for showing the zones that were loaded.

I know this is very long, but I want a clue as to why I had to resort to using system-config-bind to generate a working copy of named.conf that allows caching.

Here is the named.caching-nameserver.conf:

[root@dns01 ~]# cat /etc/named.conf
// named.caching-nameserver.conf
//
// Provided by Red Hat caching-nameserver package to configure the
// ISC BIND named(8) DNS server as a caching only nameserver
// (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// DO NOT EDIT THIS FILE - use system-config-bind or an editor
// to create named.conf - edits to this file will be lost on
// caching-nameserver package upgrade.
//
options {
    listen-on port 53 { 127.0.0.1; 192.168.2.222; };
    // listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    query-source port 53;
    // query-source-v6 port 53;
    // allow-query { localhost; 192.168.0.0/24; };
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
view localhost_resolver {
    match-clients { localhost; };
    match-destinations { localhost; };
    recursion yes;
    include "/etc/named.rfc1912.zones";
};


Thanks

bathory 10-15-2007 02:18 AM

Having this "view" paragraph in your bind configuration will make bind work only for localhost, i.e. it resolves names for requests coming from localhost and refuses those coming from other clients.
To create a caching name server, all you need is to define the "." zone (hint zone) and get yourself a copy of the root.hints file. Have a look at this howto for more details.

Regards

unSpawn 10-15-2007 02:27 AM

...and next to that, how about switching to a caching nameserver (Pdnsd) that doesn't come with all the dependencies BIND has, can load records from source and saves the cache to disk?

keysorsoze 10-15-2007 06:48 AM

bathory,

I did not paste in the named.rfc1912.zones section, which includes the hints. There is an include directive in the /etc/named.conf file that points to this named.rfc1912.zones file:

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "." IN {
    type hint;
    file "named.ca";
};

zone "localdomain" IN {
    type master;
    file "localdomain.zone";
    allow-update { none; };
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.ip6.local";
    allow-update { none; };
};

zone "255.in-addr.arpa" IN {
    type master;
    file "named.broadcast";
    allow-update { none; };
};

zone "0.in-addr.arpa" IN {
    type master;
    file "named.zero";
    allow-update { none; };
};

I also have the named.ca in /var/named; here are the contents:

[root@dns01 ~]# cat /var/named/named.ca
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.cache
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Jan 29, 2004
; related version of root zone: 2004012900
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
; operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; operated by ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File

Thanks for the replies though; I'll give your link a good read. Could it be possible that I am missing the "controls" directive and the "rndc_key" key directive?

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

key "rndc_key" {
    algorithm hmac-md5;
    secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};

keysorsoze 10-15-2007 06:55 AM

unSpawn,

I'll have to give pdnsd a try, thanks for the tip. I did some reading about it and there was a line that stated:

"This program also has a limited capability of acting as an authoritative nameserver for a local DNS zone within a private network."

Would this indicate that it would not work as a public-facing DNS server and be best suited for a LAN DNS setup?

Thanks

bathory 10-15-2007 09:09 AM

Remove or comment out the view clause (leave only the include line that's needed) and restart named to see if it works for clients other than localhost.

unSpawn 10-15-2007 02:23 PM

Quote: Originally Posted by keysorsoze (Post 2924656)
Would this indicate that it would not work as a public-facing DNS server and be best suited for a LAN DNS setup?

No, AFAIK the emphasis is on "limited" even though it's fully RFC compliant.

keysorsoze 10-15-2007 10:43 PM

bathory, I have uncommented the view directive with no luck. However, I'll just go over the link you sent to create a working caching DNS server. I wanted to go over this file because a book that is preparing me for my RHCE simply states that you make changes to the two directives and you'll have a perfectly working caching DNS server (NOT TRUE!). I don't understand how they could include a file such as named.caching-nameserver.conf and have it not do what it is set out to do.

Thanks for all the help

[root@dns01 ~]# cat /etc/named.caching-nameserver.conf
//
// named.caching-nameserver.conf
//
// Provided by Red Hat caching-nameserver package to configure the
// ISC BIND named(8) DNS server as a caching only nameserver
// (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// DO NOT EDIT THIS FILE - use system-config-bind or an editor
// to create named.conf - edits to this file will be lost on
// caching-nameserver package upgrade.
//
options {
    listen-on port 53 { 127.0.0.1; 192.168.2.222; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    query-source port 53;
    query-source-v6 port 53;
    allow-query { localhost; 192.168.0.0/24; };
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
//view localhost_resolver {
//    match-clients { localhost; };
//    match-destinations { localhost; };
//    recursion yes;
include "/etc/named.rfc1912.zones";
//};

bathory 10-16-2007 09:03 AM

I've tested your named.conf and, as I told you, it's the view clause that doesn't allow client requests. As soon as I commented it out it worked as expected. I dunno what you're doing wrong so that it's not working for you. You can also change the match-clients statement as follows:
Code:

match-clients { localhost; 192.168.2.0/24; };

keysorsoze 10-18-2007 11:22 PM

Bathory,

Is your named.conf commented out exactly as I have in the above post? Please let me know, or please post your named.conf. I still get this refused error and it's driving me nuts.

bathory 10-19-2007 02:06 AM

The named.conf I used to test your configuration is pretty much the same as yours:
Code:

options {
    listen-on port 53 { 127.0.0.1; 192.168.0.77; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    pid-file "named.pid";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    query-source port 53;
    query-source-v6 port 53;
    allow-query { localhost; 192.168.0.0/24; };
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
//view localhost_resolver {
//    match-clients { localhost; };
//    match-destinations { localhost; };
//    recursion yes;
include "/etc/named.rfc1912.zones";
//};

The only differences are the IP address of my DNS and the line adding the location of the pid file, since without it named did not start up. I've also copied named.rfc1912.zones to /var/named and edited it to contain just:
Code:

zone "." IN {
    type hint;
    file "root.cache";
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};


keysorsoze 10-19-2007 10:50 AM

bathory,

Your caching config works! I believe the problem was with the /etc/named.rfc1912.zones file. There were simply a ton of default zone entries that could have been removed. I slimmed it down to the 0.0.127.in-addr.arpa and the root.cache just as you have it, and sure enough I was able to send out requests. I am going to go home tonight and remove each zone slowly to determine which one was causing the hiccups; I'll post back shortly with my findings.

Thanks for all the help.

lectricjunky 05-02-2008 12:42 AM

bathory,

thanks for your insight bathory. I also commented out the view section and it worked for me. Out of curiosity, I tried uncommenting it and adding "localnets" to the match-clients/destinations clauses:

match-clients { localnets; };
match-destinations { localnets; };

and it still worked! So ultimately the only thing the RHCE book is leaving out is that if you want the caching nameserver to work for any host other than the one the DNS service is configured on, you have to add "localnets" as I did above or remove the view section altogether from the named.conf file. There is a warning about the view clauses in the /usr/share/doc/bind-*/sample/named.conf file, but it is recommended that you use views.

bathory 05-02-2008 02:03 AM

Quote: Originally Posted by lectricjunky (Post 3139487)
thanks for your insight bathory. I also commented out the view section and it worked for me. Out of curiosity, I tried uncommenting it and adding "localnets" to the match-clients/destinations clauses:

match-clients { localnets; };
match-destinations { localnets; };

and it still worked! So ultimately the only thing the RHCE book is leaving out is that if you want the caching nameserver to work for any host other than the one the DNS service is configured on, you have to add "localnets" as I did above or remove the view section altogether from the named.conf file. There is a warning about the view clauses in the /usr/share/doc/bind-*/sample/named.conf file, but it is recommended that you use views.

Using views is a good thing, but you need to define the correct acls to match the "match-clients" or "match-destinations" directives. I guess that you or the book you're reading have failed to include the correct acls in named.conf.

Regards
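The acl-based view bathory recommends above (and the match-clients change he suggested earlier in the thread), written out as an added example; it is not from the thread or from Red Hat's shipped file. It assumes the 192.168.2.0/24 LAN and the 192.168.2.222 listener from the original post, and the acl name "lan" is my own choice.

```conf
// Added example (not from the thread or from Red Hat's package).
// Caching-only named.conf that keeps the RHEL5 "view" layout but lets
// LAN hosts query it. Assumed: LAN 192.168.2.0/24, listener 192.168.2.222
// (values from the original post); the acl name "lan" is my own choice.

acl "lan" { 127.0.0.1; 192.168.2.0/24; };

options {
    listen-on port 53 { 127.0.0.1; 192.168.2.222; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    // Answer and recurse only for the LAN so the box is not an open resolver.
    allow-query     { lan; };
    allow-recursion { lan; };
    // No "query-source port 53": a pinned source port weakens named's
    // cache-poisoning resistance, so let it pick random ports.
};

// As shipped: match-clients { localhost; } means a LAN client matches no
// view at all, and a query that matches no view is answered REFUSED,
// which is exactly what nslookup on proxy01 reported.
// view "localhost_resolver" {
//     match-clients      { localhost; };
//     match-destinations { localhost; };
//     recursion yes;
//     include "/etc/named.rfc1912.zones";
// };

// Fixed: the view selects clients with the same acl the options use.
// (Once views are defined every zone must live inside a view, so the
// hint and RFC 1912 zones stay behind the include.)
view "lan_resolver" {
    match-clients      { lan; };
    match-destinations { any; };
    recursion yes;
    include "/etc/named.rfc1912.zones";
};
```

Run named-checkconf /etc/named.conf before restarting named; afterwards dig @192.168.2.222 google.com from a LAN host should answer NOERROR instead of REFUSED.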
