luminaire (Premium, joined 2005-03-22, Oakville, ON)

DNS Strangeness

I have a DNS server that hosts several hundred zones, and is the secondary DNS server for a large network. Everything works all well and good when the settings are all default, however when I block recursion from anything outside of our netblocks anyone outside of our netblocks can no longer query the server. These are the lines I added:

acl clients { x.x.x.0/19; x.x.x.0/19; x.x.x.0/19; y.y.y.y/16; 127.0.0.1/32; ::1; };

options {
    directory "/var/named";
    #auth-nxdomain no;
    recursive-clients 10000;
    allow-recursion { clients; };
    allow-query { "any"; };
};
From outside of those netblocks I have a computer configured to query that server. When I do a couple of test pings:

user@host:~$ ping www.acura.com
ping: unknown host www.acura.com

When I dig however:

dig -t A www.acura.com @1.1.1.1

; <<>> DiG 9.4.2 <<>> -t A www.acura.com @1.1.1.1
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<-
nwrickert (Premium, MVM, joined 2004-09-04, Geneva, IL)

Try removing the quotes around "any":

allow-query { any; };

instead of

allow-query { "any"; };
luminaire (Premium, joined 2005-03-22, Oakville, ON)

Negative, doesn't seem to have fixed it.

ndavey@monkey:~$ ping www.dslreports.com
ping: unknown host www.dslreports.com

I actually had that omitted for the first little while but when things started not working I figured I'd explicitly state what is allowed. Here's a packet capture of the client to the server:

12:34:24.408887 IP (tos 0x0, ttl 64, id 44054, offset 0, flags [DF], proto UDP (17), length 64) 192.168.20.52.45861 > 1.1.1.1.53: [bad udp cksum f306!] 55115+ A? www.dslreports.com. (36)
12:34:24.423450 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 288) 1.1.1.1.53 > 192.168.20.52.45861: 55115- q: A? www.dslreports.com. 0/13/0 ns: com. NS[|domain]
12:34:24.423595 IP (tos 0x0, ttl 64, id 44056, offset 0, flags [DF], proto UDP (17), length 64) 192.168.20.52.39439 > 1.1.1.1.53: [bad udp cksum 920!] 55115+ A? www.dslreports.com. (36)
12:34:24.435409 IP (tos 0x0, ttl 57, id 0, offset 0, flags [DF], proto UDP (17), length 288) 1.1.1.1.53 > 192.168.20.52.39439: 55115- q: A? www.dslreports.com. 0/13/0 ns: com. NS[|domain]

As soon as this line is commented out it starts working:

allow-recursion { clients; };

It's almost like if the clients can't have recursive requests they don't bother asking again.
deblin (Premium, MVM, joined 2001-09-01, Middletown, DE)

The same construct works fine here:

acl internal { 10.0.0/24; 127.0.0.1; };
options { allow-recursion { internal; }; ...

For shits and giggles, have you tried using the masks instead, e.g.:

allow-recursion { x.x.x.0/19; x.x.x.0/19; x.x.x.0/19; y.y.y.y/16; 127.0.0.1/32; ::1; };
luminaire (Premium, joined 2005-03-22, Oakville, ON)

I should have been more clear in saying that from inside those netblocks everything works great. It's from outside of them where things start going funny. I tried the suggested change Deblin, so far no good.

deblin (Premium, MVM, joined 2001-09-01, Middletown, DE)

Mine works fine, not sure what's up with your config. It would be useful to see the entire thing.
graysonf (Premium, MVM, joined 1999-07-16, Fort Lauderdale, FL)

In your acl clients list, I see

::1;

No idea what that is or is supposed to be.

In options I see what appears to be a commented out auth-nxdomain statement using # for the comment delimiter. I don't think that's valid in BIND. Try // instead.

Have you looked in any/all of BIND's logs for errors?
deblin (Premium, MVM, joined 2001-09-01, Middletown, DE)

::1 is IPv6...

I concur, looking in logs at this point should be the next step.

graysonf (Premium, MVM, joined 1999-07-16, Fort Lauderdale, FL)

OK, IP6.

I wonder if he is actually running IP6, and if not what happens when things get configured to use it but can't.

nwrickert (Premium, MVM, joined 2004-09-04, Geneva, IL)

Should not cause a problem, except perhaps delays timing out failed connections to IPv6 root servers.
luminaire (Premium, joined 2005-03-22, Oakville, ON)

Ok, I seem to have an answer. I was trolling through some old information, and it appears that hosts require recursive lookups from the name servers they are querying. At no point has anything broken from inside my netblocks, it only really breaks for the freeloaders outside of my network. The iterative queries are still returned, so servers trying to query mine for zones I host still work, just not end users querying the servers. Basically, it looks like this is all good and intended behavior. Just to tie up some loose ends:

Yes, I checked the logs, and even ran the server in -fg mode to analyze the output. The only thing I didn't do was enable query logging.

The ::1 address, as discussed, is IPv6. It's enabled on the server but not on its upstream internet connection so it should be all good there.

I'm filing this one under case closed. Thanks for all your help guys!
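To make the resolution above concrete: the capture shows the stub resolver sending a recursive query (RD set, "55115+") and BIND answering with a referral instead of an address ("55115-" with RA clear, counts 0/13/0, only NS records for com.). The script below is an added example, not code from the thread or from BIND; it builds both messages from constructed sample data (two made-up NS names standing in for the thirteen in the capture), prints a tcpdump-style summary, and classifies the reply the way a resolver would.

```python
import struct

# Added example (not from the thread): constructed query/referral pair modelled on the
# capture; classify() shows why a stub resolver outside the ACL reports "unknown host".
def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg, off):  # no compression pointers in our constructed messages
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_query(qid, name):
    # RD=1 (0x0100): a stub resolver always asks the server to recurse on its behalf
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def build_referral(query, ns_names):
    # QR=1, RD echoed, AA=0 and RA=0: no answers, only NS records for the parent zone
    qid, flags = struct.unpack("!HH", query[:4])
    header = struct.pack("!HHHHHH", qid, 0x8000 | (flags & 0x0100), 1, 0, len(ns_names), 0)
    auth = b"".join(encode_name("com.") + struct.pack("!HHIH", 2, 1, 172800, len(encode_name(ns)))
                    + encode_name(ns) for ns in ns_names)
    return header + query[12:] + auth

def summarize(response):
    # Same shape as the tcpdump line: "<id>-" marks a reply with RA clear, then an/ns/ar counts
    qid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    qname, _ = decode_name(response, 12)
    return "%d%s q: A? %s %d/%d/%d" % (qid, "" if flags & 0x0080 else "-", qname, an, ns, ar)

def classify(response):
    _qid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode, aa, ra = flags & 0x000F, bool(flags & 0x0400), bool(flags & 0x0080)
    if rcode == 5:
        return "refused"            # allow-query denied the client outright
    if rcode:
        return "error rcode %d" % rcode
    if an:
        return "answer"             # authoritative data, or the server recursed for us
    if not aa and not ra and ns:
        return "referral"           # recursion denied: a stub resolver gives up ("unknown host")
    return "empty"

if __name__ == "__main__":
    q = build_query(55115, "www.dslreports.com")
    r = build_referral(q, ["a.gtld-servers.net.", "b.gtld-servers.net."])
    print(summarize(r), "->", classify(r))
```

A full resolver would follow the referral to the com. servers; a stub resolver cannot, which is exactly the behaviour the ping output shows while dig (which prints whatever comes back) still "works".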
supapupa (@rr.com)

graysonf said: "OK, IP6. I wonder if he is actually running IP6, and if not what happens when things get configured to use it but can't."

BIND is IPv6 aware, it doesn't matter if he's running a server with IPv6 addressing or not. If it didn't like the ::1 loopback IP, then named.conf would not load and named would not start. And it's only an ACL, and simply an entry allowing the IPv6 loopback of the server to do recursion. That's all that entry would be able to do.

But you're right, the # should not be a valid comment delimiter for BIND, it should be //. Although, I would expect BIND not to start if it saw that line, since it would be invalid.
luminaire (Premium, joined 2005-03-22, Oakville, ON)

Dunno about valid comment, but when I comment that line out as such it is deactivated, named starts with no complaints. I'd say it looks valid. A quick google confirmed.

Quoted from www.zytrax.com/books/dns/ch7/ (named.conf format, structure and overview):

A named.conf file can contain comments and will contain a number of clauses which group together related statements which control the functionality and security of the BIND server.

BIND provides a number of comment formats as follows:

/* C style comment format needs opening and closing markers
** but allows multiple lines or */
/* single lines */
// C++ style comments single line format no closing required
# PERL/SHELL style comments single lines no closing required
graysonf (Premium, MVM, joined 1999-07-16, Fort Lauderdale, FL)

I don't have an answer, but I'll ask it anyway.

What happens when you use a single line comment approach within a command that spans more than one line?

I'd try it this way just for grins:

options {
    directory "/var/named";
    /*auth-nxdomain no;*/
    recursive-clients 10000;
    allow-recursion { clients; };
    allow-query { "any"; };
};