More than Caching DNS server

Post by Rudi Starc » Sun, 21 Sep 2003 00:44:00


Hi,

I've got a single install of BIND running sweetly after reading this tutorial:

http://www.yqcomputer.com/

It's working as a Caching DNS server.
But now I'd like to use my DNS server from other machines, not just
the machine which is running the DNS server.

When I try a Dig from a remote box I get a refused connection.
For example the DNS server is at 64.235.238.29 and I'm wanting to
do a dig from 203.220.112.84 ( that's USA and Australia ).

Is there something simple I need to add to my named.conf file
to enable this feature?

My named.conf file is almost identical to the one in the above mentioned
tutorial.

Once I have this up OK I'd like to move into setting up a slave dns server.
I really like this software.

Many thanks in advance.
Best regards
Rudi.

Post by Ladislav V » Sun, 21 Sep 2003 17:56:17

What is the dig command you have issued?
Do you allow DNS ports through your network?
Do you allow recursion for external clients?
Did you check the queries log file?

Ladislav


Post by Rudi Starc » Sun, 21 Sep 2003 23:22:12

Hi Ladislav,

Thanks for your reply.


Here is my 'dig' command and output:

rudi@central:~$ dig @64.235.238.29 rudistarcevic.net. any

; <<>> DiG 9.2.1 <<>> @64.235.238.29 rudistarcevic.net. any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 52909
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;rudistarcevic.net. IN ANY

;; Query time: 2569 msec
;; SERVER: 64.235.238.29#53(64.235.238.29)
;; WHEN: Sat Sep 20 04:41:41 2003
;; MSG SIZE rcvd: 35

Yes.

I think so.
I just added the following 2 lines to my named.conf file
just under "options {"

allow-recursion { any; };
allow-query { any; };


Yes.
I'm using syslog right now but plan on using daemon.log in production.
There is output in there when I query bind from the same machine bind
is running on but no output for a query from the Internet.

I'm sure it's something simple.
Thanks for putting me on the right track by asking me these questions.

Regards
Rudi.

Post by Ladislav V » Mon, 22 Sep 2003 11:29:45


It works for me:

$ dig @64.235.238.29 rudistarcevic.net. any

; <<>> DiG 9.2.2 <<>> @64.235.238.29 rudistarcevic.net. any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48562
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;rudistarcevic.net. IN ANY

;; ANSWER SECTION:
rudistarcevic.net. 37354 IN NS water.oasis.net.au.
rudistarcevic.net. 37354 IN NS moon.oasis.net.au.

;; AUTHORITY SECTION:
rudistarcevic.net. 37354 IN NS moon.oasis.net.au.
rudistarcevic.net. 37354 IN NS water.oasis.net.au.

;; ADDITIONAL SECTION:
moon.oasis.net.au. 37354 IN A 210.8.139.4
water.oasis.net.au. 37354 IN A 210.8.139.2

;; Query time: 281 msec
;; SERVER: 64.235.238.29#53(64.235.238.29)
;; WHEN: Sun Sep 21 06:26:18 2003
;; MSG SIZE rcvd: 146


You don't want to do this; recursion should be available only to well-known
clients. It can be easily misused, since DNS is mostly a UDP service, and
this can cause a lot of headaches for your service.

Always restrict recursion to your own users.

Ladislav

Post by Rudi Starc » Mon, 22 Sep 2003 20:29:26

Hi,

Yeah - I added this to my named.conf not long after my last post,
which made it work. I tinkered with some of the options, as this is
the only way it'll work for me so far:

view "external" {
    #match-clients { 192.168.1.0/24; 127/8; };
    match-clients { any; };
    zone "." {
        type hint;
        file "root.hints";
    };
};

I thought I needed recursion on as I want to be the authoritative
name server for some domain names I have?

Thanks
Rudi.

Post by Barry Marg » Fri, 26 Sep 2003 02:57:28

In article <bkk18t$18q8$ XXXX@XXXXX.COM >,


A server doesn't have to recurse when it's authoritative for the domain. I
think you're confusing "allow-recursion" with "allow-query" -- you need the
latter.

--
Barry Margolin, XXXX@XXXXX.COM
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
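Putting Ladislav's point (recursion only for your own clients) and Barry's point (authoritative service needs allow-query, not allow-recursion) together in one named.conf, as an added example rather than configuration posted in this thread. The acl name "trusted", the directory path and the zone file name rudistarcevic.net.zone are assumptions; the 192.168.1.0/24 range is taken from Rudi's commented-out match-clients line.

```conf
// Constructed example (not from the thread): split recursion from authority.
// Assumed names: acl "trusted", directory "/var/named", zone file
// "rudistarcevic.net.zone".
acl "trusted" { 127.0.0.0/8; 192.168.1.0/24; };

options {
    directory "/var/named";   // assumed path
};

// Clients on our own networks get a full caching resolver.
// When views are in use, BIND requires every zone to live inside a view.
view "internal" {
    match-clients { trusted; };
    recursion yes;
    allow-recursion { trusted; };
    zone "." {
        type hint;
        file "root.hints";
    };
    zone "rudistarcevic.net" {
        type master;
        file "rudistarcevic.net.zone";
    };
};

// Everyone else may only ask about zones we are authoritative for.
// "allow-query { any; }" is what makes the zone reachable from the Internet;
// "recursion no" is what keeps the server from being an open resolver,
// so no hint zone is needed in this view.
view "external" {
    match-clients { any; };
    recursion no;
    allow-query { any; };
    zone "rudistarcevic.net" {
        type master;
        file "rudistarcevic.net.zone";
    };
};
```

With this in place, a dig from an outside address for rudistarcevic.net still gets an authoritative answer, while the same client asking for a name the server does not host is not resolved on its behalf.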