query-source/transfer-source have no effect (bind 9.2.1)

query-source/transfer-source have no effect (bind 9.2.1)

Post by Monu Ogb » Sun, 04 Jan 2004 00:35:25


Hello,

My name server is called 'ns1.dns.ournet.com' which maps to the IP
address '192.168.240.56/23' (eth0:1). Multiple IP addresses are aliased
to eth0 on the server.

Since a recent upgrade from RedHat 7.3/Bind 8 to Redhat 9/Bind 9.2.1, I
have been unable to get the name server to perform queries and transfers
on the addresses specified in the query-source and transfer-source
options. Instead, the server defaults to performing queries and
transfers using the primary IP address assigned to eth0.

The following IP addresses are configured on the name server:

eth0   inet addr:192.168.240.90  Bcast:192.168.241.255  Mask:255.255.254.0
eth0:0 inet addr:192.168.240.61  Bcast:192.168.241.255  Mask:255.255.254.0
eth0:1 inet addr:192.168.240.56  Bcast:192.168.241.255  Mask:255.255.254.0
lo     inet addr:127.0.0.1  Mask:255.0.0.0

The options statement in /etc/named.conf is as follows:

options {
        listen-on { 192.168.240.56; };
        query-source address 192.168.240.56 port 53;
        transfer-source 192.168.240.56;
        directory "/var/named";
        notify yes;
        also-notify {
                192.168.240.57;
                192.168.244.249;
                192.168.244.252;
        };
        allow-transfer {
                192.168.240.57;
        };
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        //query-source address 192.168.240.56 port 53;
};

The symptoms are that peer servers reject our requests because they
expect these to come from 192.168.240.56, whereas the queries and
transfer requests actually come from 192.168.240.90.

tcpdumps of queries and transfer requests show this to be true; for
example, performing a dig from the server to a peer:

# dig @192.168.244.227 test.ournet.com -t any

produces the following (unexpected) tcpdump output:

tcpdump: listening on eth0
15:16:21.797540 192.168.240.90.35218 > 192.168.244.227.53: 35824+ ANY?
test.ournet.com. (33) (DF)
15:16:26.798564 192.168.240.90.35218 > 192.168.244.227.53: 35824+ ANY?
test.ournet.com. (33) (DF)

On the other-hand, I AM able to force a query to take place from a
specified address using dig's -b option; and:

# dig @192.168.244.227 test.ournet.com -b192.168.240.56 -t any

produces the following (expected) tcpdump output:

tcpdump: listening on eth0
15:20:57.553985 192.168.240.56.35219 > 192.168.244.227.53: 65062+ ANY?
test.ournet.com. (33) (DF)
15:21:02.564697 192.168.240.56.35219 > 192.168.244.227.53: 65062+ ANY?
test.ournet.com. (33) (DF)

I'm flummoxed by this, and would greatly appreciate a steer.

Many thanks in advance,

Monu Ogbe
-----------------------------------------------------------
www.houxou.com
-----------------------------------------------------------

query-source/transfer-source have no effect (bind 9.2.1)

Post by Mark_Andre » Tue, 06 Jan 2004 08:50:13


BIND 9.2.1 is old. Why upgrade to an old version?

-rw-r--r-- 1 marka marka 201 Nov 25 2001 bind-9.2.0/version
-rw-r--r-- 1 marka marka 202 Mar 29 2002 bind-9.2.1/version
-rw-r--r-- 1 marka marka 206 Feb 17 2003 bind-9.2.2/version
-rw-r--r-- 1 marka marka 202 Oct 9 17:00 bind-9.2.3/version


What exactly is being rejected? Log messages would be
useful to see.

Also you don't have a notify-source specified.


What makes you think that dig looks at named.conf?
The traces above are exactly what is to be expected:
192.168.240.90 is used unless a query source is forced.


query-source/transfer-source have no effect (bind 9.2.1)

Post by Monu Ogb » Wed, 07 Jan 2004 00:58:14

Hello Mark,

Understanding that 'dig' does not read /etc/named.conf is just the steer
I needed.

As the peer name servers that reject our connections are not operated by
us, I have requested that a colleague send me extracts from his logs.
In the meantime fingers crossed that I don't have a problem after all!
:-)

Again, very many thanks.

Monu Ogbe
