cwc Veteran
Joined: 20 Mar 2006 Posts: 1275 Location: Tri-Cities, WA USA
Posted: Wed Dec 08, 2010 1:29 pm Post subject: named.conf script?
I'm running named. I'm a nooby on this one.
When I add an internal view I get a start error for named.
Here's my named.conf and my zone file.
Are there glaring errors? Is it my named.conf or the zone file?
Also, I've never seen this line before:
azzerare.casa. IN TXT "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
I just threw it in per http://www.gentoo.org/doc/en/bind-guide.xml
Thanks
Code:
acl "xfer" {
none;
};
acl "trusted" {
127.0.0.0/8;
::1/128;
};
options {
directory "/var/bind";
pid-file "/var/run/named/named.pid";
/* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
//bindkeys-file "/etc/bind/bind.keys";
listen-on-v6 {none; };
listen-on { 127.0.0.1;192.168.1.14; };
allow-query {
/*
* Accept queries from our "trusted" ACL. We will
* allow anyone to query our master zones below.
* This prevents us from becoming a free DNS server
* to the masses.
*/
trusted;
};
allow-query-cache {
/* Use the cache for the "trusted" ACL. */
trusted;
};
allow-recursion {
/* Only trusted addresses are allowed to use recursion. */
trusted;
};
allow-transfer {
/* Zone tranfers are denied by default. */
none;
};
allow-update {
/* Don't allow updates, e.g. via nsupdate. */
none;
};
};
logging {
channel default_log {
file "/var/log/named/named.log" versions 5 size 50M;
print-time yes;
print-severity yes;
print-category yes;
};
category default { default_log; };
category general { default_log; };
};
*/
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};
zone "." in {
type hint;
file "/var/bind/root.cache";
};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
notify no;
};
view "internal" {
match-clients { 192,168,1.14/24; localhost; };
recursion yes;
zone "casa" {
type master;
file "pri/azzerare.internal";
allow-transfer { any; };
};
};
pri/azzerare.internal
Code:
$TTL 2d
@ IN SOA ns.azzerare.casa. root.azzerare.casa. (
1012071 ; 1012071
3h ; refresh
1h ; retry
1w ; expiry
1d ) ; minimum
azzerare.casa. IN MX 0 mail.azzerare.casa.
azzerare.casa. IN TXT "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
azzerare.casa. IN NS ns.azzerare.casa.
azzerare.casa. IN NS 24.217.29.6
www.azzerare.casa. IN A 192.168.1.14
ns.azzerare.casa. IN A 192.168.1.14
mail.azzerare.casa. IN A 192.168.1.14
router.azzerare.casa. IN A 192.168.1.1
_________________ Without diversity there can be no evolution:)
desultory Bodhisattva
Joined: 04 Nov 2005 Posts: 9410
Posted: Thu Dec 09, 2010 10:21 am Post subject:
That is meant to prevent source spoofing in e-mail.
As for the rest:
named-checkconf:
./named.conf:67: unknown option '*'
./named.conf:92: missing ';' before '/'
./named.conf:92: expected IP match list element near '/'
named-checkzone:
azzerare.internal:13: NS record '24.217.29.6' appears to be an address
zone casa/IN: has no NS records
zone casa/IN: not loaded due to errors.
Try these instead:
Code:
acl "xfer" {
none;
};
acl "trusted" {
127.0.0.0/8;
::1/128;
};
options {
directory "/var/bind";
pid-file "/var/run/named/named.pid";
/* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
//bindkeys-file "/etc/bind/bind.keys";
listen-on-v6 {none; };
listen-on { 127.0.0.1;192.168.1.14; };
allow-query {
/*
* Accept queries from our "trusted" ACL. We will
* allow anyone to query our master zones below.
* This prevents us from becoming a free DNS server
* to the masses.
*/
trusted;
};
allow-query-cache {
/* Use the cache for the "trusted" ACL. */
trusted;
};
allow-recursion {
/* Only trusted addresses are allowed to use recursion. */
trusted;
};
allow-transfer {
/* Zone tranfers are denied by default. */
none;
};
allow-update {
/* Don't allow updates, e.g. via nsupdate. */
none;
};
};
logging {
channel default_log {
file "/var/log/named/named.log" versions 5 size 50M;
print-time yes;
print-severity yes;
print-category yes;
};
category default { default_log; };
category general { default_log; };
};
include "/home/dean/tmp/sandbox/rndc.key";
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};
view "internal" IN {
match-clients { 192.168.1.14/24; localhost; };
recursion yes;
zone "." in {
type hint;
file "/var/bind/root.cache";
};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
notify no;
};
zone "casa" IN {
type master;
file "pri/azzerare.internal";
allow-transfer { any; };
};
};
Code:
$TTL 2d
@ IN SOA ns.azzerare.casa. root.azzerare.casa. (
1012071 ; 1012071
3h ; refresh
1h ; retry
1w ; expiry
1d ) ; minimum
IN MX 0 mail.azzerare.casa.
IN TXT "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
IN NS ns.azzerare
www.azzerare.casa. IN A 192.168.1.14
ns.azzerare.casa. IN A 192.168.1.14
mail.azzerare.casa. IN A 192.168.1.14
router.azzerare.casa. IN A 192.168.1.1
If that fails, post any and all error messages and the output of named-checkconf and named-checkzone.
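The two named-checkzone complaints above come from the zone being named "casa" while every record in the file is owned by azzerare.casa. (so the apex casa. has no NS record), and from an NS record whose target is an IP literal rather than a host name. The following is an added example, not code from the thread or from BIND, that parses a master-file fragment with named's name-qualification rules and reproduces those two checks; the zone texts are constructed copies trimmed from the thread's files, with continuation lines indented so they inherit "@".

```python
import re

def parse_zone(text, zone_name):
    """Parse a master-file fragment into (origin, [(owner, rtype, rdata)]). '@' and
    relative names are qualified the way named does; ';' comments, '( ... )'
    continuation and owner inheritance via a leading-space line are handled."""
    origin = zone_name.rstrip(".") + "."
    def qualify(n):                               # '@' -> origin, relative -> + origin
        return origin if n == "@" else n if n.endswith(".") else f"{n}.{origin}"
    records, owner, pending, depth = [], origin, [], 0
    for raw in text.splitlines():
        line = raw.split(";")[0]                  # assumes no ';' inside TXT strings
        if not line.strip() or line.startswith("$"):
            continue                              # $TTL/$ORIGIN directives not modelled
        toks = re.findall(r'"[^"]*"|[()]|[^\s()]+', line)
        if not pending and not line[0].isspace():
            owner = qualify(toks.pop(0))          # explicit owner, else inherit previous
        pending += toks
        depth += toks.count("(") - toks.count(")")
        if depth > 0:
            continue                              # record continues on the next line
        toks, pending = [t for t in pending if t not in "()"], []
        while re.fullmatch(r"\d+[smhdw]?|IN|CH|HS", toks[0], re.I):
            toks.pop(0)                           # optional TTL and class
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype in ("NS", "CNAME", "MX"):        # rdata that carries a domain name
            i = 1 if rtype == "MX" else 0
            rdata[i] = qualify(rdata[i])
        records.append((owner, rtype, rdata))
    return origin, records

def check_zone(text, zone_name):
    """Reproduce the two named-checkzone complaints quoted in the thread."""
    origin, recs = parse_zone(text, zone_name)
    problems = []
    if not any(o == origin and t == "NS" for o, t, _ in recs):
        problems.append(f"zone {zone_name}/IN: has no NS records")
    for _, rtype, rdata in recs:
        if rtype == "NS" and re.match(r"\d{1,3}(\.\d{1,3}){3}\.", rdata[0]):
            problems.append(f"NS record '{rdata[0]}' appears to be an address")
    return problems

# Constructed copies of the thread's zone files for zone "casa", trimmed to the
# records that matter; continuation lines are indented so they inherit "@".
ORIGINAL_ZONE = """\
@ IN SOA ns.azzerare.casa. root.azzerare.casa. ( 1012071 ; serial
    3h 1h 1w 1d )
azzerare.casa. IN NS ns.azzerare.casa.
azzerare.casa. IN NS 24.217.29.6
"""
FIXED_ZONE = """\
@ IN SOA mail.azzerare.casa. root.azzerare.casa. ( 1012071 3h 1h 1w 1d )
    IN NS ns
ns IN A 192.168.1.14
"""
```

The second NS in the original file qualifies to 24.217.29.6.casa., which is what named-checkzone is complaining about: an NS target must be a host name that has its own address record, not an address.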
cwc Veteran
Joined: 20 Mar 2006 Posts: 1275 Location: Tri-Cities, WA USA
Posted: Sat Dec 11, 2010 3:16 pm Post subject:
desultory wrote: | That is meant to prevent source spoofing in e-mail.
..... |
Thanks for the line. Give me a few days to try this out. Work calls.
cwc Veteran
Joined: 20 Mar 2006 Posts: 1275 Location: Tri-Cities, WA USA
Posted: Tue Dec 14, 2010 1:40 pm Post subject:
Thanks for the help!
I got things to work with the internal zone.
I cannot resolve azzerare.casa with my /etc/resolv.conf set to:
azzerare ~ # more /etc/resolv.conf
# Generated by net-scripts for interface eth0
nameserver 192.168.1.1
nameserver 192.168.1.14
To do my external zone do I follow the pattern below?
$TTL 2d
@ IN SOA ns.YOUR_DOMAIN. ADMIN.YOUR_DOMAIN. (
MODIFICATION ;serial
3h ;refresh
1h ;retry
1w ;expiry
1d ) ;minimum
YOUR_DOMAIN. IN MX 0 mail.YOUR_DOMAIN.
YOUR_DOMAIN. IN TXT "v=spf1 ip4:YOUR_PUBLIC_IP/32 mx ptr mx:mail.YOUR_DOMAIN ~all"
YOUR_DOMAIN. IN NS ns.YOUR_DOMAIN.
YOUR_DOMAIN. IN NS SLAVE_DNS_SERVER
www.YOUR_DOMAIN. IN A YOUR_PUBLIC_IP
ns.YOUR_DOMAIN. IN A YOUR_PUBLIC_IP
mail.YOUR_DOMAIN. IN A YOUR_PUBLIC_IP
desultory Bodhisattva
Joined: 04 Nov 2005 Posts: 9410
Posted: Wed Dec 15, 2010 10:40 am Post subject:
cwc wrote: | I can not resolve azzerare.casa with my /etc/resolv.conf set to:
azzerare ~ # more /etc/resolv.conf
# Generated by net-scripts for interface eth0
nameserver 192.168.1.1
nameserver 192.168.1.14 |
From where?
cwc wrote: | To do my external zone do I follow the pattern below? |
If I read your meaning correctly, you can.
cwc Veteran
Joined: 20 Mar 2006 Posts: 1275 Location: Tri-Cities, WA USA
Posted: Wed Dec 15, 2010 12:09 pm Post subject:
desultory wrote: | cwc wrote: | I can not resolve azzerare.casa with my /etc/resolv.conf set to:
azzerare ~ # more /etc/resolv.conf
# Generated by net-scripts for interface eth0
nameserver 192.168.1.1
nameserver 192.168.1.14 |
From where?
cwc wrote: | To do my external zone do I follow the pattern below? |
If I read your meaning correctly, you can. |
Thanks for the line.
I actually only got "/etc/init.d/named restart" to work without an error. I cannot ping anything other than names in my hosts file.
azzerare ~ # ping www.azzerare.casa
ping: unknown host www.azzerare.casa
Here's my host file:
# /etc/hosts: Local Host Database
# IPv4 and IPv6 localhost aliases
127.0.0.1 azzerare localhost
::1 azzerare localhost
192.168.1.14 azzerare.casa azzerare localhost
/etc/resolv.conf
# Generated by net-scripts for interface eth0
nameserver 192.168.1.1
nameserver 192.168.1.14
azzerare ~ # named-checkzone azzerare.casa /var/bind/pri/azzerare.internal
zone azzerare.casa/IN: loaded serial 1012142
azzerare ~ # cat /var/bind/pri/azzerare.internal
$TTL 2d
@ IN SOA ns.azzerare.casa. root.azzerare.casa. (
1012142 ; 1012142
3h ; refresh
1h ; retry
1w ; expiry
1d ) ; minimum
IN MX 0 mail.azzerare.casa.
IN TXT "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
IN NS ns.azzerare.casa.
www.azzerare.casa. IN A 192.168.1.14
ns.azzerare.casa. IN A 192.168.1.14
mail.azzerare.casa. IN A 192.168.1.14
router.azzerare.casa. IN A 192.168.1.1
desultory Bodhisattva
Joined: 04 Nov 2005 Posts: 9410
Posted: Thu Dec 16, 2010 11:32 am Post subject:
My prior revision of your zone file was a bit too conservative in correcting problems; try this.
Code:
$TTL 2d
@ IN SOA mail.azzerare.casa. root.azzerare.casa. (
1012071 ; 1012071
3h ; refresh
1h ; retry
1w ; expiry
1d ) ; minimum
IN MX 0 mail.azzerare.casa.
IN TXT "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
IN NS ns
www IN A 192.168.1.14
ns IN A 192.168.1.14
mail IN A 192.168.1.14
router IN A 192.168.1.1
cwc Veteran
Joined: 20 Mar 2006 Posts: 1275 Location: Tri-Cities, WA USA
Posted: Thu Dec 16, 2010 12:39 pm Post subject:
desultory wrote: | My prior revision of your zone file was a bit too conservative in correcting problems, try this.
..... |
named started but I could not resolve or ping router.azzerare.casa. I reset /etc/resolv.conf and checked to make sure a new serial number got loaded.
This is interesting:
azzerare ~ # ping www.azzerare.casa
PING www.azzerare.casa (184.106.31.166) 56(84) bytes of data.
64 bytes from 184.106.31.166: icmp_req=1 ttl=114 time=64.4 ms
64 bytes from 184.106.31.166: icmp_req=2 ttl=114 time=64.2 ms
Thank you so much for the help!
desultory Bodhisattva
Joined: 04 Nov 2005 Posts: 9410
Posted: Fri Dec 17, 2010 7:08 am Post subject:
cwc wrote: | named started but I could not resolve ping router.azzerare.casa . i reset /etc/resolv.conf and checked to make sure a new serial number got loaded. |
What output do you get from dig router.azzerare.casa (dig is part of net-dns/bind-tools), on the system that is unable to ping router.azzerare.casa?
cwc Veteran
Joined: 20 Mar 2006 Posts: 1275 Location: Tri-Cities, WA USA
Posted: Fri Dec 17, 2010 12:30 pm Post subject:
desultory wrote: | cwc wrote: | named started but I could not resolve ping router.azzerare.casa . i reset /etc/resolv.conf and checked to make sure a new serial number got loaded. | What output do you get from dig router.azzerare.casa (dig is part of net-dns/bind-tools), on the system that is unable to ping router.azzerare.casa? |
azzerare ~ # dig router.azzerare.casa
; <<>> DiG 9.7.1 <<>> router.azzerare.casa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47387
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;router.azzerare.casa. IN A
;; Query time: 5 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Dec 17 04:24:09 2010
;; MSG SIZE rcvd: 38
azzerare ~ #
desultory Bodhisattva
Joined: 04 Nov 2005 Posts: 9410
Posted: Sun Dec 19, 2010 11:53 am Post subject:
Perhaps an obvious question, but have you restarted named? Also, are the other names resolving properly?
cwc Veteran
Joined: 20 Mar 2006 Posts: 1275 Location: Tri-Cities, WA USA
Posted: Sun Dec 19, 2010 6:16 pm Post subject:
desultory wrote: | Perhaps an obvious question, but have you restarted named? Also, are the other names resolving properly? |
Yes. Only azzerare and azzerare.casa resolve, but they are in my /etc/hosts file.
desultory Bodhisattva
Joined: 04 Nov 2005 Posts: 9410
Posted: Mon Dec 20, 2010 10:21 am Post subject:
cwc wrote: | only azzerare and azzerare.casa resolve but they are in my /etc/hosts file |
Which means, not to put too fine a point on it, that they do not resolve via named. When you are checking for information from DNS, use dig to query the actual server or servers of interest; circumventing DNS just to make things roughly work is pointless if you are trying to get DNS itself to work.
Code:
acl "xfer" {
none;
};
acl "trusted" {
127.0.0.0/8;
::1/128;
};
options {
directory "/var/bind";
pid-file "/var/run/named/named.pid";
/* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
//bindkeys-file "/etc/bind/bind.keys";
listen-on-v6 {none; };
listen-on { 127.0.0.1;192.168.1.14; };
allow-query {
/*
* Accept queries from our "trusted" ACL. We will
* allow anyone to query our master zones below.
* This prevents us from becoming a free DNS server
* to the masses.
*/
192.168.1.14/24;
trusted;
};
allow-query-cache {
/* Use the cache for the "trusted" ACL. */
trusted;
};
allow-recursion {
/* Only trusted addresses are allowed to use recursion. */
trusted;
};
allow-transfer {
/* Zone tranfers are denied by default. */
none;
};
allow-update {
/* Don't allow updates, e.g. via nsupdate. */
none;
};
};
logging {
channel default_log {
file "/var/log/named/named.log" versions 5 size 50M;
print-time yes;
print-severity yes;
print-category yes;
};
category default { default_log; };
category general { default_log; };
};
include "/home/dean/tmp/sandbox/rndc.key";
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};
zone "." in {
type hint;
file "/var/bind/root.cache";
};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
notify no;
};
zone "casa" IN {
type master;
file "pri/azzerare.internal";
allow-transfer { any; };
};
cwc Veteran
Joined: 20 Mar 2006 Posts: 1275 Location: Tri-Cities, WA USA
Posted: Tue Dec 21, 2010 3:51 pm Post subject:
desultory wrote: | cwc wrote: | only azzerare and azzerare.casa resolve but they are in my /etc/hosts file | Which means, not to put too fine a point on it, that they do not resolve via named. When you are checking for information from DNS, use dig to query the actual server or servers of interest; circumventing DNS just to make things roughly work is pointless if you are trying to get DNS itself to work.
Code:
acl "xfer" {
none;
};
..... |
Thanks again for the lines. The last named.conf worked along with my zone file.
I got this to work. I like the way I access the nodes on my network this way, e.g. router.casa, azzerare.casa.
I set /etc/resolv.conf to:
nameserver 192.168.1.14
nameserver 192.168.1.1
All seems to be working fine, EXCEPT Chromium will work with the real and local DNS but not Firefox or Epiphany.
Do I need an outside zone?
azzerare / # dig casa
; <<>> DiG 9.7.1 <<>> casa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9206
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;casa. IN A
;; AUTHORITY SECTION:
casa. 86400 IN SOA mail.casa. root.casa. 101221 10800 3600 604800 86400
;; Query time: 0 msec
;; SERVER: 192.168.1.14#53(192.168.1.14)
;; WHEN: Tue Dec 21 22:28:31 2010
;; MSG SIZE rcvd: 68
Thanks again!
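The dig output above answers from 192.168.1.14 with flags qr aa rd but no ra, and warns "recursion requested but not available": a query sent to the host's own LAN address also leaves from 192.168.1.14, which the last named.conf admits through allow-query (192.168.1.14/24) but not through allow-recursion, which lists only the loopback-only "trusted" ACL, so that client gets authoritative answers for casa and no recursion. As an added example (not code from the thread or from BIND), the following evaluates BIND-style address match lists with first-match semantics over that named.conf's ACLs; the client addresses are constructed.

```python
import ipaddress

# ACLs and the access-control options of the last named.conf in the thread
# (transcribed); "any", "none" and "localhost" are BIND's built-in names.
ACLS = {"trusted": ["127.0.0.0/8", "::1/128"], "xfer": ["none"]}
OPTIONS = {
    "allow-query": ["192.168.1.14/24", "trusted"],
    "allow-recursion": ["trusted"],
    "allow-transfer": ["none"],
}

def matches(match_list, client, acls=ACLS):
    """First-match evaluation of a BIND address match list: the first element
    that covers `client` decides; a '!'-negated hit denies, and no hit denies.
    A nested ACL name counts as a hit only when it matches positively."""
    addr = ipaddress.ip_address(client)
    for elem in match_list:
        negate = elem.startswith("!")
        name = elem.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            hit = addr.is_loopback
        elif name in acls:
            hit = matches(acls[name], client, acls)
        else:
            # strict=False tolerates host bits in the prefix, as written in the
            # thread's 192.168.1.14/24, by masking it to 192.168.1.0/24
            hit = addr in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False

def client_rights(client, options=OPTIONS):
    """(may query, gets recursion, may transfer) for a query arriving from `client`."""
    return tuple(matches(options[k], client)
                 for k in ("allow-query", "allow-recursion", "allow-transfer"))

if __name__ == "__main__":
    # Constructed clients: the loopback, the host's own LAN address (what the
    # last dig in the thread used as its source), and an address off the LAN.
    for client in ("127.0.0.1", "192.168.1.14", "10.0.0.5"):
        query, recursion, transfer = client_rights(client)
        print(f"{client:>14}: query={query} recursion={recursion} transfer={transfer}")
```

Keeping allow-recursion narrower than allow-query is what stops the server from acting as an open resolver for whoever can reach it; LAN clients that should get recursive answers have to be added to allow-recursion (or to "trusted") deliberately rather than by widening allow-query.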