Gentoo Forums
named.conf script?
cwc (Veteran; joined 20 Mar 2006; posts: 1164; location: Tri-Cities, WA USA)
Posted: Wed Dec 08, 2010 1:29 pm    Post subject: named.conf script?

I'm running named. I'm a nooby on this one.
When I add an internal view I get a start error for named.
Here's my named.conf and my zone file.

Are there glaring errors? Is it my named.conf or the zone file?

Also, I've never seen this line before:
azzerare.casa. IN TXT "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
I just threw it in per http://www.gentoo.org/doc/en/bind-guide.xml

Thanks
Code:


acl "xfer" {
   
   none;
};


acl "trusted" {
   127.0.0.0/8;
   ::1/128;
};

options {
   directory "/var/bind";
   pid-file "/var/run/named/named.pid";

   /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
   //bindkeys-file "/etc/bind/bind.keys";

   listen-on-v6 {none; };
   listen-on { 127.0.0.1;192.168.1.14; };

   allow-query {
      /*
       * Accept queries from our "trusted" ACL.  We will
       * allow anyone to query our master zones below.
       * This prevents us from becoming a free DNS server
       * to the masses.
       */
      trusted;
   };

   allow-query-cache {
      /* Use the cache for the "trusted" ACL. */
      trusted;
   };

   allow-recursion {
      /* Only trusted addresses are allowed to use recursion. */
      trusted;
   };

   allow-transfer {
      /* Zone transfers are denied by default. */
      none;
   };

   allow-update {
      /* Don't allow updates, e.g. via nsupdate. */
      none;
   };


};

logging {
   channel default_log {
      file "/var/log/named/named.log" versions 5 size 50M;
      print-time yes;
      print-severity yes;
      print-category yes;
   };

   category default { default_log; };
   category general { default_log; };
};
*/

include "/etc/bind/rndc.key";
controls {
   inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

zone "." in {
   type hint;
   file "/var/bind/root.cache";
};

zone "localhost" IN {
   type master;
   file "pri/localhost.zone";
   notify no;
};

zone "127.in-addr.arpa" IN {
   type master;
   file "pri/127.zone";
   notify no;
};

view "internal" {
        match-clients { 192,168,1.14/24; localhost; };
        recursion yes;

        zone "casa" {
                type master;
                file "pri/azzerare.internal";
                allow-transfer { any; };
        };
};



pri/azzerare.internal
Code:

$TTL 2d
@   IN SOA   ns.azzerare.casa.   root.azzerare.casa. (
   1012071   ; 1012071
   3h   ; refresh
   1h   ; retry
   1w   ; expiry
   1d )   ; minimum

azzerare.casa.      IN MX   0 mail.azzerare.casa.
azzerare.casa.      IN TXT   "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
azzerare.casa.      IN NS   ns.azzerare.casa.
azzerare.casa.      IN NS   24.217.29.6
www.azzerare.casa.   IN A   192.168.1.14
ns.azzerare.casa.   IN A   192.168.1.14
mail.azzerare.casa.   IN A   192.168.1.14
router.azzerare.casa.   IN A   192.168.1.1



_________________
Without diversity there can be no evolution:)
desultory (Administrator; joined 04 Nov 2005; posts: 9392)
Posted: Thu Dec 09, 2010 10:21 am

cwc wrote:
also I've never seen this line before:
azzerare.casa. IN TXT "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
I just threw it in per http://www.gentoo.org/doc/en/bind-guide.xml
That is meant to prevent source spoofing in e-mail.

As for the rest:
named-checkconf:
./named.conf:67: unknown option '*'
./named.conf:92: missing ';' before '/'
./named.conf:92: expected IP match list element near '/'

named-checkzone:
azzerare.internal:13: NS record '24.217.29.6' appears to be an address
zone casa/IN: has no NS records
zone casa/IN: not loaded due to errors.


Try these instead:
Code:
acl "xfer" {
        none;
};


acl "trusted" {
        127.0.0.0/8;
        ::1/128;
};

options {
        directory "/var/bind";
        pid-file "/var/run/named/named.pid";

        /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
        //bindkeys-file "/etc/bind/bind.keys";

        listen-on-v6 {none; };
        listen-on { 127.0.0.1;192.168.1.14; };

        allow-query {
                /*
                 * Accept queries from our "trusted" ACL.  We will
                 * allow anyone to query our master zones below.
                 * This prevents us from becoming a free DNS server
                 * to the masses.
                 */
                trusted;
        };

        allow-query-cache {
                /* Use the cache for the "trusted" ACL. */
                trusted;
        };

        allow-recursion {
                /* Only trusted addresses are allowed to use recursion. */
                trusted;
        };

        allow-transfer {
                /* Zone transfers are denied by default. */
                none;
        };

        allow-update {
                /* Don't allow updates, e.g. via nsupdate. */
                none;
        };


};

logging {
        channel default_log {
                file "/var/log/named/named.log" versions 5 size 50M;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        category default { default_log; };
        category general { default_log; };
};

include "/home/dean/tmp/sandbox/rndc.key";
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

view "internal" IN {
        match-clients { 192.168.1.14/24; localhost; };
        recursion yes;

        zone "." in {
                type hint;
                file "/var/bind/root.cache";
        };

        zone "localhost" IN {
                type master;
                file "pri/localhost.zone";
                notify no;
        };

        zone "127.in-addr.arpa" IN {
                type master;
                file "pri/127.zone";
                notify no;
        };

        zone "casa" IN {
                type master;
                file "pri/azzerare.internal";
                allow-transfer { any; };
        };
};

Code:
$TTL 2d
@       IN SOA  ns.azzerare.casa.       root.azzerare.casa. (
        1012071 ; 1012071
        3h      ; refresh
        1h      ; retry
        1w      ; expiry
        1d )    ; minimum

                        IN MX   0 mail.azzerare.casa.
                        IN TXT  "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
                        IN NS   ns.azzerare
www.azzerare.casa.      IN A    192.168.1.14
ns.azzerare.casa.       IN A    192.168.1.14
mail.azzerare.casa.     IN A    192.168.1.14
router.azzerare.casa.   IN A    192.168.1.1


If that fails, post any and all error messages and the output of named-checkconf and named-checkzone.
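The two named-checkzone complaints above come from one thing: named.conf loads the file as zone "casa", so the apex is casa., and records owned by azzerare.casa. are just names inside that zone. There is then no NS set at the apex, and the second NS record carries an address where a host name is required. The checker below is an added example (not the thread's code and not BIND's own named-checkzone); it parses a zone file the way named reads it ($TTL/$ORIGIN, "@", relative names expanded against the origin, blank owner fields inheriting the previous owner, parenthesised SOA) and reports those two errors, plus a glue warning for an in-zone NS target that has no address record. ORIGINAL_ZONE and FIXED_ZONE are constructed to mirror the first zone file posted above and the final revision later in the thread; the serial comments and record set are trimmed.

```python
import ipaddress
import re

# Constructed zone texts: ORIGINAL_ZONE mirrors the first zone file posted in this
# thread, FIXED_ZONE mirrors the final revision. Both are loaded as zone "casa".
ORIGINAL_ZONE = """\
$TTL 2d
@   IN SOA   ns.azzerare.casa.   root.azzerare.casa. (
   1012071   ; serial
   3h   ; refresh
   1h   ; retry
   1w   ; expiry
   1d )   ; minimum
azzerare.casa.      IN MX   0 mail.azzerare.casa.
azzerare.casa.      IN NS   ns.azzerare.casa.
azzerare.casa.      IN NS   24.217.29.6
ns.azzerare.casa.   IN A    192.168.1.14
mail.azzerare.casa. IN A    192.168.1.14
"""
FIXED_ZONE = """\
$TTL 2d
@   IN SOA   mail.azzerare.casa.   root.azzerare.casa. ( 1012071 3h 1h 1w 1d )
    IN MX   0 mail.azzerare.casa.
    IN NS   ns
ns   IN A    192.168.1.14
mail IN A    192.168.1.14
"""

_TOKEN = re.compile(r'"[^"]*"|\S+')          # keeps quoted TXT rdata as one token
_TTL = re.compile(r"^\d+[smhdw]?$", re.I)     # 2d, 3h, 86400 ...

def _is_ip_literal(s):
    try:
        ipaddress.ip_address(s.rstrip("."))
        return True
    except ValueError:
        return False

def _absolutize(name, origin):
    """'@' is the origin; a trailing dot means absolute; anything else is relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def _logical_lines(text):
    """Strip ';' comments (outside quotes) and join '(' ... ')' continuation lines."""
    buf, depth = [], 0
    for raw in text.splitlines():
        out, quoted = [], False
        for ch in raw:
            if ch == '"':
                quoted = not quoted
            elif ch == ";" and not quoted:
                break
            out.append(ch)
        line = "".join(out).rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line if not buf else line.strip())  # keep first line's leading space
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0

def parse_zone(text, zone_name):
    """Return (origin, [(owner, type, rdata_tokens), ...]) with owner/NS names absolute."""
    origin = zone_name.rstrip(".") + "."
    records, last_owner = [], origin
    for line in _logical_lines(text):
        tokens = _TOKEN.findall(line)
        if not tokens:
            continue
        if tokens[0].startswith("$"):
            if tokens[0].upper() == "$ORIGIN":
                origin = tokens[1]
            continue                                   # $TTL carries no record
        if line[0].isspace():
            owner = last_owner                         # blank owner inherits previous
        else:
            owner = last_owner = _absolutize(tokens.pop(0), origin)
        while tokens and (_TTL.match(tokens[0]) or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                              # optional TTL / class
        rtype = tokens[0].upper()
        rdata = [t for t in tokens[1:] if t not in ("(", ")")]
        if rtype in ("NS", "CNAME", "PTR") and rdata and not _is_ip_literal(rdata[0]):
            rdata[0] = _absolutize(rdata[0], origin)
        records.append((owner, rtype, rdata))
    return origin, records

def check_zone(text, zone_name):
    """Report the classes of problem named-checkzone raised in this thread."""
    origin, records = parse_zone(text, zone_name)
    errors, warnings = [], []
    in_zone = lambda n: n == origin or n.endswith("." + origin)
    has_address = {o for o, t, _ in records if t in ("A", "AAAA")}
    if not any(o == origin and t == "NS" for o, t, _ in records):
        errors.append(f"zone {origin}: has no NS records at the apex")
    for owner, rtype, rdata in records:
        if not in_zone(owner):
            warnings.append(f"ignoring out-of-zone data ({owner})")
        elif rtype == "NS" and _is_ip_literal(rdata[0]):
            errors.append(f"NS record '{rdata[0]}' appears to be an address")
        elif rtype == "NS" and in_zone(rdata[0]) and rdata[0] not in has_address:
            warnings.append(f"NS '{rdata[0]}' has no A/AAAA (glue) record in the zone")
    return errors, warnings

if __name__ == "__main__":
    for label, zone in (("original", ORIGINAL_ZONE), ("fixed", FIXED_ZONE)):
        print(label, check_zone(zone, "casa"))
```

Run against the original text the checker reports the missing apex NS and the address-valued NS; the fixed text passes because the blank owner field puts the NS at casa. and the relative target "ns" expands to ns.casa., which has an A record. The real tool to trust is still named-checkzone casa /var/bind/pri/azzerare.internal; the point of the example is to show why the zone name given on the command line (or in named.conf) decides what counts as the apex.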
cwc (Veteran; joined 20 Mar 2006; posts: 1164; location: Tri-Cities, WA USA)
Posted: Sat Dec 11, 2010 3:16 pm

desultory wrote:
cwc wrote:
also I've never seen this line before:
azzerare.casa. IN TXT "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
I just threw it in per http://www.gentoo.org/doc/en/bind-guide.xml
That is meant to prevent source spoofing in e-mail.

As for the rest:
named-checkconf:
./named.conf:67: unknown option '*'
./named.conf:92: missing ';' before '/'
./named.conf:92: expected IP match list element near '/'

named-checkzone:
azzerare.internal:13: NS record '24.217.29.6' appears to be an address
zone casa/IN: has no NS records
zone casa/IN: not loaded due to errors.


Try these instead:
Code:
acl "xfer" {
        none;
};


acl "trusted" {
        127.0.0.0/8;
        ::1/128;
};

options {
        directory "/var/bind";
        pid-file "/var/run/named/named.pid";

        /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
        //bindkeys-file "/etc/bind/bind.keys";

        listen-on-v6 {none; };
        listen-on { 127.0.0.1;192.168.1.14; };

        allow-query {
                /*
                 * Accept queries from our "trusted" ACL.  We will
                 * allow anyone to query our master zones below.
                 * This prevents us from becoming a free DNS server
                 * to the masses.
                 */
                trusted;
        };

        allow-query-cache {
                /* Use the cache for the "trusted" ACL. */
                trusted;
        };

        allow-recursion {
                /* Only trusted addresses are allowed to use recursion. */
                trusted;
        };

        allow-transfer {
                /* Zone transfers are denied by default. */
                none;
        };

        allow-update {
                /* Don't allow updates, e.g. via nsupdate. */
                none;
        };


};

logging {
        channel default_log {
                file "/var/log/named/named.log" versions 5 size 50M;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        category default { default_log; };
        category general { default_log; };
};

include "/home/dean/tmp/sandbox/rndc.key";
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

view "internal" IN {
        match-clients { 192.168.1.14/24; localhost; };
        recursion yes;

        zone "." in {
                type hint;
                file "/var/bind/root.cache";
        };

        zone "localhost" IN {
                type master;
                file "pri/localhost.zone";
                notify no;
        };

        zone "127.in-addr.arpa" IN {
                type master;
                file "pri/127.zone";
                notify no;
        };

        zone "casa" IN {
                type master;
                file "pri/azzerare.internal";
                allow-transfer { any; };
        };
};

Code:
$TTL 2d
@       IN SOA  ns.azzerare.casa.       root.azzerare.casa. (
        1012071 ; 1012071
        3h      ; refresh
        1h      ; retry
        1w      ; expiry
        1d )    ; minimum

                        IN MX   0 mail.azzerare.casa.
                        IN TXT  "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
                        IN NS   ns.azzerare
www.azzerare.casa.      IN A    192.168.1.14
ns.azzerare.casa.       IN A    192.168.1.14
mail.azzerare.casa.     IN A    192.168.1.14
router.azzerare.casa.   IN A    192.168.1.1


If that fails, post any and all error messages and the output of named-checkconf and named-checkzone.


Thanks for the line. Give me a few days to try this out. Work calls :)
_________________
Without diversity there can be no evolution:)
cwc (Veteran; joined 20 Mar 2006; posts: 1164; location: Tri-Cities, WA USA)
Posted: Tue Dec 14, 2010 1:40 pm

Thanks for the help!
I got things to work with the internal zone.

I cannot resolve azzerare.casa with my /etc/resolv.conf set to:

azzerare ~ # more /etc/resolv.conf
# Generated by net-scripts for interface eth0
nameserver 192.168.1.1
nameserver 192.168.1.14

To do my external zone do I follow the pattern below?

$TTL 2d
@ IN SOA ns.YOUR_DOMAIN. ADMIN.YOUR_DOMAIN. (
MODIFICATION ;serial
3h ;refresh
1h ;retry
1w ;expiry
1d ) ;minimum

YOUR_DOMAIN. IN MX 0 mail.YOUR_DOMAIN.
YOUR_DOMAIN. IN TXT "v=spf1 ip4:YOUR_PUBLIC_IP/32 mx ptr mx:mail.YOUR_DOMAIN ~all"
YOUR_DOMAIN. IN NS ns.YOUR_DOMAIN.
YOUR_DOMAIN. IN NS SLAVE_DNS_SERVER
www.YOUR_DOMAIN. IN A YOUR_PUBLIC_IP
ns.YOUR_DOMAIN. IN A YOUR_PUBLIC_IP
mail.YOUR_DOMAIN. IN A YOUR_PUBLIC_IP
_________________
Without diversity there can be no evolution:)
desultory (Administrator; joined 04 Nov 2005; posts: 9392)
Posted: Wed Dec 15, 2010 10:40 am

cwc wrote:
I cannot resolve azzerare.casa with my /etc/resolv.conf set to:

azzerare ~ # more /etc/resolv.conf
# Generated by net-scripts for interface eth0
nameserver 192.168.1.1
nameserver 192.168.1.14
From where?

cwc wrote:
To do my external zone do I follow the pattern below?
If I read your meaning correctly, you can.
cwc (Veteran; joined 20 Mar 2006; posts: 1164; location: Tri-Cities, WA USA)
Posted: Wed Dec 15, 2010 12:09 pm

desultory wrote:
cwc wrote:
I cannot resolve azzerare.casa with my /etc/resolv.conf set to:

azzerare ~ # more /etc/resolv.conf
# Generated by net-scripts for interface eth0
nameserver 192.168.1.1
nameserver 192.168.1.14
From where?

cwc wrote:
To do my external zone do I follow the pattern below?
If I read your meaning correctly, you can.


Thanks for the line.
I actually only got "/etc/init.d/named restart" to work without an error. I cannot ping anything other than names in my hosts file.

azzerare ~ # ping www.azzerare.casa
ping: unknown host www.azzerare.casa

Here's my hosts file:
# /etc/hosts: Local Host Database
# IPv4 and IPv6 localhost aliases
127.0.0.1 azzerare localhost
::1 azzerare localhost
192.168.1.14 azzerare.casa azzerare localhost

/etc/resolv.conf
# Generated by net-scripts for interface eth0
nameserver 192.168.1.1
nameserver 192.168.1.14

azzerare ~ # named-checkzone azzerare.casa /var/bind/pri/azzerare.internal
zone azzerare.casa/IN: loaded serial 1012142

azzerare ~ # cat /var/bind/pri/azzerare.internal
$TTL 2d
@ IN SOA ns.azzerare.casa. root.azzerare.casa. (
1012142 ; 1012142
3h ; refresh
1h ; retry
1w ; expiry
1d ) ; minimum

IN MX 0 mail.azzerare.casa.
IN TXT "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
IN NS ns.azzerare.casa.
www.azzerare.casa. IN A 192.168.1.14
ns.azzerare.casa. IN A 192.168.1.14
mail.azzerare.casa. IN A 192.168.1.14
router.azzerare.casa. IN A 192.168.1.1
_________________
Without diversity there can be no evolution:)
desultory (Administrator; joined 04 Nov 2005; posts: 9392)
Posted: Thu Dec 16, 2010 11:32 am

My prior revision of your zone file was a bit too conservative in correcting problems, try this.

Code:
$TTL 2d
@       IN SOA  mail.azzerare.casa.       root.azzerare.casa. (
        1012071 ; 1012071
        3h      ; refresh
        1h      ; retry
        1w      ; expiry
        1d )    ; minimum

         IN MX   0 mail.azzerare.casa.
         IN TXT  "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
         IN NS   ns
www      IN A    192.168.1.14
ns       IN A    192.168.1.14
mail     IN A    192.168.1.14
router   IN A    192.168.1.1
cwc (Veteran; joined 20 Mar 2006; posts: 1164; location: Tri-Cities, WA USA)
Posted: Thu Dec 16, 2010 12:39 pm

desultory wrote:
My prior revision of your zone file was a bit too conservative in correcting problems, try this.

Code:
$TTL 2d
@       IN SOA  mail.azzerare.casa.       root.azzerare.casa. (
        1012071 ; 1012071
        3h      ; refresh
        1h      ; retry
        1w      ; expiry
        1d )    ; minimum

         IN MX   0 mail.azzerare.casa.
         IN TXT  "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
         IN NS   ns
www      IN A    192.168.1.14
ns       IN A    192.168.1.14
mail     IN A    192.168.1.14
router   IN A    192.168.1.1


named started, but I could not resolve (ping) router.azzerare.casa. I reset /etc/resolv.conf and checked to make sure a new serial number got loaded.
This is interesting:
azzerare ~ # ping www.azzerare.casa
PING www.azzerare.casa (184.106.31.166) 56(84) bytes of data.
64 bytes from 184.106.31.166: icmp_req=1 ttl=114 time=64.4 ms
64 bytes from 184.106.31.166: icmp_req=2 ttl=114 time=64.2 ms

thank you so much for the help!
_________________
Without diversity there can be no evolution:)
desultory (Administrator; joined 04 Nov 2005; posts: 9392)
Posted: Fri Dec 17, 2010 7:08 am

cwc wrote:
named started, but I could not resolve (ping) router.azzerare.casa. I reset /etc/resolv.conf and checked to make sure a new serial number got loaded.
What output do you get from dig router.azzerare.casa (dig is part of net-dns/bind-tools), on the system that is unable to ping router.azzerare.casa?
cwc (Veteran; joined 20 Mar 2006; posts: 1164; location: Tri-Cities, WA USA)
Posted: Fri Dec 17, 2010 12:30 pm

desultory wrote:
cwc wrote:
named started, but I could not resolve (ping) router.azzerare.casa. I reset /etc/resolv.conf and checked to make sure a new serial number got loaded.
What output do you get from dig router.azzerare.casa (dig is part of net-dns/bind-tools), on the system that is unable to ping router.azzerare.casa?


azzerare ~ # dig router.azzerare.casa

; <<>> DiG 9.7.1 <<>> router.azzerare.casa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47387
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;router.azzerare.casa. IN A

;; Query time: 5 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Dec 17 04:24:09 2010
;; MSG SIZE rcvd: 38

azzerare ~ #
_________________
Without diversity there can be no evolution:)
desultory (Administrator; joined 04 Nov 2005; posts: 9392)
Posted: Sun Dec 19, 2010 11:53 am

Perhaps an obvious question, but have you restarted named? Also, are the other names resolving properly?
cwc (Veteran; joined 20 Mar 2006; posts: 1164; location: Tri-Cities, WA USA)
Posted: Sun Dec 19, 2010 6:16 pm

desultory wrote:
Perhaps an obvious question, but have you restarted named? Also, are the other names resolving properly?



Yes. Only azzerare and azzerare.casa resolve, but they are in my /etc/hosts file.
_________________
Without diversity there can be no evolution:)
desultory (Administrator; joined 04 Nov 2005; posts: 9392)
Posted: Mon Dec 20, 2010 10:21 am

cwc wrote:
Only azzerare and azzerare.casa resolve, but they are in my /etc/hosts file.
Which means, not to put too fine a point on it, that they do not resolve via named. When you are checking for information from DNS, use dig to query the actual server or servers of interest; circumventing DNS just to make things roughly work is pointless if you are trying to get DNS itself to work.

Code:
acl "xfer" {
        none;
};


acl "trusted" {
        127.0.0.0/8;
        ::1/128;
};

options {
        directory "/var/bind";
        pid-file "/var/run/named/named.pid";

        /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
        //bindkeys-file "/etc/bind/bind.keys";

        listen-on-v6 {none; };
        listen-on { 127.0.0.1;192.168.1.14; };

        allow-query {
                /*
                 * Accept queries from our "trusted" ACL.  We will
                 * allow anyone to query our master zones below.
                 * This prevents us from becoming a free DNS server
                 * to the masses.
                 */
                192.168.1.14/24;
                trusted;
        };

        allow-query-cache {
                /* Use the cache for the "trusted" ACL. */
                trusted;
        };

        allow-recursion {
                /* Only trusted addresses are allowed to use recursion. */
                trusted;
        };

        allow-transfer {
                /* Zone transfers are denied by default. */
                none;
        };

        allow-update {
                /* Don't allow updates, e.g. via nsupdate. */
                none;
        };


};

logging {
        channel default_log {
                file "/var/log/named/named.log" versions 5 size 50M;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        category default { default_log; };
        category general { default_log; };
};

include "/home/dean/tmp/sandbox/rndc.key";
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};


zone "." in {
        type hint;
        file "/var/bind/root.cache";
};

zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        notify no;
};

zone "127.in-addr.arpa" IN {
        type master;
        file "pri/127.zone";
        notify no;
};

zone "casa" IN {
        type master;
        file "pri/azzerare.internal";
        allow-transfer { any; };
};
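The difference between this named.conf and the earlier ones is the extra element in allow-query: with only "trusted" (127.0.0.0/8 and ::1/128) in the list, a query arriving on 192.168.1.14 from any LAN host, including the server's own non-loopback address, is refused, which is consistent with the ping failures reported above. The evaluator below is an added example (not BIND's code, and not the thread's) of how BIND address match lists decide: elements are tried in order, the first match wins, a leading "!" negates, and a bare word is a built-in or a named acl. It also shows why the first named.conf failed named-checkconf ("192,168,1.14/24" is not a prefix) and which clients would be granted recursion, the check that decides whether a server is an open resolver. The "localhost" built-in is assumed here to mean the loopback addresses only.

```python
import ipaddress

class MatchList:
    """Evaluate BIND-style address match lists (added example, not BIND code).
    Elements are tried in order; the first one that matches decides; a leading '!'
    negates; a bare word is a built-in or a named acl."""
    BUILTIN = {"any": ["0.0.0.0/0", "::/0"], "none": [],
               "localhost": ["127.0.0.0/8", "::1/128"]}   # assumption: loopback only

    def __init__(self, named_acls):
        self.acls = dict(self.BUILTIN, **named_acls)

    def validate(self, elements):
        """Elements that are neither a known acl name nor a valid prefix; this is the
        class of mistake behind the '192,168,1.14/24' error earlier in the thread."""
        bad = []
        for element in elements:
            name = element.lstrip("!").strip()
            if name in self.acls:
                continue
            try:
                ipaddress.ip_network(name, strict=False)
            except ValueError:
                bad.append(element)
        return bad

    def _match(self, elements, ip):
        """True = positive match, False = negated match, None = no element matched."""
        for element in elements:
            negate = element.startswith("!")
            name = element.lstrip("!").strip()
            if name in self.acls:                      # nested / named acl
                hit = self._match(self.acls[name], ip)
                if hit is None:
                    continue
                return (not hit) if negate else hit
            net = ipaddress.ip_network(name, strict=False)   # host bits are masked
            if ip.version == net.version and ip in net:
                return not negate
        return None

    def allows(self, elements, client):
        return self._match(elements, ipaddress.ip_address(client)) is True

# acl "trusted" exactly as declared in the named.conf files in this thread
ACLS = MatchList({"trusted": ["127.0.0.0/8", "::1/128"]})

# allow-query before (only "trusted") and after the LAN prefix was added
ALLOW_QUERY_BEFORE = ["trusted"]
ALLOW_QUERY_AFTER = ["192.168.1.14/24", "trusted"]

def query_allowed(allow_query, client):
    return ACLS.allows(allow_query, client)

def select_view(views, client):
    """views: [(name, match_clients)]. The first view whose match-clients list
    matches the client answers it; a client that matches no view is refused."""
    for name, match_clients in views:
        if ACLS.allows(match_clients, client):
            return name
    return None

def recursion_exposure(allow_recursion, sample_clients):
    """Sample clients that would be granted recursion. Anything beyond the local
    network in this list means the server is an open resolver."""
    return [c for c in sample_clients if ACLS.allows(allow_recursion, c)]

if __name__ == "__main__":
    print("invalid elements:", ACLS.validate(["192,168,1.14/24", "localhost"]))
    for client in ("127.0.0.1", "192.168.1.20", "203.0.113.9"):
        print(client, "before:", query_allowed(ALLOW_QUERY_BEFORE, client),
              "after:", query_allowed(ALLOW_QUERY_AFTER, client))
```

Note that this named.conf widens allow-query only; allow-recursion is still "trusted", so a LAN client (or the server itself when it reaches 192.168.1.14 rather than 127.0.0.1) gets authoritative answers for casa but no recursion for anything else. That is the intended posture for an authoritative server, and it is what the "recursion requested but not available" warning in a later dig output reflects; if LAN hosts are meant to use this server as their resolver, the same prefix has to appear in allow-recursion and allow-query-cache as well.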
cwc (Veteran; joined 20 Mar 2006; posts: 1164; location: Tri-Cities, WA USA)
Posted: Tue Dec 21, 2010 3:51 pm

desultory wrote:
cwc wrote:
Only azzerare and azzerare.casa resolve, but they are in my /etc/hosts file.
Which means, not to put too fine a point on it, that they do not resolve via named. When you are checking for information from DNS, use dig to query the actual server or servers of interest; circumventing DNS just to make things roughly work is pointless if you are trying to get DNS itself to work.

Code:
acl "xfer" {
        none;
};
.....


Thanks again for the lines. The last named.conf worked along with my zone file.

I got this to work. I like the way I access the nodes on my network this way, e.g. router.casa, azzerare.casa.
I set /etc/resolv.conf to:
nameserver 192.168.1.14
nameserver 192.168.1.1

All seems to be working fine, EXCEPT Chromium will work with the real and local DNS but not Firefox or Epiphany.

Do I need an outside zone?

azzerare / # dig casa

; <<>> DiG 9.7.1 <<>> casa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9206
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;casa. IN A

;; AUTHORITY SECTION:
casa. 86400 IN SOA mail.casa. root.casa. 101221 10800 3600 604800 86400

;; Query time: 0 msec
;; SERVER: 192.168.1.14#53(192.168.1.14)
;; WHEN: Tue Dec 21 22:28:31 2010
;; MSG SIZE rcvd: 68

thanks again!
_________________
Without diversity there can be no evolution:)
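The two dig transcripts in this thread tell the whole story once you read the header rather than just the status: the first was answered by 192.168.1.1 (the router, first in resolv.conf at the time) without the aa flag, so it was never a statement about this server's zone; the second comes from 192.168.1.14 with aa set, NOERROR and an SOA in the AUTHORITY section, which is a NODATA answer (casa exists but has no A record at its apex), and "recursion requested but not available" because the client address is outside allow-recursion. The parser below is an added example (not the thread's code and not part of bind-tools) that extracts those fields from dig's output and names the finding; the two sample inputs are the transcripts posted above, reproduced inline.

```python
import re

# The two dig transcripts posted in this thread, reproduced as inline sample input.
DIG_NXDOMAIN = """\
; <<>> DiG 9.7.1 <<>> router.azzerare.casa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47387
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;router.azzerare.casa. IN A

;; Query time: 5 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
"""
DIG_NODATA = """\
; <<>> DiG 9.7.1 <<>> casa
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9206
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;casa. IN A

;; AUTHORITY SECTION:
casa. 86400 IN SOA mail.casa. root.casa. 101221 10800 3600 604800 86400

;; SERVER: 192.168.1.14#53(192.168.1.14)
"""

_HEADER = re.compile(r"status: (\w+), id: (\d+)")
_FLAGS = re.compile(r";; flags: ([^;]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)")
_SERVER = re.compile(r";; SERVER: ([^#\s]+)#(\d+)")
_QNAME = re.compile(r"<<>> DiG [^<]*<<>> (\S+)")

def parse_dig(text):
    """Pull the fields that matter for diagnosis out of dig's human-readable output."""
    hdr, flags, server = _HEADER.search(text), _FLAGS.search(text), _SERVER.search(text)
    if not (hdr and flags and server):
        raise ValueError("not a complete dig answer")
    qname = _QNAME.search(text)
    return {
        "qname": qname.group(1) if qname else None,
        "status": hdr.group(1),
        "flags": set(flags.group(1).split()),   # qr, aa, rd, ra, ...
        "answer": int(flags.group(3)),
        "authority": int(flags.group(4)),
        "server": server.group(1),
    }

def diagnose(text, expected_server):
    """Return (parsed_fields, [(code, explanation), ...]) for one dig transcript.
    expected_server is the address of the server you are actually configuring."""
    d = parse_dig(text)
    findings = []
    if d["server"] != expected_server:
        findings.append(("wrong_server",
            f"answered by {d['server']}, not {expected_server}: the resolver is not asking "
            "the server being configured (check nameserver order in /etc/resolv.conf, or "
            "query it directly with dig @server name)"))
    if d["status"] == "NXDOMAIN" and "aa" not in d["flags"]:
        findings.append(("nonauth_nxdomain",
            "non-authoritative NXDOMAIN: the answering server does not serve this zone"))
    if d["status"] == "NOERROR" and d["answer"] == 0 and d["authority"] > 0:
        findings.append(("nodata",
            "NODATA: the name exists but has no record of the requested type; the SOA "
            "in the AUTHORITY section is the negative answer"))
    if "rd" in d["flags"] and "ra" not in d["flags"]:
        findings.append(("no_recursion",
            "recursion requested but not available: the client address is outside "
            "allow-recursion, so only authoritative data is served to it"))
    return d, findings

if __name__ == "__main__":
    for sample in (DIG_NXDOMAIN, DIG_NODATA):
        fields, findings = diagnose(sample, "192.168.1.14")
        print(fields["qname"], fields["status"], fields["server"])
        for code, why in findings:
            print("  ", code, "-", why)
```

Asking the intended server directly (dig @192.168.1.14 router.casa) removes the resolv.conf ordering from the picture, which is the point desultory made earlier about querying the actual server of interest rather than whatever the stub resolver happens to pick.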