Help DNS


Help DNS

Int
I am having a problem with DNS name resolution
when I run nslookup from localhost (127.0.0.1) on the BIND9 DNS server.

 Here is what the DNS log generates for the following query to the DNS:

 # nslookup ctc.cu

Server:  127.0.0.1
Address: 127.0.0.1 #53

** server can't find ctc.cu: NXDOMAIN
---------------------------------------------
tail -1000 /var/log/syslog |grep namedd
Response:

 Aug 21 01:19:08 ns2 named[4481]: client 127.0.0.1#58899: view local: query (cache) 'ctc.cu/A/IN' denied
---------------------------------------------
In the other views the IP for ctc.cu resolves correctly.

Does anybody know how to solve this? (Aug 21 01:19:08 ns2 named[4481]: client 127.0.0.1#58899: view local: query (cache) 'ctc.cu/A/IN' denied)

------------------------
My server's BIND 9 configuration file is attached;
please check my views and zones configuration,
tell me if you have any recommendations for configuring the views and DNS zones,
or send me an example configuration for a DNS server with 3 network interfaces
------------------------

Please also tell me how I can configure the reverse zones, and in general
which zones you would recommend configuring on a BIND DNS server
with the greatest possible security.

Greetings
  William
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users


Re: Help DNS

Abdul Khader
Is 127.0.0.1 allowed to query in your named.conf ?


On 8/21/2015 8:22 PM, Int wrote:

RE: Help DNS

Kevin Darcy

nslookup is horrible. I’m assuming that the base query (ctc.cu) is getting REFUSED (probably due to lack of loopback in the allow-query-cache clause), then nslookup is stepping through the searchlist, getting one or more NXDOMAINs, and misreporting the overall failure as NXDOMAIN.

If nslookup *must* be used (try dig instead), at least turn on debug so you can see what it’s doing behind the scenes.

- Kevin

From: [hidden email] [mailto:[hidden email]] On Behalf Of Abdul Khader
Sent: Friday, August 21, 2015 11:36 AM
To: [hidden email]
Subject: Re: Help DNS

Is 127.0.0.1 allowed to query in your named.conf ?
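To make the diagnosis in the two replies above concrete, here is an added Python model (not from the thread and not BIND's code) of how a client is assigned to a view by match-clients and then checked against that view's allow-query-cache, together with a parser for the "denied" log line; the view definitions and the second log line are constructed assumptions that reproduce the symptom in the original post.

```python
import ipaddress
import re
# BIND logs "(cache)" when the name is not authoritative in the matched view.
DENIED_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: view (?P<view>[^:]+): "
    r"query (?P<cache>\(cache\) )?'(?P<qname>[^/]+)/(?P<qtype>[^/]+)/[^']+' denied"
)
# Constructed sample: line 1 is from the original post, line 2 is made up.
SAMPLE_LOG = """\
Aug 21 01:19:08 ns2 named[4481]: client 127.0.0.1#58899: view local: query (cache) 'ctc.cu/A/IN' denied
Aug 21 01:20:11 ns2 named[4481]: client 203.0.113.7#4321: view external: query 'cam.ctc.cu/A/IN' denied
"""

def parse_denials(log_text):
    """One dict per denied query, naming the ACL option to check in that view."""
    found = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            d = m.groupdict()
            # "(cache)" => allow-query-cache (its default derives from allow-recursion);
            # no "(cache)" => plain allow-query on an authoritative name.
            d["check"] = "allow-query-cache" if d.pop("cache") else "allow-query"
            found.append(d)
    return found

def _in_any(client, networks):
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(n) for n in networks)

def match_view(views, client):
    """First view whose match-clients contains the client wins, as in BIND."""
    for name, spec in views:
        if _in_any(client, spec["match-clients"]):
            return name
    return None

def cache_query_allowed(views, client):
    """(view, allowed?) for a non-authoritative query from client."""
    name = match_view(views, client)
    return (None, False) if name is None else (name, _in_any(client, dict(views)[name]["allow-query-cache"]))

# Assumed named.conf layout reproducing the symptom: loopback matches view
# "local" but is missing from that view's allow-query-cache.
BROKEN_VIEWS = [
    ("local", {"match-clients": ["127.0.0.0/8", "192.168.0.0/24"], "allow-query-cache": ["192.168.0.0/24"]}),
    ("external", {"match-clients": ["0.0.0.0/0"], "allow-query-cache": []}),
]
# Fix: add loopback ("localhost" in named.conf terms) to that view's allow-query-cache.
FIXED_VIEWS = [("local", {"match-clients": BROKEN_VIEWS[0][1]["match-clients"],
                          "allow-query-cache": ["127.0.0.0/8", "192.168.0.0/24"]}), BROKEN_VIEWS[1]]
```

Running the real log through parse_denials tells you which view the client landed in and which ACL option to look at in that view block, which is the first thing to check before touching the zone definitions.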

Re: Help DNS

Daniel Ryslink
Hello,

Your view "local" is not configured to propagate domain "ctc.cu"
authoritatively. This view is configured to propagate only two zones
authoritatively: cam.ctc.cu and 0.168.192.in-addr.arpa. Since "ctc.cu"
is neither of them, the nameserver would have to resolve your request via
a recursive query, and since no record for ctc.cu exists in the global
domain tree hierarchy, you get the NXDOMAIN response.

A few pointers - try to use the recommended YYYYMMDDnn format for SERIAL
in SOA. Also try not to use nslookup.


--
Best regards,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Czech Republic
Tel.:+420.226204627
[hidden email]
-----------------------------------------------
www.dialtelecom.cz
Dial Telecom, a.s.
Simply connect
-----------------------------------------------

On 21.8.2015 18:22, Int wrote:


Re: Help DNS

Alan Clegg
On 8/23/15 8:30 PM, Daniel Ryšlink wrote:

> A few pointers - try to use the recommended YYYYMMDDnn format for SERIAL
> in SOA. Also try not to use nslookup.

Half of this I agree with.  Half I do not.

The serial number is just a number, as long as you increment it, the
"format" is completely up to you.  I like using the epoch date if I'm
updating via script, or n+1 where n was the previous serial number if
I'm editing by hand.

Never, EVER use nslookup.

AlanC
--
When I do still catch the odd glimpse, it's peripheral; mere fragments
of mad-doctor chrome, confining themselves to the corner of the eye.



Re: Help DNS

Tim Daneliuk
On 08/23/2015 10:05 PM, Alan Clegg wrote:
> Never, EVER use nslookup.


Could you explain why?

--
----------------------------------------------------------------------------
Tim Daneliuk     [hidden email]
PGP Key:         http://www.tundraware.com/PGP/


Re: Help DNS

Daniel Ryslink
The reasons why not to use nslookup are summarized here:

http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/nslookup-flaws.html

I have seen ISC developers discourage using it in this mailing
list too.

As for the SERIAL in SOA, it's just a good practice, it gives you the
information about when the zone was published, and creates less problems
when you transfer hosting of the domain to another nameserver. Basically
yes, it's just a number, but there is no real good reason not to use the
recommended format.

Also note that I wrote "try to", and not "you absolutely must have to".

--
Best regards,
Daniel Ryšlink

On 08/24/2015 06:50 AM, Tim Daneliuk wrote:


Re: Help DNS

Tony Finch
Daniel Ryslink <[hidden email]> wrote:
>
> As for the SERIAL in SOA, it's just a good practice, it gives you the
> information about when the zone was published, and creates less problems
> when you transfer hosting of the domain to another nameserver. Basically
> yes, it's just a number, but there is no real good reason not to use the
> recommended format.

There are good reasons depending on the tools you use for automatically
maintaining your zones.

For dynamic zones, BIND before version 9.9 could only increment the serial
number. If you wanted it to be a date stamp you would have to explicitly
adjust the serial number in your UPDATE request. (For instance, nsdiff -S
date will do this for you.)

BIND 9.9 and later have a serial-update-method option which allows you to
choose increment or unixtime modes. But not ISO 8601 style date stamps.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
Viking, North Utsire: Easterly 4 or 5, increasing 6 at times. Slight or
moderate, but rough in southwest Viking. Showers later. Good, occasionally
poor later.

Re: Help DNS

Dave Warren
On 2015-08-24 03:57, Daniel Ryslink wrote:
> As for the SERIAL in SOA, it's just a good practice, it gives you the
> information about when the zone was published, and creates less
> problems when you transfer hosting of the domain to another
> nameserver. Basically yes, it's just a number, but there is no real
> good reason not to use the recommended format.

For me, the reason is that I don't track the serial number when
generating zones. I don't have any need to track revision counts or
dates for any other purpose, so I don't; I just generate a number which
is guaranteed to be higher than any previous number based on the current
time.

As a nod to poorly written DNS validation tools that tossed errors
rather than warnings, I do start my numbers with YYYY.

Currently this limits me to around 2 updates a minute with the serial
creation algorithm I'm using, but that's good enough for our typical
customer, and we can offer dynamic zones to customers that need it. I
don't think we have any of those left anymore.

--
Dave Warren
http://www.hireahit.com/
http://ca.linkedin.com/in/davejwarren
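As an added illustration of the serial-number exchange between Daniel, Alan, Tony and Dave above (Python written for this page, not BIND's code and not any poster's script), the block below models the three serial styles mentioned (n+1, unixtime as in serial-update-method, YYYYMMDDnn) and the RFC 1982 comparison a secondary applies before transferring; it also shows why moving a zone from a unixtime serial to YYYYMMDDnn works while the reverse direction leaves secondaries stuck. The dates and serials are constructed; the BIND behaviour is modelled, not called.

```python
import time

MOD = 1 << 32          # zone serials are 32-bit unsigned (RFC 1982)
HALF = 1 << 31

def serial_gt(a, b):
    """RFC 1982 comparison: is serial a 'greater than' serial b?"""
    a, b = a % MOD, b % MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)

def next_serial(old, method, today=None, now=None):
    """Next serial in one of the three styles from the thread.
    'increment': n+1 (hand-edit style; also BIND's default update method).
    'unixtime' : epoch seconds, modelled on serial-update-method unixtime.
    'date'     : YYYYMMDDnn, the convention Daniel recommends.
    today (int YYYYMMDD) and now (epoch seconds) default to the clock."""
    if method == "increment":
        return (old + 1) % MOD or 1           # skip 0, which has special meaning
    if method == "unixtime":
        now = int(time.time()) if now is None else now
        # use the clock only if that actually moves the serial forward
        return now if serial_gt(now, old) else (old + 1) % MOD
    if method == "date":
        today = int(time.strftime("%Y%m%d")) if today is None else today
        base = today * 100
        # first change of the day is nn=01; later ones add 1.  After 99 changes
        # in a day the prefix no longer equals the date, but ordering still holds.
        return base + 1 if serial_gt(base, old) else old + 1
    raise ValueError("unknown method: %s" % method)

def secondaries_will_transfer(current, proposed):
    """A secondary only pulls a new copy if the proposed serial is 'greater'
    than the one it holds; this is the check that bites when a zone moves
    between hosting set-ups that use different serial styles."""
    return serial_gt(proposed, current)
```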

