Issues with Stub Zone

Issues with Stub Zone

Ben Lavender
Hi,

I've been trying to configure a stub zone using both BIND 9.8x and 9.9x
for some split-brain internal DNS.

The problem I have is that any client that requests the NS or SOA
records for this zone gets SERVFAIL. The BIND server populates the
/var/named/slaves/benlavender.co.uk.DB file with the SOA and NS records
straight away and can query them over UDP 53 to the masters if need be.

I've had a look through the logs that are used in this config, but the
only issues I see are that /lame-servers.log shows some IPv6 failures and
that the client is getting a SERVFAIL back in /default.log:

05-May-2019 22:58:32.846 client 192.168.1.4#51612 (benlavender.co.uk):
query failed (SERVFAIL) for benlavender.co.uk/IN/NS at query.c:7038

The config I'm using in /etc/named.conf is:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
         listen-on port 53 { 127.0.0.1; 172.16.4.31;};
         listen-on-v6 port 53 { ::1; };
         directory       "/var/named";
         dump-file       "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";
         recursing-file  "/var/named/data/named.recursing";
         secroots-file   "/var/named/data/named.secroots";
         allow-query     { localhost; 172.16.4.2; 172.16.4.3; 192.168.1.4;};

         /*
          - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
          - If you are building a RECURSIVE (caching) DNS server, you need to enable
            recursion.
          - If your recursive DNS server has a public IP address, you MUST enable access
            control to limit queries to your legitimate users. Failing to do so will
            cause your server to become part of large scale DNS amplification
            attacks. Implementing BCP38 within your network would greatly
            reduce such attack surface
         */
         recursion yes;

         dnssec-enable yes;
         dnssec-validation yes;

         /* Path to ISC DLV key */
         bindkeys-file "/etc/named.iscdlv.key";

         managed-keys-directory "/var/named/dynamic";

         pid-file "/run/named/named.pid";
         session-keyfile "/run/named/session.key";
};

logging {
     channel default_file {
         file "/var/named/default.log" versions 3 size 5m;
         severity debug;
         print-time yes;
     };
     channel general_file {
         file "/var/named/general.log" versions 3 size 5m;
         severity debug;
         print-time yes;
     };
     channel database_file {
         file "/var/named/database.log" versions 3 size 5m;
         severity debug;
         print-time yes;
     };
     channel security_file {
         file "/var/named/security.log" versions 3 size 5m;
         severity debug;
         print-time yes;
     };
     channel config_file {
         file "/var/named/config.log" versions 3 size 5m;
         severity debug;
         print-time yes;
     };
     channel resolver_file {
         file "/var/named/resolver.log" versions 3 size 5m;
         severity debug;
         print-time yes;
     };
     channel xfer-in_file {
         file "/var/named/xfer-in.log" versions 3 size 5m;
         severity debug;
         print-time yes;
     };
     channel xfer-out_file {
         file "/var/named/xfer-out.log" versions 3 size 5m;
         severity debug;
         print-time yes;
     };
     channel notify_file {
         file "/var/named/notify.log" versions 3 size 5m;
         severity debug;
         print-time yes;
     };
     channel client_file {
         file "/var/named/client.log" versions 3 size 5m;
         severity debug;
         print-time yes;
     };
     channel unmatched_file {
         file "/var/named/unmatched.log" versions 3 size 5m;
         severity debug;
         print-time yes;
     };
     channel queries_file {
         file "/var/named/queries.log" versions 3 size 5m;
         severity debug;
         print-time yes;
     };
     channel network_file {
         file "/var/named/network.log" versions 3 size 5m;
         severity debug;
         print-time yes;
     };
     channel update_file {
         file "/var/named/update.log" versions 3 size 5m;
         severity debug;
         print-time yes;
     };
     channel dispatch_file {
         file "/var/named/dispatch.log" versions 3 size 5m;
         severity debug;
         print-time yes;
     };
     channel dnssec_file {
         file "/var/named/dnssec.log" versions 3 size 5m;
         severity debug;
         print-time yes;
     };
     channel lame-servers_file {
         file "/var/named/lame-servers.log" versions 3 size 5m;
         severity debug;
         print-time yes;
     };

     category default { default_file; };
     category general { general_file; };
     category database { database_file; };
     category security { security_file; };
     category config { config_file; };
     category resolver { resolver_file; };
     category xfer-in { xfer-in_file; };
     category xfer-out { xfer-out_file; };
     category notify { notify_file; };
     category client { client_file; };
     category unmatched { unmatched_file; };
     category queries { queries_file; };
     category network { network_file; };
     category update { update_file; };
     category dispatch { dispatch_file; };
     category dnssec { dnssec_file; };
     category lame-servers { lame-servers_file; };
};

zone "." IN {
         type hint;
         file "named.ca";
};

zone benlavender.co.uk IN {
         type stub;
         masters {172.16.4.2; 172.16.4.3;};
         file "slaves/benlavender.co.uk.SEC";
         multi-master yes;
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: Issues with Stub Zone

Chris Buxton
Remembering that a stub zone is a cache hint, more information is needed.

 o  What do the two "master" DNS servers say when asked for the SOA record of 'benlavender.co.uk'?
 o  Are there A or AAAA records in the Additional section? If so, can the indicated IP addresses be reached?

It may be that the behavior you're expecting is more in line with type "static-stub" than with type "stub".

Regards,
Chris Buxton

> On May 7, 2019, at 4:08 PM, Ben Lavender <[hidden email]> wrote:

Re: Issues with Stub Zone

Ben Lavender
Thanks for your reply Chris,

When querying the SOA for that domain I successfully receive the full
SOA details including the additional NS and A records for the authoritative
server of the domain.

The stub server can contact the primary zone but only by IP, DNS
resolution fails unless I add in a record in /etc/hosts.

Also the stub zone file updates correctly. I have tested static-stubs
and they work as expected but stubs don't when recursion is enabled on
the BIND server.

Ben

On 08/05/2019 17:02, Chris Buxton wrote:

Re: Issues with Stub Zone

Cathy Almond
Echoing Chris Buxton - you may be better served by using static-stub
rather than stub.  Explanation here:

https://bugs.isc.org/Ticket/Display.html?id=45734

Cathy
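The two replies above make the same point from two directions: a stub zone only gives named the zone's NS set (plus whatever glue the master includes in its response), and named still has to reach those name servers before it can answer for the zone. An NS name that comes back without glue has to be resolved through named's normal recursive path; if that path cannot resolve it (or, in a split-horizon setup, resolves it to a different server than intended), the stub zone is unusable and the client sees SERVFAIL. A static-stub zone pins the servers by address with server-addresses instead of fetching NS records. The script below is an added example, not code from the thread or from ISC: it runs Chris Buxton's two checks (what the master returns for the SOA, and whether the NS names carry A/AAAA glue) over a constructed dig response, and prints the static-stub stanza Cathy Almond points to. The NS names ns1/ns2, the single glue record and the serial are assumptions; the thread never shows the real response.

```shell
#!/bin/sh
# Added example, not from the bind-users thread: reproduce the two checks
# suggested in the replies and emit the static-stub alternative.
#
# SAMPLE_DIG_OUTPUT is constructed to resemble
#   dig @172.16.4.2 benlavender.co.uk SOA +norecurse
# The NS names ns1/ns2 and the single glue A record are assumptions for
# illustration; ns2 deliberately has no glue so the "NOGLUE" path is exercised.
SAMPLE_DIG_OUTPUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; ANSWER SECTION:
benlavender.co.uk.  3600  IN  SOA  ns1.benlavender.co.uk. hostmaster.benlavender.co.uk. 2019050701 3600 900 1209600 300

;; AUTHORITY SECTION:
benlavender.co.uk.  3600  IN  NS  ns1.benlavender.co.uk.
benlavender.co.uk.  3600  IN  NS  ns2.benlavender.co.uk.

;; ADDITIONAL SECTION:
ns1.benlavender.co.uk.  3600  IN  A  172.16.4.2
'

# Print the NS target names found in the ANSWER or AUTHORITY section of a
# dig response (the NS set the stub zone will receive from the master).
ns_names() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ || /^;; AUTHORITY SECTION:/ { in_sec = 1; next }
        /^;; / { in_sec = 0 }
        in_sec && $3 == "IN" && $4 == "NS" { print $5 }'
}

# Print the A/AAAA glue addresses the ADDITIONAL section carries for one name.
glue_for() {
    printf '%s\n' "$1" | awk -v name="$2" '
        /^;; ADDITIONAL SECTION:/ { in_sec = 1; next }
        /^;; / { in_sec = 0 }
        in_sec && $1 == name && ($4 == "A" || $4 == "AAAA") { print $5 }'
}

# One line per NS name: "<name> <address>" when glue is present, or
# "<name> NOGLUE" when named would have to resolve the name itself.
glue_report() {
    for ns in $(ns_names "$1"); do
        addrs=$(glue_for "$1" "$ns")
        if [ -n "$addrs" ]; then
            for a in $addrs; do printf '%s %s\n' "$ns" "$a"; done
        else
            printf '%s NOGLUE\n' "$ns"
        fi
    done
}

# Emit a static-stub stanza that pins the zone's servers by address.
# Usage: static_stub_stanza <zone> <addr> [<addr> ...]
static_stub_stanza() {
    zone=$1; shift
    printf 'zone "%s" IN {\n    type static-stub;\n    server-addresses {' "$zone"
    for a in "$@"; do printf ' %s;' "$a"; done
    printf ' };\n};\n'
}

# Live variant of the check; needs dig and network access, so it is not run here.
# Usage: live_check <master-ip> <zone>
live_check() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 1; }
    glue_report "$(dig @"$1" "$2" SOA +norecurse)"
}

echo "NS names and glue returned by the master (NOGLUE = named must resolve it itself):"
glue_report "$SAMPLE_DIG_OUTPUT"
echo
echo "static-stub alternative that pins the servers by address:"
static_stub_stanza benlavender.co.uk 172.16.4.2 172.16.4.3
```

Run `live_check 172.16.4.2 benlavender.co.uk` on the stub server itself, once per master; `+norecurse` keeps the master from recursing on your behalf so you see only what it holds. Any name reported as NOGLUE is one named must look up through its own recursion before the stub zone can be used, and in a split-horizon setup that lookup may succeed against the wrong copy of the zone, which is the case for pinning addresses with static-stub.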