Need assistance with configuring external zone on a 2nd CentOS 7 bind v9.4.4 dns slave


Need assistance with configuring external zone on a 2nd CentOS 7 bind v9.4.4 dns slave

William Clarke
Resending because the message was over 40K... I removed most of the internal\external zones and logs to shorten the message.
We have a split DNS chrooted master\slave setup running on CentOS 5.11. I have 3 named.conf files below: working master, working slave, and a new CentOS 7 non-working slave that I'm trying to spin up. The internal zones do get transferred\updated; however, the external zones aren't transferring at all, and the master doesn't even have any mention of external transfers for this specific slave. I have a hunch that this is happening either because I don't have multiple network adapters configured (i.e. split DNS for the slave) or possibly because of a hostname issue. I tried to basically mirror the setup of my new slave in everything except the IP address. My new slave is 192.168.1.224. The instructions I followed to set this up were from: http://www.ehowstuff.com/how-to-setup-bind-chroot-dns-server-on-centos-7-0-vps/

Any assistance would be greatly appreciated; please let me know if\what other info you might need from me.

Working Master (CentOS 5.11 Bind 9.3.6-25-P1) named.conf:

/* This comment tests the subversion commit */
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named.stats";
        recursive-clients 10000;
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         // query-source address * port 53;
#       forward only;
        forwarders {
#               64.212.106.84; //dns2.jfk.gblx.net
#               209.130.136.2; //dns1.roc.gblx.net
                8.8.8.8; //google-public-dns-a.google.com
                8.8.4.4; //google-public-dns-b.google.com
        };
        allow-recursion { 10.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12;};
};
logging {
        channel update_debug {
                 file "/var/log/update-debug.log";
                 severity  debug 3;
                 print-category yes;
                 print-severity yes;
                 print-time     yes;
        };
        channel security_info    {
                 file "/var/log/named-auth.info";
                 severity  debug 3;
                 print-category yes;
                 print-severity yes;
                 print-time     yes;
        };
        category update { update_debug; };
        category security { security_info; };
};
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
view "internal" {
        match-clients {
                 !192.168.1.4; 10.0.0.0/8; 192.168.0.0/16; 127.0.0.0/8;
        };
        allow-transfer { key slave-internal; };
        notify yes ;
        also-notify { 192.168.1.222; 192.168.1.224; 192.168.1.227; };
        notify-source 192.168.1.221 ;
        zone "simons-rock.edu." IN {
           type master;
           file "internal/simons-rock.edu.internal.db";
        };
        zone "southberkshireconcerts.org." IN {
           type master;
           file "internal/southberkshireconcerts.org.int.db";
        };
};
view "external" {
        match-clients { any; };
        allow-transfer { key slave-external; };
        also-notify { 192.168.1.4; 192.168.1.224; 192.168.1.227; };
        notify yes ;
        notify-source 192.168.1.3 ;
        zone "simons-rock.edu." IN {
           type master;
           file "external/simons-rock.edu.ext.db";
        };
        zone "southberkshireconcerts.org." IN {
           type master;
           file "external/southberkshireconcerts.org.ext.db";
        };
};

#zone "." IN {
#       type hint;
#       file "named.ca";
#}
include "/etc/rndc.key";
include "/etc/transfer-internal.key";
include "/etc/transfer-external.key";
include "/etc/netreg-update.key";
-------------------------------------------------------------------------------------

Working slave (CentOS 5.11 Bind 9.3.6-25-P1) named.conf:

/* This comment tests the subversion commit */
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named.stats";
        recursive-clients 10000;
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
#        // query-source address * port 53;
#       forward only;
        forwarders {
#               64.212.106.84; //dns2.jfk.gblx.net
#               209.130.136.2; //dns1.roc.gblx.net
                8.8.8.8; //google-public-dns-a.google.com
                8.8.4.4; //google-public-dns-b.google.com
        };
        allow-recursion { 10.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12;};
};
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
view "internal" {
        match-clients { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.0/8; };
        query-source address 192.168.1.222 ;
        transfer-source 192.168.1.222 ;
        allow-notify { 192.168.1.221; };
        zone "simons-rock.edu." IN {
           type slave;
           masterfile-format text;
           masters { 192.168.1.221; };
           file "internal/simons-rock.edu.internal.db";
        };
        zone "southberkshireconcerts.org." IN {
           type slave;
           masterfile-format text;
           masters { 192.168.1.221; };
           file "internal/southberkshireconcerts.org.int.db";
        };
};
view "external" {
        match-clients { any; };
        query-source address 192.168.1.4 ;
        transfer-source 192.168.1.4 ;
        allow-notify { 192.168.1.3; };
        zone "simons-rock.edu." IN {
           type slave;
           masters { 192.168.1.3; };
           file "external/simons-rock.edu.ext.db";
        };
        zone "southberkshireconcerts.org." IN {
           type slave;
           masters { 192.168.1.3; };
           file "external/southberkshireconcerts.org.ext.db";
        };
};
include "/etc/rndc.key";
include "/etc/transfer-internal.key";
include "/etc/transfer-external.key";

server 192.168.1.221 {
        keys {
                slave-internal;
        };
};

server 192.168.1.3 {
        keys {
                slave-external;
        };
};

------------------------------------------------------------------------------------------------------------

Non-working slave (CentOS 7.0 BIND 9.9.4-RedHat-9.9.4-18.el7_1.1) named.conf:

/* This comment tests the subversion commit */
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursive-clients 10000;
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
#        // query-source address * port 53;
#       forward only;
        forwarders {
#               64.212.106.84; //dns2.jfk.gblx.net
#               209.130.136.2; //dns1.roc.gblx.net
                8.8.8.8; //google-public-dns-a.google.com
                8.8.4.4; //google-public-dns-b.google.com
        };
        allow-recursion { 10.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12;};
};
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
view "internal" {
        match-clients { 10.0.0.0/8; 192.168.0.0/16; 127.0.0.0/8; };
        query-source address 192.168.1.224 ;
        transfer-source 192.168.1.224 ;
        allow-notify { 192.168.1.221; };
         zone "simons-rock.edu." IN {
           type slave;
           masterfile-format text;
           masters { 192.168.1.221; };
           file "internal/simons-rock.edu.internal.db";
        };
        zone "southberkshireconcerts.org." IN {
           type slave;
           masterfile-format text;
           masters { 192.168.1.221; };
           file "internal/southberkshireconcerts.org.int.db";
        };
};
view "external" {
        match-clients { any; };
        query-source address 192.168.1.224 ;
        transfer-source 192.168.1.224 ;
        allow-notify { 192.168.1.3; };
        zone "simons-rock.edu." IN {
           type slave;
           masters { 192.168.1.3; };
           file "external/simons-rock.edu.ext.db";
        };
        zone "southberkshireconcerts.org." IN {
           type slave;
           masters { 192.168.1.3; };
           file "external/southberkshireconcerts.org.ext.db";
        };
};
include "/etc/rndc.key";
include "/etc/transfer-internal.key";
include "/etc/transfer-external.key";

server 192.168.1.221 {
        keys {
                slave-internal;
        };
};
server 192.168.1.3 {
        keys {
                slave-external;
        };
};
--------------------------------------------------------------------------
Some error logs from non-working slave:
--------------------------------------------------------------------------
Apr  2 13:40:29 localhost named[9800]: zone 93.81.208.in-addr.arpa/IN/external: refresh: non-authoritative answer from master 192.168.1.3#53 (source 192.168.1.224#0)
Apr  2 13:40:31 localhost named[9800]: zone southberkshireconcerts.org/IN/external: Transfer started.
Apr  2 13:40:31 localhost named[9800]: transfer of 'southberkshireconcerts.org/IN/external' from 192.168.1.3#53: connected using 192.168.1.224#42883
Apr  2 13:40:31 localhost named[9800]: transfer of 'southberkshireconcerts.org/IN/external' from 192.168.1.3#53: failed while receiving responses: REFUSED
Apr  2 13:40:31 localhost named[9800]: transfer of 'southberkshireconcerts.org/IN/external' from 192.168.1.3#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
Apr 02 13:53:16 letitroost.simons-rock.edu named[9800]: zone southberkshireconcerts.org/IN/external: Transfer started.
Apr 02 13:53:16 letitroost.simons-rock.edu named[9800]: transfer of 'southberkshireconcerts.org/IN/external' from 192.168.1.3#53: connected using 192.168.1.224#42188
Apr 02 13:53:16 letitroost.simons-rock.edu named[9800]: transfer of 'southberkshireconcerts.org/IN/external' from 192.168.1.3#53: failed while receiving responses: REFUSED
Apr 02 13:53:16 letitroost.simons-rock.edu named[9800]: transfer of 'southberkshireconcerts.org/IN/external' from 192.168.1.3#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
Apr 02 13:54:10 letitroost.simons-rock.edu named[9800]: zone 89111.cn/IN/internal: refresh: non-authoritative answer from master 192.168.1.221#53 (source 192.168.1.224#0)
Apr 02 13:54:11 letitroost.simons-rock.edu named[9800]: zone 89.81.208.in-addr.arpa/IN/external: refresh: non-authoritative answer from master 192.168.1.3#53 (source 192.168.1.224#0)
Apr 02 13:54:21 letitroost.simons-rock.edu named[9800]: zone 93.81.208.in-addr.arpa/IN/external: refresh: non-authoritative answer from master 192.168.1.3#53 (source 192.168.1.224#0)
Apr 02 13:54:42 letitroost.simons-rock.edu named[9800]: zone evilman.cn/IN/internal: refresh: non-authoritative answer from master 192.168.1.221#53 (source 192.168.1.224#0)
Apr 02 13:54:53 letitroost.simons-rock.edu named[9800]: zone 95.81.208.in-addr.arpa/IN/external: refresh: non-authoritative answer from master 192.168.1.3#53 (source 192.168.1.224#0)
Apr 02 13:55:18 letitroost.simons-rock.edu named[9800]: zone 92.81.208.in-addr.arpa/IN/external: refresh: non-authoritative answer from master 192.168.1.3#53 (source 192.168.1.224#0)


-- 

William Clarke
ITS System Administrator
Bard College at Simon's Rock
84 Alford Road
Great Barrington, MA  01230
(413) 528-7428 (voice)
(413) 528-7405 (fax)
[hidden email]





_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Need assistance with configuring external zone on a 2nd CentOS 7 bind v9.4.4 dns slave

Barry Margolin
In article <[hidden email]>,
 William Clarke <[hidden email]> wrote:

> Resending because the message was over 40K... I removed most of the
> internal\external zones and logs to shorten the message.
> We have a split DNS chrooted master\slave setup running on CentOS 5.11.
> I have 3 named.conf files below, Working master, working slave and a new
> CentOS 7 non-working slave that I'm trying to spin up. The internal
> zones do get transferred\updated however the external zones aren't
> transferring at all, the master doesn't even have any mentioning of
> external transfers for this specific slave. I have a hunch that this is
> either happening because I don't have multiple network adapters
> configured ie split DNS for slave or possibly a hostname issue. I tried
> to basically mirror the setup of my new slave all except the ip address.
> My new slave is 192.168.1.224. The instructions I followed to set this
> up was from:
> http://www.ehowstuff.com/how-to-setup-bind-chroot-dns-server-on-centos-7-0-vps/

Since the new slave only has one address, you can't use the IP to
distinguish which view should be sent in a zone transfer. You need to
use TSIG keys.

--
Barry Margolin
Arlington, MA

Re: Need assistance with configuring external zone on a 2nd CentOS 7 bind v9.4.4 dns slave

William Clarke
Barry,

Thank you. I appreciate your response, Barry. I'm fairly new to BIND and
DNS and have gotten a bit lost. Is there any way you can provide a
little more information for me? Am I not correct in saying that I'm
already using TSIG keys in the include lines?
------------------------------------------------------------
view "external" {
         match-clients { any; };
         allow-transfer { key slave-external; };
....
...
..
include "/etc/rndc.key";
include "/etc/transfer-internal.key";
include "/etc/transfer-external.key";
------------------------------------------------------------

/var/named/chroot/etc/transfer-external.key
key "slave-external" {
         algorithm       hmac-md5;
         secret          "blahblahblahblahblah";
};

Thanks,

William Clarke
ITS System Administrator
Bard College at Simon's Rock
84 Alford Road
Great Barrington, MA  01230
(413) 528-7428 (voice)
(413) 528-7405 (fax)
[hidden email]



Re: Need assistance with configuring external zone on a 2nd CentOS 7 bind v9.4.4 dns slave

Barry Margolin
In article <[hidden email]>,
 William Clarke <[hidden email]> wrote:

> Barry,
>
> Thank you. I appreciate your response, Barry. I'm fairly new to BIND and
> DNS and have gotten a bit lost. Is there any way you can provide a
> little more information for me? Am I not correct in saying that I'm
> already using TSIG keys in the include lines?

You need to use the TSIG key in the "match-clients" clause so it will be
used to select the appropriate view.

view "internal" {
   // A transfer request signed with the external key is excluded here,
   // so it falls through to the "external" view below.
   match-clients { !key slave-external; !192.168.1.4; 10.0.0.0/8; 192.168.0.0/16; 127.0.0.0/8; };
   allow-transfer { key slave-internal; };
   ...
};
view "external" {
   match-clients { any; };
   allow-transfer { key slave-external; };
   ...
};


--
Barry Margolin
Arlington, MA
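A constructed model of the view selection Barry describes, added here and not BIND's own code: it walks each view's match-clients ACL in order, then applies that view's allow-transfer, using the master's two views from the thread first as posted and then with `!key slave-external` added to the internal view. The ACL element strings and view dicts are assumptions standing in for named.conf syntax; the source addresses are the ones in the thread.

```python
import ipaddress

# Constructed model of BIND ACL evaluation (not BIND's code). ACL elements are
# strings in named.conf form: "any", "key NAME", an address or prefix, or any
# of those prefixed with "!" for negation.

def acl_match(acl, src_ip, key_name):
    """First matching element decides: plain element -> allow, '!' element -> deny.
    No element matching at all -> deny (the implicit deny at the end of an ACL)."""
    for elem in acl:
        negated = elem.startswith("!")
        body = elem.lstrip("!").strip()
        if body == "any":
            hit = True
        elif body.startswith("key "):
            hit = key_name == body[4:].strip()
        else:
            hit = ipaddress.ip_address(src_ip) in ipaddress.ip_network(body, strict=False)
        if hit:
            return not negated
    return False

def transfer_decision(views, src_ip, key_name=None):
    """Pick the first view whose match-clients accepts the request, then check
    that view's allow-transfer. Returns 'VIEW:ALLOWED', 'VIEW:REFUSED' or 'NO-VIEW'."""
    for view in views:
        if acl_match(view["match-clients"], src_ip, key_name):
            ok = acl_match(view["allow-transfer"], src_ip, key_name)
            return f"{view['name']}:{'ALLOWED' if ok else 'REFUSED'}"
    return "NO-VIEW"

# Master views as posted in the thread (before the fix).
ORIGINAL = [
    {"name": "internal",
     "match-clients": ["!192.168.1.4", "10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8"],
     "allow-transfer": ["key slave-internal"]},
    {"name": "external",
     "match-clients": ["any"],
     "allow-transfer": ["key slave-external"]},
]

# Same views with Barry's change: requests signed with the external key are
# excluded from "internal" and fall through to "external".
FIXED = [
    {**ORIGINAL[0], "match-clients": ["!key slave-external"] + ORIGINAL[0]["match-clients"]},
    ORIGINAL[1],
]

if __name__ == "__main__":
    # Old slave 192.168.1.4 was excluded by address; the new slave 192.168.1.224
    # has one address inside 192.168.0.0/16, so only the key can steer it.
    for label, views in (("original", ORIGINAL), ("fixed", FIXED)):
        for ip, key in (("192.168.1.4", "slave-external"),
                        ("192.168.1.224", "slave-internal"),
                        ("192.168.1.224", "slave-external")):
            print(f"{label:8} {ip:14} {key:15} -> {transfer_decision(views, ip, key)}")
```

With the original views, the new slave's external-key transfer lands in "internal", whose allow-transfer only accepts slave-internal, which is the REFUSED seen in the slave's log; with the fixed views it reaches "external" and is allowed.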

Re: Need assistance with configuring external zone on a 2nd CentOS 7 bind v9.4.4 dns slave

William Clarke
WOW!!! Thank you so much Barry... external zone is now transferring. Thank you thank you thank you...

William Clarke
ITS System Administrator
Bard College at Simon's Rock
84 Alford Road
Great Barrington, MA  01230
(413) 528-7428 (voice)
(413) 528-7405 (fax)
[hidden email]