Re: bind-users Digest, Vol 2084, Issue 1


Re: bind-users Digest, Vol 2084, Issue 1

STEPHEN EYRE
My named.conf.options is as follows

options {
          directory "/var/cache/bind";

          recursion no;

          allow-transfer { none; };

          dnssec-validation auto;

          auth-nxdomain no;

          listen-on { any; };

};

By the way my A records are still not showing up on mydns.net.

Thanks

Sent from Yahoo Mail on Android


From:"[hidden email]" <[hidden email]>
Date:Mon, 6 Apr, 2015 at 13:00
Subject:bind-users Digest, Vol 2084, Issue 1

Today's Topics:

  1. Re: bind-users Digest, Vol 2083, Issue 1 (STEPHEN EYRE)
  2. Re: bind-users Digest, Vol 2083, Issue 1 (Reindl Harald)
  3. Re: bind-users Digest, Vol 2083, Issue 1 (Noel Butler)


----------------------------------------------------------------------

Message: 1
Date: Sun, 5 Apr 2015 16:52:07 +0100
From: STEPHEN EYRE <sceyre@...>
To: "bind-users@..." <bind-users@...>
Subject: Re: bind-users Digest, Vol 2083, Issue 1
Message-ID:
    <1428249127.19697.YahooMailAndroidMobile@...>
Content-Type: text/plain; charset="iso-8859-1"

The aim is to make it authoritative as well as hosting my web sites.

Sent from Yahoo Mail on Android

From:"bind-users-request@..." <bind-users-request@...>
Date:Sun, 5 Apr, 2015 at 13:00
Subject:bind-users Digest, Vol 2083, Issue 1

Today's Topics:

  1. Dig, open servers and A records (Stephen Eyre)
  2. Re: Dig, open servers and A records (Steven Carr)


----------------------------------------------------------------------

Message: 1
Date: Sun, 05 Apr 2015 09:32:36 +0100
From: Stephen Eyre <sceyre@...>
To: bind-users@...
Subject: Dig, open servers and A records
Message-ID: <5520F324.7050709@...>
Content-Type: text/plain; charset=utf-8; format=flowed

Dear All

The good news is that I have my server running. The not so good news is
that there are a few problems which could be interconnected.

My server is called server1.sportshost.co.uk and its ip address is
84.92.56.54.

Going on to whatsmydns.net I find that sportshost.co.uk returns suitable
entries under the NS and SOA section. There is nothing but red crosses
under A records section - I was expecting my ip address.

Then when I dig a domain name like google.co.uk I get suitable replies
but when I dig an ip address like 8.8.8.8 the request gets the reply
REFUSED.

Further enquiries show that I don't have an open recursive site when the
errors above still apply.

When I change my /etc/bind/named.conf.local file from 'recursion no;' to
'recursion yes;' I get an inverse of the above. I get full replies from
all my dig enquiries but I get an open recursive warning - which I
obviously don't want.

whatsmydns.net replies remain the same.

So today's question is - what do I need to do to keep my server closed,
get proper dig replies and get my A records showing up on whatsmydns.net?

Or is everything working well and it's not necessary to have dig
providing proper replies?

Thanks

Stephen Eyre


------------------------------

Message: 2
Date: Sun, 5 Apr 2015 09:57:08 +0100
From: Steven Carr <sjcarr@...>
Cc: bind-users <bind-users@...>
Subject: Re: Dig, open servers and A records
Message-ID:
    <CALMep05dMFY0a_YBbTuNk3cQigYbJvSY_43W212sug0WGkPMVQ@...>
Content-Type: text/plain; charset=UTF-8

On 5 April 2015 at 09:32, Stephen Eyre <sceyre@...> wrote:
> My server is called server1.sportshost.co.uk and its ip address is
> 84.92.56.54.
>
> Going on to whatsmydns.net I find that sportshost.co.uk returns suitable
> entries under the NS and SOA section. There is nothing but red crosses
> under A records section - I was expecting my ip address.

Try again, you haven't given things enough time to propagate around
the internet, 24-72 hours is still the usual wait time.

> So today's question is - what do I need to do to keep my server closed, get
> proper dig replies and get my A records showing up on whatsmydns.net?

What is the purpose of the server? Are you going to be hosting zones
that need to be accessible from other clients on the Internet
(authoritative) or is it just a DNS server that you can utilize to
handle your queries (recursive)? Or are you doing both?

If you need recursion then you'll need an ACL to say which clients are
allowed to perform recursion to prevent it from being an open
recursor.

Steve


------------------------------

End of bind-users Digest, Vol 2083, Issue 1
*******************************************

------------------------------

Message: 2
Date: Sun, 05 Apr 2015 18:07:59 +0200
From: Reindl Harald <h.reindl@...>
To: bind-users@...
Subject: Re: bind-users Digest, Vol 2083, Issue 1
Message-ID: <55215DDF.9070902@...>
Content-Type: text/plain; charset="windows-1252"; Format="flowed"



On 05.04.2015 at 17:52, STEPHEN EYRE wrote:
> The aim is to make it authoritative as well as hosting my web sites

But an authoritative nameserver doesn't need to, nor should it, do recursion for
foreign zones; it should only respond for the zones it is authoritative
for, so the behavior is correct. Make sure it answers for your
zones and then point your domains to your nameservers (at least TWO) and
you are done.


------------------------------

Message: 3
Date: Mon, 06 Apr 2015 15:19:53 +1000
From: Noel Butler <noel.butler@...>
To: bind-users@..., sceyre@...
Subject: Re: bind-users Digest, Vol 2083, Issue 1
Message-ID: <2f10c0bccb4561a89d384bd5e85fed40@...>
Content-Type: text/plain; charset="us-ascii"



You need an allow-query and ACL, e.g.:

Assuming for example your LAN ip range is 192.168.0.0/24, then you would
use

for simplicity, at top of named.conf:

acl "trust" { localhost; 192.168.0.0/24; };

then in...

options {

        // ... existing options ...

        allow-query { trust; };
        allow-query-cache { trust; };

        // ... existing options ...

};

That should do it. If you need further assistance you'll need to supply
a copy of named.conf - in particular the options, ACLs and at least
one of your zones - but if your named.conf isn't 5 miles long, just paste
the whole thing.

On 06/04/2015 01:52, STEPHEN EYRE wrote:

> The aim is to make it authoritative as well as hosting my web sites.
>
> Sent from Yahoo Mail on Android [1]
> -------------------------
>
> When I change my /etc/bind/named.conf.local file from 'recursion no;' to
> 'recursion yes;' I get an inverse of the above. I get full replies from
> all my dig enquiries but I get an open recursive warning - which I
> obviously don't want.


Links:
------
[1] https://overview.mail.yahoo.com/mobile/?.src=Android

------------------------------

End of bind-users Digest, Vol 2084, Issue 1
*******************************************

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
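
The behaviour discussed in this thread (REFUSED with 'recursion no;', full answers plus an open-recursor warning with 'recursion yes;') can be read directly from three header fields of each reply: AA, RA and RCODE. The following is an added example, not code from any poster or from BIND; the function names are hypothetical and the sample replies are constructed header-only messages rather than captured traffic.

```python
"""Read the header flags of DNS replies to tell an authoritative-only
server from one that recurses for the client asking."""
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype=1, txid=0x1A2B):
    """Minimal query with RD=1 (what dig sends by default); qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg):
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),  # this is a response
        "aa": bool(flags & 0x0400),  # authoritative answer
        "rd": bool(flags & 0x0100),  # recursion desired (copied from query)
        "ra": bool(flags & 0x0080),  # recursion available to this client
        "rcode": RCODES.get(rcode, str(rcode)),
        "answers": answers,
    }


def classify(own_zone_reply, foreign_reply):
    """Return (authoritative_for_own_zone, recursion_for_foreign_names)."""
    own = parse_header(own_zone_reply)
    foreign = parse_header(foreign_reply)
    authoritative = (own["rcode"] == "NOERROR" and own["aa"]
                     and own["answers"] > 0)
    if foreign["rcode"] == "REFUSED":
        recursion = "refused"      # closed: expected with 'recursion no;'
    elif foreign["ra"] and foreign["rcode"] == "NOERROR" and foreign["answers"] > 0:
        recursion = "served"       # open resolver if the client is outside your ACL
    else:
        recursion = "not offered"  # e.g. a referral or empty reply, RA clear
    return authoritative, recursion


def query_udp(server, name, timeout=3.0):
    """Send one UDP query to a server you operate; return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        return sock.recvfrom(4096)[0]


def _sample(flags, answers):
    """Constructed header-only reply for the offline demo (not captured traffic)."""
    return struct.pack("!HHHHHH", 0x1A2B, flags, 1, answers, 0, 0)


SAMPLE_OWN_ZONE = _sample(0x8500, 1)  # qr aa rd, NOERROR, 1 answer
SAMPLE_REFUSED = _sample(0x8105, 0)   # qr rd, REFUSED
SAMPLE_RECURSED = _sample(0x8180, 1)  # qr rd ra, NOERROR, 1 answer

if __name__ == "__main__":
    print("recursion no :", classify(SAMPLE_OWN_ZONE, SAMPLE_REFUSED))
    print("recursion yes:", classify(SAMPLE_OWN_ZONE, SAMPLE_RECURSED))
```

To check a live server, pass two `query_udp()` replies to `classify()`: one for a name in your own zone and one for a name you do not host, sent from a host outside any trusted ACL.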

Re: bind-users Digest, Vol 2084, Issue 1

Reindl Harald


On 06.04.2015 at 17:37, STEPHEN EYRE wrote:

> My named.conf.options is as follows
>
> options {
>            directory "/var/cache/bind";
>
>            recursion no;
>
>            allow-transfer { none; };
>
>            dnssec-validation auto;
>
>            auth-nxdomain no;
>
>            listen-on { any; };
>
> };
>
> By the way my A records are still not showing up on mydns.net
not sure what that means

Does the domain *really* point to your nameservers?
Setting up the DNS alone is not enough.


You need to provide information to get help:

* which domain
* what records are you missing
* uncut input and output of dig command



Re: bind-users Digest, Vol 2084, Issue 1

Noel Butler
In reply to this post by STEPHEN EYRE

Well, that certainly does not include what I told you to add; however, it doesn't seem to be "open" to me, so you must have cleaned it up since posting this.

You only have one nameserver? That is not compliant: you require a primary and a secondary; how your domain registrar passed that is beyond me. Oh, and they cannot be on the same machine.

 

~$ host server1.sportshost.co.uk
server1.sportshost.co.uk has address 84.92.56.54

Your DNS is working, well, OK, it's kind of working, still lots of failures, including not listening on tcp.

On 07/04/2015 01:37, STEPHEN EYRE wrote:

My named.conf.options is as follows
 
options {
          directory "/var/cache/bind";

          recursion no;

          allow-transfer { none; };

          dnssec-validation auto;

          auth-nxdomain no;

          listen-on { any; };

};

By the way my A records are still not showing up on mydns.net.
 
Thanks
