bind refusing update


bind refusing update

Dan Egli
I'm really stumped as to what's going on. I'm trying to get dhcpd to
automatically update name records for my internal network. This is NOT
going to the public internet by any means. It's just an internal
network. But every time either I or dhcpd try to add a record, named
refuses to allow it. I'm getting a message in the log that says refused
due to allow-query:

19-Dec-2020 06:49:19.299 update-security: error: client @0x7fa610000cd0
10.0.2.15#49948: update 'eglifamily.name/IN' denied due to allow-query

What's causing this, and how do I fix it? I'm including my named.conf
and dhcpd.conf files below. Can anyone help me?

dhcpd.conf:
# dhcpd.conf: global parameters, inherited by every subnet and host below.
# Leases are short (300 s) and capped at 12 h (43200 s).
default-lease-time 300;
max-lease-time 43200;

# "interim" style: dhcpd itself sends DNS UPDATE messages for its leases.
# NOTE(review): this file declares no "zone" or "key" statement, so dhcpd
# picks the target name server and the source interface on its own; the
# thread shows the update leaving from 10.0.2.15 and being refused by named.
# A TSIG "key" declaration plus a "zone eglifamily.name. { primary ...; key
# ...; }" statement pins both, and signed updates are what the reply in this
# thread recommends over address-based access control.
ddns-update-style interim;

# This is the authoritative DHCP server for the networks it serves.
authoritative;
log-facility local1;


# Serve network-boot (PXE) clients.
allow booting;

# ISP-facing subnet, declared with no range so nothing is ever offered on it
# (presumably present so dhcpd accepts the attached interface).
# NOTE(review): the DNS UPDATE that named refused (see the log line quoted
# in this thread) was sourced from 10.0.2.15, i.e. from this network, not
# from the 192.168.10.x LAN.
subnet 10.0.2.0 netmask 255.255.255.0 {
# no services at all! That's the link from the ISP. Don't touch it!
}


# Internal LAN; the dynamic pool is the upper half of the /24.
subnet 192.168.10.0 netmask 255.255.255.0 {
         range 192.168.10.128 192.168.10.254;
         # Clients identifying as iPXE receive pxelinux.efi, all others
         # pxelinux.0.
         if exists user-class and option user-class = "iPXE" {
         filename "pxelinux.efi";
         } else {
         filename "pxelinux.0";
         }
         # Boot (TFTP) server handed to PXE clients.
         next-server 192.168.10.3;
         # NOTE(review): 8.8.8.8 is handed out as a second resolver. A client
         # that uses it will not see the internal eglifamily.name records,
         # which named only serves to the "trusted" ACL; consider listing only
         # 192.168.10.2 here.
         option domain-name-servers 192.168.10.2, 8.8.8.8;
         option domain-name "eglifamily.name";
         option routers 192.168.10.1;

}

# Static reservation keyed on the client's MAC address.
host fixed-1 {
         hardware ethernet 08:00:27:D5:AA:3C;
         fixed-address 192.168.10.64;
         option host-name "ethereum-1";
         # NOTE(review): ddns-hostname is normally the bare host label; dhcpd
         # appends ddns-domainname (which defaults to the domain-name option),
         # so this value may register ethereum-1.eglifamily.name.eglifamily.name
         # — confirm against the zone once updates are accepted.
         ddns-hostname "ethereum-1.eglifamily.name";
}

named.conf:
/*
  * Refer to the named.conf(5) and named(8) man pages, and the documentation
  * in /usr/share/doc/bind-* for more details.
  * Online versions of the documentation can be found here:
  * https://kb.isc.org/article/AA-01031
  *
  * If you are going to set up an authoritative server, make sure you
  * understand the hairy details of how DNS works. Even with simple mistakes,
  * you can break connectivity for affected parties, or cause huge amounts of
  * useless Internet traffic.
  */

acl "xfer" {
         /* Deny transfers by default except for the listed hosts.
          * If we have other name servers, place them here.
          * NOTE(review): this ACL is not referenced anywhere in the visible
          * configuration; allow-transfer in options uses a literal "none".
          */
         none;
};

/*
  * You might put in here some ips which are allowed to use the cache or
  * recursive queries
  */
acl "trusted" {
         /* Clients allowed to query, use the cache and recurse (see the
          * options block): the internal LAN plus loopback. Note the loopback
          * range is 127.0.0.0/8 here but 127.0.0.0/24 in "myself" below. */
         192.168.10.0/24;
         127.0.0.0/8;
         ::1/128;
};

acl "myself" {
         /* Loopback only. Referenced by allow-update in options: because that
          * control is address-based, a DNS UPDATE not sourced from loopback
          * (the log in this thread shows one from 10.0.2.15) is refused. The
          * reply in this thread recommends TSIG-signed updates rather than
          * widening this ACL. */
         127.0.0.0/24;
         ::1/128;
};

options {
         /* Working directory for relative zone file paths ("pri/...") and
          * the location of the pid file. */
         directory "/var/bind";
         pid-file "/run/named/named.pid";

         /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
         //bindkeys-file "/etc/bind/bind.keys";
         /* Keytab for GSS-TSIG; pairs with the Samba bind-dns include at the
          * end of this file. */
         tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
         /* Omit authority/additional sections unless they are required. */
         minimal-responses yes;


         /* IPv4 only, on the LAN address and loopback; nothing is bound on
          * the 10.0.2.x ISP-side interface. */
         listen-on-v6 { none; };  // for now
         listen-on { 192.168.10.2; 127.0.0.1; };

         allow-query {
                 /*
                  * Accept queries from our "trusted" ACL.  We will
                  * allow anyone to query our master zones below.
                  * This prevents us from becoming a free DNS server
                  * to the masses.
                  * NOTE(review): none of the zone statements below sets its
                  * own allow-query, so as written this restriction also
                  * applies to the master zones.
                  */
                 trusted;
         };

         allow-query-cache {
                 /* Use the cache for the "trusted" ACL. */
                 trusted;
         };

         allow-recursion {
                 /* Only trusted addresses are allowed to use recursion. */
                 trusted;
         };

         allow-transfer {
                 /* Zone transfers are denied by default. (The "xfer" ACL
                  * defined above is not used here.) */
                 none;
         };

         allow-update {
                 /* Address-based update control; set here it is the default
                  * for every zone in this file. Only loopback ("myself") may
                  * send DNS UPDATE, which is why the update from 10.0.2.15 in
                  * the quoted log was refused. As the reply in this thread
                  * says, authenticate updates with a TSIG key shared with dhcpd
                  * (a "key" statement plus "allow-update { key ...; }" or an
                  * update-policy on the zone) instead of trusting source
                  * addresses. */
                 myself;
         };

         /*
          * If you've got a DNS server around at your upstream provider, enter
          * its IP address here, and enable the line below. This will make you
          * benefit from its cache, thus reduce overall DNS traffic in the
          * Internet.
          *
          * Uncomment the following lines to turn on DNS forwarding, and change
          * and/or update the forwarding ip address(es):
          */
/*
         forward first;
         forwarders {
         //      123.123.123.123;        // Your ISP NS
         //      124.124.124.124;        // Your ISP NS
         //      4.2.2.1;                // Level3 Public DNS
         //      4.2.2.2;                // Level3 Public DNS
                 8.8.8.8;                // Google Open DNS
                 8.8.4.4;                // Google Open DNS
         };

*/

//      dnssec-enable yes;
//      named-checkconf says above line is bad
//      NOTE(review): presumably because dnssec-enable has been dropped from
//      recent BIND releases; "dnssec-validation auto" below is what matters.
         //dnssec-validation yes;

         /*
          * As of bind 9.8.0:
          * "If the root key provided has expired,
          * named will log the expiration and validation will not work."
          */
         dnssec-validation auto;

         /* if you have problems and are behind a firewall: */
         //query-source address * port 53;
};


logging {
         /* Single file channel, rotated at 50M with 5 old versions kept;
          * each line is prefixed with time, severity and category. */
         channel default_log {
                 file "/var/log/named/named.log" versions 5 size 50M;
                 print-time yes;
                 print-severity yes;
                 print-category yes;
         };

         /* Categories not listed explicitly fall through to "default", which
          * is how the update-security refusal quoted in this thread reached
          * the log file. */
         category default { default_log; };
         category general { default_log; };
};


/* Shared secret for rndc; the file should be readable by named only. */
include "/etc/bind/rndc.key";
/* rndc control channel: IPv4 loopback only, key required.
 * NOTE(review): the ::1/128 entry in "allow" is unreachable while the
 * channel is bound to 127.0.0.1 alone — harmless, but confirm intent. */
controls {
         inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys {
"rndc-key"; };
};

#zone "." in {
#       type hint;
#       file "/var/bind/named.cache";
#};

/* Local forward zone for "localhost"; no secondaries, so NOTIFY is off. */
zone "localhost" IN {
         type master;
         file "pri/localhost.zone";
         notify no;
};

/* Internal forward zone that dhcpd tries to update.
 * NOTE(review): no per-zone allow-update or update-policy is set, so the
 * loopback-only default from options applies. A TSIG "key" statement and
 * "allow-update { key ...; }" here is the hardening the reply in this thread
 * recommends. Also, "notify yes" with allow-transfer none and no secondaries
 * in this file is worth rechecking against the zone's NS records. */
zone "eglifamily.name" {
         type master;
         file "pri/eglifamily.zone";
         notify yes;
};


/* Reverse zone for the 192.168.10.0/24 LAN. The same options-level
 * allow-update default applies here, so dhcpd's PTR updates would need the
 * same TSIG key arrangement as the forward zone. */
zone "10.168.192.in-addr.arpa" {
         type master;
         file "pri/10.168.192.arpa.zone";
         notify yes;
};

/* Samba AD bind9_dlz module configuration (see the note below); loaded
 * after the locally defined zones. */
include "/var/lib/samba/bind-dns/named.conf";


The samba file only contains the lines needed to load the dynamically
loaded zone modules (bind9_dlz).

--
Dan Egli
 From my Test Server

Re: bind refusing update [never mind]

Dan Egli
I guess sometimes you just need to look at it in a different way. I
never noticed it was using the 10.0.2.15 IP to try to update. That's
going to be blocked because I don't have the outside world enabled for
this server. So let me go ask on the DHCP list why it's insisting on
using that interface.

On 12/18/2020 11:59 PM, Dan Egli wrote:

> I'm really stumped as to what's going on. I'm trying to get dhcpd to
> automatically update name records for my internal network. This is NOT
> going to the public internet by any means. It's just an internal
> network. But every time either I or dhcpd try to add a record, named
> refuses to allow it. I'm getting a message in the log that says
> refused due to allow-query:
>
> 19-Dec-2020 06:49:19.299 update-security: error: client
> @0x7fa610000cd0 10.0.2.15#49948: update 'eglifamily.name/IN' denied
> due to allow-query
>
> What's causing this, and how do I fix it? I'm including my named.conf
> and dhcpd.con files below. Can anyone help me?
>
> dhcpd.conf:
> default-lease-time 300;
> max-lease-time 43200;
>
> ddns-update-style interim;
>
> authoritative;
> log-facility local1;
>
>
> allow booting;
>
> subnet 10.0.2.0 netmask 255.255.255.0 {
> # no services at all! That's the llnk from the ISP. Don't touch it!
> }
>
>
> subnet 192.168.10.0 netmask 255.255.255.0 {
>         range 192.168.10.128 192.168.10.254;
>         if exists user-class and option user-class = "iPXE" {
>         filename "pxelinux.efi";
>         } else {
>         filename "pxelinux.0";
>         }
>         next-server 192.168.10.3;
>         option domain-name-servers 192.168.10.2, 8.8.8.8;
>         option domain-name "eglifamily.name";
>         option routers 192.168.10.1;
>
> }
>
> host fixed-1 {
>         hardware ethernet 08:00:27:D5:AA:3C;
>         fixed-address 192.168.10.64;
>         option host-name "ethereum-1";
>         ddns-hostname "ethereum-1.eglifamily.name";
> }
>
> named.conf:
> /*
>  * Refer to the named.conf(5) and named(8) man pages, and the
> documentation
>  * in /usr/share/doc/bind-* for more details.
>  * Online versions of the documentation can be found here:
>  * https://kb.isc.org/article/AA-01031
>  *
>  * If you are going to set up an authoritative server, make sure you
>  * understand the hairy details of how DNS works. Even with simple
> mistakes,
>  * you can break connectivity for affected parties, or cause huge
> amounts of
>  * useless Internet traffic.
>  */
>
> acl "xfer" {
>         /* Deny transfers by default except for the listed hosts.
>          * If we have other name servers, place them here.
>          */
>         none;
> };
>
> /*
>  * You might put in here some ips which are allowed to use the cache or
>  * recursive queries
>  */
> acl "trusted" {
>         192.168.10.0/24;
>         127.0.0.0/8;
>         ::1/128;
> };
>
> acl "myself" {
>         127.0.0.0/24;
>         ::1/128;
> };
>
> options {
>         directory "/var/bind";
>         pid-file "/run/named/named.pid";
>
>         /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
>         //bindkeys-file "/etc/bind/bind.keys";
>         tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>         minimal-responses yes;
>
>
>         listen-on-v6 { none; };  // for now
>         listen-on { 192.168.10.2; 127.0.0.1; };
>
>         allow-query {
>                 /*
>                  * Accept queries from our "trusted" ACL.  We will
>                  * allow anyone to query our master zones below.
>                  * This prevents us from becoming a free DNS server
>                  * to the masses.
>                  */
>                 trusted;
>         };
>
>         allow-query-cache {
>                 /* Use the cache for the "trusted" ACL. */
>                 trusted;
>         };
>
>         allow-recursion {
>                 /* Only trusted addresses are allowed to use
> recursion. */
>                 trusted;
>         };
>
>         allow-transfer {
>                 /* Zone tranfers are denied by default. */
>                 none;
>         };
>
>         allow-update {
>                 myself;
>         };
>
>         /*
>         * If you've got a DNS server around at your upstream provider,
> enter its
>         * IP address here, and enable the line below. This will make
> you benefit
>         * from its cache, thus reduce overall DNS traffic in the
> Internet.
>         *
>         * Uncomment the following lines to turn on DNS forwarding, and
> change
>         *  and/or update the forwarding ip address(es):
>         */
> /*
>         forward first;
>         forwarders {
>         //      123.123.123.123;        // Your ISP NS
>         //      124.124.124.124;        // Your ISP NS
>         //      4.2.2.1;                // Level3 Public DNS
>         //      4.2.2.2;                // Level3 Public DNS
>                 8.8.8.8;                // Google Open DNS
>                 8.8.4.4;                // Google Open DNS
>         };
>
> */
>
> //      dnssec-enable yes;
> //      named-checkconf says above line is bad
>         //dnssec-validation yes;
>
>         /*
>          * As of bind 9.8.0:
>          * "If the root key provided has expired,
>          * named will log the expiration and validation will not work."
>          */
>         dnssec-validation auto;
>
>         /* if you have problems and are behind a firewall: */
>         //query-source address * port 53;
> };
>
>
> logging {
>         channel default_log {
>                 file "/var/log/named/named.log" versions 5 size 50M;
>                 print-time yes;
>                 print-severity yes;
>                 print-category yes;
>         };
>
>         category default { default_log; };
>         category general { default_log; };
> };
>
>
> include "/etc/bind/rndc.key";
> controls {
>         inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys
> { "rndc-key"; };
> };
>
> #zone "." in {
> #       type hint;
> #       file "/var/bind/named.cache";
> #};
>
> zone "localhost" IN {
>         type master;
>         file "pri/localhost.zone";
>         notify no;
> };
>
> zone "eglifamily.name" {
>         type master;
>         file "pri/eglifamily.zone";
>         notify yes;
> };
>
>
> zone "10.168.192.in-addr.arpa" {
>         type master;
>         file "pri/10.168.192.arpa.zone";
>         notify yes;
> };
>
> include "/var/lib/samba/bind-dns/named.conf";
>
>
> The samba file only contains the lines needed to load the dynamically
> loaded zone modules (bind9_dlz).
>
--
Dan Egli
 From my Test Server


Re: bind refusing update [never mind]

Mark Andrews
Stop using IP addresses for UPDATE authentication. Use TSIG instead between the DHCP server and named.

--
Mark Andrews

> On 19 Dec 2020, at 18:25, Dan Egli <[hidden email]> wrote:
>
> I guess sometimes you just need to look at it in a differnet way. I never noticed it was using the 10.0.2.15 IP to try to update. That's going to be blocked because I don't have the outside world enabled for this server. So let me go ask on the DHCP list why it's insisting on using that interface.
>
>> On 12/18/2020 11:59 PM, Dan Egli wrote:
>> I'm really stumped as to what's going on. I'm trying to get dhcpd to automatically update name records for my internal network. This is NOT going to the public internet by any means. It's just an internal network. But every time either I or dhcpd try to add a record, named refuses to allow it. I'm getting a message in the log that says refused due to allow-query:
>>
>> 19-Dec-2020 06:49:19.299 update-security: error: client @0x7fa610000cd0 10.0.2.15#49948: update 'eglifamily.name/IN' denied due to allow-query
>>
>> What's causing this, and how do I fix it? I'm including my named.conf and dhcpd.con files below. Can anyone help me?
>>
>> dhcpd.conf:
>> default-lease-time 300;
>> max-lease-time 43200;
>>
>> ddns-update-style interim;
>>
>> authoritative;
>> log-facility local1;
>>
>>
>> allow booting;
>>
>> subnet 10.0.2.0 netmask 255.255.255.0 {
>> # no services at all! That's the llnk from the ISP. Don't touch it!
>> }
>>
>>
>> subnet 192.168.10.0 netmask 255.255.255.0 {
>>         range 192.168.10.128 192.168.10.254;
>>         if exists user-class and option user-class = "iPXE" {
>>         filename "pxelinux.efi";
>>         } else {
>>         filename "pxelinux.0";
>>         }
>>         next-server 192.168.10.3;
>>         option domain-name-servers 192.168.10.2, 8.8.8.8;
>>         option domain-name "eglifamily.name";
>>         option routers 192.168.10.1;
>>
>> }
>>
>> host fixed-1 {
>>         hardware ethernet 08:00:27:D5:AA:3C;
>>         fixed-address 192.168.10.64;
>>         option host-name "ethereum-1";
>>         ddns-hostname "ethereum-1.eglifamily.name";
>> }
>>
>> named.conf:
>> /*
>>  * Refer to the named.conf(5) and named(8) man pages, and the documentation
>>  * in /usr/share/doc/bind-* for more details.
>>  * Online versions of the documentation can be found here:
>>  * https://kb.isc.org/article/AA-01031
>>  *
>>  * If you are going to set up an authoritative server, make sure you
>>  * understand the hairy details of how DNS works. Even with simple mistakes,
>>  * you can break connectivity for affected parties, or cause huge amounts of
>>  * useless Internet traffic.
>>  */
>>
>> acl "xfer" {
>>         /* Deny transfers by default except for the listed hosts.
>>          * If we have other name servers, place them here.
>>          */
>>         none;
>> };
>>
>> /*
>>  * You might put in here some ips which are allowed to use the cache or
>>  * recursive queries
>>  */
>> acl "trusted" {
>>         192.168.10.0/24;
>>         127.0.0.0/8;
>>         ::1/128;
>> };
>>
>> acl "myself" {
>>         127.0.0.0/24;
>>         ::1/128;
>> };
>>
>> options {
>>         directory "/var/bind";
>>         pid-file "/run/named/named.pid";
>>
>>         /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
>>         //bindkeys-file "/etc/bind/bind.keys";
>>         tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>>         minimal-responses yes;
>>
>>
>>         listen-on-v6 { none; };  // for now
>>         listen-on { 192.168.10.2; 127.0.0.1; };
>>
>>         allow-query {
>>                 /*
>>                  * Accept queries from our "trusted" ACL.  We will
>>                  * allow anyone to query our master zones below.
>>                  * This prevents us from becoming a free DNS server
>>                  * to the masses.
>>                  */
>>                 trusted;
>>         };
>>
>>         allow-query-cache {
>>                 /* Use the cache for the "trusted" ACL. */
>>                 trusted;
>>         };
>>
>>         allow-recursion {
>>                 /* Only trusted addresses are allowed to use recursion. */
>>                 trusted;
>>         };
>>
>>         allow-transfer {
>>                 /* Zone tranfers are denied by default. */
>>                 none;
>>         };
>>
>>         allow-update {
>>                 myself;
>>         };
>>
>>         /*
>>         * If you've got a DNS server around at your upstream provider, enter its
>>         * IP address here, and enable the line below. This will make you benefit
>>         * from its cache, thus reduce overall DNS traffic in the Internet.
>>         *
>>         * Uncomment the following lines to turn on DNS forwarding, and change
>>         *  and/or update the forwarding ip address(es):
>>         */
>> /*
>>         forward first;
>>         forwarders {
>>         //      123.123.123.123;        // Your ISP NS
>>         //      124.124.124.124;        // Your ISP NS
>>         //      4.2.2.1;                // Level3 Public DNS
>>         //      4.2.2.2;                // Level3 Public DNS
>>                 8.8.8.8;                // Google Open DNS
>>                 8.8.4.4;                // Google Open DNS
>>         };
>>
>> */
>>
>> //      dnssec-enable yes;
>> //      named-checkconf says above line is bad
>>         //dnssec-validation yes;
>>
>>         /*
>>          * As of bind 9.8.0:
>>          * "If the root key provided has expired,
>>          * named will log the expiration and validation will not work."
>>          */
>>         dnssec-validation auto;
>>
>>         /* if you have problems and are behind a firewall: */
>>         //query-source address * port 53;
>> };
>>
>>
>> logging {
>>         channel default_log {
>>                 file "/var/log/named/named.log" versions 5 size 50M;
>>                 print-time yes;
>>                 print-severity yes;
>>                 print-category yes;
>>         };
>>
>>         category default { default_log; };
>>         category general { default_log; };
>> };
>>
>>
>> include "/etc/bind/rndc.key";
>> controls {
>>         inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
>> };
>>
>> #zone "." in {
>> #       type hint;
>> #       file "/var/bind/named.cache";
>> #};
>>
>> zone "localhost" IN {
>>         type master;
>>         file "pri/localhost.zone";
>>         notify no;
>> };
>>
>> zone "eglifamily.name" {
>>         type master;
>>         file "pri/eglifamily.zone";
>>         notify yes;
>> };
>>
>>
>> zone "10.168.192.in-addr.arpa" {
>>         type master;
>>         file "pri/10.168.192.arpa.zone";
>>         notify yes;
>> };
>>
>> include "/var/lib/samba/bind-dns/named.conf";
>>
>>
>> The samba file only contains the lines needed to load the dynamically loaded zone modules (bind9_dlz).
>>
> --
> Dan Egli
> From my Test Server
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> [hidden email]
> https://lists.isc.org/mailman/listinfo/bind-users
