Laurent CARON wrote:
On 10/11/2009 23:07, Błażej Ślusarek wrote:
Hello,

Hi

I'd like to ask for help in setting up my DNS server. When I start the
server, everything is fine, but only for some time. After the "some
time" passes, my external domain name cannot be resolved from anywhere
on the Internet. When I restart named, everything is back to
normal after a few seconds, again for the "some time".

"Cannot be resolved" =
   timeout?
   SERVFAIL?
   referral?

What do your logs say?
Here are some fragments of my DNS configuration:

***
options {
     directory "/var/bind";
     forward first;
     forwarders {
         some.ip;
     };
     allow-query { any; };
     allow-recursion { any; };

bad
Agreed.

Normally I'd tell the OP that they should provide a real domain name if they want help.

But in this case, it's probably best not to reveal that information until the open recursion is turned off.

     listen-on-v6 { none; };
     listen-on { 127.0.0.1; internal.ip; external.ip; };

zone "my.domain.name" IN {
     type master;
     file "pri/costam.zone";
     allow-update { none; };
     //allow-transfer { slaves; };
     allow-transfer { any; };

bad
Debatable. YMMV.

     notify yes;
};
***
I've got no clue what could be the cause of this behavior. The server
should provide service to internal and external networks and allow
zone transfers. I'd also like to ask for the correct iptables
configuration for the above DNS settings. I'm not quite sure whether, if I
have the "forwarders" option, I have to enable port 53 in the FORWARD
chain, or whether just INPUT and OUTPUT is enough. Also, what rules are
necessary for the zone transfer to work?
Regardless of whether zone transfers are allowed or not, you should have UDP/TCP destination port 53 allowed inbound (query), and TCP/UDP source port 53 allowed outbound (response). The source ports for inbound, and the destination ports for outbound, will be ephemeral or 53. If your firewall is "stateful", the destination port for a response should be the same as the source port of the original query (a stateful firewall should already understand this).

                                                                - Kevin
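As an added illustration of the port advice above (not code from the thread or from ISC), here is a POSIX sh function that prints, rather than applies, a minimal stateful iptables rule set for a named host with one external interface; the interface name eth0 and the default-DROP INPUT/OUTPUT policies it assumes are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: print (do not apply) a stateful
# iptables rule set for a BIND host that answers queries from anywhere,
# forwards with "forward first", and serves zone transfers.
# Assumptions: one external interface, default-DROP INPUT/OUTPUT policies.

# dns_rules <external-interface>  -> iptables commands on stdout
dns_rules() {
    ext_if=$1
    # Local queries from the box itself (named listens on 127.0.0.1).
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Stateful half: replies to any accepted query, in either direction,
    # are matched here, so ephemeral ports never appear in a rule.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Inbound queries: UDP 53 for normal lookups, TCP 53 for answers that
    # were truncated over UDP and for AXFR. TCP 53 stays open to all
    # clients; who may transfer is decided by allow-transfer in named.conf.
    echo "iptables -A INPUT -i $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -i $ext_if -p tcp --dport 53 -m state --state NEW -j ACCEPT"
    # Outbound queries from named: to the forwarders and, because
    # "forward first" falls back to iterative resolution when they fail,
    # to any authoritative server. NOTIFY to secondaries also goes here.
    echo "iptables -A OUTPUT -o $ext_if -p udp --dport 53 -m state --state NEW -j ACCEPT"
    echo "iptables -A OUTPUT -o $ext_if -p tcp --dport 53 -m state --state NEW -j ACCEPT"
    # Nothing in FORWARD: named is a local process, and "forwarders" is a
    # named setting, not routing, so the FORWARD chain is never traversed.
}

# rule_count <external-interface> -> number of rules dns_rules would add
rule_count() {
    dns_rules "$1" | grep -c '^iptables -A '
}

dns_rules "${1:-eth0}"   # eth0 is a placeholder interface name
```

Review the printed commands and pipe them into sh only on a host whose INPUT and OUTPUT policies already default to DROP; otherwise the ACCEPT rules change nothing.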
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
