Hello,
I have a question:
IF (ignoring RFC 1035 #do not shoot the messenger)
I need to make an authoritative server that sets the 'AA' flag on every
query; I would only need to set auth-nxdomain, right?
I'm running this config:
#
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
options {
directory "/var/bind/";
check-names master ignore;
check-names slave ignore;
check-names response ignore;
auth-nxdomain yes;
minimal-responses yes;
version "Dont Do It";
allow-recursion { 127.0.0.1/8; my-query-ip/32; };
allow-new-zones yes;
lame-ttl 1800;
max-cache-ttl 43200;
max-cache-size 100M;
notify explicit;
cleaning-interval 900;
max-ncache-ttl 18000;
pid-file "/var/run/named/named.pid";
listen-on { any; };
listen-on-v6 { any; };
};
view "internet" IN {
match-clients { any; };
};
logging {
channel default_file { file "/var/bind/logs/default.log" versions 3
size 50m; severity info; print-time yes; };
channel general_file { file "/var/bind/logs/general.log" versions 3
size 50m; severity info; print-time yes; };
channel database_file { file "/var/bind/logs/database.log" versions 3
size 50m; severity error; print-time yes; };
channel security_file { file "/var/bind/logs/security.log" versions 3
size 50m; severity info; print-time yes; };
channel config_file { file "/var/bind/logs/config.log" versions 3
size 50m; severity critical; print-time yes; };
channel resolver_file { file "/var/bind/logs/resolver.log" versions 3
size 50m; severity critical; print-time yes; };
channel xfer-in_file { file "/var/bind/logs/xfer-in.log" versions 3
size 50m; severity critical; print-time yes; };
channel xfer-out_file { file "/var/bind/logs/xfer-out.log" versions 3
size 50m; severity critical; print-time yes; };
channel notify_file { file "/var/bind/logs/notify.log" versions 3
size 50m; severity critical; print-time yes; };
channel client_file { file "/var/bind/logs/client.log" versions 3
size 50m; severity critical; print-time yes; };
channel unmatched_file { file "/var/bind/logs/unmatched.log" versions
3 size 50m; severity critical; print-time yes; };
channel queries_file { file "/var/bind/logs/queries.log" versions 3
size 50m; severity info; print-time yes; };
channel network_file { file "/var/bind/logs/network.log" versions 3
size 50m; severity critical; print-time yes; };
channel update_file { file "/var/bind/logs/update.log" versions 3
size 50m; severity critical; print-time yes; };
channel dispatch_file { file "/var/bind/logs/dispatch.log" versions 3
size 50m; severity critical; print-time yes; };
channel dnssec_file { file "/var/bind/logs/dnssec.log" versions 3
size 50m; severity critical; print-time yes; };
category default { default_file; };
category general { general_file; };
category database { database_file; };
category security { security_file; };
category config { config_file; };
category resolver { resolver_file; };
category xfer-in { xfer-in_file; };
category xfer-out { xfer-out_file; };
category notify { notify_file; };
category client { client_file; };
category unmatched { unmatched_file; };
category queries { queries_file; };
category network { network_file; };
category update { update_file; };
category dispatch { dispatch_file; };
category dnssec { dnssec_file; };
category lame-servers { null; };
};
key "rndckey" {
algorithm hmac-md5;
secret "my-little-key";
};
#
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
$ dig @my-local-ip typingsomerandomwords.doesntwork
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> @my-local-ip typingsomerandomwords.doesntwork
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26340
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;typingsomerandomwords.doesntwork. IN A
;; Query time: 199 msec
;; SERVER: my-local-ip#53(my-local-ip)
;; WHEN: Thu Nov 9 18:29:37 2017
;; MSG SIZE rcvd: 50
#
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
09-Nov-2017 16:29:22.392 client my-query-ip#39791 (typingsomerandomwords.doesntwork): view internet: query: typingsomerandomwords.doesntwork IN A + (my-local-ip)
09-Nov-2017 16:29:22.392 createfetch: typingsomerandomwords.doesntwork A
09-Nov-2017 16:29:27.581 client my-query-ip#39791 (typingsomerandomwords.doesntwork): view internet: query: typingsomerandomwords.doesntwork IN A + (my-local-ip)
09-Nov-2017 16:29:27.581 createfetch: typingsomerandomwords.doesntwork A
09-Nov-2017 16:29:32.392 client my-query-ip.19#39791 (typingsomerandomwords.doesntwork): view internet: query: typingsomerandomwords.doesntwork IN A + (my-local-ip)
09-Nov-2017 16:29:32.392 createfetch: typingsomerandomwords.doesntwork A
09-Nov-2017 16:29:32.393 client my-query-ip#39791 (typingsomerandomwords.doesntwork): view internet: query failed (*SERVFAIL*) for typingsomerandomwords.doesntwork/IN/A *at query.c:7007*
#
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
I'm stuck on this; the docs don't say auth-nxdomain is not available
to authoritative servers, and I know it's a bad idea, but it's a bad idea that
can be achieved by DLZ drivers via queries, and the config should behave in a
similar way (or the doc should be a bit clearer about who can use it and
how it works).
--
<https://www.kinghost.com.br>
Filipe Cifali Stangler | INFRASTRUCTURE ANALYST
cif...@kinghost.com.br <mailto:cif...@kinghost.com.br> |
www.kinghost.com.br <https://www.kinghost.com.br>
Ask your questions free of charge: *0800.881.5464*
Capitals and regional hubs: *4003.5464*
Service outside Brazil and mobile phones: *(51) 3301.5464*
This e-mail message and any attachments thereto are confidential and may
be privileged or otherwise protected from disclosure and/or reproduction.
If you are not the intended recipient, please delete it from your system
and notify the sender immediately.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
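The dig run in the message above prints "status: SERVFAIL" and "flags: qr rd ra" with no "aa"; both come from the 16-bit flags word of the 12-byte DNS header (RFC 1035 section 4.1.1), where AA is bit 10 and RCODE is the low four bits. The following decoder is an added example, not part of the post or of BIND: it unpacks a header the way dig reports it, so a captured response can be checked for the AA bit directly. The two headers it decodes are constructed, not captured: the first reproduces the post's response (id 26340, SERVFAIL, qr rd ra), the second is the shape the BIND ARM documents for `auth-nxdomain yes`, an NXDOMAIN with AA set even though the server is not authoritative for the name.

```python
"""Decode the 12-byte DNS header into the fields dig prints (id, status,
flags, section counts) and check the AA bit.

Added example; not code from the original post or from BIND. Sample
headers are constructed with build_header(), not captured packets.
"""
import struct

# RCODE values from RFC 1035 section 4.1.1 (names as dig prints them).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

# Bit positions inside the flags word, in the order dig prints them.
# qr/aa/tc/rd/ra are RFC 1035; ad/cd were added by DNSSEC (RFC 4035).
FLAG_BITS = (("qr", 15), ("aa", 10), ("tc", 9), ("rd", 8),
             ("ra", 7), ("ad", 5), ("cd", 4))


def decode_header(raw: bytes) -> dict:
    """Return id, opcode, rcode name, list of set flags and section counts."""
    if len(raw) < 12:
        raise ValueError("a DNS header is 12 bytes")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", raw[:12])
    return {
        "id": ident,
        "opcode": (flags >> 11) & 0xF,
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "flags": [name for name, bit in FLAG_BITS if flags & (1 << bit)],
        "counts": {"QUERY": qd, "ANSWER": an,
                   "AUTHORITY": ns, "ADDITIONAL": ar},
    }


def build_header(ident: int, rcode: int, flags, qd=1, an=0, ns=0, ar=0) -> bytes:
    """Pack a header; used only to construct the sample responses below."""
    word = rcode & 0xF
    for name in flags:
        word |= 1 << dict(FLAG_BITS)[name]
    return struct.pack("!6H", ident, word, qd, an, ns, ar)


def dig_style(header: dict) -> str:
    """Render the decoded header the way dig's ->>HEADER<<- lines do."""
    return "status: %s, flags: %s" % (header["rcode"], " ".join(header["flags"]))


def is_authoritative(raw: bytes) -> bool:
    """True when the AA bit (bit 10 of the flags word) is set."""
    return "aa" in decode_header(raw)["flags"]


# Constructed sample 1: the response shown in the post (no AA, SERVFAIL).
SERVFAIL_FROM_POST = build_header(26340, 2, ["qr", "rd", "ra"])

# Constructed sample 2: an NXDOMAIN with AA set, the form the BIND ARM
# documents for auth-nxdomain yes; one SOA in AUTHORITY is assumed.
AUTH_NXDOMAIN = build_header(26340, 3, ["qr", "aa", "rd", "ra"], ns=1)

if __name__ == "__main__":
    for raw in (SERVFAIL_FROM_POST, AUTH_NXDOMAIN):
        print(dig_style(decode_header(raw)), "| aa set:", is_authoritative(raw))
```

To use it on real traffic, feed the first 12 bytes of a UDP payload captured on port 53 to `decode_header()`; the flags list will match dig's `flags:` line for the same response.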