I guess sometimes you just need to look at it in a different way. I
never noticed it was using the 10.0.2.15 IP to try to update. That's
going to be blocked because I don't have the outside world enabled for
this server. So let me go ask on the DHCP list why it's insisting on
using that interface.
On 12/18/2020 11:59 PM, Dan Egli wrote:
I'm really stumped as to what's going on. I'm trying to get dhcpd to
automatically update name records for my internal network. This is NOT
going to the public internet by any means. It's just an internal
network. But every time either I or dhcpd try to add a record, named
refuses to allow it. I'm getting a message in the log that says
refused due to allow-query:
19-Dec-2020 06:49:19.299 update-security: error: client
@0x7fa610000cd0 10.0.2.15#49948: update 'eglifamily.name/IN' denied
due to allow-query
What's causing this, and how do I fix it? I'm including my named.conf
and dhcpd.conf files below. Can anyone help me?
dhcpd.conf:
default-lease-time 300;
max-lease-time 43200;
ddns-update-style interim;
authoritative;
log-facility local1;
allow booting;
subnet 10.0.2.0 netmask 255.255.255.0 {
# no services at all! That's the link from the ISP. Don't touch it!
}
subnet 192.168.10.0 netmask 255.255.255.0 {
range 192.168.10.128 192.168.10.254;
if exists user-class and option user-class = "iPXE" {
filename "pxelinux.efi";
} else {
filename "pxelinux.0";
}
next-server 192.168.10.3;
option domain-name-servers 192.168.10.2, 8.8.8.8;
option domain-name "eglifamily.name";
option routers 192.168.10.1;
}
host fixed-1 {
hardware ethernet 08:00:27:D5:AA:3C;
fixed-address 192.168.10.64;
option host-name "ethereum-1";
ddns-hostname "ethereum-1.eglifamily.name";
}
named.conf:
/*
 * Refer to the named.conf(5) and named(8) man pages, and the documentation
 * in /usr/share/doc/bind-* for more details.
 * Online versions of the documentation can be found here:
 * https://kb.isc.org/article/AA-01031
 *
 * If you are going to set up an authoritative server, make sure you
 * understand the hairy details of how DNS works. Even with simple mistakes,
 * you can break connectivity for affected parties, or cause huge amounts of
 * useless Internet traffic.
 */
acl "xfer" {
/* Deny transfers by default except for the listed hosts.
* If we have other name servers, place them here.
*/
none;
};
/*
* You might put in here some ips which are allowed to use the cache or
* recursive queries
*/
acl "trusted" {
192.168.10.0/24;
127.0.0.0/8;
::1/128;
};
acl "myself" {
127.0.0.0/24;
::1/128;
};
options {
directory "/var/bind";
pid-file "/run/named/named.pid";
/* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
//bindkeys-file "/etc/bind/bind.keys";
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
listen-on-v6 { none; }; // for now
listen-on { 192.168.10.2; 127.0.0.1; };
allow-query {
/*
* Accept queries from our "trusted" ACL. We will
* allow anyone to query our master zones below.
* This prevents us from becoming a free DNS server
* to the masses.
*/
trusted;
};
allow-query-cache {
/* Use the cache for the "trusted" ACL. */
trusted;
};
allow-recursion {
/* Only trusted addresses are allowed to use
recursion. */
trusted;
};
allow-transfer {
/* Zone transfers are denied by default. */
none;
};
allow-update {
myself;
};
/*
 * If you've got a DNS server around at your upstream provider, enter its
 * IP address here, and enable the line below. This will make you benefit
 * from its cache, thus reduce overall DNS traffic in the Internet.
 *
 * Uncomment the following lines to turn on DNS forwarding, and change
 * and/or update the forwarding ip address(es):
 */
/*
forward first;
forwarders {
// 123.123.123.123; // Your ISP NS
// 124.124.124.124; // Your ISP NS
// 4.2.2.1; // Level3 Public DNS
// 4.2.2.2; // Level3 Public DNS
8.8.8.8; // Google Open DNS
8.8.4.4; // Google Open DNS
};
*/
// dnssec-enable yes;
// named-checkconf says above line is bad
//dnssec-validation yes;
/*
* As of bind 9.8.0:
* "If the root key provided has expired,
* named will log the expiration and validation will not work."
*/
dnssec-validation auto;
/* if you have problems and are behind a firewall: */
//query-source address * port 53;
};
logging {
channel default_log {
file "/var/log/named/named.log" versions 5 size 50M;
print-time yes;
print-severity yes;
print-category yes;
};
category default { default_log; };
category general { default_log; };
};
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};
#zone "." in {
# type hint;
# file "/var/bind/named.cache";
#};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
notify no;
};
zone "eglifamily.name" {
type master;
file "pri/eglifamily.zone";
notify yes;
};
zone "10.168.192.in-addr.arpa" {
type master;
file "pri/10.168.192.arpa.zone";
notify yes;
};
include "/var/lib/samba/bind-dns/named.conf";
The samba file only contains the lines needed to load the dynamically
loaded zone modules (bind9_dlz).
--
Dan Egli
From my Test Server
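The follow-up above points at the source address: 10.0.2.15 is outside the "trusted" ACL, and named checks a dynamic update against the zone's allow-query ACL before it looks at allow-update, which is exactly what "denied due to allow-query" reports. The usual way to make dhcpd's updates independent of which interface they happen to leave from is to sign them with a TSIG key and to authorize that key at zone level on both sides. The fragments below are an added example, not the poster's configuration or anything from the thread; the key name "dhcp-update", the all-zero placeholder secret, and the zone statements are assumptions layered on the posted files (named listening on 192.168.10.2, forward zone eglifamily.name, reverse zone 10.168.192.in-addr.arpa, the "trusted" ACL as defined above).

```conf
# ---- named.conf (added example; these stanzas replace the two posted zone
# ---- stanzas, the rest of the posted file stays as it is) ----
#
# Generate the real secret with:  tsig-keygen dhcp-update
# The secret below is a placeholder (all zero bytes); never deploy it.
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

zone "eglifamily.name" {
    type master;
    file "pri/eglifamily.zone";
    notify yes;
    // The update is matched against allow-query before allow-update, so the
    // key (or the DHCP server's source address) has to pass here as well.
    allow-query  { trusted; key "dhcp-update"; };
    // Zone-level setting; overrides the global allow-update { myself; }.
    allow-update { key "dhcp-update"; };
};

zone "10.168.192.in-addr.arpa" {
    type master;
    file "pri/10.168.192.arpa.zone";
    notify yes;
    allow-query  { trusted; key "dhcp-update"; };
    allow-update { key "dhcp-update"; };
};

# ---- dhcpd.conf (added example; goes with the posted global settings,
# ---- keeps ddns-update-style interim) ----
ddns-updates on;
ddns-domainname "eglifamily.name";
ddns-rev-domainname "in-addr.arpa.";

# Same name, algorithm and secret as on the named side (placeholder again).
key dhcp-update {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
}

# An explicit zone statement tells dhcpd which server to send the updates
# to and which key to sign them with; without it dhcpd discovers the
# primary through the system resolver, and the update's source address
# simply follows whatever route the kernel picks for that destination.
zone eglifamily.name. {
    primary 192.168.10.2;
    key dhcp-update;
}

zone 10.168.192.in-addr.arpa. {
    primary 192.168.10.2;
    key dhcp-update;
}
```

Run `named-checkconf` on the result before reloading, then exercise the path by hand from the DHCP host with `nsupdate -k <keyfile>` adding a throwaway A record; if named still logs "denied due to allow-query", the request is reaching a zone whose allow-query does not list the key. Whoever holds this secret can rewrite both zones, so keep the key file readable only by the named and dhcpd users rather than inline in a world-readable config.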
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users