17.01.2013 12:31 пользователь "lilit-aibolit"
<lilit-aibo...@mail.ru>
написал:
>
> This is weird trouble. Years ago I set up an authoritative server on OpenBSD
4.x and it just worked
> for both - the local network and queries from the Internet.
> But now it doesn't. I know this is my own mistake; please help me resolve it.
> ###named.conf###
> // $OpenBSD: named-simple.conf,v 1.10 2009/11/02 21:12:56 jakob Exp $
> acl tlk {
>     192.168.5.0/24;
>     192.168.55.0/24;
>     192.168.66.0/24;
>     192.168.99.0/24;
>     127.0.0.1; };
> options {
>     version "";    // remove this to allow version queries
>     listen-on { 127.0.0.1; 192.168.5.254; 192.168.55.254; ext_if; };
>     listen-on-v6 { none; };
>     allow-transfer { none; };
>     empty-zones-enable yes;
> //    forward first;
>     forwarders { provider's dns; };
>     allow-recursion { tlk; };
>     allow-query { any; };
> };
> view "allow-recursion" {
>     match-clients { tlk; };
> //    recursion yes;
>
> zone "." {
>     type hint;
>     file "etc/root.hint"; };
>
> zone "localhost" {
>     type master;
>     file "standard/localhost";
> //    allow-transfer { localhost; };
> };
>
> zone "127.in-addr.arpa" {
>     type master;
>     file "standard/loopback";
> //    allow-transfer { localhost; };
> };
>
> zone "zone.1" {
>     type master;
>     file "/master/zone.1"; };
>
> zone "zone.2" {
>     type master;
>     file "/master/zone.3"; };
>
> zone "zone.4" {
>     type master;
>     file "/master/zone.4"; };
>
> zone "168.192.in-addr.arpa" {
>     type master;
>     file "/master/168.192.in-addr.arpa"; };
>
> include "/master/forbidden.conf";
> };
>
> view "deny-recursion" {
>     recursion no;
>     additional-from-cache no;
>     additional-from-auth no;
> zone "zone.5" {
>     type master;
>     file "/master/zone.5"; };
> };
>
> key "rndc-key" {
>     algorithm hmac-md5;
>     secret "**";
> };
>
> controls {
>     inet 127.0.0.1 port 953
>     allow { 127.0.0.1; } keys { "rndc-key"; };
> };
>
> logging {
>     channel security_channel {
>         # Send log messages to the specified file
>         file            "log/security.log";
>         # Log all messages
>         severity        debug;
>         # Log the date and time of the message
>         print-time      yes;
>         # Log the category of the message
>         print-category  yes;
>         # Log the severity level of the message
>         print-severity  yes;
>     };
>
>     channel default {
>         # Send logs to the 'local0' syslog facility
>         syslog          local0;
>         # Log messages of severity 'info' or higher
>         severity        info;
>         print-category  yes;
>         print-severity  yes;
>     };
>
>     # Logs about approval and denial of requests
>     category security {
>         security_channel;
>         default;
>     };
>
>     # Ignore logs about misconfigured remote servers
>     category lame-servers { null; };
>
>     # Default logging options
>     category default { default; };
> };
>
> ###zone.5###
> ; $OpenBSD: db.localhost,v 1.2 2005/02/07 06:08:10 david Exp $
> $ORIGIN zone.5.
> $TTL 24h
> @    IN    SOA    ns1.zone.5. admin.zone.com. (
>             10    ; serial
>             1h    ; refresh
>             30m    ; retry
>             7d    ; expiration
>             1h )    ; minimum
>         NS    ns1.zone.5.
>         NS    ns2.zone.5.
> @    IN    A    right.IP
> www    IN    A    right.IP
> ns1    IN    A    right.IP
> ns2    IN    A    right.IP2
>
>
> ###pf.conf related rules###
> pass in on $ext_if inet proto { tcp, udp } from any to em1 port domain
> pass in on $int_if inet proto { udp, tcp } from <lan> to $int_if port {
ntp, domain }
> pass out on $ext_if inet proto udp from em1 to any
>
> I see a number of external queries to my server, but I don't see the
answers:
> # tcpdump -i em1 -p udp 'port domain'
> 09:28:23.152111 smtp.eurocom.su.19716 > my.server.domain: 59597 [1au] A?
www.zone.5. (45)
> 09:28:24.136607 idbh.ru.47793 > my.server.domain: 26171% [1au] A?
www.zone.5. (45)
> 09:28:26.942971 smtp.eurocom.su.44341 > my.server.domain: 615 A?
www.zone.5. (34)
> 09:28:27.191067 smtp.eurocom.su.17302 > my.server.domain: 42979 [1au] A?
www.zone.5. (45)
> 09:28:29.417383 smtp.eurocom.su.34958 > my.server.domain: 53565 A?
www.zone.5. (34)
> 09:28:29.737934 idbh.ru.45564 > my.server.domain: 27837 A? www.zone.5.
(34)
>
> From local net:
> user@pc.local:~$ nslookup
> > zone.5
> Server:         192.168.5.254
> Address:        192.168.5.254#53
> Non-authoritative answer:
> Name:   zone.5
> Address: right.IP
> # tcpdump -i em0 -p udp 'port domain'
> 10:00:41.702484 pc.local.46571 > my.server.domain: 50830+ A? zone.5. (30)
> 10:00:41.702625 my.server.domain > pc.local.46571: 50830 1/2/0 A right.IP
(82)
>

First, find where the flow gets stopped: enable debug logging on the
resolver and add a "match log (matches) to port 53" rule as the first one in your
firewall. Comparing which queries pf logs against which queries named logs shows
whether the packets are dropped before named sees them or the replies are blocked
on the way out. Then you will probably see the problem yourself.

Oh, and please, if you get "no packets seen" problems, print all of your
firewall rules. Always. Don't pretend that you know better - if that were so,
why would you be asking at all?
