Re: Selective forwarding from an internal only name server

2016-08-19 Thread anup albal
Hi


To clarify a bit.

The server that runs ns1 has named listening on two addresses.

One is an external facing address providing resolution to the queries coming from the internet. Let's call this ns.org.domain.name.au.

The other one is internal facing, and is what ns1 points to.

There are certain zones that ns.org.domain.name.au is hosting authoritatively to the internet. For example, we have ns.org.domain.name.au as authoritative for application.org.domain.name.au on the internet.


I have confirmed that ns1 has recursion enabled for all IP ranges within the organization.

I have also now added the below options to the named.conf on dns1 as well.

 recursion yes;
 allow-recursion { ip.range.internal.clients; 127.0.0.1; localhost; };
 allow-recursion-on { any; };

After that I cannot run a "dig sharepoint.com" or "dig microsoft.com" from dns1. However, it can resolve it if I run a "dig +trace sharepoint.com" or "dig +trace microsoft.com".


On the internal clients talking to dns1, I get an NXDOMAIN response.


--Anup



From: anup albal 
Sent: Thursday, 18 August 2016 10:04 AM
To: BIND Users
Subject: Re: Selective forwarding from an internal only name server


Hi Kevin


Does that mean I set up another forwarding zone called microsoft.com or sharepoint.microsoft.com, or both?

And then do I need to add NS record entries similar to sharepoint.com in the fake root file?


Regards
Anup



From: anup albal 
Sent: Thursday, 18 August 2016 9:47 AM
To: Chris Buxton
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server


Hi Chris


Below is without the "+trace" option. Also, there is a firewall between the internal (dns1) and external (ns1) name servers, and we have opened up TCP/UDP port 53 from dns1 to ns1.


; <<>> DiG 9.3.4-P1 <<>> sharepoint.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1030
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;sharepoint.com.    IN  A

;; AUTHORITY SECTION:
sharepoint.com. 86400   IN  NS  ns1.org.domain.name.au

;; ADDITIONAL SECTION:
ns1.org.domain.name.au. 86400   IN  A   ip.of.ns1

;; Query time: 26 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
;; WHEN: Thu Aug 18 09:38:09 2016
;; MSG SIZE  rcvd: 84



Regards
Anup



From: Chris Buxton 
Sent: Thursday, 18 August 2016 2:26 AM
To: anup albal
Cc: BIND Users
Subject: Re: Selective forwarding from an internal only name server

Try it without "+trace".

Regards,
Chris

On Aug 17, 2016, at 2:59 AM, anup albal <anupal...@hotmail.com> wrote:


Hi

First up, apologies if this is not the right list to email, and for a long email. I am hoping you can give me a clue as to what I am doing wrong here? Or maybe this is not supposed to work at all.

We have an internal only DNS server (dns1) with a fake root zone, i.e. a fake file for the zone ".". This serves all internal clients. We are running 9.6-ESV-R11-P2 for this.

And we also have an external only DNS (ns1) which can talk to the internet for DNS queries and serves external clients.

Now we have a requirement to have certain domains (e.g. sharepoint.com) resolved on clients being served by dns1.

On dns1 I have set up a forward only zone called 'sharepoint.com' with ns1 set as the forwarder. And in the fake root zone file, I have added an entry for sharepoint like below:

sharepoint.com.  NS  ns1.org.domain.name.au.

When I run a dig +trace sharepoint.com from dns1 I can resolve sharepoint.com.
But when I run it from an internal client it gets a Non-authoritative: No answer.

Below are my snippets of my named.conf on dns1 (internal)

options {
directory "/var/dns";
forwarders { ip.of.ns1; };
listen-on  { ip.of.dns1; 127.0.0.1; };
query-source address ip.of.dns1;
notify-source ip.of.dns1;
transfer-source ip.of.dns1;
allow-transfer { xxx.xxx/16; };
transfer-format one-answer;   // BIND9 (deal with Windows Server 2003)

};

<.>
zone "." in {
type master;
file "fake/root";
};

zone "." in {
type hint;
file "/var/dns/fake/named.root";
};
zone "sharepoint.com." in {
type forward;
forward only;
forwarders {ip.of.ns1;};
};

The file fake/root has entries like below (ip and domain names changed for 
security)

$TTL 86400
; NOTE:  TTL based on from Bind8 SOA record
;
; This file contains *fake* DNS Resource Records for the root domain (.)
;

.   IN  SOA  dns1.org.domain.name.au.  xxx.dns1.org.domain.name.au.  (
  

Re: Selective forwarding from an internal only name server

2016-08-19 Thread S Carr
On 19 August 2016 at 07:25, anup albal  wrote:
> After that I cannot run a "dig sharepoint.com" or "dig microsoft.com" from
> dns1. However it can resolve it if i run a "dig +trace sharepoint.com" or
> "dig +trace microsoft.com"

Can you post your full configs and the full dig outputs? Don't use
+trace; it won't work as you think it does, because you're using internal
roots and forwarding, which messes up +trace.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


creating IPv6 interface eth0 failed; interface ignored

2016-08-19 Thread Wolfgang Riedel
Hi Folks,

not sure if this is a bug or a feature, but I have been scratching my head for months now running BIND on Fedora 22-24: every time I did a reboot, BIND didn't come up and I needed to restart the process to get it running. After some googling around I realized that I am not alone with this, but there has never been a clear solution besides some proposals to change the sequence of IPv4/IPv6 entries within ifcfg, which didn't work for me.

Finally I found a dependency, but I am still not sure where the root cause is, as it depends on whether empty-zones-enable is set to yes or no?


named -v
BIND 9.10.4-P2-RedHat-9.10.4-1.P2.fc24


### bootup with: empty-zones-enable no;

[root@ns1 ~]# systemctl status named-chroot.service
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; 
vendor preset: disabled)
   Active: active (running) since Sat 2016-08-06 11:08:22 CEST; 16s ago
  Process: 1084 ExecStart=/usr/sbin/named -u named -t /var/named/chroot 
$OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1080 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == 
"yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z 
/etc/named.conf; else echo "Checking of zone files is disabled"; fi (c
 Main PID: 1086 (named)
Tasks: 5 (limit: 512)
   CGroup: /system.slice/named-chroot.service
   └─1086 /usr/sbin/named -u named -t /var/named/chroot

Aug 06 11:08:22 ns1.f1-online.net named[1086]: listening on IPv6 interface lo, 
::1#53
Aug 06 11:08:22 ns1.f1-online.net named[1086]: listening on IPv6 interface 
eth0, 2001:67c:21b0:4029:193:34:29:244#53
Aug 06 11:08:22 ns1.f1-online.net named[1086]: could not listen on UDP socket: 
address not available
Aug 06 11:08:22 ns1.f1-online.net named[1086]: creating IPv6 interface eth0 
failed; interface ignored
Aug 06 11:08:22 ns1.f1-online.net named[1086]: generating session key for 
dynamic DNS
Aug 06 11:08:22 ns1.f1-online.net named[1086]: sizing zone task pool based on 
62 zones
Aug 06 11:08:22 ns1.f1-online.net named[1086]: using built-in root key for view 
_default
Aug 06 11:08:22 ns1.f1-online.net named[1086]: set up managed keys zone for 
view _default, file '/var/named/dynamic/managed-keys.bind'
Aug 06 11:08:22 ns1.f1-online.net named[1086]: command channel listening on 
127.0.0.1#953
Aug 06 11:08:22 ns1.f1-online.net systemd[1]: Started Berkeley Internet Name 
Domain (DNS).

[root@ns1 ~]# systemctl stop  named-chroot.service
[root@ns1 ~]# systemctl start  named-chroot.service
[root@ns1 ~]# systemctl status  named-chroot.service
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; 
vendor preset: disabled)
   Active: active (running) since Sat 2016-08-06 11:08:42 CEST; 803ms ago
  Process: 1197 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || 
/bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 1287 ExecStart=/usr/sbin/named -u named -t /var/named/chroot 
$OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1284 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == 
"yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z 
/etc/named.conf; else echo "Checking of zone files is disabled"; fi (c
 Main PID: 1289 (named)
Tasks: 5 (limit: 512)
   CGroup: /system.slice/named-chroot.service
   └─1289 /usr/sbin/named -u named -t /var/named/chroot

Aug 06 11:08:42 ns1.f1-online.net named[1289]: listening on IPv4 interface lo, 
127.0.0.1#53
Aug 06 11:08:42 ns1.f1-online.net named[1289]: listening on IPv4 interface 
eth0, 193.34.29.244#53
Aug 06 11:08:42 ns1.f1-online.net named[1289]: listening on IPv6 interface lo, 
::1#53
Aug 06 11:08:42 ns1.f1-online.net named[1289]: listening on IPv6 interface 
eth0, 2001:67c:21b0:4029:193:34:29:244#53
Aug 06 11:08:42 ns1.f1-online.net named[1289]: generating session key for 
dynamic DNS
Aug 06 11:08:42 ns1.f1-online.net named[1289]: sizing zone task pool based on 
62 zones
Aug 06 11:08:42 ns1.f1-online.net named[1289]: using built-in root key for view 
_default
Aug 06 11:08:42 ns1.f1-online.net named[1289]: set up managed keys zone for 
view _default, file '/var/named/dynamic/managed-keys.bind'
Aug 06 11:08:42 ns1.f1-online.net named[1289]: command channel listening on 
127.0.0.1#953
Aug 06 11:08:42 ns1.f1-online.net systemd[1]: Started Berkeley Internet Name 
Domain (DNS).



### bootup with: empty-zones-enable yes;

[root@ns0 ~]# systemctl status named-chroot.service
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; 
vendor preset: disabled)
   Active: active (running) since Sat 2016-08-06 11:10:58 CEST; 7s ago
  Process: 1083 ExecStart=/usr/sbin/named -u named -t /var/named/chroot 
$OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1080 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == 
"yes" ]; then /usr/s

Re: creating IPv6 interface eth0 failed; interface ignored

2016-08-19 Thread Mukund Sivaraman
On Fri, Aug 19, 2016 at 11:32:43AM +0200, Wolfgang Riedel wrote:
> ### bootup with: empty-zones-enable no;
> 
> [root@ns1 ~]# systemctl status named-chroot.service
> ● named-chroot.service - Berkeley Internet Name Domain (DNS)
>Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; 
> vendor preset: disabled)
>Active: active (running) since Sat 2016-08-06 11:08:22 CEST; 16s ago
>   Process: 1084 ExecStart=/usr/sbin/named -u named -t /var/named/chroot 
> $OPTIONS (code=exited, status=0/SUCCESS)
>   Process: 1080 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == 
> "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z 
> /etc/named.conf; else echo "Checking of zone files is disabled"; fi (c
>  Main PID: 1086 (named)
> Tasks: 5 (limit: 512)
>CGroup: /system.slice/named-chroot.service
>└─1086 /usr/sbin/named -u named -t /var/named/chroot
> 
> Aug 06 11:08:22 ns1.f1-online.net named[1086]: listening on IPv6 interface 
> lo, ::1#53
> Aug 06 11:08:22 ns1.f1-online.net named[1086]: listening on IPv6 interface 
> eth0, 2001:67c:21b0:4029:193:34:29:244#53
> Aug 06 11:08:22 ns1.f1-online.net named[1086]: could not listen on UDP 
> socket: address not available
> Aug 06 11:08:22 ns1.f1-online.net named[1086]: creating IPv6 interface eth0 
> failed; interface ignored

Assuming this is the broken state you're describing (as you've attached
before and after log copies), from the log messages above it seems the
interface is not available when named is being started.

I have seen this behavior with several other services on Fedora that
need manual restart after boot (e.g., postfix, nginx and sshd) to make
them listen on all configured interfaces because the interface was not
configured when the service was being started.

Mukund



Re: creating IPv6 interface eth0 failed; interface ignored

2016-08-19 Thread Wolfgang Riedel
Hi Mukund,

yes, this had been my first assumption also, but WHY should/would the statement "empty-zones-enable" within named.conf change the bring-up process of the network interface?

It's curious, right?

Wolfgang





Re: creating IPv6 interface eth0 failed; interface ignored

2016-08-19 Thread Mukund Sivaraman
On Fri, Aug 19, 2016 at 11:46:36AM +0200, Wolfgang Riedel wrote:
> Hi Mukund,
> 
> yes, this had been my first assumption also, but WHY should/would the
> statement "empty-zones-enable" within named.conf change the bring-up
> process of the network interface?
> 
> It's curious, right?

I suspect there's no relation. This behavior is likely
non-deterministic.

Mukund



Re: Selective forwarding from an internal only name server

2016-08-19 Thread anup albal
Hi


Below are the options on the external name server.

options {
directory "/var/named";
pid-file  "/var/named/tmp/named.pid";
forwarders { list.external.isp.forwarders; 127.0.0.1; };

query-source address externalLooking.ip.of.ns;
notify-source   externalLooking.ip.of.ns;
transfer-source externalLooking.ip.of.ns;

allow-query { any; };
allow-recursion { full.range.org.ips ; 127.0.0.1; localhost; };
allow-transfer { full.range.org.ips;
 external.isp.ip.1;
 external.isp.ip.2;
};
notify yes;
listen-on {
   127.0.0.1;
   externalLooking.ip.of.ns;
   internalLooking.ip.of.ns;  //ns1
};

version "unknown";

};

Below is output from dig run on dns1 (internal)

 dig sharepoint.com

; <<>> DiG 9.6-ESV-R11-P2 <<>> sharepoint.com
;; global options: +cmd
;; connection timed out; no servers could be reached
; <<>> DiG 9.6-ESV-R11-P2 <<>> microsoft.com
;; global options: +cmd
;; connection timed out; no servers could be reached


And from dig on a client being served by dns1:
dig sharepoint.com

; <<>> DiG 9.6-ESV-R11-P6 <<>> sharepoint.com
;; global options: +cmd
;; connection timed out; no servers could be reached

dig microsoft.com

; <<>> DiG 9.6-ESV-R11-P6 <<>> microsoft.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30044
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;microsoft.com. IN  A

;; Query time: 915 msec
;; SERVER: ip.of.dns1#53(ip.of.dns1)
;; WHEN: Fri Aug 19 17:47:46 AEST 2016
;; MSG SIZE  rcvd: 31

and when done again
dig microsoft.com

; <<>> DiG 9.6-ESV-R11-P6 <<>> microsoft.com
;; global options: +cmd
;; connection timed out; no servers could be reached



At this stage I am at a complete loss as to why this is not working.

There is a firewall between the internal and external name servers. Other than ensuring that port 53 is open between the two name servers for TCP and UDP traffic, is there anything else I need to check?

Thanks
Anup



Re: Selective forwarding from an internal only name server

2016-08-19 Thread S Carr
On 19 August 2016 at 09:02, anup albal  wrote:
> Below are the options on the external name server.

Those aren't the full configs, and they're needed from both DNS servers. I get
that you don't want to expose some of the information, but you're asking for
help; we can't do that if you keep things back and obfuscate details.


Re: creating IPv6 interface eth0 failed; interface ignored

2016-08-19 Thread Sotiris Tsimbonis
On 19/8/16 12:38, Mukund Sivaraman wrote:
> 
> Assuming this the broken state you're describing (as you've attached
> before and after log copies), from the log messages above it seems the
> interface is not available when named is being started.
> 
> I have seen this behavior with several other services on Fedora that
> need manual restart after boot (e.g., postfix, nginx and sshd) to make
> them listen on all configured interfaces because the interface was not
> configured when the service was being started.
> 

A workaround for this behavior on Linux systems is

  echo "net/ipv4/ip_nonlocal_bind=1" >> /etc/sysctl.conf

Then daemons won't fail when systemd starts them, and will listen on the
configured IP address when it becomes available (tested with nginx on
RHEL 7).

Kind regards,
Sotiris.

RE: bind used as resolver: matching the source ip

2016-08-19 Thread Darcy Kevin (FCA)
Or just check the RFCs. 

https://www.ietf.org/rfc/rfc5452.txt

- Kevin

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mukund 
Sivaraman
Sent: Friday, August 19, 2016 2:27 AM
To: pm8...@t-online.de
Cc: bind-users@lists.isc.org
Subject: Re: bind used as resolver: matching the source ip

On Thu, Aug 18, 2016 at 11:27:01AM +0200, pm8...@t-online.de wrote:
> Dear all,
>  
> As far as I understand, BIND is not only used for authoritative name 
> servers, but is also often used as a (recursive) resolver.
> When receiving a response to a DNS query, does BIND match the source 
> ip of the response to the destination ip of the query and discard the 
> response if they do not match? Does it match the ports?
> I.e. apart from checking
> query.transactionID == response.transactionID does BIND check for 
> query.destinationIP == response.sourceIP and query.destinationPort == 
> response.sourcePort?
> Can you point me to the function in the source code where this check 
> does or does not happen?

Yes, otherwise off-path cache poisoning would be possible. BIND as resolver not 
only matches the source port, but also the question and DNS cookie, among other 
things.

You should be able to find the address and port matching code somewhere within 
lib/dns/dispatch.c. Question and cookie matching code should be found in 
lib/dns/resolver.c.

Mukund
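The reply-matching checks Mukund describes (and RFC 5452 specifies), as an added example that is not code from the thread or from BIND: a minimal resolver-side filter run over a constructed query and constructed replies. The transaction id 1030 and qname sharepoint.com come from the dig output earlier in the digest; the addresses and ports are made up.

```python
import struct
from dataclasses import dataclass

QR_BIT = 0x8000  # header flags: set on responses, clear on queries


def encode_name(qname: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_question(qname: str, qtype: int = 1, qclass: int = 1) -> bytes:
    return encode_name(qname) + struct.pack("!HH", qtype, qclass)


def build_message(txid: int, flags: int, question: bytes) -> bytes:
    """Header (qdcount=1, other counts 0) followed by the question section."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question


@dataclass(frozen=True)
class PendingQuery:
    """What the resolver remembers about a query it has in flight."""
    txid: int
    src_port: int    # our randomised ephemeral port (RFC 5452 section 9)
    dst_ip: str
    dst_port: int
    question: bytes


def parse_header_and_question(msg: bytes):
    """Return (txid, flags, qdcount, raw question bytes) or raise ValueError."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    i = 12
    while True:                      # walk the labels of the first qname
        if i >= len(msg):
            raise ValueError("truncated question")
        ln = msg[i]
        i += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        i += ln
    if i + 4 > len(msg):             # qtype and qclass must follow the name
        raise ValueError("truncated question")
    return txid, flags, qdcount, msg[12:i + 4]


def response_matches(pending: PendingQuery, src_ip: str, src_port: int,
                     dst_port: int, msg: bytes) -> bool:
    """Accept a reply only if every field a careful resolver checks lines up."""
    if (src_ip, src_port) != (pending.dst_ip, pending.dst_port):
        return False   # reply is not from the server address/port we queried
    if dst_port != pending.src_port:
        return False   # reply was not sent to the port we queried from
    try:
        txid, flags, qdcount, question = parse_header_and_question(msg)
    except ValueError:
        return False   # malformed: never let it near the cache
    if txid != pending.txid or not flags & QR_BIT:
        return False   # wrong transaction id, or not a response at all
    if qdcount != 1 or question != pending.question:
        return False   # question must echo ours (exact bytes here; a real
                       # resolver compares the name case-insensitively)
    return True


def demo() -> dict:
    """Constructed query and replies; only 'genuine' should be accepted."""
    q = build_question("sharepoint.com.")
    pending = PendingQuery(txid=1030, src_port=40123,
                           dst_ip="198.51.100.53", dst_port=53, question=q)
    reply = build_message(1030, 0x8180, q)        # flags: QR, RD, RA set
    ok = ("198.51.100.53", 53, 40123)             # src ip, src port, dst port
    return {
        "genuine": response_matches(pending, *ok, reply),
        "wrong_source_ip": response_matches(pending, "203.0.113.9", 53, 40123, reply),
        "wrong_source_port": response_matches(pending, "198.51.100.53", 5353, 40123, reply),
        "wrong_dest_port": response_matches(pending, "198.51.100.53", 53, 40124, reply),
        "wrong_txid": response_matches(pending, *ok, build_message(1031, 0x8180, q)),
        "wrong_question": response_matches(
            pending, *ok, build_message(1030, 0x8180, build_question("microsoft.com."))),
        "not_a_response": response_matches(pending, *ok, build_message(1030, 0x0100, q)),
        "truncated": response_matches(pending, *ok, reply[:20]),
    }
```

The matching here stops at the header and question; BIND additionally checks the DNS cookie (and the resolver code in lib/dns/resolver.c compares the answer against what was asked), which this sketch leaves out.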


Re: DNS views setup help

2016-08-19 Thread Mathew Ian Eis
> where would I place it in the context of my views on the master?
Inside of the view

>  Do I only need that one stanza on the master?
I believe it is needed on the slave as well, to tell the slave to use the 
correct key when communicating with the master. That is how we are doing it…

> Why in the linked doc does it show it listed under the internal view?
Because in the linked doc they are hosting the same zone on the internal and 
external view; in the context of showing how to use tsig keys, you are right, 
that aspect of the example is confusing. They have it that way because they are 
doing a zone transfer from the internal view to the external view, which is 
different than what I think you want to do.

> If that's the designated external key should that be placed in the external 
> view and not the internal?
If I understand what you want to do correctly, yes…

> And why does the internal view in the linked doc show both the external key 
> and a "mykey" in the internal view
“mykey” has nothing to do with zone transfers and is probably meant for 
management, although the example doesn’t specify.

> Exactly how many keys do I need here?
I think two … but it depends on your architecture. We have one key for admin of 
each view, and another key for each master/slave/view triplet. Managing the 
keys that way is more difficult (a lot of keys!), but less likely to 
accidentally put the wrong data in the wrong place.

> Using my config from my first email  … can you provide a modified view?
Here’s a possible way to set up your internal view. Try and get this working by 
itself without your external view, then go back and see if adding the external 
view makes more sense.

### master:

view "insideview" {
  match-clients {
    key internal-key;
    !key external-key;
    internal;
  };
  server 26.26.26.26 {
    keys { internal-key; };
  };
  also-notify {
    26.26.26.26 key internal-key;
  };
  zone "example.com" IN {
    type master;
    file "/var/named/db.exampleinside.com";
    allow-transfer {
      key internal-key;
    };
  };
};

### slave:

view "insideview" {
  match-clients {
    key internal-key;
    !key external-key;
    internal;
  };
  server 25.25.25.25 {
    keys { internal-key; };
  };
  zone "example.com" IN {
    type slave;
    file "/var/named/db.exampleinside.com";
    masters { 25.25.25.25; };
  };
};


Mathew Eis
Northern Arizona University
Information Technology Services

From: project722 
Date: Thursday, August 18, 2016 at 8:17 PM
To: Mathew Eis 
Cc: "bind-users@lists.isc.org" 
Subject: Re: DNS views setup help

That is correct, as I have not set up the TSIG keys yet.
Also, I am still a bit confused on how this code should be implemented in my conf file. In the example you posted that refers back to the link, where would I place it in the context of my views on the master? Do I only need that one stanza on the master, and why in the linked doc does it show it listed under the internal view? If that's the designated external key, should that be placed in the external view and not the internal? And why does the internal view in the linked doc show both the external key and a "mykey" in the internal view, while only showing one for the external view? Exactly how many keys do I need here?
Let's say my master server IP is 25.25.25.25 and my slave is 26.26.26.26. Using my config from my first email and your code from your reply (let's use only the part from the linked doc you wrote), can you provide a modified view for internal and external for both the master and slave server?
Sorry for all the questions, it's just that I'm very new to this view thing, as you might have guessed :)

On Thu, Aug 18, 2016 at 9:50 PM, Mathew Ian Eis <mathew@nau.edu> wrote:
I think you are pretty close. One detail that you appear to be missing is in the linked document:

server 10.0.1.1 {
/* Deliver notify messages to external view. */
keys { external-key; };
};

Your slaves should have a similar statement in each view with the IP of the 
master and the relevant key for that view.

Two other things we have learned in deploying this:

* It is helpful to change your allow-transfer section to be key-based per-view 
instead of IP based to save you from accidental zone transfers when other 
configuration errors are made.
* The match-clients rule can be prepended with a key/!key set to prevent 
accidental communication on that view when using keys; e.g.

match-clients {
# key matching rules
key admin-internal;
!key admin-external;
key slave-internal;
!key slave-external;
# ip/acl matching rules
internal-ips;
};


Regards,

Mathew Eis
Northern Arizona University
Information Technology Services