hi all, any dns pros in the house?? i am trying to debug a split-view dns setup. i am using Fedora 32 (F32) & bind9, where i have internal & external views.
internal network 10.0.0.0/24, external 108.220.213.120/29
what i think i am seeing is a refusal of query, but Why??
where can i find a query_log print-severity definition?
dig shows, ...

dig ws.linuxlighthouse.com ns

; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc32 <<>> ws.linuxlighthouse.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45484
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ws.linuxlighthouse.com. IN NS

;; Query time: 355 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Thu Nov 12 22:53:45 PST 2020
;; MSG SIZE rcvd: 51

dig 108.220.213.121

; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc32 <<>> 108.220.213.121
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46338
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;108.220.213.121. IN A

;; ANSWER SECTION:
108.220.213.121. 0 IN A 108.220.213.121

;; Query time: 1 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Thu Nov 12 22:54:52 PST 2020
;; MSG SIZE rcvd: 60

suggestions? tia, jackc...

my named.conf

/* top of file */
acl slaves { 108.220.213.122; };
/* NOTE(review): the public /29 is commented out of "internals", so clients
   on 108.220.213.120/29 do not match this ACL. */
acl internals { 10.0.0.0/24; 127.0.0.0/8; }; /* 108.220.213.120/29; */

options {
    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // "Working" directory
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
    secroots-file "data/named.secroots";
    recursing-file "data/named.recursing";

    /* NOTE(review): in BIND the built-in "localhost" ACL matches every
       address configured on the local interfaces, not only 127.0.0.1. */
    listen-on port 53 { localhost; };
    listen-on-v6 port 53 { any; };

    /* NOTE(review): options-level default. Views and zones that set no
       allow-query of their own inherit it; the external-view zones further
       down override it with allow-query { any; }. */
    allow-query { internals; };
    /* NOTE(review): cache access is open to any client at this level while
       recursion and forwarders are enabled here. The external view relies
       on its own "recursion no" to avoid answering as an open resolver;
       consider restricting this to internals. */
    allow-query-cache { any; };
    /* NOTE(review): this lets every host in the /29 request zone transfers.
       The "slaves" ACL (108.220.213.122) is defined above but is only
       referenced in a commented-out line in the external view. */
    allow-transfer { 108.220.213.120/29; };
    recursion yes;
    forwarders { 8.8.8.8; 8.8.4.4; };

    /* DNSSEC related options. See information about keys ("Trusted keys", below) */

    /* Enable serving of DNSSEC related data - enable on both authoritative and recursive servers DNSSEC aware servers */
    dnssec-enable yes;

    /* Enable DNSSEC validation on recursive servers */
    /* NOTE(review): with "yes" (as opposed to "auto") BIND 9.11 validates
       only against explicitly configured trust anchors; no trusted-keys /
       managed-keys statement or key include is visible in this paste -
       confirm one exists in the real file. */
    dnssec-validation yes;

    /* In Fedora we use /run/named instead of default /var/run/named so we have to configure paths properly. */
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    managed-keys-directory "/var/named/dynamic";

    /* In Fedora we use system-wide Crypto Policy */
    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";

    /* use querylog all the time rndc */
    querylog yes;
};

/* NOTE(review): only default_file, security_file and queries_file are
   defined in this paste, while the category list names further channels
   (general_file, config_file, ...) - presumably trimmed from the mail;
   confirm they exist in the real file.
   The lines beginning "default.log:", "security.log:" and "queries.log:"
   are log excerpts the poster pasted after each channel; they are not part
   of named.conf. */
logging {
    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
default.log:12-Nov-2020 22:16:58.021 query-errors: info: client @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/AAAA at ../../../bin/named/query.c:7270
default.log:12-Nov-2020 22:16:58.503 query-errors: info: client @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
default.log:12-Nov-2020 22:16:59.036 query-errors: info: client @0x7f99e01bab90 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270

    channel security_file {
        severity debug 2;
        file "/var/log/named/security.log" versions 3 size 5m;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
security.log:12-Nov-2020 22:16:58.021 client @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view: query 'ws.linuxlighthouse.com/AAAA/IN' denied
security.log:12-Nov-2020 22:16:58.503 client @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view: query 'ws.linuxlighthouse.com/A/IN' denied
security.log:12-Nov-2020 22:16:59.036 client @0x7f99e01bab90 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view: query 'ws.linuxlighthouse.com/A/IN' denied

    channel queries_file {
        file "/var/log/named/queries.log" versions 3 size 5m;
        severity debug 3;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
queries.log:12-Nov-2020 22:16:58.021 queries: info: client @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view: query: ws.linuxlighthouse.com IN AAAA -E(0)DC (10.0.0.101)
queries.log:12-Nov-2020 22:16:58.503 queries: info: client @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view: query: ws.linuxlighthouse.com IN A -E(0)DC (10.0.0.101)
queries.log:12-Nov-2020 22:16:59.036 queries: info: client @0x7f99e01bab90 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view: *query: ws.linuxlighthouse.com <http://ws.linuxlighthouse.com> IN A -E(0)DC (10.0.0.101)*

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
};

include "/etc/rndc.key";

/* rndc control channel: bound to 127.0.0.1, limited to localhost and to
   holders of the "rndc-key" key. */
controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

/* This view will contain zones you want to serve only to "internal" clients that connect via your directly attached LAN interfaces - "localnets" . */
/* NOTE(review): views are tried in the order listed and a client is served
   by the first view whose match-clients accepts it, so this view has to
   stay ahead of the catch-all external view. */
view "internal-lan-view" {
    match-clients { internals; };
    recursion yes;
    zone "linuxlighthouse.com" {
        type master;
        file "/var/named/internal.db";
    };
};

/* This view will contain zones you want to serve only to "external" clients that have addresses that do not match any above view: */
/* NOTE(review): both zones here set allow-query { any; }, yet the pasted
   log excerpts show queries for ws.linuxlighthouse.com denied in this
   view - verify that the running server has actually loaded this file
   (named-checkconf -z, then rndc reconfig). */
view "external-wan-view" {
    match-clients { any; };
    recursion no; /* external clients get authoritative answers only */
    zone "linuxlighthouse.com" {
        type master;
        file "/var/named/linuxlighthouse.com.db";
        allow-query { any; };
        /* allow-transfer { slaves; }; */
    };
    zone "213.220.108.in-addr.arpa" {
        type master;
        file "/var/named/213.220.108.in-addr.arpa";
        allow-query { any; };
    };
};

; Authoritative data for linuxlighthouse.com zone ; ; $ORIGIN linuxlighthouse.com. $TTL 86400 @ IN SOA ws.linuxlighthouse.com. root.linuxlighthouse.com. ( 2020101601 ; serial 1D ; refresh 1H ; retry 1W ; expire 86400 ) ; minimum ; ;jack.craig.ap...@gmail.com ; @ IN NS ws IN MX 10 mail IN A 108.220.213.121 ws IN A 108.220.213.121 www IN A 108.220.213.121 mail IN A 108.220.213.121 ; cname later ;ws2 IN A 68.94.157.1 ;dns157r8.sbcglobal.net. IN A 68.94.157.8 ; ; DNSSEC/CAA setup ; example.org. CAA 128 issue "letsencrypt.org" ; linuxlighthouse.com. CAA 128 issue "letsencrypt.org" ; $include "/var/named/linuxlighthouse.com.db" @ IN A 10.0.0.1 ws IN A 10.0.0.101 www IN A 10.0.0.101 ws2 IN A 10.0.0.102
[jackc@ws ~$