The allow-query { internals; } might be something worth tinkering with....
From: "Jack Craig" <jack.craig.aptos@xxxxxxxxx>
Date: Friday, 13 November 2020 at 08:03:43
To: "Community support for Fedora users" <users@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: F32 bind9 split dns debug
hi all,
any dns pros in the house??
any dns pros in the house??
I am trying to debug a split-view DNS setup.
i am using F32 & bind9 where i have internal & external views.
internal network 10.0.0.0/24, external 108.220.213.120/29
What I think I am seeing is a query being refused, but why?
Where can I find a definition of the query-log print-severity values?
dig shows, ...
i am using F32 & bind9 where i have internal & external views.
internal network 10.0.0.0/24, external 108.220.213.120/29
What I think I am seeing is a query being refused, but why?
Where can I find a definition of the query-log print-severity values?
dig shows, ...
dig ws.linuxlighthouse.com ns
; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc32 <<>> ws.linuxlighthouse.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45484
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ws.linuxlighthouse.com. IN NS
;; Query time: 355 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Thu Nov 12 22:53:45 PST 2020
;; MSG SIZE rcvd: 51
dig 108.220.213.121
; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc32 <<>> 108.220.213.121
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46338
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;108.220.213.121. IN A
;; ANSWER SECTION:
108.220.213.121. 0 IN A 108.220.213.121
;; Query time: 1 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Thu Nov 12 22:54:52 PST 2020
;; MSG SIZE rcvd: 60
suggestions?
; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc32 <<>> ws.linuxlighthouse.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45484
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ws.linuxlighthouse.com. IN NS
;; Query time: 355 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Thu Nov 12 22:53:45 PST 2020
;; MSG SIZE rcvd: 51
dig 108.220.213.121
; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc32 <<>> 108.220.213.121
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46338
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;108.220.213.121. IN A
;; ANSWER SECTION:
108.220.213.121. 0 IN A 108.220.213.121
;; Query time: 1 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Thu Nov 12 22:54:52 PST 2020
;; MSG SIZE rcvd: 60
suggestions?
tia, jackc...
my named.conf
/* top of file */
/* Hosts allowed to pull zone transfers (the secondary name server).
   In this listing the ACL is only referenced from a commented-out
   allow-transfer inside external-wan-view, so it is currently unused and
   the options-level allow-transfer (the whole /29) is what applies. */
acl slaves {
108.220.213.122;
};
acl internals {
/* LAN and loopback clients. This ACL does two jobs: it selects
   internal-lan-view (match-clients) and it is the options-level
   allow-query default for every view/zone that sets none. The public /29
   was left out on purpose (see the commented block just below), so the
   server's own public address is treated as an external client. */
10.0.0.0/24;
127.0.0.0/8;
};
/*
108.220.213.120/29;
*/
options
{
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // "Working" directory
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
secroots-file "data/named.secroots";
recursing-file "data/named.recursing";
/* The builtin "localhost" ACL matches every address configured on this
   host's own interfaces, not only 127.0.0.1, so this binds the LAN and
   WAN IPv4 addresses as well (the queries.log lines further down show
   queries arriving at 10.0.0.101). */
listen-on port 53 { localhost; };
listen-on-v6 port 53 { any; };
/* Global default for every view and zone that does not set its own
   allow-query. Both zones in external-wan-view override it with { any; },
   but the view itself inherits "internals": any name in that view that is
   not served from a loaded zone is answered REFUSED and logged as
   "query ... denied" in the security category. The REFUSED entries in the
   pasted logs for a name inside the zone are consistent with the zone not
   having loaded in that view - check the general/config log output. */
allow-query { internals; };
/* Inherited by both views. Harmless while external-wan-view has
   "recursion no"; a view that allows recursion for non-internal clients
   combined with this setting would be an open resolver. */
allow-query-cache { any; };
/* Global zone-transfer ACL: every address in the /29 may AXFR any zone in
   any view. The narrower "slaves" ACL (only .122) is not in effect because
   the zone-level allow-transfer { slaves; } is commented out; a TSIG key
   per secondary would be the tighter control. */
allow-transfer { 108.220.213.120/29; };
/* Global default; external-wan-view turns it off for itself. */
recursion yes;
forwarders {
8.8.8.8;
8.8.4.4;
};
/* DNSSEC related options. See information about keys ("Trusted keys", below) */
/* Enable serving of DNSSEC related data - enable on both authoritative
and recursive DNSSEC-aware servers. Accepted by 9.11; obsolete in later
BIND releases. */
dnssec-enable yes;
/* Enable DNSSEC validation on recursive servers */
dnssec-validation yes;
/* In Fedora we use /run/named instead of default /var/run/named
so we have to configure paths properly. */
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
managed-keys-directory "/var/named/dynamic";
/* In Fedora we use system-wide Crypto Policy */
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
/* Query logging is on permanently (equivalent to "rndc querylog on");
   the queries category below decides where it goes. */
querylog yes;
};
logging {
/* Catch-all channel. "severity dynamic" follows the debug level set with
   "rndc trace", so it logs at info until tracing is turned on. */
channel default_file {
file "/var/log/named/default.log" versions 3 size 5m;
severity dynamic;
print-time yes;
print-category yes;
print-severity yes;
};
// The next three lines are default.log output pasted into the listing, not configuration.
// They show three queries from 60.215.138.163 that matched external-wan-view and were
// answered REFUSED although that view's zone sets allow-query { any; }. The likeliest
// reading is that the zone had not loaded in that view, so the options-level
// allow-query { internals; } applied - verify in the general/config categories.
default.log:12-Nov-2020 22:16:58.021 query-errors: info: client @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/AAAA at ../../../bin/named/query.c:7270
default.log:12-Nov-2020 22:16:58.503 query-errors: info: client @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
default.log:12-Nov-2020 22:16:59.036 query-errors: info: client @0x7f99e01bab90 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
/* Access-control decisions (denied queries, transfers, updates). */
channel security_file {
severity debug 2;
file "/var/log/named/security.log" versions 3 size 5m;
print-time yes;
print-category yes;
print-severity yes;
};
// security.log excerpts (pasted output, not configuration): the same three queries
// being rejected by an allow-query check in external-wan-view.
security.log:12-Nov-2020 22:16:58.021 client @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view: query 'ws.linuxlighthouse.com/AAAA/IN' denied
security.log:12-Nov-2020 22:16:58.503 client @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view: query 'ws.linuxlighthouse.com/A/IN' denied
security.log:12-Nov-2020 22:16:59.036 client @0x7f99e01bab90 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view: query 'ws.linuxlighthouse.com/A/IN' denied
/* One line per received query (needs "querylog yes" or "rndc querylog"). */
channel queries_file {
file "/var/log/named/queries.log" versions 3 size 5m;
severity debug 3;
print-time yes;
print-category yes;
print-severity yes;
};
// queries.log excerpts (pasted output, not configuration). The trailing "(10.0.0.101)"
// is the local address the query arrived on, i.e. the LAN address of ws, so the public
// address is presumably forwarded to this host by the router - confirm.
queries.log:12-Nov-2020 22:16:58.021 queries: info: client @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view: query: ws.linuxlighthouse.com IN AAAA -E(0)DC (10.0.0.101)
queries.log:12-Nov-2020 22:16:58.503 queries: info: client @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view: query: ws.linuxlighthouse.com IN A -E(0)DC (10.0.0.101)
queries.log:12-Nov-2020 22:16:59.036 queries: info: client @0x7f99e01bab90 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view: query: ws.linuxlighthouse.com IN A -E(0)DC (10.0.0.101)
/* Every category must name a channel that is defined somewhere in the
   configuration. Only default_file, security_file and queries_file appear
   in this listing; general_file, database_file, config_file, ... are
   presumably defined in a part of the file that was not pasted, since an
   undefined channel is a configuration error. The general and config
   categories are where zone-load failures are reported. */
category default { default_file; };
category general { general_file; };
category database { database_file; };
category security { security_file; };
category config { config_file; };
category resolver { resolver_file; };
category xfer-in { xfer-in_file; };
category xfer-out { xfer-out_file; };
category notify { notify_file; };
category client { client_file; };
category unmatched { unmatched_file; };
category queries { queries_file; };
category network { network_file; };
category update { update_file; };
category dispatch { dispatch_file; };
category dnssec { dnssec_file; };
category lame-servers { lame-servers_file; };
};
/* Shared secret for rndc; keep the file readable by the named user only,
   since whoever holds the key can control the server. */
include "/etc/rndc.key";
/* rndc reachable only on loopback and only with the key above. */
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
/* This view will contain zones you want to serve only to "internal" clients
that connect via your directly attached LAN interfaces - "localnets" . */
view "internal-lan-view"
{
/* Views are tried in order: clients in the "internals" ACL (10.0.0.0/24
   and loopback) stop here, everything else falls through to
   external-wan-view. Recursion is offered only to these clients. */
match-clients { internals; };
recursion yes;
/* LAN copy of the zone. The data at the end of this message suggests
   internal.db $includes the public file and then adds 10.0.0.x records,
   so LAN clients would see both the public and the private A records for
   "ws" and "www" - confirm that is intended. */
zone "linuxlighthouse.com" {
type master;
file "/var/named/internal.db";
};
};
/* This view will contain zones you want to serve only to "external" clients
whose addresses do not match any view above: */
view "external-wan-view"
{
/* Catch-all for every client not matched above, including the host's own
   public /29 (it was commented out of "internals" at the top of the file).
   "recursion no" is the right setting for a view reachable from the
   Internet; without it the options-level allow-query-cache { any; } would
   turn this into an open resolver. */
match-clients { any; };
recursion no;
zone "linuxlighthouse.com" {
type master;
file "/var/named/linuxlighthouse.com.db";
/* Zone-level allow-query overrides the options-level "internals", so
   anyone may query this zone - expected for public data. If the zone
   fails to load, this override is gone and the view default (internals)
   refuses outside clients, which matches the pasted log lines. */
allow-query { any; };
/* While this stays commented out the zone inherits the options-level
   allow-transfer { 108.220.213.120/29; }, i.e. the whole /29 may
   transfer it rather than only the .122 secondary. */
/*
allow-transfer { slaves; };
*/
};
/* Reverse zone for the public /29; same public allow-query. */
zone "213.220.108.in-addr.arpa" {
type master;
file "/var/named/213.220.108.in-addr.arpa";
allow-query { any; };
};
};
; Authoritative data for linuxlighthouse.com zone
;
; $ORIGIN linuxlighthouse.com.
; Public zone data (/var/named/linuxlighthouse.com.db, served by
; external-wan-view). Every name resolves to the single public address
; 108.220.213.121; the origin comes from the zone statement in named.conf.
$TTL 86400
@ IN SOA ws.linuxlighthouse.com. root.linuxlighthouse.com. (
2020101601 ; serial - bump on every edit so secondaries pick up changes
1D ; refresh
1H ; retry
1W ; expire
86400 ) ; minimum (negative-caching TTL)
;
;jack.craig.aptos@xxxxxxxxx
;
; The zone's only name server is ws, inside the zone itself, so the parent
; must carry glue for ws.linuxlighthouse.com; a single NS is also a single
; point of failure.
@ IN NS ws
IN MX 10 mail
IN A 108.220.213.121
ws IN A 108.220.213.121
www IN A 108.220.213.121
mail IN A 108.220.213.121
; cname later
;ws2 IN A 68.94.157.1
;dns157r8.sbcglobal.net. IN A 68.94.157.8
;
; DNSSEC/CAA setup
; example.org. CAA 128 issue "letsencrypt.org"
; linuxlighthouse.com. CAA 128 issue "letsencrypt.org"
;
; From here on this looks like /var/named/internal.db (the internal-lan-view
; copy): it pulls in the public file above and then adds LAN addresses, so
; in that view "ws" and "www" carry both a 108.220.213.121 and a 10.0.0.x
; A record. Note also that the dig runs at the top of the message were sent
; to 10.0.0.1 (their SERVER: line), the address this file gives to "@",
; while queries.log shows named receiving on 10.0.0.101 ("ws"); if 10.0.0.1
; is the router rather than this host, those dig answers did not come from
; named at all - rerun with "dig @10.0.0.101" to test the internal view
; directly. A zone that failed to load answers SERVFAIL, so also check the
; general/config log output for load errors.
$include "/var/named/linuxlighthouse.com.db"
@ IN A 10.0.0.1
ws IN A 10.0.0.101
www IN A 10.0.0.101
ws2 IN A 10.0.0.102
[jackc@ws ~$
my named.conf
/* top of file */
/* Hosts allowed to pull zone transfers (the secondary name server).
   In this listing the ACL is only referenced from a commented-out
   allow-transfer inside external-wan-view, so it is currently unused and
   the options-level allow-transfer (the whole /29) is what applies. */
acl slaves {
108.220.213.122;
};
acl internals {
/* LAN and loopback clients. This ACL does two jobs: it selects
   internal-lan-view (match-clients) and it is the options-level
   allow-query default for every view/zone that sets none. The public /29
   was left out on purpose (see the commented block just below), so the
   server's own public address is treated as an external client. */
10.0.0.0/24;
127.0.0.0/8;
};
/*
108.220.213.120/29;
*/
options
{
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // "Working" directory
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
secroots-file "data/named.secroots";
recursing-file "data/named.recursing";
/* The builtin "localhost" ACL matches every address configured on this
   host's own interfaces, not only 127.0.0.1, so this binds the LAN and
   WAN IPv4 addresses as well (the queries.log lines further down show
   queries arriving at 10.0.0.101). */
listen-on port 53 { localhost; };
listen-on-v6 port 53 { any; };
/* Global default for every view and zone that does not set its own
   allow-query. Both zones in external-wan-view override it with { any; },
   but the view itself inherits "internals": any name in that view that is
   not served from a loaded zone is answered REFUSED and logged as
   "query ... denied" in the security category. The REFUSED entries in the
   pasted logs for a name inside the zone are consistent with the zone not
   having loaded in that view - check the general/config log output. */
allow-query { internals; };
/* Inherited by both views. Harmless while external-wan-view has
   "recursion no"; a view that allows recursion for non-internal clients
   combined with this setting would be an open resolver. */
allow-query-cache { any; };
/* Global zone-transfer ACL: every address in the /29 may AXFR any zone in
   any view. The narrower "slaves" ACL (only .122) is not in effect because
   the zone-level allow-transfer { slaves; } is commented out; a TSIG key
   per secondary would be the tighter control. */
allow-transfer { 108.220.213.120/29; };
/* Global default; external-wan-view turns it off for itself. */
recursion yes;
forwarders {
8.8.8.8;
8.8.4.4;
};
/* DNSSEC related options. See information about keys ("Trusted keys", below) */
/* Enable serving of DNSSEC related data - enable on both authoritative
and recursive DNSSEC-aware servers. Accepted by 9.11; obsolete in later
BIND releases. */
dnssec-enable yes;
/* Enable DNSSEC validation on recursive servers */
dnssec-validation yes;
/* In Fedora we use /run/named instead of default /var/run/named
so we have to configure paths properly. */
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
managed-keys-directory "/var/named/dynamic";
/* In Fedora we use system-wide Crypto Policy */
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
/* Query logging is on permanently (equivalent to "rndc querylog on");
   the queries category below decides where it goes. */
querylog yes;
};
logging {
/* Catch-all channel. "severity dynamic" follows the debug level set with
   "rndc trace", so it logs at info until tracing is turned on. */
channel default_file {
file "/var/log/named/default.log" versions 3 size 5m;
severity dynamic;
print-time yes;
print-category yes;
print-severity yes;
};
// The next three lines are default.log output pasted into the listing, not configuration.
// They show three queries from 60.215.138.163 that matched external-wan-view and were
// answered REFUSED although that view's zone sets allow-query { any; }. The likeliest
// reading is that the zone had not loaded in that view, so the options-level
// allow-query { internals; } applied - verify in the general/config categories.
default.log:12-Nov-2020 22:16:58.021 query-errors: info: client @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/AAAA at ../../../bin/named/query.c:7270
default.log:12-Nov-2020 22:16:58.503 query-errors: info: client @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
default.log:12-Nov-2020 22:16:59.036 query-errors: info: client @0x7f99e01bab90 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
/* Access-control decisions (denied queries, transfers, updates). */
channel security_file {
severity debug 2;
file "/var/log/named/security.log" versions 3 size 5m;
print-time yes;
print-category yes;
print-severity yes;
};
// security.log excerpts (pasted output, not configuration): the same three queries
// being rejected by an allow-query check in external-wan-view.
security.log:12-Nov-2020 22:16:58.021 client @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view: query 'ws.linuxlighthouse.com/AAAA/IN' denied
security.log:12-Nov-2020 22:16:58.503 client @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view: query 'ws.linuxlighthouse.com/A/IN' denied
security.log:12-Nov-2020 22:16:59.036 client @0x7f99e01bab90 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view: query 'ws.linuxlighthouse.com/A/IN' denied
/* One line per received query (needs "querylog yes" or "rndc querylog"). */
channel queries_file {
file "/var/log/named/queries.log" versions 3 size 5m;
severity debug 3;
print-time yes;
print-category yes;
print-severity yes;
};
// queries.log excerpts (pasted output, not configuration). The trailing "(10.0.0.101)"
// is the local address the query arrived on, i.e. the LAN address of ws, so the public
// address is presumably forwarded to this host by the router - confirm.
queries.log:12-Nov-2020 22:16:58.021 queries: info: client @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view: query: ws.linuxlighthouse.com IN AAAA -E(0)DC (10.0.0.101)
queries.log:12-Nov-2020 22:16:58.503 queries: info: client @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view: query: ws.linuxlighthouse.com IN A -E(0)DC (10.0.0.101)
queries.log:12-Nov-2020 22:16:59.036 queries: info: client @0x7f99e01bab90 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view: query: ws.linuxlighthouse.com IN A -E(0)DC (10.0.0.101)
/* Every category must name a channel that is defined somewhere in the
   configuration. Only default_file, security_file and queries_file appear
   in this listing; general_file, database_file, config_file, ... are
   presumably defined in a part of the file that was not pasted, since an
   undefined channel is a configuration error. The general and config
   categories are where zone-load failures are reported. */
category default { default_file; };
category general { general_file; };
category database { database_file; };
category security { security_file; };
category config { config_file; };
category resolver { resolver_file; };
category xfer-in { xfer-in_file; };
category xfer-out { xfer-out_file; };
category notify { notify_file; };
category client { client_file; };
category unmatched { unmatched_file; };
category queries { queries_file; };
category network { network_file; };
category update { update_file; };
category dispatch { dispatch_file; };
category dnssec { dnssec_file; };
category lame-servers { lame-servers_file; };
};
/* Shared secret for rndc; keep the file readable by the named user only,
   since whoever holds the key can control the server. */
include "/etc/rndc.key";
/* rndc reachable only on loopback and only with the key above. */
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
/* This view will contain zones you want to serve only to "internal" clients
that connect via your directly attached LAN interfaces - "localnets" . */
view "internal-lan-view"
{
/* Views are tried in order: clients in the "internals" ACL (10.0.0.0/24
   and loopback) stop here, everything else falls through to
   external-wan-view. Recursion is offered only to these clients. */
match-clients { internals; };
recursion yes;
/* LAN copy of the zone. The data at the end of this message suggests
   internal.db $includes the public file and then adds 10.0.0.x records,
   so LAN clients would see both the public and the private A records for
   "ws" and "www" - confirm that is intended. */
zone "linuxlighthouse.com" {
type master;
file "/var/named/internal.db";
};
};
/* This view will contain zones you want to serve only to "external" clients
whose addresses do not match any view above: */
view "external-wan-view"
{
/* Catch-all for every client not matched above, including the host's own
   public /29 (it was commented out of "internals" at the top of the file).
   "recursion no" is the right setting for a view reachable from the
   Internet; without it the options-level allow-query-cache { any; } would
   turn this into an open resolver. */
match-clients { any; };
recursion no;
zone "linuxlighthouse.com" {
type master;
file "/var/named/linuxlighthouse.com.db";
/* Zone-level allow-query overrides the options-level "internals", so
   anyone may query this zone - expected for public data. If the zone
   fails to load, this override is gone and the view default (internals)
   refuses outside clients, which matches the pasted log lines. */
allow-query { any; };
/* While this stays commented out the zone inherits the options-level
   allow-transfer { 108.220.213.120/29; }, i.e. the whole /29 may
   transfer it rather than only the .122 secondary. */
/*
allow-transfer { slaves; };
*/
};
/* Reverse zone for the public /29; same public allow-query. */
zone "213.220.108.in-addr.arpa" {
type master;
file "/var/named/213.220.108.in-addr.arpa";
allow-query { any; };
};
};
; Authoritative data for linuxlighthouse.com zone
;
; $ORIGIN linuxlighthouse.com.
; Public zone data (/var/named/linuxlighthouse.com.db, served by
; external-wan-view). Every name resolves to the single public address
; 108.220.213.121; the origin comes from the zone statement in named.conf.
$TTL 86400
@ IN SOA ws.linuxlighthouse.com. root.linuxlighthouse.com. (
2020101601 ; serial - bump on every edit so secondaries pick up changes
1D ; refresh
1H ; retry
1W ; expire
86400 ) ; minimum (negative-caching TTL)
;
;jack.craig.aptos@xxxxxxxxx
;
; The zone's only name server is ws, inside the zone itself, so the parent
; must carry glue for ws.linuxlighthouse.com; a single NS is also a single
; point of failure.
@ IN NS ws
IN MX 10 mail
IN A 108.220.213.121
ws IN A 108.220.213.121
www IN A 108.220.213.121
mail IN A 108.220.213.121
; cname later
;ws2 IN A 68.94.157.1
;dns157r8.sbcglobal.net. IN A 68.94.157.8
;
; DNSSEC/CAA setup
; example.org. CAA 128 issue "letsencrypt.org"
; linuxlighthouse.com. CAA 128 issue "letsencrypt.org"
;
; From here on this looks like /var/named/internal.db (the internal-lan-view
; copy): it pulls in the public file above and then adds LAN addresses, so
; in that view "ws" and "www" carry both a 108.220.213.121 and a 10.0.0.x
; A record. Note also that the dig runs at the top of the message were sent
; to 10.0.0.1 (their SERVER: line), the address this file gives to "@",
; while queries.log shows named receiving on 10.0.0.101 ("ws"); if 10.0.0.1
; is the router rather than this host, those dig answers did not come from
; named at all - rerun with "dig @10.0.0.101" to test the internal view
; directly. A zone that failed to load answers SERVFAIL, so also check the
; general/config log output for load errors.
$include "/var/named/linuxlighthouse.com.db"
@ IN A 10.0.0.1
ws IN A 10.0.0.101
www IN A 10.0.0.101
ws2 IN A 10.0.0.102
[jackc@ws ~$