first, a hearty Thanks for your responses to date.
I have tried to apply the suggested changes, but it's not changed the initial behaviour.
so i am still missing something...
additional suggestions. i am going to look at host, who,w hois, nslookup for more info, thx, jackc...
default.log:13-Nov-2020 13:30:43.484 query-errors: info: client @0x7f98541abfc0 40.69.104.72#54502 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
default.log:13-Nov-2020 13:30:49.778 query-errors: info: client @0x7f98541abfc0 40.69.104.77#49493 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
default.log:13-Nov-2020 13:30:49.778 query-errors: info: client @0x7f98541abfc0 40.69.104.77#49493 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
queries.log:13-Nov-2020 13:30:43.484 queries: info: client @0x7f98541abfc0 40.69.104.72#54502 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN A -E(0)D (10.0.0.101)
queries.log:13-Nov-2020 13:30:49.778 queries: info: client @0x7f98541abfc0 40.69.104.77#49493 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN A -E(0)D (10.0.0.101)
queries.log:13-Nov-2020 13:30:49.778 queries: info: client @0x7f98541abfc0 40.69.104.77#49493 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN A -E(0)D (10.0.0.101)
security.log:13-Nov-2020 13:30:43.484 client @0x7f98541abfc0 40.69.104.72#54502 (linuxlighthouse.com): view external-wan-view: query 'linuxlighthouse.com/A/IN' denied
security.log:13-Nov-2020 13:30:49.778 client @0x7f98541abfc0 40.69.104.77#49493 (linuxlighthouse.com): view external-wan-view: query 'linuxlighthouse.com/A/IN' denied
current named.conf
options
{
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // "Working" directory
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
secroots-file "data/named.secroots";
recursing-file "data/named.recursing";
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
allow-transfer { 108.220.213.120/29; };
forwarders {
8.8.8.8;
8.8.4.4;
};
/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
/* Enable serving of DNSSEC related data - enable on both authoritative
and recursive servers DNSSEC aware servers */
dnssec-enable yes;
/* Enable DNSSEC validation on recursive servers */
dnssec-validation yes;
/* In Fedora we use /run/named instead of default /var/run/named
so we have to configure paths properly. */
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
managed-keys-directory "/var/named/dynamic";
/* In Fedora we use system-wide Crypto Policy */
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
/* use querylog all the time rndc */
querylog yes;
};
{
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // "Working" directory
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
secroots-file "data/named.secroots";
recursing-file "data/named.recursing";
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
allow-transfer { 108.220.213.120/29; };
forwarders {
8.8.8.8;
8.8.4.4;
};
/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
/* Enable serving of DNSSEC related data - enable on both authoritative
and recursive servers DNSSEC aware servers */
dnssec-enable yes;
/* Enable DNSSEC validation on recursive servers */
dnssec-validation yes;
/* In Fedora we use /run/named instead of default /var/run/named
so we have to configure paths properly. */
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
managed-keys-directory "/var/named/dynamic";
/* In Fedora we use system-wide Crypto Policy */
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
/* use querylog all the time rndc */
querylog yes;
};
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
view "internal-lan-view"
{
match-clients { internals; };
allow-recursion { internals; };
allow-recursion-on { internals; };
zone "linuxlighthouse.com" {
type master;
file "/var/named/internal.db";
allow-query { internals; };
};
};
view "external-wan-view"
{
match-clients { any; };
recursion no;
allow-query { any; };
allow-transfer { 108.220.213.120/29; };
zone "linuxlighthouse.com" {
type master;
file "/var/named/linuxlighthouse.com.db";
};
zone "213.220.108.in-addr.arpa" {
type master;
file "/var/named/213.220.108.in-addr.arpa";
};
};
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
view "internal-lan-view"
{
match-clients { internals; };
allow-recursion { internals; };
allow-recursion-on { internals; };
zone "linuxlighthouse.com" {
type master;
file "/var/named/internal.db";
allow-query { internals; };
};
};
view "external-wan-view"
{
match-clients { any; };
recursion no;
allow-query { any; };
allow-transfer { 108.220.213.120/29; };
zone "linuxlighthouse.com" {
type master;
file "/var/named/linuxlighthouse.com.db";
};
zone "213.220.108.in-addr.arpa" {
type master;
file "/var/named/213.220.108.in-addr.arpa";
};
};
On Fri, Nov 13, 2020 at 6:10 AM Petr Menšík <pemensik@xxxxxxxxxx> wrote:
Hi Jack,
On 11/13/20 8:02 AM, Jack Craig wrote:
> hi all,
> any dns pros in the house??
>
> i am trying to debug a split view dns.
> i am using F32 & bind9 where i have internal & external views.
>
> internal network 10.0.0.0/24, external 108.220.213.120/29
>
> what i think i am seeing is a refusal of query, but Why??
>
> where can i find a query_log print-severity definition?
>
> dig shows, ...
>
> dig ws.linuxlighthouse.com ns
>
> ; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc32 <<>> ws.linuxlighthouse.com ns
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45484
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ws.linuxlighthouse.com. IN NS
>
> ;; Query time: 355 msec
> ;; SERVER: 10.0.0.1#53(10.0.0.1)
> ;; WHEN: Thu Nov 12 22:53:45 PST 2020
> ;; MSG SIZE rcvd: 51
>
> dig 108.220.213.121
>
> ; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc32 <<>> 108.220.213.121
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46338
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;108.220.213.121. IN A
>
> ;; ANSWER SECTION:
> 108.220.213.121. 0 IN A 108.220.213.121
>
> ;; Query time: 1 msec
> ;; SERVER: 10.0.0.1#53(10.0.0.1)
> ;; WHEN: Thu Nov 12 22:54:52 PST 2020
> ;; MSG SIZE rcvd: 60
>
> suggestions?
>
> tia, jackc...
>
>
> my named.conf
>
> /* top of file */
>
> acl slaves {
> 108.220.213.122;
> };
>
> acl internals {
> 10.0.0.0/24;
> 127.0.0.0/8;
> };
>
> /*
> 108.220.213.120/29;
> */
>
> options
> {
> // Put files that named is allowed to write in the data/ directory:
> directory "/var/named"; // "Working" directory
> dump-file "data/cache_dump.db";
> statistics-file "data/named_stats.txt";
> memstatistics-file "data/named_mem_stats.txt";
> secroots-file "data/named.secroots";
> recursing-file "data/named.recursing";
>
> listen-on port 53 { localhost; };
Localhost usually has only 127.0.0.0/8 and ::1 addresses. Without both
internal address and external or any; Outside IPv4 packet would never
reach bind.
> listen-on-v6 port 53 { any; };
>
> allow-query { internals; };
Move this to views. allow-query includes recursive and non-recursive
queries. Kind of firewall equivalent. Just let it inside or not.
> allow-query-cache { any; };
Unless you override this in view, this would make your (internal) cache
open to outside world. It it would act authoritative for outside and
recursive for inside clients, I would recommend removing these two and
using just allow-recursion { internals; };
allow-recursion-on { internals };
in specific view.
> allow-transfer { 108.220.213.120/29; };
It is better to use keys to authenticate. Check tsig-keygen(8) manual page.
>
> recursion yes;
Remove this one ^^. Instead, configure it only per view
>
> forwarders {
> 8.8.8.8;
> 8.8.4.4;
> };
>
> /* DNSSEC related options. See information about keys ("Trusted keys",
> bellow) */
>
> /* Enable serving of DNSSEC related data - enable on both authoritative
> and recursive servers DNSSEC aware servers */
> dnssec-enable yes;
>
> /* Enable DNSSEC validation on recursive servers */
> dnssec-validation yes;
>
> /* In Fedora we use /run/named instead of default /var/run/named
> so we have to configure paths properly. */
> pid-file "/run/named/named.pid";
> session-keyfile "/run/named/session.key";
>
> managed-keys-directory "/var/named/dynamic";
>
> /* In Fedora we use system-wide Crypto Policy */
> /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
> include "/etc/crypto-policies/back-ends/bind.config";
>
> /* use querylog all the time rndc */
> querylog yes;
> };
>
> logging {
> channel default_file {
> file "/var/log/named/default.log" versions 3 size 5m;
> severity dynamic;
> print-time yes;
> print-category yes;
> print-severity yes;
> };
> default.log:12-Nov-2020 22:16:58.021 query-errors: info: client
> @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view
> external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/AAAA
> at ../../../bin/named/query.c:7270
> default.log:12-Nov-2020 22:16:58.503 query-errors: info: client
> @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view
> external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/A
> at ../../../bin/named/query.c:7270
> default.log:12-Nov-2020 22:16:59.036 query-errors: info: client
> @0x7f99e01bab90 60.215.138.163#52399 (ws.linuxlighthouse.com): view
> external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/A
> at ../../../bin/named/query.c:7270
Client 60.215.138.163 does not match allow-query, so it is refused.
>
> channel security_file {
> severity debug 2;
> file "/var/log/named/security.log" versions 3 size 5m;
> print-time yes;
> print-category yes;
> print-severity yes;
> };
> security.log:12-Nov-2020 22:16:58.021 client @0x7f99e01bab90
> 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view:
> query 'ws.linuxlighthouse.com/AAAA/IN' denied
> security.log:12-Nov-2020 22:16:58.503 client @0x7f99e01bab90
> 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view:
> query 'ws.linuxlighthouse.com/A/IN' denied
> security.log:12-Nov-2020 22:16:59.036 client @0x7f99e01bab90
> 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view:
> query 'ws.linuxlighthouse.com/A/IN' denied
>
> channel queries_file {
> file "/var/log/named/queries.log" versions 3 size 5m;
> severity debug 3;
> print-time yes;
> print-category yes;
> print-severity yes;
> };
> queries.log:12-Nov-2020 22:16:58.021 queries: info: client @0x7f99e01bab90
> 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view:
> query: ws.linuxlighthouse.com IN AAAA -E(0)DC (10.0.0.101)
> queries.log:12-Nov-2020 22:16:58.503 queries: info: client @0x7f99e01bab90
> 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view:
> query: ws.linuxlighthouse.com IN A -E(0)DC (10.0.0.101)
> queries.log:12-Nov-2020 22:16:59.036 queries: info: client @0x7f99e01bab90
> 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view: *query:
> ws.linuxlighthouse.com <http://ws.linuxlighthouse.com> IN A -E(0)DC
> (10.0.0.101)*
>
>
>
>
> category default { default_file; };
> category general { general_file; };
> category database { database_file; };
> category security { security_file; };
> category config { config_file; };
> category resolver { resolver_file; };
> category xfer-in { xfer-in_file; };
> category xfer-out { xfer-out_file; };
> category notify { notify_file; };
> category client { client_file; };
> category unmatched { unmatched_file; };
> category queries { queries_file; };
> category network { network_file; };
> category update { update_file; };
> category dispatch { dispatch_file; };
> category dnssec { dnssec_file; };
> category lame-servers { lame-servers_file; };
> };
>
> include "/etc/rndc.key";
>
> controls {
> inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
> };
>
> /* This view will contain zones you want to serve only to "internal" clients
> that connect via your directly attached LAN interfaces - "localnets" .
> */
>
> view "internal-lan-view"
> {
> match-clients { internals; };
> recursion yes;
>
> zone "linuxlighthouse.com" {
> type master;
> file "/var/named/internal.db";
> };
> };
>
> /* This view will contain zones you want to serve only to "external" clients
> that have addresses that are not match any above view: */
>
> view "external-wan-view"
> {
> match-clients { any; };
> recursion no;
>
> zone "linuxlighthouse.com" {
> type master;
> file "/var/named/linuxlighthouse.com.db";
> allow-query { any; };
> /*
> allow-transfer { slaves; };
> */
> };
>
> zone "213.220.108.in-addr.arpa" {
> type master;
> file "/var/named/213.220.108.in-addr.arpa";
> allow-query { any; };
> };
> };
>
>
> ; Authoritative data for linuxlighthouse.com zone
> ;
> ; $ORIGIN linuxlighthouse.com.
> $TTL 86400
> @ IN SOA ws.linuxlighthouse.com.
> root.linuxlighthouse.com. (
> 2020101601 ; serial
> 1D ; refresh
> 1H ; retry
> 1W ; expire
> 86400 ) ; minimum
> ;
> ;jack.craig.aptos@xxxxxxxxx
> ;
> @ IN NS ws
> IN MX 10 mail
> IN A 108.220.213.121
>
> ws IN A 108.220.213.121
> www IN A 108.220.213.121
> mail IN A 108.220.213.121
>
> ; cname later
> ;ws2 IN A 68.94.157.1
> ;dns157r8.sbcglobal.net. IN A 68.94.157.8
>
> ;
> ; DNSSEC/CAA setup
> ; example.org. CAA 128 issue "letsencrypt.org"
>
> ; linuxlighthouse.com. CAA 128 issue "letsencrypt.org"
>
>
> ;
> $include "/var/named/linuxlighthouse.com.db"
>
> @ IN A 10.0.0.1
> ws IN A 10.0.0.101
> www IN A 10.0.0.101
> ws2 IN A 10.0.0.102
>
> [jackc@ws ~$
>
>
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik@xxxxxxxxxx
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
