Re: F32 bind9 split dns debug


 



First, a hearty thanks for your responses to date.

I have tried to apply the suggested changes, but it has not changed the initial behaviour,
so I am still missing something...

Additional suggestions? I am going to look at host, whois, nslookup for more info. Thx, jackc...

default.log:13-Nov-2020 13:30:43.484 query-errors: info: client @0x7f98541abfc0 40.69.104.72#54502 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
default.log:13-Nov-2020 13:30:49.778 query-errors: info: client @0x7f98541abfc0 40.69.104.77#49493 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270

queries.log:13-Nov-2020 13:30:43.484 queries: info: client @0x7f98541abfc0 40.69.104.72#54502 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN A -E(0)D (10.0.0.101)
queries.log:13-Nov-2020 13:30:49.778 queries: info: client @0x7f98541abfc0 40.69.104.77#49493 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN A -E(0)D (10.0.0.101)

security.log:13-Nov-2020 13:30:43.484 client @0x7f98541abfc0 40.69.104.72#54502 (linuxlighthouse.com): view external-wan-view: query 'linuxlighthouse.com/A/IN' denied
security.log:13-Nov-2020 13:30:49.778 client @0x7f98541abfc0 40.69.104.77#49493 (linuxlighthouse.com): view external-wan-view: query 'linuxlighthouse.com/A/IN' denied

Current named.conf:

options
{
        // Put files that named is allowed to write in the data/ directory:
        directory               "/var/named";           // "Working" directory
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        secroots-file           "data/named.secroots";
        recursing-file          "data/named.recursing";

        listen-on port 53       { any; };
        listen-on-v6 port 53    { any; };

        allow-transfer    { 108.220.213.120/29; };  

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

        /* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
        /* Enable serving of DNSSEC related data - enable on both authoritative
           and recursive servers DNSSEC aware servers */
        dnssec-enable yes;

        /* Enable DNSSEC validation on recursive servers */
        dnssec-validation yes;

        /* In Fedora we use /run/named instead of default /var/run/named
           so we have to configure paths properly. */
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        managed-keys-directory "/var/named/dynamic";

        /* In Fedora we use system-wide Crypto Policy */
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";

        /* use querylog all the time rndc */
        querylog yes;
};


controls {
      inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

view "internal-lan-view"
{
        match-clients   { internals; };

        allow-recursion { internals; };
        allow-recursion-on { internals; };

        zone "linuxlighthouse.com" {
           type master;
           file "/var/named/internal.db";
           allow-query    { internals; };
        };
};

view "external-wan-view"
{
        match-clients   { any; };
        recursion no;

        allow-query     { any; };
        allow-transfer  { 108.220.213.120/29; };

        zone "linuxlighthouse.com" {
            type master;
            file "/var/named/linuxlighthouse.com.db";
        };

        zone "213.220.108.in-addr.arpa" {
            type master;
            file "/var/named/213.220.108.in-addr.arpa";
        };
};







On Fri, Nov 13, 2020 at 6:10 AM Petr Menšík <pemensik@xxxxxxxxxx> wrote:
Hi Jack,

On 11/13/20 8:02 AM, Jack Craig wrote:
> hi all,
> any dns pros in the house??
>
> i am trying to debug a split view dns.
> i am using F32 & bind9 where i have internal & external views.
>
> internal network 10.0.0.0/24, external 108.220.213.120/29
>
> what i think i am seeing is a refusal of query, but Why??
>
> where can i find a query_log print-severity definition?
>
> dig shows, ...
>
> dig ws.linuxlighthouse.com ns
>
> ; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc32 <<>> ws.linuxlighthouse.com ns
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45484
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;ws.linuxlighthouse.com. IN NS
>
> ;; Query time: 355 msec
> ;; SERVER: 10.0.0.1#53(10.0.0.1)
> ;; WHEN: Thu Nov 12 22:53:45 PST 2020
> ;; MSG SIZE  rcvd: 51
>
> dig 108.220.213.121
>
> ; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc32 <<>> 108.220.213.121
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46338
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;108.220.213.121. IN A
>
> ;; ANSWER SECTION:
> 108.220.213.121. 0 IN A 108.220.213.121
>
> ;; Query time: 1 msec
> ;; SERVER: 10.0.0.1#53(10.0.0.1)
> ;; WHEN: Thu Nov 12 22:54:52 PST 2020
> ;; MSG SIZE  rcvd: 60
>
> suggestions?
>
> tia, jackc...
>
>
> my named.conf
>
> /* top of file */
>
> acl slaves {
>     108.220.213.122;
> };
>
> acl internals {
>     10.0.0.0/24;
>     127.0.0.0/8;
> };
>
> /*
>     108.220.213.120/29;
> */
>
> options
> {
>         // Put files that named is allowed to write in the data/ directory:
>         directory               "/var/named";           // "Working" directory
>         dump-file               "data/cache_dump.db";
>         statistics-file         "data/named_stats.txt";
>         memstatistics-file      "data/named_mem_stats.txt";
>         secroots-file           "data/named.secroots";
>         recursing-file          "data/named.recursing";
>
>         listen-on port 53       { localhost; };
Localhost usually has only 127.0.0.0/8 and ::1 addresses. Without both the
internal and external addresses, or any;, outside IPv4 packets would never
reach bind.
>         listen-on-v6 port 53    { any; };
>
>         allow-query  { internals;  };
Move this to views. allow-query includes recursive and non-recursive
queries. It is kind of a firewall equivalent: just let it inside or not.
>         allow-query-cache { any; };
Unless you override this in a view, this would make your (internal) cache
open to the outside world. If it would act authoritative for outside and
recursive for inside clients, I would recommend removing these two and
using just allow-recursion { internals; };
allow-recursion-on { internals; };

in the specific view.
>         allow-transfer    { 108.220.213.120/29; };
It is better to use keys to authenticate. Check tsig-keygen(8) manual page.
>
>         recursion yes;
Remove this one ^^. Instead, configure it only per view.
>
>         forwarders {
>                 8.8.8.8;
>                 8.8.4.4;
>         };
>
>         /* DNSSEC related options. See information about keys ("Trusted keys",
>            below) */
>
>         /* Enable serving of DNSSEC related data - enable on both authoritative
>            and recursive servers DNSSEC aware servers */
>         dnssec-enable yes;
>
>         /* Enable DNSSEC validation on recursive servers */
>         dnssec-validation yes;
>
>         /* In Fedora we use /run/named instead of default /var/run/named
>            so we have to configure paths properly. */
>         pid-file "/run/named/named.pid";
>         session-keyfile "/run/named/session.key";
>
>         managed-keys-directory "/var/named/dynamic";
>
>         /* In Fedora we use system-wide Crypto Policy */
>         /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
>         include "/etc/crypto-policies/back-ends/bind.config";
>
>         /* use querylog all the time rndc */
>         querylog yes;
> };
>
> logging {
>     channel default_file {
>         file "/var/log/named/default.log" versions 3 size 5m;
>         severity dynamic;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>     };
> default.log:12-Nov-2020 22:16:58.021 query-errors: info: client
> @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view
> external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/AAAA
> at ../../../bin/named/query.c:7270
> default.log:12-Nov-2020 22:16:58.503 query-errors: info: client
> @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view
> external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/A
> at ../../../bin/named/query.c:7270
> default.log:12-Nov-2020 22:16:59.036 query-errors: info: client
> @0x7f99e01bab90 60.215.138.163#52399 (ws.linuxlighthouse.com): view
> external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/A
> at ../../../bin/named/query.c:7270

Client 60.215.138.163 does not match allow-query, so it is refused.
>
>     channel security_file {
>         severity debug 2;
>         file "/var/log/named/security.log" versions 3 size 5m;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>     };
> security.log:12-Nov-2020 22:16:58.021 client @0x7f99e01bab90
> 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view:
> query 'ws.linuxlighthouse.com/AAAA/IN' denied
> security.log:12-Nov-2020 22:16:58.503 client @0x7f99e01bab90
> 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view:
> query 'ws.linuxlighthouse.com/A/IN' denied
> security.log:12-Nov-2020 22:16:59.036 client @0x7f99e01bab90
> 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view:
> query 'ws.linuxlighthouse.com/A/IN' denied
>
>     channel queries_file {
>         file "/var/log/named/queries.log" versions 3 size 5m;
>         severity debug 3;
>         print-time yes;
>         print-category yes;
>         print-severity yes;
>     };
> queries.log:12-Nov-2020 22:16:58.021 queries: info: client @0x7f99e01bab90
> 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view:
> query: ws.linuxlighthouse.com IN AAAA -E(0)DC (10.0.0.101)
> queries.log:12-Nov-2020 22:16:58.503 queries: info: client @0x7f99e01bab90
> 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view:
> query: ws.linuxlighthouse.com IN A -E(0)DC (10.0.0.101)
> queries.log:12-Nov-2020 22:16:59.036 queries: info: client @0x7f99e01bab90
> 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view: query:
> ws.linuxlighthouse.com IN A -E(0)DC (10.0.0.101)
>
>
>
>
>     category default { default_file; };
>     category general { general_file; };
>     category database { database_file; };
>     category security { security_file; };
>     category config { config_file; };
>     category resolver { resolver_file; };
>     category xfer-in { xfer-in_file; };
>     category xfer-out { xfer-out_file; };
>     category notify { notify_file; };
>     category client { client_file; };
>     category unmatched { unmatched_file; };
>     category queries { queries_file; };
>     category network { network_file; };
>     category update { update_file; };
>     category dispatch { dispatch_file; };
>     category dnssec { dnssec_file; };
>     category lame-servers { lame-servers_file; };
> };
>
> include "/etc/rndc.key";
>
> controls {
>       inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
> };
>
> /* This view will contain zones you want to serve only to "internal" clients
>    that connect via your directly attached LAN interfaces - "localnets" .
>  */
>
> view "internal-lan-view"
> {
>         match-clients    { internals; };
>         recursion yes;
>
>         zone "linuxlighthouse.com" {
>                 type master;
>                 file "/var/named/internal.db";
>         };
> };
>
> /* This view will contain zones you want to serve only to "external" clients
>    that have addresses that are not match any above view: */
>
> view "external-wan-view"
> {
>         match-clients   { any; };
>         recursion no;
>
>         zone "linuxlighthouse.com" {
>                 type master;
>                 file "/var/named/linuxlighthouse.com.db";
>                 allow-query     { any;  };
>                 /*
>                 allow-transfer { slaves; };
>                 */
>         };
>
>         zone "213.220.108.in-addr.arpa" {
>             type master;
>             file "/var/named/213.220.108.in-addr.arpa";
>             allow-query     { any;  };
>         };
> };
>
>
> ; Authoritative data for linuxlighthouse.com zone
> ;
> ; $ORIGIN linuxlighthouse.com.
> $TTL 86400
> @                        IN SOA  ws.linuxlighthouse.com.
> root.linuxlighthouse.com. (
>                                        2020101601      ; serial
>                                        1D              ; refresh
>                                        1H              ; retry
>                                        1W              ; expire
>                                        86400 )         ; minimum
> ;
> ;jack.craig.aptos@xxxxxxxxx
> ;
> @                         IN      NS     ws
>                           IN      MX  10 mail
>                           IN      A      108.220.213.121
>
> ws                        IN      A      108.220.213.121
> www                       IN      A      108.220.213.121
> mail                      IN      A      108.220.213.121
>
> ; cname later
> ;ws2                       IN      A      68.94.157.1
> ;dns157r8.sbcglobal.net.   IN      A      68.94.157.8
>
> ;
> ; DNSSEC/CAA setup
> ; example.org. CAA 128 issue "letsencrypt.org"
>
> ; linuxlighthouse.com.   CAA 128 issue "letsencrypt.org"
>
>
> ;
> $include "/var/named/linuxlighthouse.com.db"
>
> @                         IN     A     10.0.0.1
> ws                        IN     A     10.0.0.101
> www                       IN     A     10.0.0.101
> ws2                       IN     A     10.0.0.102
>
> [jackc@ws ~$
>
>

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik@xxxxxxxxxx
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
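The per-view layout that Petr's reply argues for (no global allow-query, allow-query-cache or recursion; recursion and cache access only in the internal view; transfers authenticated by key), written out as an added example. It is not the poster's file and not code from Petr or from the BIND project. It reuses the ACLs, addresses, view names and zone file names from the thread; the key name "xfer-key" and its secret are placeholders of mine (generate a real one with tsig-keygen, as Petr suggests), and listen-on { any; } is assumed because the queries log shows WAN clients arriving on 10.0.0.101, which suggests the public address is NATed to the host.

```conf
// Added example of a split-horizon named.conf; not the configuration from the thread.
// Assumptions: key "xfer-key" and its secret are placeholders; listen-on { any; }.

acl internals { 10.0.0.0/24; 127.0.0.0/8; };
acl slaves    { 108.220.213.122; };

// Generate with: tsig-keygen xfer-key   (keep the file root-only, mode 0640 named group)
key "xfer-key" {
        algorithm hmac-sha256;
        secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";
};

options {
        directory "/var/named";
        listen-on port 53    { any; };      // localhost alone never sees WAN packets
        listen-on-v6 port 53 { any; };

        // Deliberately absent here: allow-query, allow-query-cache, allow-recursion,
        // recursion, forwarders. Each view sets its own, so nothing leaks across views.
        allow-transfer { none; };           // transfers are granted per view below

        dnssec-validation yes;
        querylog yes;
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        managed-keys-directory "/var/named/dynamic";
        include "/etc/crypto-policies/back-ends/bind.config";
};

include "/etc/rndc.key";
controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

// Views are tried in order; the first match-clients that matches wins.
view "internal-lan-view" {
        match-clients      { internals; };
        recursion yes;
        allow-query        { internals; };
        allow-query-cache  { internals; };   // cache reachable only from the LAN
        allow-recursion    { internals; };
        allow-recursion-on { internals; };   // 10.0.0.101 is inside this range
        forwarders { 8.8.8.8; 8.8.4.4; };    // only the recursive view needs forwarders

        zone "linuxlighthouse.com" {
                type master;
                file "/var/named/internal.db";
        };
};

view "external-wan-view" {
        match-clients     { any; };          // everything that did not match internals
        recursion no;
        allow-query       { any; };          // authoritative answers for the public zones
        allow-query-cache { none; };         // explicit: no cache answers to the WAN
        allow-transfer    { key "xfer-key"; };  // authenticate the secondary by TSIG, not by source address

        zone "linuxlighthouse.com" {
                type master;
                file "/var/named/linuxlighthouse.com.db";
        };

        zone "213.220.108.in-addr.arpa" {
                type master;
                file "/var/named/213.220.108.in-addr.arpa";
        };
};
```

The secondary at 108.220.213.122 needs the same key statement plus `server 108.220.213.121 { keys { "xfer-key"; }; };` so that its AXFR/IXFR requests are signed. Before reloading, `named-checkconf -z /etc/named.conf` parses the file and loads every zone in every view, which catches a zone file that is referenced but absent. After `rndc reload`, the split should be visible from both sides: `dig @10.0.0.101 ws.linuxlighthouse.com A` from the LAN should return 10.0.0.101, while the same query from a WAN host should return 108.220.213.121 and carry the aa flag with no ra flag.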
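A way to triage the query-errors, security and queries log lines quoted in this thread and to replay BIND's ACL matching for a given client address, as an added POSIX shell example that is not part of the thread. The sample lines are copied from the log excerpts above and the ACL contents from the original named.conf; the function names (refused_summary, dest_addrs, ip2int, cidr_match, in_acl, view_for) are mine, and view_for models only the two views in this thread, tried in file order as BIND does. The trailing "(10.0.0.101)" that BIND appends to a queries-category line is the local address the query arrived on, which is what dest_addrs pulls out.

```sh
#!/bin/sh
# Added example, not from the thread: triage BIND 9.11 query-error / query log
# lines and replay BIND's address-match-list evaluation in POSIX sh.

# Constructed test input: lines copied from the log excerpts quoted in the thread.
SAMPLE_ERRORS='13-Nov-2020 13:30:43.484 query-errors: info: client @0x7f98541abfc0 40.69.104.72#54502 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
13-Nov-2020 13:30:49.778 query-errors: info: client @0x7f98541abfc0 40.69.104.77#49493 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
12-Nov-2020 22:16:58.021 query-errors: info: client @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/AAAA at ../../../bin/named/query.c:7270'

SAMPLE_QUERIES='13-Nov-2020 13:30:43.484 queries: info: client @0x7f98541abfc0 40.69.104.72#54502 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN A -E(0)D (10.0.0.101)
12-Nov-2020 22:16:58.021 queries: info: client @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view: query: ws.linuxlighthouse.com IN AAAA -E(0)DC (10.0.0.101)'

refused_summary() {
    # stdin: query-errors lines. Output: "view rcode client qname/class/type count",
    # so you can see at a glance which view refused whom and for what.
    awk '
        /query failed \(/ {
            client = ""; view = ""; rcode = ""; q = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "client") { client = $(i + 2); sub(/#.*/, "", client) }
                if ($i == "view")   { view = $(i + 1); sub(/:$/, "", view) }
                if ($i == "failed") { rcode = $(i + 1); gsub(/[()]/, "", rcode) }
                if ($i == "for")    { q = $(i + 1) }
            }
            n[view " " rcode " " client " " q]++
        }
        END { for (k in n) print k, n[k] }
    ' | sort
}

dest_addrs() {
    # stdin: queries-category lines. The last "(addr)" field is the local address
    # the query arrived on; distinct values show which interface/NAT path clients hit.
    awk '/ query: / { a = $NF; gsub(/[()]/, "", a); print a }' | sort -u
}

ip2int() {
    # Dotted quad -> 32-bit integer, shell arithmetic only.
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_match() {
    # cidr_match ADDR NET[/PREFIX]: exit 0 when ADDR lies inside the prefix.
    # A bare address is a /32, which is how BIND reads a plain acl element.
    cm_addr=$(ip2int "$1")
    cm_net=$(ip2int "${2%/*}")
    cm_bits=${2#*/}
    [ "$cm_bits" = "$2" ] && cm_bits=32
    cm_mask=$(( (4294967295 << (32 - cm_bits)) & 4294967295 ))
    [ $(( cm_addr & cm_mask )) -eq $(( cm_net & cm_mask )) ]
}

# acl internals { 10.0.0.0/24; 127.0.0.0/8; }; from the thread's named.conf.
INTERNALS='10.0.0.0/24 127.0.0.0/8'

in_acl() {
    # in_acl ADDR "elem elem ...": exit 0 if any element matches. Models plain
    # address elements only (no "!" negation, no nested acl names).
    ia_addr=$1
    for ia_e in $2; do
        cidr_match "$ia_addr" "$ia_e" && return 0
    done
    return 1
}

view_for() {
    # Views are evaluated in named.conf order; first matching match-clients wins.
    if in_acl "$1" "$INTERNALS"; then echo internal-lan-view; else echo external-wan-view; fi
}

# Demo run over the sample lines (the same functions work on the real log files):
#   refused_summary < /var/log/named/default.log
printf '%s\n' "$SAMPLE_ERRORS" | refused_summary
printf '%s\n' "$SAMPLE_QUERIES" | dest_addrs
for c in 40.69.104.72 10.0.0.101 108.220.213.122; do
    echo "$c -> $(view_for "$c")"
done
```

Both WAN clients in the thread resolve to external-wan-view, which is the view the log names, so the refusal is decided by that view's own allow-query (and any zone-level override), not by match-clients; dest_addrs showing only 10.0.0.101 for WAN sources is the hint that the public address is translated before it reaches named.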
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx