Re: F32 bind9 split dns debug

Wait, what BIND version are you trying to use?

http://linuxlighthouse.com should never show up in DNS, or at least I have
never seen it in bind logs. What exactly is the command used for the query?
A URL should not be there; only the most recent development version should
have support for DNS over HTTPS. I admit I have not tried it yet. For any
current Fedora package or COPR package, no URL with http should ever
appear. It can do DNS only; 9.16 might be able to do DNS over TLS, but
not HTTPS.

It should work with this:
dig @localhost -t A linuxlighthouse.com

# For external view, use correct external IP for outside interface.
dig @40.69.104.72 -b 40.69.104.72 -t A linuxlighthouse.com

Remember, only hostnames without a URL prefix must be used in DNS queries.

Cheers,
Petr

On 11/13/20 10:38 PM, Jack Craig wrote:
> First, a hearty thanks for your responses to date.
> 
> I have tried to apply the suggested changes, but it has not changed the
> initial behaviour,
> so I am still missing something...
> 
> Additional suggestions? I am going to look at host, who, whois, nslookup
> for more info. Thx, jackc...
> 
> 
> *default.log:13-Nov-2020 13:30:43.484 query-errors: info: client
> @0x7f98541abfc0 40.69.104.72#54502 (linuxlighthouse.com
> <http://linuxlighthouse.com>): view external-wan-view: query failed
> (REFUSED) for linuxlighthouse.com/IN/A <http://linuxlighthouse.com/IN/A> at
> ../../../bin/named/query.c:7270default.log:13-Nov-2020 13:30:49.778
> query-errors: info: client @0x7f98541abfc0 40.69.104.77#49493
> (linuxlighthouse.com <http://linuxlighthouse.com>): view external-wan-view:
> query failed (REFUSED) for linuxlighthouse.com/IN/A
> <http://linuxlighthouse.com/IN/A> at ../../../bin/named/query.c:7270*
> 
> 
> *queries.log:13-Nov-2020 13:30:43.484 queries: info: client @0x7f98541abfc0
> 40.69.104.72#54502 (linuxlighthouse.com <http://linuxlighthouse.com>): view
> external-wan-view: query: linuxlighthouse.com <http://linuxlighthouse.com>
> IN A -E(0)D (10.0.0.101)queries.log:13-Nov-2020 13:30:49.778 queries: info:
> client @0x7f98541abfc0 40.69.104.77#49493 (linuxlighthouse.com
> <http://linuxlighthouse.com>): view external-wan-view: query:
> linuxlighthouse.com <http://linuxlighthouse.com> IN A -E(0)D (10.0.0.101)*
> 
> *security.log:13-Nov-2020 13:30:43.484 client @0x7f98541abfc0
> 40.69.104.72#54502 (linuxlighthouse.com <http://linuxlighthouse.com>): view
> external-wan-view: query 'linuxlighthouse.com/A/IN
> <http://linuxlighthouse.com/A/IN>' denied*
> 
> *security.log:13-Nov-2020 13:30:49.778 client @0x7f98541abfc0
> 40.69.104.77#49493 (linuxlighthouse.com <http://linuxlighthouse.com>): view
> external-wan-view: query 'linuxlighthouse.com/A/IN
> <http://linuxlighthouse.com/A/IN>' denied*
> 
> current named.conf
> 
> options
> {
>         // Put files that named is allowed to write in the data/ directory:
>         directory               "/var/named";           // "Working" directory
>         dump-file               "data/cache_dump.db";
>         statistics-file         "data/named_stats.txt";
>         memstatistics-file      "data/named_mem_stats.txt";
>         secroots-file           "data/named.secroots";
>         recursing-file          "data/named.recursing";
> 
>         listen-on port 53       { any; };
>         listen-on-v6 port 53    { any; };
> 
>         allow-transfer    { 108.220.213.120/29; };
> 
>         forwarders {
>                 8.8.8.8;
>                 8.8.4.4;
>         };
> 
>         /* DNSSEC related options. See information about keys ("Trusted
> keys", below) */
>         /* Enable serving of DNSSEC related data - enable on both
> authoritative
>            and recursive servers DNSSEC aware servers */
>         dnssec-enable yes;
> 
>         /* Enable DNSSEC validation on recursive servers */
>         dnssec-validation yes;
> 
>         /* In Fedora we use /run/named instead of default /var/run/named
>            so we have to configure paths properly. */
>         pid-file "/run/named/named.pid";
>         session-keyfile "/run/named/session.key";
>         managed-keys-directory "/var/named/dynamic";
> 
>         /* In Fedora we use system-wide Crypto Policy */
>         /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
>         include "/etc/crypto-policies/back-ends/bind.config";
> 
>         /* use querylog all the time rndc */
>         querylog yes;
> };
> 
> 
> controls {
>       inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
> };
> 
> view "internal-lan-view"
> {
>         match-clients   { internals; };
> 
>         allow-recursion { internals; };
>         allow-recursion-on { internals; };
> 
>         zone "linuxlighthouse.com" {
>            type master;
>            file "/var/named/internal.db";
>            allow-query    { internals; };
>         };
> };
> 
> view "external-wan-view"
> {
>         match-clients   { any; };
>         recursion no;
> 
>         allow-query     { any; };
>         allow-transfer  { 108.220.213.120/29; };
> 
>         zone "linuxlighthouse.com" {
>             type master;
>             file "/var/named/linuxlighthouse.com.db";
>         };
> 
>         zone "213.220.108.in-addr.arpa" {
>             type master;
>             file "/var/named/213.220.108.in-addr.arpa";
>         };
> };
> 
> 
> 
> 
> 
> 
> 
> On Fri, Nov 13, 2020 at 6:10 AM Petr Menšík <pemensik@xxxxxxxxxx> wrote:
> 
>> Hi Jack,
>>
>> On 11/13/20 8:02 AM, Jack Craig wrote:
>>> Hi all,
>>> any DNS pros in the house??
>>>
>>> I am trying to debug a split view DNS.
>>> I am using F32 & bind9 where I have internal & external views.
>>>
>>> internal network 10.0.0.0/24, external 108.220.213.120/29
>>>
>>> What I think I am seeing is a refusal of the query, but why??
>>>
>>> Where can I find a query_log print-severity definition?
>>>
>>> dig shows, ...
>>>
>>> dig ws.linuxlighthouse.com ns
>>>
>>> ; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc32 <<>> ws.linuxlighthouse.com ns
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45484
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;ws.linuxlighthouse.com. IN NS
>>>
>>> ;; Query time: 355 msec
>>> ;; SERVER: 10.0.0.1#53(10.0.0.1)
>>> ;; WHEN: Thu Nov 12 22:53:45 PST 2020
>>> ;; MSG SIZE  rcvd: 51
>>>
>>> dig 108.220.213.121
>>>
>>> ; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc32 <<>> 108.220.213.121
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46338
>>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags:; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;108.220.213.121. IN A
>>>
>>> ;; ANSWER SECTION:
>>> 108.220.213.121. 0 IN A 108.220.213.121
>>>
>>> ;; Query time: 1 msec
>>> ;; SERVER: 10.0.0.1#53(10.0.0.1)
>>> ;; WHEN: Thu Nov 12 22:54:52 PST 2020
>>> ;; MSG SIZE  rcvd: 60
>>>
>>> suggestions?
>>>
>>> tia, jackc...
>>>
>>>
>>> my named.conf
>>>
>>> /* top of file */
>>>
>>> acl slaves {
>>>     108.220.213.122;
>>> };
>>>
>>> acl internals {
>>>     10.0.0.0/24;
>>>     127.0.0.0/8;
>>> };
>>>
>>> /*
>>>     108.220.213.120/29;
>>> */
>>>
>>> options
>>> {
>>> // Put files that named is allowed to write in the data/ directory:
>>> directory "/var/named"; // "Working" directory
>>> dump-file "data/cache_dump.db";
>>>         statistics-file "data/named_stats.txt";
>>>         memstatistics-file "data/named_mem_stats.txt";
>>> secroots-file "data/named.secroots";
>>> recursing-file "data/named.recursing";
>>>
>>> listen-on port 53 { localhost; };
>> Localhost usually has only 127.0.0.0/8 and ::1 addresses. Without both
>> the internal and external address, or any, an outside IPv4 packet would
>> never reach bind.
>>> listen-on-v6 port 53 { any; };
>>>
>>>         allow-query  { internals;  };
>> Move this to views. allow-query covers both recursive and non-recursive
>> queries. It is a kind of firewall equivalent: it just lets a query in or not.
>>> allow-query-cache { any; };
>> Unless you override this in a view, this would make your (internal) cache
>> open to the outside world. If it should act authoritative for outside and
>> recursive for inside clients, I would recommend removing these two and
>> using just allow-recursion { internals; };
>> allow-recursion-on { internals; };
>>
>> in the specific view.
>>>         allow-transfer    { 108.220.213.120/29; };
>> It is better to use keys to authenticate. Check tsig-keygen(8) manual page.
>>>
>>> recursion yes;
>> Remove this one ^^. Instead, configure it only per view.
>>>
>>>         forwarders {
>>>                 8.8.8.8;
>>>                 8.8.4.4;
>>>         };
>>>
>>> /* DNSSEC related options. See information about keys ("Trusted keys",
>>> below) */
>>>
>>> /* Enable serving of DNSSEC related data - enable on both authoritative
>>>     and recursive servers DNSSEC aware servers */
>>> dnssec-enable yes;
>>>
>>> /* Enable DNSSEC validation on recursive servers */
>>> dnssec-validation yes;
>>>
>>> /* In Fedora we use /run/named instead of default /var/run/named
>>>   so we have to configure paths properly. */
>>> pid-file "/run/named/named.pid";
>>> session-keyfile "/run/named/session.key";
>>>
>>> managed-keys-directory "/var/named/dynamic";
>>>
>>>         /* In Fedora we use system-wide Crypto Policy */
>>>         /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
>>>         include "/etc/crypto-policies/back-ends/bind.config";
>>>
>>>         /* use querylog all the time rndc */
>>>         querylog yes;
>>> };
>>>
>>> logging {
>>>     channel default_file {
>>>         file "/var/log/named/default.log" versions 3 size 5m;
>>>         severity dynamic;
>>>         print-time yes;
>>>         print-category yes;
>>>         print-severity yes;
>>>     };
>>> default.log:12-Nov-2020 22:16:58.021 query-errors: info: client
>>> @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view
>>> external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/AAAA
>>> at ../../../bin/named/query.c:7270
>>> default.log:12-Nov-2020 22:16:58.503 query-errors: info: client
>>> @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view
>>> external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/A
>>> at ../../../bin/named/query.c:7270
>>> default.log:12-Nov-2020 22:16:59.036 query-errors: info: client
>>> @0x7f99e01bab90 60.215.138.163#52399 (ws.linuxlighthouse.com): view
>>> external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/A
>>> at ../../../bin/named/query.c:7270
>>
>> Client 60.215.138.163 does not match allow-query, so it is refused.
>>>
>>>     channel security_file {
>>>         severity debug 2;
>>>         file "/var/log/named/security.log" versions 3 size 5m;
>>>         print-time yes;
>>>         print-category yes;
>>>         print-severity yes;
>>>     };
>>> security.log:12-Nov-2020 22:16:58.021 client @0x7f99e01bab90
>>> 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view:
>>> query 'ws.linuxlighthouse.com/AAAA/IN' denied
>>> security.log:12-Nov-2020 22:16:58.503 client @0x7f99e01bab90
>>> 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view:
>>> query 'ws.linuxlighthouse.com/A/IN' denied
>>> security.log:12-Nov-2020 22:16:59.036 client @0x7f99e01bab90
>>> 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view:
>>> query 'ws.linuxlighthouse.com/A/IN' denied
>>>
>>>     channel queries_file {
>>>         file "/var/log/named/queries.log" versions 3 size 5m;
>>>         severity debug 3;
>>>         print-time yes;
>>>         print-category yes;
>>>         print-severity yes;
>>>     };
>>> queries.log:12-Nov-2020 22:16:58.021 queries: info: client @0x7f99e01bab90
>>> 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view:
>>> query: ws.linuxlighthouse.com IN AAAA -E(0)DC (10.0.0.101)
>>> queries.log:12-Nov-2020 22:16:58.503 queries: info: client @0x7f99e01bab90
>>> 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view:
>>> query: ws.linuxlighthouse.com IN A -E(0)DC (10.0.0.101)
>>> queries.log:12-Nov-2020 22:16:59.036 queries: info: client @0x7f99e01bab90
>>> 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view:
>>> query: ws.linuxlighthouse.com <http://ws.linuxlighthouse.com> IN A -E(0)DC
>>> (10.0.0.101)
>>>
>>>
>>>
>>>
>>>     category default { default_file; };
>>>     category general { general_file; };
>>>     category database { database_file; };
>>>     category security { security_file; };
>>>     category config { config_file; };
>>>     category resolver { resolver_file; };
>>>     category xfer-in { xfer-in_file; };
>>>     category xfer-out { xfer-out_file; };
>>>     category notify { notify_file; };
>>>     category client { client_file; };
>>>     category unmatched { unmatched_file; };
>>>     category queries { queries_file; };
>>>     category network { network_file; };
>>>     category update { update_file; };
>>>     category dispatch { dispatch_file; };
>>>     category dnssec { dnssec_file; };
>>>     category lame-servers { lame-servers_file; };
>>> };
>>>
>>> include "/etc/rndc.key";
>>>
>>> controls {
>>>       inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
>>> };
>>>
>>> /* This view will contain zones you want to serve only to "internal" clients
>>>    that connect via your directly attached LAN interfaces - "localnets" .
>>>  */
>>>
>>> view "internal-lan-view"
>>> {
>>> match-clients    { internals; };
>>> recursion yes;
>>>
>>> zone "linuxlighthouse.com" {
>>>            type master;
>>>            file "/var/named/internal.db";
>>> };
>>> };
>>>
>>> /* This view will contain zones you want to serve only to "external" clients
>>>    that have addresses that do not match any above view: */
>>>
>>> view "external-wan-view"
>>> {
>>> match-clients   { any; };
>>> recursion no;
>>>
>>> zone "linuxlighthouse.com" {
>>>             type master;
>>>             file "/var/named/linuxlighthouse.com.db";
>>>             allow-query     { any;  };
>>> /*
>>>             allow-transfer { slaves; };
>>> */
>>> };
>>>
>>>         zone "213.220.108.in-addr.arpa" {
>>>             type master;
>>>             file "/var/named/213.220.108.in-addr.arpa";
>>>             allow-query     { any;  };
>>>         };
>>> };
>>>
>>>
>>> ; Authoritative data for linuxlighthouse.com zone
>>> ;
>>> ; $ORIGIN linuxlighthouse.com.
>>> $TTL 86400
>>> @                        IN SOA  ws.linuxlighthouse.com.
>>> root.linuxlighthouse.com. (
>>>                                        2020101601      ; serial
>>>                                        1D              ; refresh
>>>                                        1H              ; retry
>>>                                        1W              ; expire
>>>                                        86400 )         ; minimum
>>> ;
>>> ;jack.craig.aptos@xxxxxxxxx
>>> ;
>>> @                         IN      NS     ws
>>>                           IN      MX  10 mail
>>>                           IN      A      108.220.213.121
>>>
>>> ws                        IN      A      108.220.213.121
>>> www                       IN      A      108.220.213.121
>>> mail                      IN      A      108.220.213.121
>>>
>>> ; cname later
>>> ;ws2                       IN      A      68.94.157.1
>>> ;dns157r8.sbcglobal.net.   IN      A      68.94.157.8
>>>
>>> ;
>>> ; DNSSEC/CAA setup
>>> ; example.org. CAA 128 issue "letsencrypt.org"
>>>
>>> ; linuxlighthouse.com.   CAA 128 issue "letsencrypt.org"
>>>
>>>
>>> ;
>>> $include "/var/named/linuxlighthouse.com.db"
>>>
>>> @                         IN     A     10.0.0.1
>>> ws                        IN     A     10.0.0.101
>>> www                       IN     A     10.0.0.101
>>> ws2                       IN     A     10.0.0.102
>>>
>>> [jackc@ws ~$
>>>
>>>
>>
>> --
>> Petr Menšík
>> Software Engineer
>> Red Hat, http://www.redhat.com/
>> email: pemensik@xxxxxxxxxx
>> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
>>
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik@xxxxxxxxxx
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
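The two ACL rules Petr's replies rely on (match-clients is tested view by view and the first match wins; an allow-query set in options {} is inherited by every view that does not set its own) can be checked offline against the log lines quoted in this thread. The script below is an added example written for this thread; it is not BIND code and nothing the list posted. It models only those two rules (zone-level ACLs, listen-on and TSIG keys are deliberately left out), takes the ACL names, prefixes and view names from the quoted named.conf, and parses two query-errors lines re-typed from the thread as constructed samples with the mail client's <http://...> link residue removed. The configuration names "first" and "second" and all function names are assumptions of this example.

```python
"""ACL model for the split-view setup discussed in this thread (added example,
not BIND code). Two rules are implemented: match-clients is tested view by view
in configuration order and the first match wins; allow-query from options {} is
inherited by every view that does not set its own (BIND default "any").
Zone-level ACLs, listen-on and TSIG keys are deliberately not modelled.
"""
import ipaddress
import re

# ACL names and prefixes from the named.conf quoted in the thread;
# "any" is BIND's built-in ACL.
ACLS = {
    "internals": ["10.0.0.0/24", "127.0.0.0/8"],
    "any": ["0.0.0.0/0", "::/0"],
}

# The two named.conf versions from the thread, reduced to the parts the model
# uses. The names "first" and "second" are ours.
CONFIGS = {
    "first": {  # options { allow-query { internals; }; }, views set nothing
        "options": {"allow-query": "internals"},
        "views": [
            {"name": "internal-lan-view", "match-clients": "internals"},
            {"name": "external-wan-view", "match-clients": "any"},
        ],
    },
    "second": {  # no global allow-query; external view allows any
        "options": {},
        "views": [
            {"name": "internal-lan-view", "match-clients": "internals"},
            {"name": "external-wan-view", "match-clients": "any",
             "allow-query": "any"},
        ],
    },
}


def acl_matches(acl_name, client_ip):
    """True if client_ip lies inside any prefix of the named ACL."""
    ip = ipaddress.ip_address(client_ip)
    for prefix in ACLS[acl_name]:
        net = ipaddress.ip_network(prefix)
        if net.version == ip.version and ip in net:
            return True
    return False


def select_view(config, client_ip):
    """First view whose match-clients ACL matches, or None."""
    for view in config["views"]:
        if acl_matches(view["match-clients"], client_ip):
            return view
    return None


def evaluate(config_name, client_ip):
    """Return (view name, 'NOERROR' or 'REFUSED') for a query from client_ip."""
    config = CONFIGS[config_name]
    view = select_view(config, client_ip)
    if view is None:
        return (None, "REFUSED")
    # View-level allow-query wins, then options-level, then BIND's default.
    acl = view.get("allow-query", config["options"].get("allow-query", "any"))
    return (view["name"], "NOERROR" if acl_matches(acl, client_ip) else "REFUSED")


# Parser for BIND "query-errors" log lines in the format seen in the thread.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) query-errors: info: client @0x[0-9a-f]+ "
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \((?P<qname>[^)]+)\): "
    r"view (?P<view>\S+): query failed \((?P<status>\w+)\) for "
    r"(?P<name>[^/ ]+)/(?P<class>\w+)/(?P<qtype>\w+) at "
)

# Two lines re-typed from the thread (constructed sample: the mail client's
# <http://...> link residue is removed and the "default.log:" prefix dropped).
SAMPLE_LOG = """\
12-Nov-2020 22:16:58.503 query-errors: info: client @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
13-Nov-2020 13:30:43.484 query-errors: info: client @0x7f98541abfc0 40.69.104.72#54502 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
"""


def parse_query_errors(text):
    """Return one dict per query-errors line; other lines are ignored."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def audit(config_name, text):
    """Compare each logged refusal with the model's verdict for that client
    under config_name; a mismatch means the cause is outside the two rules."""
    report = []
    for rec in parse_query_errors(text):
        view, status = evaluate(config_name, rec["ip"])
        report.append({
            "ip": rec["ip"], "qtype": rec["qtype"],
            "logged": (rec["view"], rec["status"]),
            "model": (view, status),
            "agrees": (view, status) == (rec["view"], rec["status"]),
        })
    return report
```

Under the "first" configuration the model refuses both logged clients for the same reason Petr gives: they fall into external-wan-view, which inherits allow-query { internals; } from options. Under the "second" configuration the model would answer the 40.69.104.72 query, yet the log shows REFUSED, so the cause of that refusal is not covered by the options/view ACLs modelled here and has to be looked for elsewhere (for example with `named-checkconf -p`, which prints the configuration as named parses it).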

