Re: F32 bind9 split dns debug

On Fri, Nov 13, 2020 at 10:12 PM Tim via users <users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On Fri, 2020-11-13 at 13:38 -0800, Jack Craig wrote:
> current named.conf
>
> options
> {
>         // Put files that named is allowed to write in the data/ directory:
>         directory               "/var/named";           // "Working" directory
>         dump-file               "data/cache_dump.db";
>         statistics-file         "data/named_stats.txt";
>         memstatistics-file      "data/named_mem_stats.txt";
>         secroots-file           "data/named.secroots";
>         recursing-file          "data/named.recursing";
>
>         listen-on port 53       { any; };
>         listen-on-v6 port 53    { any; };
>
>         allow-transfer    { 108.220.213.120/29; }; 
>
>         forwarders {
>                 8.8.8.8;
>                 8.8.4.4;
>         };

I found when I tried using forwarders, that all queries went to them,
not just the ones that the server couldn't answer for itself.



> controls {
>
>       inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
> };
>
> view "internal-lan-view"
> {
>         match-clients   { internals; };
>
>         allow-recursion { internals; };
>         allow-recursion-on { internals; };
>
>         zone "linuxlighthouse.com" {
>            type master;
>            file "/var/named/internal.db";
>            allow-query    { internals; };
>         };
> };

Above, you've used "match-clients," but haven't defined what
"internals" means (and I can't see "internals" listed as a predefined
term in the BIND docs).

e.g. acl "internals" { localhost; 192.168/16; 10.0/16; };

NB:  "acl" needs to be defined outside of the views clause.

I believe "localhost" and/or "localnets" are predefined terms that
could be useful to you.

see:  https://bind9.readthedocs.io/en/v9_16_6/reference.html

4.2.2. acl Statement Definition and Usage

The acl statement assigns a symbolic name to an address match list.
It gets its name from a primary use of address match lists: Access
Control Lists (ACLs).

The following ACLs are built-in:

"any" Matches all hosts.

"none" Matches no hosts.

"localhost" Matches the IPv4 and IPv6 addresses of all network
interfaces on the system. When addresses are added or removed, the
localhost ACL element is updated to reflect the changes.

"localnets" Matches any host on an IPv4 or IPv6 network for which the
system has an interface. When addresses are added or removed, the
localnets  ACL element is updated to reflect the changes. Some systems
do not provide a way to determine the prefix lengths of local
IPv6 addresses; in such a case, localnets only matches the local IPv6
addresses, just like localhost.

(Their definition of localhost goes beyond the "localhost simply means
127.0.0.1" that we're used to with hostnames.)

> view "external-wan-view"
> {
>         match-clients   { any; };
>         recursion no;
>
>         allow-query     { any; };
>         allow-transfer  { 108.220.213.120/29; };
>
>         zone "linuxlighthouse.com" {
>             type master;
>             file "/var/named/linuxlighthouse.com.db";
>         };
>
>         zone "213.220.108.in-addr.arpa" {
>             type master;
>             file "/var/named/213.220.108.in-addr.arpa";
>         };
> };
>

Since you've used "any" as a match, here, something else has to match
it before this clause, else this clause will always match it.

i.e. Your internal rules have to be first.

apologies for clipping the file, ...

/* LinuxLightHouse
   named.conf BIND DNS server 'named' configuration file
   for the Red Hat BIND distribution.  */

acl internals {
    10.0.0.0/24;
    127.0.0.0/8;
};

options
{
        // Put files that named is allowed to write in the data/ directory:
        directory               "/var/named";           // "Working" directory
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        secroots-file           "data/named.secroots";
        recursing-file          "data/named.recursing";

        listen-on port 53       { any; };
        listen-on-v6 port 53    { any; };

        allow-transfer    { 108.220.213.120/29; };

        allow-recursion { 10.0.0.0/24; };

        /* DNSSEC related options. See information about keys ("Trusted keys", below) */
        /* Enable serving of DNSSEC related data - enable on both authoritative
           and recursive servers DNSSEC aware servers */
        dnssec-enable yes;

        /* Enable DNSSEC validation on recursive servers */
        dnssec-validation yes;

        /* In Fedora we use /run/named instead of default /var/run/named
           so we have to configure paths properly. */
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        managed-keys-directory "/var/named/dynamic";

        /* In Fedora we use system-wide Crypto Policy */
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";

        /* use querylog all the time rndc */
        querylog yes;
};

include "/etc/rndc.key";

controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

view "internal-lan-view"
{
        match-clients { internals; };

        allow-recursion    { internals; };
        allow-recursion-on { internals; };
        allow-query        { internals; };

        zone "linuxlighthouse.com" {
                type master;
                file "/var/named/internal.db";
        };
};

view "external-wan-view"
{
        match-clients      { any; };
        match-destinations { any; };
        recursion no;

        allow-query     { any; };
        allow-transfer  { 108.220.213.120/29; };

        zone "linuxlighthouse.com" {
                type master;
                file "/var/named/linuxlighthouse.com.db";
        };

        zone "213.220.108.in-addr.arpa" {
                type master;
                file "/var/named/213.220.108.in-addr.arpa";
        };
};

14-Nov-2020 05:04:11.931 query-errors: info: client @0x7f52380dc520 ::1#47114 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/NS at ../../../bin/named/query.c:7270
14-Nov-2020 05:06:54.149 query-errors: info: client @0x7f52381c9760 137.226.113.35#18392 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/ANY at ../../../bin/named/query.c:7270
14-Nov-2020 05:07:16.323 query-errors: info: client @0x7f52381c9760 184.94.241.121#52528 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
14-Nov-2020 05:07:16.354 query-errors: info: client @0x7f52381c9760 184.94.241.121#10468 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
14-Nov-2020 05:07:16.520 query-errors: info: client @0x7f52381c9760 184.94.241.121#33732 (ws.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/AAAA at ../../../bin/named/query.c:7270
14-Nov-2020 05:07:25.119 query-errors: info: client @0x7f52381c9760 184.94.241.121#11455 (www.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for www.linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
14-Nov-2020 05:03:32.658 general: info: managed-keys-zone/internal-lan-view: loaded serial 0
14-Nov-2020 05:03:32.658 general: info: managed-keys-zone/external-wan-view: loaded serial 0
14-Nov-2020 05:03:32.658 general: info: zone linuxlighthouse.com/IN/internal-lan-view: loaded serial 2020101601
14-Nov-2020 05:03:32.658 general: info: zone 213.220.108.in-addr.arpa/IN/external-wan-view: loaded serial 2020101601
14-Nov-2020 05:03:32.658 general: info: zone linuxlighthouse.com/IN/external-wan-view: loaded serial 2020101601
14-Nov-2020 05:03:32.658 general: notice: all zones loaded
14-Nov-2020 05:03:32.658 general: notice: running
14-Nov-2020 05:04:11.931 queries: info: client @0x7f52380dc520 ::1#47114 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN NS +E(0)K (::1)
14-Nov-2020 05:06:54.149 queries: info: client @0x7f52381c9760 137.226.113.35#18392 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN ANY -E(0)D (10.0.0.101)
14-Nov-2020 05:07:16.323 queries: info: client @0x7f52381c9760 184.94.241.121#52528 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN A -E(0)D (10.0.0.101)
14-Nov-2020 05:07:16.354 queries: info: client @0x7f52381c9760 184.94.241.121#10468 (linuxlighthouse.com): view external-wan-view: query: linuxlighthouse.com IN A -E(0)D (10.0.0.101)
14-Nov-2020 05:07:16.520 queries: info: client @0x7f52381c9760 184.94.241.121#33732 (ws.linuxlighthouse.com): view external-wan-view: query: ws.linuxlighthouse.com IN AAAA -E(0)DC (10.0.0.101)
14-Nov-2020 05:07:25.119 queries: info: client @0x7f52381c9760 184.94.241.121#11455 (www.linuxlighthouse.com): view external-wan-view: query: www.linuxlighthouse.com IN A -E(0)D (10.0.0.101)
14-Nov-2020 05:04:11.931 client @0x7f52380dc520 ::1#47114 (linuxlighthouse.com): view external-wan-view: query 'linuxlighthouse.com/NS/IN' denied
14-Nov-2020 05:06:54.149 client @0x7f52381c9760 137.226.113.35#18392 (linuxlighthouse.com): view external-wan-view: query 'linuxlighthouse.com/ANY/IN' denied
14-Nov-2020 05:07:16.323 client @0x7f52381c9760 184.94.241.121#52528 (linuxlighthouse.com): view external-wan-view: query 'linuxlighthouse.com/A/IN' denied
14-Nov-2020 05:07:16.354 client @0x7f52381c9760 184.94.241.121#10468 (linuxlighthouse.com): view external-wan-view: query 'linuxlighthouse.com/A/IN' denied
14-Nov-2020 05:07:16.520 client @0x7f52381c9760 184.94.241.121#33732 (ws.linuxlighthouse.com): view external-wan-view: query 'ws.linuxlighthouse.com/AAAA/IN' denied
14-Nov-2020 05:07:25.119 client @0x7f52381c9760 184.94.241.121#11455 (www.linuxlighthouse.com): view external-wan-view: query 'www.linuxlighthouse.com/A/IN' denied

???

logging {
    channel default_debug {
        file "/var/log/named/named.run" versions 3 size 5m;
           ...

bind.x86_64                                        :9.11.23-1.fc32                        
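The view-selection behaviour Tim describes (first view whose match-clients accepts the source address wins, so the `any` view must come last) can be checked offline against the posted ACL and the query-errors lines above. The following is an added example, written for this thread and not code from the BIND project or from either poster. It transcribes the `internals` ACL and the two views' match-clients from the posted named.conf, evaluates BIND-style address match lists (first match decides, a leading `!` rejects, nested ACL names are expanded; match-destinations and match-recursive-only are assumed away), and then parses three query-errors lines copied from the post to confirm the logged view is the one the ACLs predict. One thing it makes visible: `internals` holds only IPv4 prefixes, so the `::1` query in the log correctly lands in `external-wan-view`, which is why Tim's suggestion of the built-in `localhost` ACL (IPv4 and IPv6 interface addresses) is relevant. Where `consistent` is true, the client reached the intended view and the REFUSED answer has to come from that view's own query policy rather than from view matching.

```python
"""
Split-DNS view selection check for the named.conf posted in this thread.

Constructed example, not BIND project code: the ACL and view definitions
below are transcribed from the posted named.conf, and SAMPLE_LOG holds
three query-errors lines copied from the same post. BIND evaluates an
address match list left to right, the first matching element decides,
and a leading "!" turns a match into a rejection; views are tried in
the order they appear in the file, so a client lands in the first view
whose match-clients accepts it (match-destinations is ignored here).
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Named ACLs. "internals" is exactly what the post defines: IPv4 only,
# so ::1 (the IPv6 loopback) is not an "internal" client.
ACLS: Dict[str, List[str]] = {
    "internals": ["10.0.0.0/24", "127.0.0.0/8"],
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
}

# match-clients of each view, in file order (order matters: "any" last).
VIEWS: List[Tuple[str, List[str]]] = [
    ("internal-lan-view", ["internals"]),
    ("external-wan-view", ["any"]),
]


def match_list(addr: str, elements: List[str]) -> bool:
    """Evaluate a BIND-style address match list for one client address.

    Elements are CIDR prefixes or names of other ACLs, optionally prefixed
    with "!" (negation). Returns True when the list accepts the address.
    """
    ip = ipaddress.ip_address(addr)
    for elem in elements:
        negate = elem.startswith("!")
        target = elem.lstrip("!")
        if target in ACLS:
            hit = match_list(addr, ACLS[target])
        else:
            net = ipaddress.ip_network(target, strict=False)
            hit = ip.version == net.version and ip in net
        if hit:
            return not negate
    return False


def select_view(addr: str) -> str:
    """Return the name of the first view whose match-clients accepts addr."""
    for name, clients in VIEWS:
        if match_list(addr, clients):
            return name
    return "<no matching view>"


# Constructed input: query-errors lines taken from the post.
SAMPLE_LOG = """\
14-Nov-2020 05:04:11.931 query-errors: info: client @0x7f52380dc520 ::1#47114 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/NS at ../../../bin/named/query.c:7270
14-Nov-2020 05:06:54.149 query-errors: info: client @0x7f52381c9760 137.226.113.35#18392 (linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for linuxlighthouse.com/IN/ANY at ../../../bin/named/query.c:7270
14-Nov-2020 05:07:25.119 query-errors: info: client @0x7f52381c9760 184.94.241.121#11455 (www.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for www.linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
""".splitlines()

# Client address, view, rcode and query name of a BIND 9.11 query-errors line.
LOG_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<ip>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"view (?P<view>[\w-]+): query failed \((?P<rcode>\w+)\) for (?P<qname>\S+)"
)


def parse_query_errors(lines: List[str]) -> List[Dict[str, str]]:
    """Pull client IP, view, rcode and query name out of query-errors lines."""
    rows = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            rows.append(m.groupdict())
    return rows


def audit(lines: List[str]) -> List[Dict[str, object]]:
    """Check that the view named in each refused query is the one the ACLs predict."""
    report = []
    for row in parse_query_errors(lines):
        predicted = select_view(row["ip"])
        report.append({**row, "predicted_view": predicted,
                       "consistent": predicted == row["view"]})
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```

Run it against a larger slice of named.run to see, per client, whether a refusal is a view-matching problem (predicted view differs from the logged one: fix the ACL or view order) or a policy problem inside the right view (predicted and logged agree: look at that view's allow-query and zone settings).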

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx