Perhaps I overlooked, but I miss one line.
About “query”
I have also:
allow-query { 0.0.0.0/0; ::1/128; 2001:470::/32; };
Perhaps allow-query { any; }; would be sufficient...
From: "Tim via users" <users@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Friday, 20 November 2020 at 05:31:31
To: "users@xxxxxxxxxxxxxxxxxxxxxxx" <users@xxxxxxxxxxxxxxxxxxxxxxx>
Cc: "Tim" <ignored_mailbox@xxxxxxxxxxxx>
Subject: Re: F32 bind9 split dns debug
On Thu, 2020-11-19 at 11:15 -0800, Jack Craig wrote:
> your below has resulted na god external.view, but my internal.db
> keeps giving out of zone errors.
> do you have input for the internal view as you did for external view?
> what am i missing?
I've done the following tests on my name server:
I've inserted some acls into the named.conf file, the middle two are
the hostnames and IPs of some PCs on the LAN, the last is the original
"everyone on my LAN" declaration:
acl "itself" {
127.0.0.1;
};
acl "rocky" {
192.168.1.1;
};
acl "fluffy" {
192.168.1.12;
};
acl lan {
192.168/16;
127.0.0.1;
};
And inserted some views into the named.conf file before all the other
zone files:
view itself {
match-clients { itself; };
zone "viewtest" {
type master;
file "viewtest.itself.zone";
};
};
view rocky {
match-clients { rocky; };
zone "viewtest" {
type master;
file "viewtest.rocky.zone";
};
};
view fluffy {
match-clients { fluffy; };
zone "viewtest" {
type master;
file "viewtest.fluffy.zone";
};
};
view lan {
match-clients { any; };
zone "viewtest" {
type master;
file "viewtest.lan.zone";
};
// the rest of my original zone files are here
};
With the last entry being a fall-back with my pre-existing zone records.
And created those zone files thus:
viewtest.itself.zone file:
$ORIGIN .
$TTL 86400 ; 1 day
viewtest IN SOA viewtest. hostmaster.viewtest (
42 ; serial
300 ; refresh (5 minutes)
900 ; retry (15 minutes)
3600 ; expire (1 hour)
1800 ; minimum (30 minutes)
)
NS ns.viewtest.
A 192.168.1.1
MX 1 mail.viewtest.
$ORIGIN viewtest.
ns A 192.168.1.1
www A 127.0.0.1
viewtest.rocky.zone file:
$ORIGIN .
$TTL 86400 ; 1 day
viewtest IN SOA viewtest. hostmaster.viewtest (
42 ; serial
300 ; refresh (5 minutes)
900 ; retry (15 minutes)
3600 ; expire (1 hour)
1800 ; minimum (30 minutes)
)
NS ns.viewtest.
A 192.168.1.1
MX 1 mail.viewtest.
$ORIGIN viewtest.
ns A 192.168.1.1
www A 192.168.1.1
the viewtest.fluffy.zone file:
$ORIGIN .
$TTL 86400 ; 1 day
viewtest IN SOA viewtest. hostmaster.viewtest (
42 ; serial
300 ; refresh (5 minutes)
900 ; retry (15 minutes)
3600 ; expire (1 hour)
1800 ; minimum (30 minutes)
)
NS ns.viewtest.
A 192.168.1.1
MX 1 mail.viewtest.
$ORIGIN viewtest.
ns A 192.168.1.1
www A 192.168.1.12
the viewtest.lan.zone file:
$ORIGIN .
$TTL 86400 ; 1 day
viewtest IN SOA viewtest. hostmaster.viewtest (
42 ; serial
300 ; refresh (5 minutes)
900 ; retry (15 minutes)
3600 ; expire (1 hour)
1800 ; minimum (30 minutes)
)
NS ns.viewtest.
A 192.168.1.1
MX 1 mail.viewtest.
$ORIGIN viewtest.
ns A 192.168.1.1
www A 192.168.1.112
In those zone files, I've set the www record to different IPs for each
record, but left everything else the same.
When I do a "dig www.viewtest" command on the rocky PC (so called for
being a wobbly case), I get the expected result of 127.0.0.1. The
nameserver is running on that machine, and the command line comes from
localhost rather than its network address.
When I do a "dig www.viewtest @192.168.1.1" command on the rocky PC, I
get the expected result of 192.168.1.1. This time I've told dig to
query a specific address, and it's bypassing localhost.
When I do a "dig www.viewtest" command on the fluffy PC (so called for
the box being full of fluff when I acquired it - yes I like obvious
names), I get the expected result of 192.168.1.12.
When I do a "dig www.viewtest" command on another PC that doesn't have
a specific ACL, I get the expected fallback 192.168.1.112 address.
So, ACL and VIEW declarations work as expected here (specific matches
get their special answers, everyone else gets the fallback). I'll
admit that the server is running CentOS 7, and the client is Fedora 32,
but the installation of BIND is bind-9.11.4-26.P2.el7_9.2.x86_64, and
I'd expect Fedora's to work the same.
Things to watch out for:
Overlaps of identities: In my case, I did the test on the nameserver
PC (rocky) and two separate ones. The server PC has two IPs that could
be used in its communications (127.0.0.1 and 192.168.1.1), the
localhost address was what it used as that's how the machines work by
default (localtraffic on the localhost).
Typing errors: The names used in ACLs must exactly match the names
inside the MATCH-CLIENTS used inside the VIEWs. I've also used the
same name for the VIEW, and inside the zone filename, just for my own
convenience of not making mistakes. Check you've written match-clients
and not match-client. Check you've got braces and semi-colons in the
right places. Check you've written the correct filenames inside the
zone declarations. Check you've typed IP addresses correctly.
When testing your external IP, how are you testing it? Are you
actually doing a query from an outside machine? Are you using the IP
you think you are?
--
uname -rsvp
Linux 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64
Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
> your below has resulted na god external.view, but my internal.db
> keeps giving out of zone errors.
> do you have input for the internal view as you did for external view?
> what am i missing?
I've done the following tests on my name server:
I've inserted some acls into the named.conf file, the middle two are
the hostnames and IPs of some PCs on the LAN, the last is the original
"everyone on my LAN" declaration:
acl "itself" {
127.0.0.1;
};
acl "rocky" {
192.168.1.1;
};
acl "fluffy" {
192.168.1.12;
};
acl lan {
192.168/16;
127.0.0.1;
};
And inserted some views into the named.conf file before all the other
zone files:
view itself {
match-clients { itself; };
zone "viewtest" {
type master;
file "viewtest.itself.zone";
};
};
view rocky {
match-clients { rocky; };
zone "viewtest" {
type master;
file "viewtest.rocky.zone";
};
};
view fluffy {
match-clients { fluffy; };
zone "viewtest" {
type master;
file "viewtest.fluffy.zone";
};
};
view lan {
match-clients { any; };
zone "viewtest" {
type master;
file "viewtest.lan.zone";
};
// the rest of my original zone files are here
};
With the last entry being a fall-back with my pre-existing zone records.
And created those zone files thus:
viewtest.itself.zone file:
$ORIGIN .
$TTL 86400 ; 1 day
viewtest IN SOA viewtest. hostmaster.viewtest (
42 ; serial
300 ; refresh (5 minutes)
900 ; retry (15 minutes)
3600 ; expire (1 hour)
1800 ; minimum (30 minutes)
)
NS ns.viewtest.
A 192.168.1.1
MX 1 mail.viewtest.
$ORIGIN viewtest.
ns A 192.168.1.1
www A 127.0.0.1
viewtest.rocky.zone file:
$ORIGIN .
$TTL 86400 ; 1 day
viewtest IN SOA viewtest. hostmaster.viewtest (
42 ; serial
300 ; refresh (5 minutes)
900 ; retry (15 minutes)
3600 ; expire (1 hour)
1800 ; minimum (30 minutes)
)
NS ns.viewtest.
A 192.168.1.1
MX 1 mail.viewtest.
$ORIGIN viewtest.
ns A 192.168.1.1
www A 192.168.1.1
the viewtest.fluffy.zone file:
$ORIGIN .
$TTL 86400 ; 1 day
viewtest IN SOA viewtest. hostmaster.viewtest (
42 ; serial
300 ; refresh (5 minutes)
900 ; retry (15 minutes)
3600 ; expire (1 hour)
1800 ; minimum (30 minutes)
)
NS ns.viewtest.
A 192.168.1.1
MX 1 mail.viewtest.
$ORIGIN viewtest.
ns A 192.168.1.1
www A 192.168.1.12
the viewtest.lan.zone file:
$ORIGIN .
$TTL 86400 ; 1 day
viewtest IN SOA viewtest. hostmaster.viewtest (
42 ; serial
300 ; refresh (5 minutes)
900 ; retry (15 minutes)
3600 ; expire (1 hour)
1800 ; minimum (30 minutes)
)
NS ns.viewtest.
A 192.168.1.1
MX 1 mail.viewtest.
$ORIGIN viewtest.
ns A 192.168.1.1
www A 192.168.1.112
In those zone files, I've set the www record to different IPs for each
record, but left everything else the same.
When I do a "dig www.viewtest" command on the rocky PC (so called for
being a wobbly case), I get the expected result of 127.0.0.1. The
nameserver is running on that machine, and the command line comes from
localhost rather than its network address.
When I do a "dig www.viewtest @192.168.1.1" command on the rocky PC, I
get the expected result of 192.168.1.1. This time I've told dig to
query a specific address, and it's bypassing localhost.
When I do a "dig www.viewtest" command on the fluffy PC (so called for
the box being full of fluff when I acquired it - yes I like obvious
names), I get the expected result of 192.168.1.12.
When I do a "dig www.viewtest" command on another PC that doesn't have
a specific ACL, I get the expected fallback 192.168.1.112 address.
So, ACL and VIEW declarations work as expected here (specific matches
get their special answers, everyone else gets the fallback). I'll
admit that the server is running CentOS 7, and the client is Fedora 32,
but the installation of BIND is bind-9.11.4-26.P2.el7_9.2.x86_64, and
I'd expect Fedora's to work the same.
Things to watch out for:
Overlaps of identities: In my case, I did the test on the nameserver
PC (rocky) and two separate ones. The server PC has two IPs that could
be used in its communications (127.0.0.1 and 192.168.1.1), the
localhost address was what it used as that's how the machines work by
default (localtraffic on the localhost).
Typing errors: The names used in ACLs must exactly match the names
inside the MATCH-CLIENTS used inside the VIEWs. I've also used the
same name for the VIEW, and inside the zone filename, just for my own
convenience of not making mistakes. Check you've written match-clients
and not match-client. Check you've got braces and semi-colons in the
right places. Check you've written the correct filenames inside the
zone declarations. Check you've typed IP addresses correctly.
When testing your external IP, how are you testing it? Are you
actually doing a query from an outside machine? Are you using the IP
you think you are?
--
uname -rsvp
Linux 3.10.0-1160.6.1.el7.x86_64 #1 SMP Tue Nov 17 13:59:11 UTC 2020 x86_64
Boilerplate: All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx