
Secure Bind DNS server problem


Arthur Stephens

Apr 18, 2005, 8:32:16 PM
I am trying to secure my DNS BIND version 9.2.5 servers so I found this
template
Secure BIND Template Version 4.8 12 APR 2005
By Rob Thomas, robt at cymru.com
After disabling these that complained at startup...

//pid-file "/var/named/named.pid";
//memstatistics-file "/var/named/named.memstats";

I got the server up and running. And successfully tested from inside.
But I noticed these in the logs right away.

Apr 18 13:46:11 daffy named[24498]: client 71.4.246.96#32770: query
'ptera.net/IN' denied
Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
'mail.aiin.com/IN' denied
Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
'mail.aiin.com/IN' denied
Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
'dns2.ptera.net/IN' denied
Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
'dns2.ptera.net/IN' denied
Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
'dns.ptera.net/IN' denied
Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query
'dns.ptera.net/IN' denied
Apr 18 13:46:36 daffy named[24498]: client 67.19.0.13#53: query
'aiin.com/IN' denied

This was not good. I then tried using tools at http://www.dnsstuff.com/

It returned that the DNS server refused to resolve the names. This is
bad because it means that people legitimately trying to get to
mail.aiin.com etc. couldn't. Just in case, here is the db file for aiin.com:

$ORIGIN .
$TTL 86400 ; 1 day
aiin.com IN SOA aiin.com. hostmaster.aain.com. (
2004111602 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
IN NS dns.ptera.net.
IN NS dns2.ptera.net.
IN A 216.255.223.207
IN MX 10 mail.aiin.com.
$ORIGIN aiin.com.
mail IN A 69.28.41.3
www IN A 216.255.223.207

As you can see their web server is hosted outside of our network but
their mail server is inside of our network. This worked before.

Can anyone look at the named.conf file below and tell me where I missed?

--
Arthur Stephens
Senior Sales Technician
Ptera Wireless Internet
aste...@ptera.net
509-927-Ptera

// @(#)named.conf 02 OCT 2001 Rob Thomas ro...@cymru.com
// Set up our ACLs
// In BIND 8, ACL names with quotes were treated as different from
// the same name without quotes. In BIND 9, both are treated as
// the same.
acl "xfer" {
216.229.160.10;
216.229.168.10;
64.35.138.13;
64.35.144.4;
69.28.32.10;
69.28.32.11;
69.28.32.15;
69.28.32.17;
69.28.32.9;
69.28.32.6;
// Allow no transfers. If we have other
// name servers, place them here.
// Note that in the Netherlands, for example,
// the TLD servers 193.176.144.2, 194.53.253.100, and 193.176.144.128/28
// are allowed to perform zone transfers from the domains under .nl. The
// RIPE NCC had requested in the past that reverse (in-addr.arpa) zones
// permit zone transfer requests from 193.0.0.0/23.
};

acl "trusted" {


// Place our internal and DMZ subnets in here so that
// intranet and DMZ clients may send DNS queries. This
// also prevents outside hosts from using our name server
// as a resolver for other domains.
216.229.171.0/24;
69.28.32.0/20;
localhost;


};

acl "bogon" {
// Filter out the bogon networks. These are networks
// listed by IANA as test, RFC1918, Multicast, experi-
// mental, etc. If you see DNS queries or updates with
// a source address within these networks, this is likely
// of malicious origin. CAUTION: If you are using RFC1918
// netblocks on your network, remove those netblocks from
// this list of blackhole ACLs!
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
5.0.0.0/8;
7.0.0.0/8;
10.0.0.0/8;
23.0.0.0/8;
27.0.0.0/8;
31.0.0.0/8;
36.0.0.0/8;
37.0.0.0/8;
39.0.0.0/8;
42.0.0.0/8;
49.0.0.0/8;
50.0.0.0/8;
74.0.0.0/8;
75.0.0.0/8;
76.0.0.0/8;
77.0.0.0/8;
78.0.0.0/8;
79.0.0.0/8;
89.0.0.0/8;
90.0.0.0/8;
91.0.0.0/8;
92.0.0.0/8;
93.0.0.0/8;
94.0.0.0/8;
95.0.0.0/8;
96.0.0.0/8;
97.0.0.0/8;
98.0.0.0/8;
99.0.0.0/8;
100.0.0.0/8;
101.0.0.0/8;
102.0.0.0/8;
103.0.0.0/8;
104.0.0.0/8;
105.0.0.0/8;
106.0.0.0/8;
107.0.0.0/8;
108.0.0.0/8;
109.0.0.0/8;
110.0.0.0/8;
111.0.0.0/8;
112.0.0.0/8;
113.0.0.0/8;
114.0.0.0/8;
115.0.0.0/8;
116.0.0.0/8;
117.0.0.0/8;
118.0.0.0/8;
119.0.0.0/8;
120.0.0.0/8;
121.0.0.0/8;
122.0.0.0/8;
123.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
173.0.0.0/8;
174.0.0.0/8;
175.0.0.0/8;
176.0.0.0/8;
177.0.0.0/8;
178.0.0.0/8;
179.0.0.0/8;
180.0.0.0/8;
181.0.0.0/8;
182.0.0.0/8;
183.0.0.0/8;
184.0.0.0/8;
185.0.0.0/8;
186.0.0.0/8;
187.0.0.0/8;
189.0.0.0/8;
190.0.0.0/8;
192.0.2.0/24;
192.168.0.0/16;
197.0.0.0/8;
223.0.0.0/8;
224.0.0.0/3;
};


logging {


channel "default_syslog" {
// Send most of the named messages to syslog.
syslog local2;
severity debug;
};

channel audit_log {
// Send the security related messages to a separate file.
file "/var/named/bind/named.log";
severity debug;
print-time yes;
};

category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { audit_log; };
category lame-servers { audit_log; };


};

// Set options for security
options {
directory "/var/named";
//pid-file "/var/named/named.pid";
statistics-file "/var/named/named.stats";
//memstatistics-file "/var/named/named.memstats";
dump-file "/var/adm/named.dump";
zone-statistics yes;

// Prevent DoS attacks by generating bogus zone transfer
// requests. This will result in slower updates to the
// slave servers (e.g. they will await the poll interval
// before checking for updates).
notify no;

// Generate more efficient zone transfers. This will place
// multiple DNS records in a DNS message, instead of one per
// DNS message.
transfer-format many-answers;

// Set the maximum zone transfer time to something more
// reasonable. In this case, we state that any zone transfer
// that takes longer than 60 minutes is unlikely to ever
// complete. WARNING: If you have very large zone files,
// adjust this to fit your requirements.
max-transfer-time-in 60;

// We have no dynamic interfaces, so BIND shouldn't need to
// poll for interface state {UP|DOWN}.
interface-interval 0;

allow-transfer {
// Zone transfers limited to members of the
// "xfer" ACL.
xfer;
};

allow-query {
// Accept queries from our "trusted" ACL. We will
// allow anyone to query our master zones below.
// This prevents us from becoming a free DNS server
// to the masses.
trusted;
};

blackhole {
// Deny anything from the bogon networks as
// detailed in the "bogon" ACL.
bogon;
};
};


view "internal-in" in {
// Our internal (trusted) view. We permit the internal networks
// to freely access this view. We perform recursion for our
// internal hosts, and retrieve data from the cache for them.

match-clients { trusted; };
recursion yes;
additional-from-auth yes;
additional-from-cache yes;

zone "." IN {
type hint;
file "named.ca";
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" in {
// Allow queries for the 127/8 network, but not zone transfers.
// Every name server, both slave and master, will be a master
// for this zone.
type master;
file "named.local";

allow-query {
any;
};

allow-transfer {
none;
};
};

zone "tylite.com" IN {
type master;
file "tylite.com.db";
};

zone "ptera.net" IN {
type master;
file "ptera.net.db";
};

zone "32.28.69.in-addr.arpa" IN {
type master;
file "69.28.32.db";
};

zone "33.28.69.in-addr.arpa" IN {
type master;
file "69.28.33.db";
};
zone "34.28.69.in-addr.arpa" IN {
type master;
file "69.28.34.db";
};

zone "35.28.69.in-addr.arpa" IN {
type master;
file "69.28.35.db";
};

zone "36.28.69.in-addr.arpa" IN {
type master;
file "69.28.36.db";
};

zone "37.28.69.in-addr.arpa" IN {
type master;
file "69.28.37.db";
};

zone "38.28.69.in-addr.arpa" IN {
type master;
file "69.28.38.db";
};

zone "39.28.69.in-addr.arpa" IN {
type master;
file "69.28.39.db";
};

zone "40.28.69.in-addr.arpa" IN {
type master;
file "69.28.40.db";
};

zone "41.28.69.in-addr.arpa" IN {
type master;
file "69.28.41.db";
};

zone "42.28.69.in-addr.arpa" IN {
type master;
file "69.28.42.db";
};

zone "43.28.69.in-addr.arpa" IN {
type master;
file "69.28.43.db";
};

zone "44.28.69.in-addr.arpa" IN {
type master;
file "69.28.44.db";
};

zone "45.28.69.in-addr.arpa" IN {
type master;
file "69.28.45.db";
};

zone "46.28.69.in-addr.arpa" IN {
type master;
file "69.28.46.db";
};

zone "47.28.69.in-addr.arpa" IN {
type master;
file "69.28.47.db";
};


zone "172.229.216.in-addr.arpa" IN {
type master;
file "216.229.172.db";
};

zone "birdshield.com" IN {
type master;
file "birdshield.com.db";
};

zone "priorityterabit.com" IN {
type master;
file "priorityterabit.com.db";
};

zone "arthurstephens.com" IN {
type master;
file "arthurstephens.com.db";
};

zone "cvafoundation.org" IN {
type master;
file "cvafoundation.org.db";
};

zone "guitarfranks.com" IN {
type master;
file "guitarfranks.com.db";
};

zone "lwccspokane.org" IN {
type master;
file "lwccspokane.org.db";
};

zone "impactspokane.com" IN {
type master;
file "impactspokane.com.db";
};

zone "tangleheart.com" IN {
type master;
file "tangleheart.com.db";
};

zone "ubergeekinc.com" IN {
type master;
file "ubergeekinc.com.db";
};

zone "aiin.com" IN {
type master;
file "aiin.com.db";
};


zone "spokanewines.com" IN {
type master;
file "spokanewines.com.db";
};

zone "skilltran.net" IN {
type master;
file "skilltran.net.hosts";
};


};

// Create a view for external DNS clients.
view "external-in" in {
// Our external (untrusted) view. We permit any client to access
// portions of this view. We do not perform recursion or cache
// access for hosts using this view.

match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;

// Link in our zones
zone "." in {
type hint;
file "named.ca";
};

zone "tylite.com" IN {
type master;
file "tylite.com.db";
};

zone "ptera.net" IN {
type master;
file "ptera.net.db";
};

zone "32.28.69.in-addr.arpa" IN {
type master;
file "69.28.32.db";
};

zone "33.28.69.in-addr.arpa" IN {
type master;
file "69.28.33.db";
};
zone "34.28.69.in-addr.arpa" IN {
type master;
file "69.28.34.db";
};

zone "35.28.69.in-addr.arpa" IN {
type master;
file "69.28.35.db";
};

zone "36.28.69.in-addr.arpa" IN {
type master;
file "69.28.36.db";
};

zone "37.28.69.in-addr.arpa" IN {
type master;
file "69.28.37.db";
};

zone "38.28.69.in-addr.arpa" IN {
type master;
file "69.28.38.db";
};

zone "39.28.69.in-addr.arpa" IN {
type master;
file "69.28.39.db";
};

zone "40.28.69.in-addr.arpa" IN {
type master;
file "69.28.40.db";
};

zone "41.28.69.in-addr.arpa" IN {
type master;
file "69.28.41.db";
};

zone "42.28.69.in-addr.arpa" IN {
type master;
file "69.28.42.db";
};

zone "43.28.69.in-addr.arpa" IN {
type master;
file "69.28.43.db";
};

zone "44.28.69.in-addr.arpa" IN {
type master;
file "69.28.44.db";
};

zone "45.28.69.in-addr.arpa" IN {
type master;
file "69.28.45.db";
};

zone "46.28.69.in-addr.arpa" IN {
type master;
file "69.28.46.db";
};

zone "47.28.69.in-addr.arpa" IN {
type master;
file "69.28.47.db";
};


zone "172.229.216.in-addr.arpa" IN {
type master;
file "216.229.172.db";
};

zone "birdshield.com" IN {
type master;
file "birdshield.com.db";
};

zone "priorityterabit.com" IN {
type master;
file "priorityterabit.com.db";
};

zone "arthurstephens.com" IN {
type master;
file "arthurstephens.com.db";
};

zone "cvafoundation.org" IN {
type master;
file "cvafoundation.org.db";
};

zone "guitarfranks.com" IN {
type master;
file "guitarfranks.com.db";
};

zone "lwccspokane.org" IN {
type master;
file "lwccspokane.org.db";
};

zone "impactspokane.com" IN {
type master;
file "impactspokane.com.db";
};

zone "lindarosephoto.com" IN {
type master;
file "lindarosephoto.com.db";
};

zone "tangleheart.com" IN {
type master;
file "tangleheart.com.db";
};

zone "ubergeekinc.com" IN {
type master;
file "ubergeekinc.com.db";
};

zone "aiin.com" IN {
type master;
file "aiin.com.db";
};


zone "spokanewines.com" IN {
type master;
file "spokanewines.com.db";
};

zone "skilltran.net" IN {
type master;
file "skilltran.net.hosts";
};


};

// Create a view for all clients perusing the CHAOS class.
// We allow internal hosts to query our version number.
// This is a good idea from a support point of view.

view "external-chaos" chaos {
match-clients { any; };
recursion no;

zone "." {
type hint;
file "/dev/null";
};

zone "bind" {
type master;
file "db.bind";

allow-query {
trusted;
};
allow-transfer {
none;
};
};


};

Sam

Apr 20, 2005, 10:28:04 AM
0.0.0.0/8; <- maybe this is hosing up BIND?

Sam


"Arthur Stephens" <aste...@ptera.net> wrote in message
news:d41kit$1pfg$1...@sf1.isc.org...

Tim Peiffer

Apr 20, 2005, 3:28:48 PM
This is a simpler problem. None of the IP addresses in the complaint is
'trusted'.

Tim Peiffer

acl "trusted" {


// Place our internal and DMZ subnets in here so that
// intranet and DMZ clients may send DNS queries. This
// also prevents outside hosts from using our name server
// as a resolver for other domains.
216.229.171.0/24;
69.28.32.0/20;
localhost;


};


allow-query {
// Accept queries from our "trusted" ACL. We will
// allow anyone to query our master zones below.
// This prevents us from becoming a free DNS server
// to the masses.
trusted;
};

Sam wrote:

>0.0.0.0/8; <- maybe this is hosing up BIND?
>
>Sam
>
>
>"Arthur Stephens" <aste...@ptera.net> wrote in message
>news:d41kit$1pfg$1...@sf1.isc.org...
>
>

joe

Apr 20, 2005, 8:24:47 PM
Tim Peiffer wrote:
> This is a simpler problem. None of the IP addresses in the complaint is
> 'trusted'.

allow-query {
// Accept queries from our "trusted" ACL. We will
// allow anyone to query our master zones below.
// This prevents us from becoming a free DNS server
// to the masses.
trusted;
};

The above will only let your subnets make queries to the zones you host.

Try the following:

allow-query { any; }; -> this way anyone can get the info they need (mx, a, www, etc...)

allow-transfer { xfer; };

xfer -> would be an acl for your subnets only to pull the complete zone files (notifies for slaves, axfr, etc.)

I try to keep my ACL's and options really simple but secure.

Hope this helps
joe

joe

Apr 20, 2005, 9:21:12 PM
allow-query {

// Accept queries from our "trusted" ACL. We will
// allow anyone to query our master zones below.
// This prevents us from becoming a free DNS server
// to the masses.
trusted;
};

The above will only let your subnets make queries to the zones you host.

Try the following:

allow-query { any; }; -> this way anyone can get the info they need (mx, a, www, etc...)

allow-transfer { xfer; };

xfer -> would be an acl for your subnets only to pull the complete zone files (notifies for slaves, axfr, etc.)

I try to keep my ACL's and options really simple but secure.


Hope this helps
joe

>Tim Peiffer wrote:


>
>>This is a simpler problem. None of the IP addresses in the complaint is
>>'trusted'.
>>
>>Tim Peiffer
>>

>>acl "trusted" {
>>
>>
>>// Place our internal and DMZ subnets in here so that
>>// intranet and DMZ clients may send DNS queries. This
>>// also prevents outside hosts from using our name server
>>// as a resolver for other domains.
>>216.229.171.0/24;
>>69.28.32.0/20;
>>localhost;
>>
>>
>>};
>>
>>

>>allow-query {
>>// Accept queries from our "trusted" ACL. We will
>>// allow anyone to query our master zones below.
>>// This prevents us from becoming a free DNS server
>>// to the masses.
>>trusted;
>>};
>>

>>Sam wrote:
>>
>>
>>
>>>0.0.0.0/8; <- maybe this is hosing up BIND?
>>>
>>>Sam
>>>
>>>

>>>"Arthur Stephens" <aste...@ptera.net> wrote in message
>>>news:d41kit$1pfg$1...@sf1.isc.org...
>>>
>>>
>>>
>>>
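Tim's and joe's points above, as an added example that is not part of the thread: the "query ... denied" log lines from the first post are checked against the posted "trusted" ACL using BIND's first-match address-list semantics, and a small helper shows why an allow-query inside a zone statement overrides the global one. Assumptions: BIND's `localhost` (all of the server's own addresses) is approximated as the loopback range, and the function names are mine.

```python
import ipaddress
import re

# Constructed from the "query ... denied" lines quoted in the first post;
# duplicates dropped, not a live capture.
LOG_LINES = [
    "Apr 18 13:46:11 daffy named[24498]: client 71.4.246.96#32770: query 'ptera.net/IN' denied",
    "Apr 18 13:46:16 daffy named[24498]: client 195.49.141.22#32819: query 'mail.aiin.com/IN' denied",
    "Apr 18 13:46:36 daffy named[24498]: client 67.19.0.13#53: query 'aiin.com/IN' denied",
]

# The "trusted" ACL from the posted named.conf. BIND evaluates an address
# match list first-match; an element prefixed with "!" negates the match.
TRUSTED_ACL = ["216.229.171.0/24", "69.28.32.0/20", "localhost"]

LOG_RE = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): query '(?P<qname>[^/']+)/(?P<cls>\w+)' denied"
)


def acl_match(ip, acl):
    """First-match evaluation of a BIND-style address match list.

    Assumption: "localhost" is approximated as the loopback range; in BIND it
    means every address configured on the server's own interfaces.
    """
    addr = ipaddress.ip_address(ip)
    for element in acl:
        negate = element.startswith("!")
        token = element.lstrip("!").strip()
        if token == "any":
            hit = True
        elif token == "none":
            hit = False
        elif token == "localhost":
            hit = addr.is_loopback
        else:
            hit = addr in ipaddress.ip_network(token, strict=False)
        if hit:
            return not negate
    return False  # nothing matched: BIND treats that as a deny


def parse_denied(lines):
    """Extract (client_ip, qname) from named's 'query ... denied' log lines."""
    found = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            found.append((m["ip"], m["qname"]))
    return found


def classify(lines, acl=TRUSTED_ACL):
    """Tag every denied query with whether its client matches the ACL at all."""
    return [(ip, qname, acl_match(ip, acl)) for ip, qname in parse_denied(lines)]


def query_allowed(ip, zone_acl=None, global_acl=TRUSTED_ACL):
    """BIND precedence: an allow-query inside a zone statement overrides the one
    in options/view, so a per-zone { any; } answers outside clients even while
    the global list still says "trusted"."""
    return acl_match(ip, global_acl if zone_acl is None else zone_acl)
```

Running `classify(LOG_LINES)` shows every denied client outside both trusted prefixes, which is exactly Tim's diagnosis.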

Guido Roeskens

Apr 21, 2005, 2:58:42 PM
Hello,

First: please fix your setup (see ****):

$ dig ns1.ptera.net @69.28.32.17

; <<>> DiG 9.2.3 <<>> ns1.ptera.net @69.28.32.17
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;ns1.ptera.net. IN A

;; ANSWER SECTION:
ns1.ptera.net. 86400 IN CNAME dns.ptera.net.
**** NS records MUST NOT be an Alias (CNAME) !!!
dns.ptera.net. 86400 IN A 69.28.32.16

;; AUTHORITY SECTION:
ptera.net. 86400 IN NS dns.ptera.net.
ptera.net. 86400 IN NS dns2.ptera.net.

;; ADDITIONAL SECTION:
dns2.ptera.net. 86400 IN A 69.28.32.17

;; Query time: 200 msec
;; SERVER: 69.28.32.17#53(69.28.32.17)
;; WHEN: Thu Apr 21 10:33:30 2005
;; MSG SIZE rcvd: 114

see RFC1912; Section 2.4

---
Don't use CNAMEs in combination with RRs which point to other names
like MX, CNAME, PTR and NS. (PTR is an exception if you want to
implement classless in-addr delegation.) For example, this is
strongly discouraged:
---
and the last paragraph:
---
Having NS records pointing to a CNAME is bad and may conflict badly
with current BIND servers. In fact, current BIND implementations
will ignore such records, possibly leading to a lame delegation.
There is a certain amount of security checking done in BIND to
prevent spoofing DNS NS records. Also, older BIND servers reportedly
will get caught in an infinite query loop trying to figure out the
address for the aliased nameserver, causing a continuous stream of
DNS requests to be sent.
---

Right now you have "CNAME and other data" for ns1.ptera.net
(in the gTLD for net. there are glue A records for ns1.ptera.net,
while in your zone it's an alias (CNAME)).

If you look at
http://www.dnsreport.com/tools/dnsreport.ch?domain=ptera.net
you see many problems with your domain.


Why does this not work:

0. we want to look up ns1.ptera.net
1. a nameserver queries the gTLD Servers for net. for the NS and A
Records for the domain ptera.net
---
ptera.net. 172800 IN NS ns1.ptera.net.
ptera.net. 172800 IN NS ns2.ptera.net.
ns1.ptera.net. 172800 IN A 69.28.32.16
ns2.ptera.net. 172800 IN A 69.28.32.17
---

2. Now the nameserver queries the servers authoritative for the domain
---
ns1.ptera.net. 86400 IN CNAME dns.ptera.net.
---
so forget anything (the IP address) about ns1.ptera.net and replace
ns1.ptera.net with dns.ptera.net

3. Now the nameserver wants to follow the alias
- ns1.ptera.net is a nameserver for ptera.net
- ns1.ptera.net is really dns.ptera.net
- dns.ptera.net cannot be looked up (we don't have an IP address
of a nameserver to query)
(A glue record in the net. gTLD for dns.ptera.net wouldn't help either)

^^^ Your SOA record seems wrong to me

aiin.com. IN SOA dns.ptera.net. hostmaster.aain.com. (
^^^^ add a dot here. If someone deletes the "$ORIGIN ." statement
above, your SOA record will still work
^^^^ the MNAME field should contain a
hostname of a nameserver authoritative
for the domain (it should be the master
or primary for the domain).

See also http://www.dnsreport.com/tools/dnsreport.ch?domain=aiin.com
Check all your zone files for similar errors.

I don't use this explicit naming in my zone files and
also avoid '$ORIGIN'

then you could use
@ IN SOA dns.ptera.net. hostmaster.aain.com. (


> 2004111602 ; serial
> 10800 ; refresh (3 hours)
> 3600 ; retry (1 hour)
> 604800 ; expire (1 week)
> 86400 ; minimum (1 day)
> )
> IN NS dns.ptera.net.
> IN NS dns2.ptera.net.
> IN A 216.255.223.207
> IN MX 10 mail.aiin.com.
> $ORIGIN aiin.com.
> mail IN A 69.28.41.3
> www IN A 216.255.223.207
>
> As you can see their web server is hosted outside of our network but
> their mail server is inside of our network. This worked before.
>
> Can anyone look at the named.conf file below and tell me where I missed?
>


When using such templates you need to read them carefully
http://www.cymru.com/Documents/secure-bind-template.html

If you use the bogon filter, you need to update it regularly
http://www.cymru.com/Documents/bogon-list.html
(It was changed

From the template (and also in your config)
--- SNIP ---


allow-query {
// Accept queries from our "trusted" ACL. We will
// allow anyone to query our master zones below.
// This prevents us from becoming a free DNS server
// to the masses.
trusted;
};

--- SNIP ---
Read the second sentence and look further down in the template:

--- SNIP ---


// Create a view for external DNS clients.
view "external-in" in {

// ...

zone "ournetwork.net" in {
type master;
file "master/db.ournetwork";

allow-query {
any;
};
// ^^^^ HERE the template allows anyone to query
// the zones for which the server is authoritative
};

So you need to allow querying in the external view.

--- SNIP ---

// ....

// Create a view for external DNS clients.
view "external-in" in {
// Our external (untrusted) view. We permit any client to access
// portions of this view. We do not perform recursion or cache
// access for hosts using this view.

match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;

--- SNIP ---
Alternative 1:
generally (before any zone definition)
---
allow-query { any; };
---
Alternative 2: per domain

--- SNIP ---
// ....


zone "aiin.com" IN {
type master;
file "aiin.com.db";

// HERE: allow anybody to query the zone
allow-query { any; };
};
--- SNIP ---

You would need to add the allow-query to
every zone you are authoritative for.


---
Now to another post regarding the question.

--- SNIP ---


0.0.0.0/8; <- maybe this is hosing up BIND?

--- SNIP ---

No, not at all...
0.0.0.0 is a valid IP address and 0.0.0.0/8 is
a normal A class (this is really a class A

However 0.0.0.0/8 was never issued and will probably never be
assigned to anyone (as 0.0.0.0 is the network address of the
whole IPv4 address space)

Guido
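Guido's RFC 1912 section 2.4 checks, as an added example that is not part of the thread: a minimal zone-file parser plus a checker that flags an NS host that is a CNAME, a parent delegation the zone's own NS set does not list, and an SOA MNAME that is not one of the zone's name servers. The aiin.com zone is the one posted earlier in the thread; the ptera.net fragment and the parent delegation list are constructed from the dig output quoted in this post, and the function names are mine.

```python
# The aiin.com zone file as posted in the thread (verbatim, comments included).
ZONE_AS_POSTED = """\
$ORIGIN .
$TTL 86400 ; 1 day
aiin.com IN SOA aiin.com. hostmaster.aain.com. (
2004111602 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
IN NS dns.ptera.net.
IN NS dns2.ptera.net.
IN A 216.255.223.207
IN MX 10 mail.aiin.com.
$ORIGIN aiin.com.
mail IN A 69.28.41.3
www IN A 216.255.223.207
"""
# Constructed ptera.net fragment mirroring the dig output above: the zone's NS
# are dns/dns2, while ns1 (the name the parent delegates to) is only a CNAME.
PTERA_FRAGMENT = """\
$ORIGIN ptera.net.
@ IN SOA dns.ptera.net. hostmaster.ptera.net. ( 1 10800 3600 604800 86400 )
@ IN NS dns.ptera.net.
@ IN NS dns2.ptera.net.
ns1 IN CNAME dns.ptera.net.
dns IN A 69.28.32.16
dns2 IN A 69.28.32.17
"""
PARENT_DELEGATION = ["ns1.ptera.net.", "ns2.ptera.net."]  # gTLD NS set quoted above
RRTYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "PTR", "TXT"}

def fqdn(name, origin):
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"

def parse_zone(text):
    """Minimal master-file parser: $ORIGIN, ';' comments, '( )' continuation and
    blank-owner inheritance. An owner label spelled like an RR type is misread."""
    origin, owner, records, pending, depth = ".", None, [], [], 0
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].replace("(", " ( ").replace(")", " ) ").split()
        if not tokens:
            continue
        if depth == 0 and tokens[0].startswith("$"):  # $ORIGIN / $TTL directive
            origin = tokens[1] if tokens[0] == "$ORIGIN" else origin
            continue
        pending += tokens
        depth += tokens.count("(") - tokens.count(")")
        if depth:
            continue  # still inside a parenthesised RDATA
        tokens, pending = [t for t in pending if t not in ("(", ")")], []
        if tokens[0].upper() not in RRTYPES | {"IN"}:  # explicit owner name
            owner, tokens = fqdn(tokens[0], origin), tokens[1:]
        if tokens[0].isdigit():  # optional TTL
            tokens = tokens[1:]
        if tokens[0].upper() == "IN":  # optional class
            tokens = tokens[1:]
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records

def check_zone(text, zone_name, delegation_ns=()):
    """RFC 1912 section 2.4 checks from the thread: an NS host that is a CNAME, a
    delegation name the zone's NS set omits, an SOA MNAME that is not an NS."""
    records = parse_zone(text)
    apex = zone_name if zone_name.endswith(".") else zone_name + "."
    cnames = {o: r[0] for o, t, r in records if t == "CNAME"}
    apex_ns = {r[0] for o, t, r in records if t == "NS" and o == apex}
    problems = [f"NS {h} is a CNAME to {cnames[h]}"
                for h in sorted(set(delegation_ns) | apex_ns) if h in cnames]
    problems += [f"parent delegates to {h} but the zone's NS set omits it"
                 for h in delegation_ns if h not in apex_ns]
    problems += [f"SOA MNAME {r[0]} is not one of the zone's NS hosts"
                 for o, t, r in records if t == "SOA" and o == apex and r[0] not in apex_ns]
    return problems
```

`check_zone(ZONE_AS_POSTED, "aiin.com")` reports only the MNAME problem Guido marks with ^^^^, and the same call with `dns.ptera.net.` as MNAME returns nothing.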


Arthur Stephens

Apr 22, 2005, 1:57:29 PM
These records were created many years ago before I got here.

This should be fixed now...
Thanks

Guido Roeskens wrote:

--
Arthur Stephens
Senior Sales Technician

PO Box 135
Liberty Lake, WA 99019
509-927-7837
www.ptera.net
