[PLUG] clinic from dec. 15 named.conf question

tomas.kuchta.lists at gmail.com tomas.kuchta.lists at gmail.com
Fri Dec 20 00:46:46 UTC 2019


Hi Vince,

There seem to be quite a few copy-paste artifacts, so it is hard to see
possible typo issues.

I would take this step by step:
1. start without DNSSEC first
2. set up and verify the caching and authoritative DNS server configs first
3. add DNSSEC to your standalone DNS and test.
4. always test both directions, name as well as reverse lookups
5. combine both setups last

If there is any chance to reach your recursive/forwarding server from the nets,
make sure to set up authentication, so that you do not end up participating in
DNS amplification attacks.

Starting BIND with -d 1 will enable debugging - this can be helpful with
catching syntax errors, missing files, etc.

You probably googled this to death, so you might have already seen these.

Here are two nice and simple guides:
https://opensource.com/article/17/4/build-your-own-name-server
similar example/guide:
http://dant.net.ru/calomel/dns_bind.html

Hope this helps somewhat,
Tomas

On Thu, 2019-12-19 at 13:09 -0800, Vince Winter wrote:
> Just learned that the list doesn't allow attachments.
> 
> named.conf
> -----
> 
> //
> // named.conf
> //
> // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
> // server as a caching only nameserver (as a localhost DNS resolver only).
> //
> // See /usr/share/doc/bind*/sample/ for example named configuration files.
> //
> // See the BIND Administrator's Reference Manual (ARM) for details about the
> // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
> options {
> listen-on port 53 { 127.0.0.1; 192.168.150.1; };
> //listen-on-v6 port 53 { ::1; };
> directory "/var/named";
> dump-file "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
> recursing-file  "/var/named/data/named.recursing";
> secroots-file   "/var/named/data/named.secroots";
> allow-query     { localhost; 192.168.150.0/24; any; };
> /*
> - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
> - If you are building a RECURSIVE (caching) DNS server, you need to enable
>   recursion.
> - If your recursive DNS server has a public IP address, you MUST enable
> access
>   control to limit queries to your legitimate users. Failing to do so will
>   cause your server to become part of large scale DNS amplification
>   attacks. Implementing BCP38 within your network would greatly
>   reduce such attack surface
> */
> recursion yes;
> dnssec-enable yes;
> dnssec-validation yes;
> /* Path to ISC DLV key */
> bindkeys-file "/etc/named.iscdlv.key";
> managed-keys-directory "/var/named/dynamic";
> pid-file "/run/named/named.pid";
> session-keyfile "/run/named/session.key";
> };
> logging {
>         channel default_debug {
>                 file "data/named.run";
>                 severity dynamic;
>         };
> };
> zone "." IN {
> type hint;
> file "named.ca";
> };
> 
> zone "vmnetwork.local" IN {
> type master;
> file "forward.vmnetwork.local";
> allow-update { none; };
> };
> zone "150.168.192.in-addr.arpa" IN {
> type master;
> file "reverse.vmnetwork.local";
> allow-update { none; };
> };
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
> 
> 
> 
> forward.vmnetwork.local
> ----
> 
> $TTL 1D
> @ IN SOA dhcp-server.vmnetwork.local. root.vmnetwork.local. (
> 0 ; serial
> 1D ; refresh
> 1H ; retry
> 1W ; expire
> 3H ) ; minimum
> @ IN NS dhcp-server.vmnetwork.local.
> @ IN A 192.168.150.1
> dhcp-server IN A 192.168.150.1
> dhcp IN A 192.168.150.1
> pxe-server IN A 192.168.150.2
> pxe IN A 192.168.150.2
> 
> 
> 
> reverse.vmnetwork.local
> ---
> 
> $TTL 1D
> @ IN SOA dhcp-server.vmnetwork.local. root.vmnetwork.local. (
> 0 ; serial
> 1D ; refresh
> 1H ; retry
> 1W ; expire
> 3H ) ; minimum
> @ IN NS dhcp-server.vmnetwork.local.
> @ IN PTR vmnetwork.local.
> dhcp-server IN A 192.168.150.1
> 1 IN PTR dhcp-server.vmnetwork.local.
> dhcp IN A 192.168.150.1
> 1 IN PTR dhcp.vmnetwork.local.
> pxe-server IN A 192.168.150.2
> 2 IN PTR pxe-server.vmetwork.local.
> pxe IN A 192.168.150.2
> 2 IN PTR pxe.vmnetwork.local.
> 
> 
> On Tue, Dec 17, 2019 at 1:56 PM Vince Winter <vince.winter at freegeek.org>
> wrote:
> 
> > Hello,
> > 
> > dig didn't work.
> > 
> > Context:
> > I am running 3 virtual machines on my laptop; there is a DHCP/DNS BIND
> > server, a PXE/NFS server, and a test workstation. There are 2 virtual networks;
> > Network External is just a connection between the Host (my laptop) and the DHCP server,
> > Network Internal is just a connection between the DHCP server, PXE server, and
> > the workstation. The DHCP/DNS server is running iptables, DNS BIND, and
> > dhcp.
> > 
> > Goal:
> > Have the DNS running for internal computers and be able to pass DNS
> > internally, this setup as a test and learning environment, and being able
> > to get internet access to the internal network.
> > 
> > Problem:
> > I can't get the DNS names to resolve. The DNS server can resolve
> > external DNS names but not internal ones. The PXE server and workstation
> > can't resolve DNS internally or externally, but can ping external IP
> > addresses. Pxe boot is working. Have tested with iptables running and
> > stopped.
> > 
> > Named.conf and zone files will be attached.
> > 
> > On Tue, Dec 17, 2019 at 10:52 AM OR Linux Jobs <oregonlinuxjobs at gmail.com>
> > wrote:
> > 
> > > Hi PLUG
> > > 
> > > Someone at the clinic had a question about configuring a private
> > > nameserver
> > > that was not responding to requests.
> > > The basic troubleshooting step, if you have access to the dig utility, is
> > > to use the dig utility as shown below.
> > > 
> > > dig @8.8.8.8 google.com
> > > 
> > > replace IP address with the IP address of your private nameserver
> > > replace google.com with a host that you have configured in named.conf
> > > 
> > > If you still don't get the answer you expected, there could be a problem
> > > with the named.conf
> > > One way that I did not consider at the time was to use another working
> > > nameserver to get a conf file to compare to.
> > > If you have access to a web hosting service that uses the Plesk control
> > > panel for example,
> > > configure the private nameserver using their interface, then copy the
> > > resulting conf file after you've made the changes.
> > > 
> > > Make a comparison between the Plesk-generated conf file and the one that
> > > you are troubleshooting using diff or manually.
> > > 
> > > Caveats that I can think of....
> > > 
> > > Plesk might not be using the same nameserver that you are using, i.e. BIND
> > > etc.
> > > Plesk only works with routable IPs if I understand correctly
> > > 
> > > Sincerely
> > > Neil
> > > _______________________________________________
> > > PLUG mailing list
> > > PLUG at pdxlinux.org
> > > http://lists.pdxlinux.org/mailman/listinfo/plug
> > > 
> > 
> > 
> > --
> > 
> > ---
> > Vince Winter
> > Free Geek, Tech Support Staff
> > He | His | They
> > 503.232.9350 x6
> > 10:00 am to 5:45 pm Tuesday to Saturday
> > 
> 
> 
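Step 4 in Tomas's list (test name and reverse lookups together) can be rehearsed offline against the zone files before named is even started. The script below is an added example written for this thread, not code from the list post or from BIND: it cross-checks the posted forward zone against the posted reverse zone and reports every A record without a matching PTR, every PTR whose target has no A record (which is how a one-letter typo in a name shows up), A records placed in the reverse zone, more than one PTR for the same address, and a PTR sitting on the zone apex. The zone text is embedded from the posted files with each SOA condensed to one line; the parser is a deliberately minimal one, an assumption of this example, that understands only what those files contain. named-checkzone remains the proper syntax check; this script looks for consistency problems that a syntactically valid pair of zones can still have.

```python
from collections import defaultdict

# Origins of the two zones declared in the posted named.conf.
FORWARD_ORIGIN = "vmnetwork.local"
REVERSE_ORIGIN = "150.168.192.in-addr.arpa"

# Sample input: the zone files as posted in the thread, each SOA condensed to one line.
FORWARD_ZONE = """\
$TTL 1D
@ IN SOA dhcp-server.vmnetwork.local. root.vmnetwork.local. ( 0 1D 1H 1W 3H )
@ IN NS dhcp-server.vmnetwork.local.
@ IN A 192.168.150.1
dhcp-server IN A 192.168.150.1
dhcp IN A 192.168.150.1
pxe-server IN A 192.168.150.2
pxe IN A 192.168.150.2
"""
REVERSE_ZONE = """\
$TTL 1D
@ IN SOA dhcp-server.vmnetwork.local. root.vmnetwork.local. ( 0 1D 1H 1W 3H )
@ IN NS dhcp-server.vmnetwork.local.
@ IN PTR vmnetwork.local.
dhcp-server IN A 192.168.150.1
1 IN PTR dhcp-server.vmnetwork.local.
dhcp IN A 192.168.150.1
1 IN PTR dhcp.vmnetwork.local.
pxe-server IN A 192.168.150.2
2 IN PTR pxe-server.vmetwork.local.
pxe IN A 192.168.150.2
2 IN PTR pxe.vmnetwork.local.
"""

def qualify(name, origin):
    """Owner or target name -> lower-case FQDN without the trailing dot."""
    if name == "@":
        return origin
    return name[:-1].lower() if name.endswith(".") else f"{name}.{origin}".lower()

def parse_zone(text, origin):
    """Yield (owner_fqdn, rrtype, rdata). Minimal parser (assumption): $-directives,
    ';' comments, a parenthesised SOA and single-line records are all it knows."""
    in_soa = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        if in_soa:                       # skip SOA continuation lines
            in_soa = ")" not in line
            continue
        tokens = line.split()
        if "IN" not in tokens:
            continue
        i = tokens.index("IN")
        owner, rrtype, rdata = tokens[0], tokens[i + 1], tokens[i + 2]
        if rrtype == "SOA":
            in_soa = "(" in line and ")" not in line
            continue
        yield qualify(owner, origin), rrtype, rdata

def reverse_ip(owner, rev_origin):
    """'1.150.168.192.in-addr.arpa' -> '192.168.150.1'; None unless owner names one host."""
    if not owner.endswith("." + rev_origin):
        return None
    octets = owner[:-len(rev_origin) - 1].split(".") + rev_origin[:-len(".in-addr.arpa")].split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return None
    return ".".join(reversed(octets))

def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Cross-check forward A records against reverse PTRs; return (code, detail) findings."""
    findings = []
    a_records = defaultdict(set)         # fqdn -> {ip}
    for owner, rrtype, rdata in parse_zone(fwd_text, fwd_origin):
        if rrtype == "A":
            a_records[owner].add(rdata)
    ptr_records = defaultdict(list)      # ip -> [target fqdn]
    for owner, rrtype, rdata in parse_zone(rev_text, rev_origin):
        if rrtype == "A":                # A records do not belong in in-addr.arpa
            findings.append(("A_IN_REVERSE_ZONE", owner))
        elif rrtype == "PTR":
            ip = reverse_ip(owner, rev_origin)
            if ip is None:               # e.g. the PTR on the zone apex
                findings.append(("PTR_NOT_ON_HOST_NAME", owner))
            else:
                ptr_records[ip].append(qualify(rdata, fwd_origin))
    for ip, targets in sorted(ptr_records.items()):
        if len(targets) > 1:
            findings.append(("MULTIPLE_PTR", f"{ip} -> {', '.join(targets)}"))
        for target in targets:           # catches typos such as vmetwork.local
            if ip not in a_records.get(target, set()):
                findings.append(("PTR_WITHOUT_MATCHING_A", f"{ip} -> {target}"))
    for name, ips in sorted(a_records.items()):
        for ip in sorted(ips):
            if name not in ptr_records.get(ip, []):
                findings.append(("A_WITHOUT_MATCHING_PTR", f"{name} -> {ip}"))
    return findings

if __name__ == "__main__":
    for code, detail in check_zones(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE, REVERSE_ORIGIN):
        print(f"{code:24} {detail}")
```

Run with python3 and read the PTR_WITHOUT_MATCHING_A line first: on the posted data it reports that the PTR for 192.168.150.2 points at pxe-server.vmetwork.local, a name with no A record, which is exactly the kind of copy-paste typo that is hard to spot by eye. The A_IN_REVERSE_ZONE and MULTIPLE_PTR findings are the other things a reverse lookup test (dig -x 192.168.150.2 @192.168.150.1) would surface once named is running.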


