Bind refusing requests

nexusrain Member
edited February 2015 in Help

Hi there,

I just implemented GeoDNS using this method: http://phix.me/geodns/ into my DNS servers. The primary server is running Debian 7, Bind 9.8.4, the other one's Ubuntu 14.04, Bind 9.9.5

I want to use GeoDNS to run my own CDN servers - worked fine so far. But today I extended the defined countries (which countries use which zone) and now my primary DNS refuses any queries on any domain. I've got "allow-query { any; };" in all zone definitions, no idea what's wrong.

The named.conf just includes .options and .local, everything else is commented.

named.conf.local:
Non-GeoDNS zone definitions are like this:

```
view "xxxx" {
    match-clients { any; };
    // recursion no;
    zone "xxxx.xx" {
        type master;
        file "/etc/bind/zones/xxxx.xx.zone";
        allow-query { any; };
        // allow-transfer { xfer; };
    };
};
```

GeoDNS zone definitions like this:

```
view "bf_eu" {
    match-clients { FR; GB; IE; IS; };
    // recursion no;
    zone "xxxx.xx" {
        type master;
        file "/etc/bind/zones/xxxx/eu.zone";
        allow-query { any; };
    };
};
```

And yes, the ACL file which contains the IP ranges is being imported in the .local

named.conf.options:

```
/*
 * Deny transfers by default except for the listed hosts.
 * If we have other name servers, place them here.
 */
acl "xfer" {
    x.x.x.x;
    x.x.x.x;
};
/*
 * You might put in here some ips which are allowed to use the cache or
 * recursive queries
 */
acl "trusted" {
    127.0.0.0/8;
};
options {
    directory "/var/cache/bind";
    pid-file "/var/run/named/named.pid";
    listen-on-v6 { none; };
    listen-on { any; };
    /*
     * Accept queries from our "trusted" ACL. We will
     * allow anyone to query our master zones below.
     * This prevents us from becoming a free DNS server
     * to the masses.
     */

    /* Use the cache for the "trusted" ACL. */
    allow-query-cache {
            trusted;
    };
    /* Only trusted addresses are allowed to use recursion. */
    allow-recursion {
            trusted;
    };
    /* Zone transfers are denied by default. */
    allow-transfer {
            none;
    };
    /* Don't allow updates, e.g. via nsupdate. */
    allow-update {
            none;
    };
    /* if you have problems and are behind a firewall: */
    //query-source address * port 53;
    dnssec-validation auto;
    auth-nxdomain no; # conform to RFC1035
    // forwarders {
    // 0.0.0.0;
    // };

    statistics-file "/var/cache/bind/bind.stats";
    zone-statistics yes;

};
```

named-checkconf doesn't return any error. When letting named-checkzone run over some zones which are not working (which are all except one, no idea what's different with the working one) - it just returns that it's "ignoring out of zone data" and some NS records (of my other NS).

But when running a "dig @[the refusing ns] [domain]", status is always refused and for sure no IPs returned.

Maybe you got an idea?
Thank you

Cheers
nexusrain

Comments

  • Make sure each of your domain zone records have "$ORIGIN domainname.com." at the top. If you don't put the "." at the end it will give you the "ignoring out of zone data" error and not load the zone. If it just says "$ORIGIN ." you will get the same error.

  • nexusrain Member
    edited February 2015

    @FrankZ Thanks for your answer. Not completely sure what you mean, so here's a zone file of a not working zone:

    ```
    @ 100 IN SOA ns1.xdns.xx. admin.xdns.xx. (
        2014011503 ; serial, todays date+todays
        2880       ; refresh, seconds
        7200       ; retry, seconds
        3600       ; expire, seconds
        8640 )     ; minimum, seconds

    ns1.xdns.xx.     100 IN A  104.224.xxx.xxx
    ns2.xdns.xx.     100 IN A  198.52.xxx.xxx
    xxx.xxx.         100 IN NS ns1.xdns.xx.
    xxx.xxx.         100 IN NS ns2.xdns.xx.

    xxx.xxx.         100 IN A  23.227.xxx.xxx
    www.xxx.xxx.     100 IN A  23.227.xxx.xxx

    mail.xxx.xxx.    100 IN A  23.227.xxx.xxx

    xxx.xxx.         100 IN MX 0 mail.xxx.xxx.
    ```
    (Sorry for the bad formatting, Vanilla doesn't want to show these lines as code)

    But there can't really be an error (the "ignoring out of zone data" will be there for sure, but that error / info never made bind stop working..) because I didn't change that file in some time. And some hours ago it worked fine but after ANY change I made - this one doesn't work as well. So the error must be in the .local or .options :/

  • nexusrain Member
    edited February 2015

    Haha, good job I did there. I set "allow-recursion" to none and "allow-query" to any in the .options and removed all "allow-transfer" in zone definitions (I always synced bind manually across the NSs, that option was from a bind howto) - works again. No idea what the problem was (and especially why one zone still worked which had the same configuration as all other zones), but most importantly - it's working again!

    Have a good day guys
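The view layout the thread is built on has one property worth checking with a script rather than by eye, added here as an example that is neither the poster's configuration nor a BIND tool: BIND evaluates views in file order and routes a query to the first view whose match-clients matches the client address, so a view with `match-clients { any; }` placed before the GeoDNS views hides them, and a query for a zone that is absent from the selected view is answered REFUSED when recursion is off (the symptom described above). The script parses a small subset of named.conf (acl, view, match-clients, zone), reports which view a client lands in and which zones it can reach there, and flags views that can never be selected. The sample configuration is constructed for this example with RFC 5737 documentation addresses; the ACL names, view names and file paths are invented.

```python
import ipaddress
import re

# Tokens: block comments, line comments, quoted strings, braces/semicolons, bare words.
TOKEN_RE = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*|"[^"]*"|[{};]|[^\s{};"]+', re.S)

def tokenize(text):
    """Yield named.conf tokens with all three comment styles dropped."""
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if not tok.startswith(("/*", "//", "#")):
            yield tok.strip('"')

def parse(tokens):
    """Nest '{ ... }' bodies: 'view "eu" { ... };' -> ['view', 'eu', [ ...body... ]]."""
    stmts, words = [], []
    for tok in tokens:
        if tok == "{":
            words.append(parse(tokens))   # shares the iterator; returns at the matching '}'
        elif tok == "}":
            break
        elif tok == ";":
            if words:
                stmts.append(words)
            words = []
        else:
            words.append(tok)
    if words:
        stmts.append(words)
    return stmts

def load_config(text):
    """Return (acls, views); views keep file order because BIND uses the first match."""
    acls = {"any": ["any"], "none": [], "localhost": ["127.0.0.0/8", "::1/128"]}
    views = []
    for s in parse(tokenize(text)):
        if s[0] == "acl":
            acls[s[1]] = [e[0] for e in s[2]]
        elif s[0] == "view":
            match, zones = ["any"], {}     # BIND's default match-clients is { any; }
            for st in s[-1]:
                if st[0] == "match-clients":
                    match = [e[0] for e in st[-1]]
                elif st[0] == "zone":
                    zones[st[1].lower().rstrip(".")] = st[-1]
            views.append((s[1], match, zones))
    return acls, views

def acl_matches(acls, entries, ip, seen=()):
    """True if the client address matches the ACL list (negated '!' entries not modelled)."""
    for e in entries:
        if e == "any":
            return True
        if e in acls:
            if e not in seen and acl_matches(acls, acls[e], ip, seen + (e,)):
                return True
        else:
            try:
                net = ipaddress.ip_network(e, strict=False)
            except ValueError:
                raise ValueError(f"unknown ACL name or address {e!r}") from None
            if ip in net:
                return True
    return False

def select_view(text, client):
    """Name of the first view whose match-clients matches `client`, or None."""
    acls, views = load_config(text)
    ip = ipaddress.ip_address(client)
    return next((name for name, match, _ in views if acl_matches(acls, match, ip)), None)

def served_by(text, client, zone):
    """View that answers `zone` for `client`; None means BIND replies REFUSED."""
    _, views = load_config(text)
    chosen = select_view(text, client)
    for name, _, zones in views:
        if name == chosen and zone.lower().rstrip(".") in zones:
            return name
    return None

def audit(text):
    """Views placed after a match-clients { any; } view can never be selected."""
    _, views = load_config(text)
    for i, (name, match, _) in enumerate(views):
        if "any" in match:
            return [f'view "{later}" is unreachable: view "{name}" matches any client first'
                    for later, _, _ in views[i + 1:]]
    return []

def missing_zones(text):
    """Per view, zones defined elsewhere but not here: clients routed there get REFUSED."""
    _, views = load_config(text)
    every = set().union(*(set(z) for _, _, z in views))
    gaps = {name: sorted(every - set(zones)) for name, _, zones in views}
    return {name: zs for name, zs in gaps.items() if zs}

# Constructed sample in the thread's layout (RFC 5737 addresses; names and paths invented).
ACLS = """
acl "FR" { 192.0.2.0/24; };
acl "GB" { 203.0.113.0/24; };
"""
VIEW_EU = """
view "bf_eu" {
    match-clients { FR; GB; };
    recursion no;
    zone "cdn.test" { type master; file "/etc/bind/zones/cdn/eu.zone"; allow-query { any; }; };
};
"""
VIEW_DEFAULT = """
view "default" {
    match-clients { any; };   // catch-all view: must be the last one
    recursion no;
    zone "cdn.test"   { type master; file "/etc/bind/zones/cdn/world.zone"; allow-query { any; }; };
    zone "other.test" { type master; file "/etc/bind/zones/other.test.zone"; allow-query { any; }; };
};
"""
GOOD = ACLS + VIEW_EU + VIEW_DEFAULT   # geo views first, catch-all last
BAD = ACLS + VIEW_DEFAULT + VIEW_EU    # catch-all first: bf_eu is never selected

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, "192.0.2.10 ->", select_view(cfg, "192.0.2.10"),
              "| cdn.test served by", served_by(cfg, "192.0.2.10", "cdn.test"))
        print(label, "audit:", audit(cfg) or "ok", "| missing zones:", missing_zones(cfg))
```

Run against the GOOD layout a French client lands in bf_eu and gets the EU zone file, while the same client asking for other.test gets nothing because that zone is not defined in bf_eu; with the BAD ordering every client lands in the catch-all view and bf_eu is dead weight. Both conditions are silent at named-checkconf time, which is why a check like this is worth running before reloading.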
