Bind refusing requests
Hi there,
I just implemented GeoDNS using this method: http://phix.me/geodns/ on my DNS servers. The primary server is running Debian 7, Bind 9.8.4; the other one is Ubuntu 14.04, Bind 9.9.5.
I want to use GeoDNS to run my own CDN servers, and it worked fine so far. But today I extended the defined countries (which countries use which zone) and now my primary DNS refuses any queries on any domain. I have "allow-query { any; };" in all zone definitions, no idea what's wrong.
The named.conf just includes .options and .local, everything else is commented.
named.conf.local:
Non-GeoDNS zone definitions are like this:
```
view "xxxx" {
    match-clients { any; };
    // recursion no;
    zone "xxxx.xx" {
        type master;
        file "/etc/bind/zones/xxxx.xx.zone";
        allow-query { any; };
        // allow-transfer { xfer; };
    };
};
```
GeoDNS zone definitions like this:
```
view "bf_eu" {
    match-clients { FR; GB; IE; IS; };
    // recursion no;
    zone "xxxx.xx" {
        type master;
        file "/etc/bind/zones/xxxx/eu.zone";
        allow-query { any; };
    };
};
```
And yes, the acl file which contains the IP ranges is being imported in the .local.
named.conf.options:
```
/*
 * Deny transfers by default except for the listed hosts.
 * If we have other name servers, place them here.
 */
acl "xfer" {
    x.x.x.x;
    x.x.x.x;
};

/*
 * You might put in here some IPs which are allowed to use the cache or
 * recursive queries.
 */
acl "trusted" {
    127.0.0.0/8;
};

options {
    directory "/var/cache/bind";
    pid-file "/var/run/named/named.pid";
    listen-on-v6 { none; };
    listen-on { any; };

    /*
     * Accept queries from our "trusted" ACL. We will
     * allow anyone to query our master zones below.
     * This prevents us from becoming a free DNS server
     * to the masses.
     */

    /* Use the cache for the "trusted" ACL. */
    allow-query-cache {
        trusted;
    };

    /* Only trusted addresses are allowed to use recursion. */
    allow-recursion {
        trusted;
    };

    /* Zone transfers are denied by default. */
    allow-transfer {
        none;
    };

    /* Don't allow updates, e.g. via nsupdate. */
    allow-update {
        none;
    };

    /* if you have problems and are behind a firewall: */
    //query-source address * port 53;

    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035

    // forwarders {
    //     0.0.0.0;
    // };

    statistics-file "/var/cache/bind/bind.stats";
    zone-statistics yes;
};
```
named-checkconf doesn't return any error. When letting named-checkzone run over some zones which are not working (which are all except one, no idea what's different with the working one), it just returns that it's "ignoring out of zone data" and some NS records (of my other NS).
But when running a "dig @[the refusing ns] [domain]", status is always refused and for sure no IPs returned.
Maybe you got an idea?
Thank you
Cheers
nexusrain
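One thing worth checking in a setup like the one posted above is how BIND picks a view: a client is matched against the views in file order and gets the FIRST view whose match-clients matches, and that view answers only from the zones defined inside it. With recursion denied, a query from a matched client for a name that lives in no zone of that view comes back as status REFUSED, regardless of any "allow-query { any; };" on the zone in some other view. The model below is an added example written for this thread, not BIND code and not the poster's configuration; the ACL prefixes and zone names are constructed placeholders (documentation ranges standing in for the GeoIP country lists the acl file provides).

```python
import ipaddress

# Constructed ACL table: placeholder documentation ranges standing in for the
# GeoIP country ACLs imported from the acl file in the thread (not real GeoIP data).
ACLS = {
    "FR": ["192.0.2.0/24"],
    "GB": ["198.51.100.0/24"],
    "any": ["0.0.0.0/0"],
}

# Constructed view list in configuration-file order, shaped like the posted
# named.conf.local: a GeoDNS view that carries only the CDN zone, followed by a
# catch-all view that carries every zone. Zone names are placeholders.
VIEWS = [
    {"name": "bf_eu", "match_clients": ["FR", "GB"], "zones": {"cdn.example"}},
    {"name": "catchall", "match_clients": ["any"], "zones": {"cdn.example", "plain.example"}},
]


def client_matches_acl(ip, acl_name, acls=ACLS):
    """True if ip falls inside any prefix of the named ACL."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(prefix) for prefix in acls[acl_name])


def select_view(ip, views=VIEWS, acls=ACLS):
    """BIND uses the FIRST view whose match-clients matches; later views are never consulted."""
    for view in views:
        if any(client_matches_acl(ip, acl, acls) for acl in view["match_clients"]):
            return view
    return None


def zone_for(qname, zones):
    """Return the zone (longest suffix match) that qname belongs to, or None."""
    name = qname.rstrip(".").lower()
    best = None
    for zone in zones:
        z = zone.rstrip(".").lower()
        if name == z or name.endswith("." + z):
            if best is None or len(z) > len(best):
                best = z
    return best


def resolve(ip, qname, views=VIEWS, acls=ACLS):
    """Model the status a non-recursive server returns: NOERROR when the matched
    view is authoritative for qname, REFUSED otherwise (no matching view, or the
    zone is absent from the matched view), i.e. the 'status: REFUSED' seen in dig."""
    view = select_view(ip, views, acls)
    if view is None:
        return (None, "REFUSED")
    zone = zone_for(qname, view["zones"])
    return (view["name"], "NOERROR" if zone else "REFUSED")


def zones_missing_per_view(views=VIEWS):
    """Config lint: every zone served anywhere must appear in every view, otherwise
    clients that match that view get REFUSED for it. Returns sorted (view, zone) pairs."""
    all_zones = set().union(*(v["zones"] for v in views))
    return sorted((v["name"], z) for v in views for z in all_zones - v["zones"])


if __name__ == "__main__":
    probes = [
        ("192.0.2.10", "www.plain.example"),    # FR client, zone only in catch-all view
        ("192.0.2.10", "www.cdn.example"),      # FR client, zone present in geo view
        ("203.0.113.7", "www.plain.example"),   # client matching no country ACL
    ]
    for ip, name in probes:
        print(ip, name, resolve(ip, name))
    print("zones missing from a view:", zones_missing_per_view())
```

Running the lint over the real view list is the quick check here: every (view, zone) pair it prints is a zone that some clients can never reach. Widening the country ACLs on a geo view enlarges the set of clients that land in that view, so zones present only in the catch-all view start returning REFUSED for exactly those clients; the reverse mistake (a match-clients { any; } view listed first) silently routes everyone past the geo views.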
Comments
Make sure each of your domain zone records have "$ORIGIN domainname.com." at the top. If you don't put the "." at the end it will give you the "ignoring out of zone data" error and not load the zone. If it just says "$ORIGIN ." you will get the same error.
@FrankZ Thanks for your answer. Not completely sure what you mean, so here's a zone file of a not working zone:
```
@               100 IN SOA ns1.xdns.xx. admin.xdns.xx. (
                    2014011503 ; serial, todays date+todays
                    2880       ; refresh, seconds
                    7200       ; retry, seconds
                    3600       ; expire, seconds
                    8640 )     ; minimum, seconds
ns1.xdns.xx.    100 IN A    104.224.xxx.xxx
ns2.xdns.xx.    100 IN A    198.52.xxx.xxx
xxx.xxx.        100 IN NS   ns1.xdns.xx.
xxx.xxx.        100 IN NS   ns2.xdns.xx.
xxx.xxx.        100 IN A    23.227.xxx.xxx
www.xxx.xxx.    100 IN A    23.227.xxx.xxx
mail.xxx.xxx.   100 IN A    23.227.xxx.xxx
xxx.xxx.        100 IN MX 0 mail.xxx.xxx.
```
(Sorry for the bad formatting, Vanilla doesn't want to show these lines as code.)
But there can't really be an error there (the "ignoring out of zone data" will be there for sure, but that error / info never made bind stop working..) because I haven't changed that file for some time. And some hours ago it worked fine, but after ANY change I made, this one doesn't work either. So the error must be in the .local or .options.
Haha, good job I did there. I set "allow-recursion" to none and "allow-query" to any in the .options and removed all "allow-transfer" in zone definitions (I always synced bind manually across the NSes, that option was from a bind howto), and it works again. No idea what the problem was (and especially why one zone still worked which had the same configuration as all other zones), but most importantly, it's working again!
Have a good day guys