Named errors - running BIND in sandbox

From: Stacey Roberts (stacey_at_vickiandstacey.com)
Date: 11/29/03

    Date: Sat, 29 Nov 2003 16:18:13 +0000
    To: freebsd-questions@FreeBSD.ORG

    Hello,
        I know that I've asked this in the past, but after a fresh reinstall of the machine on my local network that provided (amongst other services) DNS to all other machines (FreeBSD, Solaris, Win2K & WinXP Pro), I find that I am not having much success setting up BIND in a sandbox.

    The box is running FreeBSD-4.9Stable (after initially installing 4.8-Rel) after cvsup of sources.

    Basically, the errors I get on start-up are here:
    /etc/namedb/etc # tail /var/log/messages
    Nov 29 15:42:39 Demon named[226]: 'masters' statement present for master zone 'vickiandstacey.com'
    Nov 29 15:42:39 Demon named[226]: zone 'vickiandstacey.com' did not validate, skipping
    Nov 29 15:42:39 Demon named[226]: bind(dfd=20, [192.168.1.8].53): Address already in use
    Nov 29 15:42:39 Demon named[226]: deleting interface [192.168.1.8].53
    Nov 29 15:42:39 Demon named[226]: bind(dfd=20, [127.0.0.1].53): Address already in use
    Nov 29 15:42:39 Demon named[226]: deleting interface [127.0.0.1].53
    Nov 29 15:42:39 Demon named[226]: not listening on any interfaces
    Nov 29 15:42:39 Demon named[233]: Ready to answer queries.
    Nov 29 15:42:39 Demon named[234]: can't exec /bin/named-xfer: No such file or directory
    Nov 29 15:43:47 Demon named-xfer[240]: [192.168.1.8] not authoritative for 1.168.192.in-addr.arpa, SOA query got rcode 0, aa 0, ancount 0, aucount 13
    /etc/namedb/etc #

    Here's the layout for named as followed from the HandBook (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-dns.html#NETWORK-NAMED-SANDBOX):
    $ ls -la /etc/namedb
    total 22
    drwxr-xr-x 8 root wheel 512 Nov 29 12:43 .
    drwxr-xr-x 17 root wheel 2048 Nov 25 12:49 ..
    -rw-r--r-- 1 root wheel 427 Apr 3 2003 PROTO.localhost-v6.rev
    -rw-r--r-- 1 root wheel 423 Apr 3 2003 PROTO.localhost.rev
    drwxr-xr-x 2 root wheel 512 Nov 29 11:33 bin
    drwxr-xr-x 2 root wheel 512 Nov 29 15:33 dev
    drwxr-xr-x 2 root wheel 512 Nov 29 11:39 etc
    -rw-r--r-- 1 root wheel 1032 Apr 3 2003 make-localhost
    drwxr-xr-x 2 root wheel 512 Nov 29 12:22 master
    lrwxr-xr-x 1 root wheel 14 Nov 29 11:19 named.conf -> etc/named.conf
    drwxr-xr-x 2 bind bind 512 Nov 29 16:03 slave
    drwxr-xr-x 4 root wheel 512 Nov 29 12:43 var
    stacey@Demon ~ $

    $ ls -la /etc/namedb/etc
    total 14
    drwxr-xr-x 2 root wheel 512 Nov 29 11:39 .
    drwxr-xr-x 8 root wheel 512 Nov 29 12:43 ..
    -r--r--r-- 1 root wheel 1323 Nov 29 11:18 localtime
    -rw-r--r-- 1 root wheel 3892 Nov 29 15:42 named.conf
    -rw-r--r-- 1 root wheel 3478 Nov 29 11:39 named.conf-29112003
    stacey@Demon ~ $

    stacey@Demon ~ $ ls -la /etc/namedb/master/
    total 16
    drwxr-xr-x 2 root wheel 512 Nov 29 12:22 .
    drwxr-xr-x 8 root wheel 512 Nov 29 12:43 ..
    -rw-r--r-- 1 root wheel 493 Nov 29 11:20 localhost-v6.rev
    -rw-r--r-- 1 root wheel 489 Nov 29 11:20 localhost.rev
    -rw-r--r-- 1 root wheel 200 Nov 29 15:40 named.localhost
    -rw-r--r-- 1 root wheel 2583 Apr 3 2003 named.root
    -rw-r--r-- 1 root wheel 473 Nov 29 15:31 vickiandstacey.com.db
    stacey@Demon ~ $

    stacey@Demon ~ $ ls -la /etc/namedb/slave/
    total 6
    drwxr-xr-x 2 bind bind 512 Nov 29 16:03 .
    drwxr-xr-x 8 root wheel 512 Nov 29 12:43 ..
    -rw-r--r-- 1 root bind 460 Nov 29 13:15 1.168.192.in-addr.arpa
    stacey@Demon ~ $

    Here are the config files:

    named.conf:
    stacey@Demon /etc/namedb/etc $ cat named.conf
    // $FreeBSD: src/etc/namedb/named.conf,v 1.6.2.7 2003/02/13 13:16:51 keramida Exp $
    //
    // Refer to the named.conf(5) and named(8) man pages for details. If
    // you are ever going to set up a primary server, make sure you
    // understand the hairy details of how DNS works. Even with
    // simple mistakes, you can break connectivity for affected parties,
    // or cause huge amounts of useless Internet traffic.
     
    options {
            directory "/";
            named-xfer "/bin/named-xfer";
            version ""; // Don't reveal BIND version
     
    // In addition to the "forwarders" clause, you can force your name
    // server to never initiate queries of its own, but always ask its
    // forwarders only, by enabling the following line:
    //
    // forward only;
     
    // If you've got a DNS server around at your upstream provider, enter
    // its IP address here, and enable the line below. This will make you
    // benefit from its cache, thus reduce overall DNS traffic in the Internet.
     
            forwarders {
                    212.23.8.6;
            };
     
             /*
             * If there is a firewall between you and nameservers you want
             * to talk to, you might need to uncomment the query-source
             * directive below. Previous versions of BIND always asked
             * questions using port 53, but BIND 8.1 uses an unprivileged
             * port by default.
             */
              
            query-source address * port 53;
     
     
             /*
             * If running in a sandbox, you may have to specify a different
             * location for the dumpfile.
             */
            // dump-file "s/named_dump.db";
    };
     
    // ndc control socket
    controls {
            unix "/var/run/ndc" perm 0600 owner 0 group 0;
    };
     
    // Note: the following will be supported in a future release.
    /*
    host { any; } {
            topology {
                    127.0.0.0/8;
            };
    };
    */
     
    // Setting up secondaries is way easier and a rough example for this
    // is provided below.
    //
    // If you enable a local name server, don't forget to enter 127.0.0.1
    // first in your /etc/resolv.conf so this server will be queried.
    // Also, make sure to enable it in /etc/rc.conf.
     
    zone "." {
            type hint;
            file "master/named.root";
    };
     
    zone "localhost" IN {
            type master;
            file "master/named.localhost";
            allow-transfer { localhost; };
            notify no;
    };
     
    zone "0.0.127.IN-ADDR.ARPA" {
            type master;
            file "master/localhost.rev";
            allow-transfer { localhost; };
            notify no;
    };
     
    // RFC 3152
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
            type master;
            file "master/localhost-v6.rev";
            allow-transfer { localhost; };
            notify no;
    };
     
    // RFC 1886 -- deprecated
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
            type master;
            file "master/localhost-v6.rev";
    };
     
    // NB: Do not use the IP addresses below, they are faked, and only
    // serve demonstration/documentation purposes!
    //
    // Example secondary config entries. It can be convenient to become
    // a secondary at least for the zone your own domain is in. Ask
    // your network administrator for the IP address of the responsible
    // primary.
    //
    // Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
    // (This is named after the first bytes of the IP address, in reverse
    // order, with ".IN-ADDR.ARPA" appended.)
    //
    // Before starting to set up a primary zone, make sure you fully
    // understand how DNS and BIND works. There are sometimes
    // non-obvious pitfalls. Setting up a secondary is simpler.
    //
    // NB: Don't blindly enable the examples below. :-) Use actual names
    // and addresses instead.
    //
    // NOTE!!! FreeBSD can run bind in a sandbox (see named_flags in rc.conf).
    // The directory containing the secondary zones must be write accessible
    // to bind. The following sequence is suggested:
    //
    // mkdir /etc/namedb/s
    // chown bind:bind /etc/namedb/s
    // chmod 750 /etc/namedb/s
     
     
    zone "vickiandstacey.com" {
            type master;
            file "master/vickiandstacey.com.db";
            allow-transfer { 192.168.1.0/24; };
            masters {
                    192.168.1.8;
            };
    };
     
    zone "1.168.192.in-addr.arpa" {
            type slave;
            file "slave/1.168.192.in-addr.arpa";
            masters {
                    192.168.1.8;
            };
    };
     
    stacey@Demon /etc/namedb/etc $

    vickiandstacey.com.db:
    stacey@Demon /etc/namedb $ cat master/vickiandstacey.com.db
    $TTL 3600
     
    vickiandstacey.com. IN SOA Demon.vickiandstacey.com. stacey.vickiandstacey.com. (
                                            6 ; Serial
                                            10800 ; Refresh
                                            3600 ; Retry
                                            604800 ; Expire
                                            86400 ) ; Minimum TTL
     
    ; DNS Servers
    @ IN NS Demon.vickiandstacey.com.
     
    ; Host Names
    localhost IN A 127.0.0.1
    snowball IN A 192.168.1.6
    omni IN A 192.168.1.7
    Demon IN A 192.168.1.8
    crom IN A 192.168.1.10
    conan IN A 192.168.1.12
    ibm IN A 192.168.1.14
     
    ; Aliases
    ;www IN CNAME @
    stacey@Demon /etc/namedb $

    1.168.192.in-addr.arpa:
    stacey@Demon /etc/namedb $ cat slave/1.168.192.in-addr.arpa
    $TTL 3600
     
    1.168.192.in-addr.arpa IN SOA Demon.vickiandstacey.com. stacey.vickiandstacey.com. (
                                    6 ; Serial
                                    10800 ; Refresh
                                    3600 ; Retry
                                    604800 ; Expire
                                    3600 ) ; Minimum TTL
     
    @ IN NS Demon.vickiandstacey.com.
     
    6 IN PTR snowball.vickiandstacey.com.
    7 IN PTR omni.vickiandstacey.com.
    8 IN PTR Demon.vickiandstacey.com.
    10 IN PTR crom.vickiandstacey.com.
    12 IN PTR conan.vickiandstacey.com.
    14 IN PTR ibm.vickiandstacey.com.
    stacey@Demon /etc/namedb $

    Here are the relevant entries in /etc/rc.conf:
    stacey@Demon /etc/namedb $ grep -i named /etc/rc.conf
    syslogd_flags="-ss -l /etc/namedb/dev/log"
    named_enable="YES"
    named_flags="-u bind -g bind -t /etc/namedb /etc/named.conf"
    stacey@Demon /etc/namedb $

    Here's what I've got in resolv.conf:
    root@Demon /etc/namedb # cat /etc/resolv.conf
    domain vickiandstacey.com
    nameserver 127.0.0.1
    nameserver 192.168.1.8
    root@Demon /etc/namedb #

    An example of my problem follows:
    root@Demon /etc/namedb # nslookup
    Default Server: localhost.vickiandstacey.com
    Address: 127.0.0.1
     
    > server Demon.vickiandstacey.com
    Default Server: Demon.vickiandstacey.com
    Address: 82.68.31.177
     
    >

    Prior to reinstalling, I would get "Demon.vickiandstacey.com" returned as the Default Server, not localhost as above.

    Secondly, the address 82.68.31.177 is the real IP address of Demon (I have a block of 8) that is translated to 192.168.1.8, the internal IP address of Demon. So I'd have hoped that trying to set server to Demon would have resulted in "Address: 192.168.1.8" instead of the machine's real IP address.

    I'd gladly provide more information here if anyone thinks it would assist in helping me here. Thanks for the time.

    Regards,

    Stacey

    -- 
    Stacey Roberts
    B. Sc (HONS) Computer Science
    Web: www.vickiandstacey.com
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
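Added example, not part of the post or of BIND/FreeBSD: a small Python checker that reads named.conf the way the chrooted named does (zone and named-xfer paths resolved against the in-sandbox `directory`) and reports the three conditions the log above complains about: a `masters` statement in a master zone, a named-xfer binary that does not exist inside the sandbox, and a slave zone whose directory is not owned by the named user. The config excerpt and the path-to-owner map are constructed from the listings in the post; the parser only handles one level of nested braces, which is enough for `masters` and `forwarders` blocks.

```python
import posixpath
import re

# Constructed excerpt modelled on the named.conf in the post (BIND 8 syntax).
SAMPLE_CONF = """options {
        directory "/";
        named-xfer "/bin/named-xfer";
};
zone "vickiandstacey.com" {
        type master;
        file "master/vickiandstacey.com.db";
        masters { 192.168.1.8; };
};
zone "1.168.192.in-addr.arpa" {
        type slave;
        file "slave/1.168.192.in-addr.arpa";
        masters { 192.168.1.8; };
};
"""
# Constructed map of the sandbox from the post's ls output: in-chroot path -> owner.
# /bin is present but holds no named-xfer, matching "can't exec /bin/named-xfer".
SAMPLE_FS = {"/bin": "root", "/master/vickiandstacey.com.db": "root",
             "/slave": "bind", "/slave/1.168.192.in-addr.arpa": "root"}
BLOCK = r'\{((?:[^{}]|\{[^{}]*\})*)\}\s*;'  # a brace block with one nested level

def _resolve(directory, path):
    # Path as named sees it inside the chroot: relative names hang off 'directory'.
    return posixpath.normpath(path if path.startswith("/") else posixpath.join(directory, path))

def _first(pattern, text, default=""):
    m = re.search(pattern, text)
    return m.group(1) if m else default

def lint_named_conf(conf, fs, named_user="bind"):
    """Return findings for a chrooted BIND 8 config; fs maps in-chroot paths to owners."""
    conf = re.sub(r"/\*.*?\*/|//[^\n]*", "", conf, flags=re.S)  # drop both comment styles
    opts = _first(r"options\s*" + BLOCK, conf)
    directory = _first(r'directory\s+"([^"]+)"', opts, ".")
    xfer = _first(r'named-xfer\s+"([^"]+)"', opts)
    findings = []
    if xfer and _resolve(directory, xfer) not in fs:
        findings.append("named-xfer %s missing inside the chroot" % xfer)
    for name, body in re.findall(r'zone\s+"([^"]+)"[^{]*' + BLOCK, conf):
        ztype = _first(r"\btype\s+(\w+)\s*;", body)
        if ztype == "master" and re.search(r"\bmasters\s*\{", body):
            findings.append("zone %s: 'masters' statement present for master zone" % name)
        fpath = _first(r'file\s+"([^"]+)"', body)
        if not fpath:
            continue  # hint zones without a file, forward zones, etc.
        path = _resolve(directory, fpath)
        if path not in fs:
            findings.append("zone %s: file %s missing inside the chroot" % (name, path))
        elif ztype == "slave" and fs.get(posixpath.dirname(path)) != named_user:
            findings.append("zone %s: %s must be owned by %s for transfers to be written" % (name, posixpath.dirname(path), named_user))
    return findings
```

Running `lint_named_conf(SAMPLE_CONF, SAMPLE_FS)` reproduces the first two complaints from the post's log; adding `/bin/named-xfer` to the map clears the first, and the slave-directory check only fires when `/slave` is not owned by the named user.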
    
