[afnog] need a help on DNS CONFIG with view
Kossi TEPE
ktepester at gmail.com
Thu Jun 24 08:16:05 UTC 2010
My named.conf file looks like this:
/*
Sample named.conf BIND DNS server 'named' configuration file
for the Red Hat BIND distribution.
See the BIND Administrator's Reference Manual (ARM) for details, in:
file:///usr/share/doc/bind-{version}/arm/Bv9ARM.html
Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
its manual.
*/
options
{
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // "Working" directory
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
/*
Specify listening interfaces. You can use a list of addresses (';' is the
delimiter) or the keywords "any"/"none"
*/
listen-on port 53 { any; };
//listen-on port 53 { 127.0.0.1; 41.207.188.27; };
// listen-on-v6 port 53 { any; };
//listen-on-v6 port 53 { ::1; };
/*
Access restrictions
There are two important options:
allow-query { argument; };
- allow queries for authoritative data
allow-query-cache { argument; };
- allow queries for non-authoritative data (mostly cached data)
You can use an address, a network address or the keywords
"any"/"localhost"/"none" as argument
Examples:
allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
*/
// allow-query { localhost; };
// allow-query { any; };
// allow-query-cache { localhost; 41.207.188.27; 41.207.188.26; };
// Enable/disable recursion - recursion yes/no;
recursion no;
/* DNSSEC related options. See information about keys ("Trusted keys", below) */
/* Enable serving of DNSSEC related data - enable on both authoritative
and recursive DNSSEC-aware servers */
dnssec-enable no;
/* Enable DNSSEC validation on recursive servers */
dnssec-validation no;
forwarders { 80.248.64.3; };
};
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
/*
Views let a name server answer a DNS query differently depending on who is
asking.
By default, if named.conf contains no "view" clauses, all zones are in the
"default" view, which matches all clients.
Views are processed sequentially. The first match is used, so the last view should
match "any" - it's the fallback and the most restricted view.
If named.conf contains any "view" clause, then all zones MUST be in a view.
*/
// #view "localhost_resolver"
//#{
/* This view sets up named to be a localhost resolver (caching only nameserver).
* If all you want is a caching-only nameserver, then you need only define this view:
*/
//# match-clients { localhost; };
//# recursion yes;
# all views must contain the root hints zone:
//# zone "." IN {
//# type hint;
//# file "/var/named/named.ca";
//# };
//#zone "univ-lome.tg"{
// # type master;
// # allow-update {none;};
// # file "data/ulhost";
//# };
/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* not leak to the other nameservers:
*/
// include "/etc/named.rfc1912.zones";
//};
view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
that connect via your directly attached LAN interfaces - "localnets" .
*/
match-clients { localhost; 41.207.188.24/29; 192.168.210.0/24; };
recursion yes;
zone "." IN {
type hint;
file "/var/named/named.ca";
};
/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* not leak to the other nameservers:
*/
include "/etc/named.rfc1912.zones";
// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :
/*
NOTE for dynamic DNS zones and secondary zones:
DO NOT USE SAME FILES IN MULTIPLE VIEWS!
If you are using views and DDNS/secondary zones it is strongly
recommended to read the FAQ on the ISC site (www.isc.org), section
"Configuration and Setup Questions", questions
"How do I share a dynamic zone between multiple views?" and
"How can I make a server a slave for both an internal and an external
view at the same time?"
*/
zone "univ-lome.tg"{
type master;
allow-update {none;};
file "/var/named/data/ulhost";
};
zone "188.207.41.in-addr.arpa"{
type master;
allow-update {none;};
file "/var/named/data/ulrev";
};
};
view "external"
{
/* This view will contain zones you want to serve only to "external" clients
* whose addresses do not match any of the views above:
*/
match-clients { any; };
allow-query {any; };
match-destinations { any; };
zone "." IN {
type hint;
file "/var/named/named.ca";
};
recursion no;
// you'd probably want to deny recursion to external clients, so you don't
// end up providing free DNS service to all takers
// These are your "authoritative" external zones, and would probably
// contain entries for just your web and mail servers:
zone "univ-lome.tg"{
type master;
allow-update {none;};
file "/var/named/data/ulhostext";
allow-transfer { 80.248.64.3;};
};
};
/* Trusted keys
This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
have to configure at least one trusted key.
Note that no key written below is valid. Especially the root key, because the root zone
is not signed yet.
*/
/*
trusted-keys {
};
*/
External zone file:
; Zone file for the domain UNIV-LOME.TG
;
$TTL 10M
@ IN SOA ulns.univ-lome.tg. root.univ-lome.tg. (
2010030609 ;Serial
15M ;refresh
10M ;retry
1W ;expire
1D ) ;Minimum
IN NS localhost.
IN NS ulns.univ-lome.tg.
; IN NS toffa.cafe.tg.
IN NS ns1.cafe.tg.
IN MX 10 mail.univ-lome.tg.
;
localhost IN A 127.0.0.1
caf-gw IN A 41.207.188.25
ulns.univ-lome.tg. IN A 41.207.188.27
mail.univ-lome.tg. IN A 41.207.188.27
ulns2.univ-lome.tg. IN A 41.207.188.30
univ-lome.tg. IN A 41.207.188.27
; Virtual Hosting
;
; ulns machines
;
ns1 IN CNAME ulns
; ulweb machine
;
www IN CNAME ulns.univ-lome.tg.
www1 IN CNAME ulns2.univ-lome.tg.
dig test:
[root@ulns ~]# dig univ-lome.tg
; <<>> DiG 9.6.1-P1-RedHat-9.6.1-11.P1.fc12 <<>> univ-lome.tg
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5275
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; QUESTION SECTION:
;univ-lome.tg. IN A
;; ANSWER SECTION:
univ-lome.tg. 600 IN A 41.207.188.27
;; AUTHORITY SECTION:
univ-lome.tg. 600 IN NS localhost.
univ-lome.tg. 600 IN NS toffa.cafe.tg.
univ-lome.tg. 600 IN NS ulns.univ-lome.tg.
;; ADDITIONAL SECTION:
ulns.univ-lome.tg. 600 IN A 41.207.188.27
toffa.cafe.tg. 18218 IN A 80.248.64.3
localhost. 86400 IN A 127.0.0.1
localhost. 86400 IN AAAA ::1
;; Query time: 12 msec
;; SERVER: 41.207.188.27#53(41.207.188.27)
;; WHEN: Thu Jun 24 08:04:30 2010
;; MSG SIZE rcvd: 189
log file:
[root@ulns ~]# tail /var/log/messages
Jun 24 08:06:44 ulns named[3828]: zone 188.207.41.in-addr.arpa/IN/internal: loaded serial 2010210404
Jun 24 08:06:44 ulns named[3828]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/internal: NS '1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa' has no address records (A or AAAA)
Jun 24 08:06:44 ulns named[3828]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/internal: loaded serial 0
Jun 24 08:06:44 ulns named[3828]: zone localhost.localdomain/IN/internal: loaded serial 0
Jun 24 08:06:44 ulns named[3828]: zone localhost/IN/internal: loaded serial 0
Jun 24 08:06:44 ulns named[3828]: zone univ-lome.tg/IN/internal: loaded serial 2010030512
Jun 24 08:06:44 ulns named[3828]: zone univ-lome.tg/IN/external: loaded serial 2010030609
Jun 24 08:06:44 ulns named[3828]: running
Jun 24 08:06:44 ulns named[3828]: zone univ-lome.tg/IN/internal: sending notifies (serial 2010030512)
Jun 24 08:06:44 ulns named[3828]: zone univ-lome.tg/IN/external: sending notifies (serial 2010030609)
Thanks for your help.
2010/6/23 Noah Sematimba <ksemat at psg.com>
>
> On Jun 23, 2010, at 10:43 PM, Kossi TEPE wrote:
>
>> I made my DNS config on Fedora Core 12 with view clauses, but my external
>> zone is not working. All tests made from the Internet do not find any records in
>> my zone, but my internal zone config is working very well and lets me reach
>> external websites. My website does not appear outside my network.
>>
>
> It would help if you posted your config, relevant portions of your log
> files for when named is starting up and some dig results perhaps?
>
> Noah.
>
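Added example (not part of the original post or of BIND): a small Python model of BIND's first-match view selection over the match-clients lists in the named.conf above. It shows that a query sent from the server itself (as the posted dig was, against 41.207.188.27, an address inside 41.207.188.24/29) is answered by the "internal" view and its zone file, while only a source address outside both internal prefixes reaches the "external" view. ACL elements follow BIND's documented first-matching-element rule (any/none/localhost, prefixes, `!` negation); expanding "localhost" to the loopback ranges only is an assumption, since the real keyword covers every address configured on the server.

```python
import ipaddress

# match-clients lists copied from the posted named.conf, in file order.
# BIND hands a query to the first view whose match-clients ACL accepts
# the query's source address, so order matters as much as the prefixes.
VIEWS = [
    ("internal", ["localhost", "41.207.188.24/29", "192.168.210.0/24"]),
    ("external", ["any"]),
]

# Assumption: BIND's "localhost" keyword covers every address configured on
# the server; only the loopback ranges are modelled here.
LOCALHOST_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def element_matches(element, addr):
    """True if one ACL element (without a leading '!') covers addr."""
    if element == "any":
        return True
    if element == "none":
        return False
    if element == "localhost":
        return any(addr in net for net in LOCALHOST_NETS)
    # A bare address or a prefix; an IPv4 net never contains an IPv6 addr.
    return addr in ipaddress.ip_network(element, strict=False)


def acl_allows(acl, client):
    """BIND ACL rule: the first element that covers the address decides;
    a negated element ('!prefix') rejects it, a plain one accepts it."""
    addr = ipaddress.ip_address(client)
    for element in acl:
        negated = element.startswith("!")
        if element_matches(element.lstrip("!"), addr):
            return not negated
    return False


def select_view(client, views=VIEWS):
    """Name of the view that answers a query from client, or None if none matches."""
    for name, acl in views:
        if acl_allows(acl, client):
            return name
    return None


if __name__ == "__main__":
    # The posted dig was run on the server itself against 41.207.188.27,
    # an address inside 41.207.188.24/29, so the "internal" view answered it.
    for src in ("127.0.0.1", "41.207.188.27", "192.168.210.5", "41.207.188.32", "80.248.64.3"):
        print(f"{src:16} -> view {select_view(src)}")
```

Because the internal view is matched first, a dig run on ulns can only ever exercise the internal zone file (serial 2010030512 in the log); the external file (serial 2010030609) is only consulted for source addresses that fall through both internal prefixes.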