Hi,
ich kümmere mich um einen Server, für den ein PTR-Record für BIND auf einem anderen Server eingetragen werden muss. In diesem Fall ist es so, dass der Internetprovider (Vodafone) nicht willens oder nicht in der Lage ist, Reverse-DNS-Einträge für Domains ohne Subdomain anzulegen. Daher delegiert der PTR-Record von Vodafone den Lookup an einen Nameserver. Ich habe jetzt auch von meinem Vorgänger die Zone und die Konfiguration des alten DNS bekommen. Das Problem ist, dass BIND sich weigert, die Anfrage aufzulösen. nslookup für unseren PTR spuckt Folgendes aus:
nslookup -q=NS 166.254.23.XXX.in-addr.arpa ns2.arcor-ip.de
Server: ns2.arcor-ip.de
Address: 145.253.2.80#53
166.254.23.XXX.in-addr.arpa canonical name = 166.sub166.254.23.XXX.in-addr.arpa.
Also braucht 166.sub166.254.23.XXX.in-addr.arpa. einen PTR-Eintrag, der auf unsere Domain domain.de zeigt.
Hier der Schnipsel für die named.conf, den ich bekommen habe:
// Zone statement handed over for the classless (RFC 2317 style) reverse
// sub-zone that the provider's CNAME above points into.
zone "sub166.254.23.XXX.in-addr.arpa" {
    type master;
    file "/etc/bind/sub166.254.23.XXX.in-addr.arpa";
    // Hosts allowed to pull this zone; the 145.253.x.x addresses are the
    // provider name servers that also receive the NOTIFYs below.
    allow-transfer {127.0.0.1;145.253.2.19;145.253.2.80;145.253.3.171;145.253.180.17; };
    // Send NOTIFY on changes; "true" is accepted by named as a synonym
    // for "yes", which is why named-checkconf does not object to it.
    notify true;
    also-notify {145.253.2.19;145.253.2.80;145.253.3.171; };
};
Hier noch die zone die ich habe:
; Zone data for sub166.254.23.XXX.in-addr.arpa (the sub-zone the provider's
; CNAME points into). Leading whitespace is significant in master files: a
; line that starts with whitespace inherits the owner name of the previous
; record, a line that starts with a token uses that token as owner name.
; SOA: primary name server extern.YYY.net., contact mailbox AAA@YYY.net.
sub166.254.23.XXX.in-addr.arpa. 12H IN SOA extern.YYY.net. AAA.YYY.net. (
        2007110701 ; serial (date-encoded: 2007-11-07, change 01)
        8H ; refresh
        4H ; retry
        4w2d ; expire
        7H ) ; minimum (negative-caching TTL)
; No owner name here, so this NS record belongs to the zone apex inherited
; from the SOA above. NOTE(review): the provider's delegation for
; sub166.254.23.XXX.in-addr.arpa must point at this name for outside
; resolvers to reach the zone; the nslookup output above only shows the
; CNAME, not that NS delegation, so it is worth checking separately.
        12H IN NS extern.YYY.net.
; The single PTR: the target of the provider's CNAME maps back to domain.de.
166.sub166.254.23.XXX.in-addr.arpa. 12H IN PTR domain.de.
Ich bin bisher nur soweit gekommen, dass BIND entweder die Anfrage sowohl von intern als auch extern verweigert bzw. SERVFAIL meldet. named-checkconf als auch named-checkzone melden keine Fehler. Alle anderen resolvs laufen auch soweit.
Vielleicht hat jemand noch eine Idee.
Besten Dank
ig-88
named.conf
// advice from Rob Thomas noc@cymru.com
// Set up our ACLs
acl "xfer" {
    // Hosts allowed to pull zone transfers; referenced by the global
    // allow-transfer in "options" below. Per-zone allow-transfer lists
    // inside the views replace this set for their zone.
    // Note: 145.253.2.19, 145.253.2.80 and 145.253.3.171 also appear in
    // the "trusted" ACL and are therefore matched by view "internal-in".
    81.14.224.155; 81.14.160.183; 84.38.64.134; 80.153.110.208; 145.253.2.19; 145.253.2.80; 145.253.3.171;
};
acl "trusted" {
    // Place our internal and DMZ subnets in here so that
    // intranet and DMZ clients may send DNS queries. This
    // also prevents outside hosts from using our name server
    // as a resolver for other domains.
    10.0.0.0/8;
    194.231.187.77;
    127.0.0.0/8;
    // NOTE(review): the three addresses below are the provider name
    // servers that the sub166 reverse zone notifies and allows transfers
    // to. Views are matched in order and "internal-in" matches "trusted"
    // first, so queries and AXFR requests from these hosts are answered
    // from the internal view, which does not define that reverse zone --
    // a likely cause of the REFUSED/SERVFAIL answers described above.
    // Either remove them from this ACL or declare the reverse zone in
    // the internal view as well.
    145.253.2.19;
    145.253.2.80;
    145.253.3.171;
};
acl "bogon" {
// Filter out the bogon networks. These are networks
// listed by IANA as test, RFC1918, Multicast, experi-
// mental, etc. If you see DNS queries or updates with
// a source address within these networks, this is likely
// of malicious origin. CAUTION: If you are using RFC1918
// netblocks on your network, remove those netblocks from
// this list o
[...laaaange liste ...]
logging {
    channel default_syslog {
        // Send most of the named messages to syslog (facility local2).
        // Debug severity is enabled, but debug messages only appear while
        // the server's debug level is raised (named -d / rndc trace).
        syslog local2;
        severity debug;
    };
    channel audit_log {
        // Send the security related messages to a separate file.
        // No "versions"/"size" limits are given, so the file grows until
        // it is rotated externally; with "category queries" routed here,
        // every query lands in it once query logging is switched on.
        file "/var/log/bind/named.log";
        severity debug 1;
        print-time yes;
    };
    // Routing: operational categories go to syslog, traffic and
    // security related categories to the audit file (security to both).
    category default { default_syslog; };
    category general { default_syslog; };
    category security { audit_log; default_syslog; };
    category config { default_syslog; };
    category resolver { audit_log; };
    category xfer-in { audit_log; };
    category xfer-out { audit_log; };
    category notify { audit_log; };
    category client { audit_log; };
    category network { audit_log; };
    category update { audit_log; };
    category queries { audit_log; };
    category lame-servers { audit_log; };
};
// Set options for security
options {
    directory "/var/cache/bind";
    auth-nxdomain no; # conform to RFC1035
    // IPv4 only: no IPv6 listener.
    listen-on-v6 { none; };
    // Prevent DoS attacks by generating bogus zone transfer
    // requests. This will result in slower updates to the
    // slave servers (e.g. they will await the poll interval
    // before checking for updates).
    // This is only the default; the zones in view "external-in"
    // set "notify true" explicitly, which overrides it per zone.
    notify no;
    // Generate more efficient zone transfers. This will place
    // multiple DNS records in a DNS message, instead of one per
    // DNS message.
    transfer-format many-answers;
    // Set the maximum zone transfer time to something more
    // reasonable. In this case, we state that any zone transfer
    // that takes longer than 60 minutes is unlikely to ever
    // complete. WARNING: If you have very large zone files,
    // adjust this to fit your requirements.
    max-transfer-time-in 60;
    // We have no dynamic interfaces, so BIND shouldn't need to
    // poll for interface state {UP|DOWN}.
    // interface-interval 0;
    allow-transfer {
        // Zone transfers limited to members of the
        // "xfer" ACL. Per-zone allow-transfer statements in the
        // views replace this list for their zone (the sub166 reverse
        // zone, for example, adds 127.0.0.1 and 145.253.180.17).
        xfer;
    };
    allow-query {
        // Accept queries from our "trusted" ACL. We will
        // allow anyone to query our master zones below.
        // This prevents us from becoming a free DNS server
        // to the masses.
        // "tk" is not defined in the excerpt shown; since named-checkconf
        // passes, it presumably lives in the elided part of the file.
        trusted;
        tk;
    };
    allow-query-cache {
        // Accept queries of our cache from our "trusted" ACL.
        // No allow-recursion is configured; BIND 9.4 and later derive
        // it from this list, so recursion is effectively limited to
        // "trusted"/"tk" even in views that say "recursion yes". An
        // explicit allow-recursion would make that intent visible.
        trusted;
        tk;
    };
    blackhole {
        // Deny anything from the bogon networks as
        // detailed in the "bogon" ACL.
        bogon;
    };
};
view "internal-in" in {
    // Our internal (trusted) view. We permit the internal networks
    // to freely access this view. We perform recursion for our
    // internal hosts, and retrieve data from the cache for them.
    // NOTE(review): "trusted" also contains the provider name servers
    // 145.253.2.19, 145.253.2.80 and 145.253.3.171, so they are matched
    // here and never reach "external-in". This view carries no
    // sub166.254.23.*.in-addr.arpa zone, so those clients can get neither
    // the PTR nor a zone transfer from this server.
    match-clients { trusted; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;
    // prime the server with knowledge of the root servers
    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };
    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912
    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };
    zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
        // Queryable by anyone reaching this view, never transferable.
        allow-query {
            any;
        };
        allow-transfer {
            none;
        };
    };
    zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
    };
    zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
    };
    // Reverse zone for the RFC 1918 10/8 space; transfers only to
    // localhost and to the internal host 10.8.1.1, no NOTIFYs.
    zone "10.in-addr.arpa" {
        type master;
        file "/etc/bind/10.zone";
        notify false;
        allow-transfer { 127.0.0.1;10.8.1.1;};
    };
    // Internal copies of the forward zones. The file names suggest "ZZZ"
    // is an anonymised "kufa"; the external-in view serves "kufa.info"
    // from a different file (/net/exe/dns/ZZZ.info), so the two copies
    // can drift apart unless they are kept in sync by hand.
    zone "ZZZ" IN {
        type master;
        file "/etc/bind/kufa";
        notify false;
    };
    zone "ZZZ.info" IN {
        type master;
        file "/etc/bind/kufa.info";
        notify false;
    };
};
// Create a view for external DNS clients.
view "external-in" in {
    // Our external (untrusted) view. We permit any client to access
    // portions of this view. We do not perform recursion or cache
    // access for hosts using this view.
    match-clients { any; };
    // NOTE(review): "recursion yes" contradicts the comment above. Cache
    // and recursion access are still gated by the global
    // allow-query-cache { trusted; tk; }, but an authoritative-only view
    // for "any" should say "recursion no;" explicitly so that loosening
    // those ACLs later cannot turn this into an open resolver; the root
    // hint zone below is then no longer needed in this view.
    recursion yes;
    additional-from-auth no;
    additional-from-cache no;
    // Link in our zones
    zone "." in {
        type hint;
        file "/etc/bind/db.root";
    };
    // DO WE HAVE TO COPY THIS FOR THE INTERNAL_IN VIEW ABOVE!?!
    // (A view only knows the zones declared inside it. Clients in
    // "trusted" are served the internal-in copy, zone "ZZZ.info" from
    // /etc/bind/kufa.info, which is a different file from the one here.)
    zone "kufa.info" IN {
        type master;
        file "/net/exe/dns/ZZZ.info";
        notify true;
        allow-transfer {81.14.224.155; 81.14.160.183; 84.38.64.134; 80.153.110.208; };
        allow-query {
            any;
        };
    };
    zone "belanglos.de" IN {
        type master;
        file "/net/exe/dns/belanglos.de";
        notify true;
        allow-transfer {81.14.224.155; 81.14.160.183; 84.38.64.134; 80.153.110.208; };
        allow-query {
            any;
        };
    };
    zone "unineteressant.de" IN {
        type master;
        file "/net/exe/dns/unineteressant.de";
        notify true;
        allow-transfer {81.14.224.155; 81.14.160.183; 84.38.64.134; 80.153.110.208; };
        allow-query {
            any;
        };
    };
    // Smaller secondary set than the zones above.
    zone "kram.de" {
        type master;
        file "/net/exe/dns/kram.de";
        notify true;
        allow-transfer {84.38.64.134; 80.153.110.208; };
        allow-query {
            any;
        };
    };
    // Classless reverse sub-zone (apparently the "XXX" of the snippet
    // above is 213). Queryable by anyone; transfers and NOTIFYs go to the
    // provider servers 145.253.2.19/2.80/3.171. Those addresses are also
    // in the "trusted" ACL, so their requests are matched to view
    // "internal-in" -- which lacks this zone -- before they get here.
    zone "sub166.254.23.213.in-addr.arpa" IN {
        type master;
        file "/etc/bind/sub166.254.23.213.in-addr.arpa";
        allow-transfer {127.0.0.1;145.253.2.19;145.253.2.80;145.253.3.171;145.253.180.17; };
        notify true;
        also-notify {145.253.2.19;145.253.2.80;145.253.3.171; };
        allow-query {
            any;
        };
    };
};
// Create a view for all clients perusing the CHAOS class.
// We allow internal hosts to query our version number.
view "external-chaos" chaos {
    match-clients { any; };
    // With the hint zone pointing at /dev/null there is nothing to
    // recurse to; "recursion no;" would state that intent directly.
    recursion yes;
    zone "." {
        type hint;
        file "/dev/null";
    };
    // The version information mentioned above lives in db.chaos; only
    // members of "trusted" may query it and nobody may transfer it.
    zone "bind" {
        type master;
        file "/etc/bind/db.chaos";
        allow-query {
            trusted;
        };
        allow-transfer {
            none;
        };
    };
};