Hi, I have installed and configured ISPConfig 3 for the sole purpose of providing Bind DNS answers to my internal clients for internal zones. However, I need to add forwarding of DNS for non-authoritative zones/domains to the internet for resolution. I know I can manipulate bind to do this for me, but does this compromise the functionality of ISPConfig by doing this? I'm primarily using ISPConfig as a way to provide a GUI interface to Bind for non-CLI admins. If ISPConfig is not the 'kiddie' for the job, I'm open to suggestion... Thank you in advance. Gavin.
Hi Till, When I add the following to my /etc/bind/named.conf my Bind DNS stops answering any queries. Any clues?

options {
    forwarders { 8.8.8.8; 8.8.4.4; };
};

Cheers, Gavin.
With forwarders enabled, I get nothing: I don't see errors and DNS doesn't function, clients just get DNS request timeouts. Without forwarders, local DNS queries are fine, but internet-bound queries are greeted with (in /var/log/syslog)

client ip.add.re.ss. query (cache) 'bbc.co.uk/A/IN' denied

which I would expect, as forwarders are not enabled.
Hi, This is the output I see when forwarders are enabled in my /etc/bind/named.conf file.

Extract from named.conf
-----------------------------
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

options {
    forwarders { 8.8.8.8; 8.8.4.4; };
};

Tail of log
------------------------------
Jul 1 12:11:01 s1-ns0-int named[4734]: adjusted limit on open files from 4096 to 1048576
Jul 1 12:11:01 s1-ns0-int named[4734]: found 1 CPU, using 1 worker thread
Jul 1 12:11:01 s1-ns0-int named[4734]: using up to 4096 sockets
Jul 1 12:11:01 s1-ns0-int named[4734]: loading configuration from '/etc/bind/named.conf'
Jul 1 12:11:01 s1-ns0-int named[4734]: /etc/bind/named.conf:12: 'options' redefined near 'options'
Jul 1 12:11:01 s1-ns0-int named[4734]: loading configuration: already exists
Jul 1 12:11:01 s1-ns0-int named[4734]: exiting (due to fatal error)
The named options are defined in the file /etc/bind/named.conf.options. So remove the options part that you added in the named.conf file and edit /etc/bind/named.conf.options instead: add or edit the forwarders line in that file inside the existing options part.
OK, with that done BIND loads cleanly again, however forwarded queries are dumped with /ispconfig/cron.log)

Jul 1 12:41:03 s1-ns0-int named[3107]: client 10.1.20.1#49339: query (cache) 'google.com/A/IN' denied
/etc/bind/named.conf
-------------------------
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

//options {
//forwarders { 8.8.8.8; 8.8.4.4; };
//};

/etc/bind/named.conf.options
----------------------------------
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders { 8.8.8.8;8.8.4.4; };

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
Hi Till, You have been very helpful so far, so much so that I took the time to invest in the ISPConfig manual in the hope that maybe I could glean my answers there. Unfortunately I cannot answer my outstanding query using the manual. I would be very appreciative if you could review my outstanding query regarding the forwarders. Thank you in advance, Gavin.
My guess is that there's already another options {} section somewhere else in your configuration, and that you should have defined forwarders {} there.
Thanks for the reply Falko, but I fail to see where this other options section that you refer to could be? I have purely followed the guide for building the perfect server on Ubuntu 11.04 and configured Bind for ISPConfig3, then tried to enable forwarders, nothing more. *Any* other clues or hints on where you think this might be would be very useful. Sadly I'm on the brink of ditching ISPConfig in favour of Bind & Webmin for my Admins, for the want of a small problem. Gavin.
Did you check all files that are included in /etc/bind/named.conf? If you use a chrooted BIND, there might be another named.conf that you have to look at (run

Code:
updatedb
locate named.conf

to find it).
Hi Falko, Sorry for the tardy response to your follow-up; other things took over and I'm only now revisiting this one. I still have a problem here which I cannot resolve. I followed your advice regarding 'updatedb' and 'locate' to find other instances of named.conf and there are no other instances; also bind is not chrooted.

So a little recap: My client machine (M$7) can query ISPConfig3 (Ubuntu 11.04, installed following the perfect server guide) for authoritative domains configured on the ISPConfig. If I query a non-authoritative domain, eg www.bbc.co.uk, my Win7 machine just gets Query Refused and a tail of /var/log/syslog shows

Code:
Sep 22 18:21:44 s1-ns0-int named[1512]: client 10.1.20.1#57759: query (cache) 'bbc.co.uk/A/IN' denied
Sep 22 18:21:44 s1-ns0-int named[1512]: client 10.1.20.1#57760: query (cache) 'bbc.co.uk/AAAA/IN' denied

This is example output from my desktop querying the ISPConfig, both an internal resource (my desktop) and then www.bbc.co.uk

Code:
C:\Users\GLowle>dig glowle.pageone.co.uk

; <<>> DiG 9.8.1b1 <<>> glowle.pageone.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26014
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;glowle.pageone.co.uk.          IN      A

;; ANSWER SECTION:
glowle.pageone.co.uk.   86400   IN      A       10.1.20.1

;; AUTHORITY SECTION:
pageone.co.uk.          86400   IN      NS      ns0-int.pageone.co.uk.
pageone.co.uk.          86400   IN      NS      ns1-int.pageone.co.uk.

;; ADDITIONAL SECTION:
ns0-int.pageone.co.uk.  86400   IN      A       192.168.103.100
ns1-int.pageone.co.uk.  86400   IN      A       192.168.103.101

;; Query time: 4 msec
;; SERVER: 192.168.103.100#53(192.168.103.100)
;; WHEN: Thu Sep 22 18:33:10 2011
;; MSG SIZE  rcvd: 130

C:\Users\GLowle>dig www.bbc.co.uk

; <<>> DiG 9.8.1b1 <<>> www.bbc.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 14178
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.bbc.co.uk.                 IN      A

;; Query time: 3 msec
;; SERVER: 192.168.103.100#53(192.168.103.100)
;; WHEN: Thu Sep 22 18:33:21 2011
;; MSG SIZE  rcvd: 31

C:\Users\GLowle>

This is my locate

Code:
toor@s1-ns0-int:~$ locate named.conf
/etc/bind/named.conf
/etc/bind/named.conf.default-zones
/etc/bind/named.conf.local
/etc/bind/named.conf.options
/usr/share/man/man5/named.conf.5.gz

This is my named.conf

Code:
toor@s1-ns0-int:~$ cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

//options {
//forwarders { 8.8.8.8; 8.8.4.4; };
//};

This is my named.conf.local

Code:
toor@s1-ns0-int:~$ cat /etc/bind/named.conf.local
zone "pageone.co.uk" {
    type master;
    allow-transfer {none;};
    file "/etc/bind/pri.pageone.co.uk";
};
zone "103.168.192.in-addr.arpa" {
    type master;
    allow-transfer {none;};
    file "/etc/bind/pri.103.168.192.in-addr.arpa";
};
zone "1.1.10.in-addr.arpa" {
    type master;
    allow-transfer {none;};
    file "/etc/bind/pri.1.1.10.in-addr.arpa";
};
zone "20.1.10.in-addr.arpa" {
    type master;
    allow-transfer {none;};
    file "/etc/bind/pri.20.1.10.in-addr.arpa";
};
zone "paging.org.uk" {
    type master;
    allow-transfer {none;};
    file "/etc/bind/pri.paging.org.uk";
};
zone "203.168.192.in-addr.arpa" {
    type master;
    allow-transfer {none;};
    file "/etc/bind/pri.203.168.192.in-addr.arpa";
};
zone "128.20.172.in-addr.arpa" {
    type master;
    allow-transfer {none;};
    file "/etc/bind/pri.128.20.172.in-addr.arpa";
};
zone "129.20.172.in-addr.arpa" {
    type master;
    allow-transfer {none;};
    file "/etc/bind/pri.129.20.172.in-addr.arpa";
};
zone "128.30.172.in-addr.arpa" {
    type master;
    allow-transfer {none;};
    file "/etc/bind/pri.128.30.172.in-addr.arpa";
};
zone "98.1.10.in-addr.arpa" {
    type master;
    allow-transfer {none;};
    file "/etc/bind/pri.98.1.10.in-addr.arpa";
};
zone "60.1.10.in-addr.arpa" {
    type master;
    allow-transfer {none;};
    file "/etc/bind/pri.60.1.10.in-addr.arpa";
};
zone "200.168.192.in-addr.arpa" {
    type master;
    allow-transfer {none;};
    file "/etc/bind/pri.200.168.192.in-addr.arpa";
};
zone "143.168.192.in-addr.arpa" {
    type master;
    allow-transfer {none;};
    file "/etc/bind/pri.143.168.192.in-addr.arpa";
};

This is my named.conf.options

Code:
toor@s1-ns0-int:~$ cat /etc/bind/named.conf.options
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders { 8.8.8.8;8.8.4.4; };

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};

I can quite happily perform non-authoritative lookups directly on the ISPConfig host though:

Code:
toor@s1-ns0-int:~$ dig www.bbc.co.uk

; <<>> DiG 9.7.3 <<>> www.bbc.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28664
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;www.bbc.co.uk.                 IN      A

;; ANSWER SECTION:
www.bbc.co.uk.          90      IN      CNAME   www.bbc.net.uk.
www.bbc.net.uk.         89      IN      A       212.58.246.94

;; AUTHORITY SECTION:
.                       74919   IN      NS      m.root-servers.net.
.                       74919   IN      NS      k.root-servers.net.
.                       74919   IN      NS      c.root-servers.net.
.                       74919   IN      NS      d.root-servers.net.
.                       74919   IN      NS      f.root-servers.net.
.                       74919   IN      NS      e.root-servers.net.
.                       74919   IN      NS      b.root-servers.net.
.                       74919   IN      NS      j.root-servers.net.
.                       74919   IN      NS      l.root-servers.net.
.                       74919   IN      NS      g.root-servers.net.
.                       74919   IN      NS      a.root-servers.net.
.                       74919   IN      NS      i.root-servers.net.
.                       74919   IN      NS      h.root-servers.net.

;; Query time: 49 msec
;; SERVER: 192.168.103.100#53(192.168.103.100)
;; WHEN: Thu Sep 22 18:30:48 2011
;; MSG SIZE  rcvd: 284

So, it's just my inbound client queries that get refused. If you need any other information please let me know. Kind regards, Gavin.
Take a look at http://erikimh.com/disable-recursion-in-bind/ . If you want to allow recursion, set

Code:
recursion yes;

in your named configuration.
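As an added example (not from this thread, and not configuration written by ISPConfig), here is a complete /etc/bind/named.conf.options that turns on recursion for internal clients only, keeps the forwarders inside the single options block, and leaves the authoritative zones answerable by everyone. The "internal" ACL name and the 10.1.20.0/24 and 192.168.103.0/24 ranges are assumptions taken from the addresses that appear in the thread.

```conf
// /etc/bind/named.conf.options (added example, not from the thread or ISPConfig)
// ACL name and internal ranges below are assumptions based on the thread's addresses.
acl "internal" {
    127.0.0.0/8;
    ::1;
    10.1.20.0/24;        // client network seen in the "query (cache) ... denied" log lines
    192.168.103.0/24;    // network the nameservers ns0-int/ns1-int sit on
};

options {
    directory "/var/cache/bind";

    // Weak form: a bare "recursion yes;" with no allow-recursion answers
    // recursive queries for anyone who can reach port 53, i.e. an open
    // resolver that can be abused for reflection/amplification and gives
    // outsiders a cache to poison. Restrict recursion to the internal ACL:
    recursion yes;
    allow-recursion { internal; };
    allow-query-cache { internal; };

    // Authoritative answers for the zones in named.conf.local stay public;
    // only recursion and cache access are limited.
    allow-query { any; };

    // Non-authoritative names go to these resolvers. "forward only" stops
    // named from falling back to the root servers if the forwarders are down.
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;

    // Cache-poisoning hardening: validate DNSSEC signatures on forwarded
    // answers. "auto" needs BIND 9.8 or later; on the 9.7.3 in this thread
    // use "dnssec-validation yes;" with explicitly configured trust anchors.
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
```

Run named-checkconf before reloading: the "'options' redefined" fatal error earlier in the thread came from a second options block in named.conf, so this must remain the only one across all included files.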
I also have a question concerning DNS and editing the bind9 files. In my ISPConfig setup, I used my ISP's nameservers (also listed in my interfaces), but I have my own nameservers. Is this correct? I'm also interested in securing my DNS from cache poisoning and things of that nature. Would I use my ISP's nameservers as forwarders here?