LinuxQuestions.org

Debian forum thread: https://www.linuxquestions.org/questions/debian-26/dig-mx-or-ping-not-working-because-of-bind9-516335/

alexxxis 01-04-2007 01:58 PM

"dig mx" or "ping" not working because of bind9?
 
Hi all,

I am running a Debian 3.1 server remotely and I have
set up Bind9 successfully for my domains.

But "dig mx hotmail.com" or "ping google" on my local server do not work, e.g.:
Code:

xyz:~# ping google.com
ping: unknown host google.com

I cannot edit the resolv.conf file,
not even using resolvconf. If I do it by hand
it changes itself back to the original.

# vi /etc/resolv.conf (symlink to /etc/resolvconf/run/resolv.conf)
Code:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#    DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
nameserver 206.251.228.22
nameserver 209.216.206.167
nameserver 206.251.228.24
search org

saman007uk has suggested adding forwarders in my
/etc/bind/named.conf.options and so I did, but
with no luck (it only worked initially while my
syntax was wrong and the bind server was broken,
so everything works fine when bind9 is stopped).

My config files follow.
Any help would be appreciated,
Alex


-----------------------------------------------------

/etc/bind/named.conf.options:

Code:

options {
        directory "/var/cache/bind";

        forwarders {
                206.251.228.22;
                206.251.228.24;
                209.216.206.167;
        };
        forward first;
        transfers-in 150;
       
        auth-nxdomain no;

        recursion no;
};



/etc/bind/named.conf:

Code:

include "/etc/bind/named.conf.options";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };

include "/etc/bind/named.conf.local";


saman007uk 01-05-2007 03:24 PM

I posted this in your other thread as well, but I think the following might fix it:

If your network interface is called eth0, then /etc/network/interfaces should have something like this:
Code:

auto eth0
iface eth0 inet static
        address x.x.x.x
        netmask x.x.x.x
        gateway x.x.x.x
        dns-nameservers [name servers here, separated by a space]
        dns-search [your domain name]

Then, as root:
Code:

resolvconf -u
When changing network options, make sure they are correct - if they are wrong, you could lose access to your server from the net (unless you have some sort of serial console ...).

alexxxis 01-06-2007 01:02 PM

The /etc/network/interfaces file appears to be fine;
it has all my nameservers and does not contain the
local address as a nameserver.

I managed to get the ping and dig mx working
by setting "recursion yes;" in the options clause.

I am not sure though if that is the right
way to go since http://www.dnsreport.com
when checking my server gives me:

FAIL: Open DNS servers
ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

and suggests to have recursion set to no

... so I think I need a different solution.
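The "open DNS server" test that dnsreport.com runs comes down to one question: if a stranger sends your server a query with the RD (recursion desired) bit set for a name you are not authoritative for, does the reply come back with the RA (recursion available) bit set and an answer? The script below is an added example, not code from the thread or from dnsreport: it builds that query by hand, parses the reply header, and classifies the server as open or closed. The two sample replies are constructed inline so the logic runs offline; the `probe_server` function (a name assumed here) sends the same query over UDP to a real host if you pass its address on the command line.

```python
"""Added example: how an "open DNS server" check works at the packet level.

The checker sends a recursion-desired query for a name the target server is
NOT authoritative for and inspects the reply header: RA set, rcode 0 and at
least one answer RR means the server recursed on a stranger's behalf.
Sample replies below are constructed (header only), not captured traffic.
"""
import socket
import struct
import sys

FLAG_RD = 0x0100      # recursion desired (set by the client)
FLAG_RA = 0x0080      # recursion available (set by the server)
RCODE_MASK = 0x000F   # low 4 bits of the flags word


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: header with RD set, one IN question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def classify_reply(reply: bytes, txid: int = 0x1234) -> str:
    """Classify a raw DNS reply as 'open', 'closed' or 'invalid'.

    Only the 12-byte header is needed: a server that refuses recursion
    answers with RA clear (BIND sends rcode REFUSED, 5, or a bare referral
    with no answer RRs); an open resolver sets RA and returns answers.
    """
    if len(reply) < 12:
        return "invalid"
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid:
        return "invalid"   # not a reply to our query
    rcode = flags & RCODE_MASK
    if flags & FLAG_RA and rcode == 0 and an > 0:
        return "open"      # recursed for us and answered
    return "closed"


def probe_server(server: str, qname: str = "www.example.com",
                 timeout: float = 3.0) -> str:
    """Send the query over UDP/53 to a real server (assumed reachable)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname), (server, 53))
        reply, _ = sock.recvfrom(512)
    except socket.timeout:
        return "invalid"
    finally:
        sock.close()
    return classify_reply(reply)


# Constructed sample replies (header only, no question/answer sections):
# QR|RD|RA, rcode 0, one answer RR -> the server recursed for a stranger.
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
# QR|RD, RA clear, rcode REFUSED (5), no answers -> recursion denied.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], "is", probe_server(sys.argv[1]))
    else:
        print("constructed open reply:   ", classify_reply(OPEN_REPLY))
        print("constructed refused reply:", classify_reply(REFUSED_REPLY))
```

Run it against your own server's public address from a host that is not in your allowed set; with the thread's "allow-recursion { 127.0.0.1; };" you should see "closed" (BIND answers REFUSED with RA clear), whereas the plain "recursion yes;" attempt gives "open".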

alexxxis 01-06-2007 02:45 PM

I added:

Code:

//recursion no;
allow-recursion { 127.0.0.1; };

and it works perfectly,
no need to edit resolv.conf.

Thanks saman007uk,
Alex

JimBass 01-06-2007 11:26 PM

That solution will work, but the accepted way of doing it is to configure "views" within bind.

If your server only gives answers for the domain(s) you are authoritative for, your method will work. If however, you have client machines using this DNS box as their DNS, they won't be able to resolve things like google.com and yahoo.com, as they aren't coming from the localhost address of 127.0.0.1.

Basically, you make an ACL list based on IP of the machines that should be allowed to ask for any address, either one of yours, or one off the internet. If the client machine is within the ACL, it can ask for and get an answer to anything. If it isn't on the ACL, then it can only get answers for the sites your box is authoritative for. Here's an example -

Code:

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind/README.Debian for information on the
// structure of BIND configuration files in Debian for BIND versions 8.2.1
// and later, *BEFORE* you customize this configuration file.
//
// Clients listed here may ask for anything; everyone else only gets
// answers for the zones this server is authoritative for.
acl mydomain {A.B.C.D/20;
              E.F.G.H/28;
              I.J.K.L/27;
              L.M.N.O/32;
              127.0.0.1;
              };

options {
        directory "/var/cache/bind";
        fetch-glue      no;    // BIND 8 option; BIND 9 treats it as obsolete
        allow-query { any; };
        allow-recursion { mydomain;};
};

That allows any machine coming from the mydomain list to get an answer to any question. That is accomplished with the allow-recursion { mydomain;}; line. The allow-query { any; }; line allows my server to give the IP addresses for mycompany.com and mail.mycompany as well as clientcompany1.org and clientcompany2.edu.

This will allow your machine to pass the open DNS test on dnsreport.com. You should be warned, however, that folks on the Bind mailing list blast that site often. They don't think it provides in-depth, accurate answers about the setup of your DNS box.

Peace,
JimBass
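The three configurations posted in this thread (the original "recursion no;", Alex's "allow-recursion { 127.0.0.1; };", and JimBass's ACL-based "allow-recursion { mydomain; };") differ only in a few lines of the options block, and it is easy to misread which one leaves the server open. The script below is an added example, not code from the thread or from ISC: a deliberately small audit that strips named.conf comments, pulls out the options and acl blocks with a brace matcher, expands ACL names, and reports whether the server will recurse for arbitrary clients. It is not a replacement for named-checkconf, which validates syntax but does not give this verdict. The sample configs are constructed from the ones in the thread, with RFC 5737 documentation addresses standing in for JimBass's A.B.C.D placeholders.

```python
"""Added example: audit a named.conf options block for open recursion.

Handles the constructs seen in this thread (options, acl, nested braces,
//, # and /* */ comments). It is not a full named.conf parser.
"""
import re


def strip_comments(text: str) -> str:
    """Remove /* */, // and # comments, all of which named.conf allows."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def block_body(text: str, open_idx: int) -> str:
    """Return the text between the brace at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def find_block(text: str, pattern: str):
    """Body of the first `<pattern> { ... }` block, or None if absent."""
    m = re.search(pattern + r"\s*\{", text)
    return block_body(text, m.end() - 1) if m else None


def split_list(body: str) -> list:
    """Split an address-match list body on ';' into its elements."""
    return [t.strip() for t in body.split(";") if t.strip()]


def parse_acls(text: str) -> dict:
    """Map every top-level `acl name { ... };` to its element list."""
    acls = {}
    for m in re.finditer(r"\bacl\s+\"?([\w-]+)\"?\s*\{", text):
        acls[m.group(1)] = split_list(block_body(text, m.end() - 1))
    return acls


def expand(items: list, acls: dict) -> list:
    """Replace ACL names with their contents (ACLs may nest)."""
    out = []
    for item in items:
        out.extend(expand(acls[item], acls) if item in acls else [item])
    return out


def audit_recursion(conf: str) -> dict:
    """Report the effective recursion policy of a named.conf text."""
    text = strip_comments(conf)
    acls = parse_acls(text)
    options = find_block(text, r"\boptions") or ""
    rec = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", options)
    recursion = rec.group(1) if rec else "yes"   # BIND's default is yes
    raw = find_block(options, r"\ballow-recursion")
    allowed = None if raw is None else expand(split_list(raw), acls)
    if recursion == "no":
        verdict = "closed: authoritative-only (recursion no)"
    elif allowed is None:
        # BIND 9.2/9.3 (the Debian 3.1 era) default allow-recursion to any;
        # 9.4 and later default to localnets; localhost. Flag the old default.
        verdict = "open: recursion yes with no allow-recursion (any on BIND < 9.4)"
    elif "any" in allowed:
        verdict = "open: allow-recursion { any; }"
    else:
        verdict = "restricted: recursion only for " + ", ".join(allowed)
    return {"recursion": recursion, "allow_recursion": allowed, "verdict": verdict}


# Constructed from the configurations quoted in the thread.
ORIGINAL = """
options {
        directory "/var/cache/bind";
        forwarders { 206.251.228.22; 206.251.228.24; 209.216.206.167; };
        forward first;
        recursion no;
};
"""
ALEX_FIX = """
options {
        directory "/var/cache/bind";
        forwarders { 206.251.228.22; 206.251.228.24; 209.216.206.167; };
        //recursion no;
        allow-recursion { 127.0.0.1; };
};
"""
JIMBASS_ACL = """
acl mydomain {192.0.2.0/24;   /* stand-in for A.B.C.D/20 */
              127.0.0.1;
              };
options {
        directory "/var/cache/bind";
        allow-query { any; };
        allow-recursion { mydomain;};
};
"""

if __name__ == "__main__":
    for name, conf in [("original", ORIGINAL), ("alex", ALEX_FIX), ("jimbass", JIMBASS_ACL)]:
        print(f"{name:9s} {audit_recursion(conf)['verdict']}")
```

The "restricted" verdict is what both Alex's and JimBass's configs produce; the difference the audit makes visible is the allowed list, which is the set of clients that will still be able to resolve google.com through this box.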

