"dig mx" or "ping" not working because of bind9?
Hi all,
I am running a Debian 3.1 server remotely and I have set up Bind9 successfully for my domains. But "dig mx hotmail.com" or "ping google" on my local server does not work, e.g.:
Code:
xyz:~# ping google.com
Not even using resolvconf... if I do it by hand it changes itself back to the original.
# vi /etc/resolv.conf (symlink to /etc/resolvconf/run/resolv.conf)
Code:
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
/etc/bind/named.conf.options and so I did... but with no luck (it just worked initially while my syntax was wrong and the bind server was broken... so all works fine when bind9 is stopped). My config files follow. Any help would be appreciated,
Alex
-----------------------------------------------------
/etc/bind/named.conf.options:
Code:
options {
/etc/bind/named.conf:
Code:
include "/etc/bind/named.conf.options";
I posted this in your other thread as well, but I think the following might fix it:
If your network interface is called eth0, then /etc/network/interfaces should have something like this:
Code:
auto eth0
Code:
resolvconf -u
The /etc/network/interfaces file appears to be fine.
It has all my nameservers and does not contain the local address as a nameserver. I managed to get the ping and dig mx working by setting "recursion yes;" in the options clause. I am not sure though if that is the right way to go, since http://www.dnsreport.com when checking my server gives me:

FAIL: Open DNS servers
ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

and suggests setting recursion to no... so I think I need a different solution.
I added:
Code:
//recursion no;
No need to edit resolv.conf. Thanks saman007uk,
Alex
That solution will work, but the accepted way of doing it is to configure "views" within bind.
If your server only gives answers for the domain(s) you are authoritative for, your method will work. If however you have client machines using this DNS box as their DNS, they won't be able to resolve things like google.com and yahoo.com, as they aren't coming from the localhost address of 127.0.0.1. Basically, you make an ACL based on the IPs of the machines that should be allowed to ask for any address, either one of yours or one off the internet. If the client machine is within the ACL, it can ask for and get an answer to anything. If it isn't on the ACL, then it can only get answers for the sites your box is authoritative for. Here's an example:
Code:
// This is the primary configuration file for the BIND DNS server named.
This will allow your machine to pass the open DNS test on dnsreport.com. You should be warned, however, that folks on the Bind mailing list blast that site often. They don't think it provides in-depth accurate answers about the setup of your DNS box.
Peace,
JimBass
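The ACL-plus-views layout JimBass describes, written out as a complete example named.conf. This is an added example, not the configuration from any post in this thread: the ACL name "trusted", the 192.0.2.0/24 client range, the zone "example.com" and its zone file are placeholders, and the /etc/bind/db.root, db.local and db.127 files are the ones Debian's bind9 package installs. Both "acl"/"allow-recursion" and "view" are standard BIND 9 syntax.

```conf
// /etc/bind/named.conf  (example; placeholders noted in the lead-in)

// Hosts allowed to ask this server to resolve names it is not
// authoritative for: the box itself (resolv.conf -> nameserver 127.0.0.1)
// and an assumed LAN that uses it as a resolver.
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;       // assumption: replace with your client network
};

options {
    directory "/var/cache/bind";
    auth-nxdomain no;   // conform to RFC1035 (Debian default)
    // Default for any view that does not override it. This is what
    // makes the server *not* an open resolver for the rest of the world.
    recursion no;
};

// Views are matched in order, first match wins.

// Internal view: "trusted" clients get full recursive service plus the
// zones we are authoritative for. The root hints live here, since only
// this view ever needs to walk the tree.
view "internal" {
    match-clients { trusted; };
    recursion yes;

    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };
    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };
    zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
    };
    zone "example.com" {                    // assumption: your own domain
        type master;
        file "/etc/bind/db.example.com";    // assumption: your zone file
    };
};

// External view: everyone else. No recursion, hence no cache to poison
// and no amplification for spoofed queries; only our own zone is served.
view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com";
    };
};
```

Two things to watch when moving to this from Debian's stock layout: once a single "view" statement exists, every zone statement in the file (including the localhost and 127 reverse zones that the stock named.conf and named.conf.local define) has to live inside a view, or named will refuse to load; and the server's own /etc/resolv.conf must point at 127.0.0.1 so that it lands in the "trusted" ACL. Run named-checkconf before restarting, then compare dig @127.0.0.1 mx hotmail.com from the box (answered, "ra" flag set) with the same query sent to the server's public address from an outside host (REFUSED, no "ra" flag). If you do not need two different sets of zones, the smaller change that achieves the same open-resolver result is to keep a single configuration with "recursion yes;" and add "allow-recursion { trusted; };" to the options block.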