[Solved]setup dns-server - getting nxdomain error


Postby hviaene » Oct 9th, '23, 15:34

Every time I want to setup a dns-server (bind) I run into problems trying to configure the zones. My problem is that there are too many ways of attacking this and too many similar files and folders.
I can use MCC to define a dns server and add records, but I have no idea which config files it writes to. The same goes for webmin.
I find the following locations where the named.conf and the zone files might be located: /etc/named /var/named and /var/lib/named.
Webmin configures the zone files OK, but the link named.conf to those files is inconsistent.
I got as far as having the named service run OK, no errors when it starts, but when I do an nslookup as a normal user on the same machine, it reports the server but throws the error "can't find XXXX: NXDOMAIN".
The most annoying is that I have the DNS-server working correctly on my M8 desktop for daily use, but I fail on my M9 testing laptop. I've been trying to get the difference between the two machines by comparing files and folders, but I get nowhere as I find the similar mess of files and folders in the M8, and I won't touch that one as it works OK and I have no idea why or how I got that far.
Is there somewhere a clear explanation on this subject?
Last edited by hviaene on Oct 12th, '23, 16:19, edited 1 time in total.
hviaene
 
Posts: 148
Joined: Oct 11th, '13, 10:41

Re: setup dns-server - getting nxdomain error

Postby doktor5000 » Oct 9th, '23, 16:35

You may want to provide some actual details (anonymised) what zone you configured, what you actually query with nslookup and what your /etc/resolv.conf contains and /etc/nsswitch.conf for the hosts database.
Also the output of
Code:
named-checkzone
for your zone, if it returns any errors or warnings.

Apart from that, for some hints maybe look at https://wiki.mageia.org/en/Virtual_Machine_networking for some examples how to configure bind.
And keep in mind that it runs chrooted by default on Mageia, check e.g. /usr/lib/systemd/system/named.service and /usr/sbin/setup-named-chroot.sh
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 18054
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: setup dns-server - getting nxdomain error

Postby hviaene » Oct 9th, '23, 16:58

Code:
# named-checkzone <domain>

Just hangs, no feedback, does not terminate
Code:
# more /etc/resolv.conf
# $Id: resolv.conf 105891 2006-06-02 23:25:57Z othauvin $
# Basic resolv.conf

# search domain

# nameserver 127.0.0.1
# nameserver 127.0.0.1
# nameserver 127.0.0.1
search <domain>
nameserver <localIP>
nameserver <internetprovider>



Code:
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid databases are: aliases, ethers, group, gshadow, hosts,
# initgroups, netgroup, networks, passwd, protocols, publickey,
# rpc, services, and shadow.
#
# Valid service provider entries include (in alphabetical order):
#
#       compat                  Use /etc files plus *_compat pseudo-db
#       db                      Use the pre-processed /var/db files
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files in /etc
#       hesiod                  Use Hesiod (DNS) for user lookups
#
# For more information, please read the nsswitch.conf.5 manual page.
#
# Commonly used alternative service providers (may need installation):
#
#       ldap                    Use LDAP directory server
#       myhostname              Use systemd host names
#       mymachines              Use systemd machine names
#       mdns*, mdns*_minimal    Use Avahi mDNS/DNS-SD
#       resolve                 Use systemd resolved resolver
#       sss                     Use System Security Services Daemon (sssd)
#       systemd                 Use systemd for dynamic user option
#       winbind                 Use Samba winbind support
#       wins                    Use Samba wins support
#       wrapper                 Use wrapper module for testing
#       [NOTFOUND=return]       Stop searching if not found so far
#
# Notes:
#
# 'sssd' performs its own 'files'-based caching, so it should generally
# come before 'files'.
#
# WARNING: Running nscd with a secondary caching service like sssd may
#          lead to unexpected behaviour, especially with how long
#          entries are cached.
#
# Installation instructions:
#
# To use 'db', install the appropriate package(s) (provide 'makedb' and
# libnss_db.so.*), and place the 'db' in front of 'files' for entries
# you want to be looked up first in the databases, like this:
#
# passwd:    db files
# shadow:    db files
# group:     db files

passwd:      files
shadow:      files
group:      files

hosts:      mdns4_minimal files nis dns mdns4 myhostname
networks:   files dns

services:   files
protocols:   files
rpc:      files
ethers:      files
netmasks:   files
netgroup:   files
publickey:   files

bootparams:   files
automount:   files
aliases:   files


Code:
$ nslookup <FQDN>
Server:      <localIP>
Address:   <localIP>#53

** server can't find <FQDN>: NXDOMAIN


I'll do the advised reading.
Last edited by doktor5000 on Oct 9th, '23, 18:04, edited 1 time in total.
Reason: added code tags
hviaene
 
Posts: 148
Joined: Oct 11th, '13, 10:41

Re: setup dns-server - getting nxdomain error

Postby doktor5000 » Oct 9th, '23, 18:07

Please use code tags next time, thanks in advance.

How did you actually start named and is it currently listening on <localIP> ?
Also, for <FQDN> that you query with nslookup, as you didn't show anything from the zone, are you really sure that this is actually contained in your zone as A entry and would it match shortname.<domain> from your example ?
doktor5000
 
Posts: 18054
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: setup dns-server - getting nxdomain error

Postby hviaene » Oct 10th, '23, 10:18

Code:
[root@mach7 ~]# systemctl start named
[root@mach7 ~]# systemctl -l status named
● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; preset: disabled)
     Active: active (running) since Tue 2023-10-10 10:01:15 CEST; 4min 51s ago
    Process: 1347 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "Che>
    Process: 1445 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 1520 (named)
      Tasks: 6 (limit: 4317)
     Memory: 15.6M
        CPU: 1.963s
     CGroup: /system.slice/named.service
             └─1520 /usr/sbin/named -u named -c /etc/named.conf

Oct 10 10:03:29 mach7.hviaene.thuis named[1520]: network unreachable resolving 'ns23.digicertdns.net/A/IN': 2600:1802:14::1:1f#53
Oct 10 10:03:29 mach7.hviaene.thuis named[1520]: network unreachable resolving 'ns23.digicertdns.net/A/IN': 2600:1801:13::1:1f#53
Oct 10 10:03:29 mach7.hviaene.thuis named[1520]: network unreachable resolving 'ns23.digicertdns.net/AAAA/IN': 2600:1801:13::1:1f#53
Oct 10 10:03:29 mach7.hviaene.thuis named[1520]: network unreachable resolving 'ns23.digicertdns.net/A/IN': 2600:1802:12::1:1f#53
Oct 10 10:03:29 mach7.hviaene.thuis named[1520]: network unreachable resolving 'ns23.digicertdns.net/AAAA/IN': 2600:1800:15::1:1f#53
Oct 10 10:03:29 mach7.hviaene.thuis named[1520]: network unreachable resolving 'ns23.digicertdns.net/AAAA/IN': 2600:1802:12::1:1f#53
Oct 10 10:03:30 mach7.hviaene.thuis named[1520]: network unreachable resolving '_.2be4.phicdn.net/A/IN': 2606:2800:1::5#53
Oct 10 10:03:30 mach7.hviaene.thuis named[1520]: network unreachable resolving '_.2be4.phicdn.net/A/IN': 2606:2800:e::5#53
Oct 10 10:03:30 mach7.hviaene.thuis named[1520]: network unreachable resolving '_.2be4.phicdn.net/A/IN': 2606:2800:e::6#53
Oct 10 10:03:30 mach7.hviaene.thuis named[1520]: network unreachable resolving '_.2be4.phicdn.net/A/IN': 2606:2800:1::6#53


Code:
[root@mach7 etc]# more hviaene.thuis.hosts
$ttl 3600
hviaene.thuis.   IN   SOA   mach7.hviaene.thuis. herman\.viaene.hotmail.be. (
         2023100601
         3600
         600
         1209600
         3600 )
hviaene.thuis.   IN   NS   mach7.hviaene.thuis.
mach2   IN   A   192.168.2.2
mach3   IN   A   192.168.2.3
mach7   IN   A   192.168.2.7


Code:
[root@mach7 etc]# more 192.168.2.rev
$ttl 3600
2.168.192.in-addr.arpa.   IN   SOA   mach7.hviaene.thuis. herman\.viaene.hotmail.be. (
         2023100904
         3600
         600
         1209600
         3600 )
2.168.192.in-addr.arpa.   IN   NS   mach7.hviaene.thuis.
2.2.168.192   IN   PTR   mach2.hviaene.thuis
3.2.168.193   IN   PTR   mach3.hviaene.thuis
7.2.168.197   IN   PTR   mach7.hviaene.thuis


Code:
[tester9@mach7 ~]$ nslookup mach2
Server:      192.168.2.7
Address:   192.168.2.7#53

Name:   mach2.hviaene.thuis
Address: 192.168.2.2

[tester9@mach7 ~]$ nslookup 192.168.2.2
** server can't find 2.2.168.192.in-addr.arpa: NXDOMAIN


As you can see, I made some progress, but still not completely.

and the /etc/named.conf
Code:
//
// named.conf
//
// Provided by Mageia bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
   listen-on port 53 { 127.0.0.1; };
   listen-on port 53 { 192.168.2.7; };
//   listen-on-v6 port 53 { ::1; };
   directory    "/var/named";
   dump-file    "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
   memstatistics-file "/var/named/data/named_mem_stats.txt";
   secroots-file   "/var/named/data/named.secroots";
   recursing-file   "/var/named/data/named.recursing";
   allow-query     { localhost; 192.168.2.0/24; };
   
   /*
    - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
    - If you are building a RECURSIVE (caching) DNS server, you need to enable
      recursion.
    - If your recursive DNS server has a public IP address, you MUST enable access
      control to limit queries to your legitimate users. Failing to do so will
      cause your server to become part of large scale DNS amplification
      attacks. Implementing BCP38 within your network would greatly
      reduce such attack surface
   */
   recursion yes;

   dnssec-validation yes;

   managed-keys-directory "/var/named/dynamic";
   geoip-directory "/usr/share/GeoIP";

   pid-file "/run/named/named.pid";
   session-keyfile "/run/named/session.key";

   /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
   include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
   type hint;
   file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "hviaene.thuis" {
   type master;
   file "/etc/hviaene.thuis.hosts";
   };

zone "2.168.192.in-addr.arpa" {
   type master;
   file "/etc/192.168.2.rev";
   };
Last edited by doktor5000 on Oct 10th, '23, 19:42, edited 1 time in total.
Reason: fixed code tags
hviaene
 
Posts: 148
Joined: Oct 11th, '13, 10:41

Re: setup dns-server - getting nxdomain error

Postby doktor5000 » Oct 10th, '23, 19:57

Well, your zone files seem slightly mixed. For the A entries you do not provide the FQDN; for the PTR entries you refer to the FQDN for the A entries, which do not actually exist in your zone, strictly speaking.

Also the zone name seems to be wrong, it should be 2.168.192.in-addr.arpa and you should probably also use that as filename, and then you only need to provide the last octet of the IP addresses for the PTR records.

See e.g. https://access.redhat.com/documentation ... ne-reverse for some examples or maybe https://bind9.readthedocs.io/en/v9.18.1 ... ng-in-ipv4
doktor5000
 
Posts: 18054
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: setup dns-server - getting nxdomain error

Postby hviaene » Oct 12th, '23, 16:18

Looking at the redhat page you suggested, I changed 3 things:
in the zone file I deleted the line reading "hviaene.thuis. IN NS mach7.hviaene.thuis." just above the list of A records;
in the reverse file I deleted the line "2.168.192.in-addr.arpa. IN NS mach7.hviaene.thuis." just above the IN records;
in the reverse file I replaced the full IPv4 addresses with the <last-IP-digit>.
Restarted named and all nslookups work OK.
Thanks a lot, I'll bookmark that redhat page.
hviaene
 
Posts: 148
Joined: Oct 11th, '13, 10:41
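Added illustration, not part of the thread and not BIND's own code: a small Python model of the zone-file qualification rule (a name without a trailing dot is relative and gets the zone origin appended) applied to the reverse zone exactly as posted above and to a constructed corrected version. The function names (parse_zone, lookup, suspicious_ptr_owners) and the bumped serial in the corrected zone are my own. Run against the posted file it shows the owner "2.2.168.192" being qualified to 2.2.168.192.2.168.192.in-addr.arpa., so the name the resolver asked for, 2.2.168.192.in-addr.arpa., has no record, which is the NXDOMAIN seen in the thread; the same rule is why the relative owner "mach2" in the forward zone worked.

```python
"""Minimal model of how BIND qualifies names in a zone file, applied to the
reverse zone from this thread. Added illustration code, not BIND's code and
not from the original posts. POSTED_REVERSE is copied from the thread;
CORRECTED_REVERSE is constructed (last octet as owner, serial bumped)."""

POSTED_REVERSE = r"""
$ttl 3600
2.168.192.in-addr.arpa.   IN   SOA   mach7.hviaene.thuis. herman\.viaene.hotmail.be. (
         2023100904
         3600
         600
         1209600
         3600 )
2.168.192.in-addr.arpa.   IN   NS   mach7.hviaene.thuis.
2.2.168.192   IN   PTR   mach2.hviaene.thuis
3.2.168.193   IN   PTR   mach3.hviaene.thuis
7.2.168.197   IN   PTR   mach7.hviaene.thuis
"""

# Constructed fix: owner is the last octet only, targets are dot-terminated.
CORRECTED_REVERSE = r"""
$TTL 3600
@   IN  SOA  mach7.hviaene.thuis. herman\.viaene.hotmail.be. (
        2023100905 3600 600 1209600 3600 )
    IN  NS   mach7.hviaene.thuis.
2   IN  PTR  mach2.hviaene.thuis.
3   IN  PTR  mach3.hviaene.thuis.
7   IN  PTR  mach7.hviaene.thuis.
"""

NAME_VALUED = ("NS", "PTR", "CNAME")   # record types whose rdata is a name

def absolute(name):
    """Lower-case a name and make sure it ends with the root dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def qualify(name, origin):
    """The zone-file rule: '@' is the origin, a dot-terminated name is
    absolute, anything else gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return name.lower() + "." + origin

def parse_zone(text, origin):
    """Return (owner, type, rdata) triples with owners and name-valued rdata
    fully qualified. Handles $TTL, $ORIGIN, ';' comments, a multi-line SOA in
    parentheses and lines with the owner omitted; not a full RFC 1035 parser."""
    origin = absolute(origin)
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:                       # logical line complete
            logical.append(" ".join(buf))
            buf = []
    records, last_owner = [], origin
    for line in logical:
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "$ttl":
            continue
        if directive == "$origin":
            origin = qualify(tokens[1], origin)
            continue
        if line[0].isspace():                # owner omitted: reuse previous
            owner = last_owner
        else:
            owner = last_owner = qualify(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                    # optional TTL and class
        rtype = tokens.pop(0).upper()
        rdata = " ".join(tokens)
        if rtype in NAME_VALUED:
            rdata = qualify(rdata, origin)   # targets are subject to the same rule
        records.append((owner, rtype, rdata))
    return records

def lookup(records, qname, rtype):
    """Rdata of all records matching name and type; [] models NXDOMAIN."""
    qname = absolute(qname)
    return [rd for o, rt, rd in records if o == qname and rt == rtype]

def suspicious_ptr_owners(records, origin):
    """In a /24 reverse zone a PTR owner is exactly one label under the
    origin; a longer owner means a full address was written without the
    trailing dot and had the origin appended a second time."""
    origin = absolute(origin)
    want = origin.count(".") + 1
    return [o for o, rt, _ in records if rt == "PTR" and o.count(".") != want]

if __name__ == "__main__":
    rev = "2.168.192.in-addr.arpa"
    for label, text in (("posted", POSTED_REVERSE), ("corrected", CORRECTED_REVERSE)):
        recs = parse_zone(text, rev)
        print(label, "PTR:", lookup(recs, "2.2.168.192.in-addr.arpa", "PTR"))
        print(label, "misqualified owners:", suspicious_ptr_owners(recs, rev))
```

The real tool makes the same thing visible: named-checkzone -D 2.168.192.in-addr.arpa /etc/192.168.2.rev dumps the zone with every owner name fully qualified, so a doubled origin stands out immediately, and the utility needs both the zone name and the file path as arguments.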

