Re: [bitfolk] BIND9 not authorised - Master zone

Author: Andy Smith
Date:  
To: users
Subject: Re: [bitfolk] BIND9 not authorised - Master zone

gpg: Signature made Tue Jul 23 21:28:07 2019 UTC
gpg: using DSA key 2099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
Hi Keith,

On Tue, Jul 23, 2019 at 10:06:20PM +0100, Keith Williams wrote:
> So you will need to see the conf files
> /etc/bind/named.conf.local
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> include "/etc/bind/zones.rfc1918";
>
> zone "keiths-place.co.uk" {
>         type master;
>         file "/var/lib/bind/keiths-place.co.uk.hosts";
>         allow-query {
>                 85.119.84.35;
>                 85.119.80.222;
>                 2001:ba8:1f1:f085::53;
>                 2600:3c01:e000:259::53;
>                 45.33.107.124;
>                 172.104.29.216;
>                 2600:3c03::31:2153;
>                 2001:ba8:1f1:f309::2;
>                 127.0.0.1;
>                 };
>         check-names warn;
>         notify yes;
>         };


I am confused as to why you are trying to limit who can query your
zone when you are running an authoritative server. I get that you
only have the BitFolk nameservers listed at the registry, but
blocking queries makes debugging harder.

> Named.conf
> acl slaves {
>         85.119.84.35; 2001:ba8:1f1:f309::2;
>         };


Nothing appears to reference this acl as far as I can see.

> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in
> // /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> and finally named.conf.options
>
>  options {
>         directory "/var/cache/bind";
>
>         // If there is a firewall between you and nameservers you want
>         // to talk to, you may need to fix the firewall to allow multiple
>         // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
>
>         // If your ISP provided one or more IP addresses for stable
>         // nameservers, you probably want to use them as forwarders.
>         // Uncomment the following block, and insert the addresses replacing
>         // the all-0's placeholder.
>
>          forwarders {
>                 8.8.8.8;
>          };


Why are you forwarding queries anywhere? This is an authoritative
server; it should only be receiving queries for the zones you've put
in it, so no need for forwarders.

>         allow-query {
>                 85.119.84.35; 2001:ba8:1f1:f309::2;
>                 };


Down here again you are restricting queries. I am not sure whether
this global option overrides the one in the zone, as well - probably
not. But why is it even here?

>         also-notify {
>                 85.119.84.35; 2001:ba8:1f1:f309::2;
>                 };
>         notify yes;
>         forward first;


I am a bit concerned about the effect of "forward first" on an auth
DNS server…

And as Antony mentioned I don't see any allow-transfer. In my
named.conf.options I have an

allow-transfer {
    a;
    list;
    of;
    acl;
    names;
};


which match all the servers I want to be allowed to do transfers.

Your previous config must have similar, right?

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
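For reference, here is one way the two files could look once the points raised in this thread are applied (open queries, no forwarding, the `slaves` acl actually referenced by `allow-transfer`, and the same hosts in `also-notify`). This is an added example, not Keith's or Andy's own configuration; the addresses and paths are the ones quoted in the thread, and `recursion no` is an assumption that goes one step further than the thread, since an authoritative-only server has no reason to resolve on anyone's behalf.

```conf
// /etc/bind/named.conf.options  (authoritative-only server)

// The secondaries listed at the registry. Defined once, referenced below.
acl slaves {
        85.119.84.35; 2001:ba8:1f1:f309::2;
};

options {
        directory "/var/cache/bind";

        // Authoritative data is meant to be public: restricting allow-query
        // only breaks resolvers and makes debugging harder.
        allow-query { any; };

        // No forwarders and no "forward first": this server answers only for
        // its own zones, so recursion is switched off entirely (assumption).
        recursion no;

        // Zone transfers are limited to the secondaries, and those same hosts
        // are told about changes.
        allow-transfer { slaves; };
        also-notify { 85.119.84.35; 2001:ba8:1f1:f309::2; };
        notify yes;
};

// /etc/bind/named.conf.local

// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";

// No per-zone allow-query: the global { any; } applies.
zone "keiths-place.co.uk" {
        type master;
        file "/var/lib/bind/keiths-place.co.uk.hosts";
        check-names warn;
};
```

Run `named-checkconf -z` after editing to have BIND parse both files and load the zone before reloading, and confirm with `dig @127.0.0.1 keiths-place.co.uk SOA` that the answer carries the `aa` flag.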