I started to draw up an acl, with all those addresses in, as I had previously, but then put them in "bare" when trying to test what was happening. I couldn't see the point of the restricted queries on an authoritative server. Seemed daft. But it was suggested that specifically naming the slaves while trying it out would be a sensible move ????? The forwarding was something I have always had. That's easily removed. as with the allow queries.Let me try that nowOn Tue, 23 Jul 2019 at 22:28, Andy Smith <andy@bitfolk.com> wrote:Hi Keith,
On Tue, Jul 23, 2019 at 10:06:20PM +0100, Keith Williams wrote:
> So you will need to see the conf files
> /etc/bind/named.conf.local
>
> // Consider adding the 1918 zones here, if they are not used in your
> // organization
> include "/etc/bind/zones.rfc1918";
>
> zone "keiths-place.co.uk" {
> type master;
> file "/var/lib/bind/keiths-place.co.uk.hosts";
> allow-query {
> 85.119.84.35;
> 85.119.80.222;
> 2001:ba8:1f1:f085::53;
> 2600:3c01:e000:259::53;
> 45.33.107.124;
> 172.104.29.216;
> 2600:3c03::31:2153;
> 2001:ba8:1f1:f309::2;
> 127.0.0.1;
> };
> check-names warn;
> notify yes;
> };
I am confused as to why you are trying to limit who can query your
zone when you are running an authoritative server. I get that you
only have the BitFolk nameservers listed at the registry, but
blocking queries makes debugging harder.
> Named.conf
> acl slaves {
> 85.119.84.35; 2001:ba8:1f1:f309::2;
> };
Nothing appears to reference this acl as far as I can see.
> // This is the primary configuration file for the BIND DNS server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
> // structure of BIND configuration files in Debian, *BEFORE* you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in
> /etc/bind/named.conf.local
>
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
>
> and finally named.conf.options
>
> options {
> directory "/var/cache/bind";
>
> // If there is a firewall between you and nameservers you want
> // to talk to, you may need to fix the firewall to allow multiple
> // ports to talk. See http://www.kb.cert.org/vuls/id/800113
>
> // If your ISP provided one or more IP addresses for stable
> // nameservers, you probably want to use them as forwarders.
> // Uncomment the following block, and insert the addresses replacing
> // the all-0's placeholder.
>
> forwarders {
> 8.8.8.8;
> };
Why are you forwarding queries anywhere? This is an authoritative
server; it should only be receiving queries for the zones you've put
in it, so no need for forwarders.
> allow-query {
> 85.119.84.35; 2001:ba8:1f1:f309::2;
> };
Down here again you are restricting queries. I am not sure whether
this global option overrides the one in the zone, as well - probably
not. But why is it even here?
> also-notify {
> 85.119.84.35; 2001:ba8:1f1:f309::2;
> };
> notify yes;
> forward first;
I am a bit concerned about the effect of "forward first" on an auth
DNS server…
And as Antony mentioned I don't see any allow-transfer. In my
named.conf.options I have an
allow-transfer {
a;
list;
of;
acl;
names;
};
which match all the servers I want to be allowed to do transfers.
Your previous config must have similar, right?
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users