I started to draw up an acl, with all those addresses
in, as I had
previously, but then put them in "bare" when trying to test what was
happening. I couldn't see the point of the restricted queries on an
authoritative server. Seemed daft. But it was suggested that specifically
naming the slaves while trying it out would be a sensible move ????? The
forwarding was something I have always had. That's easily removed. as with
the allow queries.
Let me try that now
On Tue, 23 Jul 2019 at 22:28, Andy Smith <andy(a)bitfolk.com> wrote:
Hi Keith,
On Tue, Jul 23, 2019 at 10:06:20PM +0100, Keith Williams wrote:
So you will need to see the conf files
/etc/bind/named.conf.local
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";
zone "keiths-place.co.uk" {
type master;
file "/var/lib/bind/keiths-place.co.uk.hosts";
allow-query {
85.119.84.35;
85.119.80.222;
2001:ba8:1f1:f085::53;
2600:3c01:e000:259::53;
45.33.107.124;
172.104.29.216;
2600:3c03::31:2153;
2001:ba8:1f1:f309::2;
127.0.0.1;
};
check-names warn;
notify yes;
};
I am confused as to why you are trying to limit who can query your
zone when you are running an authoritative server. I get that you
only have the BitFolk nameservers listed at the registry, but
blocking queries makes debugging harder.
Named.conf
acl slaves {
85.119.84.35; 2001:ba8:1f1:f309::2;
};
Nothing appears to reference this acl as far as I can see.
// This is the primary configuration file for the
BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on
the
// structure of BIND configuration files in
Debian, *BEFORE* you
customize
// this configuration file.
//
// If you are just adding zones, please do that in
/etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
and finally named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow
multiple
// ports to talk. See
http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses
replacing
// the all-0's placeholder.
forwarders {
8.8.8.8;
};
Why are you forwarding queries anywhere? This is an authoritative
server; it should only be receiving queries for the zones you've put
in it, so no need for forwarders.
allow-query {
85.119.84.35; 2001:ba8:1f1:f309::2;
};
Down here again you are restricting queries. I am not sure whether
this global option overrides the one in the zone, as well - probably
not. But why is it even here?
also-notify {
85.119.84.35; 2001:ba8:1f1:f309::2;
};
notify yes;
forward first;
I am a bit concerned about the effect of "forward first" on an auth
DNS server…
And as Antony mentioned I don't see any allow-transfer. In my
named.conf.options I have an
allow-transfer {
a;
list;
of;
acl;
names;
};
which match all the servers I want to be allowed to do transfers.
Your previous config must have similar, right?
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users