
Secondary DNS

rmueller58
Valued Contributor

We are rebuilding a secondary BIND server on a temporary box in order to migrate from BIND 9.2.1 to 9.3.2. Our current box is running RH9 with BIND 9.2.1.

I've loaded Fedora FC6 with BIND 9.3.2 on a temporary box.

I am able to get BIND 9.3.2 to start, and RNDC sees the zone files.

I have it set up in /var/named/chroot with a symbolic link from /var/named/chroot/etc/named.conf to /etc/named.conf.

I do an RNDC STATUS and see it is reading the zone files:

number of zones: 239
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 2
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running

When I query the zone via NSLOOKUP or DIG I get a SERVFAIL:

;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10654
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

My primary server's named.conf has the allow-transfer { secondary; secondary-temp; }; directive.

My temp named.conf has the following in the header:

options {
directory "/etc";
allow-transfer { primary-address; };
allow-query { any; };
// query-source address * port 53;
};

controls {

Here is what is being seen in /var/log/messages:

Dec 19 13:39:50 esutemp kernel: audit(1166553590.778:6905): avc: denied { write } for pid=19878 comm="named" name="secondary" dev=dm-0 ino=6547817 scontext=root:system_r:named_t:s0 tcontext=root:object_r:named_conf_t:s0 tclass=dir
Dec 19 13:39:50 esutemp named[19877]: zone waterloo/IN: loading master file secondary/waterloo: permission denied

Dec 19 13:59:10 esutemp named[20107]: zone ben.esu3.k12.ne.us/IN: ben_node85.ben.esu3.k12.ne.us/A: bad owner name (check-names)
..
..
Dec 19 13:59:14 esutemp named[20107]: zone 236.202.205.in-addr.arpa/IN: zone transfer deferred due to quota

On ad nauseam.

Any insight appreciated..
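As an added example (not from the original post), here is a small Python triage script for the kinds of /var/log/messages lines quoted above: it classifies the SELinux AVC denial, the "permission denied" slave-file load, the check-names warnings (both formats that appear in this thread) and the transfer-quota deferral, and maps each to what it points at in a chrooted BIND 9 slave. The sample lines are constructed from the thread's excerpts; the category names and hints are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, modelled on the /var/log/messages excerpts quoted in this thread.
SAMPLE_LOG = [
    'Dec 19 13:39:50 esutemp kernel: audit(1166553590.778:6905): avc: denied { write } for pid=19878 comm="named" name="secondary" dev=dm-0 ino=6547817 scontext=root:system_r:named_t:s0 tcontext=root:object_r:named_conf_t:s0 tclass=dir',
    'Dec 19 13:39:50 esutemp named[19877]: zone waterloo/IN: loading master file secondary/waterloo: permission denied',
    'Dec 19 13:59:10 esutemp named[20107]: zone ben.esu3.k12.ne.us/IN: ben_node85.ben.esu3.k12.ne.us/A: bad owner name (check-names)',
    'Dec 19 14:48:32 nstemp named[20352]: secondary/azonefile.org:236: dcw_node89.azonefile.org: bad owner name (check-names)',
    'Dec 19 13:59:14 esutemp named[20107]: zone 236.202.205.in-addr.arpa/IN: zone transfer deferred due to quota',
    'Dec 19 14:00:00 esutemp named[20107]: running',
]

# (category, regex); the named groups carry the detail worth reporting.
RULES = [
    ("selinux_denial", re.compile(r'avc: +denied +\{ (?P<perm>\w+) \}.*comm="named".*name="(?P<name>[^"]+)".*tcontext=[^:]+:[^:]+:(?P<ftype>\w+)')),
    ("load_permission_denied", re.compile(r'zone (?P<zone>\S+)/IN: loading master file (?P<file>\S+): permission denied')),
    ("check_names", re.compile(r': (?P<owner>\S+?)(?:/(?P<rtype>\w+))?: bad owner name \(check-names\)')),
    ("xfer_deferred_quota", re.compile(r'zone (?P<zone>\S+)/IN: zone transfer deferred due to quota')),
]

# What each category points to in a chrooted BIND 9 slave like the one in the thread.
HINTS = {
    "selinux_denial": "named_t may not write to the directory holding the slave files; relabel that directory (restorecon) rather than leaving SELinux off",
    "load_permission_denied": "named cannot open the slave file; check owner/mode of the file and its directory inside the chroot, plus the SELinux label",
    "check_names": "owner name breaks host-name syntax (here '_'); BIND 9 defaults slave zones to 'check-names warn', set 'check-names ignore;' on the zone if such names are intended",
    "xfer_deferred_quota": "more concurrent inbound transfers than transfers-in allows; transient, named retries them",
}

def classify(line):
    """Return (category, details) for a noteworthy line, or None for anything else."""
    for category, rx in RULES:
        m = rx.search(line)
        if m:
            return category, {k: v for k, v in m.groupdict().items() if v}
    return None

def summarize(lines):
    """Count each category and collect the distinct zone, owner or directory names behind it."""
    counts, subjects = Counter(), defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            category, info = hit
            counts[category] += 1
            subjects[category].add(info.get("zone") or info.get("owner") or info.get("name"))
    return counts, subjects

if __name__ == "__main__":
    for category, n in summarize(SAMPLE_LOG)[0].most_common():
        print(f"{n:3d} {category}: {HINTS[category]}")
```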
George Liu_4
Trusted Contributor
Solution

Re: Secondary DNS

Seems several problems.

First, please disable SELinux and post the result again.

Use "setenforce 0" to disable SELinux.

rmueller58
Valued Contributor

Re: Secondary DNS

nslookup www.msn.com @nstemp.ourdomain.org

;; connection timed out; no servers could be reached

Dec 19 14:48:32 nstemp named[20352]: secondary/azonefile.org:236: dcw_node89.azonefile.org: bad owner name (check-names)

The quota and permission denied errors went away, but DIG and NSLOOKUP fail; also the check-names stuff is filling the messages log.

George Liu_4
Trusted Contributor

Re: Secondary DNS

I don't think you are allowed to make zone transfers from msn.com.

You need to set up a forwarder to dig msn.com.

George Liu_4
Trusted Contributor

Re: Secondary DNS

Try to dig any host in your own domain first.

rmueller58
Valued Contributor

Re: Secondary DNS

George,
I shut off SELinux.
Here is the output, 1st from the working primary and second from the temporary secondary.. I've checked the named.boot; it seems to be running through the zone files, getting bad check-names errors..

[root@esutemp ~]# dig www.esu3.org @205.202.253.1

; <<>> DiG 9.3.2 <<>> www.esu3.org @205.202.253.1
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48489
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.esu3.org. IN A

;; ANSWER SECTION:
www.esu3.org. 86400 IN A 205.202.241.39

;; AUTHORITY SECTION:
esu3.org. 86400 IN NS ns2.esu3.org.
esu3.org. 86400 IN NS ns1.esu3.org.

;; ADDITIONAL SECTION:
ns1.esu3.org. 86400 IN A 205.202.253.1
ns2.esu3.org. 86400 IN A 205.202.253.3

;; Query time: 7 msec
;; SERVER: 205.202.253.1#53(205.202.253.1)
;; WHEN: Tue Dec 19 15:30:57 2006
;; MSG SIZE rcvd: 114

[root@esutemp ~]# dig www.esu3.org @205.202.253.2

; <<>> DiG 9.3.2 <<>> www.esu3.org @205.202.253.2
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached

George Liu_4
Trusted Contributor

Re: Secondary DNS

On 205.202.253.2, what's the output of
ps -ef|grep named

and netstat -an|grep 53

Would like to turn off iptables/ipchains too on this host when testing.

rmueller58
Valued Contributor

Re: Secondary DNS

George,

When I do a /etc/named start, restart or stop, it is taking a LONGGG time to finish now.. I am thinking I will reload the OS and make sure I disable the SELinux and firewall settings on load. I stopped iptables/ipchains; same result, slow start of named.
Our old DNS server had all files in /etc/namedb as named root.

Within the directory structure is a "/secondary" where the zone files exist..

The /var/log/messages file is filling up with bad check-names junk..

I am going back to scratch and will post after I get things back in place..

Starting named is taking way longer than with the primary. I will check back after I get the OS rebuilt and zone files in place and ownership defined to named.

George Liu_4
Trusted Contributor

Re: Secondary DNS

OK. Also remember one thing: if you could, do not enable the chroot option when you do testing; it causes various issues.

After everything works, I suggest using chroot.

Also, SOA files need to be changed.
Good luck.

rmueller58
Valued Contributor

Re: Secondary DNS

George,

I have it rebuilt from scratch with SELinux and iptables disabled..

I've done the following:

Copied my existing secondary files over and placed them in /var/named/chroot/etc.

The following files are listed:

-rw-r--r-- 1 root named 195 Dec 19 15:44 localhost.zone
-rw-r--r-- 1 root root 1279 Dec 19 15:35 localtime
-rw-r--r-- 1 root named 21066 Dec 19 15:44 named.boot
-rw-r--r-- 1 root named 2133 Dec 19 15:44 named.ca
-rw-r----- 1 root named 1100 Sep 11 04:13 named.caching-nameserver.conf
-rw-r--r-- 1 root named 30339 Dec 19 15:46 named.conf
-rw-r--r-- 1 root named 251 Dec 19 15:44 named.local
-rw-r----- 1 root named 955 Sep 11 04:13 named.rfc1912.zones
-rw-r--r-- 1 root named 113 Dec 19 15:32 rndc.key
drwxrwxrwx 2 root named 20480 Dec 15 08:12 secondary
drwxr-xr-x 2 root named 4096 Jun 13 1999 src

Getting check-names errors in log:

Getting permission denied errors in the log:
Dec 19 15:46:43 esutemp named[2332]: zone 109.3.10.in-addr.arpa/IN: loading master file secondary/109.3.10.in-addr.arpa: permission denied

The top of my named.conf looks like this:
// generated by named-bootconf.pl

options {
directory "/etc";
allow-transfer { 205.202.253.1; };
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
type hint;
file "named.ca";
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

Bottom has an include for /etc/rndc.key, which is a symlink to /var/named/chroot/etc/rndc.key.

named.boot is still on the system; however, I thought this was deprecated with v8?
The file looks as such from the top:
;
; named.boot
;
; Description: The named.boot file is required to boot a BIND name server.
;
; Syntax: directory
; ;[comment]
; primary
; secondary [ ...]
; cache
; slave
; forwarders [ ...]
;
; location where domain data files are stored
; ;[comment] text following the ';' character is ignored
; domain For a secondary or primary line, the name of the BIND
; domain for which the server is a secondary or primary
; server. For a cache line, the name of the domain for
; which the file, , is a cache.
; host For a secondary line, the IP address of a primary or
; secondary server distributing the database for domain,
; . For a forwarders line, the IP address of a host
; to which queries should be forwarded.
; file For a secondary line, the name of the file in which the
; data of domain, , received from one of the hosts
; specified can be dumped. For a primary line, the file from
; which to read the master copy of the domain data. For a
; cache line, the name of the file in which the cache is
; stored.
;
directory /etc/namedb
;
secondary esu3.k12.ne.us 205.202.253.1 secondary/esu3.k12.ne.us

secondary esu3.net 205.202.253.1 secondary/esu3.net
secondary esu3.org 205.202.253.1 secondary/esu3.org
;
;
primary 0.0.127.in-addr.arpa named.local
;
;
; School district domains
;
secondary arl.esu3.k12.ne.us 205.202.253.1 secondary/arl.esu3.k12.ne.us

I am beyond baffled as to what to look at next..
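The named.conf quoted above says it was generated by named-bootconf.pl from this named.boot. As an added example (not that script, nor anything from the thread), the Python below does the same translation for the directive types quoted here (directory, primary, secondary, cache, forwarders), checks that every master in a secondary line is an IP address literal, and can optionally emit a per-zone check-names statement on the slave zones; the named.boot text is a constructed sample and the slave_check_names parameter is my own.

```python
import ipaddress

SAMPLE_BOOT = """\
; named.boot (constructed sample modelled on the one in the thread)
directory /etc/namedb
secondary esu3.k12.ne.us 205.202.253.1 secondary/esu3.k12.ne.us
secondary esu3.org 205.202.253.1 205.202.253.3 secondary/esu3.org
primary 0.0.127.in-addr.arpa named.local
cache . named.ca
forwarders 205.202.253.1
"""

def parse_boot(text):
    """Yield (keyword, args) for each non-blank named.boot line; ';' starts a comment."""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line:
            kw, *args = line.split()
            yield kw, args

def _addr_list(items):
    """Render the body of a BIND address list: 'a; b; '."""
    return "".join(f"{i}; " for i in items)

def to_named_conf(boot_text, slave_check_names=None):
    """Translate named.boot directives into BIND 9 named.conf text.
    slave_check_names (e.g. "ignore") adds 'check-names' to each slave zone;
    BIND 9 defaults slave zones to warn, which is what logs 'bad owner name'."""
    opts, zones = [], []
    for kw, args in parse_boot(boot_text):
        if kw == "directory":
            opts.append(f'    directory "{args[0]}";')
        elif kw == "forwarders":
            opts.append(f"    forwarders {{ {_addr_list(args)}}};")
        elif kw == "primary":
            dom, path = args
            zones.append(f'zone "{dom}" IN {{\n    type master;\n    file "{path}";\n}};')
        elif kw == "secondary":
            dom, *masters, path = args
            for m in masters:
                ipaddress.ip_address(m)  # ValueError if a token is not an IP literal
            body = ["    type slave;", f"    masters {{ {_addr_list(masters)}}};", f'    file "{path}";']
            if slave_check_names:
                body.append(f"    check-names {slave_check_names};")
            zones.append(f'zone "{dom}" IN {{\n' + "\n".join(body) + "\n};")
        elif kw == "cache":
            zones.append(f'zone "." IN {{\n    type hint;\n    file "{args[1]}";\n}};')
        else:
            raise ValueError(f"unsupported named.boot keyword: {kw}")
    return "options {\n" + "\n".join(opts) + "\n};\n\n" + "\n\n".join(zones) + "\n"
```

The slave file paths (secondary/...) are relative to the options directory, and named must be able to write them, which is exactly what the SELinux denial and permission-denied lines earlier in the thread are about.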