Linode Forum
Linode Community Forums
 Post subject: Binding
PostPosted: Thu May 19, 2005 11:41 am 
Junior Member

Joined: Thu May 12, 2005 2:06 pm
Posts: 48
Hi,

I need some help with BIND9.

I'm going to allocate ~20 domains in a typical LAMP system (Gentoo). Most of those domains are registered via Gandi in which I can do custom DNS (A, MX, CNAME...), so I really don't need to run BIND in my system. But, I want to run BIND because 1) I want to learn it, 2) I want to use webmin --> servers --> virtualmin and it seems simpler if I use BIND, 3) running BIND lets me create some scripts to add subdomains ad-hoc, for example.

I made a glue record using Gandi's interface, so I now have ns.mydomain.net pointing to my linode IP. Gandi provides free secondary NS for me -- although that's a question for tomorrow. I think that glue record was the first step.

Now, I have bind (named) started, and I can do dig @myip linode.com and it answers.

And that is exactly my problem. I don't want people to point to my linode as their DNS server and ask it for everything. I agree my DNS knowledge is about zero, but I think it should be possible for my BIND to answer ONLY for the domains it hosts, and only for them.

I've started reading about BIND and I cannot find this option -- well, I really don't know the term I'm looking for. Any ideas?

Thank you!


 Post subject:
PostPosted: Thu May 19, 2005 12:35 pm 
Senior Member

Joined: Fri Feb 13, 2004 11:30 am
Posts: 140
Location: England, UK
I don't know the specific option myself, but I can help you with the term you want. What you want is an option that means the server only answers for domains for which it considers itself "authoritative".

Simply put, a non-authoritative domain is one which it has to check from another source (or which has been cached from another source). An authoritative one is one that it knows about itself without having to check anywhere else, which will be the case for your own DNS entries.


 Post subject:
PostPosted: Thu May 19, 2005 12:40 pm 
Senior Member

Joined: Wed Mar 17, 2004 12:35 am
Posts: 118
Website: http://www.necrobones.com/
Location: Sterling, VA
I think you're looking for something like this:

Code:
options {
        directory "/var/named";
        recursion no;
};


Change "/var/named" to wherever, of course. You probably already have an options section in your named.conf, and you would just need to add the recursion statement to it. Make sure your resolv.conf doesn't list localhost etc. :)

_________________
----
Ed/Bones.


 Post subject:
PostPosted: Thu May 19, 2005 5:06 pm 
Junior Member

Joined: Thu May 12, 2005 2:06 pm
Posts: 48
Thank you for your answers. Recursion no seems to do the trick, but when I try nslookup from Windows or dig from my linode:

Quote:
> www.terra.es
Server: lixx-xx.members.linode.com
Address: 70.85.xxx.xxx

Name: www.terra.es
Served by:
- L.ROOT-SERVERS.NET
- M.ROOT-SERVERS.NET
- A.ROOT-SERVERS.NET
- B.ROOT-SERVERS.NET
- C.ROOT-SERVERS.NET
- D.ROOT-SERVERS.NET
- E.ROOT-SERVERS.NET
- F.ROOT-SERVERS.NET
- G.ROOT-SERVERS.NET
- H.ROOT-SERVERS.NET


Quote:
; <<>> DiG 9.2.5 <<>> @localhost www.terra.es
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16071
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;www.terra.es. IN A

;; AUTHORITY SECTION:
. 3600000 IN NS D.ROOT-SERVERS.NET.
. 3600000 IN NS E.ROOT-SERVERS.NET.
. 3600000 IN NS F.ROOT-SERVERS.NET.
. 3600000 IN NS G.ROOT-SERVERS.NET.
. 3600000 IN NS H.ROOT-SERVERS.NET.
. 3600000 IN NS I.ROOT-SERVERS.NET.
. 3600000 IN NS J.ROOT-SERVERS.NET.
. 3600000 IN NS K.ROOT-SERVERS.NET.
. 3600000 IN NS L.ROOT-SERVERS.NET.
. 3600000 IN NS M.ROOT-SERVERS.NET.
. 3600000 IN NS A.ROOT-SERVERS.NET.
. 3600000 IN NS B.ROOT-SERVERS.NET.
. 3600000 IN NS C.ROOT-SERVERS.NET.

;; Query time: 17 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu May 19 22:59:24 2005
;; MSG SIZE rcvd: 241


It seems quite strange. I've found a way to do an "Authoritative Only DNS Server", at http://www.zytrax.com/books/dns/ch6/index.html#authoritative, and I see that the approach is the same (recursion no).

I was expecting an error message for my request, but anyway it may work for my needs.

Thank you very much!


 Post subject: Re: Binding
PostPosted: Thu May 19, 2005 10:25 pm 
Senior Member

Joined: Sun Jul 20, 2003 8:29 am
Posts: 100
Website: http://www.ipo-australia.com
Location: Tropical Queensland, Australia
fernandonajer wrote:
Hi,

And that is exactly my problem. I don't want people to point to my linode as their DNS server, and asks it for everything.


I have DNS on my linode with different IPs. It's unlikely that it can reach anything else either.

You can configure DNS so that other servers will cache even if your DNS server is down.


 Post subject:
PostPosted: Fri May 20, 2005 9:24 am 
Senior Member

Joined: Wed Mar 17, 2004 12:35 am
Posts: 118
Website: http://www.necrobones.com/
Location: Sterling, VA
fernandonajer wrote:
Thank you for your answers. Recursion no seems to do the trick, but when I try nslookup from Windows or dig from my linode:

-snip-

It seems quite strange. I've found a way to do an "Authoritative Only DNS Server", at http://www.zytrax.com/books/dns/ch6/index.html#authoritative, and I see that the approach is the same (recursion no).

I was expecting an error message for my request, but anyway it may work for my needs.

Thank you very much!


Yeah, you won't get an error, just the root hints. Basically your server tells the client "I don't have that information, but here's where you can start".

If you really wanted to configure it to generate errors or NXDOMAINs, I'm sure there are some config tricks you can do, but it's not going to be worth your time. :)

_________________
----

Ed/Bones.


 Post subject:
PostPosted: Fri May 20, 2005 9:51 am 
Junior Member

Joined: Thu May 12, 2005 2:06 pm
Posts: 48
NecroBones wrote:
If you really wanted to configure it to generate errors or NXDOMAINs, I'm sure there are some config tricks you can do, but it's not going to be worth your time. :)


Ok, I'll leave it that way. I've started to host my sites with my own DNSs, I've 3 of them up and running, so I'm :D

Thank you for your help!


 Post subject:
PostPosted: Tue May 24, 2005 5:13 pm 
Senior Member

Joined: Tue Apr 13, 2004 6:54 pm
Posts: 833
Try something like

options {
allow-recursion { 127.0.0.1; };
directory "/var/named";
};

This _should_ only allow your own machine to use your DNS server for recursive lookups.

If I try to use my server to look up other stuff (firstly for a domain it's authoritative for, then for someone else's domain):

> server 66.160.141.105
Default server: 66.160.141.105
Address: 66.160.141.105#53
> sweh.spuddy.org
Server: 66.160.141.105
Address: 66.160.141.105#53

sweh.spuddy.org canonical name = linode.spuddy.org.
Name: linode.spuddy.org
Address: 66.160.141.105
> www.linode.com
Server: 66.160.141.105
Address: 66.160.141.105#53

Non-authoritative answer:
*** Can't find www.linode.com: No answer
>

_________________
Rgds
Stephen
(Linux user since kernel version 0.11)
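A practical way to verify either setting (`recursion no` from the earlier reply, or `allow-recursion { 127.0.0.1; }` from this one) from outside is to ask the server for a name it does not host and read the header flags, which is what dig prints on its `flags:` line. BIND sets the RA (recursion available) bit only when it is willing to recurse for the querying client, so an RA-less reply to a recursive query is the "closed" result. The dig output quoted above (flags `qr rd`, ANSWER 0, AUTHORITY 13) is the upward referral to the root hints that BIND of that era returned in this situation; later BIND 9 releases answer REFUSED instead. The script below is an added example written for this thread, not code from the forum or from BIND; it builds the query and the four possible reply shapes by hand (the sample replies are constructed, not captured, and www.example.com / 192.0.2.10 are documentation placeholders), classifies them, and can optionally be pointed at a live server.

```python
"""Open-resolver check: build a DNS query with RD=1 and classify the reply
by its header flags.

Added example for this thread, not code from the forum or from BIND. The
sample responses below are constructed by hand (not captured traffic) and
www.example.com / 192.0.2.10 are documentation placeholders."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_A, TYPE_NS = 1, 2


def _name(n):
    """Encode a domain name in wire format; "" or "." is the root."""
    n = n.rstrip(".")
    if not n:
        return b"\x00"
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in n.split(".")) + b"\x00"


def build_query(qname, qtype=TYPE_A, txid=0x1234):
    """Standard query with only the RD (recursion desired) bit set: flags 0x0100."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _name(qname) + struct.pack("!HH", qtype, 1)


def build_response(txid, flags, qname, answers=(), authority=()):
    """Assemble a wire-format reply from (owner, type, ttl, rdata) tuples.
    Only used to construct sample data here; no name compression is applied."""
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), len(authority), 0)
    msg += _name(qname) + struct.pack("!HH", TYPE_A, 1)
    for owner, rtype, ttl, rdata in list(answers) + list(authority):
        msg += _name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return msg


def parse_header(msg):
    """Decode the 12-byte DNS header into the flags dig prints (qr aa rd ra, rcode)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
        "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(resp):
    """Interpret a reply to a query for a name the server does NOT host.

    BIND sets RA only when it is willing to recurse for this client, so RA on
    such a reply means the server is an open resolver for us."""
    h = parse_header(resp)
    if h["rcode"] == "REFUSED":
        return "refused"          # recursion denied (current BIND behaviour)
    if h["aa"]:
        return "authoritative"    # we asked for a name it actually hosts
    if h["ra"]:
        return "open-resolver"    # it recursed for us, or offers to
    if h["ancount"] == 0 and h["nscount"] > 0:
        return "referral"         # 2005-era BIND: root hints, flags "qr rd" only
    return "other"


def query_live(server, qname, timeout=3.0):
    """Send the query over UDP and classify the reply (needs network access)."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if parse_header(resp)["id"] != parse_header(q)["id"]:
        raise ValueError("transaction id mismatch")
    return classify(resp)


# Constructed sample replies to "www.example.com A", one per server behaviour.
QNAME = "www.example.com"
ROOTS = [("", TYPE_NS, 3600000, _name(f"{c}.root-servers.net")) for c in "abcdefghijklm"]
SAMPLE_OPEN = build_response(0x1234, 0x8180, QNAME,            # qr rd ra
                             answers=[(QNAME, TYPE_A, 300, bytes([192, 0, 2, 10]))])
SAMPLE_REFERRAL = build_response(0x1234, 0x8100, QNAME, authority=ROOTS)  # qr rd
SAMPLE_REFUSED = build_response(0x1234, 0x8105, QNAME)         # qr rd, rcode REFUSED
SAMPLE_AUTH = build_response(0x1234, 0x8500, QNAME,            # qr aa rd
                             answers=[(QNAME, TYPE_A, 300, bytes([192, 0, 2, 10]))])

if __name__ == "__main__":
    for label, sample in [("open", SAMPLE_OPEN), ("referral", SAMPLE_REFERRAL),
                          ("refused", SAMPLE_REFUSED), ("auth", SAMPLE_AUTH)]:
        print(f"{label:9s} -> {classify(sample)}")
```

To test a real server, call `query_live("your.name.server", "www.example.com")` from a host outside the `allow-recursion` ACL; anything other than `refused` or `referral` for a name you do not host means the server is still recursing for strangers. Checking the transaction ID before trusting the reply is the same minimal sanity check dig performs.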

