Named not allowing query?

Pzz

I changed a DNS (MX) setting, and was waiting for it to actually change. Well, it didn't.

intoDNS.com reported:
Code:
Looks like your nameservers do not agree on the SOA serial. The SOA records as reported by your nameservers:
195.8.195.195 ->  2016101903
37.97.199.195 ->  2016101903
149.210.146.112 ->  2020032101

I took a look at the named.run and this log reported: (among others):
Code:
client @0x7fd73af03250 87.253.155.101#37009 (<mydomain.tld>): zone transfer '<mydomain.tld/AXFR/IN' denied

Now I'm viewing my named.conf. I read some articles already and I saw that my nameservers' IPs should be allowed here. But there are no IPs. Allow-query isn't even enabled! How can any secondary nameserver ever read my data? All my zones are listed, so this must be the actual one being used.

Which brings me to the conclusion, for someone who doesn't change his DNS often, that maybe the named.conf I used to have got overwritten (months ago) by a new one with an update?

And when I run the conf check, the conf doesn't seem to be up-to-date at all:
Code:
$ named-checkconf /etc/named.conf
/etc/named.conf:34: dnssec-lookaside 'auto' is no longer supported

Well, it doesn't make sense to me. Here's my named.conf, probably pretty much the default:

Code:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        allow-transfer { none; };
        //listen-on port 53 { 127.0.0.1; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        //allow-query     { localhost; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        //recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
 
zone "mydomain.tld" { type master; file "/var/named/mydomain.tld.db"; };
zone ...
zone ...
...
 
Allow-query isn't even enabled!
Of course not. That's a security risk and since a short while it's disabled by default.

I read some articles already and I saw that my nameservers' IPs should be allowed here.
That depends. If you're using DirectAdmin's own Multi Server DNS clustering, there is no need for IPs in the named.conf. When reading this:
you can see that it's not mentioned there either. The reason is that multi-server DNS clustering works differently: it makes a connection directly with the other DA instance via port 2222. So the exchange is done via DA and not via named/bind.

However, if your other nameservers are non-DA servers, so they need transfers, then your IPs should be mentioned indeed. You have to do this yourself.
I can't remember -ever- that my named.conf got overwritten by some update.

/etc/named.conf:34: dnssec-lookaside 'auto' is no longer supported
Correct. I don't know if this is added by default by the OS or by DA. But if it's done by DA, that line can be removed. However, this is just a notice; it will not make your named fail. It's up to date for the rest.

Concluding:
1.) Which system exactly are you using for your nameservers: your own kind of DNS clustering or DA multi-server clustering?
2.) You should take care that your SOA serial records match.
3.) IntoDNS sometimes does strange things; verify also with another system like dnsstuff.com or something like that.
4.) When having looked at my points 1-3 what exactly are your remaining questions?
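The two checks the reply asks for (is AXFR actually permitted for the external secondaries, and do the SOA serials agree) can be scripted. The script below is an added example, not code from this thread, DirectAdmin or BIND. It parses text only and never touches the network: the named.conf excerpts are constructed from the default config posted above, the SOA report is the intoDNS output from the first post, and it assumes the two external secondaries are 195.8.195.195 and 37.97.199.195 (the two servers that still report the old serial). The ACL evaluator handles only address literals, CIDR prefixes, any/none/localhost and `!` negation, and assumes `any` when no allow-transfer is set, which is what older BIND 9 releases default to; set the option explicitly rather than relying on the default of your version.

```python
"""Audit a BIND named.conf for zone-transfer access and check SOA serial agreement.

Added example (not from the forum thread, DirectAdmin or BIND). Text parsing only,
no network access. All inputs below are constructed sample data.
"""
import ipaddress
import re

# Constructed sample: the thread's default Red Hat config, which transfers nothing.
WEAK_NAMED_CONF = '''
options {
        // default from the bind package: nobody may AXFR
        allow-transfer { none; };
        directory       "/var/named";
        //allow-query     { localhost; };
};
logging {
        channel default_debug { file "data/named.run"; severity dynamic; };
};
zone "." IN { type hint; file "named.ca"; };
include "/etc/named.rfc1912.zones";
zone "mydomain.tld" { type master; file "/var/named/mydomain.tld.db"; };
'''

# Constructed sample: same config, but the two external secondaries (assumed to be
# 195.8.195.195 and 37.97.199.195) may transfer and are NOTIFYed on serial bumps.
FIXED_NAMED_CONF = WEAK_NAMED_CONF.replace(
    "allow-transfer { none; };",
    "allow-transfer { 195.8.195.195; 37.97.199.195; };\n"
    "        also-notify    { 195.8.195.195; 37.97.199.195; };",
)

# Constructed sample in the format intoDNS printed in the first post.
SOA_REPORT = """\
195.8.195.195 ->  2016101903
37.97.199.195 ->  2016101903
149.210.146.112 ->  2020032101
"""

SECONDARIES = ["195.8.195.195", "37.97.199.195"]  # assumption, see lead-in


def _strip_comments(conf):
    """Drop /* */, // and # comments so braces inside them cannot confuse the parser."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def _top_level_blocks(conf):
    """Yield (header, body) for each top-level `header { body };` statement."""
    i = 0
    while (start := conf.find("{", i)) >= 0:
        # Brace-less statements (include "...";) precede the header; keep the last piece.
        header = conf[i:start].split(";")[-1].strip()
        depth, j = 1, start + 1
        while j < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[j], 0)
            j += 1
        yield header, conf[start + 1:j - 1]
        i = j


def _acl(text):
    """Split an address_match_list body ('a; b; !c;') into its entries."""
    return [e.strip() for e in text.split(";") if e.strip()]


def transfer_policy(conf, default=("any",)):
    """Effective allow-transfer ACL per primary zone; a zone-level ACL overrides options{}."""
    conf = _strip_comments(conf)
    global_acl, zones = list(default), {}
    for header, body in _top_level_blocks(conf):
        m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
        acl = _acl(m.group(1)) if m else None
        if header.startswith("options") and acl is not None:
            global_acl = acl
        z = re.match(r'zone\s+"([^"]+)"', header)
        if z and re.search(r"\btype\s+(master|primary)\s*;", body):
            zones[z.group(1)] = acl
    return {name: (acl if acl is not None else global_acl) for name, acl in zones.items()}


def _entry_matches(entry, addr):
    if entry == "any":
        return True
    if entry == "none":
        return False
    if entry == "localhost":           # approximation: BIND means any interface of this host
        return addr.is_loopback
    try:
        return addr in ipaddress.ip_network(entry, strict=False)
    except ValueError:                 # named ACLs, keys, localnets: not resolved here
        return False


def acl_allows(acl, ip):
    """BIND address_match_list semantics: first matching entry wins, '!' negates, no match denies."""
    addr = ipaddress.ip_address(ip)
    for entry in acl:
        negated = entry.startswith("!")
        if _entry_matches(entry.lstrip("!").strip(), addr):
            return not negated
    return False


def soa_serials(report):
    """Parse 'nameserver ->  serial' lines into {nameserver: serial}."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^\s*(\S+)\s*->\s*(\d+)", report, re.M)}


def stale_servers(serials):
    """Servers whose SOA serial lags the highest one seen; empty means all in sync."""
    newest = max(serials.values())
    return sorted(ns for ns, s in serials.items() if s < newest)


def audit(conf, secondaries, report):
    """Findings to act on: AXFR denied per zone and secondary, plus lagging serials."""
    findings = []
    for zone, acl in transfer_policy(conf).items():
        for ip in secondaries:
            if not acl_allows(acl, ip):
                findings.append(f"{zone}: AXFR from {ip} denied by allow-transfer {{ {'; '.join(acl)}; }}")
    lagging = stale_servers(soa_serials(report))
    if lagging:
        findings.append("SOA serial lags on " + ", ".join(lagging))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_NAMED_CONF), ("fixed", FIXED_NAMED_CONF)):
        print(f"[{label}]")
        for finding in audit(conf, SECONDARIES, SOA_REPORT):
            print("  -", finding)
```

With the posted config the audit reports both secondaries denied for mydomain.tld, matching the "zone transfer denied" line in named.run; with the fixed ACL only the serial lag remains, which clears once the secondaries transfer the zone (a NOTIFY from also-notify makes that happen without waiting for the SOA refresh interval).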
 
Well. That starts me thinking....

The situation was (years ago) that I had my own primary nameserver (on my VPS) and used two nameservers of my hoster (TransIP).

And it always seemed to work well. I can't remember that I ever had to make any modification in named.conf.

Now that there is a problem (well, everything is still working) I start to wonder how it could have ever worked. I mean: I never made a study of how to create a nameserver in DA or how to add secondary nameservers. It just worked (I guess).

I'll try to figure this out now with some extra reading to start with and I'll get back with new questions....

GJ
 
OK. When using the default, DA has some local nameserver structure to be able to set up the domains and generate the DNS records needed for several things anyway. But if you never really set up your own nameservers with 2 IPs, you are using the external nameservers of TransIP.

I don't know if TransIP nameservers support AXFR (DNS transfers); otherwise that would be nice. I don't know any hoster which does, but you can ask them in a ticket or something.

In any case, if you in fact only use your external nameservers for your domain, remember that you can do anything you want, but important DNS changes like changes in MX records, IPs, SPF and DKIM records for example, need to be copied into the DNS of TransIP.

So if you changed the MX record in DA, you also have to change this in TransIP's DNS system to have any effect outside of your VPS (so on the internet worldwide). Same for other things.
I'm Dutch too, so if it's easier for you to ask questions in the Dutch (Nederlands) language, feel free to send me a pm.
 