Adding DNS Forwarders to ISPConfig


gavinlowle
14th June 2011, 14:37
Hi,

I have installed and configured ISPConfig 3 for the sole purpose of providing Bind DNS answers to my internal clients for internal zones. However, I need to add forwarding of DNS for non-authoritative zones/domains to the internet for resolution. I know I can manipulate bind to do this for me, but does this compromise the functionality of ISPConfig by doing this?

I'm primarily using ISPConfig as a way to provide a GUI interface to Bind for non-CLI admins.

If ISPConfig is not the 'kiddie' for the job, I'm open to suggestion...

Thank you in advance.
Gavin.

till
14th June 2011, 16:33
You can modify the named.conf file, but don't modify the named.conf.local.

gavinlowle
21st June 2011, 17:14
Hi Till,

When I add the following to my /etc/bind/named.conf my Bind DNS stops answering any queries. any clues?

options {
forwarders { 8.8.8.8; 8.8.4.4; };
};

Cheers,
Gavin.

till
21st June 2011, 17:28
Please check the syslog or messages log file for errors.

gavinlowle
21st June 2011, 18:01
With forwarders enabled I get nothing: I don't see errors and DNS doesn't function; clients just get DNS request timeouts.

Without forwarders, local DNS queries are fine, but internet-bound queries are greeted with (in /var/log/syslog)

client ip.add.re.ss. query (cache) 'bbc.co.uk/A/IN' denied

Which I would expect as forwarders are not enabled.

gavinlowle
1st July 2011, 14:17
Hi,
This is the output I see when forwarders are enabled in my /etc/bind/named.conf file

Extract from named.conf
-----------------------------
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
options {
forwarders { 8.8.8.8; 8.8.4.4; };
};

Tail of log
------------------------------
Jul 1 12:11:01 s1-ns0-int named[4734]: adjusted limit on open files from 4096 to 1048576
Jul 1 12:11:01 s1-ns0-int named[4734]: found 1 CPU, using 1 worker thread
Jul 1 12:11:01 s1-ns0-int named[4734]: using up to 4096 sockets
Jul 1 12:11:01 s1-ns0-int named[4734]: loading configuration from '/etc/bind/named.conf'
Jul 1 12:11:01 s1-ns0-int named[4734]: /etc/bind/named.conf:12: 'options' redefined near 'options'
Jul 1 12:11:01 s1-ns0-int named[4734]: loading configuration: already exists
Jul 1 12:11:01 s1-ns0-int named[4734]: exiting (due to fatal error)

till
1st July 2011, 14:25
The named options are defined in the file /etc/bind/named.conf.options. So remove the options part that you added to the named.conf file and edit /etc/bind/named.conf.options instead: add or edit the forwarders line in that file inside the existing options part.

gavinlowle
1st July 2011, 14:45
OK, with that done BIND loads cleanly again, however forwarded queries are dumped with

/ispconfig/cron.log)
Jul 1 12:41:03 s1-ns0-int named[3107]: client 10.1.20.1#49339: query (cache) 'google.com/A/IN' denied

till
1st July 2011, 14:49
Please post the content of the file /etc/bind/named.conf.options and the complete named.conf file.

gavinlowle
1st July 2011, 14:51
/etc/bind/named.conf
-------------------------
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
//options {
//forwarders { 8.8.8.8; 8.8.4.4; };
//};

/etc/bind/named.conf.options
----------------------------------

options {
directory "/var/cache/bind";

// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

forwarders {
8.8.8.8;8.8.4.4;
};

auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};

gavinlowle
1st July 2011, 18:40
Any idea Till?

gavinlowle
11th July 2011, 12:46
Hi Till,
You have been very helpful so far, so much so that I took the time to invest in the ISPConfig manual in the hope that maybe I could glean my answers there. Unfortunately I cannot answer my outstanding query using the manual. I would be very appreciative if you could review my outstanding query regarding the forwarders.
Thank you in advance,
Gavin.

falko
12th July 2011, 11:23
My guess is that there's already another options {} section somewhere else in your configuration, and that you should have defined forwarders {} there.

gavinlowle
12th July 2011, 16:54
Thanks for the reply Falko, but I fail to see where this other options section that you refer to could be?

I have purely followed the guide for building the perfect server on Ubuntu 11.04 and configured Bind for ISPConfig3, then tried to enable forwarders, nothing more.

*Any* other clues or hints on where you think this might be would be very useful. Sadly I'm on the brink of ditching ISPConfig in favour of Bind & Webmin for my Admins, for the want of a small problem.

Gavin.

falko
13th July 2011, 11:31
Did you check all files that are included in /etc/bind/named.conf?

If you use a chrooted BIND, there might be another named.conf that you have to look at (run
updatedb
locate named.conf
to find it).

gavinlowle
22nd September 2011, 20:41
Hi Falko,

Sorry for the tardy response to your follow up, other things took over and I'm only now revisiting this one.

I still have a problem here with this which I cannot resolve.

I followed your advice regarding 'updatedb' and 'locate' to find other instance of named.conf and there are no other instances, also bind is not chrooted.

So a little recap:
My client machine (M$7) can query ISPConfig3 (Ubuntu 11.04, installed following the perfect server guide) for authoritative domains configured on the ISPConfig. If I query a non-authoritative domain, e.g. www.bbc.co.uk, my Win7 machine just gets Query Refused and a tail of /var/log/syslog shows

Sep 22 18:21:44 s1-ns0-int named[1512]: client 10.1.20.1#57759: query (cache) 'bbc.co.uk/A/IN' denied
Sep 22 18:21:44 s1-ns0-int named[1512]: client 10.1.20.1#57760: query (cache) 'bbc.co.uk/AAAA/IN' denied

This is example output from my desktop querying the ISPConfig, both an internal resource (my desktop) and then www.bbc.co.uk

C:\Users\GLowle>dig glowle.pageone.co.uk

; <<>> DiG 9.8.1b1 <<>> glowle.pageone.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26014
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;glowle.pageone.co.uk. IN A

;; ANSWER SECTION:
glowle.pageone.co.uk. 86400 IN A 10.1.20.1

;; AUTHORITY SECTION:
pageone.co.uk. 86400 IN NS ns0-int.pageone.co.uk.
pageone.co.uk. 86400 IN NS ns1-int.pageone.co.uk.

;; ADDITIONAL SECTION:
ns0-int.pageone.co.uk. 86400 IN A 192.168.103.100
ns1-int.pageone.co.uk. 86400 IN A 192.168.103.101

;; Query time: 4 msec
;; SERVER: 192.168.103.100#53(192.168.103.100)
;; WHEN: Thu Sep 22 18:33:10 2011
;; MSG SIZE rcvd: 130


C:\Users\GLowle>dig www.bbc.co.uk

; <<>> DiG 9.8.1b1 <<>> www.bbc.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 14178
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.bbc.co.uk. IN A

;; Query time: 3 msec
;; SERVER: 192.168.103.100#53(192.168.103.100)
;; WHEN: Thu Sep 22 18:33:21 2011
;; MSG SIZE rcvd: 31


C:\Users\GLowle>

This is my locate

toor@s1-ns0-int:~$ locate named.conf
/etc/bind/named.conf
/etc/bind/named.conf.default-zones
/etc/bind/named.conf.local
/etc/bind/named.conf.options
/usr/share/man/man5/named.conf.5.gz

This is my named.conf

toor@s1-ns0-int:~$ cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
//options {
//forwarders { 8.8.8.8; 8.8.4.4; };
//};

This is my named.conf.local

toor@s1-ns0-int:~$ cat /etc/bind/named.conf.local
zone "pageone.co.uk" {
type master;
allow-transfer {none;};
file "/etc/bind/pri.pageone.co.uk";
};
zone "103.168.192.in-addr.arpa" {
type master;
allow-transfer {none;};
file "/etc/bind/pri.103.168.192.in-addr.arpa";
};
zone "1.1.10.in-addr.arpa" {
type master;
allow-transfer {none;};
file "/etc/bind/pri.1.1.10.in-addr.arpa";
};
zone "20.1.10.in-addr.arpa" {
type master;
allow-transfer {none;};
file "/etc/bind/pri.20.1.10.in-addr.arpa";
};
zone "paging.org.uk" {
type master;
allow-transfer {none;};
file "/etc/bind/pri.paging.org.uk";
};
zone "203.168.192.in-addr.arpa" {
type master;
allow-transfer {none;};
file "/etc/bind/pri.203.168.192.in-addr.arpa";
};
zone "128.20.172.in-addr.arpa" {
type master;
allow-transfer {none;};
file "/etc/bind/pri.128.20.172.in-addr.arpa";
};
zone "129.20.172.in-addr.arpa" {
type master;
allow-transfer {none;};
file "/etc/bind/pri.129.20.172.in-addr.arpa";
};
zone "128.30.172.in-addr.arpa" {
type master;
allow-transfer {none;};
file "/etc/bind/pri.128.30.172.in-addr.arpa";
};
zone "98.1.10.in-addr.arpa" {
type master;
allow-transfer {none;};
file "/etc/bind/pri.98.1.10.in-addr.arpa";
};
zone "60.1.10.in-addr.arpa" {
type master;
allow-transfer {none;};
file "/etc/bind/pri.60.1.10.in-addr.arpa";
};
zone "200.168.192.in-addr.arpa" {
type master;
allow-transfer {none;};
file "/etc/bind/pri.200.168.192.in-addr.arpa";
};
zone "143.168.192.in-addr.arpa" {
type master;
allow-transfer {none;};
file "/etc/bind/pri.143.168.192.in-addr.arpa";
};

This is my named.conf.options

toor@s1-ns0-int:~$ cat /etc/bind/named.conf.options
options {
directory "/var/cache/bind";

// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

forwarders {
8.8.8.8;8.8.4.4;
};

auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};

I can quite happily perform non-authoritative lookups directly on the ISPConfig host though:

toor@s1-ns0-int:~$ dig www.bbc.co.uk

; <<>> DiG 9.7.3 <<>> www.bbc.co.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28664
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;www.bbc.co.uk. IN A

;; ANSWER SECTION:
www.bbc.co.uk. 90 IN CNAME www.bbc.net.uk.
www.bbc.net.uk. 89 IN A 212.58.246.94

;; AUTHORITY SECTION:
. 74919 IN NS m.root-servers.net.
. 74919 IN NS k.root-servers.net.
. 74919 IN NS c.root-servers.net.
. 74919 IN NS d.root-servers.net.
. 74919 IN NS f.root-servers.net.
. 74919 IN NS e.root-servers.net.
. 74919 IN NS b.root-servers.net.
. 74919 IN NS j.root-servers.net.
. 74919 IN NS l.root-servers.net.
. 74919 IN NS g.root-servers.net.
. 74919 IN NS a.root-servers.net.
. 74919 IN NS i.root-servers.net.
. 74919 IN NS h.root-servers.net.

;; Query time: 49 msec
;; SERVER: 192.168.103.100#53(192.168.103.100)
;; WHEN: Thu Sep 22 18:30:48 2011
;; MSG SIZE rcvd: 284

So, it's just my inbound client queries that get refused.

If you need any other information please let me know.

Kind regards,
Gavin.

falko
23rd September 2011, 11:16
Take a look at http://erikimh.com/disable-recursion-in-bind/ . If you want to allow recursion, set
recursion yes;
in your named configuration.
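The two failures in this thread (till's point that named.conf already pulls in an options {} block via named.conf.options, so a second one is a fatal "'options' redefined", and falko's point that the "query (cache) ... denied" lines are a recursion policy, not a forwarding problem) can both be checked mechanically before restarting named. The script below is an added example written for this thread, not ISPConfig's or BIND's own code: it follows include statements, counts top-level options blocks, and classifies the recursion ACL, running against constructed copies of the thread's file layout written to a temp directory. Function names, the four variants, and the 10.0.0.0/8 internal range are assumptions. A relevant BIND fact it relies on: when allow-recursion is not set, BIND 9 only recurses for localhost and localnets (the server's own subnets), which matches the symptom here of dig working on 192.168.103.100 itself while a 10.1.20.x client is refused.

```shell
#!/bin/sh
# Added example (not from the thread): lint a BIND named.conf tree.
# Follows include "..." statements, counts top-level options {} blocks (a
# second one is fatal: "'options' redefined"), and classifies the recursion
# policy that decides whether off-zone client queries are answered or denied.
# Assumptions: relative include paths resolve against $BIND_DIR (default
# /etc/bind); /* */ block comments are not handled.

# Print a config file followed by every file it includes, recursively.
bind_expand_includes() {
    cat "$1"
    sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
    while read -r inc; do
        case "$inc" in
            /*) path=$inc ;;
            *)  path=${BIND_DIR:-/etc/bind}/$inc ;;
        esac
        if [ -f "$path" ]; then bind_expand_includes "$path"; fi
    done
}

# Drop // and # comments so commented-out settings are not counted.
bind_strip_comments() {
    sed -e 's://.*$::' -e 's/#.*$//'
}

# Number of options statements across the whole tree; anything above 1 is fatal.
bind_count_options() {
    bind_expand_includes "$1" | bind_strip_comments |
    grep -c '^[[:space:]]*options[[:space:]]*{' || true
}

# closed: recursion no.  default: BIND's built-in ACL (localhost, localnets).
# open: allow-recursion { any; }, an open resolver.  internal: explicit list.
bind_recursion_policy() {
    cfg=$(bind_expand_includes "$1" | bind_strip_comments)
    if printf '%s\n' "$cfg" | grep -q '^[[:space:]]*recursion[[:space:]]*no[[:space:]]*;'; then
        echo closed
        return
    fi
    acl=$(printf '%s\n' "$cfg" |
          sed -n 's/^[[:space:]]*allow-recursion[[:space:]]*{\([^}]*\)}.*/\1/p')
    case "$acl" in
        "")    echo default ;;
        *any*) echo open ;;
        *)     echo internal ;;
    esac
}

# Write a constructed copy of the thread's file layout to a temp dir and print
# its path. $1 selects the named.conf.options variant.
bind_write_demo() {
    dir=$(mktemp -d)
    printf 'include "%s/named.conf.options";\ninclude "%s/named.conf.local";\n' \
        "$dir" "$dir" > "$dir/named.conf"
    printf 'zone "pageone.co.uk" { type master; file "/etc/bind/pri.pageone.co.uk"; };\n' \
        > "$dir/named.conf.local"
    case "$1" in
        dup)       # the thread's first attempt: a second options {} in named.conf
            printf 'options { directory "/var/cache/bind"; };\n' > "$dir/named.conf.options"
            printf 'options { forwarders { 8.8.8.8; 8.8.4.4; }; };\n' >> "$dir/named.conf" ;;
        default)   # forwarders only; recursion falls back to the built-in ACL
            cat > "$dir/named.conf.options" <<'EOF'
options {
    directory "/var/cache/bind";
    forwarders { 8.8.8.8; 8.8.4.4; };
};
EOF
            ;;
        open)      # weak: any host that can reach port 53 may recurse through us
            cat > "$dir/named.conf.options" <<'EOF'
options {
    directory "/var/cache/bind";
    forwarders { 8.8.8.8; 8.8.4.4; };
    recursion yes;
    allow-recursion { any; };
};
EOF
            ;;
        internal)  # corrected: recursion only for the assumed internal ranges
            cat > "$dir/named.conf.options" <<'EOF'
options {
    directory "/var/cache/bind";
    forwarders { 8.8.8.8; 8.8.4.4; };
    recursion yes;
    allow-recursion { localhost; localnets; 10.0.0.0/8; };
    allow-query-cache { localhost; localnets; 10.0.0.0/8; };
};
EOF
            ;;
    esac
    echo "$dir"
}

# Stand-alone run: lint each constructed variant and print its verdicts.
for v in dup default open internal; do
    d=$(bind_write_demo "$v")
    printf '%-9s options=%s recursion=%s\n' "$v" \
        "$(bind_count_options "$d/named.conf")" "$(bind_recursion_policy "$d/named.conf")"
    rm -r "$d"
done
```

On a real host, named-checkconf /etc/bind/named.conf remains the authoritative syntax check; this script only shows the logic. The "internal" variant is the shape to aim for here: recursion yes alone, or allow-recursion { any; }, turns a forwarding server that is reachable from the internet into an open resolver, whereas listing the internal networks in allow-recursion (and allow-query-cache, so cached answers are not leaked either) answers the 10.1.20.x clients in the thread while still refusing everyone else.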