#11  
Old 15th July 2010, 18:55
qb7 qb7 is offline
Member
 
Join Date: Jul 2010
Posts: 50
Thanks: 12
Thanked 4 Times in 4 Posts
Default post the named.conf

Quote:
Originally Posted by falko View Post
Looks good. If you use BIND - can you post your named.conf?
# vi /var/named/chroot/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
        listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named/chroot/var/named";
        dump-file "/var/named/chroot/var/named/data/cache_dump.db";
        statistics-file "/var/named/chroot/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/chroot/var/named/data/named_mem_stats.txt";
        allow-query { localhost; };
        recursion yes;
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
"/var/named/chroot/etc/named.conf" 29L, 938C
Reply With Quote
  #12  
Old 16th July 2010, 05:27
matty matty is offline
Member
 
Join Date: Apr 2010
Location: Australia
Posts: 85
Thanks: 2
Thanked 12 Times in 11 Posts
Default

Hi qb7. You need to fix the listen-on and allow-query parameters as I mentioned on the 1st page.
Reply With Quote
  #13  
Old 16th July 2010, 05:58
veuster veuster is offline
Member
 
Join Date: Jul 2010
Posts: 30
Thanks: 11
Thanked 0 Times in 0 Posts
Exclamation need confirmation

Hi matty, I need to ask something.

I have a VPS that I use as nameserver and webserver

My website on my VPS couldn't be accessed before.

I have registered my nameserver with my domain provider and assigned the domain's nameserver to my nameserver. I waited for a week and it didn't work.

At first I thought it was because my nameserver (in this case my VPS) has to be added to the global registry of my domain provider, according to some howto article. So I tried to contact my domain provider, but they say I must ask the VPS provider, and the VPS provider says I must ask the domain provider.

Then, I also found out that in order to check the DNS is running and accessible, one should be able to telnet to the server IP at port 53. I tried this but can't connect.

After I read this thread, you suggest to change the parameter in named.conf.
I tried it and it works like a charm. My website can be accessed now.
What I want to ask is :
Is it OK to make this change? I mean secure or anything?

Because I followed the perfect server guide and the guide says nothing about this. The guide just put localhost or 127.0.0.1 in the parameter

Thanks.
Reply With Quote
  #14  
Old 19th July 2010, 00:56
matty matty is offline
Member
 
Join Date: Apr 2010
Location: Australia
Posts: 85
Thanks: 2
Thanked 12 Times in 11 Posts
Default

Quote:
Originally Posted by veuster View Post
After I read this thread, you suggest to change the parameter in named.conf.
I tried it and it works like a charm. My website can be accessed now.
What I want to ask is :
Is it OK to make this change? I mean secure or anything?
Yes, it's fine for a server that needs zones to be publicly accessible.

It's important to understand a couple of concepts about name servers. When you host a zone, the name server becomes an authoritative name server. That is, your name servers are the only ones in the world that can answer queries authoritatively (meaning they have the exact, non-cached answer) for that zone. Because we're running ISPConfig, we probably want everyone in the world to be able to ask our nameservers about the zones we host, so that they can see the sites and services we host. To enable that, we need to set bind to allow-queries from any(where).

allow-query { any; };

The other main function of name servers is to do the work of querying other name servers that host other people's zones, so that we can connect to their sites and services. This is a function known as recursion. That is, we ask our name server to find out the address of a site, and it then goes and makes multiple queries until it obtains an answer (or fails) and then passes that answer back to your computer. It's best practice to only allow your name server to perform recursive lookups for computers you control or trust, and not allow everybody on the 'net to use your name server in that way. So you tell bind who is allowed to do recursion. In this example, use your own networks, and don't forget to allow localhost so the nameserver can access its own service. An ISP would probably allow the IP ranges of its user base.

allow-recursion { 192.168.0.0/24; 192.168.3.0/24; localhost; };

The other parameter I mentioned, listen-on, tells bind to only answer queries it receives on the specified network interfaces. If it is left as localhost/127.0.0.1, it will ignore queries from anywhere but itself.

listen-on { any; };

Advanced users may have a need to do things a little differently to the examples above, but these will suit 99% of us that use ISPConfig to host publicly accessible DNS zones and web/email servers.

Quote:
Because I followed the perfect server guide and the guide says nothing about this. The guide just put localhost or 127.0.0.1 in the parameter
There's quite a few perfect server guides. I'm sure falko and till would appreciate feedback that could be used to improve them. Could you point out which one you used?
Reply With Quote
The Following 2 Users Say Thank You to matty For This Useful Post:
qb7 (19th July 2010), veuster (19th July 2010)
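
An added example, not part of matty's post or of the ISPConfig guides: a small Python check that reads the options block of a named.conf and reports whether recursion ends up open to everyone once allow-query is set to any, which is the situation the allow-recursion advice above is meant to prevent. The two sample configs are constructed, the parser handles flat ACLs only, and the fallback order used when allow-recursion is unset is the one documented for BIND 9.4 and later.

```python
import re

# Constructed samples (not from the thread): the same public-facing options
# block with and without the allow-recursion limit described above.
RESTRICTED = """options {
    listen-on { any; };
    allow-query { any; };
    allow-recursion { 192.168.0.0/24; 192.168.3.0/24; localhost; };
};"""
OPEN = """options {
    listen-on { any; };
    allow-query { any; };
    recursion yes;
};"""

STMT = re.compile(r"([\w-]+)(?:\s+port\s+\d+)?\s*(?:\{([^{}]*)\}|([^;{}]+))\s*;")

def parse_options(conf):
    """Return {statement: [values]} for the options block (flat ACLs only)."""
    conf = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", conf, flags=re.S)
    start = re.search(r"\boptions\s*\{", conf)
    if not start:
        return {}
    depth, end = 1, start.end()
    while end < len(conf) and depth:      # walk to the brace closing options
        depth += {"{": 1, "}": -1}.get(conf[end], 0)
        end += 1
    opts = {}
    for m in STMT.finditer(conf[start.end():end - 1]):
        name, acl, scalar = m.groups()
        opts[name] = [scalar.strip()] if acl is None else [v.strip() for v in acl.split(";") if v.strip()]
    return opts

def effective_recursion_acl(opts):
    """ACL that governs recursion, or None when recursion is switched off."""
    if opts.get("recursion", ["yes"]) == ["no"]:
        return None
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:                   # assumed fallback order: BIND 9.4+
            return opts[key]
    return ["localnets", "localhost"]     # BIND 9.4+ default when nothing is set

def audit(conf):
    opts = parse_options(conf)
    rec = effective_recursion_acl(opts)
    findings = [] if "any" in opts.get("allow-query", ["any"]) else ["queries-restricted"]
    state = "authoritative-only" if rec is None else (
        "open-resolver" if "any" in rec else "recursion-restricted")
    return findings + [state]
```

Run audit() on the text of a named.conf; an "open-resolver" result means recursion is still enabled and not limited to networks you control.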
  #15  
Old 19th July 2010, 07:10
veuster veuster is offline
Member
 
Join Date: Jul 2010
Posts: 30
Thanks: 11
Thanked 0 Times in 0 Posts
Default nice explanation

Thanks a lot.
That explains everything that has happened.

I used CentOS 5.5 (32 bit) with ISPConfig 3.0.2.2 according to this guide by falko :

http://www.howtoforge.com/perfect-se...64-ispconfig-2

But I think almost all the guides still use a named.conf which points their queries to localhost or 127.0.0.1
Maybe they hope that we'll be able to change it according to our needs, but some people still don't know about this concept.
Thank you everyone!
Reply With Quote
  #16  
Old 19th July 2010, 13:35
falko falko is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701
Thanks: 1,900
Thanked 2,743 Times in 2,577 Posts
Default

Quote:
Originally Posted by veuster View Post
I used CentOS 5.5 (32 bit) with ISPConfig 3.0.2.2 according to this guide by falko :

http://www.howtoforge.com/perfect-se...64-ispconfig-2
This tutorial is for ISPConfig 2 and therefore incompatible with ISPConfig 3. For ISPConfig 3, you should've used this guide: http://www.howtoforge.com/perfect-se...64-ispconfig-3
__________________
Falko
Reply With Quote
  #17  
Old 19th July 2010, 17:02
qb7 qb7 is offline
Member
 
Join Date: Jul 2010
Posts: 50
Thanks: 12
Thanked 4 Times in 4 Posts
Default this is my named.conf now. Is run OK for internet request

Quote:
Originally Posted by falko View Post
This tutorial is for ISPConfig 2 and therefore incompatible with ISPConfig 3. For ISPConfig 3, you should've used this guide: http://www.howtoforge.com/perfect-se...64-ispconfig-3
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
        listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named/chroot/var/named";
        dump-file "/var/named/chroot/var/named/data/cache_dump.db";
        statistics-file "/var/named/chroot/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/chroot/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion no;
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.root";
};
include "/var/named/chroot/etc/named.conf.local";

This configuration runs OK for a little internet web server. Falko, is this a security problem? Is this a security hole?
My server runs CentOS 5.5 and the latest stable ISPConfig 3.
With the configuration from the guide http://www.howtoforge.com/perfect-se...64-ispconfig-3 it doesn't run OK for internet requests. It doesn't show the web pages. Why?

Last edited by qb7; 19th July 2010 at 17:06.
Reply With Quote
  #18  
Old 21st July 2010, 17:33
veuster veuster is offline
Member
 
Join Date: Jul 2010
Posts: 30
Thanks: 11
Thanked 0 Times in 0 Posts
 
Default wrong url

Sorry Falko, I posted the wrong URL; I really use ISPConfig 3.

This is the url:
http://www.howtoforge.com/perfect-se...64-ispconfig-3

But, as you can see the problem is still the same.
Do you think matty is right?

Do the listen-on port 53 and allow-query need to be set to { any; }?

I don't know, maybe you have the right answer.
Anyway, thanks.
Reply With Quote