Adding DNS Forwarders to ISPConfig

Discussion in 'Installation/Configuration' started by gavinlowle, Jun 14, 2011.

  1. gavinlowle

    gavinlowle New Member

    Hi,

    I have installed and configured ISPConfig 3 for the sole purpose of providing Bind DNS answers to my internal clients for internal zones. However, I need to add forwarding of DNS for non-authoritative zones/domains to the internet for resolution. I know I can manipulate bind to do this for me, but does this compromise the functionality of ISPConfig by doing this?

    I'm primarily using ISPConfig as a way to provide a GUI interface to Bind for non-CLI admins.

    If ISPConfig is not the 'kiddie' for the job, I'm open to suggestion...

    Thank you in advance.
    Gavin.
     
  2. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    You can modify the named.conf file, but don't modify the named.conf.local.
     
  3. gavinlowle

    gavinlowle New Member

    Hi Till,

    When I add the following to my /etc/bind/named.conf, my Bind DNS stops answering any queries. Any clues?

    options {
    forwarders { 8.8.8.8; 8.8.4.4; };
    };

    Cheers,
    Gavin.
     
  4. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Please check the syslog or messages log file for errors.
     
  5. gavinlowle

    gavinlowle New Member

    With forwarders enabled, I get nothing: I don't see errors and DNS doesn't function; clients just get DNS request timeouts.

    Without forwarders, local DNS queries are fine, but internet bound queries are greeted with (in /var/log/syslog)

    client ip.add.re.ss. query (cache) 'bbc.co.uk/A/IN' denied

    Which I would expect as forwarders are not enabled.
     
  6. gavinlowle

    gavinlowle New Member

    Hi,
    This is the output I see when forwarders are enabled in my /etc/bind/named.conf file

    Extract from named.conf
    -----------------------------
    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
    options {
    forwarders { 8.8.8.8; 8.8.4.4; };
    };

    Tail of log
    ------------------------------
    Jul 1 12:11:01 s1-ns0-int named[4734]: adjusted limit on open files from 4096 to 1048576
    Jul 1 12:11:01 s1-ns0-int named[4734]: found 1 CPU, using 1 worker thread
    Jul 1 12:11:01 s1-ns0-int named[4734]: using up to 4096 sockets
    Jul 1 12:11:01 s1-ns0-int named[4734]: loading configuration from '/etc/bind/named.conf'
    Jul 1 12:11:01 s1-ns0-int named[4734]: /etc/bind/named.conf:12: 'options' redefined near 'options'
    Jul 1 12:11:01 s1-ns0-int named[4734]: loading configuration: already exists
    Jul 1 12:11:01 s1-ns0-int named[4734]: exiting (due to fatal error)
     
  7. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    The named options are defined in the file /etc/bind/named.conf.options. So remove the options part that you added in the named.conf file and edit /etc/bind/named.conf.options instead; add or edit the forwarders line in that file inside the existing options part.
     
  8. gavinlowle

    gavinlowle New Member

    OK, with that done BIND loads cleanly again, however forwarded queries are dumped with

    /ispconfig/cron.log)
    Jul 1 12:41:03 s1-ns0-int named[3107]: client 10.1.20.1#49339: query (cache) 'google.com/A/IN' denied
     
  9. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Please post the content of the file /etc/bind/named.conf.options and the complete named.conf file.
     
  10. gavinlowle

    gavinlowle New Member

    /etc/bind/named.conf
    -------------------------
    // This is the primary configuration file for the BIND DNS server named.
    //
    // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
    // structure of BIND configuration files in Debian, *BEFORE* you customize
    // this configuration file.
    //
    // If you are just adding zones, please do that in /etc/bind/named.conf.local

    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
    //options {
    //forwarders { 8.8.8.8; 8.8.4.4; };
    //};

    /etc/bind/named.conf.options
    ----------------------------------

    options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
    8.8.8.8;8.8.4.4;
    };

    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
    };
     
  11. gavinlowle

    gavinlowle New Member

    Any idea Till?
     
  12. gavinlowle

    gavinlowle New Member

    Hi Till,
    You have been very helpful so far, so much so that I took the time to invest in the ISPConfig manual in the hope that maybe I could glean my answers there. Unfortunately I cannot answer my outstanding query using the manual. I would be very appreciative if you could review my outstanding query regarding the forwarders.
    Thank you in advance,
    Gavin.
     
  13. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    My guess is that there's already another options {} section somewhere else in your configuration, and that you should have defined forwarders {} there.
     
  14. gavinlowle

    gavinlowle New Member

    Thanks for the reply Falko, but I fail to see where this other options section that you refer to could be.

    I have purely followed the guide for building the perfect server on Ubuntu 11.04 and configured Bind for ISPConfig3, then tried to enable forwarders, nothing more.

    *Any* other clues or hints on where you think this might be would be very useful. Sadly I'm on the brink of ditching ISPConfig in favour of Bind & Webmin for my Admins, for the want of a small problem.

    Gavin.
     
  15. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Did you check all files that are included in /etc/bind/named.conf?

    If you use a chrooted BIND, there might be another named.conf that you have to look at (run
    Code:
    updatedb
    locate named.conf
    to find it).
     
  16. gavinlowle

    gavinlowle New Member

    Hi Falko,

    Sorry for the tardy response to your follow up, other things took over and I'm only now revisiting this one.

    I still have a problem here with this which I cannot resolve.

    I followed your advice regarding 'updatedb' and 'locate' to find other instances of named.conf, and there are no other instances; also, bind is not chrooted.

    So a little recap:
    My client machine (M$7) can query ISPConfig3 (Ubuntu 11.04, installed following the perfect server guide) for authoritative domains configured on the ISPConfig. If I query a non-authoritative domain, e.g. www.bbc.co.uk, my Win7 machine just gets Query Refused and a tail of /var/log/syslog shows

    Code:
    Sep 22 18:21:44 s1-ns0-int named[1512]: client 10.1.20.1#57759: query (cache) 'bbc.co.uk/A/IN' denied
    Sep 22 18:21:44 s1-ns0-int named[1512]: client 10.1.20.1#57760: query (cache) 'bbc.co.uk/AAAA/IN' denied
    This is example output from my desktop querying the ISPConfig, both an internal resource (my desktop) and then www.bbc.co.uk.

    Code:
    C:\Users\GLowle>dig glowle.pageone.co.uk
    
    ; <<>> DiG 9.8.1b1 <<>> glowle.pageone.co.uk
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26014
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
    ;; WARNING: recursion requested but not available
    
    ;; QUESTION SECTION:
    ;glowle.pageone.co.uk.          IN      A
    
    ;; ANSWER SECTION:
    glowle.pageone.co.uk.   86400   IN      A       10.1.20.1
    
    ;; AUTHORITY SECTION:
    pageone.co.uk.          86400   IN      NS      ns0-int.pageone.co.uk.
    pageone.co.uk.          86400   IN      NS      ns1-int.pageone.co.uk.
    
    ;; ADDITIONAL SECTION:
    ns0-int.pageone.co.uk.  86400   IN      A       192.168.103.100
    ns1-int.pageone.co.uk.  86400   IN      A       192.168.103.101
    
    ;; Query time: 4 msec
    ;; SERVER: 192.168.103.100#53(192.168.103.100)
    ;; WHEN: Thu Sep 22 18:33:10 2011
    ;; MSG SIZE  rcvd: 130
    
    
    C:\Users\GLowle>dig www.bbc.co.uk
    
    ; <<>> DiG 9.8.1b1 <<>> www.bbc.co.uk
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 14178
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    
    ;; QUESTION SECTION:
    ;www.bbc.co.uk.                 IN      A
    
    ;; Query time: 3 msec
    ;; SERVER: 192.168.103.100#53(192.168.103.100)
    ;; WHEN: Thu Sep 22 18:33:21 2011
    ;; MSG SIZE  rcvd: 31
    
    
    C:\Users\GLowle>
    This is my locate

    Code:
    toor@s1-ns0-int:~$ locate named.conf
    /etc/bind/named.conf
    /etc/bind/named.conf.default-zones
    /etc/bind/named.conf.local
    /etc/bind/named.conf.options
    /usr/share/man/man5/named.conf.5.gz
    This is my named.conf

    Code:
    toor@s1-ns0-int:~$ cat /etc/bind/named.conf
    // This is the primary configuration file for the BIND DNS server named.
    //
    // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
    // structure of BIND configuration files in Debian, *BEFORE* you customize
    // this configuration file.
    //
    // If you are just adding zones, please do that in /etc/bind/named.conf.local
    
    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
    //options {
    //forwarders { 8.8.8.8; 8.8.4.4; };
    //};
    This is my named.conf.local

    Code:
    toor@s1-ns0-int:~$ cat /etc/bind/named.conf.local
    zone "pageone.co.uk" {
            type master;
            allow-transfer {none;};
            file "/etc/bind/pri.pageone.co.uk";
    };
    zone "103.168.192.in-addr.arpa" {
            type master;
            allow-transfer {none;};
            file "/etc/bind/pri.103.168.192.in-addr.arpa";
    };
    zone "1.1.10.in-addr.arpa" {
            type master;
            allow-transfer {none;};
            file "/etc/bind/pri.1.1.10.in-addr.arpa";
    };
    zone "20.1.10.in-addr.arpa" {
            type master;
            allow-transfer {none;};
            file "/etc/bind/pri.20.1.10.in-addr.arpa";
    };
    zone "paging.org.uk" {
            type master;
            allow-transfer {none;};
            file "/etc/bind/pri.paging.org.uk";
    };
    zone "203.168.192.in-addr.arpa" {
            type master;
            allow-transfer {none;};
            file "/etc/bind/pri.203.168.192.in-addr.arpa";
    };
    zone "128.20.172.in-addr.arpa" {
            type master;
            allow-transfer {none;};
            file "/etc/bind/pri.128.20.172.in-addr.arpa";
    };
    zone "129.20.172.in-addr.arpa" {
            type master;
            allow-transfer {none;};
            file "/etc/bind/pri.129.20.172.in-addr.arpa";
    };
    zone "128.30.172.in-addr.arpa" {
            type master;
            allow-transfer {none;};
            file "/etc/bind/pri.128.30.172.in-addr.arpa";
    };
    zone "98.1.10.in-addr.arpa" {
            type master;
            allow-transfer {none;};
            file "/etc/bind/pri.98.1.10.in-addr.arpa";
    };
    zone "60.1.10.in-addr.arpa" {
            type master;
            allow-transfer {none;};
            file "/etc/bind/pri.60.1.10.in-addr.arpa";
    };
    zone "200.168.192.in-addr.arpa" {
            type master;
            allow-transfer {none;};
            file "/etc/bind/pri.200.168.192.in-addr.arpa";
    };
    zone "143.168.192.in-addr.arpa" {
            type master;
            allow-transfer {none;};
            file "/etc/bind/pri.143.168.192.in-addr.arpa";
    };
    This is my named.conf.options

    Code:
    toor@s1-ns0-int:~$ cat /etc/bind/named.conf.options
    options {
            directory "/var/cache/bind";
    
            // If there is a firewall between you and nameservers you want
            // to talk to, you may need to fix the firewall to allow multiple
            // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
    
            // If your ISP provided one or more IP addresses for stable
            // nameservers, you probably want to use them as forwarders.
            // Uncomment the following block, and insert the addresses replacing
            // the all-0's placeholder.
    
    forwarders {
            8.8.8.8;8.8.4.4;
    };
    
            auth-nxdomain no;    # conform to RFC1035
            listen-on-v6 { any; };
    };
    I can quite happily perform non-authoritative lookups directly on the ISPConfig host though:

    Code:
    toor@s1-ns0-int:~$ dig www.bbc.co.uk
    
    ; <<>> DiG 9.7.3 <<>> www.bbc.co.uk
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28664
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;www.bbc.co.uk.                 IN      A
    
    ;; ANSWER SECTION:
    www.bbc.co.uk.          90      IN      CNAME   www.bbc.net.uk.
    www.bbc.net.uk.         89      IN      A       212.58.246.94
    
    ;; AUTHORITY SECTION:
    .                       74919   IN      NS      m.root-servers.net.
    .                       74919   IN      NS      k.root-servers.net.
    .                       74919   IN      NS      c.root-servers.net.
    .                       74919   IN      NS      d.root-servers.net.
    .                       74919   IN      NS      f.root-servers.net.
    .                       74919   IN      NS      e.root-servers.net.
    .                       74919   IN      NS      b.root-servers.net.
    .                       74919   IN      NS      j.root-servers.net.
    .                       74919   IN      NS      l.root-servers.net.
    .                       74919   IN      NS      g.root-servers.net.
    .                       74919   IN      NS      a.root-servers.net.
    .                       74919   IN      NS      i.root-servers.net.
    .                       74919   IN      NS      h.root-servers.net.
    
    ;; Query time: 49 msec
    ;; SERVER: 192.168.103.100#53(192.168.103.100)
    ;; WHEN: Thu Sep 22 18:30:48 2011
    ;; MSG SIZE  rcvd: 284
    So, it's just my inbound client queries that get refused.

    If you need any other information please let me know.

    Kind regards,
    Gavin.
     
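A named.conf.options that covers both problems raised in this thread (the 'options' redefined error from post 6, where forwarders must live inside the single existing options block, and the REFUSED answers from post 16), as an added example that is not the poster's file and not part of ISPConfig. The missing `ra` flag in the client's dig output and the `query (cache) ... denied` log lines mean BIND refused recursion for 10.1.20.1: BIND 9 allows recursion only from localhost and localnets by default, which is why the lookup from the server itself (192.168.103.100) works but the client on 10.1.20.0/24 does not. The `internal` ACL name and its prefixes are assumptions drawn from the reverse zones listed in named.conf.local.

```conf
// /etc/bind/named.conf.options (added example, not the thread's file).
// The ACL name and prefixes are assumptions; list your real internal ranges.
// The acl must be defined before it is referenced, and named.conf includes
// this file first, so defining it here works.
acl "internal" {
        127.0.0.0/8;
        ::1/128;
        192.168.103.0/24;   // the server's own subnet (localnets already)
        10.1.20.0/24;       // subnet of the client that was refused (10.1.20.1)
        10.1.1.0/24;        // add the remaining internal subnets here
};

options {
        directory "/var/cache/bind";

        // Forwarders go inside this one options block; a second
        // "options {}" anywhere (e.g. in named.conf) is a fatal error.
        // "forward only" stops BIND walking the roots itself when the
        // forwarders fail; omit it to keep the default "forward first".
        forwarders { 8.8.8.8; 8.8.4.4; };
        forward only;

        // This is what the thread's configuration lacked. Without an
        // explicit allow-recursion, only localhost/localnets may recurse,
        // so 10.1.20.1 got REFUSED. Do not widen this to { any; }: that
        // turns the host into an open resolver usable for reflection.
        recursion yes;
        allow-recursion { internal; };
        allow-query-cache { internal; };

        // The ISPConfig-managed authoritative zones in named.conf.local
        // can still be answered for any client, as an authoritative
        // server should.
        allow-query { any; };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
```

Run `named-checkconf` before reloading to catch syntax errors, then `rndc reload`; a `dig www.bbc.co.uk` from the client should afterwards show `ra` in the flags and status NOERROR.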
  17. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer
