Bind & FORMERR resolving domain

[NeMeM9aA]

Mam problem u ktereho nedokazu vygooglit reseni. To samo o sobe je celkem zajimave.

Popis:

Na lokalni siti jsem si zaridil dns pomoci prg. bind na gentoo.
Postupoval jsem v zasade dle tohoto HowTo.

konfiguracni soubor:

Kód:

cat /etc/bind/named.conf
options {
        directory "/var/bind";

        // uncomment the following lines to turn on DNS forwarding,
        // and change the forwarding ip address(es) :
        //forward first;
        forwarders {
        77.48.254.254;
        77.48.100.254;
        212.24.128.8;
        };
        statistics-file "/var/bind/named.stats"; // stats are your friend
        dump-file "/var/bind/named.dump";
        zone-statistics yes;
        //};

        listen-on-v6 { none; };
        listen-on { 127.0.0.1;
                    192.168.1.50;
        };

        // to allow only specific hosts to use the DNS server:
        //allow-query {
        //      127.0.0.1;
        //};

        // if you have problems and are behind a firewall:
        //query-source address * port 53;
        pid-file "/var/run/named/named.pid";
};





logging {

channel default_file { file "/var/log/bind/default.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel general_file { file "/var/log/bind/general.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel database_file { file "/var/log/bind/database.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel security_file { file "/var/log/bind/security.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel config_file { file "/var/log/bind/config.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel resolver_file { file "/var/log/bind/resolver.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel xfer-in_file { file "/var/log/bind/xfer-in.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel xfer-out_file { file "/var/log/bind/xfer-out.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel notify_file { file "/var/log/bind/notify.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel client_file { file "/var/log/bind/client.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel unmatched_file { file "/var/log/bind/unmatched.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel queries_file { file "/var/log/bind/queries.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel network_file { file "/var/log/bind/network.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel update_file { file "/var/log/bind/update.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel dispatch_file { file "/var/log/bind/dispatch.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel dnssec_file { file "/var/log/bind/dnssec.log" versions 3 size 5m; severity dynamic; print-time yes; };
channel lame-servers_file { file "/var/log/bind/lame-servers.log" versions 3 size 5m; severity dynamic; print-time yes; };

category default { default_file; };
category general { general_file; };
category database { database_file; };
category security { security_file; };
category config { config_file; };
category resolver { resolver_file; };
category xfer-in { xfer-in_file; };
category xfer-out { xfer-out_file; };
category notify { notify_file; };
category client { client_file; };
category unmatched { unmatched_file; };
category queries { queries_file; };
category network { network_file; };
category update { update_file; };
category dispatch { dispatch_file; };
category dnssec { dnssec_file; };
category lame-servers { lame-servers_file; };

                                                                    };


// Briefly, a zone which has been declared delegation-only will be effectively
// limited to containing NS RRs for subdomains, but no actual data beyond its
// own apex (for example, its SOA RR and apex NS RRset). This can be used to
// filter out "wildcard" or "synthesized" data from NAT boxes or from
// authoritative name servers whose undelegated (in-zone) data is of no
// interest.
// See http://www.isc.org/products/BIND/delegation-only.html for more info

//zone "COM" { type delegation-only; };
//zone "NET" { type delegation-only; };

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        allow-update { none; };
        notify no;
};

zone "127.in-addr.arpa" IN {
        type master;
        file "pri/127.zone";
        allow-update { none; };
        notify no;
};
zone "gj" {
        type master;
        file "gj.named";
        };
zone "1.168.192.in-addr.arpa" {
        type master;
        file "gj.rev";
        };

Ted k problemu: resolving na lokale beha tak jak predpokladano. Stejne tak i valna vetsina internetu. Ovsem nektere adresy mi neni schopen prelozit. Napr. www.phoenix.cz obcas taktez www.google.com nebo microsoft.com - ale to jen obcas. Tech adres je vicero. V logu to vypada takto:

Kód:

 cat /var/log/bind/lame-servers.log |tail -60
14-Feb-2008 13:37:04.449 FORMERR resolving 'www.microsoft.com/A/IN': 77.48.100.254#53
14-Feb-2008 13:37:04.758 FORMERR resolving 'www.microsoft.com/A/IN': 77.48.254.254#53
14-Feb-2008 13:37:04.932 FORMERR resolving 'www.microsoft.com/A/IN': 212.24.128.8#53
14-Feb-2008 13:37:05.128 FORMERR resolving 'www.microsoft.com/A/IN': 198.32.64.12#53
14-Feb-2008 13:37:05.206 FORMERR resolving 'www.microsoft.com/A/IN': 192.36.148.17#53
14-Feb-2008 13:37:05.217 FORMERR resolving 'www.microsoft.com/A/IN': 193.0.14.129#53
14-Feb-2008 13:37:05.225 FORMERR resolving 'www.microsoft.com/A/IN': 192.112.36.4#53
14-Feb-2008 13:37:05.237 FORMERR resolving 'www.microsoft.com/A/IN': 128.63.2.53#53
14-Feb-2008 13:37:05.248 FORMERR resolving 'www.microsoft.com/A/IN': 198.41.0.4#53
14-Feb-2008 13:37:05.266 FORMERR resolving 'www.microsoft.com/A/IN': 128.8.10.90#53
14-Feb-2008 13:37:05.285 FORMERR resolving 'www.microsoft.com/A/IN': 192.5.5.241#53
14-Feb-2008 13:37:05.298 FORMERR resolving 'www.microsoft.com/A/IN': 192.228.79.201#53
14-Feb-2008 13:37:05.308 FORMERR resolving 'www.microsoft.com/A/IN': 202.12.27.33#53
14-Feb-2008 13:37:05.318 FORMERR resolving 'www.microsoft.com/A/IN': 192.58.128.30#53
14-Feb-2008 13:37:05.328 FORMERR resolving 'www.microsoft.com/A/IN': 192.33.4.12#53
14-Feb-2008 13:37:05.347 FORMERR resolving 'www.microsoft.com/A/IN': 192.203.230.10#53
14-Feb-2008 13:37:53.345 FORMERR resolving 'windowsupdate.microsoft.com/A/IN': 77.48.100.254#53
14-Feb-2008 13:37:53.578 FORMERR resolving 'windowsupdate.microsoft.com/A/IN': 212.24.128.8#53
14-Feb-2008 13:37:55.812 FORMERR resolving 'windowsupdate.microsoft.com/A/IN': 193.0.14.129#53
14-Feb-2008 13:37:55.947 FORMERR resolving 'windowsupdate.microsoft.com/A/IN': 192.112.36.4#53
14-Feb-2008 13:37:57.955 FORMERR resolving 'windowsupdate.microsoft.com/A/IN': 192.36.148.17#53
14-Feb-2008 13:37:57.962 FORMERR resolving 'windowsupdate.microsoft.com/A/IN': 198.41.0.4#53
14-Feb-2008 13:37:57.970 FORMERR resolving 'windowsupdate.microsoft.com/A/IN': 198.32.64.12#53
14-Feb-2008 13:37:57.978 FORMERR resolving 'windowsupdate.microsoft.com/A/IN': 192.5.5.241#53
14-Feb-2008 13:37:57.991 FORMERR resolving 'windowsupdate.microsoft.com/A/IN': 128.8.10.90#53
14-Feb-2008 13:37:58.001 FORMERR resolving 'windowsupdate.microsoft.com/A/IN': 202.12.27.33#53
14-Feb-2008 13:37:58.014 FORMERR resolving 'windowsupdate.microsoft.com/A/IN': 192.228.79.201#53
14-Feb-2008 13:37:58.026 FORMERR resolving 'windowsupdate.microsoft.com/A/IN': 192.58.128.30#53
14-Feb-2008 13:37:58.034 FORMERR resolving 'windowsupdate.microsoft.com/A/IN': 192.33.4.12#53
14-Feb-2008 13:37:58.044 FORMERR resolving 'windowsupdate.microsoft.com/A/IN': 192.203.230.10#53
14-Feb-2008 13:37:58.050 FORMERR resolving 'windowsupdate.microsoft.com/A/IN': 77.48.254.254#53
14-Feb-2008 13:37:58.056 FORMERR resolving 'windowsupdate.microsoft.com/A/IN': 128.63.2.53#53
14-Feb-2008 13:38:50.238 FORMERR resolving 'edge.quantserve.com/A/IN': 77.48.254.254#53
14-Feb-2008 13:38:50.393 FORMERR resolving 'edge.quantserve.com/A/IN': 212.24.128.8#53
14-Feb-2008 13:38:50.436 FORMERR resolving 'edge.quantserve.com/A/IN': 77.48.100.254#53
14-Feb-2008 13:38:53.664 FORMERR resolving 'edge.quantserve.com/A/IN': 192.36.148.17#53
14-Feb-2008 13:38:54.213 FORMERR resolving 'edge.quantserve.com/A/IN': 198.41.0.4#53
14-Feb-2008 13:38:54.471 FORMERR resolving 'edge.quantserve.com/A/IN': 192.5.5.241#53
14-Feb-2008 13:38:54.509 FORMERR resolving 'edge.quantserve.com/A/IN': 128.8.10.90#53
14-Feb-2008 13:38:54.553 FORMERR resolving 'edge.quantserve.com/A/IN': 202.12.27.33#53
14-Feb-2008 13:38:54.596 FORMERR resolving 'edge.quantserve.com/A/IN': 192.228.79.201#53
14-Feb-2008 13:38:54.652 FORMERR resolving 'edge.quantserve.com/A/IN': 192.58.128.30#53
14-Feb-2008 13:38:54.693 FORMERR resolving 'edge.quantserve.com/A/IN': 192.112.36.4#53
14-Feb-2008 13:38:54.728 FORMERR resolving 'edge.quantserve.com/A/IN': 192.33.4.12#53
14-Feb-2008 13:38:55.041 FORMERR resolving 'edge.quantserve.com/A/IN': 192.203.230.10#53
14-Feb-2008 13:38:55.368 FORMERR resolving 'edge.quantserve.com/A/IN': 193.0.14.129#53
14-Feb-2008 13:38:57.441 FORMERR resolving 'edge.quantserve.com/A/IN': 198.32.64.12#53

V dusledku tudiz se dane stranky nenactou v prohlizeci apod. Pokud se ale polozi dotaz nadrazenemu dns - napr. 77.48.254.254 - tak neni problem a IP adresa je zjistena ihned.

[Rainbow]

Zrus forwarders, nech to resolvuje priamo ten BIND.

[NeMeM9aA]

Ok. Tohle vypada, ze to pomohlo.

Ovsem nechapu proc. Odkud vubec pozna kam preposilat dotazy, na ktere nezna odpoved? Z /etc/resolv.conf? Tam mam uvedene stejne IP jako ve forwarders a jako prvni je IP adresa diskutovaneho stroje. V cem je potom rozdil, zejmena pokud je zakomentovany radek "forward first;"?

edit: tak to nefunguje. Funguji sice vyse zminene adresy, ale zase nefunguje www.shorewall.net (reloadnul jsem taby co mam ve firefoxu - cca 50 adres a jen jedna nefunguje)

[Rainbow]

BIND ma IP adresy root DNS serverov (subor named.ca v tvojom konfiguraku). Od nich sa dozvie podla potreby IP adresy serverov pre tld a tak dalej.
Ked mas funkcny BIND na localhoste, tak do /etc/resolv.conf nastav nameserver 127.0.0.1.
Musi fungovat vsetko, aj ten shorewall.

[NeMeM9aA]

Vida - moje znalosti jsou pomerne dost omezene. Kazdopadne shorewall.net momentalne nefunguje. A uz zase nefunguje microsoft.com (pred hodinou jeste fungoval). Zbytek funguje. Opravdu netusim, kde jsem co zvoral.

Kód:

.....
14-Feb-2008 18:42:26.521 FORMERR resolving 'www.shorewall.net/A/IN': 128.63.2.53#53
14-Feb-2008 18:42:26.547 FORMERR resolving 'www.shorewall.net/A/IN': 192.33.4.12#53
14-Feb-2008 18:42:26.571 FORMERR resolving 'www.shorewall.net/A/IN': 192.228.79.201#53
14-Feb-2008 18:42:28.623 FORMERR resolving 'www.shorewall.net/A/IN': 192.36.148.17#53
14-Feb-2008 18:42:28.665 FORMERR resolving 'www.shorewall.net/A/IN': 202.12.27.33#53
14-Feb-2008 18:42:28.760 FORMERR resolving 'www.shorewall.net/A/IN': 192.58.128.30#53
14-Feb-2008 18:42:28.860 FORMERR resolving 'www.shorewall.net/A/IN': 193.0.14.129#53
14-Feb-2008 18:42:30.904 FORMERR resolving 'www.shorewall.net/A/IN': 192.5.5.241#53
14-Feb-2008 18:42:30.934 FORMERR resolving 'www.shorewall.net/A/IN': 192.112.36.4#53
14-Feb-2008 18:42:30.966 FORMERR resolving 'www.shorewall.net/A/IN': 128.8.10.90#53
14-Feb-2008 18:42:31.005 FORMERR resolving 'www.shorewall.net/A/IN': 198.32.64.12#53
14-Feb-2008 18:42:31.042 FORMERR resolving 'www.shorewall.net/A/IN': 198.41.0.4#53
14-Feb-2008 18:43:36.856 FORMERR resolving 'www.microsoft.com/A/IN': 77.48.100.254#53
14-Feb-2008 18:43:38.878 FORMERR resolving 'www.microsoft.com/A/IN': 77.48.254.254#53
14-Feb-2008 18:43:38.902 FORMERR resolving 'www.microsoft.com/A/IN': 192.228.79.201#53
14-Feb-2008 18:43:38.916 FORMERR resolving 'www.microsoft.com/A/IN': 192.33.4.12#53
14-Feb-2008 18:43:38.931 FORMERR resolving 'www.microsoft.com/A/IN': 192.112.36.4#53
14-Feb-2008 18:43:38.945 FORMERR resolving 'www.microsoft.com/A/IN': 192.5.5.241#53
14-Feb-2008 18:43:38.953 FORMERR resolving 'www.microsoft.com/A/IN': 192.203.230.10#53
14-Feb-2008 18:43:38.970 FORMERR resolving 'www.microsoft.com/A/IN': 202.12.27.33#53
14-Feb-2008 18:43:38.983 FORMERR resolving 'www.microsoft.com/A/IN': 192.36.148.17#53
14-Feb-2008 18:43:38.991 FORMERR resolving 'www.microsoft.com/A/IN': 128.63.2.53#53
14-Feb-2008 18:43:39.012 FORMERR resolving 'www.microsoft.com/A/IN': 128.8.10.90#53
....

edit:

jeste abych doplnil : konkretne se jedna o verzi bindu 9.3.4-r2 na 2.6.22-gentoo-r5.

Verze bude ovsem asi nepodstatna, protoze uz me to dela delsi dobu, akorat jsem to neresil. Tusim, ze jsem mel stejny problem uz na slackwaru 10. Zkousel jsem zakomentovat zone "gj" vcetne jeji reverzni casti a stejny problem. Nechapu, kde jsem mohl vyprodukovat takhle podivne a nevyzpytatelne chovani.

edit2: upgrade na bind-9.4.1_p1 nepomohl. Chova se to stejne.

[Rainbow]

Mne ten 9.4.1_p1 funguje. Ale nemam v konfiguraku ten bordel okolo logovania - skus to vsetko zakomentovat.