I do this (which should get you started!):
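// *** EXTERNAL VIEW ***
// Views are tried in the order they appear in named.conf and the first
// view whose match-clients matches the client is used. With a bare `any;`
// here and this view declared before "internal-in", every client (LAN
// hosts included) would land in this non-recursive view and the internal
// view would never be selected. Excluding internalnet explicitly makes the
// split correct regardless of view order. `internalnet` must be an acl
// declared before this view (the acl definitions appear earlier in the
// thread: 127.0.0.1 and 192.168.1.0/24).
view "external-in" in {
    match-clients {
        !internalnet;
        any;
    };
    // Public-facing: no recursion and no additional-section data from
    // authoritative or cached sources, so this view cannot be used as an
    // open resolver.
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
    // HINT
    // Root hints are only consulted when recursing; with `recursion no`
    // this zone is unused in this view and could be dropped. Left in place
    // to keep the change minimal.
    zone "." {
        type hint;
        file "root.hints";
    };
    // FORWARDS
    zone "localhost" {
        type master;
        file "ex.addr/localhost";
        allow-query{
            any;
        };
    };
    // REVERSES
    // No allow-query on this zone, so it inherits the options-level
    // allow-query (presumably `mynet` if the options from earlier in the
    // thread were adopted -- confirm), i.e. external clients are refused
    // for it.
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "ex.rev/127.0.0";
    };
};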
/////////////////////////////////////////////
// *** INTERNAL VIEW ***
// NOTE(review): this view is declared after "external-in", whose
// match-clients is `any;`. BIND uses the first view whose match-clients
// matches the client, so as listed this view is never reached; either
// declare it first or exclude internalnet in the external view.
// NOTE(review): the closing `};` of this view is missing from the listing
// as pasted (the last `};` below closes the 1.168.192 zone) -- confirm
// against the actual file.
view "internal-in" in {
// `internalnet` is the acl from earlier in the thread (127.0.0.1 and
// 192.168.1.0/24); it must be declared before this view.
match-clients {
internalnet;
};
// Recursive service for LAN clients only; match-clients above is what
// keeps this from being an open resolver.
recursion yes;
additional-from-auth yes;
additional-from-cache yes;
// HINTS
zone "." {
type hint;
file "root.hints";
};
// FORWARDS
zone "localhost" {
type master;
file "in.addr/localhost";
allow-query{
any;
};
};
zone "home.domain.com" {
type master;
file "in.addr/home.domain.com";
allow-query{
any;
};
};
// REVERSES
// No allow-query on this zone: it inherits the options-level allow-query.
zone "0.0.127.in-addr.arpa" {
type master;
file "in.rev/127.0.0";
};
zone "1.168.192.in-addr.arpa" {
type master;
file "in.rev/192.168.1";
allow-query{
any;
};
};
James wrote:
> Thanks Marc, this worked.
>
> Now I need to setup acl sets for the internal and external network.
>
>
> On Thu, Jul 3, 2008 at 10:46 AM, Marc Skinner <marc at e-skinner.net
> <mailto:marc at e-skinner.net>> wrote:
>
> Might want to try this:
>
> acl bogusnets { 0.0.0.0/8 <http://0.0.0.0/8>;
> 169.254.0.0/16 <http://169.254.0.0/16>;
> 224.0.0.0/3 <http://224.0.0.0/3>;
> };
>
> acl internalnet {
> 127.0.0.1 <http://127.0.0.1/>;
> 192.168.1.0/24 <http://192.168.1.0/24>;
> };
>
> acl mynet {
> 127.0.0.1 <http://127.0.0.1/>;
> 192.168.1.0/24 <http://192.168.1.0/24>;
> };
>
> acl thisdns {
> 127.0.0.1 <http://127.0.0.1/>;
> 192.168.1.whatever your DNS server is;
> };
>
>
>
> in options section:
>
>
> allow-notify {
> mynet;
> };
> allow-query {
> mynet;
> };
> allow-recursion {
> mynet;
> };
> blackhole {
> bogusnets;
> };
> listen-on {
> thisdns;
> };
> listen-on-v6 {
> none;
> };
> query-source address * port 53;
> version "!BIND!";
>
>
>
>
>
>
>
>
>
>
> James wrote:
>
> Howdy,
> I have Fedora 9 installed and would like to use it as the DNS
> system in the house.
> The setup is as follows
> options {
> listen-on port 53 { 127.0.0.1 <http://127.0.0.1/>
> <http://127.0.0.1 <http://127.0.0.1/>>; };
>
> listen-on-v6 port 53 { ::1; };
> directory "/var/named";
> dump-file "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
> allow-query { localhost; };
> recursion yes;
> forwarders {
> 68.87.77.130 <http://68.87.77.130/>
> <http://68.87.77.130 <http://68.87.77.130/>>;
> 68.87.72.130 <http://68.87.72.130/>
> <http://68.87.72.130 <http://68.87.72.130/>>;
>
> };
> };
> logging {
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> };
> };
> zone "." IN {
> type hint;
> file "named.ca <http://named.ca/> <http://named.ca
> <http://named.ca/>>";
>
> };
>
> include "/etc/named.rfc1912.zones";
> zone "home.local" {
> type master;
> file "/var/named/home.local.hosts";
> };
>
> zone "1.168.192.in-addr.arpa" {
> type master;
> file "1.168.192.in-addr.arpa.zone";
> allow-update { key "rndckey"; };
> notify yes;
> I have the files in /var/named set up and configured. From the
> DNS system I can type
> nslookup 43p and get the following
> [root at fc9 named]# vi /etc/named.conf
> [root at fc9 named]# nslookup 43p
> Server: 127.0.0.1 <http://127.0.0.1/>
> <http://127.0.0.1 <http://127.0.0.1/>>
> Address: 127.0.0.1#53 <http://127.0.0.1/#53>
> <http://127.0.0.1#53 <http://127.0.0.1/#53>>
> Name: 43p.home.local
> Address: 192.168.1.52 <http://192.168.1.52/>
> <http://192.168.1.52 <http://192.168.1.52/>>
>
> From a windows system I get the following
> C:\Users\dalan>nslookup 43p
> Server: UnKnown
> Address: 192.168.1.50:53 <http://192.168.1.50:53/>
> <http://192.168.1.50:53 <http://192.168.1.50:53/>>
>
> *** UnKnown can't find 43p: Query refused
> From the AIX system I get
> (43p-aix) [dalan] nslookup 43p
> *** Can't find server name for address 192.168.1.50:Query refused
> *** Default servers are not available
> (43p-aix) [dalan]
> I have shut off the firewall and SELinux on the Fedora
> system. I'm not sure why the Fedora system is
> blocking/refusing requests coming from other systems.
> I even put the following entries in iptables.
> SERVER_IP="192.168.1.50 <http://192.168.1.50/>
> <http://192.168.1.50 <http://192.168.1.50/>>"
>
> iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d
> $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0
> --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p udp -s 0/0 --sport 53 -d $SERVER_IP
> --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0
> --dport 53 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d
> $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 53 -d 0/0
> --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp -s 0/0 --sport 53 -d $SERVER_IP
> --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 53 -d 0/0
> --dport 53 -m state --state ESTABLISHED -j ACCEPT
> I still have the same effect.
> Running the following shows that the system is refusing the
> connection.
> /usr/sbin/tcpdump -X port 53
>
> [root at fc9 named]# /usr/sbin/tcpdump -X port 53
> tcpdump: verbose output suppressed, use -v or -vv for full
> protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size
> 96 bytes
> 21:39:38.512926 IP aix.sparish.local.52686 >
> fc9.sparish.local.domain: 46304+ PTR?
> 50.1.168.192.in-addr.arpa. (43)
> 0x0000: 4500 0047 ac22 0000 1e11 6ccd c0a8 0134
> E..G."....l....4
> 0x0010: c0a8 0132 cdce 0035 0033 7c2c b4e0 0100
> ...2...5.3|,....
> 0x0020: 0001 0000 0000 0000 0235 3001 3103 3136
> .........50.1.16
> 0x0030: 3803 3139 3207 696e 2d61 6464 7204 6172
> 8.192.in-addr.ar <http://8.192.in-addr.ar/>
> <http://8.192.in-addr.ar <http://8.192.in-addr.ar/>>
>
> 0x0040: 7061 0000 0c00 01 pa.....
> 21:39:38.519048 IP fc9.sparish.local.domain >
> aix.sparish.local.52686: 46304 Refused- 0/0/0 (43)
> 0x0000: 4500 0047 0000 4000 4011 b6ef c0a8 0132
> E..G.. at .@......2 <mailto:E..G..@ <mailto:E..G..@>. at ......2>
>
> 0x0010: c0a8 0134 0035 cdce 0033 fc26 b4e0 8105
> ...4.5...3.&....
> 0x0020: 0001 0000 0000 0000 0235 3001 3103 3136
> .........50.1.16
> 0x0030: 3803 3139 3207 696e 2d61 6464 7204 6172
> 8.192.in-addr.ar <http://8.192.in-addr.ar/>
> <http://8.192.in-addr.ar <http://8.192.in-addr.ar/>>
>
> 0x0040: 7061 0000 0c00 01 pa.....
> Any help would be welcome
> Thanks