Bind DNS server

Lame server resolving

I have been getting a lot of these “lame server resolving” floods. From my research these are when someone is trying to do DNS lookups on IPs etc. that are not set up correctly with DNS. Is there a way to restrict DNS lookups to the IPs on my box only so these types of floods do not occur?

The error messages you're seeing are harmless and not the result of an attack or anything like that. If you don't want to see them, add the following to your named.conf:

logging {
    category lame-servers {null;};
};

The problem is that your name server is trying to resolve a domain which has incorrectly configured name servers. Restricting your name server in the way you mentioned would prevent you from using your server to look up remote IP addresses. Unless your machine is configured (/etc/resolv.conf) to use an additional name server, you don't want to do this. You can, however, restrict outside machines from using your server to resolve domains for which your server is not authoritative.

To do this, add the following to your named.conf:

acl localip { 127.0.0.1; aaa.bbb.ccc.ddd; };
// replace aaa.bbb.ccc.ddd with your server's IP address.
// if you have multiple IP addresses, you should add them all, separated by semi-colons
options {
    allow-transfer {localip;};
    allow-recursion {localip;};
};
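As an added example (not code from the original page or from BIND itself), here is a small POSIX shell audit that reads a named.conf fragment and reports whether allow-recursion and allow-transfer in the global options block are restricted to an ACL or unrestricted, meaning set to any or absent (BIND 9 releases before 9.4 defaulted allow-recursion to any; newer ones default to localnets and localhost, so an absent directive is a prompt to make the policy explicit). The two sample configurations are constructed inline; 192.0.2.10 is a documentation address standing in for the server's own IP. Per-zone allow-transfer statements override the global one and are deliberately left out of this check.

```shell
#!/bin/sh
# Audit a named.conf fragment for unrestricted recursion and zone transfers.
# Added example, not code from the original page or from BIND itself.

# acl_of CONFIG DIRECTIVE
# Prints the address list of DIRECTIVE inside the global options block,
# comma-separated (e.g. "localip" or "127.0.0.1,192.0.2.10"), or nothing
# if the directive is absent there. Per-zone statements are ignored on
# purpose: only the global policy is audited.
acl_of() {
    sed 's#//.*$##' "$1" | tr '\n' ' ' | awk -v want="$2" '
    {
        gsub(/[{};]/, " & ")            # make braces and semicolons tokens
        depth = 0; inopts = 0; capture = 0; acl = ""
        for (i = 1; i <= NF; i++) {
            t = $i
            if (t == "{") { depth++; if (capture == 1) capture = 2; continue }
            if (t == "}") {
                depth--
                if (capture == 2) { print acl; exit }
                if (inopts && depth == 0) inopts = 0
                continue
            }
            if (t == ";") continue
            if (depth == 0 && t == "options") { inopts = 1; continue }
            if (inopts && depth == 1 && t == want) { capture = 1; continue }
            if (capture == 2) acl = (acl == "" ? t : acl "," t)
        }
    }'
}

# is_unrestricted CONFIG DIRECTIVE
# True when the directive is missing (the compiled-in default applies;
# BIND 9 before 9.4 defaulted allow-recursion to any) or set to "any".
is_unrestricted() {
    v="$(acl_of "$1" "$2")"
    [ -z "$v" ] || [ "$v" = "any" ]
}

# audit_named_conf CONFIG
# Prints one line per directive; returns 1 if anything is unrestricted.
audit_named_conf() {
    status=0
    for d in allow-recursion allow-transfer; do
        if is_unrestricted "$1" "$d"; then
            echo "$d: UNRESTRICTED (missing or any)"
            status=1
        else
            echo "$d: ok ($(acl_of "$1" "$d"))"
        fi
    done
    return $status
}

# Constructed sample configurations (not real servers). 192.0.2.10 is a
# documentation address standing in for the server's own IP.
WORK="$(mktemp -d)"
cat > "$WORK/open.conf" <<'EOF'
options {
    directory "/var/cache/bind";
    allow-recursion { any; };     // anyone may use this server as a resolver
};
EOF
cat > "$WORK/restricted.conf" <<'EOF'
acl localip { 127.0.0.1; 192.0.2.10; };
options {
    allow-transfer { localip; };
    allow-recursion { localip; };
};
zone "example.net" {
    type master;
    allow-transfer { any; };      // per-zone override, not audited here
    file "example.net";
};
EOF

audit_named_conf "$WORK/open.conf" || echo "open.conf: fix the options block"
audit_named_conf "$WORK/restricted.conf"
```

The first configuration reports both directives as unrestricted (recursion is any, transfers rely on the default), the second reports both as ok with the localip ACL. Run it against a real /etc/bind/named.conf.options after a change to confirm the ACL actually took effect; named-checkconf validates syntax but says nothing about policy.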

Dynamic DNS zones

To set up a dynamic zone in your DNS server, declare the zone in /etc/bind/named.conf.local, stating who is allowed to update it, who is allowed to do a zone transfer, and the name of the zone file:

zone "dyn.rigacci.org" {
    type master;
    allow-update { 127.0.0.1; };
    allow-transfer { 127.0.0.1; 217.19.150.6; 217.19.150.16; };
    file "dyn.rigacci.org";
    max-journal-size 150k;
};

A journal file, dyn.rigacci.org.jnl, will be created; it grows until it reaches max-journal-size. You can freeze the dynamic updates when you have to edit the zone file by hand; this also removes the journal file (its contents are written into the zone file first). After that, the thaw command is required to re-enable updates:

rndc freeze dyn.rigacci.org
rndc thaw dyn.rigacci.org

This is my script to remove all the journal files:

#!/bin/sh
# Purge the journal of dynamic DNS zones.
# Each zone is frozen (journal merged into the zone file and removed)
# and immediately thawed again so dynamic updates keep working.
 
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
find /var/cache/bind/ -type f -name "*.jnl" | while read -r LINE; do
    # zone name = journal file name without the .jnl suffix
    DOMAIN="$(basename "$LINE" | sed 's/\.jnl$//')"
    rndc freeze "$DOMAIN"
    rndc thaw "$DOMAIN"
done

The journal file will grow on the slave DNS server too, but the freeze command cannot be used there, because the server is not master for the zone:

rndc freeze dyn.rigacci.org
rndc: 'freeze' failed: not found

On the slave server we must use the retransfer command instead:

rndc retransfer dyn.rigacci.org
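The purge script above only covers the master case. As an added example (not code from the original page), the following POSIX shell version handles both roles: it tries rndc freeze followed by rndc thaw, and if freeze fails with the exact "rndc: 'freeze' failed: not found" message shown above it falls back to rndc retransfer; any other failure (for example the control channel being down) is reported and not retried. The RNDC variable is an assumption of this example so the control flow can be exercised against a stand-in for rndc without a running named; the default directory /var/cache/bind is the one used by the script above.

```shell
#!/bin/sh
# Purge the journal of a dynamic zone whatever this server's role is.
# Added example, not code from the original page. On the master,
# "rndc freeze" merges the journal into the zone file and deletes the .jnl,
# and "rndc thaw" re-enables dynamic updates; on a slave, freeze fails with
# "rndc: 'freeze' failed: not found" and a full "rndc retransfer" from the
# master is used instead.

# RNDC can be pointed at a wrapper (or shadowed by a shell function) so the
# control flow can be exercised without a running named (assumption of
# this example, not an rndc feature).
RNDC="${RNDC:-rndc}"

# purge_journal ZONE
# Prints the action taken ("frozen+thawed" or "retransferred") on success;
# returns 1 and reports on stderr if neither path worked.
purge_journal() {
    zone="$1"
    if out="$("$RNDC" freeze "$zone" 2>&1)"; then
        "$RNDC" thaw "$zone" || return 1
        echo "frozen+thawed"
        return 0
    fi
    case "$out" in
        *"'freeze' failed: not found"*)
            # Same message a slave copy gives (see above). A zone that does
            # not exist at all gives it too; then retransfer fails as well
            # and the error status is passed on to the caller.
            "$RNDC" retransfer "$zone" || return 1
            echo "retransferred"
            return 0 ;;
        *)
            # e.g. control channel unreachable: do not guess, report it
            echo "$zone: freeze failed: $out" >&2
            return 1 ;;
    esac
}

# purge_all_journals [DIR]
# Walks the journal files under the BIND cache directory (default
# /var/cache/bind, as in the script above) and purges each zone.
purge_all_journals() {
    dir="${1:-/var/cache/bind}"
    find "$dir" -type f -name '*.jnl' | while read -r jnl; do
        zone="$(basename "$jnl" .jnl)"
        echo "$zone: $(purge_journal "$zone" 2>&1)"
    done
}

if [ -d /var/cache/bind ]; then
    purge_all_journals /var/cache/bind
fi
```

Matching the full "'freeze' failed: not found" text rather than just "not found" matters: a shell's own "rndc: not found" when the binary is missing would otherwise be mistaken for a slave zone and trigger a pointless retransfer.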

doc/appunti/linux/sa/bind_named.1191408549.txt.gz · Last modified: 2011/02/04 15:30 (external edit)