User Tools

Site Tools


No ai soldati italiani all'estero




Rigacci.Org usa energia elettrica da fonti rinnovabili, grazie al gruppo di acquisto Merci Dolci.

Merci Dolci - Energia Rinnovabile

Software libero!

Petizione contro i brevetti software

Faunalia: Soluzioni GIS professionali



This is an old revision of the document!

Bind DNS server

lame server resolving

I have been getting a lot of these “lame server resolving” floods. From my research these are when soemone is trying to do dns lookups on ips etc that are not setup corretly with DNS. Is there a way to restrict DNS lookups to the IPs on my box only so these type of floods do not occur?

The error messages you're seeing are harmless and not the result of an attack or anything like that. if you don't want to see them, add the following to your named.conf:

logging {
    category lame-servers {null;};

the problem is that your name server is trying to resolve a domain which has incorrectly configured name servers. restricting your name server in the way you mentioned would prevent you from using your server to look up remote IP addresses. unless your machine is configured (/etc/resolv.conf) to use an additional name server, you don't want to do this. you can however restrict outside machines from using your server to resolve domains for which your server is not authoritative.

to do this, add the following to your named.conf:

acl localip {; aaa.bbb.ccc.ddd; };
// replace aaa.bbb.ccc.ddd with your server's IP address.
// if you have multiple IP addresses, you should add them all, separated by semi-colons
options {
    allow-transfer {localip;};
    allow-recursion {localip;};

Dynamic DNS zones

How to set a dynamic zone in your DNS server; in your /etc/bind/named.conf.local declare the zone, who is allowed to update, who is allowed to do a zone transfer and the name of the zone file:

zone "" {
    type master;
    allow-update {; };
    allow-transfer {;;; };
    file "";
    max-journal-size 150k;

A journal file will be created:, this file will grow untill it reaches the max-journal-size. You can freeze the dynamic updates when you have to manually edit the zone file, this will also remove the journal file. After that, the thaw command is required:

rndc freeze
rndc thaw

This is my script to remove all the journal files:

# Purge the journal of dynamic DNS zones.
find /var/cache/bind/ -type f -name "*.jnl" | while read LINE; do
    DOMAIN="$(basename $LINE | sed 's/\.jnl$//')"
    rndc freeze "$DOMAIN"
    rndc thaw "$DOMAIN"

The journal file will grow on the slave DNS server too; the freeze command cannot be used because the zone is not on this server:

rndc freeze
rndc: 'freeze' failed: not found

On the slave server we must use the retransfer command:

rndc retransfer

Viste private e notify

Come configurare un server DNS con una vista privata e inoltrare le notify ad uno slave.

Configurazione del master

Purtroppo se si vuole utilizzare le view, tutte le zone devono essere inserite in una view. Quindi la configurazione predefinita Debian che carica le zone hint, localhost,, ecc. da /etc/bind/named.conf (al di fuori di qualunque view) non va bene.

Le zone si possono caricare dal file /etc/bind/named.conf.local mettendole nelle varie view:

view "private" {
    match-clients {;;; };
    include "/etc/bind/zones.local.any";
    include "/etc/bind/zones.local.private";
view "public" {
    match-clients {"any"; };
    include "/etc/bind/zones.local.any";
    include "/etc/bind/zones.local.public";

Nell'esempio sopra il file /etc/bind/zones.local.any contiene le zone che devono valere in ogni vista e quindi deve includere anche quelle zone che Debian mette originariamente in /etc/bind/named.conf (oppure in named.conf.default-zones con Debian Squeeze).

Una zona privata contenuta in /etc/bind/zones.local.private deve consentire il trasferimento di zona allo slave:

zone "" {
    type master;
    file "";
    allow-transfer {; };

Configurazione dello slave

Quando il master notifica lo slave di un aggiornamento, questo deve presentarsi con l'indirizzo IP master e trattandosi di vista privata, tale indirizzo deve essere incluso nei match-clients autorizzati alla view. Ecco quindi la configurazione dello slave in /etc/bind/named.conf.local:

view "private" {
    match-clients {;;; };
    include "/etc/bind/zones.local.any";
    include "/etc/bind/zones.local.private";

Mentre nel file /etc/bind/zones.local.private si definisce la zona e il master autorizzato alle notify:

zone "" {
    type slave;
    masters {; };
    file "slave/";

NOTA: Se master e slave sono collegati da una VPN con indirizzi IP point-to-point, può essere necessario utilizzare il masquerading in modo che il master si presenti allo slave con l'indirizzo dichiarato nella configurazione, piuttosto che con l'indirizzo della punto-punto. Altrimenti si rischia un errore dir notify Refused.

doc/appunti/linux/sa/bind_named.1296830655.txt.gz · Last modified: 2011/02/04 15:44 by niccolo