Re: Does this look OK???: msg#00379

Subject: Re: Does this look OK???
On Friday 27 December 2002 08:56 pm, Danny Mayer wrote:
> At 01:23 PM 12/27/02, Robin Lynn Frank wrote:
> >Somebody who is no longer available here set this up.  The problem is that
> > we are having intermittent DNS problems and I am wondering if this is
> > screwed up.
>
> Why intermittent? You probably have major problems.
>
Here comes a very loud and apologetic "duh!".  I discovered, belatedly, that 
the individual who worked on the system had temporarily given bind nothing to 
do when he had to travel overseas.  We've been wholly reliant on our ISP's 
nameservers since, and it is their servers that occasionally leave us unable 
to resolve major portions of the internet.  That said, I have to point out 
that since we are not "wealthy" enough to have our own "guru", we've assigned 
several tasks to different members of our staff (i.e., I get to play with 
postfix).  This is essentially the 2nd day I'm looking into the intricacies 
of bind, so my apologies for being ignorant.

I will look over the suggestions you and Ken Cormack have given and see if I 
can add another area of expertise(?) to my credentials.

> >options {
> >              // DNS tables are located in the /var/named directory
> >              directory "/var/named";
> >                 pid-file "/var/run/named/named.pid";
> >
> >             // Forward any unresolved requests to our ISP's name server
> >             forwarders {
> >                                162.42.18.5;
> >                                162.42.18.15;
> >             };
>
> You don't need to forward to your ISP when you could make the query
> yourself. Your firewall appears to allow queries from your server on
> port 53, see below. This is not complete since you would need either
> a forward first or forward only statement for it to be used. You may
> as well eliminate this.
>
> >              /*
> >               * If there is a firewall between you and nameservers you
> >               * want to talk to, you might need to uncomment the query-source
> >               * directive below.  Previous versions of BIND always asked
> >               * questions using port 53, but BIND 8.1 uses an unprivileged
> >               * port by default.
> >               */
> >              query-source address * port 53;
> >      };
>
> Just make sure that the firewall will allow outbound queries to any other
> nameserver on port 53, TCP and UDP. Don't rely on your ISP's servers
> to handle the queries.
>
> >     zone "." {
> >             type hint;
> >             file "root.hints";
> >     };
> >     // All our DNS information is stored in /var/named/domain.name.db
> >
> >     zone "paradigm-omega.net" {
> >             type master;
> >             file "paradigm-omega.net.db";
> >             // some security
> >             allow-transfer { 127.0.0.1; };
>
> This allows only the localhost to transfer the zone. No other server
> will be able to do so. Look at the NS records in the zone file and
> at a minimum add them to the allow-transfer list.
>
> >     };
> >
> >
> >
> >     zone "0.0.127.in-addr.arpa" {
> >              notify no;
> >              type master;
> >              file "127.0.0.rev";
> >              allow-transfer { 127.0.0.1; };
> >      };
>
> You really don't care about this allow-transfer.
>
> >      zone "0.168.192.in-addr.arpa" {
> >              notify no;
> >              type master;
> >              file "192.168.0.rev";
> >              allow-transfer { 127.0.0.1; };
> >      };
>
> Ditto.
>
> >server 192.128.167.77 {
> >         transfers 512;
> >         };
> >server 192.128.133.77 {
> >         transfers 512;
> >         };
> >server 209.219.209.7 {
> >         transfers 512;
> >         };
> >server 196.6.1.83 {
> >         transfers 512;
> >         };
> >server 198.6.1.161 {
> >         transfers 512;
> >         };
> >server 206.228.179.10 {
> >         transfers 512;
> >         };
> >server 144.228.254.10 {
> >         transfers 512;
> >         };
> >server 144.228.255.10 {
> >         transfers 512;
> >         };
> >server 140.153.43.44 {
> >         transfers 512;
> >         };
> >server 192.82.113.7 {
> >         transfers 512;
> >         };
> >server 130.114.200.6 {
> >         transfers 512;
> >         };
>
> These aren't referenced anywhere so they do nothing. They certainly can't
> transfer zones since they are not on the allow-transfer list. Since this
> server is not a slave for any zone the transfer clause has no effect, and
> it's for incoming and not outgoing zone transfers. 512 simultaneous zone
> transfers is very high anyway. If you really had that many slave zones on
> the machine in the first place you'd be in danger of having the server
> overwhelmed by trying to handle zone transfers, a DoS attack if ever there
> was one. You may as well get rid of all of these statements.
>
> Danny

-- 
==========================================================================
Robin Lynn Frank - Director of Operations - Paradigm-Omega, LLC
No attachments or active content is permitted in incoming mail.
Copyright and PGP/GPG info in mail or message headers.
Free email addresses are not accepted.  ICQ:  147240022
==========================================================================
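The three configuration problems raised in the reply (a forwarders list the server does not need, a master zone whose allow-transfer admits only 127.0.0.1, and server stanzas with transfers 512 that nothing references) are mechanical enough to check automatically. The following Python script is an added example, not code from this thread or from BIND: it parses a named.conf fragment with a small brace-matching scanner and reports those three conditions. ORIGINAL_CONF is a constructed copy of the stanzas quoted above (three of the eleven server stanzas are kept); FIXED_CONF is the same configuration reworked along the lines of the reply, where the secondary addresses 192.0.2.53 and 198.51.100.53 are hypothetical placeholders, since the zone's NS records are not shown in the thread. The threshold of 10 concurrent transfers is BIND's default for transfers-in.

```python
"""Lint a BIND named.conf fragment for the three problems raised in the reply:
a forwarders list the server does not need, master zones whose allow-transfer
shuts out every secondary, and server stanzas that nothing references."""
import re

PRIVATE_REVERSE = ("127.in-addr.arpa", "10.in-addr.arpa", "168.192.in-addr.arpa") + tuple(
    f"{n}.172.in-addr.arpa" for n in range(16, 32))
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed copy of the stanzas quoted in the thread (three of the eleven server stanzas).
ORIGINAL_CONF = """
options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    // Forward any unresolved requests to our ISP's name server
    forwarders { 162.42.18.5; 162.42.18.15; };
    query-source address * port 53;
};
zone "." { type hint; file "root.hints"; };
zone "paradigm-omega.net" {
    type master;
    file "paradigm-omega.net.db";
    allow-transfer { 127.0.0.1; };
};
zone "0.0.127.in-addr.arpa" { notify no; type master; file "127.0.0.rev"; allow-transfer { 127.0.0.1; }; };
zone "0.168.192.in-addr.arpa" { notify no; type master; file "192.168.0.rev"; allow-transfer { 127.0.0.1; }; };
server 192.128.167.77 { transfers 512; };
server 209.219.209.7 { transfers 512; };
server 198.6.1.161 { transfers 512; };
"""

# The same configuration reworked along the lines of the reply. The two secondary
# addresses are hypothetical placeholders; use the hosts in the zone's NS records.
FIXED_CONF = """
options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    // no forwarders: resolve from the root hints directly, the firewall allows port 53 out
};
zone "." { type hint; file "root.hints"; };
zone "paradigm-omega.net" {
    type master;
    file "paradigm-omega.net.db";
    allow-transfer { 192.0.2.53; 198.51.100.53; };
};
zone "0.0.127.in-addr.arpa" { notify no; type master; file "127.0.0.rev"; allow-transfer { none; }; };
zone "0.168.192.in-addr.arpa" { notify no; type master; file "192.168.0.rev"; allow-transfer { none; }; };
"""


def strip_comments(text):
    """Remove /* */, // and # comments before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_blocks(text):
    """Return (header, body) pairs for every 'header { body };' at brace depth 0."""
    text = strip_comments(text)
    blocks, depth, hdr_start, body_start, header = [], 0, 0, 0, ""
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                header = " ".join(text[hdr_start:i].strip(" \t\n;").split())
                body_start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                blocks.append((header, text[body_start:i]))
                hdr_start = i + 1
    return blocks


def address_list(body, name):
    """Addresses inside 'name { a; b; };' within a stanza body, or None if absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(name), body)
    if not m:
        return None
    return [a.strip() for a in m.group(1).split(";") if a.strip()]


def lint(conf, high_transfers=10):
    """Return a list of findings (strings) for the configuration text."""
    findings, referenced, servers, zones, options = [], set(), {}, {}, ""
    for header, body in top_level_blocks(conf):
        words = header.split()
        if words[0] == "options":
            options = body
        elif words[0] == "zone":
            zones[words[1].strip('"')] = body
        elif words[0] == "server":
            servers[words[1]] = body

    # 1. A forwarders list ties resolution to the ISP. Without an explicit statement
    #    BIND defaults to 'forward first', so the ISP servers are still tried first.
    fwd = address_list(options, "forwarders")
    if fwd is not None:
        referenced.update(fwd)
        findings.append(f"options: forwarders {fwd} present; BIND defaults to 'forward first', "
                        "so queries depend on these servers; drop the list to recurse directly")

    # 2. A master zone whose allow-transfer admits only the loopback address cannot be
    #    pulled by any secondary. Reverse zones for loopback/RFC 1918 space are ignored.
    for zone, body in zones.items():
        for key in ("allow-transfer", "masters", "also-notify"):
            referenced.update(address_list(body, key) or [])
        ztype = re.search(r"\btype\s+(\w+)\s*;", body)
        allowed = address_list(body, "allow-transfer")
        if (ztype and ztype.group(1) == "master" and allowed is not None
                and set(allowed) <= LOOPBACK and not zone.endswith(PRIVATE_REVERSE)):
            findings.append(f"zone {zone}: allow-transfer {allowed} admits only localhost; "
                            "no secondary can transfer the zone")

    # 3. server stanzas apply only to addresses that appear as masters, secondaries or
    #    forwarders; 'transfers' limits inbound transfers from that server.
    for addr, body in servers.items():
        if addr not in referenced:
            findings.append(f"server {addr}: not referenced by any zone, forwarders or "
                            "allow-transfer list, so the stanza has no effect")
        t = re.search(r"\btransfers\s+(\d+)\s*;", body)
        if t and int(t.group(1)) > high_transfers:
            findings.append(f"server {addr}: transfers {t.group(1)} allows far more concurrent "
                            f"inbound zone transfers than the BIND default of {high_transfers}")
    return findings


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(f"--- {label}: {len(lint(conf))} finding(s)")
        for finding in lint(conf):
            print(" ", finding)
```

Running the script prints eight findings for the quoted configuration and none for the reworked one. FIXED_CONF also drops the `query-source address * port 53;` line: pinning outbound queries to a fixed source port gives up source-port randomization, which later BIND releases rely on to resist cache poisoning, so keep it only if the firewall genuinely requires it.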