# named.conf script?

## cwc

I'm running named. I'm a newbie on this one.

When I add an internal view I get a start error for named.

Here's my named.conf and my zone file.

Are there glaring errors? Is it my named.conf or the zone file?

also I've never seen this line before:

azzerare.casa.		IN TXT	"v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"

I just threw it in per  http://www.gentoo.org/doc/en/bind-guide.xml

Thanks

```
acl "xfer" {
   none;
};

acl "trusted" {
   127.0.0.0/8;
   ::1/128;
};

options {
   directory "/var/bind";
   pid-file "/var/run/named/named.pid";

   /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
   //bindkeys-file "/etc/bind/bind.keys";

   listen-on-v6 {none; };
   listen-on { 127.0.0.1;192.168.1.14; };

   allow-query {
      /*
       * Accept queries from our "trusted" ACL.  We will
       * allow anyone to query our master zones below.
       * This prevents us from becoming a free DNS server
       * to the masses.
       */
      trusted;
   };

   allow-query-cache {
      /* Use the cache for the "trusted" ACL. */
      trusted;
   };

   allow-recursion {
      /* Only trusted addresses are allowed to use recursion. */
      trusted;
   };

   allow-transfer {
      /* Zone transfers are denied by default. */
      none;
   };

   allow-update {
      /* Don't allow updates, e.g. via nsupdate. */
      none;
   };
};

logging {
   channel default_log {
      file "/var/log/named/named.log" versions 5 size 50M;
      print-time yes;
      print-severity yes;
      print-category yes;
   };

   category default { default_log; };
   category general { default_log; };
};

*/

include "/etc/bind/rndc.key";

controls {
   inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

zone "." in {
   type hint;
   file "/var/bind/root.cache";
};

zone "localhost" IN {
   type master;
   file "pri/localhost.zone";
   notify no;
};

zone "127.in-addr.arpa" IN {
   type master;
   file "pri/127.zone";
   notify no;
};

view "internal" {
        match-clients { 192,168,1.14/24; localhost; };
        recursion yes;

        zone "casa" {
                type master;
                file "pri/azzerare.internal";
                allow-transfer { any; };
        };
};
```

pri/azzerare.internal

```
$TTL 2d
@   IN SOA   ns.azzerare.casa.   root.azzerare.casa. (
   1012071   ; 1012071
   3h   ; refresh
   1h   ; retry
   1w   ; expiry
   1d )   ; minimum

azzerare.casa.      IN MX   0 mail.azzerare.casa.
azzerare.casa.      IN TXT   "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
azzerare.casa.      IN NS   ns.azzerare.casa.
azzerare.casa.      IN NS   24.217.29.6

www.azzerare.casa.   IN A   192.168.1.14
ns.azzerare.casa.   IN A   192.168.1.14
mail.azzerare.casa.   IN A   192.168.1.14
router.azzerare.casa.   IN A   192.168.1.1
```

----------

## desultory

 *cwc wrote:*   

> also I've never seen this line before:
> 
> azzerare.casa.		IN TXT	"v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
> 
> I just threw it in per  http://www.gentoo.org/doc/en/bind-guide.xml

 That is meant to prevent source spoofing in e-mail.

As for the rest:

```
./named.conf:67: unknown option '*'
./named.conf:92: missing ';' before '/'
./named.conf:92: expected IP match list element near '/'
```

```
azzerare.internal:13: NS record '24.217.29.6' appears to be an address
zone casa/IN: has no NS records
zone casa/IN: not loaded due to errors.
```

Try these instead:

```
acl "xfer" {
        none;
};

acl "trusted" {
        127.0.0.0/8;
        ::1/128;
};

options {
        directory "/var/bind";
        pid-file "/var/run/named/named.pid";

        /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
        //bindkeys-file "/etc/bind/bind.keys";

        listen-on-v6 {none; };
        listen-on { 127.0.0.1;192.168.1.14; };

        allow-query {
                /*
                 * Accept queries from our "trusted" ACL.  We will
                 * allow anyone to query our master zones below.
                 * This prevents us from becoming a free DNS server
                 * to the masses.
                 */
                trusted;
        };

        allow-query-cache {
                /* Use the cache for the "trusted" ACL. */
                trusted;
        };

        allow-recursion {
                /* Only trusted addresses are allowed to use recursion. */
                trusted;
        };

        allow-transfer {
                /* Zone transfers are denied by default. */
                none;
        };

        allow-update {
                /* Don't allow updates, e.g. via nsupdate. */
                none;
        };
};

logging {
        channel default_log {
                file "/var/log/named/named.log" versions 5 size 50M;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        category default { default_log; };
        category general { default_log; };
};

include "/home/dean/tmp/sandbox/rndc.key";

controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

view "internal" IN {
        match-clients { 192.168.1.14/24; localhost; };
        recursion yes;

        zone "." in {
                type hint;
                file "/var/bind/root.cache";
        };

        zone "localhost" IN {
                type master;
                file "pri/localhost.zone";
                notify no;
        };

        zone "127.in-addr.arpa" IN {
                type master;
                file "pri/127.zone";
                notify no;
        };

        zone "casa" IN {
                type master;
                file "pri/azzerare.internal";
                allow-transfer { any; };
        };
};
```

```
$TTL 2d
@       IN SOA  ns.azzerare.casa.       root.azzerare.casa. (
        1012071 ; 1012071
        3h      ; refresh
        1h      ; retry
        1w      ; expiry
        1d )    ; minimum

                        IN MX   0 mail.azzerare.casa.
                        IN TXT  "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
                        IN NS   ns.azzerare

www.azzerare.casa.      IN A    192.168.1.14
ns.azzerare.casa.       IN A    192.168.1.14
mail.azzerare.casa.     IN A    192.168.1.14
router.azzerare.casa.   IN A    192.168.1.1
```

If that fails, post any and all error messages and the output of named-checkconf and named-checkzone.
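As an added illustration (not desultory's or cwc's code) of what the two named-checkzone messages quoted above mean: a small Python lint that parses a master file written the way the first post's is and reproduces both complaints. It assumes the zone is loaded as `"casa"`, as in the first post's named.conf, so the apex is `casa.` and records owned by `azzerare.casa.` sit one label below it; the sample zone text is constructed from the first post.

```python
import re

def qualify(name, origin):
    """'@' is the apex; a name without a trailing dot gets the origin appended."""
    return origin if name == "@" else name if name.endswith(".") else name + "." + origin

def parse_zone(text, origin):
    """Minimal master-file parser -> (owner, type, rdata tokens).  Handles $TTL, '@',
    ';' comments (not inside quotes), '( ... )' continuations and blank owners."""
    origin = origin.rstrip(".") + "."
    joined, buf = [], None
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw)
        buf = line if buf is None else buf + " " + line
        if buf.count("(") <= buf.count(")"):   # a record is complete once parens balance
            joined.append(buf)
            buf = None
    records, owner = [], origin
    for line in joined:
        if not line.strip() or line.startswith("$"):
            continue                            # blank line or $TTL/$ORIGIN directive
        if line[0] not in " \t":                # owner present in column 1
            name, line = line.split(None, 1)
            owner = qualify(name, origin)       # blank owner: keep the previous one
        toks = line.replace("(", " ").replace(")", " ").split()
        while toks and (toks[0].isdigit() or toks[0].upper() == "IN"):
            toks.pop(0)                         # optional TTL and class
        records.append((owner, toks[0].upper(), toks[1:]))
    return records

def check_zone(text, origin):
    """Reproduce the two named-checkzone complaints quoted in the thread."""
    origin = origin.rstrip(".") + "."
    records = parse_zone(text, origin)
    problems = []
    for _, rtype, rdata in records:
        if rtype == "NS" and re.fullmatch(r"\d+(\.\d+){3}", rdata[0]):  # NS rdata is a host name
            problems.append(f"NS record '{rdata[0]}' appears to be an address")
    if not any(t == "NS" and o == origin for o, t, _ in records):
        problems.append(f"zone {origin[:-1]}/IN: has no NS records")
    return problems

# Constructed input: the first post's zone loaded as zone "casa" (apex casa.).  Its NS
# records are owned by azzerare.casa., one label below the apex, so the apex has none.
ORIGINAL = """$TTL 2d
@  IN SOA ns.azzerare.casa. root.azzerare.casa. (
   1012071 3h 1h 1w 1d ) ; serial refresh retry expiry minimum
azzerare.casa.     IN NS  ns.azzerare.casa.
azzerare.casa.     IN NS  24.217.29.6
ns.azzerare.casa.  IN A   192.168.1.14
"""
```

`check_zone(ORIGINAL, "casa")` returns both messages; rewriting the records relative to the apex, as desultory's later revision does, makes it return an empty list.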

----------

## cwc

 *desultory wrote:*   

>  *cwc wrote:*   also I've never seen this line before:
> 
> azzerare.casa.		IN TXT	"v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
> 
> I just threw it in per  http://www.gentoo.org/doc/en/bind-guide.xml That is meant to prevent source spoofing in e-mail.
> ...

 

Thanks for the line. Give me a few days to try this out. Work calls :Smile:

----------

## cwc

Thanks for the help!

I got things to work with the internal zone.

I cannot resolve azzerare.casa with my /etc/resolv.conf set to:

```
azzerare ~ # more /etc/resolv.conf
# Generated by net-scripts for interface eth0
nameserver 192.168.1.1
nameserver 192.168.1.14
```

To do my external zone, do I follow the pattern below?

```
$TTL 2d
@	IN SOA	ns.YOUR_DOMAIN.	ADMIN.YOUR_DOMAIN. (
	MODIFICATION	;serial
	3h	;refresh
	1h	;retry
	1w	;expiry
	1d )	;minimum

YOUR_DOMAIN.		IN MX	0 mail.YOUR_DOMAIN.
YOUR_DOMAIN.		IN TXT	"v=spf1 ip4:YOUR_PUBLIC_IP/32 mx ptr mx:mail.YOUR_DOMAIN ~all"
YOUR_DOMAIN.		IN NS	ns.YOUR_DOMAIN.
YOUR_DOMAIN.		IN NS	SLAVE_DNS_SERVER

www.YOUR_DOMAIN.	IN A	YOUR_PUBLIC_IP
ns.YOUR_DOMAIN.		IN A	YOUR_PUBLIC_IP
mail.YOUR_DOMAIN.	IN A	YOUR_PUBLIC_IP
```

----------

## desultory

 *cwc wrote:*   

> I can not resolve azzerare.casa with my /etc/resolv.conf set to:
> 
> azzerare ~ # more /etc/resolv.conf
> 
> # Generated by net-scripts for interface eth0
> ...

 From where?

 *cwc wrote:*   

> To do my external zone do I follow the pattern below?

 If I read your meaning correctly, you can.

----------

## cwc

 *desultory wrote:*   

>  *cwc wrote:*   I can not resolve azzerare.casa with my /etc/resolv.conf set to:
> 
> azzerare ~ # more /etc/resolv.conf
> 
> # Generated by net-scripts for interface eth0
> ...

 

Thanks for the line.

I actually only got "/etc/init.d/named restart" to work without an error. I cannot ping anything other than names in my hosts file.

```
azzerare ~ # ping www.azzerare.casa
ping: unknown host www.azzerare.casa
```

Here's my hosts file:

```
# /etc/hosts: Local Host Database
# IPv4 and IPv6 localhost aliases
127.0.0.1       azzerare localhost
::1             azzerare localhost
192.168.1.14    azzerare.casa azzerare localhost
```

/etc/resolv.conf

```
# Generated by net-scripts for interface eth0
nameserver 192.168.1.1
nameserver 192.168.1.14
```

```
azzerare ~ # named-checkzone azzerare.casa /var/bind/pri/azzerare.internal
zone azzerare.casa/IN: loaded serial 1012142
azzerare ~ # cat /var/bind/pri/azzerare.internal
$TTL 2d
@       IN SOA  ns.azzerare.casa.       root.azzerare.casa. (
        1012142 ; 1012142
        3h      ; refresh
        1h      ; retry
        1w      ; expiry
        1d )    ; minimum
                        IN MX   0 mail.azzerare.casa.
                        IN TXT  "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
                        IN NS   ns.azzerare.casa.
www.azzerare.casa.      IN A    192.168.1.14
ns.azzerare.casa.       IN A    192.168.1.14
mail.azzerare.casa.     IN A    192.168.1.14
router.azzerare.casa.   IN A    192.168.1.1
```

----------

## desultory

My prior revision of your zone file was a bit too conservative in correcting problems; try this.

```
$TTL 2d
@       IN SOA  mail.azzerare.casa.       root.azzerare.casa. (
        1012071 ; 1012071
        3h      ; refresh
        1h      ; retry
        1w      ; expiry
        1d )    ; minimum

         IN MX   0 mail.azzerare.casa.
         IN TXT  "v=spf1 ip4:192.168.1.14/24 mx ptr mx:mail.azzerare.casa ~all"
         IN NS   ns

www      IN A    192.168.1.14
ns       IN A    192.168.1.14
mail     IN A    192.168.1.14
router   IN A    192.168.1.1
```

----------

## cwc

 *desultory wrote:*   

> My prior revision of your zone file was a bit too conservative in correcting problems, try this.
> 
> ```
> $TTL 2d
> 
> ...

 

named started, but I could not resolve/ping router.azzerare.casa. I reset /etc/resolv.conf and checked to make sure a new serial number got loaded.

This is interesting:

```
azzerare ~ # ping www.azzerare.casa
PING www.azzerare.casa (184.106.31.166) 56(84) bytes of data.
64 bytes from 184.106.31.166: icmp_req=1 ttl=114 time=64.4 ms
64 bytes from 184.106.31.166: icmp_req=2 ttl=114 time=64.2 ms
```

thank you so much for the help!

----------

## desultory

 *cwc wrote:*   

> named started but I could not resolve ping router.azzerare.casa  .  i reset /etc/resolv.conf and checked to make sure a new serial number got loaded.

 What output do you get from dig router.azzerare.casa (dig is part of net-dns/bind-tools), on the system that is unable to ping router.azzerare.casa?

----------

## cwc

 *desultory wrote:*   

>  *cwc wrote:*   named started but I could not resolve ping router.azzerare.casa  .  i reset /etc/resolv.conf and checked to make sure a new serial number got loaded. What output do you get from dig router.azzerare.casa (dig is part of net-dns/bind-tools), on the system that is unable to ping router.azzerare.casa?

 

```
azzerare ~ # dig router.azzerare.casa

; <<>> DiG 9.7.1 <<>> router.azzerare.casa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47387
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;router.azzerare.casa.		IN	A

;; Query time: 5 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Dec 17 04:24:09 2010
;; MSG SIZE  rcvd: 38

azzerare ~ #
```

----------

## desultory

Perhaps an obvious question, but have you restarted named? Also, are the other names resolving properly?

----------

## cwc

 *desultory wrote:*   

> Perhaps an obvious question, but have you restarted named? Also, are the other names resolving properly?

 

Yes. Only azzerare and azzerare.casa resolve, but they are in my /etc/hosts file.

----------

## desultory

 *cwc wrote:*   

> only azzerare and azzerare.casa resolve but they are in my /etc/hosts file

 Which means, to put none too fine a point on it, that they do not resolve via named. When you are checking for information from DNS, use dig to query the actual server or servers of interest; circumventing DNS just to make things roughly work is pointless if you are trying to get DNS itself to work.

```
acl "xfer" {
        none;
};

acl "trusted" {
        127.0.0.0/8;
        ::1/128;
};

options {
        directory "/var/bind";
        pid-file "/var/run/named/named.pid";

        /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
        //bindkeys-file "/etc/bind/bind.keys";

        listen-on-v6 {none; };
        listen-on { 127.0.0.1;192.168.1.14; };

        allow-query {
                /*
                 * Accept queries from our "trusted" ACL.  We will
                 * allow anyone to query our master zones below.
                 * This prevents us from becoming a free DNS server
                 * to the masses.
                 */
                192.168.1.14/24;
                trusted;
        };

        allow-query-cache {
                /* Use the cache for the "trusted" ACL. */
                trusted;
        };

        allow-recursion {
                /* Only trusted addresses are allowed to use recursion. */
                trusted;
        };

        allow-transfer {
                /* Zone transfers are denied by default. */
                none;
        };

        allow-update {
                /* Don't allow updates, e.g. via nsupdate. */
                none;
        };
};

logging {
        channel default_log {
                file "/var/log/named/named.log" versions 5 size 50M;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        category default { default_log; };
        category general { default_log; };
};

include "/home/dean/tmp/sandbox/rndc.key";

controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

zone "." in {
        type hint;
        file "/var/bind/root.cache";
};

zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        notify no;
};

zone "127.in-addr.arpa" IN {
        type master;
        file "pri/127.zone";
        notify no;
};

zone "casa" IN {
        type master;
        file "pri/azzerare.internal";
        allow-transfer { any; };
};
```

----------

## cwc

 *desultory wrote:*   

>  *cwc wrote:*   only azzerare and azzerare.casa resolve but they are in my /etc/hosts file Which means, to put none to fine a point on it, that they do not resolve via named. When you are checking for information from DNS use dig to query the actual server or servers of interest, circumventing DNS just to make things roughly work is pointless if you are trying to get DNS itself to work.
> 
> ```
> acl "xfer" {
> 
> ...

 

Thanks again for the lines. The last named.conf worked along with my zone file.

I got this to work. I like the way I access the nodes on my network this way, e.g. router.casa, azzerare.casa.

I set /etc/resolv.conf to:

```
nameserver 192.168.1.14
nameserver 192.168.1.1
```

All seems to be working fine, EXCEPT Chromium will work with the real and local DNS but not Firefox or Epiphany.

Do I need an outside zone?

```
azzerare / # dig casa

; <<>> DiG 9.7.1 <<>> casa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9206
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;casa.				IN	A

;; AUTHORITY SECTION:
casa.			86400	IN	SOA	mail.casa. root.casa. 101221 10800 3600 604800 86400

;; Query time: 0 msec
;; SERVER: 192.168.1.14#53(192.168.1.14)
;; WHEN: Tue Dec 21 22:28:31 2010
;; MSG SIZE  rcvd: 68
```

Thanks again!

----------

