silvernetuk

Well-Known Member
Sep 2, 2002
311
0
166
United Kingdom
Hi,

When in Windows Dos if I do a nslookup command then type server ns1.silverdns.com then type ls silvernetuk.net it list the following

& ls silvernetuk.net
[ns1.silverdns.com]
silvernetuk.net. NS server = ns1.silverdns.com
silvernetuk.net. NS server = ns2.silverdns.com
silvernetuk.net. A 66.xxx.xx.2
billing A 66.xxx.xx.2
cp A 66.xxx.xx.2
demosite A 66.xxx.xx.2
forum A 66.xxx.xx.2
forums A 66.xxx.xx.2
ftp A 66.xxx.xx.2
localhost A 127.0.0.1
members A 66.xxx.xx.2
olddesign A 66.xxx.xx.2
support A 66.xxx.xx.2
thesales A 66.xxx.xx.2
&


So I am doing the following commands to get this

C:\nslookup
Default Server: dns-loh-tb.proxy.aol.com
Address: 195.93.33.134

& server ns1.silverdns.com
Default Server: ns1.silverdns.com
Address: 66.xxx.xx.3

& ls silvernetuk.net
[ns1.silverdns.com]
silvernetuk.net. NS server = ns1.silverdns.com
silvernetuk.net. NS server = ns2.silverdns.com
silvernetuk.net. A 66.xxx.xx.2
billing A 66.xxx.xx.2
cp A 66.xxx.xx.2
demosite A 66.xxx.xx.2
forum A 66.xxx.xx.2
forums A 66.xxx.xx.2
ftp A 66.xxx.xx.2
localhost A 127.0.0.1
members A 66.xxx.xx.2
olddesign A 66.xxx.xx.2
support A 66.xxx.xx.2
thesales A 66.xxx.xx.2


How do I stop this from listed the above, when doing the above nslookup command, as I have been told a lot of other host block this as you can see by the one I have done on yahoo


C:\nslookup
Default Server: dns-loh-tb.proxy.aol.com
Address: 195.93.33.134

& server ns5.yahoo.com
Default Server: ns5.yahoo.com
Address: 64.58.77.85

& ls yahoo.com
[ns5.yahoo.com]
*** Can't list domain yahoo.com: Query refused

How do I get mine to do that ?

Regards,
Garry
 

dgbaker

Well-Known Member
PartnerNOC
Sep 20, 2002
2,576
9
343
Toronto, Ontario Canada
cPanel Access Level
DataCenter Provider
In the named.conf between controls and zone add options.

controls {
inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };

};

options {
allow-transfer { none; };
};


zone "." {
type hint;
file "/var/named/named.ca";
};



Restart named.
 

casey

Well-Known Member
Jan 17, 2003
2,303
0
191
Hi guys,

I tried this, and it caused BIND to fail. Did I do something wrong?
After removing the code, BIND works fine, but I'd really like this option...
Can't have it both ways?
 

dgbaker

Well-Known Member
PartnerNOC
Sep 20, 2002
2,576
9
343
Toronto, Ontario Canada
cPanel Access Level
DataCenter Provider
Did you restart named after making change?
Are you editing it with pico or vi?
Editing /etc/named.conf?

This shouldn't cause bind to fail at all. Check for typos and exact syntax. Aslo ensure that it is exactly where it is required and that no Zone info before it.
 

casey

Well-Known Member
Jan 17, 2003
2,303
0
191
I'm editing with pico.
etc/named.conf

However, all I did was restart bind. How do I restart named?

Thanks,

Casey
 

ecoutez

Well-Known Member
May 23, 2002
152
0
316
If Bind (which IS named) fails to start, look at the tail of /var/log/messages and you'll find the reason. Most likely a syntax error like a missing or extra ;

- Jason
 

casey

Well-Known Member
Jan 17, 2003
2,303
0
191
It says,

Mar 11 20:08:21 server2 named[9250]: no longer listening on 162.42.211.135#53
Mar 11 20:08:21 server2 named[9247]: exiting
Mar 11 20:08:21 server2 named: named shutdown succeeded
Mar 11 20:08:21 server2 named[9290]: starting BIND 9.2.1 -u named
Mar 11 20:08:21 server2 named[9290]: using 1 CPU
Mar 11 20:08:21 server2 named[9293]: loading configuration from '/etc/named.conf'
Mar 11 20:08:21 server2 named[9293]: /etc/named.conf:28: 'options' redefined near 'options'
Mar 11 20:08:21 server2 named[9293]: loading configuration: already exists
Mar 11 20:08:21 server2 named[9293]: exiting (due to fatal error)
Mar 11 20:08:21 server2 named: named startup failed


I copied and pasted it inbetween the lines above just as David said to do.
 
Last edited:

jamesbond

Well-Known Member
Oct 9, 2002
738
1
168
dgbaker said:
options {
allow-transfer { none; };
};
Sorry for digging up this old thread, but I was wondering the following
if ns2 is on the same server as ns1, is it then necessary to add the ip address of ns2 to allow-transfer as well?

Also I noticed some people put 127.0.0.1 in there, but that's not necessary is it?
 

jamesbond

Well-Known Member
Oct 9, 2002
738
1
168
chirpy said:
There is a nicer example on the forums for this. For AXFR's I don't believe you need the other IPs as it doesn't need to do transfers with itself. This is the one:
http://forums.cpanel.net/showthread.php?t=15922
I was looking at that one as well. I know it's probably not necessary but I've added 127.0.0.1, ns1, ns2 and the main ip just to be on the safe side :)

What I have now is this :

acl trusted {
127.0.0.1;
ns1 ip;
ns2 ip;
main ip;
};

options {
version "currently unavailable";
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
};

I was also looking at the allow-query command. Doesn't it make sense to only allow queries for domains that belong to your server (or network) instead of allowing queries for any domain? Or does allow-recursion already take care of this?
 

chirpy

Well-Known Member
Verifed Vendor
Jun 15, 2002
13,462
25
473
Go on, have a guess
Yup. You don't want to block allow-query otherwise your domains won't resolve, the allow-recursion stops outsiders using your server for DNS resolution of zones not on your server, which could cause more issues than the primary issue of allowing full zone transfers.