The allow-query { internals; } might be something worth tinkering with.

From: "Jack Craig" <jack.craig.aptos@gmail.com>
Date: Friday, 13 November 2020 at 08:03:43
To: "Community support for Fedora users" <users@lists.fedoraproject.org>
Subject: F32 bind9 split dns debug



hi all,
any dns pros in the house??

i am trying to debug a split view dns.
i am using F32 & bind9 where i have internal & external views.

internal network 10.0.0.0/24, external 108.220.213.120/29

what i think i am seeing is a refusal of query, but Why??

where can i find a query_log print-severity definition?

dig shows, ...

dig ws.linuxlighthouse.com ns

; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc32 <<>> ws.linuxlighthouse.com ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 45484
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ws.linuxlighthouse.com. IN NS

;; Query time: 355 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Thu Nov 12 22:53:45 PST 2020
;; MSG SIZE  rcvd: 51

dig 108.220.213.121

; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc32 <<>> 108.220.213.121
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46338
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;108.220.213.121. IN A

;; ANSWER SECTION:
108.220.213.121. 0 IN A 108.220.213.121

;; Query time: 1 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Thu Nov 12 22:54:52 PST 2020
;; MSG SIZE  rcvd: 60

suggestions?

tia, jackc...


my named.conf

/* top of file */

// Intended secondary for zone transfers. Defined but currently unused:
// the only reference, allow-transfer { slaves; } inside
// "external-wan-view", is commented out, and the options-level
// allow-transfer names the /29 directly instead.
acl slaves {
    108.220.213.122;
};

// "Trusted" clients: the LAN and IPv4 loopback. Used both for the
// options-level allow-query and to select "internal-lan-view".
// NOTE(review): no IPv6 prefixes here, and listen-on-v6 is { any; }, so
// any IPv6 client (including ::1) fails this ACL and is served by
// "external-wan-view" instead.
acl internals {
    10.0.0.0/24;
    127.0.0.0/8;
};

/*
    108.220.213.120/29;
*/

options
{
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // "Working" directory
dump-file "data/cache_dump.db";
        statistics-file "data/named_stats.txt";
        memstatistics-file "data/named_mem_stats.txt";
secroots-file "data/named.secroots";
recursing-file "data/named.recursing";

// NOTE(review): BIND's built-in "localhost" ACL matches every address
// configured on this host's interfaces, not only 127.0.0.1; the pasted
// queries.log records show queries arriving on 10.0.0.101, which is
// consistent with that. IPv6 listens on all addresses.
listen-on port 53 { localhost; };
listen-on-v6 port 53 { any; };

// Global defaults, inherited by every view and zone that does not set
// its own value:
//   allow-query { internals; } therefore also applies inside
//   "external-wan-view" (match-clients { any; }); only data covered by a
//   zone-level allow-query { any; } is reachable from outside, anything
//   else that view is asked for is REFUSED (compare the query-errors /
//   security records for 60.215.138.163 pasted below).
//   allow-query-cache { any; } is inherited by the external view as
//   well; with recursion no there it has little effect, but an explicit
//   { none; } in that view would state the intent.
//   allow-transfer: the only place the /29 is used; the "slaves" ACL
//   above is not referenced anywhere in this file.
        allow-query  { internals;  };
allow-query-cache { any; };
        allow-transfer    { 108.220.213.120/29; };  

// Default for views; "external-wan-view" overrides it with recursion no.
recursion yes;

// Recursive lookups (only "internal-lan-view" recurses) are sent to
// Google Public DNS.
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };

/* DNSSEC related options. See information about keys ("Trusted keys", below) */

/* Enable serving of DNSSEC related data - enable on both authoritative
    and recursive DNSSEC-aware servers */
dnssec-enable yes;

/* Enable DNSSEC validation on recursive servers (answers coming back
   through the forwarders above are validated too) */
dnssec-validation yes;

/* In Fedora we use /run/named instead of default /var/run/named
  so we have to configure paths properly. */
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";

managed-keys-directory "/var/named/dynamic";

        /* In Fedora we use system-wide Crypto Policy */
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";

        /* use querylog all the time rndc */
        /* Equivalent to leaving "rndc querylog" switched on: every
           query is logged to the "queries" category (queries_file
           channel in the logging block). */
        querylog yes;
};

logging {
    // Catch-all channel (category default below; query-errors has no
    // category of its own here, so it lands in this file too).
    // "severity dynamic" follows the server's current debug level
    // (rndc trace) instead of a fixed threshold.
    // print-category / print-severity produce the "query-errors: info:"
    // prefix seen in the pasted records: the severity word is the level
    // of each individual message, there is no separate table to look up.
    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    // --- pasted log output, not configuration: three refusals for an
    // --- external client, all answered from "external-wan-view".
default.log:12-Nov-2020 22:16:58.021 query-errors: info: client @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/AAAA at ../../../bin/named/query.c:7270
default.log:12-Nov-2020 22:16:58.503 query-errors: info: client @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270
default.log:12-Nov-2020 22:16:59.036 query-errors: info: client @0x7f99e01bab90 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view: query failed (REFUSED) for ws.linuxlighthouse.com/IN/A at ../../../bin/named/query.c:7270

    // ACL denials (category security). "severity debug 2" only matters
    // while the server's debug level is raised; the pasted records are
    // ordinary info-level denials.
    channel security_file {
        severity debug 2;
        file "/var/log/named/security.log" versions 3 size 5m;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    // --- pasted log output, not configuration: the same three queries
    // --- as seen from the ACL check.
security.log:12-Nov-2020 22:16:58.021 client @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view: query 'ws.linuxlighthouse.com/AAAA/IN' denied
security.log:12-Nov-2020 22:16:58.503 client @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view: query 'ws.linuxlighthouse.com/A/IN' denied
security.log:12-Nov-2020 22:16:59.036 client @0x7f99e01bab90 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view: query 'ws.linuxlighthouse.com/A/IN' denied

    // Full query log (category queries, enabled by "querylog yes" in
    // options). Each record ends with the query flags and, in
    // parentheses, the local address the query arrived on.
    channel queries_file {
        file "/var/log/named/queries.log" versions 3 size 5m;
        severity debug 3;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    // --- pasted log output, not configuration: the three queries as
    // --- received (on 10.0.0.101), before the ACL decision.
queries.log:12-Nov-2020 22:16:58.021 queries: info: client @0x7f99e01bab90 60.215.138.163#62853 (ws.linuxlighthouse.com): view external-wan-view: query: ws.linuxlighthouse.com IN AAAA -E(0)DC (10.0.0.101)
queries.log:12-Nov-2020 22:16:58.503 queries: info: client @0x7f99e01bab90 60.215.138.163#48181 (ws.linuxlighthouse.com): view external-wan-view: query: ws.linuxlighthouse.com IN A -E(0)DC (10.0.0.101)
queries.log:12-Nov-2020 22:16:59.036 queries: info: client @0x7f99e01bab90 60.215.138.163#52399 (ws.linuxlighthouse.com): view external-wan-view: query: ws.linuxlighthouse.com IN A -E(0)DC (10.0.0.101)


    // NOTE(review): only default_file, security_file and queries_file
    // are defined in the pasted config; the other channels named here
    // (general_file, database_file, ...) presumably live in a part of
    // named.conf that was not pasted -- named will not load a config
    // that routes a category to an undefined channel.
    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
};

include "/etc/rndc.key";

// rndc control channel: loopback only, and every command must be
// signed with the key from /etc/rndc.key included above.
controls {
      inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

/* This view will contain zones you want to serve only to "internal" clients
   that connect via your directly attached LAN interfaces - "localnets" .  */

// Clients matching "internals" (10.0.0.0/24, IPv4 loopback) land here;
// views are tried in order, so everything else falls through to
// "external-wan-view". Inherits allow-query { internals; } and the
// forwarders from options; this is the only view that recurses.
view "internal-lan-view"
{
match-clients    { internals; };
recursion yes;

// Internal copy of the zone (internal.db, pasted below, $includes the
// public zone file and adds 10.0.0.x records on top of it).
// NOTE(review): the dig from 10.0.0.1 above got SERVFAIL for
// ws.linuxlighthouse.com/NS in this view; worth confirming from the
// startup/reload messages that this zone actually loaded, since a
// failed load would leave the view to recurse via the forwarders.
zone "linuxlighthouse.com" {
           type master;
           file "/var/named/internal.db";
};
};

/* This view will contain zones you want to serve only to "external" clients
   whose addresses do not match any view above: */

// Everything that did not match "internals" -- the public Internet
// and, because "internals" has no IPv6 prefixes, every IPv6 client --
// ends up here. Authoritative only (recursion no).
view "external-wan-view"
{
match-clients   { any; };
recursion no;

// NOTE(review): the view sets no allow-query of its own, so it inherits
// allow-query { internals; } from options; only the zone-level
// allow-query { any; } statements below open data to the world. The
// pasted REFUSED records are for a name inside this zone, so before
// loosening the global ACL it is worth confirming that this zone is
// loaded in this view (e.g. rndc zonestatus linuxlighthouse.com in
// external-wan-view) and that the query is being answered from it.
zone "linuxlighthouse.com" {
            type master;
            file "/var/named/linuxlighthouse.com.db";
            allow-query     { any;  };
/*
            allow-transfer { slaves; };
*/
};

        // Reverse zone for the whole 108.220.213.0/24, although only the
        // /29 belongs to this site; unless the upstream actually
        // delegates the full /24 here, an RFC 2317-style sub-/24
        // delegation is what the provider would normally set up -- verify.
        zone "213.220.108.in-addr.arpa" {
            type master;
            file "/var/named/213.220.108.in-addr.arpa";
            allow-query     { any;  };
        };
};


; Authoritative data for linuxlighthouse.com zone
; (served from "external-wan-view"; also pulled into internal.db via
; $include, so every record here is visible to internal clients too)
;
; $ORIGIN linuxlighthouse.com.   -- origin comes from the zone statement in named.conf
$TTL 86400
@                        IN SOA  ws.linuxlighthouse.com.   root.linuxlighthouse.com. (
                                       2020101601      ; serial -- bump on every edit or secondaries keep the old copy
                                       1D              ; refresh
                                       1H              ; retry
                                       1W              ; expire
                                       86400 )         ; minimum (negative-cache TTL)
;
;jack.craig.aptos@gmail.com
;
; Apex: a single NS (ws, in-zone, so its A record below is the glue),
; mail to "mail", and the bare domain resolves to the public address.
@                         IN      NS     ws
                          IN      MX  10 mail
                          IN      A      108.220.213.121

; Every public hostname shares the one address 108.220.213.121; no AAAA
; records, so the AAAA query in the pasted logs would be NODATA even
; when allowed.
ws                        IN      A      108.220.213.121
www                       IN      A      108.220.213.121
mail                      IN      A      108.220.213.121

; cname later
;ws2                       IN      A      68.94.157.1
;dns157r8.sbcglobal.net.   IN      A      68.94.157.8

;
; DNSSEC/CAA setup
; example.org. CAA 128 issue "letsencrypt.org"
;
; Still commented out. Flag 128 is the issuer-critical bit: a CA that
; does not understand the record must refuse to issue.
; linuxlighthouse.com.   CAA 128 issue "letsencrypt.org"


;
; internal.db -- served only from "internal-lan-view".
; Pulls in the whole public zone file (SOA, NS, MX and the
; 108.220.213.121 A records) and then ADDS private addresses. Assuming
; named accepts the lowercase directive as $INCLUDE, the internal view
; answers with BOTH addresses for @, ws and www (e.g. ws ->
; 108.220.213.121 and 10.0.0.101), which is not a clean split horizon;
; if LAN clients are meant to see only 10.0.0.x, the public A records
; have to leave the included file or this file must stop including it.
$include "/var/named/linuxlighthouse.com.db"

@                         IN     A     10.0.0.1
ws                        IN     A     10.0.0.101
www                       IN     A     10.0.0.101
ws2                       IN     A     10.0.0.102

[jackc@ws ~$


