# (SOLVED) Problem with DNS..



## cruzler (May 27, 2009)

Hi all, I need help, please..

I just built a DNS server using bind9 for an ISP. It runs well: I can send email, open the website, there is no error log in messages, and I already added the additional PTR too. But I have a problem: when my clients use my DNS as their primary/secondary DNS in their network settings, they can't browse to any site at all, except my website on my DNS..

And my friend told me to enable Query in named.conf to solve this problem. Is it true that this problem is because I have not enabled the query? And if it is true, how can I enable this query? :\

Thanks..


----------



## SirDice (May 27, 2009)

Did you set up forwarding or add the root zone?


----------



## cruzler (May 27, 2009)

@SirDice
No sir, should I set it? But how?

Thanks..


----------



## rocky (May 27, 2009)

cruzler said:

> but i have got problem when, my client use my DNS as their primary/secondary DNS on their network settings, they can't browsing to any site at all, except my website on my DNS..



You should allow your users to use your DNS server. Check your DNS server setting and the firewall too.


----------



## cruzler (May 27, 2009)

@rocky

But what should I check in this named.conf? And I already shut down my firewall to try this, but it doesn't solve the problem..


----------



## rocky (May 27, 2009)

You should read the BIND manual. There are various ways to control DNS server security, for example the *controls* directive.

I think you should post your bind configuration here and then we may help...


----------



## SirDice (May 27, 2009)

Add to the options section in named.conf:

```
forward only;
forwarders {
    1.2.3.4;
    2.3.4.5;
};
```
Replace the IP addresses with the IP addresses of your ISP's DNS servers.


----------



## DutchDaemon (May 27, 2009)

http://forums.freebsd.org/showthread.php?t=3213
http://forums.freebsd.org/showthread.php?t=3393


----------



## vivek (May 27, 2009)

You need to set up caching DNS by adding a forward-only zone as suggested by the above poster. This will open your DNS to the rest of the world. I suggest you use ACLs or views to restrict access to your own customers, i.e. the ISP netblock only.


----------



## cruzler (May 28, 2009)

rocky said:

> You should read the manual of BIND. There are various ways to control DNS server security. For e.g, the *controls* directive.
> 
> I think you should post your bind configuration here and then we may help...



Ok sir, thanks..



			
SirDice said:

> Add to the options section in named.conf:
> 
> ```
> forward only;
> ...
> ```



But sir, what if we are the ISP?



			
DutchDaemon said:

> http://forums.freebsd.org/showthread.php?t=3213
> http://forums.freebsd.org/showthread.php?t=3393



Hoo.. i see.. Thanks sir..



			
vivek said:

> You need to setup caching dns by adding forward only zone as suggested by above poster. This will open your dns to rest of the world. I suggest you take help of ACL or views to restrict access to your own customer i.e. ISP netblock only.



Should I add caching DNS? Or maybe this is because of the ACL?


Based on what DutchDaemon and vivek said, maybe this is about ACL/recursion/query, right..? Hmm.. I'll try..


----------



## ItaRi (May 28, 2009)

Can you show your named.conf config? Otherwise it's guesswork...


----------



## DutchDaemon (May 28, 2009)

If you need to play the role of "ISP DNS", you will have to define an acl containing the IP networks that are allowed to use your DNS (your ISP networks), and allow that acl recursive query access. The two threads I pointed you to will contain all necessary information about that. 

I assume that you are running a regular BIND (base system or ports version) which will already have things like the root nameservers configured (as 'named.root' in etc/namedb/, and as 'zone "."' (type hint) in named.conf).


----------



## cruzler (Jun 2, 2009)

ItaRi said:

> Can show a config named.conf, costs what to guess...



Roger that, sir..



			
DutchDaemon said:

> If you need to play the role of "ISP DNS", you will have to define an acl containing the IP networks that are allowed to use your DNS (your ISP networks), and allow that acl recursive query access. The two threads I pointed you to will contain all necessary information about that.
> 
> I assume that you are running a regular BIND (base system or ports version) which will already have things like the root nameservers configured (as 'named.root' in etc/namedb/, and as 'zone "."' (type hint) in named.conf).



I see, sir.. sorry I am late to reply.. But sir, I inserted the ACL and then allowed the option; named starts well and there is no error in log/messages, but my client still cannot use my DNS..

This is my named.conf:


```
acl "xfer" {
        xxx.xxx.xxx.xxx;        // my other nameserver IP
};

acl "trusted" {
        xxx.xxx.xxx.xxx/xx;     // my IP blocks that can use my DNS
        xxx.xxx.xxx.xxx/xx;
        xxx.xxx.xxx.xxx/xx;
        localhost;
};

// -------------------------------
options {
        // Relative to the chroot directory, if any
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

        allow-recursion {
                xfer;
        };

        allow-query {
                trusted;
        };

        allow-query-cache {
                trusted;
        };
        // (rest of the options block not shown in the post)
};
// --------------------------------------
zone "mydomain.com" {
        type master;
        allow-update { none; };
        allow-query { trusted; };
        allow-transfer  { xxx.xxx.xxx.xxx; };   // my slave IP
        file "master/mydomain.com.zone";
};

zone "xx.xxx.xxx.in-addr.arpa" {
        type master;
        allow-query { trusted; };
        file "master/xx.xxx.xxx.in-addr.arpa.rev";
};
```

Puff.. I don't know how to check the error, because there is no error log in the message log..


----------



## icer (Jun 2, 2009)

cruzler said:

> Puff.. I don't know how to check the error, because there is no error log on message log..



```
more /var/log/messages

dmesg -a
```


----------



## cruzler (Jun 2, 2009)

@icer

Hoo.. i see.. Thanks sir..

Btw, thanks to all, my problem is solved; it was because I forgot to set recursion to "yes".. Once again, thanks..
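Pulling the thread together, here is the posted named.conf with the changes DutchDaemon and vivek describe and the `recursion yes;` that finally fixed it. This is an added example, not cruzler's real configuration: the netblocks, the secondary address and `mydomain.com` are placeholders, and the zone-level `allow-query { any; }` is an assumption that the authoritative zone must be resolvable from the whole Internet.

```conf
// Added example (not the poster's config): an ISP resolver that is also
// authoritative for its own zone. All addresses below are placeholders.
acl "xfer" {
        203.0.113.2;            // placeholder: the secondary nameserver
};

acl "trusted" {
        198.51.100.0/24;        // placeholder: ISP customer netblocks
        192.0.2.0/24;
        localhost;
};

options {
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";

        // The posted config had no "recursion yes;" and granted recursion to
        // the "xfer" acl (the other nameserver) instead of the customers, so
        // customer lookups for names outside mydomain.com were refused.
        recursion yes;
        allow-recursion   { trusted; };
        allow-query-cache { trusted; };

        // Anyone may ask, but only "trusted" gets recursive or cached answers.
        // Keeping recursion limited to the ISP netblocks is what stops the
        // server from becoming an open resolver usable for amplification.
        allow-query { any; };
};

// Authoritative zone: the rest of the Internet must be able to resolve it,
// so it is open for queries; transfers stay limited to the secondary.
zone "mydomain.com" {
        type master;
        file "master/mydomain.com.zone";
        allow-query    { any; };
        allow-update   { none; };
        allow-transfer { xfer; };
};
```

Run `named-checkconf` before restarting, then verify with `dig`: a query for an outside name from a customer address should come back with `ra` in the flags, while the same query from outside the trusted netblocks should be REFUSED.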


----------

