Named

From Leo's Notes
Last edited on 12 August 2019, at 19:27.

This article will go over some features in the BIND DNS server (named): query logging, disabling IPv6 transport, views, and a troubleshooting note.

Enable Query Logging

Use rndc to enable query logging:

rndc querylog on

Queries are then logged through the default syslog channel, which on a RedHat based system means they end up in /var/log/messages.

To see whether rndc querylog is enabled, run:

rndc status
 ...
 query logging is ON
 ...
 server is up and running

rndc querylog only toggles the running process, so the setting is lost whenever named restarts. To enable query logging at startup, add a logging channel for the queries category to /etc/named.conf (configuring a channel for this category turns query logging on by itself; querylog yes; in the options block does the same). Keep in mind that the file records every client address and every name looked up, so treat it as sensitive and give the channel a size and versions limit so a busy resolver cannot fill the disk:

logging {
        channel "querylog" {
                file "/var/log/named-query.log";
                print-time yes;
        };
        category queries { querylog; };
};
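
Once queries are going to a file, the log is the place to look for abuse of the resolver. The script below is an added example (not from this page or from BIND): it parses query-log lines and flags clients sending long, high-entropy leftmost labels, the usual shape of DNS tunnelling or exfiltration. The sample lines are constructed in the style the channel above writes with print-time enabled; the client addresses, names and the "tun.example.net" domain are made up, and the length/entropy thresholds are assumptions to tune for your own traffic. Newer BIND versions print a "@0x..." client pointer and older ones do not, so the regex accepts both.

```python
"""Parse BIND query-log lines and flag tunnelling-like lookups.

Added example, not code from the page or from BIND. Thresholds and the
sample traffic below are assumptions made for the demonstration.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic). Lines 1-2 use the newer
# "client @0x..." form, lines 3-5 the older form without the pointer.
SAMPLE_LOG = """\
12-Aug-2019 19:20:01.123 client @0x7f3a1c0 192.0.2.10#41234 (www.example.com): query: www.example.com IN A +E(0)K (192.0.2.53)
12-Aug-2019 19:20:01.456 client @0x7f3a1c0 192.0.2.10#41235 (example.com): query: example.com IN AAAA +E(0)K (192.0.2.53)
12-Aug-2019 19:20:02.001 client 192.0.2.77#53000: query: 3q2f9v8s0d1k4h7j6g5f4d3s2a1z9x8c.tun.example.net IN TXT + (192.0.2.53)
12-Aug-2019 19:20:02.002 client 192.0.2.77#53001: query: 9k8j7h6g5f4d3s2a1z0x9c8v7b6n5m4l.tun.example.net IN TXT + (192.0.2.53)
12-Aug-2019 19:20:02.003 client 192.0.2.77#53002: query: a1s2d3f4g5h6j7k8l9z0x1c2v3b4n5m6.tun.example.net IN TXT + (192.0.2.53)
"""

# Matches both "client @0xPTR IP#PORT (NAME): query: ..." and "client IP#PORT: query: ...".
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<type>\S+) (?P<flags>\S+)"
)


def parse_line(line):
    """Return a dict with ip, port, name, type, flags, or None if the line is not a query."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["name"] = rec["name"].rstrip(".").lower()
    return rec


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious(rec, min_label_len=30, min_entropy=3.5):
    """Heuristic: a long, high-entropy leftmost label is typical of data smuggled in a query name."""
    label = rec["name"].split(".")[0]
    return len(label) >= min_label_len and shannon_entropy(label) >= min_entropy


def analyse(log_text):
    """Return (per-client record-type counts, list of flagged query records)."""
    per_client = defaultdict(Counter)
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_client[rec["ip"]][rec["type"]] += 1
        if is_suspicious(rec):
            flagged.append(rec)
    return per_client, flagged


if __name__ == "__main__":
    clients, hits = analyse(SAMPLE_LOG)
    for ip, types in clients.items():
        print(ip, dict(types))
    for rec in hits:
        print("suspicious:", rec["ip"], rec["name"], rec["type"])
```

Run it against the real file with analyse(open("/var/log/named-query.log").read()); a single client issuing a burst of TXT or NULL queries for random-looking labels under one domain is the pattern worth following up.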

Disable IPv6 Lookups

If you have querylog enabled, you may see lots of messages like:

May  5 12:14:44 linux named[2492]: error (network unreachable) resolving 'ns2.google.com/A/IN': 2001:503:231d::2:30#53
May  5 12:14:44 linux named[2492]: error (network unreachable) resolving 'ns2.google.com/AAAA/IN': 2001:503:231d::2:30#53
May  5 12:14:44 linux named[2492]: error (network unreachable) resolving 'ns3.google.com/A/IN': 2001:503:231d::2:30#53
May  5 12:14:44 linux named[2492]: error (network unreachable) resolving 'ns4.google.com/A/IN': 2001:503:231d::2:30#53
May  5 12:14:44 linux named[2492]: error (network unreachable) resolving 'ns3.google.com/AAAA/IN': 2001:503:231d::2:30#53
May  5 12:14:44 linux named[2492]: error (network unreachable) resolving 'ns1.google.com/A/IN': 2001:503:231d::2:30#53
May  5 12:14:57 linux named[2492]: error (network unreachable) resolving 'ns2.p42.dynect.net/A/IN': 2001:500:3::42#53

Since I don't have IPv6 on my network, named cannot reach the IPv6 addresses of those name servers, so every attempt fails with "network unreachable". The fix is to run named with the -4 flag so it only uses IPv4 transport for its own lookups. On a RedHat based system, set this in /etc/sysconfig/named and then restart named:

vi /etc/sysconfig/named
 OPTIONS="-4"

Note that this only affects the transport named uses; it is not the same as listen-on-v6 { none; }, which stops named from accepting IPv6 queries but does not stop it from trying IPv6 upstream.

Creating 'zones' via Views

If you want to serve a specific set of zones (or different answers for the same zone) to a particular set of IP addresses or subnets, use views. Views are matched in the order they appear in named.conf, the first view whose match-clients list matches the client wins, and a client that matches no view gets REFUSED. The basic syntax for a view is:

view "NetworkAB" {
	match-clients { subnetA; subnetB; };

	# Zones go here
};

You may also use acl to group multiple subnets into one 'client'.


acl subnetAB { subnetA; subnetB; };

view "NetworkAB" {
	match-clients { subnetAB; };

	# Zones go here
};

To have one specific IP address land in a different view instead, use the ! operator in either the ACL definition list or the match-clients list. Address match lists are evaluated first-match, so the negated entry must come before the broader subnet that would otherwise match it; written the other way around (subnetA; ! leosIPInSubnetA/32;) the negation is never reached. Also remember that match-clients only looks at the source address of the query, which an attacker can spoof over UDP, so views are a way of organising what different networks see, not a substitute for keeping genuinely secret data out of DNS.

acl subnetAB { ! leosIPInSubnetA/32; subnetA; subnetB; };
acl subnetLeo { leosIPInSubnetA/32; };

view "NetworkAB" {
	match-clients { subnetAB; };

	# Zones go here
};

view "LeosView" {
	match-clients { subnetLeo; };

	# Zones only Leo can see can go here
};
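
Because the view a client ends up in depends on list order in two places (the entries inside an ACL and the views themselves), it is worth checking before reloading named. The script below is an added example, not BIND code and not from this page: it re-implements the first-match rule named applies to acl and match-clients lists, including the detail that a negative match inside a nested ACL counts as "no match" for the list that references it (which is exactly what lets the negated entry in subnetAB push Leo's address down to the next view). The subnets and Leo's address are made-up stand-ins for subnetA, subnetB and leosIPInSubnetA, and subnetAB_wrong is a deliberately misordered copy used to show the pitfall.

```python
"""Simulate BIND address-match-list evaluation and view selection.

Added example (not BIND's code). Addresses are constructed stand-ins for
the page's subnetA, subnetB and leosIPInSubnetA.
"""
import ipaddress

# Hypothetical ACLs mirroring the page's config. "!" negates an entry.
ACLS = {
    "subnetA": ["192.0.2.0/24"],
    "subnetB": ["198.51.100.0/24"],
    # Correct: the negation comes before the subnet that would match Leo.
    "subnetAB": ["!192.0.2.42/32", "subnetA", "subnetB"],
    "subnetLeo": ["192.0.2.42/32"],
    # Wrong: subnetA matches Leo first, so the negation is never reached.
    "subnetAB_wrong": ["subnetA", "subnetB", "!192.0.2.42/32"],
}

# Views in named.conf order, each with its match-clients list.
VIEWS = [("NetworkAB", ["subnetAB"]), ("LeosView", ["subnetLeo"])]


def evaluate(lst, addr, acls):
    """First-match evaluation: +1 positive match, -1 negated match, 0 no match."""
    for entry in lst:
        negated = entry.startswith("!")
        target = entry.lstrip("!").strip()
        if target in acls:
            # Nested ACL: only a positive inner match counts. A negated inner
            # match is treated as no match, so "!nested" never double-negates.
            if evaluate(acls[target], addr, acls) <= 0:
                continue
            hit = True
        elif target == "any":
            hit = True
        elif target == "none":
            hit = False
        else:
            hit = addr in ipaddress.ip_network(target, strict=False)
        if hit:
            return -1 if negated else 1
    return 0


def select_view(addr, views=VIEWS, acls=ACLS):
    """Name of the first view whose match-clients matches addr, or None (REFUSED)."""
    ip = ipaddress.ip_address(addr)
    for name, match_clients in views:
        if evaluate(match_clients, ip, acls) > 0:
            return name
    return None


if __name__ == "__main__":
    for client in ("192.0.2.42", "192.0.2.10", "198.51.100.5", "203.0.113.1"):
        print(client, "->", select_view(client))
    leo = ipaddress.ip_address("192.0.2.42")
    print("subnetAB_wrong matches Leo:", evaluate(ACLS["subnetAB_wrong"], leo, ACLS) > 0)
```

An alternative to the negated ACL is to put the more specific view first: with LeosView listed before NetworkAB, Leo's address is caught by subnetLeo before NetworkAB is ever considered, and subnetAB no longer needs the ! entry.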

Troubleshooting

100% CPU Usage

If named is using 100% CPU, it might be unhappy with the managed-keys-directory setting pointing at /var/named/dynamic. In my case the directory existed with the proper permissions, yet commenting out that line appeared to fix the issue. Before removing it, check the named log for errors about that directory and confirm its SELinux context (ls -Z /var/named/dynamic), since named needs to write its managed keys file there when dnssec-validation auto is in use; without the directive, the file is written to named's working directory instead.