New delegation to UNIX continued


Scot

Thanks to William and Kevin for pointing me in the right direction on
delegation vs stub zone on my earlier post.

I am still not getting the results I expect to see and may not have all I
need in place to get things running.

Basically, I am trying to help set up a MAPS server for a group that does
not have $$ for Postini.

W2K server is running DNS and Active Directory for their environment.

MAPS program is up and running on local UNIX box. Running dig at local host
returns:
[root at maps root]# dig @localhost 6.60.255.68.abuse.nonprofit.local

; <<>> DiG 9.2.1 <<>> @localhost 6.60.255.68.abuse.nonprofit.local
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40548
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;6.60.255.68.abuse.nonprofit.local. IN A

;; ANSWER SECTION:
6.60.255.68.abuse.nonprofit.local. 3600 IN A 127.0.0.2

;; Query time: 24 msec
;; SERVER: 127.0.0.1#53(localhost)
;; WHEN: Wed Oct 6 08:27:58 2004
;; MSG SIZE rcvd: 68

(The 127.0.0.2 is the correct answer for an IP listed in the abusive sender
database on the MAPS box. If the address is not listed you do not get the
127.0.0.2.)

HOWEVER running dig using the Wintel DNS server gives:
[root at maps root]# dig 10.10.10.1 6.60.255.68.abuse.nonprofit.local +nord

; <<>> DiG 9.2.1 <<>> 10.10.10.1
6.60.255.68.abuse.nonprofit.local +nord
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;10.10.10.1. IN A

;; AUTHORITY SECTION:
... 8745 IN SOA a.root-servers.net.
nstld.verisign-grs.com. 0000000000 0000 000 000000 000

;; Query time: 23 msec
;; SERVER: 10.10.10.1#53(10.10.10.1)
;; WHEN: Wed Oct 6 08:35:35 2004
;; MSG SIZE rcvd: 103

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48322
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;6.60.255.68.abuse.nonprofit.local. IN A

;; AUTHORITY SECTION:
abuse.nonprofit.local. 3600 IN NS maps.nonprofit.local.

;; ADDITIONAL SECTION:
maps.nonprofit.local. 3600 IN A 10.10.10.10

;; Query time: 66 msec
;; SERVER: 10.10.10.1#53(10.10.10.1)
;; WHEN: Wed Oct 6 08:35:35 2004
;; MSG SIZE rcvd: 109

If I am reading the AUTHORITY SECTION correctly, the W2K machine seems to
delegate zone "abuse" to the
machine "maps", just not sure why listed addresses are not returning
127.0.0.2.

Following is an excerpt from some online directions for the MAPS program. I
am just not totally clear how we could make some of the changes on a Windows
box. Can zones be manually edited as described?

Configure the DNS server(s) your mail server(s) use to forward
dnsbl.njabl.org queries to your rbldnsd server(s). Add the following to
named.conf:
zone "dnsbl.njabl.org" IN {
    type forward;
    forward first;
    forwarders {
        127.0.0.1 port 530;
    };
};
If you're running rbldnsd on a dedicated system (not an existing DNS
server), adjust the IP in the forwarders statement appropriately. With the
setup above, if your local rbldnsd becomes unavailable, dnsbl.njabl.org
queries will fall back to the root-servers. If your network generates a
large volume of queries (thousands/sec), it may make sense to run multiple
rbldnsd copies of dnsbl.njabl.org on several systems with the rsync update
slightly staggered. rbldnsd will not answer queries while reloading the zone
data into memory. Depending on the speed of your system and the size of the
zone data, reloading could make the rbldnsd server unavailable for several
seconds.

If you're running bind 8.x, the port option above is not supported. You'll
need to dedicate an IP address to rbldnsd and make bind not listen on that
IP by telling it which IPs to listen on. i.e. Setup an IP alias of 127.0.0.2
on your lo interface. Replace the bind config above with:
options {
    listen-on {
        x.x.x.x;
        127.0.0.1;
    };
};

zone "dnsbl.njabl.org" IN {
    type forward;
    forward first;
    forwarders {
        127.0.0.2;
    };
};
replacing x.x.x.x with the IP address of your server. If your server has
many IPs, you can list each one, or use CIDR notation such as x.x.x.0/24.

TIA for any help.
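The two dig runs above differ in more than the server they ask. The first query carries the recursion-desired flag (`rd` in the response flags) and gets an answer; the second was run with `+nord`, so the response flags are only `qr ra`: the W2K server was not asked to recurse, and an authoritative server that is not asked to recurse hands back the delegation (the NS record for `abuse.nonprofit.local.` in the AUTHORITY section plus the glue A record) rather than following it. The following script is an added example, not part of the original post or of rbldnsd: it builds the reversed-octet DNSBL query name (the thread's `6.60.255.68.abuse.nonprofit.local` corresponds to the address 68.255.60.6) and classifies a dig response as "listed" (A record 127.0.0.2 in ANSWER, as the post describes), "not listed" (NXDOMAIN), or a referral that the client has to follow itself. The three sample dig outputs are constructed, modeled on the ones in the thread, so the script runs offline; the function names and the classification labels are this example's own.

```python
"""DNSBL query-name builder and dig-output classifier (added example)."""
import ipaddress
import re

# Constructed sample dig outputs, modeled on the thread's output.
SAMPLE_LISTED = """\
; <<>> DiG 9.2.1 <<>> @localhost 6.60.255.68.abuse.nonprofit.local
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40548
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;6.60.255.68.abuse.nonprofit.local. IN A

;; ANSWER SECTION:
6.60.255.68.abuse.nonprofit.local. 3600 IN A 127.0.0.2
"""

SAMPLE_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48322
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;6.60.255.68.abuse.nonprofit.local. IN A

;; AUTHORITY SECTION:
abuse.nonprofit.local. 3600 IN NS maps.nonprofit.local.

;; ADDITIONAL SECTION:
maps.nonprofit.local. 3600 IN A 10.10.10.10
"""

SAMPLE_NOT_LISTED = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12345
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1.2.0.192.abuse.nonprofit.local. IN A

;; AUTHORITY SECTION:
abuse.nonprofit.local. 3600 IN SOA maps.nonprofit.local. hostmaster.nonprofit.local. 1 3600 900 604800 300
"""


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Return the DNSBL lookup name: the IPv4 octets reversed, then the zone.

    68.255.60.6 in zone abuse.nonprofit.local -> 6.60.255.68.abuse.nonprofit.local
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def parse_dig(output: str):
    """Pull status, response flags and the record sections out of dig text."""
    status = re.search(r"status: (\w+)", output).group(1)
    flags = re.search(r"flags: ([a-z ]*);", output).group(1).split()
    sections, current = {}, None
    for line in output.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current and line and not line.startswith(";"):
            sections[current].append(line.split())  # name ttl class type rdata
    return status, flags, sections


def classify_dig(output: str):
    """Classify a DNSBL response.

    Returns (label, detail): ("listed", "127.0.0.2"), ("not-listed", None),
    ("referral-no-recursion", ns) when the query was sent without RD set,
    ("referral", ns) when the server declined to recurse, or ("unknown", None).
    """
    status, flags, sections = parse_dig(output)
    answers = [rr for rr in sections.get("ANSWER", []) if rr[3] == "A"]
    if answers:
        return ("listed", answers[0][4])
    if status == "NXDOMAIN":
        return ("not-listed", None)
    ns_records = [rr for rr in sections.get("AUTHORITY", []) if rr[3] == "NS"]
    if status == "NOERROR" and ns_records:
        label = "referral" if "rd" in flags else "referral-no-recursion"
        return (label, ns_records[0][4])
    return ("unknown", None)


if __name__ == "__main__":
    print(dnsbl_query_name("68.255.60.6", "abuse.nonprofit.local"))
    for name, sample in [("listed", SAMPLE_LISTED), ("referral", SAMPLE_REFERRAL),
                         ("not listed", SAMPLE_NOT_LISTED)]:
        print(name, "->", classify_dig(sample))
```

When the classifier reports `referral-no-recursion`, the dig command itself (here, `+nord`) suppressed recursion; repeating the query with recursion enabled (`@server` and no `+nord`) is the test of whether the delegation actually works for a recursing client such as a mail server.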
 
Scot said:
Thanks to William and Kevin for pointing me in the right direction on
delegation vs stub zone on my earlier post.

I am still not getting the results I expect to see and may not have
all I need in place to get things running.
TIA for any help.

I didn't see the previous thread, but I'm wondering whether you decided to
use a stub zone (assuming you have Windows 2003 DNS) or did you use a
delegation from Win2000 to your BIND machine?

How did you set up the delegation or stub zone? From what I see, all you
needed to do was create the nonprofit.local zone and delegate abuse to the
Unix box, unless I'm missing something simple.

Btw, there's a really inexpensive way (especially compared to Postini or
USA.net, or others of the like) to do this and it's automatically updated.
It's called ORF by Vamsoft. www.vamsoft.com. Runs on an Exchange server.
Costs only USD$99.00 for up to four servers. I use this for a couple of my
clients. They love it. Kills about 90% of the trash.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Ace said:
I didn't see the previous thread, but I'm wondering whether you
decided to use a stub zone (assuming you have Windows 2003 DNS) or
did you use a delegation from Win2000 to your BIND machine?

Delegation on W2K
How did you set up the delegation or stub zone? From what I see, all
you needed to do was create the nonprofit.local zone and delegate
abuse to the Unix box, unless I'm missing something simple.

setup:
Open the forward lookup zone, nonprofit.local, right click in the zone,
select New delegation, name the delegation abuse, give the delegation the
FQDN and IP address of the Unix DNS server.
Btw, there's a really inexpensive way (especially compared to Postini
or USA.net, or others of the like) to do this and it's automatically
updated. It's called ORF by Vamsoft. www.vamsoft.com. Runs on an
Exchange server. Costs only USD$99.00 for up to four servers. I use
this for a couple of my clients. They love it. Kills about 90% of the
trash.

An interesting option. But I was trying to stop the traffic BEFORE it hit
the Exchange server.
 
Scot said:
Delegation on W2K

setup:
Open the forward lookup zone, nonprofit.local, right click in the
zone, select New delegation, name the delegation abuse, give the
delegation the FQDN and IP address of the Unix DNS server.


An interesting option. But I was trying to stop the traffic BEFORE
it hit the Exchange server.

The delegation sounds fine. But you're implying MS DNS is not asking your
BIND server for the record through the delegation? Then I'm curious: in the MS
DNS server, is the delegated folder grayed out? (which it should be).

I'm curious about the Authority Section as well:
;; AUTHORITY SECTION:
abuse.nonprofit.local. 3600 IN NS maps.nonprofit.local.

;; ADDITIONAL SECTION:
maps.nonprofit.local. 3600 IN A 10.10.10.10

In your delegation, you delegated to the FQDN of the BIND server. Is it
called "maps.nonprofit.local"? It's almost as if it's a CNAME record?

Try to do that in the .dns file. If the zone is AD Integrated, I would
suggest to toggle it back to a Primary, make the changes, see if it works,
then toggle it back to AD Integrated.

Ace
 
Ace said:
The delegation sounds fine. But you're implying MS DNS is not asking
your BIND server for the record through the delegation? Then I'm
curious: in the MS DNS server, is the delegated folder grayed out?
(which it should be).

Yes the folder is grayed out.
I'm curious about the Authority Section as well:
;; AUTHORITY SECTION:
abuse.nonprofit.local. 3600 IN NS maps.nonprofit.local.

;; ADDITIONAL SECTION:
maps.nonprofit.local. 3600 IN A 10.10.10.10

In your delegation, you delegated to the FQDN of the BIND server. Is
it called "maps.nonprofit.local"? It's almost as if it's a CNAME
record?

The UNIX box is not running BIND. It is running an abusive host listing
program called rbldnsd http://www.corpit.ru/mjt/rbldnsd.html . rbldnsd is a
small and fast DNS daemon which is especially made to serve DNSBL zones.
The UNIX box is called "maps". There is an "A" record in the
nonprofit.local domain for maps. There is a delegation to "abuse", when I
select properties for "abuse" it lists "maps.nonprofit.local" on the name
server tab.

There does not appear to be any CNAME associated with "maps", and I tried to
add a CNAME just to see what would happen and got an error: "A new record
cannot be created. A CNAME record cannot be added to this DNS name. The
DNS name contains records that are incompatible with the CNAME record."
Try to do that in the .dns file. If the zone is AD Integrated, I would
suggest to toggle it back to a Primary, make the changes, see if it
works, then toggle it back to AD Integrated.

There is a CACHE.DNS file and a dns.txt file (empty) in
C:\WINNT\system32\dns. There are some files in \backup which contain what
appears to be the correct data. Where is the .dns file you want me to edit?

If I change back to a Primary from AD don't I have to do that with all the
servers?
 
Scot said:
Yes the folder is grayed out.

The UNIX box is not running BIND. It is running an abusive host
listing program called rbldnsd http://www.corpit.ru/mjt/rbldnsd.html
. rbldnsd is a small and fast DNS daemon which is especially made to
serve DNSBL zones. The UNIX box is called "maps". There is an "A"
record in the nonprofit.local domain for maps. There is a delegation
to "abuse", when I select properties for "abuse" it lists
"maps.nonprofit.local" on the name server tab.

There does not appear to be any CNAME associated with "maps", and I
tried to add a CNAME just to see what would happen and got an error:
"A new record cannot be created. A CNAME record cannot be added to
this DNS name. The DNS name contains records that are incompatible
with the CNAME record."


There is a CACHE.DNS file and a dns.txt file (empty) in
C:\WINNT\system32\dns. There are some files in \backup which contain
what appears to be the correct data. Where is the .dns file you want
me to edit?

If I change back to a Primary from AD don't I have to do that with
all the servers?


Although I've heard of rbldnsd, I haven't used it, so I'm not able to help
you on that end. If you configured the delegation fine, and the rbldnsd
server is not accepting it, then I'm to assume something is up with a
setting.

If you toggle one to a Primary, the zone will be removed from AD, so all
machines will reflect that. Just do it on the one, then try the entry once
the zone shows up in system32\dns, then switch it back to AD Integrated.
Make sure the other servers have the zone set after you do that.

Ace
 