bind 9.12 on pfsense



  • I had installed bind 9.12 on pfSense, one as master and another as slave. I configured my zones on the master and added a reverse zone, for example 24/29.3.2.1, and added a custom view to that reverse zone. In the directory it does not create the folder/file correctly under /cf/named/etc/namedb/master/Global; I had to create /cf/named/etc/namedb/master/Global/24 by hand, and after that, restarting bind or making a modification, the file is created.

    The same behaviour happened on the slave: I set the correct permissions on the named directory and added a custom view, but the folder/file is not created, so on the slave I see general: error: dumping master file: /etc/namedb/slave/Internal-Trusted/16/tmp-wvFomakj9f: open: file not found each time bind is refreshed or restarted. Internal-Trusted is another custom view and 16 is the network referenced by the reverse zone. That reverse zone is causing problems resolving and refusing queries... so I need some help from someone please, thanks.



  • With this :

    @luisenrique said in bind 9.12 on pfsense:

    error: dumping master file: /etc/ ...

    you should find this: https://forum.ubuntu-fr.org/viewtopic.php?id=260293 => It's probably a permission error.
    Do your folder names also have the correct owner/permissions?

    Btw: why did you remove all the paragraph breaks? Your text is pretty unreadable.


  • LAYER 8 Global Moderator

    huh? Could you please post screenshots of your configs or the actual zone files, etc.

    Tried reading this a few times and not clear on what the problem is - are you saying the reverse zone is not answering queries? On either master or slave? Or from the public internet or locally? Public PTR has to be pointed to the NS at the root level.. For example ARIN would be used to point your netblock to your NS for the PTRs



  • @johnpoz said in bind 9.12 on pfsense:

    • are you saying the reverse zone is not answering queries? On either master or slave? Or from the public internet or locally? Public PTR has to be pointed to the NS at the root level.. For example ARIN would be used to point your netblock to your NS for the PTRs

    Sorry about my English. I will post some captures of my config. I had set the correct permissions on /etc/named/ and /cf/named/etc/


  • LAYER 8 Global Moderator

    why would you be messing with permissions of folders on pfsense?



  • permission, ok, but the owner is also ok ?



  • the owner and permissions under :

    [2.4.4-RELEASE][root@ns1.bicsa.cu]/root: ls -l /etc/namedb/
    total 28
    drwxrwx--- 2 bind bind 512 Jan 15 15:54 keys
    drwxrwx--- 4 bind bind 512 Jan 16 16:34 master
    -rwxrwx--- 1 bind bind 5186 Jan 11 17:34 named.conf
    -rwxrwx--- 1 bind bind 3316 Dec 7 12:01 named.root
    -rwxrwx--- 1 bind bind 163 Jan 11 17:34 rndc.conf
    drwxrwx--- 4 bind bind 512 Jan 11 17:38 slave
    [2.4.4-RELEASE][root@ns1.bicsa.cu]/root: ls -l /cf/named/
    dev/ etc/ var/
    [2.4.4-RELEASE][root@ns1.bicsa.cu]/root: ls -l /cf/named/
    total 9
    drwxr-xr-x 8 bind bind 512 Jan 17 11:22 dev
    drwxr-xr-x 3 bind bind 512 Dec 7 12:01 etc
    drwxr-xr-x 6 bind bind 512 Dec 7 12:01 var

    Which is the real directory confuses me: /etc/named or /cf/named/? On the slave only /cf/named/ exists. The version of pfSense is the same, and bind too.



  • @johnpoz said in bind 9.12 on pfsense:

    ried reading this a few times and not clear on what the problem is - are you saying the reverse zone is not answering queries? On either master or slave? Or from the public internet or locally? Public PTR has to be pointed to the NS at the

    Sorry again. On my master the reverse zone responds fine, but not on my slave. I used the sync tab to add the slave, etc. I had the ACL and set the transfer permissions, so looking on the slave it creates the zone, but I see the error mentioned before:
    general: error: dumping master file: /etc/namedb/slave/Internal-Trusted/16/tmp-wvFomakj9f: open: file not found...
    The forward zones are responding on both servers too; the permissions on the slave are fine, I think.
    Thanks for your time, and sorry again for my English. I prefer the English forum, the real cracks are here.



  • @johnpoz
    here goes my config:
    #Bind pfsense configuration
    #Do not edit this file!!!

    key "rndc-key" {
    algorithm hmac-md5;
    secret "**************";
    };

    controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
    };

    options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    statistics-file "/var/log/named.stats";
    max-cache-size 512M;
    rate-limit {
    responses-per-second 15;
    log-only no;
    };
    listen-on-v6 port 53 { ::1; };
    listen-on port 53 { 10.0.0.6; 200.55.178.28; 127.0.0.1; };
    notify yes;
    version none;
    auth-nxdomain yes;
    empty-zones-enable no;
    zone-statistics yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    #directory "/cf/named/var";
    #dump-file "/cf/named/var/data/cache_dump.db";
    #statistics-file "/cf/named/var/data/named_stats.txt";
    #memstatistics-file "/cf/named/var/data/named_mem_stats.txt";
    };

    logging {
    channel custom {
    syslog daemon;
    print-time no;
    print-severity yes;
    print-category yes;
    severity dynamic;
    };
    category default { custom; };
    category general { custom; };
    category database { custom; };
    category security { custom; };
    category config { custom; };
    category resolver { custom; };
    category xfer-in { custom; };
    category xfer-out { custom; };
    category notify { custom; };
    category client { custom; };
    category unmatched { custom; };
    category queries { custom; };
    category network { custom; };
    category update { custom; };
    category dispatch { custom; };
    category dnssec { custom; };
    category lame-servers { custom; };
    };

    acl "ns2" {
    200.55.136.19;
    };

    view "Internal-Trusted" {
    recursion yes;
    match-clients { ns2; localhost; localnets; };
    allow-recursion { ns2; localhost; localnets; };
    ###

    zone "bicsa.cu" {
    	type master;
    	file "/etc/namedb/master/Internal-Trusted/bicsa.cu.DB";
    	allow-query { any; };
    	allow-transfer { ns2; localhost; localnets; };
    	allow-update { ns2; localhost; localnets; };
    
    	# look for dnssec keys here:
    	key-directory "/etc/namedb/keys";
    
    	# publish and activate dnssec keys:
    	auto-dnssec maintain;
    
    	# use inline signing:
    	inline-signing yes;
    
    };
    
    zone "bicsa.co.cu" {
    	type master;
    	file "/etc/namedb/master/Internal-Trusted/bicsa.co.cu.DB";
    	allow-query { any; };
    	allow-transfer { ns2; localhost; localnets; };
    	allow-update { ns2; localhost; localnets; };
    
    	# look for dnssec keys here:
    	key-directory "/etc/namedb/keys";
    
    	# publish and activate dnssec keys:
    	auto-dnssec maintain;
    
    	# use inline signing:
    	inline-signing yes;
    
    };
    
    zone "ibicsa.co.cu" {
    	type master;
    	file "/etc/namedb/master/Internal-Trusted/ibicsa.co.cu.DB";
    	allow-query { any; };
    	allow-transfer { ns2; localhost; localnets; };
    	allow-update { ns2; localhost; localnets; };
    };
    
    zone "16/29.136.55.200.in-addr.arpa" {
    	type master;
    	file "/etc/namedb/master/Internal-Trusted/16/29.136.55.200.DB";
    	allow-query { ns2; localhost; localnets; any; };
    	allow-transfer { ns2; localhost; localnets; };
    	allow-update { ns2; localhost; localnets; };
    };
    
    zone "." {
    	type hint;
    	file "/etc/namedb/named.root";
    };
    

    };
    view "Global" {
    recursion no;
    match-clients { any; };
    allow-recursion { none; };

    zone "bicsa.cu" {
    	type master;
    	file "/etc/namedb/master/Global/bicsa.cu.DB";
    	allow-query { any; };
    	allow-transfer { ns2; localhost; localnets; };
    	allow-update { ns2; localhost; localnets; };
    
    	# look for dnssec keys here:
    	key-directory "/etc/namedb/keys";
    
    	# publish and activate dnssec keys:
    	auto-dnssec maintain;
    
    	# use inline signing:
    	inline-signing yes;
    
    };
    
    zone "bicsa.co.cu" {
    	type master;
    	file "/etc/namedb/master/Global/bicsa.co.cu.DB";
    	allow-query { any; };
    	allow-transfer { ns2; localhost; localnets; };
    	allow-update { ns2; localhost; localnets; };
    
    	# look for dnssec keys here:
    	key-directory "/etc/namedb/keys";
    
    	# publish and activate dnssec keys:
    	auto-dnssec maintain;
    
    	# use inline signing:
    	inline-signing yes;
    
    };
    
    zone "ibicsa.co.cu" {
    	type master;
    	file "/etc/namedb/master/Global/ibicsa.co.cu.DB";
    	allow-query { any; };
    	allow-transfer { ns2; localhost; localnets; };
    	allow-update { ns2; localhost; localnets; };
    };
    
    zone "24/29.178.55.200.in-addr.arpa" {
    	type master;
    	file "/etc/namedb/master/Global/24/29.178.55.200.DB";
    	allow-query { any; };
    	allow-transfer { ns2; };
    	allow-update { ns2; localhost; localnets; };
    };
    
    zone "16/29.136.55.200.in-addr.arpa" {
    	type master;
    	file "/etc/namedb/master/Global/16/29.136.55.200.DB";
    	allow-query { ns2; localhost; localnets; any; };
    	allow-transfer { ns2; localhost; localnets; };
    	allow-update { ns2; localhost; localnets; };
    };
    
    zone "." {
    	type hint;
    	file "/etc/namedb/named.root";
    };
    

    };
    ###########################################################
    $TTL 1200
    ;
    $ORIGIN bicsa.cu.

    ; Database file bicsa.cu.DB for bicsa.cu zone.
    ; Do not edit this file!!!
    ; Zone version 2019011621
    ;
    bicsa.cu. IN SOA ns1.bicsa.cu. nsadmin.bicsa.cu. (
    2019011621 ; serial
    12h ; refresh
    1h ; retry
    4w ; expire
    30m ; default_ttl
    )

    ;
    ; Zone Records
    ;
    @ IN NS ns1.bicsa.cu.
    @ IN A 200.55.178.28
    ns1 IN A 200.55.178.28
    ns2 IN A 200.55.136.19
    @ IN NS ns2.bicsa.cu.
    ksmg IN A 200.55.178.30
    @ IN MX 10 ksmg.bicsa.cu.
    _dmarc IN TXT "v=DMARC1; pct=50; p=quarantine; sp=quarantine; adkim=s; aspf=s"
    default._domainkey IN TXT "v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0fsGuT31yOE+AQlzZm6WtmC9v1kKRa5PD+VW5eNmO7Sci2h12k/afKngvx+mc8hfCpr4Jp4iR7gKmBBhdzUa0LG6FyTeAGXzxlUghn5JKlzMP/fT2LcMrfbtnFQE7hkFJqEUANH48ILJc6HDZ0RtJxNOLMcAwfw+KMlSCwZWFzWCnEIVSo6TNz2BL+iwkO6OrdJHtoe+kO4JJp""jbCdcCsCWN06ZJmG7QIexZMzeGHFodQhFxzv30gBGCzyUouOcHRR7yY7QrjMuFrwn3+m1eTZdDQlFYYGAXhZcWKSjCdTFaFDlrZk2wkuxZA3aJZYlnmlLuesaDWtyGRJJCr66QowIDAQAB"
    enlinea IN A 200.55.178.26
    @ IN TXT "v=spf1 mx a ip4:200.55.136.16/29 include:bicsa.co.cu include:ibicsa.co.cu -all"
    www IN A 200.55.178.26
    servicios IN A 200.55.178.26
    mx IN A 200.55.178.30
    ################################################################################
    $TTL 1200
    ;
    $ORIGIN 24/29.178.55.200.in-addr.arpa.

    ; Database file 24/29.178.55.200.DB for 24/29.178.55.200 zone.
    ; Do not edit this file!!!
    ; Zone version 2019011654
    ;
    @ IN SOA ns1.bicsa.co.cu. nsadmin.bicsa.cu. (
    2019011654 ; serial
    1d ; refresh
    2h ; retry
    4w ; expire
    1h ; default_ttl
    )

    ;
    ; Zone Records
    ;
    IN NS ns1.bicsa.co.cu.
    24/29 IN NS ns1.bicsa.co.cu.
    30 IN PTR ksmg.bicsa.cu.
    28 IN PTR ns1.bicsa.co.cu.
    #####################################################################
    $TTL 1200
    ;
    $ORIGIN 16/29.136.55.200.in-addr.arpa.

    ; Database file 16/29.136.55.200.DB for 16/29.136.55.200 zone.
    ; Do not edit this file!!!
    ; Zone version 2019011608
    ;
    @ IN SOA ns2.bicsa.co.cu. nsadmin.bicsa.cu. (
    2019011608 ; serial
    3600 ; refresh
    600 ; retry
    86400 ; expire
    3600 ; default_ttl
    )

    ;
    ; Zone Records
    ;
    IN NS ns2.bicsa.co.cu.
    16/29 IN NS ns1.bicsa.co.cu.
    19 IN PTR ns2.bicsa.co.cu.
    #########################################################################
    I'm using the bind package on two pfSense servers; one is the primary. On the sync tab I added my secondary NS server and the config syncs automatically fine. So on the slave server I see:
    Jan 18 09:38:56 named 62097 general: error: dumping master file: /etc/namedb/slave/Global/24/tmp-v3Fcqgo1Kr: open: file not found
    Jan 18 09:38:05 named 62097 general: error: dumping master file: /etc/namedb/slave/Internal-Trusted/16/tmp-QgBxoV86zy: open: file not found
    Jan 18 09:38:05 named 62097 general: error: dumping master file: /etc/namedb/slave/Global/16/tmp-pCOM04kjjg: open: file not found
    Jan 18 09:38:04 named 62097 general: error: dumping master file: /etc/namedb/slave/Internal-Trusted/24/tmp-cvzvMFVdw8: open: file not found
    I set the owner and permissions of the files and directories to the bind(53) user, granting the correct permissions, but when I make a reverse query to my slave NS server it is refused:
    [root@temis ~]# dig @ns2.bicsa.cu -x 200.55.178.30

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> @ns2.bicsa.cu -x 200.55.178.30
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 61185
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;30.178.55.200.in-addr.arpa. IN PTR

    ;; Query time: 6 msec
    ;; SERVER: 200.55.136.19#53(200.55.136.19)
    ;; WHEN: Fri Jan 18 11:23:54 2019
    ;; MSG SIZE rcvd: 44
    ####################################
    Jan 18 10:24:59 named 34117 queries: info: client @0x802c70a00 200.55.178.30#56654 (bicsa.cu): view Global: query: bicsa.cu IN NS -E(0)DC (200.55.136.19)
    Jan 18 10:24:58 named 34117 query-errors: info: client @0x802c70a00 200.55.178.30#61849 (30.178.55.200.in-addr.arpa): view Global: query failed (REFUSED) for 30.178.55.200.in-addr.arpa/IN/PTR at query.c:7145
    Jan 18 10:24:58 named 34117 security: info: client @0x802c70a00 200.55.178.30#61849 (30.178.55.200.in-addr.arpa): view Global: query (cache) '30.178.55.200.in-addr.arpa/PTR/IN' denied
    Jan 18 10:24:58 named 34117 queries: info: client @0x802c70a00 200.55.178.30#61849 (30.178.55.200.in-addr.arpa): view Global: query: 30.178.55.200.in-addr.arpa IN PTR + (200.55.136.19)
    ################################################
    Other queries to the slave server are responding as expected, fine I think... only reverse queries are refused on the slave; the master is responding fine....
    [root@temis ~]# dig @ns2.bicsa.cu bicsa.cu txt

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> @ns2.bicsa.cu bicsa.cu txt
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4810
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;bicsa.cu. IN TXT

    ;; ANSWER SECTION:
    bicsa.cu. 1200 IN TXT "v=spf1 mx a ip4:200.55.136.16/29 include:bicsa.co.cu include:ibicsa.co.cu -all"

    ;; AUTHORITY SECTION:
    bicsa.cu. 1200 IN NS ns2.bicsa.cu.
    bicsa.cu. 1200 IN NS ns1.bicsa.cu.

    ;; ADDITIONAL SECTION:
    ns1.bicsa.cu. 1200 IN A 200.55.178.28
    ns2.bicsa.cu. 1200 IN A 200.55.136.19

    ;; Query time: 7 msec
    ;; SERVER: 200.55.136.19#53(200.55.136.19)
    ;; WHEN: Fri Jan 18 11:28:01 2019
    ;; MSG SIZE rcvd: 185
    #############################################
    In the Global view settings I match any client and disable recursion. I omit the config of my slave DNS server because it is synced fine, so it's supposed to be fine.



  • PS: if I make a query like:
    dig @ns2.bicsa.co.cu -x 200.55.178.24/29.30
    ;;##

    [root@temis ~]# dig @ns2.bicsa.co.cu -x 200.55.178.24/29.30
    
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.1 <<>> @ns2.bicsa.co.cu -x 200.55.178.24/29.30
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45248
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available
    
    ;; QUESTION SECTION:
    ;30.24/29.178.55.200.in-addr.arpa. IN   PTR
    
    ;; ANSWER SECTION:
    30.24/29.178.55.200.in-addr.arpa. 1200 IN PTR   ksmg.bicsa.cu.
    
    ;; AUTHORITY SECTION:
    24/29.178.55.200.in-addr.arpa. 1200 IN  NS      ns1.bicsa.co.cu.
    
    ;; ADDITIONAL SECTION:
    ns1.bicsa.co.cu.        1200    IN      A       200.55.178.28
    
    ;; Query time: 287 msec
    ;; SERVER: 200.55.136.19#53(200.55.136.19)
    ;; WHEN: Fri Jan 18 14:20:58 2019
    ;; MSG SIZE  rcvd: 120
    ;;##
    

    As I said, if I make the query dig @ns2.bicsa.cu -x 200.55.178.30 it is refused.
    So am I missing something? Or is this the correct behaviour, or do I have the zone name wrong, or am I not making the query correctly? Sorry, thanks in advance.
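Added example (not code from any poster or from the pfSense bind package) modelling the RFC 2317 setup in this thread: the parent-zone CNAMEs a /29 delegation needs, why 30.178.55.200.in-addr.arpa is REFUSED in the Global view while 30.24/29.178.55.200.in-addr.arpa answers, and how the "/" in the zone name turns into the Global/24 subdirectory seen in the "file not found" log lines. Addresses and zone names are taken from the posts above; the helper names are my own.

```python
import ipaddress
import posixpath

# Constructed from the thread: the /29 delegated to ns1/ns2, the zones the
# Global view serves, and the address the poster queried with "dig -x".
DELEGATED_NET = "200.55.178.24/29"
GLOBAL_ZONES = ["bicsa.cu", "bicsa.co.cu", "ibicsa.co.cu",
                "24/29.178.55.200.in-addr.arpa", "16/29.136.55.200.in-addr.arpa"]

def classless_zone(prefix):
    """RFC 2317 zone name for a sub-/24 block, e.g. 24/29.178.55.200.in-addr.arpa."""
    net = ipaddress.ip_network(prefix, strict=True)
    if not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 delegation is for blocks smaller than a /24")
    o = str(net.network_address).split(".")
    return f"{o[3]}/{net.prefixlen}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"

def parent_cnames(prefix):
    """CNAMEs the /24 owner (178.55.200.in-addr.arpa, normally the ISP) must publish
    so that a plain X.178.55.200.in-addr.arpa PTR query lands in the delegated zone."""
    zone = classless_zone(prefix)
    return [f"{str(h).split('.')[3]} IN CNAME {str(h).split('.')[3]}.{zone}."
            for h in ipaddress.ip_network(prefix)]

def dig_x_name(addr):
    """Name 'dig -x' asks for: 30.178.55.200.in-addr.arpa for 200.55.178.30."""
    return ipaddress.ip_address(addr).reverse_pointer

def rfc2317_name(addr, prefix):
    """Owner name that really holds the PTR inside the /29 zone (the CNAME target)."""
    net, ip = ipaddress.ip_network(prefix), ipaddress.ip_address(addr)
    if ip not in net:
        raise ValueError(f"{addr} is outside {prefix}")
    return f"{str(ip).split('.')[3]}.{classless_zone(prefix)}"

def authoritative_zone(qname, zones):
    """Longest zone in the view containing qname, or None when there is none:
    with 'recursion no' that None is exactly the REFUSED in the poster's dig."""
    q = qname.rstrip(".").lower()
    hits = [z for z in zones if q == z or q.endswith("." + z)]
    return max(hits, key=len) if hits else None

def zone_file_dir(view_dir, zone):
    """pfSense names the zone file after the zone, so the '/' in '24/29...' becomes a
    subdirectory that must exist before named can write its tmp-XXXX dump file."""
    stem = zone[:-len(".in-addr.arpa")] if zone.endswith(".in-addr.arpa") else zone
    return posixpath.dirname(posixpath.join(view_dir, stem + ".DB"))
```

The slave only ever sees 30.178.55.200.in-addr.arpa, so without the ISP's CNAMEs in the /24 parent it has nothing to answer from, and the missing 24/ and 16/ subdirectories under each view's slave directory explain the dump errors.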