[MaraDNS list] Configuring MaraDNS and Deadwood to work together

Sam Trenholme strenholme.usenet at gmail.com
Sun Oct 9 18:15:22 EDT 2011


Excellent.  To be honest, Harlan, I myself had exactly the same problem
when setting up Deadwood on one of my VMs a couple of months ago.
Don't thank me for my help; thank JFC Morfin whose generous
sponsorship makes it possible for me to spend more than one day a
month babysitting MaraDNS.

I have added some code so Deadwood will refuse to start if one has a
bind_address not in recursive_acl (telling people what the offending
bind_address is):

http://maradns.org/deadwood/snap/deadwood-S-20111009-1.tar.bz2

And, on that note, I am done with MaraDNS and Deadwood updates until
the end of the month, barring receiving more sponsorship.  I have been
ignoring my beautiful wife because of this issue.

I would like to again thank JFC Morfin for his generous sponsorship,
and for letting me tell my wife "Sorry about ignoring you, but I did
get paid for this work".  :)

- Sam

2011/10/9 Harlan H. Bloom <harlan at bloomenterprises.org>:
> I must have missed in the documentation that I needed to have addresses in both the bind_address and the recursive_acl, making sure the addresses in the recursive_acl had a "/16" after them.  Things are working much better now and I can put the new DNS server into production.
>
> Thank You for your time and attention.
>
> ----- Original Message -----
> From: "Sam Trenholme" <strenholme.usenet at gmail.com>
> To: "maradns list" <list at maradns.org>
> Sent: Sunday, October 9, 2011 3:45:05 PM
> Subject: Re: [MaraDNS list] Configuring MaraDNS and Deadwood to work together
>
> Look over the default dwood3rc file included with your copy of
> Deadwood, and try and figure out what each of the parameters does.  In
> particular, your issue is that Deadwood works fine with 127.0.0.x IPs
> but doesn't work with other IPs.
>
> Note to self: One of these days, add code to raz users when they try
> and have a bind_address that isn't in the recursive_acl.  Better yet,
> refuse to start Deadwood if it has a bind_address not in its
> recursive_acl
>
> - Sam
>
> 2011/10/7 Harlan H. Bloom <harlan at bloomenterprises.org>:
>> Hi Sam,
>>  This suggestion didn't work either.  I have several runs of dig below.
>>
>> Thanks,
>>
>> Harlan...
>>
>> dwoodrc:
>> bind_address="127.0.0.1" # IP we bind to
>> chroot_dir = "/etc/maradns" # Directory we run program from (not used in Win32)
>>
>> root_servers = {}
>> root_servers["."]="198.41.0.4, 192.228.79.201, 192.33.4.12, 128.8.10.90,"
>> root_servers["."]+="192.203.230.10, 192.5.5.241, 192.112.36.4, 128.63.2.53, "
>> root_servers["."]+="192.36.148.17, 192.58.128.30, 193.0.14.129, 199.7.83.42, "
>> root_servers["."]+="202.12.27.33"
>> root_servers["vpn."]="127.0.0.2"
>> recursive_acl = "127.0.0.1/16" # Who is allowed to use the cache
>>
>> maxprocs = 8 # Maximum number of pending requests
>> handle_overload = 1 # Send SERVER FAIL when overloaded
>>
>> maradns_uid = 99 # UID Deadwood runs as
>> maradns_gid = 99 # GID Deadwood runs as
>>
>> maximum_cache_elements = 60000
>>
>> cache_file = "dw_cache"
>> resurrections = 1
>>
>> mararc:
>> hide_disclaimer="YES"
>>
>> csv2 = {}
>> csv2["vpn."] = "db.vpn"
>>
>> ipv4_bind_addresses = "127.0.0.2"
>> chroot_dir = "/etc/maradns"
>>
>> command:
>> dig @127.0.0.1 mail.vpn
>>
>> output:
>> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 mail.vpn
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62025
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;mail.vpn.                      IN      A
>>
>> ;; AUTHORITY SECTION:
>> mail.vpn.               0       IN      SOA     z.mail.vpn. y.mail.vpn. 1 1 1 1 1
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri Oct  7 23:10:35 2011
>> ;; MSG SIZE  rcvd: 66
>>
>> command:
>> dig @127.0.0.2 mail.vpn
>>
>> what output should be:
>> ; <<>> DiG 9.7.3 <<>> @127.0.0.2 mail.vpn
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21770
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>>
>> ;; QUESTION SECTION:
>> ;mail.vpn.                      IN      A
>>
>> ;; ANSWER SECTION:
>> mail.vpn.               86400   IN      CNAME   mailtmp1.vpn.
>> mailtmp1.vpn.           86400   IN      A       10.8.1.25
>>
>> ;; AUTHORITY SECTION:
>> vpn.                    86400   IN      NS      synth-ip-7f000002.vpn.
>>
>> ;; ADDITIONAL SECTION:
>> synth-ip-7f000002.vpn.  86400   IN      A       127.0.0.2
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 127.0.0.2#53(127.0.0.2)
>> ;; WHEN: Fri Oct  7 23:17:39 2011
>> ;; MSG SIZE  rcvd: 113
>>
>> command:
>> dig @127.0.0.1 www.yahoo.com
>>
>> output:
>> ; <<>> DiG 9.7.3 <<>> @127.0.0.1 www.yahoo.com
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51381
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;www.yahoo.com.                 IN      A
>>
>> ;; ANSWER SECTION:
>> www.yahoo.com.          3542    IN      CNAME   fp3.wg1.b.yahoo.com.
>> fp3.wg1.b.yahoo.com.    3542    IN      CNAME   any-fp3-lfb.wa1.b.yahoo.com.
>> any-fp3-lfb.wa1.b.yahoo.com. 3542 IN    CNAME   any-fp3-real.wa1.b.yahoo.com.
>> any-fp3-real.wa1.b.yahoo.com. 3542 IN   A       67.195.160.76
>> any-fp3-real.wa1.b.yahoo.com. 3542 IN   A       209.191.122.70
>> any-fp3-real.wa1.b.yahoo.com. 3542 IN   A       98.139.180.149
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri Oct  7 23:19:41 2011
>> ;; MSG SIZE  rcvd: 160
>>
>
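The start-up check Sam describes (refuse to run when a bind_address is not inside recursive_acl) can be reproduced offline against a dwood3rc snippet. This is an added example, not Deadwood's own code; the parser and the function names are this example's assumptions, and it assumes a bare recursive_acl entry without a slash means a single host.

```python
import ipaddress
import re

# Added example (not Deadwood's own code): an offline stand-in for the
# start-up check described in the thread, refusing a config whose
# bind_address is not inside recursive_acl.  Names are this example's own.
_ASSIGN = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*"([^"]*)"')

def parse_dwood3rc(text):
    """Return {key: value} for the plain quoted-string assignments.

    Dictionary lines such as root_servers["."] and numeric settings are
    skipped on purpose; only the two keys checked below matter here.
    """
    settings = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def parse_acl(acl):
    """Parse recursive_acl into networks (bare IP assumed to mean /32).

    strict=False accepts host-style entries like 127.0.0.1/16 as used
    in the list member's config, reading them as 127.0.0.0/16.
    """
    nets = []
    for entry in acl.split(","):
        entry = entry.strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def bind_addresses_outside_acl(conf_text):
    """Return bind_address entries no recursive_acl network covers.
    An empty list means the config would be allowed to start."""
    settings = parse_dwood3rc(conf_text)
    nets = parse_acl(settings.get("recursive_acl", ""))
    offenders = []
    for addr in settings.get("bind_address", "").split(","):
        addr = addr.strip()
        if addr and not any(ipaddress.ip_address(addr) in n for n in nets):
            offenders.append(addr)
    return offenders

# Constructed samples: the thread's working pair, then a failing one.
GOOD = 'bind_address="127.0.0.1" # IP we bind to\nrecursive_acl = "127.0.0.1/16"\n'
BAD = 'bind_address="127.0.0.1, 10.8.1.1"\nrecursive_acl = "127.0.0.1/16"\n'
```

Running bind_addresses_outside_acl on the second sample returns the offending address, which is the value the new Deadwood snapshot reports before refusing to start.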

