Reverse rfc1918 zone on non-ucs server


#1

Hi,

In my infrastructure there are some non-UCS networks. They use e.g. 192.168.3/24.
I used disable-empty-zone to ignore loading an empty zone, so my forwarders have to be asked:

root@master:/etc/bind# tail -5 /etc/bind/named.conf.options
	disable-empty-zone "168.192.in-addr.arpa";
	disable-empty-zone "168.192.IN-ADDR.ARPA.";
	disable-empty-zone "3.168.192.in-addr.arpa";
};

But it doesn't work:

$: dig -x 192.168.3.11

; <<>> DiG 9.9.5-9+deb8u13A~4.2.1.201708081700-Univention <<>> -x 192.168.3.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31832
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;11.3.168.192.in-addr.arpa.	IN	PTR

;; AUTHORITY SECTION:
168.192.IN-ADDR.ARPA.	86400	IN	SOA	168.192.IN-ADDR.ARPA. . 0 28800 7200 604800 86400

;; Query time: 1 msec
;; SERVER: 192.168.13.2#53(192.168.13.2)
;; WHEN: Thu Dec 07 16:54:27 CET 2017
;; MSG SIZE  rcvd: 109

Flag aa indicates that ucs-master feels authoritative.

$: grep 168.192.IN-ADDR.ARPA /var/log/daemon.log
…
master named[5804]: automatic empty zone: 168.192.IN-ADDR.ARPA
…

So it ignores my disable-empty-zone statements.

I also tried this in local.conf.samba4 (Samba backend):

zone "3.168.192.in-addr.arpa" IN {
 type forward;
 forwarders { 192.168.1.2; 192.168.1.25; };
};

But it's ignored because it thinks it's authoritative.

How can I resolve my IPs? What's the right way to do it (besides moving those networks to UCS)?

tia
/thorsten
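An added helper (not part of the original post) that turns the diagnosis above into a repeatable check: it reads `dig -x` output and reports whether the reply came from one of BIND's automatic empty zones (aa flag set, NXDOMAIN, and an SOA of the built-in shape with rname "." and serial 0) or was forwarded. The two sample replies are constructed; the first mirrors the output in the post, the second is a made-up forwarded answer with a placeholder host name.

```shell
#!/bin/sh
# Added example: classify a `dig -x` reply as an automatic empty-zone answer
# or a forwarded one. Live usage:  dig -x 192.168.3.11 | classify_dig

# Reads dig output on stdin and prints EMPTY_ZONE, FORWARDED or UNKNOWN.
# Signals used (all visible in the thread's dig output):
#   - "aa" in the flags line: the queried server claims authority itself
#   - status NXDOMAIN in the header
#   - an SOA in the AUTHORITY section with rname "." and serial 0, the shape
#     BIND uses for its built-in empty zones
classify_dig() {
    awk '
        /^;; ->>HEADER<<-/ && /status: NXDOMAIN/ { nx = 1 }
        /^;; flags:/ && / aa[ ;]/                { aa = 1 }
        $4 == "SOA" && $6 == "." && $7 == "0"    { empty_soa = 1 }
        END {
            if (aa && nx && empty_soa) print "EMPTY_ZONE"
            else if (!aa)              print "FORWARDED"
            else                       print "UNKNOWN"
        }'
}

# Wrapper for live use against the local resolver (needs dig installed).
check_ptr() {
    dig -x "$1" | classify_dig
}

# Constructed sample 1: the reply shown in the post (server answers itself).
sample_empty_zone() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31832
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;11.3.168.192.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
168.192.IN-ADDR.ARPA. 86400 IN SOA 168.192.IN-ADDR.ARPA. . 0 28800 7200 604800 86400
EOF
}

# Constructed sample 2: a forwarded, non-authoritative reply
# (host name is a placeholder, not a real record).
sample_forwarded() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
11.3.168.192.in-addr.arpa. 3600 IN PTR host11.example.invalid.
EOF
}

echo "sample 1: $(sample_empty_zone | classify_dig)"   # EMPTY_ZONE
echo "sample 2: $(sample_forwarded | classify_dig)"    # FORWARDED
```

Run `check_ptr` for each RFC 1918 address you expect a forwarder to resolve; any EMPTY_ZONE result means the local named still serves the built-in empty zone for that network, regardless of what the config file you edited says.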


#2

Hi

I am not familiar with this option and what it does, but one problem might be that /etc/bind/named.conf.options is not included in the bind config (named.conf.debian is not used in UCS):

-> grep -r named.conf.options named.conf named.conf.proxy named.conf.debian
named.conf.debian:include "/etc/bind/named.conf.options";

Please try to include the options into the options block in /etc/bind/named.conf.proxy.

-> more /etc/bind/named.conf.proxy
...
options {
        directory "/var/cache/bind";
	listen-on { any; };
        ...
        disable-empty-zone "168.192.in-addr.arpa";
	disable-empty-zone "168.192.IN-ADDR.ARPA.";
	disable-empty-zone "3.168.192.in-addr.arpa";

};
...
-> service  bind9 restart
-> dig -x 192.168.0.3| grep flags
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 11, ADDITIONAL: 10
; EDNS: version: 0, flags:; udp: 4096

Problem is, this file is automatically generated from a template (triggered by setting certain UCR variables or updates of the univention-bind package) and your changes might be lost.

You could also modify the template /etc/univention/templates/files/etc/bind/named.conf.proxy, but in doing so you lose all further updates of this template (it is a configuration file and we do not overwrite modified configuration files during package updates).

So, I suggest not editing the template but the file itself, even if that means you have to check the file for your changes after updates.

Please let me know if changing the options in /etc/bind/named.conf.proxy helps you. If so, I will create a feature request to allow arbitrary options in /etc/bind/named.conf.proxy via UCR variables (options can be set in UCR variables and the template includes the content of these variables into the options block).

Best regards,
Felix
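The root cause in this answer is a config file that nothing loads. An added script (not from the thread's participants or from Univention) that follows the `include "...";` chain from a root file and reports whether a given file is reachable, so you can verify the include tree instead of grepping one level. It builds a constructed fixture in a temporary directory that mimics the situation described here; the file contents and the use of relative include paths are assumptions for the demo (real configs, like the one in the thread, use absolute paths, and named resolves relative includes against its working directory rather than the including file).

```shell
#!/bin/sh
# Added example: walk BIND include directives and tell whether a file is loaded.

# walk_includes FILE VISITED
# Prints FILE and, depth first, every file it includes (transitively).
# VISITED is a space-separated list of files already printed; it stops
# include cycles. Only positional parameters are used so recursion is safe
# in plain POSIX sh (no `local`). Paths containing whitespace are unsupported.
walk_includes() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    printf '%s\n' "$1"
    [ -r "$1" ] || return 0
    # Pull the quoted path out of lines of the form:  include "path";
    # Commented-out includes (// or #) do not match the anchored pattern.
    for inc in $(sed -n 's|^[[:space:]]*include[[:space:]]*"\([^"]*\)"[[:space:]]*;.*|\1|p' "$1"); do
        # Simplification: resolve relative paths against the including file.
        case $inc in /*) ;; *) inc="$(dirname "$1")/$inc" ;; esac
        walk_includes "$inc" "$2 $1"
    done
}

# config_includes ROOT NAME -> exit 0 if NAME occurs in any path reachable from ROOT
config_includes() {
    walk_includes "$1" "" | grep -qF -- "$2"
}

# Constructed fixture mirroring the thread: named.conf pulls in named.conf.proxy,
# while named.conf.options is only referenced from named.conf.debian, which
# nothing loads. Contents are made up for the demo.
make_fixture() {
    d=$(mktemp -d)
    printf 'include "named.conf.proxy";\n' >"$d/named.conf"
    printf 'options {\n\tdirectory "/var/cache/bind";\n};\n' >"$d/named.conf.proxy"
    printf 'include "named.conf.options";\n' >"$d/named.conf.debian"
    printf 'options {\n\tdisable-empty-zone "168.192.in-addr.arpa";\n};\n' >"$d/named.conf.options"
    printf '%s\n' "$d"
}

dir=$(make_fixture)
for root in named.conf named.conf.debian; do
    if config_includes "$dir/$root" named.conf.options; then
        echo "$root: loads named.conf.options"
    else
        echo "$root: does NOT load named.conf.options"
    fi
done
rm -rf "$dir"
```

On a real server run `walk_includes /etc/bind/named.conf ""` to list exactly which files named reads; if the file you edited is not in that list, no option in it has any effect, which is the situation the answer above describes.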


#3

Hi,
as I'm using the Samba backend, I altered named.conf.samba4 and everything is running smoothly now.
Thanks!