AIX

Hey All,

We have defined abc.this.that in:

/etc/named.conf

and corresponding files but after the change that we verified through dig -x this.that ptr all is resolving correctly. However in the /var/log/named/named.log file we still see entries for:

Code:

4-May-2015 12:15:30.390 queries: client 10.0.0.54#51132: query: loopback.abc.this.that IN A +

Where could this abc.this.that be pulled from? I expect to see only this.that entries and nothing else. Checked /etc/hosts and /etc/resolv.conf files on all clients but no luck. We running named on the AIX vlpar in a test environment.

I grepped all the named config files for any trace of abc.this.that and nothing. netcd is not running so not caching. Any ideas? This is AIX 7.1.

Thanks,
DH

This is contradictory. You say "we have defined abc.this.that in /etc/named.conf." You make statements like "we have verified through dig -x this.that ptr all is resolving correctly", but don't show any output. What exactly is the issue? Who is 10.0.0.54? Are the clients resolving correctly? What is in named.conf. What is in netsvc.conf on the clients.

Hey Br,

Thanks very much for looking into this. Appreciated. The DNS server has:

Code:

# cat /etc/netsvc.conf|grep -v "#"

hosts=bind,local
#

Clients do not have anything defined in /etc/netsvc.conf. It did not make a diff in our scenario. When I do nslookup on a client like lab01.this.that it resolves correctly and I get the right IP.

When I type dig -x 10.0.0.54 ptr it correctly returns the name of client: lab01.this.that. So reverse lookups are also good. Yet the named.log file contains entries like these:

Code:

04-May-2015 13:12:30.074 client 10.0.0.54#51878: query 'loopback.abc.this.that/A/IN' approved

for the loopback device. Why is it still trying to go to abc.this.that on the loopback device?

Sorry I CAN'T get too detailed in exact names so lab01 and abc.this.that are host and domain name place holders for real ones.

I just noticed and see a bunch of messages like this:

Code:

 query (cache) 'lab01.abc.this.that/A/IN' approved

so looks like it's 'caching' somewhere but not sure where since rndc is off.

The point is that it is keeping the old FQDN abc.this.that when I already changed it to this.that earlier (removing the abc).

It's ok if it's not enough information to let you guy's suggest anything then we'll just plug away at it on this end. No worries.

Thanks,
DH

---------- Post updated at 01:39 PM ---------- Previous update was at 01:30 PM ----------

Maybe I could ask the reverse scenario. If I changed an old domainname from abc.this.that to this.that, and it still somehow kept showing abc.this.that for the loopback device within the /var/log/named/named.log file, where could I go to look to change that?

Thanks,
DH

---------- Post updated at 01:50 PM ---------- Previous update was at 01:39 PM ----------

When running rndc dumpdb -all then trying to use strings <dump file> it showed nothing cached for abc.this.that at all.

Thanks,
DH

your AIX LPAR tries to resolve localhost or loopback (127.0.0.1) address. Because /etc/hosts resolution is disabled by netsvc.conf, it tries to look up in DNS. In your /etc/resolv.conf probably something like:

Code:

domain abc.this.that

Because loopback is not FQDN and probably is not resolvable, AIX tries to resolve it with domain attached.

1.) I dont' see a suitable option in the bind config for doing that. So hosts=local,bind ? I'm looking to have bind do most of the work so I dont' rely on local files though.

I'm trying to remove all traces of abc.this.that from the system. So in my /etc/resolv.conf I have 'domain this.that'. /etc/hosts seems to be read and works fine when I add entries there but again, that's customization that would need to be duplicated across many other hosts.

I also want to have one nameserver in the /etc/resolv.conf file. I tested by adding in other nameservers that I have a forwarders and that works of course but not on the forwarders line in my named.conf (That's another problem I have, the AIX DNS bind9 setup won't properly resolve against the forwarders I have listed including the one to the Windows 2012 DNS Server).

I'm trying to keep to one nameserver as I scale this up I want less to manage in the local files and more centrally managed within Bind.

Thanks,
DH

---------- Post updated at 09:36 AM ---------- Previous update was at 08:47 AM ----------

I should add that I can resolve against the Windows 2012 DNS directly like this:

Code:

nslookup host01 <WIN 2012 DNS Server IP>

but not in the forwarders line in the /etc/named.conf file. It's a second issue but might have some bearing on this problem here however. Also looks like abc.this.that is coming from the other hosts from some cached entries (ie maybe NIM or CIFS entries) that are hitting the AIX DNS box. I did a test by using a bogus domain such as xyz.this.that and that also appeared in the logs. But I just can't find where the abc.this.that is still defined on the other hosts. Reboot did not help.

Thanks,
DH

---------- Post updated at 10:01 AM ---------- Previous update was at 09:36 AM ----------

Hey All,

A bit more on the /etc/named.conf forwarders line:

Code:

options {
        listen-on-v6 port 53 { any; };
        directory "/etc/named";
        listen-on port 53 { 127.0.0.1; 172.20.255.174; };

        // allow-query-cache { none; };
        // allow-query { any; };
        // recursion yes;

        forward first;
        forwarders { 10.0.0.10; 123.1.2.3; 10.0.0.11; 123.1.2.4; 123.1.1.1 };
};

10.X are internal Windows 2012 DNS server IP's.
123.X are external, but reachable, to this DNS server.

This DNS server is 10.0.0.20.

I can't get any logs to show up on why the forwarding is not fully working as well.

---------- Post updated at 10:49 AM ---------- Previous update was at 10:01 AM ----------

tcpdump showed no communication to the Windows 2012 DNS server on a forwarding call, even though I have it explicitly listed.

Is there a way to verify that forwarding is working? Maybe I'm missing packages?

Code:

# lslpp -w /usr/sbin/named
  File                                        Fileset               Type
  ----------------------------------------------------------------------------
  /usr/sbin/named                             bos.net.tcp.server    Symlink
# ls -altri /usr/sbin/named
 2662 lrwxrwxrwx    1 root     system           16 May  7 2014  /usr/sbin/named -> /usr/sbin/named9
# lslpp -w /usr/sbin/named9
  File                                        Fileset               Type
  ----------------------------------------------------------------------------
  /usr/sbin/named9                            bos.net.tcp.server    File
# named -v
named: continuing without SRC support
BIND 9.4.1
#

This is a laudable intention, but you should put that into a realistic perspective. Do you want the server to ask DNS for "some.host.somewhere"? Definitely! Do you want your server to ask DNS for "localhost"? Most probably not. Your DNS server would get swamped with unnecessary requests even if you manage to make that work.

So, put "local" before "bind" in the resolver configuration to allow for a minimum of name resolution independent of the DNS. Hosts to put in there are:

localhost
your NIM server if you have one
maybe the IP of your local server (optimizes network throughput)
if you have a HACMP cluster all the nodes and service IPs (recommended practice in IBM documentation)

All the rest can and should be resolved via BIND. Otherwise you run into the problems you experience right now. I believe agent.kgb has analyzed how it came to pass correctly.

I hope this helps.

bakunin

Yes, tried that thank you, it worked like advertised but I need this going through bind. Yes it's nice if there is local redundancy but scaling this over many servers presents a management headeache if all in local files. I'll look at reversing it like you said but later and for now I'll keep it as hosts=bind,local till I work everything out with the DNS config. Thanks to your help and a bit more digging looks like I'm fine with how things are now except for one thing I posted here:

Multiple DNS forwarders and syntax question.

And the question here about forwarder logging that I'm seeing very little of:

How could I enable logging of bind 9 forwarders messages?

Thanks,
DH