A small DNS problem

Just so I find it again when I run across the same problem in the future:

I wanted to log in to one of my servers and couldn’t access it, because I couldn’t resolve the name from one specific domain. All other domains worked fine.

So let’s head over to the DNS server and check what we can do. I’m running BIND, and it ships with two tools, named-checkconf and named-checkzone. As the name implies named-checkconf checks the overall configuration, named-checkzone single zone. There is also an option -z for named-checkconf that checks all the primary zones found in the configuration.

Using make for system administration

In another blog post I wrote that I’m using make to restart BIND and showed the following example:

root@dns:/etc/bind# cat Makefile
all:
        /usr/sbin/named-checkconf -z
        /usr/sbin/rndc reload

The all in the above Makefile is the default target used when calling make without options. The second line (Note that there is a TAB) runs a bind tool called named-checkconf with the option -z to check the BIND configuration and zones. If that works the third line is executed and BIND is restarted. If named-checkconf fails because you have a bad configuration the third line will not be executed.

Need help?

Some shameless advertising:

If you need some help with IPv6, DNS, Linux, Automation and related stuff feel free to contact me. I’m available for about two days a week, remote preferred.

Disabling IPv6

Yet another Mastodon-inspired post. In this toot the author reports that downloading python packages is slow, and the Internet said that disabling IPv6 is the solution.

Slow can mean two different things here. If the host I’m using has a globally unique IPv6 address, but my connection to the outside is broken somehow, most software would try IPv6 first and then, after a timeout would fall back to IPv4 and try again. It can also mean that the IPv6 connection is working, but the download is actually slow.

ip6tables - Do you spot the error?

Some time ago I was asked why IPv6 wasn’t working. The customer had just configured some ipv6tables rules and IPv6 stopped working. See if you can spot the error in the following example rule set:

ip6tables -A INPUT -p ICMP -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p tcp --dport ssh  -j ACCEPT
ip6tables -A INPUT -j DROP

The mistake is in line one. In IPv6 neighbor discovery and other functions rely on ICMPv6 which is a different protocol then ICMP. Some how ip6tables is fine with loading the ICMP protocol.

License: CC BY-SA 4.0