Forum Discussion
GTM issue - connection refused
Hi.
I'm working with GTM v11.5.2 HF1. I'm having a strange problem that I would like to hear your comments about.
The topology is:
Workstation -> GTM -> Link Controller -> DNS Server (Authoritative)
If I make a DNS query from the workstation directly to the Link Controller, it returns the IP address as I expect.
If I make a DNS query from the workstation to the GTM, it gives me query refused.
How is the GTM configured?
I created a forward zone (teste.com) with the Link Controller IP address. Recursion is on in the named configuration, and recursion is also enabled in the GTM settings.
If I make the query from the shell on the GTM (using the listener IP address), the query returns the IP address and I can see communication between the GTM and the Link Controller using tcpdump.
If I make the query from the workstation to the GTM (using the listener IP address), it gives me QUERY REFUSED and I CAN'T see communication between the GTM and the Link Controller using tcpdump. I also did a tcpdump between the workstation and the GTM; the GTM refuses the query without checking the Link Controller.
Please help. Any comments? Tips? Have you seen this before?
Regards.
3 Replies
- Caio_178191
Nimbostratus
Problem solved.
You must put an ACL in the named configuration.
Here we have the default named configuration in GTM with recursion deactivated:

    # restrict rndc access to local machines
    # use the key in the default place: /config/rndc.key
    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; };
    };

    logging {
        channel logfile {
            syslog daemon;
            severity error;
            print-category yes;
            print-severity yes;
            print-time yes;
        };
        category default { logfile; };
        category config { logfile; };
        category notify { logfile; };
    };

    options {
        listen-on port 53 { 127.0.0.1; "zrd-acl-000-000"; };
        listen-on-v6 port 53 { ::1; };
        recursion no;
        directory "/config/namedb";
        allow-transfer { localhost; };
        check-names master warn;
        check-integrity yes;
        max-journal-size 1M;
        version "none";
    };

    acl "zrd-acl-000-000" { 127.10.0.0; };

To activate recursion, we change the "no" to "yes" in the line "recursion no". But besides that, we need to add an ACL. So our configuration will be:

    # restrict rndc access to local machines
    # use the key in the default place: /config/rndc.key
    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; };
    };

    logging {
        channel logfile {
            syslog daemon;
            severity error;
            print-category yes;
            print-severity yes;
            print-time yes;
        };
        category default { logfile; };
        category config { logfile; };
        category notify { logfile; };
    };

    options {
        listen-on port 53 { 127.0.0.1; "zrd-acl-000-000"; };
        listen-on-v6 port 53 { ::1; };
        recursion yes;
        directory "/config/namedb";
        allow-transfer { localhost; };
        check-names master warn;
        check-integrity yes;
        max-journal-size 1M;
        version "none";
        # only sources matching the "internal" ACL may send recursive queries
        allow-recursion { internal; };
    };

    acl "zrd-acl-000-000" { 127.10.0.0; };
    # 0.0.0.0/0 matches every IPv4 source address
    acl "internal" { 0.0.0.0/0; };

After this configuration, the system starts to accept recursive queries.
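The ACL in the reply above, acl "internal" { 0.0.0.0/0; }, makes the GTM's BIND answer recursive queries from any source address that can reach the listener, which is an open resolver. The following is an editor's added example, not code from the original post or from F5, of the same options block with recursion enabled only for the networks that should use the GTM as a resolver. The RFC 1918 client prefixes, the Link Controller address 192.0.2.53 and the zone name teste.com (taken from the question) are assumptions; substitute your own.

```conf
# Added example (not from the thread): recursion restricted to known client networks.
# The ACL is defined before the options block that references it.
acl "internal" {
    localhost;
    localnets;
    10.0.0.0/8;        # assumed workstation networks; replace with your prefixes
    172.16.0.0/12;
    192.168.0.0/16;
};

options {
    listen-on port 53 { 127.0.0.1; "zrd-acl-000-000"; };
    listen-on-v6 port 53 { ::1; };
    directory "/config/namedb";
    allow-transfer { localhost; };
    check-names master warn;
    check-integrity yes;
    max-journal-size 1M;
    version "none";

    recursion yes;
    # Only "internal" sources may ask for recursion (this includes names that
    # are resolved through a forward zone). Other sources get REFUSED for such
    # names, while zones this server is authoritative for are still answered.
    allow-recursion { internal; };
    # Cache answers follow the same rule. BIND already defaults allow-query-cache
    # to the allow-recursion value; it is stated explicitly here.
    allow-query-cache { internal; };
    allow-query { any; };
};

acl "zrd-acl-000-000" { 127.10.0.0; };

# The forward zone from the question. 192.0.2.53 stands in for the
# Link Controller address and is an assumption.
zone "teste.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };
};
```

Check the syntax with named-checkconf before reloading. Then confirm the behaviour from both sides: a dig against the listener from a host inside "internal" should return the answer with the ra flag set, and the same dig from a host outside it should come back with status: REFUSED and no traffic towards the Link Controller in tcpdump.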
- ______54573
Nimbostratus
When we set recursion yes; and set the ACL, sometimes GTM will respond with source IP 127.0.0.1 to the client:

    No.  Time          Source     Destination    Protocol  Length  Info
    102  33.748891740  127.0.0.1  10.198.105.41  DNS       84      Standard query response 0x3fb7 Server failure

Do you know why?
I would start a new thread and add some info, for example a packet capture or dig output.