Nameserver Problem Revisited
Bob Goodwin - W2BOD
bobgoodwin at wildblue.net
Sat Apr 7 14:42:18 UTC 2007
Tim wrote:
>
>
> The advert blocking was done with a series of master zone
> configurations, like this:
>
> zone "adimages.com" { type master; file "dead.zone"; };
> zone "admonitor.com" { type master; file "dead.zone"; };
>
> Where they *all* reference the same "dead.zone" DNS zone record file.
>
> Anyway, to try and answer everything in one go regarding blocking of
> annoyances on some websites, I'll post a series of files below. But
> I'll change one thing: I'll use blocking.conf instead of lan.conf.
> Then I can use lan.conf file for configuring local machine addresses
> (which could be masters or slaves, depending on what you're doing), and
> a separate blocking.conf file just for that purpose. It might make
> explanations simpler.
>
> My custom /var/named/chroot/etc/named.conf file:
>
> ---------------[begin example]------------------
> ## LAN:
>
> view lan_resolver {
> match-clients { localhost; };
> match-destinations { localhost; };
> include "/etc/blocking.conf";
> include "/etc/rndc.key";
> };
>
> include "/etc/named.caching-nameserver.conf";
> ----------------[end example]-------------------
>
> This is a simple default file, that's easy to replace should it get
> borked by a BIND update. The named.conf file will be loaded by default
> by BIND, and this one refers to the named.caching-nameserver.conf file
> so that function still works, and without altering the supplied conf
> file. It includes any other custom files that I want to use, in this
> case the blocking.conf file. I'd include a lan.conf file, too, in that
> view section, if I was also using it to resolve local addresses (instead
> of the hosts file, which is inadequate for certain services).
>
> NB: It'd be a bit less painful without having to use "views", but since
> the caching nameserver configuration file does, you're forced into
> working the same way.
>
> My custom /var/named/chroot/etc/blocking.conf file:
>
> ---------------[begin example]------------------
> ## advert blocking:
>
> zone "adimages.com" { type master; file "dead.zone"; };
> zone "admonitor.com" { type master; file "dead.zone"; };
> zone "adsfac.net" { type master; file "dead.zone"; };
> ----------------[end example]-------------------
>
> That file's a list of any domain that I want to kill off. Just add more
> of the same below, as needed. Only use the domain name, it'll kill it
> and any sub-domains in one go.
>
> i.e. Using example.com will kill off it and www.example.com and
> news.example.com and so on... But if I'd put in www.example.com, then
> example.com would be left alone, and it'd be www.example.com and further
> subdomains of www.example.com that got blocked (e.g. it'd block ones
> like now.www.example.com and then.www.example.com, etc.).
>
> My custom /var/named/chroot/var/named/dead.zone file:
>
> ---------------[begin example]------------------
> $TTL 86400
> @ IN SOA ns.localdomain. hostmaster.mail.localdomain. (
> 200 ; serial
> 28800 ; refresh
> 7200 ; retry
> 604800 ; expire
> 86400 ; ttl
> )
>
>
> IN NS ns.localdomain.
> ----------------[end example]-------------------
>
> That causes all blocked domains to get a null answer, straight away.
>
>
This scheme worked nicely until this morning!
Suddenly things have returned to the earlier state where the browser
downloads each ad again, requiring about a minute to bring up a news
article instead of the few seconds that were required after making the
suggested changes to /var/named/chroot/etc/blocked.conf and dead.zone,
etc. None of those files appear to have changed, but something has, just
this morning.
This morning's updates include:
Apr 07 03:32:53 Updated: ImageMagick.i386 6.2.8.0-4.fc6
Apr 07 03:32:53 Updated: ImageMagick-c++.i386 6.2.8.0-4.fc6
Apr 07 03:32:56 Updated: selinux-policy.noarch 2.4.6-49.fc6
Apr 07 03:33:05 Updated: selinux-policy-targeted.noarch 2.4.6-49.fc6
Apr 07 03:33:06 Updated: ImageMagick-perl.i386 6.2.8.0-4.fc6
selinux is disabled and the rest don't appear suspect.
And I don't know where to look next?
Bob Goodwin
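An added check, not code from Tim's or Bob's posts, for the zone-coverage rule Tim describes above (a "example.com" zone swallows www.example.com, but a "www.example.com" zone leaves example.com alone): it parses a blocking.conf in the same format and reports which blocked zone, if any, would answer for a given name. The sample config is constructed for this example.

```python
"""Which zone in a BIND blocking.conf captures a queried name?

BIND serves a query from the most specific configured zone that encloses
the name, so this walks the labels from the full name up to the TLD and
returns the first (longest) match.  Sample config below is constructed.
"""
import re

# Constructed sample in the same format as the blocking.conf on the page.
SAMPLE_BLOCKING_CONF = """\
## advert blocking:

zone "adimages.com" { type master; file "dead.zone"; };
zone "admonitor.com" { type master; file "dead.zone"; };
zone "www.example.com" { type master; file "dead.zone"; };
"""

# One master zone per line, pointing at the shared dead zone file.
ZONE_RE = re.compile(
    r'zone\s+"(?P<name>[^"]+)"\s*\{\s*type\s+master;'
    r'\s*file\s+"(?P<file>[^"]+)";\s*\};'
)


def parse_blocking_conf(text):
    """Return the set of zone names declared in a blocking.conf body."""
    zones = set()
    for line in text.splitlines():
        # Drop '#' and '//' comments and blank lines.
        line = re.split(r"#|//", line, 1)[0].strip()
        if not line:
            continue
        match = ZONE_RE.fullmatch(line)
        if match is None:
            raise ValueError("unparsable zone line: %r" % line)
        zones.add(match.group("name").rstrip(".").lower())
    return zones


def blocking_zone(qname, zones):
    """Most specific blocked zone enclosing qname, or None if unblocked."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None
```

Run it against the real /var/named/chroot/etc/blocking.conf to confirm the ad hostnames seen in the browser actually fall under a declared zone before suspecting the server.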