Discussion:
Problem with named.conf being overwritten in 4.6
Alan Worstell
2012-10-24 20:00:03 UTC
Hello,
We have a 4.6 server set up, and wanted to have a split view DNS system
so it hands the public IP address out to public queries and the internal
address to anything on the local LAN. I've configured the DNS service to
be unmanaged in the GUI, added a firewall script in
/usr/share/sipxecs/cfinputs/plugin.d/ to allow UDP port 53 through, and
queries work internally and externally.
However, periodically, /etc/named.conf keeps getting overwritten with a
generic conf.
Is there any way to prevent this from being overwritten?

Thanks,
--
Alan Worstell
A1 Networks - Systems Administrator
VTSP, dCAA, LPIC-1, Linux+, CLA, DCTS
(707)570-2021 x204
For support issues please email ***@a-1networks.com or call 707-703-1050
George Niculae
2012-10-24 20:05:31 UTC
Hi,

checking unmanaged DNS should be the only setting to prevent this,
could you provide sipxagent.log after such rewrite to see what
happens?

George
Michael Picher
2012-10-24 23:15:11 UTC
Alan,

Typically you would want to manage your external DNS at a DNS provider.

For instance, a-1networks.com DNS is probably hosted somewhere (godaddy,
network solutions, etc).

The real goal here is to make it easy for users to roam outside the network
and inside the network. Thus when you set up your SIP domain you usually
want to think about what you have available for DNS in the outside world.

So, from a client perspective, internally the client would need the
following records:

_sip._udp.sipdomain SRV 10 10 5060 fqdn.of.server
_sip._tcp.sipdomain SRV 10 10 5060 fqdn.of.server

_xmpp-client._tcp.sipdomain SRV 10 10 5222 fqdn.of.server
_xmpp-server._tcp.sipdomain SRV 10 10 5269 fqdn.of.server
_xmpp-client._tcp.conference.sipdomain SRV 10 10 5222 fqdn.of.server
_xmpp-server._tcp.conference.sipdomain SRV 10 10 5222 fqdn.of.server (yes 5222!)

fqdn.of.server A ip.address.of.server (this is the only record that is different inside vs. outside).

You really don't want to open up port 53 for external DNS query... you
really just want split DNS. This means that there are two different DNS
servers that are authoritative for 'sipdomain'. One internally that
returns internal IP's and one externally that returns external IP's.

Hope that makes sense.

Mike
--
Michael Picher, Director of Technical Services
eZuce, Inc.

300 Brickstone Square
Suite 201
Andover, MA. 01810
O.978-296-1005 X2015
M.207-956-0262
@mpicher <http://twitter.com/mpicher>
linkedin <http://www.linkedin.com/profile/view?id=35504760&trk=tab_pro>
www.ezuce.com

------------------------------------------------------------------------------------------------------------
There are 10 kinds of people in the world, those who understand binary and
those who don't.
Trevor L Benson
2012-10-25 14:15:28 UTC
Mike,

We have ACL's, Views, and split the zone into an internal AND external zone already. We are returning internal IP's to the RFC 1918's defined in our internal ACL and view for external carries "any" and has a modified zone that includes the A record for the public entry instead of the private RFC 1918 address. Everything works great, except that the "unmanaged" file keeps getting replaced by the server after a short period.

We seemed to track down that there was a named.conf.unmanaged file being used to overwrite the configuration even when in unmanaged mode. Replacing this file with our splitview named.conf that separates the internal zone from the external zone seems to have resolved the occasional reset of the /etc/named.conf. The logic appears that even when NOT using dns locally as a managed service the server is still replacing the file with a copy of the same zone created when it was a managed service. In theory if the server is not set to point to itself for DNS I would assume that the system would leave the /etc/named.conf file alone, or that a clear definition of "unmanaged service" be made. As the idea behind managing your own local firewall is to move it to unmanaged, I would assume the same would go for unmanaged DNS.


Thanks,
Trevor Benson, Network Engineer
A1 Networks
Alan Worstell
2012-10-25 15:15:41 UTC
Hello,
As Trevor mentioned, replacing /etc/named.conf.unmanaged with our
changed conf resolved this. I had noticed in sipxagent.log entries about
fulfilling promises from that file.
Attached is the log file in question.

Regards,

Alan Worstell
A1 Networks - Systems Administrator
VTSP, dCAA, LPIC-1, Linux+, CLA, DCTS
(707)570-2021 x204
George Niculae
2012-10-25 22:10:18 UTC
Thanks,

could you also provide output for

/usr/share/sipxecs/cfmodules/sipx 1 | grep unmanaged

performed on primary?

George
Alan Worstell
2012-10-25 23:11:24 UTC
Hello,
My earlier reply to the list is currently held in moderation (I believe
because I attached another log which was slightly larger) but named.conf
is still actually being overwritten. /etc/named.conf.unmanaged still has
our changes, but /etc/named.conf keeps going back to the default.
Here is the output of that command:

# /usr/share/sipxecs/cfmodules/sipx 1 | grep unmanaged
-unmanaged_ntpd
-unmanaged_dhcpd
-firewall_unmanaged
-sipxdns_unmanaged
=sipxdns_unmanaged_0=127.0.0.1
=sipxdns_unmanaged_1=208.201.224.11
=sipxdns_unmanaged_2=
=sipxdns_unmanaged_3=

Thanks,

Alan Worstell
A1 Networks - Systems Administrator
VTSP, dCAA, LPIC-1, Linux+, CLA, DCTS
(707)570-2021 x204
George Niculae
2012-10-25 23:19:53 UTC
Hello,

the - in front of sipxdns_unmanaged (-sipxdns_unmanaged) means that
option is not enabled, so you're still running in managed mode, can
you please double check if checkbox is enabled in DNS page?

Here is the output from my machine, running same DNS & firewall
unmanaged, notice the + in front of:

-unmanaged_ntpd
-unmanaged_dhcpd
+sipxdns_unmanaged
=sipxdns_unmanaged_0=
=sipxdns_unmanaged_1=
=sipxdns_unmanaged_2=
=sipxdns_unmanaged_3=
+firewall_unmanaged

George
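
The +/- reading of the class dump explained in the reply above, turned into a check (an added example, not sipXecs code and not part of any post): `class_state` reports whether a class such as `sipxdns_unmanaged` is enabled, and `check_named_conf` also compares the live file with a known-good copy. The function names and the saved baseline copy are assumptions; the sample dumps are the two outputs quoted in the thread.

```shell
#!/bin/sh
# Added example, not sipXecs code. Function names and the idea of a saved
# known-good copy of named.conf are assumptions made for illustration.

# class_state NAME: reads a class dump on stdin (the output of
# "/usr/share/sipxecs/cfmodules/sipx 1") and prints "enabled" for a
# "+NAME" line, "disabled" for "-NAME", "absent" if neither occurs.
class_state() {
    awk -v name="$1" '
        { sub(/[ \t\r]+$/, "") }              # tolerate trailing blanks/CR
        $0 == ("+" name) { state = "enabled" }
        $0 == ("-" name) { state = "disabled" }
        END { print (state == "" ? "absent" : state) }
    '
}

# check_named_conf DUMP CONF BASELINE
#   0: sipxdns_unmanaged is enabled and CONF is identical to BASELINE
#   1: sipxdns_unmanaged is not enabled (DNS is in managed mode)
#   2: CONF no longer matches BASELINE
check_named_conf() {
    state=$(printf '%s\n' "$1" | class_state sipxdns_unmanaged)
    if [ "$state" != "enabled" ]; then
        echo "sipxdns_unmanaged is $state; DNS is in managed mode" >&2
        return 1
    fi
    if ! cmp -s "$2" "$3"; then
        echo "$2 differs from baseline $3" >&2
        return 2
    fi
    return 0
}

# The two dumps quoted in the thread: Alan's server, then George's.
DUMP_ALAN='-unmanaged_ntpd
-unmanaged_dhcpd
-firewall_unmanaged
-sipxdns_unmanaged
=sipxdns_unmanaged_0=127.0.0.1
=sipxdns_unmanaged_1=208.201.224.11
=sipxdns_unmanaged_2=
=sipxdns_unmanaged_3='
DUMP_GEORGE='-unmanaged_ntpd
-unmanaged_dhcpd
+sipxdns_unmanaged
=sipxdns_unmanaged_0=
=sipxdns_unmanaged_1=
=sipxdns_unmanaged_2=
=sipxdns_unmanaged_3=
+firewall_unmanaged'

echo "Alan:   sipxdns_unmanaged $(printf '%s\n' "$DUMP_ALAN" | class_state sipxdns_unmanaged)"
echo "George: sipxdns_unmanaged $(printf '%s\n' "$DUMP_GEORGE" | class_state sipxdns_unmanaged)"
```

On a server, pass `"$(/usr/share/sipxecs/cfmodules/sipx 1)"` as the dump, `/etc/named.conf` as CONF and a saved copy of the split-view file as BASELINE; run periodically, it reports a return to managed mode as exit status 1 and a changed file as exit status 2.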
George Niculae
2012-10-25 23:21:08 UTC
Post by George Niculae
Hello,
the - in front of sipxdns_unmanaged (-sipxdns_unmanaged) means that
option is not enabled, so you're still running in managed mode, can
you please double check if checkbox is enabled in DNS page?
I mean in DNS page, under Configuration Control section, the Unmanaged
Service option

George
Alan Worstell
2012-10-25 23:34:50 UTC
Yes, this is correct, it was set to managed in the gui again. I know
that it *was* set to unmanaged, because I had to create the cfengine
script to allow udp 53 through the local firewall.
I've set it to unmanaged again.

Alan Worstell
A1 Networks - Systems Administrator
VTSP, dCAA, LPIC-1, Linux+, CLA, DCTS
(707)570-2021 x204
m***@mattkeys.net
2012-10-24 23:52:11 UTC
How about making it immutable?:

$ chattr +i /etc/named.conf

I agree it would probably be best to find out why it's being overwritten in the first place.
Tony Graziano
2012-10-25 00:05:34 UTC
I don't think that's a viable long term solution. An update or service
activation/deactivation in roles for sipx could still break it.

If there is confusion, realize the difference between split DNS (internal
zone answering with internal IPs) and bind views which is something which
should be run on something other than sipx (IMO).
--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
Trevor L Benson
2012-10-25 14:20:14 UTC
Tony,

Wouldn't the same be said for an unmanaged firewall then? Moving firewall to unmanaged and manually creating your own tables and rules has been suggested more than once as how to control iptables, no suggestion that the system at some point would add/remove or reset the rules was made. If the same can't be said for DNS I think we need a clear definition of what "unmanaged" services are and how they still interact in some managed mode with the system.


Thanks,
Trevor Benson, Network Engineer
A1 Networks
Voice: 707-703-1041