BIND not reading /etc/hosts on MacOSX Lion

binddomain-name-systemlionmac-osx

With BIND (named) enabled on an OS-X Lion iMac, DNS lookups look at /etc/hosts only after checking with BIND and hence I can't override addresses using the hosts file. BIND does not even seem to access /etc/hosts (or /etc/resolv.conf) as far as I can see (using dtruss and from the sandbox log) so it must be some other OS-X DNS mechanism that does that.

Can I somehow tell BIND to consult /etc/hosts?

Thanks for your time and help

William

ps. Using BIND 9.7.3-P3
built with '–mandir=/usr/share/man' '–infodir=/usr/share/info' '–disable-dependency-tracking' '–prefix=/usr' '–sysconfdir=/private/etc' '–localstatedir=/private/var' '–enable-atomic=no' '–with-openssl=yes' '–with-gssapi=yes' '–enable-symtable=none' 'CFLAGS=-arch x86_64 -arch i386 -g -Os -pipe -gdwarf-2 -D__APPLE_USE_RFC_2292' 'LDFLAGS=-arch x86_64 -arch i386 ' 'CXXFLAGS=-arch x86_64 -arch i386 -g -Os -pipe '

Best Answer

BIND does not consult /etc/hosts. In Unix/Linux this is handled by the name service switch (nsswitch), which typically consults hosts and then DNS.

In Mac OS X this is handled by Directory Services.

You may want to flush the DS cache if you're having issues. Check the man pages for DirectoryService and dscacheutil.

Related Solutions

Bind is not resolving specific host

In your dig output, the name servers for that domain appear to be ns.agasoft.co.il and ns3.agasoft.co.il.

However, as of right now, their name servers are webserver1.agasoft.co.il and webserver2.agasoft.co.il.

It appears they changed their name servers.

In addition, mailhost.agasoft.co.il does not exist, according to those servers. Instead, their mail server (as identified by their MX record) is mailserver1.agasoft.co.il. This host does exist, and both name servers return the same address for it: 82.80.246.156.

Also note that in your dig output above, you requested a trace for mailhost.agasoft.co.il but the output shows for mailserver1.agasoft.co.il. Was that a typo in your question?

Summary: the agasoft.co.il domain appears to have recently changed their name servers and possibly also their mail server. If you are trying to find out why mail couldn’t be delivered to them, that’s why. The old name servers (according to your dig output) have a TTL of 1 day, so the problem should clear up in a day or so.

BIND Zone – Public and Private Hosts in the Same Zone

Yes, Bind does this with views. Some in detailed examples are here and here.

It would look something like this in named.conf:

view "trusted" {
 match-clients { 192.168.23.0/24; }; // our network
  recursion yes;
  zone "example.com" {
   type master;
   // private zone file including local hosts
   file "internal/master.example.com";
  };
  // add required zones
 };
view "badguys" {
 match-clients {"any"; }; // all others hosts
 // recursion not supported
 recursion no;
 };
 zone "example.com" {
   type master;
   // public only hosts
   file "external/master.example.com";
  };
  // add required zones
 };

One trick I typically do to make administration easier is to simply have the internal file $INCLUDE the external file -- just don't forget about SOAs.

As a final word of caution, don't pretend this is anything more than Rubber Chicken Security (not that there's anything wrong with that).

Thanks for your time and help

Best Answer

Related Solutions

Bind is not resolving specific host

BIND Zone – Public and Private Hosts in the Same Zone

Related Topic