LinuxQuestions.org
Old 04-09-2013, 06:06 AM   #1
bursar
LQ Newbie
 
Registered: Jul 2012
Posts: 9

Bind DNS lookup problems


We run two Debian Squeeze servers with Bind9 running to provide public DNS to our services. I'm having an odd problem with lookups and I'm not sure what I should do to fix it.

ns-uk-1 is on x.y.z.60 and is the slave.
ns-uk-2 is on x.y.z.59 and is the master.

x.y.z is a public IP address. Both servers also have private addresses.

Zone transfers from master to slave are working, and changes made on the master are reflected on the slave.

If I run nslookup from my Windows PC and set the nameserver to ns-uk-2 I can run lookups just fine. Setting the server to ns-uk-1 and performing the same lookups just gives me timeout messages.

I have set up a slave Windows public DNS server (ns3) on x.y.z.61 and lookups from that also work fine, so there must be some odd configuration issue that's causing ns-uk-1 to time out.

In addition, I can't get reverse lookups to work either. I have created the appropriate zone files, and if I run a reverse lookup from my PC against ns-uk-2 or ns3 then I get the expected result. ns-uk-1 just times out.

Running reverse lookups from somewhere like mxtoolbox I either get timeout errors or 'loop detected' errors.

I'm not sure which config files you might want to nosey at, so here's a selection:
The external part of /etc/bind/named.conf
Code:
# Publicly accessible DNS
#
view "internet" {

	# This view applies to all the other machines
	match-clients   { any; };
	allow-query     { any; };
	allow-transfer  { 62.232.156.60; 62.232.156.61; };
	notify yes;
	also-notify     { 62.232.156.60; 62.232.156.61; };
	recursion no;
	additional-from-cache no;
#	additional-from-auth no;

	include "master/named.conf.zones";
	include "master/named.conf.default.zones";

};

include "/etc/bind/rndc.key";
/var/lib/named/master/named.conf.zones
Code:
zone "156.232.62.in-addr.arpa" IN {
    type master;
    file "master/156.232.62.in-addr.arpa";
    allow-update { none; };
};

zone "aminocom.com" IN {
    type master;
    file "master/aminocom.com";
    allow-update { none; };
};
Part of /var/lib/named/master/aminocom.com
Code:
; Public DNS zone file for aminocom.com
$TTL 1d;

@		IN	SOA	ns-uk-1.aminocom.com. it.aminocom.com. (
			2013040906	; today's date and serial number
			28800		; Refresh (8 hours)
			7200		; Retry (2 hours)
			259200		; Expire (3 days)
			10800)		; Minimum / negative-cache TTL (3 hours)

		IN	NS		ns-uk-1.aminocom.com.
		IN	NS		ns-uk-2.aminocom.com.
		IN	NS		ns3.aminocom.com.

		IN	MX		10 mx-swa-1.aminocom.com.
		IN	MX		20 mx-swa-2.aminocom.com.

ns-uk-1		IN	A		62.232.156.60
ns-uk-2		IN	A		62.232.156.59
ns3		IN	A		62.232.156.61

download	IN	A		62.232.156.58

ftp		IN	CNAME		download
/var/lib/named/master/156.232.62.in-addr.arpa
Code:
$TTL 1d;

@		IN	SOA	aminocom.com. it.aminocom.com. (
			2013040902	; today's date and serial number
			28800		; Refresh (8 hours)
			7200		; Retry (2 hours)
			259200		; Expire (3 days)
			10800)		; Minimum / negative-cache TTL (3 hours)


	IN	NS	ns-uk-1.aminocom.com.
	IN	NS	ns-uk-2.aminocom.com.
	IN	NS	ns3.aminocom.com.

59	IN	PTR	mail2.aminocom.com.
60	IN	PTR	mail.aminocom.com.
Sorry for the wall of text, but I've been looking at this for a few days now, and I can't see anything obviously wrong. I suspect I've gone number blind though!
 
Old 04-10-2013, 05:30 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Hi,

I can use your nameserver (actually all of them) from here to resolve hosts in your domain.
So I guess the problem is somewhere in the routing/forwarding of the external to the internal interface, or something like that.

Regards
 
Old 04-10-2013, 05:43 AM   #3
bursar
LQ Newbie
 
Registered: Jul 2012
Posts: 9

Original Poster
Thanks.

The forward lookups are fine (or else I'd really be in trouble!). It's the reverse lookups that are causing me grief. I've mailed the ISP to ensure that delegation has been set, and then I guess I'll have to hammer it out with them.
 
Old 04-10-2013, 06:30 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Quote:
Originally Posted by bursar View Post
Thanks.

The forward lookups are fine (or else I'd really be in trouble!). It's the reverse lookups that are causing me grief. I've mailed the ISP to ensure that delegation has been set, and then I guess I'll have to hammer it out with them.
FYI reverse lookups work too from here, so I guess your ISP has delegated you the subnet you own.

Regards
 
Old 04-10-2013, 07:02 AM   #5
bursar
LQ Newbie
 
Registered: Jul 2012
Posts: 9

Original Poster
Excellent - thanks. I'll run some more tests from this end then.
 
Old 04-10-2013, 07:15 AM   #6
bursar
LQ Newbie
 
Registered: Jul 2012
Posts: 9

Original Poster
Can I ask how you're running reverse lookups please? Everything I've tried throws up an error. I've used several web based lookup tools, as well as asking people on home connections or in other businesses to run lookups and they all fail.
 
Old 04-10-2013, 07:33 AM   #7
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Quote:
Originally Posted by bursar View Post
Can I ask how you're running reverse lookups please? Everything I've tried throws up an error. I've used several web based lookup tools, as well as asking people on home connections or in other businesses to run lookups and they all fail.
Using dig:
Code:
dig -x 62.232.156.59 @62.232.156.60

; <<>> DiG 9.9.3b2 <<>> -x 62.232.156.59 @62.232.156.60
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26916
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;59.156.232.62.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
59.156.232.62.in-addr.arpa. 86400 IN    PTR     mail2.aminocom.com.

;; AUTHORITY SECTION:
156.232.62.in-addr.arpa. 86400  IN      NS      ns-uk-2.aminocom.com.
156.232.62.in-addr.arpa. 86400  IN      NS      ns-uk-1.aminocom.com.
156.232.62.in-addr.arpa. 86400  IN      NS      ns3.aminocom.com.

;; ADDITIONAL SECTION:
ns3.aminocom.com.       86400   IN      A       62.232.156.61
ns-uk-1.aminocom.com.   86400   IN      A       62.232.156.60
ns-uk-2.aminocom.com.   86400   IN      A       62.232.156.59

;; Query time: 61 msec
;; SERVER: 62.232.156.60#53(62.232.156.60)
;; WHEN: Wed Apr 10 15:32:36 EEST 2013
;; MSG SIZE  rcvd: 197
 
Old 04-10-2013, 08:27 AM   #8
bursar
LQ Newbie
 
Registered: Jul 2012
Posts: 9

Original Poster
The result you see is what I see - so that's good, but the problem comes when trying to do rDNS from elsewhere.

Let's assume that your mail server is configured to require a valid rDNS lookup in order to receive email. When your mail server runs the lookup, it will use its own name servers, and that's what's failing.

From mxtoolbox.com, if I run a reverse lookup on 62.232.156.60 it should come back as mail.aminocom.com, but it doesn't. I either get 'loop detected' or 'timeout' errors (apparently depending on which way the wind is blowing).

It's entirely possible that I just don't understand what it is I need to do, but everything I've found online seems to suggest that what I've done should be OK.
 
Old 04-10-2013, 08:48 AM   #9
bursar
LQ Newbie
 
Registered: Jul 2012
Posts: 9

Original Poster
I've just run a test using Google's name server and I get the following:
Code:
> 62.232.156.60
Server:  [8.8.8.8]
Address:  8.8.8.8

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 23, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        60.156.232.62.in-addr.arpa, type = PTR, class = IN
    AUTHORITY RECORDS:
    ->  156.232.62.in-addr.arpa
        ttl = 702 (11 mins 42 secs)
        primary name server = auth1.dns.gxn.net
        responsible mail addr = hostmaster.gxn.net
        serial  = 2012121914
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

------------
*** [8.8.8.8] can't find 60.156.232.62.in-addr.arpa.: Non-existent domain
auth1.dns.gxn.net belongs to my ISP, so it looks like they might not have delegated the addresses properly, as they should pass the request to our name server which will return the actual result.

Back to the ISP I go.
 
Old 04-10-2013, 09:02 AM   #10
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Quote:
Originally Posted by bursar View Post
The result you see is what I see - so that's good, but the problem comes when trying to do rDNS from elsewhere.

Let's assume that your mail server is configured to require a valid rDNS lookup in order to receive email. When your mail server runs the lookup, it will use its own name servers, and that's what's failing.

From mxtoolbox.com, if I run a reverse lookup on 62.232.156.60 it should come back as mail.aminocom.com, but it doesn't. I either get 'loop detected' or 'timeout' errors (apparently depending on which way the wind is blowing).

It's entirely possible that I just don't understand what it is I need to do, but everything I've found online seems to suggest that what I've done should be OK.
Ah, now I see what you mean. You should talk to your ISP so that they delegate the subnet you own to you.
You can find details here about classless in-addr.arpa delegation.
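The classless in-addr.arpa delegation bathory points to is the RFC 2317 scheme. The Python below is an added illustration, not code from this thread or from BIND: it builds both halves of such a delegation for a block smaller than a /24 (the NS and CNAME records the ISP would add to its 156.232.62.in-addr.arpa zone, and the child zone the address owner serves) and then follows the CNAME-then-PTR chain offline. The /29 block size, the nameserver list and the two PTRs are constructed assumptions; the thread never states how many addresses bursar holds.

```python
import ipaddress
from typing import Optional

def reverse_name(ip: str) -> str:
    """in-addr.arpa owner name for an IPv4 address, with trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def rfc2317_delegation(cidr: str, nameservers: list, ptrs: dict):
    """Records for delegating a block smaller than a /24 (RFC 2317).

    Returns (child_zone, parent_records, child_records).
    parent_records go into the /24 reverse zone held by the ISP: NS records
    for the child zone plus one CNAME per address pointing into it.
    child_records form the zone the address owner serves on its own servers.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("classless delegation is for IPv4 blocks smaller than a /24")
    o1, o2, o3, first = str(net.network_address).split(".")
    parent_zone = f"{o3}.{o2}.{o1}.in-addr.arpa."
    label = f"{first}/{net.prefixlen}"        # RFC 2317 label, e.g. 56/29
    child_zone = f"{label}.{parent_zone}"
    parent = [f"{label}\tIN\tNS\t{ns}" for ns in nameservers]
    child = [f"$ORIGIN {child_zone}"] + [f"@\tIN\tNS\t{ns}" for ns in nameservers]
    for addr in net:                           # every address in the block
        host = str(addr).rsplit(".", 1)[1]     # last octet is the label in both zones
        parent.append(f"{host}\tIN\tCNAME\t{host}.{child_zone}")
        if host in ptrs:
            child.append(f"{host}\tIN\tPTR\t{ptrs[host]}")
    return child_zone, parent, child

def resolve_ptr(ip: str, parent: list, child: list) -> Optional[str]:
    """Follow the chain offline: CNAME in the parent zone, then PTR in the child zone."""
    host = ip.rsplit(".", 1)[1]
    cname = next((r.split("\t")[3] for r in parent
                  if r.startswith(f"{host}\tIN\tCNAME\t")), None)
    if cname is None:
        return None                            # no delegation: the parent zone answers alone
    label = cname.split(".", 1)[0]             # host label inside the child zone
    return next((r.split("\t")[3] for r in child
                 if r.startswith(f"{label}\tIN\tPTR\t")), None)

# Constructed sample based on the thread: ns-uk-2 is master, ns-uk-1 slave, two PTRs.
# The /29 is an assumption; the thread does not say how large the block is.
if __name__ == "__main__":
    zone, parent, child = rfc2317_delegation(
        "62.232.156.56/29",
        ["ns-uk-2.aminocom.com.", "ns-uk-1.aminocom.com."],
        {"59": "mail2.aminocom.com.", "60": "mail.aminocom.com."})
    print("\n".join(parent)); print(); print("\n".join(child))
    print(resolve_ptr("62.232.156.60", parent, child))
```

Until the ISP installs the parent-side NS and CNAME records, a query for 60.156.232.62.in-addr.arpa never reaches the child zone, which matches the NXDOMAIN answer bursar saw via 8.8.8.8.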
 
Old 04-12-2013, 10:08 AM   #11
bursar
LQ Newbie
 
Registered: Jul 2012
Posts: 9

Original Poster
All sorted now. A little tweak to my zone file, and getting the delegations set with the ISP seems to have fixed it.
 
  

