Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
You need recursion, but only for specific clients. If you use "recursion yes;", then as I've told you, anyone in the world can use your server as a resolver, resulting in cache poisoning, DoS, etc.
Quote:
Is this my problem? Am I using the wrong zone config type? Would a slave configuration be more what I am striving for? If so, what is the point to a forwarding config?
I don't like forwarders, so I use the hint zone, so my dns servers are both authoritative and caching.
Last night, I started configuring it as a master/slave. The reason I chose forwarding was because I didn't want any caching whatsoever and forwarding appeared to achieve that. Forwarding doesn't act as a proxy though.... so there isn't much point in using it.
Slave zones appear closer to what I want. Of course they aren't working either.
This leaves the questions standing: If I'm not supposed to use recursion, but I need it for forwarding, what am I supposed to do?
I don't tell you not to use recursion. What I'm telling you is to specify the clients (hosts/networks) that can do recursive queries to your server using the "allow-recursion" option, for security reasons.
Regarding your problem, the only difference I can see from here is that resolving sharoncave.ca using 208.88.5.245 gives a SERVFAIL, not a REFUSED as it did earlier.
Recursion is not mandatory for an authoritative nameserver. Your dns is authoritative even though it forwards queries to another dns.
You need recursion if you want to use your dns as a caching nameserver (resolver) for your clients. Have a look here for more details.
Do you?
The authoritative nameservers for your domain are 208.88.5.245 and 208.88.6.207, and both give a SERVFAIL (instead of REFUSED previously).
Anyway looking closer at named.conf you've posted, you have
Quote:
forwarders{208.88.4.232;};
You need to add a blank space after forwarders. I guess that this is why it fails.
I'm not sure if I understand well your figures, so I'm trying to explain how your dns is supposed to work.
When a client on the internet wants to visit sharoncave.ca, it queries his dns.
His dns looks for a way to resolve the domain and somehow it finds that the authoritative nameservers are 208.88.5.245 and 208.88.6.207, so it has to ask one of them.
Say it queries 208.88.5.245. If this server was working correctly, it would forward the query to 208.88.4.232, get the A RR and give the answer to the client. This is dns forwarding, so make sure that this is what you're trying to achieve.
Now both the authoritative nameservers fail because of some misconfiguration (see my previous post if that's the case), so no one can do its job to resolve your domain.
I think it would be best if I used a master/slave configuration (slave=208.88.5.245, master=208.88.4.232). I believe this behaviour best matches my desired results. I will spend a few days tinkering with that on my own.
One last question: Does 208.88.4.232 appear to be working correctly at this point (it does to me)?
I second that. It's better to use a master/slave dns combination, so if one of them fails, the other can still answer authoritatively for your domain(s).
The fact is that now I cannot connect to 208.88.4.232 so that I can use it as a resolver for your domain, but I can ping it.
Quote:
; <<>> DiG 9.9.1-P3 <<>> sharoncave.ca @208.88.4.232
;; global options: +cmd
;; connection timed out; no servers could be reached
Check if BIND is running and there is no firewall blocking port 53 udp/tcp and things like that.
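As an added example that is not from the thread or from either poster, the following named.conf fragments put together the two points discussed above: recursion restricted with "allow-recursion" to a named set of client networks, and a master/slave pair for sharoncave.ca with 208.88.4.232 as master and 208.88.5.245 as slave. The "trusted" network range, the directory and the zone file names are placeholders to be replaced; the IP addresses and the domain come from the thread. The "type master"/"type slave" keywords match the BIND 9.9 generation shown in the dig output.

```conf
// ---- named.conf on the master, 208.88.4.232 (added example) ----

// Clients that may use this box as a caching resolver.
// 192.0.2.0/24 is an assumed placeholder for the local network.
acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;
};

options {
    directory "/var/named";          // assumed path, adjust to the distro
    recursion yes;                   // recursion stays on ...
    allow-recursion { trusted; };    // ... but only for the ACL; everyone else gets REFUSED
    allow-query { any; };            // authoritative answers for the zone remain public
    allow-transfer { none; };        // no zone transfers unless a zone statement allows it
};

// Root hints so the server can resolve for the trusted clients without forwarders.
zone "." IN {
    type hint;
    file "named.ca";
};

zone "sharoncave.ca" IN {
    type master;
    file "sharoncave.ca.zone";           // assumed zone file name
    allow-transfer { 208.88.5.245; };    // only the slave may pull the zone
    also-notify { 208.88.5.245; };       // push NOTIFY to the slave on changes
};

// ---- named.conf on the slave, 208.88.5.245 (added example) ----
// Same acl and options block as above, then:

zone "sharoncave.ca" IN {
    type slave;
    file "slaves/sharoncave.ca.zone";    // assumed path; named must be able to write here
    masters { 208.88.4.232; };           // where to fetch the zone from
    allow-transfer { none; };            // the slave does not hand the zone out further
};
```

With this layout there is no "forwarders" statement at all: each server answers authoritatively from its own copy of the zone, so the SERVFAIL seen earlier cannot be caused by a forwarder being unreachable. After an `rndc reload`, a query such as `dig @208.88.5.245 sharoncave.ca` should come back with the `aa` flag set, and a recursive query for an unrelated name sent from an address outside the "trusted" ACL should be answered with REFUSED rather than resolved.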