LinuxQuestions.org


kavius 09-30-2012 06:44 PM

Bind Forward and DLZ
 
I have a DNS server that I am planning on phasing out. To do this, I want to forward all of the domains (one at a time) to the new one. The new server is running Bind DLZ. I don't fiddle with DNS often so some of my assumptions may be wrong.

I have a couple of domains configured on the NEW server, but whenever I turn on the forwarding the sites crash. At this time I have a single website setup for a domain I am not currently using (so it isn't the end of the world if it doesn't work).

The NEW server seems to be operating correctly:
Code:

# dig @208.88.4.232 sharoncave.ca

; <<>> DiG 9.7.0-P1 <<>> @208.88.4.232 sharoncave.ca
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10666
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;sharoncave.ca.                IN      A

;; ANSWER SECTION:
sharoncave.ca.          60      IN      A      208.88.4.232

;; AUTHORITY SECTION:
sharoncave.ca.          60      IN      NS      ns.plaidsheep.ca.

;; Query time: 6 msec
;; SERVER: 208.88.4.232#53(208.88.4.232)
;; WHEN: Sun Sep 30 19:18:39 2012
;; MSG SIZE  rcvd: 75

So I set up forwarding on the OLD server:
Code:

zone "sharoncave.ca" {
        type forward;
        forwarders{208.88.4.232;};
};

I then query the old server, expecting the same results I received from the new server:
Code:

# dig @208.88.5.245 www.sharoncave.ca

; <<>> DiG 9.7.0-P1 <<>> @208.88.5.245 www.sharoncave.ca
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53342
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.sharoncave.ca.            IN      A

;; ANSWER SECTION:
www.sharoncave.ca.      86400  IN      CNAME  sharoncave.ca.
sharoncave.ca.          86400  IN      A      208.88.4.232

;; AUTHORITY SECTION:
sharoncave.ca.          86400  IN      NS      ns.plaidsheep.ca.

;; ADDITIONAL SECTION:
ns.plaidsheep.ca.      86400  IN      A      208.88.5.245

;; Query time: 82 msec
;; SERVER: 208.88.5.245#53(208.88.5.245)
;; WHEN: Sun Sep 30 13:57:05 2012
;; MSG SIZE  rcvd: 109

And I receive the exact same results. So far so good.

The last step is to check how the site is viewed in "The Wild"... I hit it with a web request, and nothing happens. I get a "domain cannot resolve" error.

I'm sure this is close. Is there something wrong with the way the servers are responding that I'm not getting?

BTW: I currently have a completely different set of DNS hosts activated just to get the caches of the world set to something reasonable. Though that doesn't seem to be working either.

bathory 10-01-2012 01:33 AM

Hi,

From here, I get a SERVFAIL running dig www.sharoncave.ca, meaning that the authoritative nameserver(s) for this domain is/are misconfigured.
Doing a trace to find those servers gives:
Code:

; <<>> DiG 9.9.1-P3 <<>> sharoncave.ca +trace
<-snip->
sharoncave.ca.          86400  IN      NS      ns2.plaidsheep.ca.
sharoncave.ca.          86400  IN      NS      ns1.plaidsheep.ca.

Both those nameservers give a REFUSED answer when trying to resolve your domain. So you need to fix this in the first place.

Note also that when using your dns servers, I get a correct answer from the "old" server (208.88.4.232) and a REFUSED answer from the new one (208.88.5.245).

Regards

kavius 10-01-2012 06:00 AM

It's actually the other way around; the IPs are getting confusing. The new server (better to call it the DLZ server?) is responding correctly, and the forwarding server is giving the REFUSED. ns1 and ns2 are the forwarding server.

I know that server responds correctly for non-forwarded domains, so I have to assume my forwarding is misconfigured. Except the original digs I posted are clean; they do, however, come from a computer inside the network. This is behaving like a multi-variable problem.

I am unsure how to proceed, any suggestions?

zhjim 10-01-2012 06:57 AM

Just an idea.
There is an option that allows certain clients to make certain requests. Maybe you have it active somewhere, so that the old server only allows forward lookups from your internal network...

bathory 10-01-2012 07:49 AM

I'm confused about the new and the old server.
Anyway, the fact is that none of the authoritative nameservers gives an answer, but they both respond REFUSED, as you can see here.
Perhaps you can post the full named.conf and the zone file to see why that happens.

Regards

kavius 10-01-2012 08:05 AM

zhjim
Interesting... is that something you would have to turn on, or off? I don't see anything in my options section that would account for that:
Code:

options {
    allow-recursion {
        localnets;
        208.88.4.232/24;
    };
    directory "/var";
    auth-nxdomain no;
    pid-file "/var/run/named/named.pid";

//    forward only;
//    forwarders {
//        127.0.0.1;
//    };
};

I am also attaching the full named.conf for reference.

bathory: Sorry, posted this prior to seeing your post. The named.conf I have attached is for the authoritative server. Hope it clears up what my configuration looks like.

zhjim 10-01-2012 08:27 AM

Normally you have to turn it on. Mind that my BIND knowledge is a bit rusty, so take it with a grain of salt.
The allow-recursion option under the options section says who is allowed to use the DNS server recursively (so that the server does all the work). You allowed your local network and the IP of the "new" DNS server.
Within the zone "sharoncave.ca" you define that all queries for that domain are to be forwarded to the new server. I'd say that this is a recursive DNS query? If so, you would need to configure the "old" server to allow the forwarded/recursive queries from everywhere. If that is not the case (forwarding is not a recursive query), then I'm out of ideas.

I read up on this stuff a bit and I always came upon the forward only option within the zone section or options sections. Maybe you have to fiddle with this a bit. I saw that you had it uncommented in your configuration.

Can you raise the debug level and tail the logs when querying the "old" server for the "new" zone?

bathory 10-01-2012 10:06 AM

You need to allow recursion (and probably queries) to the old server. So check if you have an "allow-query ..." statement and change it accordingly. For recursion use:
Code:

allow-recursion {
    localnets;
    208.88.4.232/24;
    208.88.5.245;
};

Note that 208.88.4.232/24 is not a valid subnet notation, so check with your network guys and use the correct one. The same goes for 208.88.5.245, if you want to allow recursion for more hosts in this subnet.

kavius 10-01-2012 12:08 PM

I am looking into the recursion/query/forwarders settings more, and seeing if I have some setting wrong in that area.

Just to clarify discussion to this point: the problem appears to be with the configuration of the forwarding. The DLZ server appears to be sending valid responses but the queries are not being forwarded to the DLZ server correctly.

If I am misunderstanding, please correct me.

kavius 10-01-2012 02:11 PM

Solved... Recursion was restricted. Am working on a full report.

kavius 10-01-2012 02:56 PM

[Solution]
 
The objective was to create a means of setting up a new DNS server while slowly phasing out the old DNS server. To do this, it is necessary to maintain the facade of the old server by proxying new information through it. The old server is using configuration files set up by CPanel, while the new server is using DLZ configured by me.

I should have just drawn a diagram to begin with:
Code:

          0
          -+-          <--- Me/You/Someonelse
          |
    ______/_\______
        |    /\
        |    |
        \/    |
  {~~~~~~~~~~~~~~~}
  {    Internet  }    <--- The Wild
  {~~~~~~~~~~~~~~~}
        |    /\
+-Local-|-----|-------+
|      \/    |      |
|  +---------------+  |
|  | Bind (CPanel) |  | <--- Old
|  +---------------+  |
|      |      /\      |
|      |      |      |
|      \/    |      |
|  +---------------+  |
|  |  Bind (DLZ)  |  | <--- New
|  +---------------+  |
|                    |
+---------------------+

Most documentation online is for setting the whole server up as a forwarder. I want to do it one domain at a time. To do this you need to set up the forwarder for the zone; I had configured the zones correctly:
Code:

zone "sharoncave.ca" in {
    type forward;
    forwarders{208.88.4.232;};
};

The problem was in the options section, in particular with "allow-recursion". Originally, I had misinterpreted allow-recursion to refer to the computers it was allowed to recurse to. Instead it is a list of clients that the server is allowed to recurse for. In order for forwarding to work, recursion needed to be configured correctly:
Code:

options {
    /*****************
    * this is on by default, so you do
    * not *need* to explicitly set it.
    ******************/
    recursion yes;
    /*****************/

    /*****************
    * Allow recursion explicitly sets the
    * clients that this server will recurse
    * on behalf of. Since we want it to
    * recurse for everybody, this should
    * either be left empty, or set to
    * some mask that will resolve to everyone
    ******************/
    //allow-recursion {
    //    localnets;
    //    208.88.4.232/24;
    //};
    /*****************/

    /*****************
    * This section is for GLOBAL forwarding,
    * NOT what we are trying to achieve. So
    * leave it out
    ******************/
    //forward only;
    //forwarders {
    //        127.0.0.1;
    //};
    /*****************/
};

This explains why it was working when I ran dig from inside the network, the computer I was querying from was inside the "localnets" list, and therefore explicitly allowed. When I commented out that section, outside computers performing the query suddenly started getting correct responses.

The Big Clue
... that I missed. The error message received when running dig:
Code:

; <<>> DiG 9.7.0-P1 <<>> @ns1.plaidsheep.ca sharoncave.ca A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 36094
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available  <============================ !!!!!!!!!!!!
;; QUESTION SECTION:
;sharoncave.ca.        IN        A
;; Query time: 17 msec
;; SERVER: 208.88.5.245#53(208.88.5.245)
;; WHEN: Mon Oct 1 19:11:30 2012
;; MSG SIZE rcvd: 31

Thank you for the help.

Point of interest... if I dig my nameserver, everything seems to be fine. If I dig The Wild, I get a bad response. I am assuming this is because someone out there has bad information cached.
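As an added example (not code from this thread), the script below decodes a DNS reply header the way dig's status/flags line does, so a REFUSED reply carrying RD but no RA is recognised as the "recursion requested but not available" case above. The sample replies are constructed from the id, flags and section counts quoted in the thread's dig output; the record bytes are omitted because only the header is inspected.

```python
"""Decode DNS reply headers as dig's status/flags line does.
Added example, not from the thread; sample replies are constructed from
the id, flags and section counts quoted in the thread's dig output."""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, msg_id: int = 0x1234) -> bytes:
    """Build a query like dig's default: RD set, one IN question."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Unpack the 12-byte header into named fields and flag bits."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id,
            "qr": bool(flags & 0x8000),  # 1 = response
            "aa": bool(flags & 0x0400),  # authoritative answer
            "rd": bool(flags & 0x0100),  # recursion desired (copied from query)
            "ra": bool(flags & 0x0080),  # recursion available
            "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def diagnose(msg: bytes) -> str:
    """Explain a reply the way a practitioner reads dig's flags line."""
    h = parse_header(msg)
    status = RCODES.get(h["rcode"], f"RCODE{h['rcode']}")
    if not h["qr"]:
        return "not a response (QR bit clear)"
    # The thread's 'Big Clue': the client asked for recursion (RD), the server
    # does not offer it (no RA) and refuses, so the client is outside
    # allow-recursion and a forward zone cannot be served to it.
    if h["rd"] and not h["ra"] and status == "REFUSED" and h["ancount"] == 0:
        return "REFUSED: recursion requested but not available"
    if h["aa"] and h["ancount"] > 0:
        return f"{status}: authoritative answer"
    if h["ra"] and h["ancount"] > 0:
        return f"{status}: non-authoritative answer (recursive or forwarded)"
    return status


QUESTION = encode_name("sharoncave.ca") + struct.pack("!HH", 1, 1)
# Constructed from the thread's REFUSED reply: id 36094, flags 'qr rd', no RRs.
REFUSED_REPLY = struct.pack("!HHHHHH", 36094, 0x8105, 1, 0, 0, 0) + QUESTION
# Constructed from the DLZ server's reply ('qr aa rd ra', 1 answer, 1 NS).
AUTHORITATIVE_REPLY = struct.pack("!HHHHHH", 10666, 0x8580, 1, 1, 1, 0) + QUESTION
# Constructed from the forwarded reply ('qr rd ra', 2 answers, 1 NS, 1 extra).
FORWARDED_REPLY = struct.pack("!HHHHHH", 53342, 0x8180, 1, 2, 1, 1) + QUESTION
```

The 31-byte REFUSED reply matches the "MSG SIZE rcvd: 31" in the dig output above, since a refusal carries only the header and the echoed question.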

kavius 10-01-2012 04:29 PM

Not as solved as I thought it was. I am still not getting valid responses from "other" domain servers. Is this just a question of waiting for the data to replicate? I would have thought that would have happened by now.

zhjim 10-02-2012 01:16 AM

Quote:

Originally Posted by bathory (Post 4794060)
Note that 208.88.4.232/24 is not a valid subnet notation, so check with your network guys and use the correct one. Same goes for for 208.88.5.245, if you want to allow recursion for more hosts in this subnet

Why is 208.88.4.232/24 not a valid subnet notation? It is surely not the right subnet to use, as I doubt that one holds a whole /24 public IP set, but it is still a valid notation... Isn't it?

When doing a dig +trace sharoncave.ca I get a
Code:

sharoncave.ca.                86400        IN        NS        ns2.plaidsheep.ca.
sharoncave.ca.                86400        IN        NS        ns1.plaidsheep.ca.
;; Received 78 bytes from 198.182.167.1#53(j.ca-servers.ca) in 28 ms

ca.                        136263        IN        NS        z.ca-servers.ca.
ca.                        136263        IN        NS        tld.isc-sns.net.
ca.                        136263        IN        NS        sns-pb.isc.org.
ca.                        136263        IN        NS        a.ca-servers.ca.
ca.                        136263        IN        NS        c.ca-servers.ca.
ca.                        136263        IN        NS        e.ca-servers.ca.
ca.                        136263        IN        NS        f.ca-servers.ca.
ca.                        136263        IN        NS        j.ca-servers.ca.
ca.                        136263        IN        NS        k.ca-servers.ca.
ca.                        136263        IN        NS        l.ca-servers.ca.
;; BAD REFERRAL
;; Received 227 bytes from 208.88.5.245#53(ns1.plaidsheep.ca) in 125 ms

BAD REFERRAL. Dunno what this means but I'd say the "next hop" is not configured right.

Just a dig sharoncave.ca gives a SERVFAIL under status.

I got some work to do. But I'll check back later.

bathory 10-02-2012 09:08 AM

@OP
Quote:

recursion yes;
Don't use that, as it will allow your dns server to be used as a resolver for anyone. You have to specify the hosts/networks that are allowed to do recursive queries to your server by using the "allow-recursion ..." option instead.

@zhjim
Quote:

Why is 208.88.4.232/24 not a valid subnet notation? It sure is not the right subnet to use doubting that one holds a whole /24 public ip set but still a valid notation... Isn't it?
A /24 network starts with a "0" in the last octet. So, just as you said, if the OP owns the whole /24 network, he should use 208.88.4.0/24. In other cases he should use the IP/subnet assigned to him by his ISP.

kavius 10-02-2012 11:15 AM

bathory: if I don't allow recursion, forwarding doesn't work? Forwarding appears to be predicated on recursion, and recursion does not appear to do what all the documents say it does.

http://www.zytrax.com/books/dns/ch4/...tml#forwarding

Zytrax states that the forwarding server will contact the other server, get the domain information, cache it, and then send the information on to the client. Based on the DIG trace response, it does not do that; instead it tells the client where it can actually find the information and the client is expected to contact the other server directly.

Is this my problem? Am I using the wrong zone config type? Would a slave configuration be more what I am striving for? If so, what is the point to a forwarding config?

bathory 10-02-2012 11:45 AM

You need recursion, but only for specific clients. If you use "recursion yes;", then as I've told you, anyone in the world can use your server as a resolver, resulting in cache poisoning, DoS, etc.
Quote:

Is this my problem? Am I using the wrong zone config type? Would a slave configuration be more what I am striving for? If so, what is the point to a forwarding config?
I don't like forwarders, so I use the hint zone, so my dns servers are both authoritative and caching.

kavius 10-03-2012 05:33 AM

This leaves the questions standing: If I'm not supposed to use recursion, but I need it for forwarding, what am I supposed to do?

Does forwarding act as a proxy agent (my assumption), or does it act as a redirecting agent (what it looks like at this point)?

How would "hint" achieve the desired effect? For that matter... what does hint do?

kavius 10-03-2012 05:37 AM

Last night, I started configuring it as a master/slave. The reason I chose forwarding was because I didn't want any caching whatsoever and forwarding appeared to achieve that. Forwarding doesn't act as a proxy though.... so there isn't much point in using it.

Slave zones appear closer to what I want. Of course they aren't working either.

bathory 10-03-2012 08:12 AM

Quote:

This leaves the questions standing: If I'm not supposed to use recursion, but I need it for forwarding, what am I supposed to do?
I don't tell you not to use recursion. What I'm telling you is to specify the clients (hosts/networks) that can do recursive queries to your server using the "allow-recursion" option, for security reasons.

Regarding your problem, the only difference I can see from here is that resolving sharoncave.ca using 208.88.5.245 gives a SERVFAIL, not a REFUSED as it did earlier.

kavius 10-03-2012 08:15 AM

Is recursion a prerequisite for forwarding?

At this point, I'm actually questioning if forwarding is what I want.

bathory 10-03-2012 10:09 AM

Quote:

Is recursion a prerequisite for forwarding?
Recursion is not mandatory for an authoritative nameserver. Your dns is authoritative even though it forwards queries to another dns.
You need recursion if you want to use your DNS as a caching nameserver (resolver) for your clients. Have a look here for more details.

kavius 10-03-2012 10:38 AM

So I can have both non-recursion and forwarding. Do I want forwarding?

As I now understand it, based on
Forwarding behaves like this (not the behaviour I am trying to achieve):
Code:

      0
      -+-                +--------------+          +--------------+
      |                + 208.88.5.245 +          + 208.88.4.232 +
______/_\______          +--------------+          +--------------+
      |                        |                          |
      |----- sharoncave.ca? --->|                          |
      |                        |                          |
      |<-- frwd:208.88.4.232 ---|                          |
      |                                                    |
      |----------------------------- sharoncave.ca? ------>|
      |                                                    |
      |<---------------------------- A rec:208.88.4.232 ---|
      |                                                    |


This is the behaviour I am trying to achieve:
Code:

      0
      -+-                  +--------------+          +--------------+
      |                  + 208.88.5.245 +          + 208.88.4.232 +
______/_\______            +--------------+          +--------------+
      |                          |                          |
      |----- sharoncave.ca? ----->|                          |
      |                          |                          |
      |                          |--- sharoncave.ca? ------>|
      |                          |                          |
      |                          |<-- A rec:208.88.4.232 ---|
      |                          |                          |
      |<--- A rec:208.88.4.232 ---|                          |
      |                          |                          |

If this is the behaviour I am seeking, should I be using a different type? (slave?)

bathory 10-03-2012 11:21 AM

Quote:

Do I want forwarding?
Do you?
The authoritative nameservers for your domain are 208.88.5.245 and 208.88.6.207, which both give a SERVFAIL (instead of REFUSED previously).
Anyway looking closer at named.conf you've posted, you have
Quote:

forwarders{208.88.4.232;};
You need to add a blank space after forwarders. I guess that this is why it fails.

kavius 10-03-2012 11:32 AM

Quote:

Originally Posted by bathory (Post 4796153)
Do you?

I'm not sure.

I want the behaviour identified here. If that is called "forwarding", then "yes", otherwise "no".

bathory 10-03-2012 11:58 AM

I'm not sure I understand your figures well, so I'm trying to explain how your DNS is supposed to work.
When a client on the internet wants to visit sharoncave.ca, it queries his DNS.
His DNS looks for a way to resolve the domain and somehow finds that the authoritative nameservers are 208.88.5.245 and 208.88.6.207, so it has to ask one of them.
Say it queries 208.88.5.245. If this server were working correctly, it would forward the query to 208.88.4.232, get the A RR and give the answer to the client. This is DNS forwarding, so make sure that this is what you're trying to achieve.

Now both the authoritative nameservers fail because of some misconfiguration (see my previous post if that's the case), so no one can do the job of resolving your domain.

kavius 10-03-2012 02:38 PM

I think it would be best if I used a master/slave configuration (slave=208.88.5.245, master=208.88.4.232). I believe this behaviour best matches my desired results. I will spend a few days tinkering with that on my own.

One last question: Does 208.88.4.232 appear to be working correctly at this point (it does to me)?

bathory 10-04-2012 12:40 AM

Quote:

Originally Posted by kavius (Post 4796339)
I think it would be best if I used a master/slave configuration (slave=208.88.5.245, master=208.88.4.232). I believe this behaviour best matches my desired results. I will spend a few days tinkering with that on my own.

One last question: Does 208.88.4.232 appear to be working correctly at this point (it does to me)?

I second that. It's better to use a master/slave dns combination, so if one of them fails, the other can still answer authoritatively for your domain(s).

The fact is that now I cannot connect to 208.88.4.232 to use it as a resolver for your domain, but I can ping it.
Quote:

; <<>> DiG 9.9.1-P3 <<>> sharoncave.ca @208.88.4.232
;; global options: +cmd
;; connection timed out; no servers could be reached
Check if bind is running and there is no firewall blocking port 53 udp/tcp and things like that.

Regards

kavius 10-04-2012 05:34 AM

I seem to have this problem now:

http://www.google.ca/url?sa=t&rct=j&...pdZGO5smSLhbrQ

Thanks for your help but suddenly I am dealing with more fundamental problems.

