LinuxQuestions.org
Old 09-30-2012, 06:44 PM   #1
kavius
Member
 
Registered: Feb 2003
Location: Annapolis Royal, NS, CAN
Distribution: Slackware 10.1, Ubuntu
Posts: 70

Rep: Reputation: 16
Bind Forward and DLZ


I have a DNS server that I am planning on phasing out. To do this, I want to forward all of the domains (one at a time) to the new one. The new server is running Bind DLZ. I don't fiddle with DNS often so some of my assumptions may be wrong.

I have a couple of domains configured on the NEW server, but whenever I turn on the forwarding the sites crash. At this time I have a single website setup for a domain I am not currently using (so it isn't the end of the world if it doesn't work).

The NEW server seems to be operating correctly:
Code:
# dig @208.88.4.232 sharoncave.ca

; <<>> DiG 9.7.0-P1 <<>> @208.88.4.232 sharoncave.ca
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10666
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;sharoncave.ca.                 IN      A

;; ANSWER SECTION:
sharoncave.ca.          60      IN      A       208.88.4.232

;; AUTHORITY SECTION:
sharoncave.ca.          60      IN      NS      ns.plaidsheep.ca.

;; Query time: 6 msec
;; SERVER: 208.88.4.232#53(208.88.4.232)
;; WHEN: Sun Sep 30 19:18:39 2012
;; MSG SIZE  rcvd: 75
So I set up forwarding on the OLD server:
Code:
zone "sharoncave.ca" {
        type forward;
        forwarders{208.88.4.232;};
};
I then query the old server, expecting the same results I received from the new server:
Code:
# dig @208.88.5.245 www.sharoncave.ca

; <<>> DiG 9.7.0-P1 <<>> @208.88.5.245 www.sharoncave.ca
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53342
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.sharoncave.ca.             IN      A

;; ANSWER SECTION:
www.sharoncave.ca.      86400   IN      CNAME   sharoncave.ca.
sharoncave.ca.          86400   IN      A       208.88.4.232

;; AUTHORITY SECTION:
sharoncave.ca.          86400   IN      NS      ns.plaidsheep.ca.

;; ADDITIONAL SECTION:
ns.plaidsheep.ca.       86400   IN      A       208.88.5.245

;; Query time: 82 msec
;; SERVER: 208.88.5.245#53(208.88.5.245)
;; WHEN: Sun Sep 30 13:57:05 2012
;; MSG SIZE  rcvd: 109
And I receive the exact same results. So far so good.

The last step is to check how the site is viewed in "The Wild"... I hit it with a web request, and nothing happens. I get a "domain cannot resolve" error.

I'm sure this is close. Is there something wrong with the way the servers are responding that I'm not getting?

BTW: I currently have a completely different set of DNS hosts activated just to get the caches of the world set to something reasonable. Though that doesn't seem to be working either.
 
Old 10-01-2012, 01:33 AM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,910

Rep: Reputation: 1326
Hi,

From here, I get a SERVFAIL running dig www.sharoncave.ca, meaning that the authoritative nameserver(s) for this domain is/are misconfigured.
Doing a trace to find those servers, gives:
Code:
; <<>> DiG 9.9.1-P3 <<>> sharoncave.ca +trace
<-snip->
sharoncave.ca.          86400   IN      NS      ns2.plaidsheep.ca.
sharoncave.ca.          86400   IN      NS      ns1.plaidsheep.ca.
Both those nameservers give a REFUSED answer when trying to resolve your domain. So you need to fix this in the first place.

Note also that when using your dns servers, I get a correct answer from the "old" server (208.88.4.232) and a REFUSED answer from the new one (208.88.5.245).

Regards
 
Old 10-01-2012, 06:00 AM   #3
kavius
Member
 
Registered: Feb 2003
Location: Annapolis Royal, NS, CAN
Distribution: Slackware 10.1, Ubuntu
Posts: 70

Original Poster
Rep: Reputation: 16
It's actually the other way around; the IPs are getting confusing. The new server (better to call it the DLZ server?) is responding correctly, and the forwarding server is giving the REFUSED. ns1 & ns2 are the forwarding server.

I know that server responds correctly for non-forwarded domains, so I have to assume my forwarding is mis-configured. Except the original DIGs I posted are clean, they do however come from a computer inside the network. This is behaving like a multi-variable problem.

I am unsure how to proceed, any suggestions?
 
Old 10-01-2012, 06:57 AM   #4
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,446
Blog Entries: 11

Rep: Reputation: 182
Just an idea.
There is an option that allows certain clients to make certain requests. Maybe you have it active somewhere, so that the old server only allows forward lookups from your internal network...
 
Old 10-01-2012, 07:49 AM   #5
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,910

Rep: Reputation: 1326
I'm confused about the new and the old server.
Anyway, the fact is that none of the authoritative nameservers gives an answer, but they both respond REFUSED as you can see here
Perhaps you can post the full named.conf and the zone file to see why that happens.

Regards
 
Old 10-01-2012, 08:05 AM   #6
kavius
Member
 
Registered: Feb 2003
Location: Annapolis Royal, NS, CAN
Distribution: Slackware 10.1, Ubuntu
Posts: 70

Original Poster
Rep: Reputation: 16
zhjim
Interesting... is that something you would have to turn on, or off. I don't see anything in my options section that would account for that
Code:
options {
    allow-recursion {
        localnets;
        208.88.4.232/24;
    };
    directory "/var";
    auth-nxdomain no;
    pid-file "/var/run/named/named.pid";

//    forward only;
//    forwarders {
//        127.0.0.1;
//    };
};
I am also attaching the full named.conf for reference.

bathory: Sorry, posted this prior to seeing your post. The named.conf I have attached is for the authoritative server. Hope it clears up what my configuration looks like.
Attached Files
File Type: txt named.txt (1.9 KB, 8 views)

Last edited by kavius; 10-01-2012 at 08:11 AM.
 
Old 10-01-2012, 08:27 AM   #7
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,446
Blog Entries: 11

Rep: Reputation: 182
Normally you have to turn it on. Mind that my BIND knowledge is a bit rusty, so take it with a grain of salt.
The allow-recursion option under the options section says who is allowed to use the DNS server recursively (so that the server does all the work). You allowed your local network and the IP of the "new" DNS server.
Within the zone "sharoncave.ca" you define that all queries for that domain are to be forwarded to the new server. I'd say that this is a recursive DNS query? If so, you would need to configure the "old" server to allow the forwarded/recursive queries from everywhere. If that is not the case (forwarding is not a recursive query), then I'm out of ideas.

I read up on this stuff a bit and I always came upon the forward only option within the zone section or options sections. Maybe you have to fiddle with this a bit. I saw that you had it uncommented in your configuration.

Can you raise the debug level and tail the logs when querying the "old" server for the "new" zone?
 
Old 10-01-2012, 10:06 AM   #8
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,910

Rep: Reputation: 1326
You need to allow recursion (and probably queries) to the old server. So check if you have an "allow-query ..." statement and change it accordingly. For recursion use:
Code:
    allow-recursion {
        localnets;
        208.88.4.232/24;
        208.88.5.245;
    };
Note that 208.88.4.232/24 is not a valid subnet notation, so check with your network guys and use the correct one. Same goes for 208.88.5.245, if you want to allow recursion for more hosts in this subnet.
 
Old 10-01-2012, 12:08 PM   #9
kavius
Member
 
Registered: Feb 2003
Location: Annapolis Royal, NS, CAN
Distribution: Slackware 10.1, Ubuntu
Posts: 70

Original Poster
Rep: Reputation: 16
I am looking into the recursion/query/forwarders settings more, and seeing if I have some setting wrong in that area.

Just to clarify discussion to this point: the problem appears to be with the configuration of the forwarding. The DLZ server appears to be sending valid responses but the queries are not being forwarded to the DLZ server correctly.

If I am misunderstanding, please correct me.
 
Old 10-01-2012, 02:11 PM   #10
kavius
Member
 
Registered: Feb 2003
Location: Annapolis Royal, NS, CAN
Distribution: Slackware 10.1, Ubuntu
Posts: 70

Original Poster
Rep: Reputation: 16
Solved... Recursion was restricted. Am working on a full report.
 
Old 10-01-2012, 02:56 PM   #11
kavius
Member
 
Registered: Feb 2003
Location: Annapolis Royal, NS, CAN
Distribution: Slackware 10.1, Ubuntu
Posts: 70

Original Poster
Rep: Reputation: 16
Lightbulb [Solution]

The objective was to create a means of setting up a new DNS server, while slowly phasing out the old DNS server. To do this, it is necessary to maintain the facade of the old server by proxying new information through it. The old server is using configuration files set up by cPanel, while the new server is using DLZ configured by me.

I should have just drawn a diagram to begin with:
Code:
           0
          -+-           <--- Me/You/Someonelse
           |
    ______/_\______
        |     /\
        |     |
        \/    |
   {~~~~~~~~~~~~~~~}
   {    Internet   }    <--- The Wild
   {~~~~~~~~~~~~~~~}
        |     /\
+-Local-|-----|-------+
|       \/    |       |
|  +---------------+  |
|  | Bind (CPanel) |  | <--- Old
|  +---------------+  |
|      |      /\      |
|      |      |       |
|      \/     |       |
|  +---------------+  |
|  |  Bind (DLZ)   |  | <--- New
|  +---------------+  |
|                     |
+---------------------+
Most documentation online is for setting the whole server up as a forwarder. I want to do it one domain at a time. To do this you need to set up the forwarder for the zone; I had configured the zones correctly.
Code:
zone "sharoncave.ca" in {
    type forward;
    forwarders{208.88.4.232;};
};
The problem was in the options section, in particular with the "allow-recursion". Originally, I had misinterpreted allow-recursion to refer to computers it was allowed to recurse to. Instead it is a list of clients that the server is allowed to recurse for. In order for forwarding to work, recursion needed to be configured correctly:
Code:
options {
    /*****************
    * this is on by default, so you do 
    * not *need* to explicitly set it.
    ******************/
    recursion yes;
    /*****************/
	
	
    /*****************
    * Allow recursion explicitly sets the 
    * clients that this server will recurse
    * on behalf of. Since we want it to
    * recurse for everybody, this should
    * either be left empty, or set to
    * some mask that will resolve to everyone
    ******************/
    //allow-recursion {
    //    localnets;
    //    208.88.4.232/24;
    //};
    /*****************/
	
	
	
    /*****************
    * This section is for GLOBAL forwarding, 
    * NOT what we are trying to achieve. So
    * leave it out
    ******************/
    //forward only;
    //forwarders {
    //	127.0.0.1;
    //};
    /*****************/
};
This explains why it was working when I ran dig from inside the network, the computer I was querying from was inside the "localnets" list, and therefore explicitly allowed. When I commented out that section, outside computers performing the query suddenly started getting correct responses.

The Big Clue
... that I missed. The error message received when running dig:
Code:
; <<>> DiG 9.7.0-P1 <<>> @ns1.plaidsheep.ca sharoncave.ca A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 36094
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available  <============================ !!!!!!!!!!!!
;; QUESTION SECTION:
;sharoncave.ca.	 IN	A
;; Query time: 17 msec
;; SERVER: 208.88.5.245#53(208.88.5.245)
;; WHEN: Mon Oct 1 19:11:30 2012
;; MSG SIZE rcvd: 31
Thank you for the help.

Point of interest... if I dig my nameserver, everything seems to be fine. If I dig The Wild, I get a bad response. I am assuming this is because someone out there has bad information cached.

Last edited by kavius; 10-01-2012 at 03:12 PM.
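The REFUSED answer quoted above carries two indicators that can be read mechanically: the status in the header line, and the fact that the flags line shows `rd` (the client asked for recursion) but no `ra` (the server does not offer it to this client), which is exactly what the "recursion requested but not available" warning spells out. The earlier transcripts in the thread show the other two shapes: `aa` set means an authoritative answer, while `ra` without `aa` means the answer came from recursion or forwarding. As an added example that is not code from the original post, here is a small Python triage routine that parses those dig header lines and names the condition; the transcripts it parses are constructed samples using `example.test` and RFC 5737 addresses, not the thread's servers.

```python
import re

# Constructed dig transcripts (example.test and RFC 5737 addresses, not the
# thread's servers). Only the header, flags and warning lines matter here.
REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 36094
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;example.test.\t\tIN\tA
;; SERVER: 192.0.2.53#53(192.0.2.53)
"""

AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10666
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; ANSWER SECTION:
example.test.\t\t60\tIN\tA\t192.0.2.10
"""

FORWARDED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53342
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.test.\t86400\tIN\tCNAME\texample.test.
example.test.\t\t86400\tIN\tA\t192.0.2.10
"""

HEADER_RE = re.compile(r"status: ([A-Z]+), id: (\d+)")
FLAGS_RE = re.compile(
    r"^;; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)",
    re.M,
)
RECURSION_WARNING = "recursion requested but not available"


def parse_dig(text):
    """Extract status, flag set and section counts from a dig transcript."""
    header = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not header or not flags:
        raise ValueError("no dig header/flags lines found")
    return {
        "status": header.group(1),
        "flags": set(flags.group(1).split()),  # e.g. {"qr", "rd"}: rd set, ra absent
        "answer": int(flags.group(3)),
        "authority": int(flags.group(4)),
        "recursion_warning": RECURSION_WARNING in text,
    }


def diagnose(info):
    """Name the condition a defender would look for in each response shape."""
    status, flags = info["status"], info["flags"]
    if status == "REFUSED" and info["recursion_warning"]:
        # The client set rd, the server answered without ra: this client is
        # outside allow-recursion, and the name is not served authoritatively
        # here (a forward zone needs recursion to be answered at all).
        return "REFUSED: recursion requested but not offered to this client (allow-recursion ACL)"
    if status == "REFUSED":
        return "REFUSED: query denied (allow-query ACL)"
    if status == "SERVFAIL":
        return "SERVFAIL: server could not complete resolution (forwarders or zone data)"
    if status == "NOERROR" and "aa" in flags:
        return "NOERROR: authoritative answer"
    if status == "NOERROR" and "ra" in flags and info["answer"] > 0:
        return "NOERROR: recursive (forwarded or cached) answer, not authoritative"
    if status == "NOERROR":
        return "NOERROR: no records of that type"
    return status


if __name__ == "__main__":
    for name, sample in (("refused", REFUSED), ("authoritative", AUTHORITATIVE), ("forwarded", FORWARDED)):
        print(f"{name:14s} -> {diagnose(parse_dig(sample))}")
```

Running it prints one diagnosis per constructed transcript. The useful habit is to run the same query from inside and from outside the network and compare the `ra` flag: a server that is meant to be authoritative only should not be handing `ra` to arbitrary outside clients, and a forward zone that works only from inside points straight at the allow-recursion list.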
 
Old 10-01-2012, 04:29 PM   #12
kavius
Member
 
Registered: Feb 2003
Location: Annapolis Royal, NS, CAN
Distribution: Slackware 10.1, Ubuntu
Posts: 70

Original Poster
Rep: Reputation: 16
Not as solved as I thought it was. I am still not getting valid responses from "other" domain servers. Is this just a question of waiting for the data to replicate? I would have thought that would have happened by now.
 
Old 10-02-2012, 01:16 AM   #13
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,446
Blog Entries: 11

Rep: Reputation: 182
Quote:
Originally Posted by bathory
Note that 208.88.4.232/24 is not a valid subnet notation, so check with your network guys and use the correct one. Same goes for for 208.88.5.245, if you want to allow recursion for more hosts in this subnet
Why is 208.88.4.232/24 not a valid subnet notation? It sure is not the right subnet to use, doubting that one holds a whole /24 public IP set, but still a valid notation... Isn't it?

When doing a dig +trace sharoncave.ca I get a
Code:
sharoncave.ca.		86400	IN	NS	ns2.plaidsheep.ca.
sharoncave.ca.		86400	IN	NS	ns1.plaidsheep.ca.
;; Received 78 bytes from 198.182.167.1#53(j.ca-servers.ca) in 28 ms

ca.			136263	IN	NS	z.ca-servers.ca.
ca.			136263	IN	NS	tld.isc-sns.net.
ca.			136263	IN	NS	sns-pb.isc.org.
ca.			136263	IN	NS	a.ca-servers.ca.
ca.			136263	IN	NS	c.ca-servers.ca.
ca.			136263	IN	NS	e.ca-servers.ca.
ca.			136263	IN	NS	f.ca-servers.ca.
ca.			136263	IN	NS	j.ca-servers.ca.
ca.			136263	IN	NS	k.ca-servers.ca.
ca.			136263	IN	NS	l.ca-servers.ca.
;; BAD REFERRAL
;; Received 227 bytes from 208.88.5.245#53(ns1.plaidsheep.ca) in 125 ms
BAD REFERRAL. Dunno what this means but I'd say the "next hop" is not configured right.

Just a dig sharoncave.ca gives a SERVFAIL under status.

I got some work to do. But I'll check back later.
 
Old 10-02-2012, 09:08 AM   #14
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,910

Rep: Reputation: 1326
@OP
Quote:
recursion yes;
Don't use that, as it will allow your dns server to be used as a resolver for anyone. You have to specify the hosts/networks that are allowed to do recursive queries to your server by using the "allow-recursion ..." option instead.

@zhjim
Quote:
Why is 208.88.4.232/24 not a valid subnet notation? It sure is not the right subnet to use doubting that one holds a whole /24 public ip set but still a valid notation... Isn't it?
A /24 network starts with a "0" in the last octet. So, just as you said, if OP owns the whole /24 network, he should use 208.88.4.0/24. In other cases he should use the IP/subnet assigned to him by his ISP.
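This post and post #8 make two points that are easy to check in code: allow-recursion is an ACL of clients the server will recurse for (so a bare "recursion yes" with no ACL is an open resolver), and 208.88.4.232/24 is a prefix with host bits set, whose /24 is really 208.88.4.0/24. As an added example that is not code from the thread, here is a Python evaluator for a BIND-style allow-recursion list using BIND's first-match, `!`-negation semantics. Since BIND derives `localnets` and `localhost` from the server's own interfaces, they are modelled here with constructed RFC 5737 and loopback networks (an assumption); the 208.88.x entries are the ones quoted in the thread, and the outside client address is a documentation address.

```python
import ipaddress

# Assumed stand-ins for BIND's built-in ACLs. In BIND these come from the
# server's interfaces; here they are constructed for the example.
LOCALNETS = [ipaddress.ip_network("192.0.2.0/24")]
LOCALHOST = [ipaddress.ip_network("127.0.0.1/32"), ipaddress.ip_network("::1/128")]
ANY = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]


def parse_acl(entries):
    """Parse named.conf ACL elements ("localnets;", "!10.0.0.0/8;", "any;").

    Returns (rules, warnings): rules is an ordered list of (negated, networks),
    warnings lists open-resolver and malformed-prefix findings.
    """
    rules, warnings = [], []
    for raw in entries:
        elem = raw.strip().rstrip(";").strip()
        negated = elem.startswith("!")
        if negated:
            elem = elem[1:].strip()
        if elem == "any":
            nets = ANY
            if not negated:
                warnings.append("'any' lets every client recurse through this server (open resolver)")
        elif elem == "none":
            nets = []
        elif elem == "localhost":
            nets = LOCALHOST
        elif elem == "localnets":
            nets = LOCALNETS
        else:
            try:
                nets = [ipaddress.ip_network(elem)]          # strict: host bits must be zero
            except ValueError:
                fixed = ipaddress.ip_network(elem, strict=False)
                warnings.append(f"{elem}: host bits set, treating as {fixed}")
                nets = [fixed]
        rules.append((negated, nets))
    return rules, warnings


def may_recurse(client, rules):
    """First matching element decides; a negated match denies; no match denies."""
    ip = ipaddress.ip_address(client)
    for negated, nets in rules:
        if any(ip.version == net.version and ip in net for net in nets):
            return not negated
    return False


if __name__ == "__main__":
    # The list from the thread's options block plus the new server's address.
    rules, warnings = parse_acl(["localnets;", "208.88.4.232/24;", "208.88.5.245;"])
    for w in warnings:
        print("warning:", w)
    for client in ("192.0.2.5", "208.88.4.10", "208.88.5.245", "198.51.100.10"):
        print(f"{client:15s} recursion allowed: {may_recurse(client, rules)}")
```

The last client in the demo, an outside address, is denied, which is why a forward-only zone on that server answered from the inside and returned REFUSED from the wild: a forward zone can only be answered by recursing, and the ACL decided who may ask for that. The fix that keeps the server from becoming an open resolver is to list the clients and peer servers that legitimately need recursion, not to drop the ACL altogether.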
 
Old 10-02-2012, 11:15 AM   #15
kavius
Member
 
Registered: Feb 2003
Location: Annapolis Royal, NS, CAN
Distribution: Slackware 10.1, Ubuntu
Posts: 70

Original Poster
Rep: Reputation: 16
bathory: if I don't allow recursion, forwarding doesn't work? Forwarding appears to be predicated on recursion, and recursion does not appear to do what all the documents say it does.

http://www.zytrax.com/books/dns/ch4/...tml#forwarding

Zytrax states that the forwarding server will contact the other server, get the domain information, cache it, and then send the information on to the client. Based on the DIG trace response, it does not do that; instead it tells the client where it can actually find the information and the client is expected to contact the other server directly.

Is this my problem? Am I using the wrong zone config type? Would a slave configuration be more what I am striving for? If so, what is the point to a forwarding config?

Last edited by kavius; 10-03-2012 at 05:17 AM.
 
  

