LinuxQuestions.org

Linux - Networking: BIND - reverse dns queries only working locally, forward dns works fine. (https://www.linuxquestions.org/questions/linux-networking-3/bind-reverse-dns-queries-only-working-locally-forward-dns-works-fine-899375/)

SloS13 08-25-2011 07:29 AM

BIND - reverse dns queries only working locally, forward dns works fine.
 
I'm in way over my head here. I help run a very small hosting company. We recently moved from Windows 2000 DNS to BIND on Ubuntu, configuring with Webmin.

I'm more comfortable with Windows so I'm using NSLOOKUP to test the rDNS.

A,CNAME,MX records are working fine outside and inside the network, but PTR records are only working internally. The only reason I need a PTR record working is because AOL rejects email servers without one. I really appreciate any expertise you can lend. I've been struggling with this for over a week :(


Here are the results from NSLOOKUP
Code:

> server 67.33.14.19
Default Server:  [67.33.14.19]
Address:  67.33.14.19

> 67.33.14.7
Server:  [67.33.14.19]
Address:  67.33.14.19

Name:    femailex.futrtech.com
Address:  67.33.14.7

> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> 67.33.14.7
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

*** google-public-dns-a.google.com can't find 67.33.14.7: Server failed
>

Thanks for looking

bathory 08-25-2011 08:52 AM

Hi,

Are you using views? Chances are that you have the reverse zone defined only in the view for the internal network.
Could you post named.conf and the reverse zone file (masking any sensitive info)?
Was the zone working on windows 2000 dns?

Regards

SloS13 08-25-2011 09:18 AM

Thanks for the reply. Please let me know if there's any more information that might be helpful!

I don't think I'm using views. Sorry for the horrible answer. Everything was working fine on the Windows 2000 server. For some reason, though, reverse zones did not come over when I set up the Ubuntu server as a slave, so I put in PTR records for everything and experimented with a reverse zone with one particular IP/domain.

As a side question, in the Webmin menu you can have "Reverse master zones" and "Forward zones with PTR records". Are these the same thing?


Here is my named.conf
Code:

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

server [slave ip address protected] {
        transfers 1000;
        transfer-format many-answers;
};
key rndc-key {
        algorithm hmac-md5;
        secret "[PROTECTED]";
};
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
};

trusted-keys {
        dlv.isc.org. 257 3 5 "[PROTECTED]";
};

named.conf.options
Code:


options {
        directory "/var/cache/bind";

allow-recursion-on { any; };
    allow-query { any; };
    allow-query-cache { any; };


        forwarders {
                12.127.17.71;
                12.127.17.72;
                8.8.8.8;
                8.8.4.4;
                };
        forward first;
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside . trust-anchor dlv.isc.org.;
};


I have a named.conf.local with all of my domains in it.

Code:

//include "/etc/bind/zones.rfc1918";

................................. (boring stuff removed)
zone "somedomain.com" {
        type master;
        file "/var/lib/bind/somedomain.com.hosts";
        also-notify {
                [slave server IP];
        };
        notify yes;
};
zone "1.2.3.4.in-addr.arpa" {
        type master;
        file "/var/lib/bind/1.2.3.4.rev";  [contents of this file next code block]
        also-notify {
                [slave server IP];
        };
        notify yes;
};
................................. (boring stuff removed)

/var/lib/bind/1.2.3.4.rev [IP PROTECTED]

Code:

$ttl 38400
4.3.2.1.in-addr.arpa.        IN        SOA        ns1.[mydomain].com. dnsadmin.[mydomain].com. (
                        1313590355
                        10800
                        3600
                        604800
                        38400 )
4.3.2.1.in-addr.arpa.        IN        NS        ns1.[mydomain].com.
4.3.2.1.in-addr.arpa.        IN        NS        ns2.[mydomain].com.
4.3.2.1.in-addr.arpa.        IN        PTR        [webdomain].com.


bathory 08-25-2011 12:46 PM

Hi,
Quote:

As a side question, in the Webmin menu you can have "Reverse master zones" and "Forward zones with PTR records". Are these the same thing?
Unfortunately I don't use webmin, so I don't know what that means.

For the rest:
You don't need forwarders as you're running an authoritative name server. I guess that you have the hint zone included, so it can be used for resolving the rest of the domains.
Remove the forward and forwarders options, restart bind and see if it works before proceeding further. It should work as it works from inside your network.

Regarding the reverse zone, the zone name is different in named.conf.local and in the SOA in the zone file (1.2.3.4.in-addr.arpa. vs 4.3.2.1.in-addr.arpa.). Maybe it's a typo again, but in general a reverse zone uses only the first 3 octets of the IP address in reverse order, like 2.3.4.in-addr.arpa.

Using dig and info from your 1st post, I think that your ISP has assigned you only a subnet (128 IPs) of the whole 4.3.2.0/24 network. That's why I asked you if it was working before on Windows: to verify if the subnet delegation is already done.
That said, you may need to use 0/25.2.3.4.in-addr.arpa as a zone name. You may need to contact your ISP to verify this.

There is also an error (I guess it's a typo) in named.conf.options:
Quote:

allow-recursion-on { any; };
should be:
Code:

allow-recursion { any; };
BTW, better control who can use recursion on your DNS server.
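The three checks in the reply above (deriving the reverse zone name from the delegated prefix, catching the mismatch between the zone name in named.conf.local and the SOA owner in the zone file, and spotting the allow-recursion-on typo plus unrestricted recursion) can be scripted. The following is an added example written for this thread, not code from either poster or from BIND itself; the sample zone file uses constructed names (ns1.example.com.), the sample options text is the snippet quoted earlier in the thread, and the RFC 2317 style name for prefixes longer than /24 follows the 0/25.2.3.4.in-addr.arpa form the reply mentions.

```python
"""Reverse-zone sanity checks for a BIND setup (added example, not from the thread)."""
import ipaddress
import re


def reverse_zone_name(cidr: str) -> str:
    """Return the in-addr.arpa zone that should hold PTR records for `cidr`.

    /8, /16 and /24 map to the classic octet-reversed name
    (4.3.2.0/24 -> 2.3.4.in-addr.arpa). Prefixes longer than /24 use the
    RFC 2317 classless form (4.3.2.0/25 -> 0/25.2.3.4.in-addr.arpa), which
    only resolves if the ISP has delegated that exact name to you.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only")
    octets = str(net.network_address).split(".")
    plen = net.prefixlen
    if plen in (8, 16, 24):
        return ".".join(reversed(octets[: plen // 8])) + ".in-addr.arpa"
    if 24 < plen <= 32:
        return f"{octets[3]}/{plen}." + ".".join(reversed(octets[:3])) + ".in-addr.arpa"
    raise ValueError(f"/{plen} does not map to a single in-addr.arpa zone")


# Matches the owner name of the SOA record; the optional middle group is a TTL.
SOA_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+SOA\s", re.IGNORECASE | re.MULTILINE)


def soa_owner(zone_file_text: str) -> str:
    """Owner name of the zone file's SOA record, lower-cased, trailing dot removed."""
    m = SOA_RE.search(zone_file_text)
    if not m:
        raise ValueError("no SOA record found")
    return m.group(1).rstrip(".").lower()


def zone_name_mismatch(configured_zone: str, zone_file_text: str):
    """None if the named.conf zone name and the SOA owner agree, else (configured, owner).

    An owner of '@' means 'the zone apex' and always agrees.
    """
    configured = configured_zone.rstrip(".").lower()
    owner = soa_owner(zone_file_text)
    if owner == "@" or owner == configured:
        return None
    return (configured, owner)


def audit_options(options_text: str) -> list:
    """Flag the named.conf.options problems discussed in the thread."""
    findings = []
    if re.search(r"\ballow-recursion-on\b", options_text):
        findings.append("unknown option 'allow-recursion-on' (did you mean allow-recursion?)")
    if re.search(r"\ballow-recursion\s*\{\s*any\s*;\s*\}", options_text):
        findings.append("allow-recursion { any; } makes this an open resolver; "
                        "limit it to your own address ranges")
    if re.search(r"\bforwarders\s*\{", options_text) and re.search(r"\brecursion\s+yes\s*;", options_text):
        findings.append("forwarders configured alongside recursion yes; an authoritative-only "
                        "server does not need them")
    return findings


# Constructed zone file in the shape posted in the thread, with masked names replaced.
SAMPLE_ZONE = """$ttl 38400
4.3.2.1.in-addr.arpa.        IN        SOA        ns1.example.com. dnsadmin.example.com. (
                        1313590355
                        10800
                        3600
                        604800
                        38400 )
4.3.2.1.in-addr.arpa.        IN        NS        ns1.example.com.
4.3.2.1.in-addr.arpa.        IN        PTR       mail.example.com.
"""

# Options fragment as quoted in the thread (typo included).
THREAD_OPTIONS = """options {
        directory "/var/cache/bind";
        allow-recursion-on { any; };
        allow-query { any; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        forward first;
        recursion yes;
};
"""

# Constructed hardened variant: typo fixed, forwarders dropped, recursion restricted.
HARDENED_OPTIONS = """options {
        directory "/var/cache/bind";
        allow-recursion { 127.0.0.1; 4.3.2.0/25; };
        allow-query { any; };
        recursion yes;
};
"""

if __name__ == "__main__":
    print("zone for 4.3.2.0/25:", reverse_zone_name("4.3.2.0/25"))
    print("mismatch:", zone_name_mismatch("1.2.3.4.in-addr.arpa", SAMPLE_ZONE))
    for line in audit_options(THREAD_OPTIONS):
        print("thread options:", line)
    print("hardened findings:", audit_options(HARDENED_OPTIONS))
```

Running it against the thread's own snippets reports the named.conf.local/SOA mismatch (1.2.3.4 vs 4.3.2.1) and two option findings (the typo and the forwarders); the hardened fragment yields none. Whether 0/25.2.3.4.in-addr.arpa is the right zone still depends on the ISP having delegated that name, which only a lookup against the parent 2.3.4.in-addr.arpa zone (or the ISP) can confirm.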

