LinuxQuestions.org


rbees 02-11-2009 04:47 PM

Can't get my head around dns configuration.
 
Ladies & Gents,

Thanks again for this great resource. I wish I had the knowledge to be more help to other people with their questions.

I am setting up my third generation linux firewall. This time around there is no gui installed. The base os is debian lenny. I have the system locked down as best I can and have started the install of the rest of the system. My snag is with the interaction between dhcp and bind.

What I am trying to do is to get local name resolution with a fqdn. I have a small testing network set up that I can connect to. In the dhcp config file I have several static ip's set for the various machines that will eventually be connected when I bring this firewall online.

When I do a nslookup on the firewall box for the firewall it comes back with the ip:). But when I try with the name of the other box I get nothing:(. The instructions I have been using for this phase, page 3 ( http://www.debuntu.org/how-to-set-a-...es-debian-etch ) say that I should have full local name res now. I have tried to follow exactly only using my ip's and domain name and I have not gone on to page 4.

I did read in one thread that the key had to be in the file on all the machines or the authentication would fail when it tried to update the data base. I don't seem to be getting the data base updated. It occurs to me that this may be because I have set the ip's assigned by dhcp to be static. If this is the case do I need to build the data base by hand?

The last time I tried to setup dns I failed miserably and gave up, I just couldn't get my head around it.

I wonder also if part of my problem is that the instructions are for etch and I am running lenny. I think some of my problem is that the local machine is not setup to access the setup on the firewall correctly. I know that changes in resolv.conf get overwritten on reboot, I learned that much the last time I tried this.

Thanks for what help you can give.

rbees 02-12-2009 04:30 PM

I am sorry that I tend to ramble.

Some more info; from the firewall nslookup www.google.com resolves, but nslookup Torah.disiple.local does not with
Code:

** server can't find Torah.disiple.local: NXDOMAIN

These don't work from the other machine on this small network and it spits back
Code:

;; connection timed out; noserver could be reached

I am not able to ping outside this testing network because I have not gotten that far yet, but I am able to ping the firewall from the other box.

From the system installs I have done I remember that the domain name has to be recorded in the system somewhere but I am not sure I am using the correct file. I did add a line in /etc/hosts
Code:

192.168.7.11 Torah.disiple.local distraction
I connected my laptop up to the testing network and it was assigned one of the dynamic ip's like it should have been but the dns data base files were not updated with its info. All other commands work like they do from the desktop.

Another thing I have noticed that is not necessarily related to this is that my linux boxes don't report their machine name to my production firewall/dhcp server. How do I change that?

Thanks for the help.

rbees 02-12-2009 05:01 PM

OK this is strange. I have rebooted both machines on the testing network and I ran "nslookup distraction" from the firewall and it returned two ip's that are not the ip of the desktop. I still get nothing from the desktop. So I ran nslookup again with the firewall name and it came back with the same two ip's that it gave for the desktop.

One of the ip's comes back as belonging to Verizon Business. The other one comes back to an Internet search provider. I used a local name and I thought that it should resolve a local ip.

So I did ifdown eth0 and disabled the connection to the plastic box router that gives my testing network access to my local network and now nslookup returns the same on the firewall as it does on the desktop. So it seems that I am not getting any local name res. I would post my config files but the server has no gui and getting the files off it and to another box with access to the internet is a hassle, but I will do so if it will help.

Thanks

routers 02-12-2009 10:11 PM

i know how to setup dns server primary and secondary. but from the info you've given i am a bit blur, first what i see is you're building internal dns server (invalid for external)

btw i will try to help, go to your DNS SERVER TERMINAL do

nslookup 192.168.7.11 localhost
--what output you get--

nslookup Torah.disiple.local localhost
--what output you get --

cat /etc/resolv.conf
--what output you get --

let us see maybe someone could help

chort 02-13-2009 01:13 AM

It's impossible to help with this problem if you don't post the contents of named.conf and your zone files.

rbees 02-14-2009 08:14 PM

Thanks for responding.

routers

Code:

#nslookup 192.168.7.11 localhost
;;Got SERVFAIL reply form 127.0.0.1, trying next server
;;Got SERVFAIL reply form 127.0.0.1, trying next server
Server:                localhost
Address:        ::1#53

**server can't find 11.7.168.192.in-addr.arpa: SERVFAIL


Mind you I had some spelling inconsistencies in my files and I may still have so the naming has changed a little.

Code:

# nslookup Torah_disciple.local localhost
;; Got SERVFAIL reply from 127.0.0.1q trying next server
Server:                localhost
Address:        ::#:53

** server can'd find Torah_disciple.local: NXDOMAIN

Also I am entering this by hand so there may be errors here too.

resolv.conf
Code:

domain Torah_disciple.local
search Torah_disciple.local
nameserver 192.168.7.1
nameserver 24.247.15.53
nameserver 24.247.24.53

These are transferred by floppy.
named.local.conf
Code:

# allow dns updates from localhost with key "rndc-key"
include "/etc/bind/rndc.key";
controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

# defines Torah_disciple.local
zone "Torah_disciple.local" {
        type master;
                file "db.Torah_disciple.local";
                allow-update { key "rndc-key"; };
};

# defines our local subnet 192.168.7.0/24
zone "7.168.192.in-addr.arpa" {
        type master;
        notify no;
        file "db.7.168.192";
        allow-update { key "rndc-key"; };
};
# end added section

dhcpd.conf
Code:

server-identifier router;
authoritative;
ddns-update-style interim;
include "/etc/bind/rndc.key";

zone Torah_disiple.local. {
        primary 127.0.0.1;
        key "rndc-key";
}

option domain-name "Torah_disiple.local";
option domain-name-servers ns.Torah_disiple.local, 24.247.15.53, 24.247.24.53;
default-lease-time 21600;
max-lease-time 43200;
log-facility local7;

subnet 192.168.7.0 netmask 255.255.255.0 {
        range 192.168.7.20 192.168.7.23;
        option routers router.Torah_disiple.local;
#        option ip-forwarding off;
        zone 7.168.192.in-addr.arpa. {
                primary ns.Torah_disiple.local;
                key "rndc-key";
        }
        zone        Torah_disiple.local. {
                primary ns.Torah_disiple.local;
                key "rndc-key";
        }
}

# static addresses
        host Netgear-wireless {
        hardware ethernet 00:18:4d:22:c8:63;
        fixed-address 192.168.7.2;
        }
more static addresses

db.Torah_disciple.local
Code:

;
; Zone file for Torah_disciple.local
;
; The full zone file
;
$TTL 3D
@        IN        SOA        ns.Torah_disciple.local. (
        20090212; serial, todays date + todays serial #
        8H        ; refresh, seconds
        2H        ; retry, seconds
        4W        ; expire, seconds
        1D )        ; minimum, seconds
;
@        IN        NS        ns.Torah_disciple.local.
@        IN        A        192.168.7.1        ; IP address
;
bamod-aish        IN        A        192.168.7.1
netgear                IN        A        192.168.7.2
rest of database

db.7.168.192
Code:

$TTL 3D
@        IN        SOA        Torah_disciple.local.
        20090212; serial, todays date + todays serial #
        8H        ; refresh, seconds
        2H        ; retry, seconds
        4W        ; expire, seconds
        1D        ; minimum, seconds
;
@        IN        NS        ns.
1        IN        PTR        Torah_disciple.local.
;
1        IN        PTR        bamod-aish
2        IN        PTR        netgear
rest of database

To clarify my objective. I want this to be a local nameserver that is also a caching nameserver. Eventually I want to bring a webserver and a mailserver online with this dns/firewall hosting my dynamic-dns as primary. But to start with I need the local part to work so that as I learn more I can add things in.

Thanks for any help you can give me.

chort 02-14-2009 09:25 PM

Quote:

option domain-name-servers ns.Torah_disiple.local, 24.247.15.53, 24.247.24.53;
DNS servers have to be specified by IP, not by hostname. How are you supposed to lookup the name of a DNS server to know what IP to do DNS lookups at if you don't have a DNS server IP yet?

Quote:

@ IN NS ns.Torah_disciple.local.
@ IN A 192.168.7.1 ; IP address
;
bamod-aish IN A 192.168.7.1
netgear IN A 192.168.7.2
rest of database
Where's the A record for ns.Torah_disciple.local.? How do we know what IP it is?

Quote:

@ IN NS ns.
Huh? That's not going to work at all. It needs to be a fully-qualified domain name. I'm assuming it should be ns.Torah_disciple.local.

Quote:

1 IN PTR Torah_disciple.local.
;
1 IN PTR bamod-aish
2 IN PTR netgear
rest of database
You have two PTRs defined for 192.168.7.1, you can't do that. Also, bamod-aish and netgear must be fully-qualified. Right now 2.7.168.192.in-addr.arpa. points to netgear.7.168.192.in-addr.arpa. That's nonsense.

There are probably some other problems that haven't jumped out at me yet.

Please post the full zone file for Torah_disciple.local and 7.168.192.in-addr.arpa. Also, restart named (after making the changes I pointed out) and do this:
$ sudo grep named /var/log/messages

Post the output.

chort 02-14-2009 09:27 PM

PS Also put your full named.conf. If you have an rndc-key in there, you can blank it out.

routers 02-14-2009 09:37 PM

DNS Server /etc/resolv.conf , this for testing nameserver
Code:

domain Torah_disciple.local
search Torah_disciple.local
nameserver 127.0.0.1
#nameserver 24.247.15.53
#nameserver 24.247.24.53

also can i have output of
# cat /etc/hosts |grep local

# netstat -tanp |grep 53

rbees 02-15-2009 09:39 AM

Thanks

Reposting the modified files.

named.conf.local
Code:

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
# Should I enable this line?
//include "/etc/bind/zones.rfc1918";

# ****** the following added per instructions ******

# allow dns updates from localhost with key "rndc-key"
include "/etc/bind/rndc.key";
controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

# defines Torah_disciple.local
zone "Torah_disciple.local" {
        type master;
                file "db.Torah_disciple.local";
                allow-update { key "rndc-key"; };
};

# defines our local subnet 192.168.7.0/24
zone "7.168.192.in-addr.arpa" {
        type master;
        notify no;
        file "db.7.168.192";
        allow-update { key "rndc-key"; };
};
# end added section

I have not changed this file since it was installed.

named.conf
Code:

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";

I have a question about the line
"option routers router.Torah_disiple.local;" Should this be changed too because the name router does not exist in my setup or is this a generic name?

Also I have read somewhere that I need to generate a rndc key and place it (or a link to it) in these files in place of "rndc-key" on the dns/router and on the machines that will be dynamically updating the data base. That seemed like more work than to just assign static ip's to all the machines that are regularly connected to my network, so I opted to use the static method. Should I comment out (remove) those lines?

dhcpd.conf
Code:

server-identifier router;
authoritative;
ddns-update-style interim;
include "/etc/bind/rndc.key";

zone Torah_disiple.local. {
        primary 127.0.0.1;
        key "rndc-key";
}

option domain-name "Torah_disiple.local";
option domain-name-servers 192.168.7.1, 24.247.15.53, 24.247.24.53;
default-lease-time 21600;
max-lease-time 43200;
log-facility local7;

subnet 192.168.7.0 netmask 255.255.255.0 {
        range 192.168.7.20 192.168.7.23;
        option routers router.Torah_disiple.local;
#        option ip-forwarding off;
        zone 7.168.192.in-addr.arpa. {
                primary bamod-aish.Torah_disiple.local;
                key "rndc-key";
        }
        zone        Torah_disiple.local. {
                primary bamod-aish.Torah_disiple.local;
                key "rndc-key";
        }
}

# static addresses
        host Netgear-wireless { # Do these names have to match the names in the other files,
# and do they have to match the actual name of the machine?
        hardware ethernet 00:18:4d:22:c8:63;
        fixed-address 192.168.7.2;
        }
rest of assigned static ip's just like the assignment above except for my comment line question.

db.Torah_disciple.local
Code:

;
; Zone file for Torah_disciple.local
;
; The full zone file
;
$TTL 3D
@        IN        SOA        bamod-aish.Torah_disciple.local. (
        20090212; serial, todays date + todays serial #
        8H        ; refresh, seconds
        2H        ; retry, seconds
        4W        ; expire, seconds
        1D )        ; minimum, seconds
;
bamod-aish        IN        A        192.168.7.1
netgear                IN        A        192.168.7.2
rest of database just like the lines above

db.7.168.192
Code:

$TTL 3D
@        IN        SOA        Torah_disciple.local.
        20090212; serial, todays date + todays serial #
        8H        ; refresh, seconds
        2H        ; retry, seconds
        4W        ; expire, seconds
        1D        ; minimum, seconds
;
1        IN        PTR        bamod-aish.Torah_disciple.local
2        IN        PTR        netgear.Torah_disciple.local
rest of database just like the lines above

netstat.ls
Code:

tcp        0      0 192.168.3.1:53          0.0.0.0:*              LISTEN      2791/named     
tcp        0      0 192.168.7.1:53          0.0.0.0:*              LISTEN      2791/named     
tcp        0      0 192.168.1.101:53        0.0.0.0:*              LISTEN      2791/named     
tcp        0      0 127.0.0.1:53            0.0.0.0:*              LISTEN      2791/named     
tcp        0      0 127.0.0.1:953          0.0.0.0:*              LISTEN      2791/named     
tcp6      0      0 :::53                  :::*                    LISTEN      2791/named

The 192.168.3.1 ip is to the 3rd nic in this machine to connect my future mail/webserver to.

grep named /var/log/messages returns nothing

hosts
Code:

127.0.0.1        localhost.localdomain localhost
127.0.1.1        bamod-aish
192.168.7.1        Torah_disiple.local        bamod-aish

# The following lines are desirable for IPv6 capable hosts
::1    localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

I have commented out my isp's nameservers in resolv.conf

Still getting the same responses from nslookup

Thanks

chort 02-15-2009 02:02 PM

PHP Code:

$TTL 3D
@    IN     SOA    Torah_disciple.local

That should be bamod-aish.Torah_disciple.local. The SOA record points to the authoritative DNS server.

PHP Code:

        20090212; serial, todays date + todays serial #
        8H        ; refresh, seconds
        2H        ; retry, seconds
        4W        ; expire, seconds
        1D        ; minimum, seconds
;
1        IN        PTR        bamod-aish.Torah_disciple.local
2        IN        PTR        netgear.Torah_disciple.local

You need periods at the end of your PTR records. All names need to be fully qualified, including the final period. The reason you can use unqualified names on the left side is because it will automatically append the name of the zone. In the case of forward zones, that would append .Torah_disciple.local., in the case of reverse zones it will append .7.168.192.in-addr.arpa. .

I don't have time to look at the rest of it right now. I'll follow up in a bit.

chort 02-15-2009 02:03 PM

PS you still didn't do this:
PHP Code:

sudo grep named /var/log/messages 


chort 02-15-2009 03:26 PM

Come to think of it, I don't think BIND accepts "_" as a valid character in domain names. Try replacing every instance of Torah_disciple.local with Torah-disciple.local. Try that in addition to the other fixes I recommended. If it still doesn't work, please remember to attach the output of $ sudo grep named /var/log/messages. BIND is probably telling you exactly what the problem is, but you've been ignoring it.

rbees 02-15-2009 03:39 PM

Thanks

I am working on it.

Will post asap.

I did do the grep thing on messages but it returned nothing. I did find some output in syslog that I am working my way through.

thanks

rbees 02-15-2009 04:32 PM

Thanks

I have made the changes but now on bind9 restart I get "Starting domain name service..: bind9 failed". I grepped dmesg but got nothing.

Quote:

The 192.168.3.1 ip is to the 3rd nic in this machine to connect my future mail/webserver to.

grep named /var/log/messages returns nothing

hosts
After some looking around I found this in syslog

Code:

Feb 15 09:26:08 bamod-aish named[2855]: dns_rdata_fromtext: db.7.168.192:2: near eol: unexpected end of input
Feb 15 09:26:08 bamod-aish named[2855]: zone 7.168.192.in-addr.arpa/IN: loading from master file db.7.168.192 failed: unexpected end of input
Feb 15 09:26:08 bamod-aish named[2855]: zone 255.in-addr.arpa/IN: loaded serial 1
Feb 15 09:26:08 bamod-aish named[2855]: zone Torah_disciple.local/IN: loading from master file db.Torah_disciple.local failed: file not found
Feb 15 09:26:08 bamod-aish named[2855]: zone localhost/IN: loaded serial 2
Feb 15 09:26:08 bamod-aish named[2855]: running

The instructions I was following said to put the db. files in /var/cache/bind/. That didn't seem to be working for me so I put a copy in /etc/bind with the rest of the config files and it seemed to be working at one time. The files in /var/cache/bind were the unmodified versions so I replaced them with the current ones and these two errors are gone.

I do have a different error
Code:

Feb 15 09:26:08 bamod-aish named[2855]: zone localhost/IN: loaded serial 2
Feb 15 09:26:08 bamod-aish named[2855]: running
Feb 15 09:45:11 bamod-aish dhcpd: router: host unknown.
Feb 15 09:45:11 bamod-aish dhcpd: dhcp.c(3958): non-null pointer
Feb 15 09:45:11 bamod-aish dhcpd: DHCPREQUEST for 192.168.7.11 from 00:13:20:54:30:db via eth1
Feb 15 09:45:11 bamod-aish dhcpd: router.Torah_disiple.local: host unknown.
Feb 15 09:45:11 bamod-aish dhcpd: DHCPACK on 192.168.7.11 to 00:13:20:54:30:db via eth1

I went ahead and changed router.Torah_disciple.local to bamod-aish.Torah_disciple.local. It seems that something is calling for the name router but I can't find anything in the config file. OK found it. It was right at the start of the dhcpd.conf

syslog after the most recent restart of bind
Code:

Feb 15 10:42:53 bamod-aish named[3233]: starting BIND 9.5.0-P2 -u bind
Feb 15 10:42:53 bamod-aish named[3233]: found 1 CPU, using 1 worker thread
Feb 15 10:42:53 bamod-aish named[3233]: loading configuration from '/etc/bind/named.conf'
Feb 15 10:42:53 bamod-aish named[3233]: listening on IPv6 interfaces, port 53
Feb 15 10:42:53 bamod-aish named[3233]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 15 10:42:53 bamod-aish named[3233]: listening on IPv4 interface eth0, 192.168.1.101#53
Feb 15 10:42:53 bamod-aish named[3233]: listening on IPv4 interface eth1, 192.168.7.1#53
Feb 15 10:42:53 bamod-aish named[3233]: listening on IPv4 interface eth2, 192.168.3.1#53
Feb 15 10:42:53 bamod-aish named[3233]: default max-cache-size (33554432) applies
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: 254.169.IN-ADDR.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: D.F.IP6.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: 8.E.F.IP6.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: 9.E.F.IP6.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: A.E.F.IP6.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: B.E.F.IP6.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: default max-cache-size (33554432) applies: view _bind
Feb 15 10:42:53 bamod-aish named[3233]: command channel listening on 127.0.0.1#953
Feb 15 10:42:53 bamod-aish named[3233]: zone 0.in-addr.arpa/IN: loaded serial 1
Feb 15 10:42:53 bamod-aish named[3233]: zone 127.in-addr.arpa/IN: loaded serial 1
Feb 15 10:42:53 bamod-aish named[3233]: dns_rdata_fromtext: db.7.168.192:2: near eol: unexpected end of input
Feb 15 10:42:53 bamod-aish named[3233]: zone 7.168.192.in-addr.arpa/IN: loading from master file db.7.168.192 failed: unexpected end of input
Feb 15 10:42:53 bamod-aish named[3233]: zone 255.in-addr.arpa/IN: loaded serial 1
Feb 15 10:42:53 bamod-aish named[3233]: dns_rdata_fromtext: db.Torah-disciple.local:8: near '8H': not a valid number
Feb 15 10:42:53 bamod-aish named[3233]: zone Torah-disciple.local/IN: loading from master file db.Torah-disciple.local failed: not a valid number
Feb 15 10:42:53 bamod-aish named[3233]: zone localhost/IN: loaded serial 2
Feb 15 10:42:53 bamod-aish named[3233]: running

If 8H is not a valid number why doesn't it complain about the 2H in the next line?

I am at a loss, but still working at it.

Which folder should my db files be in? /etc/bind or /var/cache/bind? I do plan on chrooting bind after I get it working and I know that normally that is done in /var
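
The zone-file problems raised in this thread (names on the right-hand side without a final dot, "_" in names, and SOA records that do not carry all their fields) can be checked mechanically; the following is an added example, not code from any poster or from BIND. An SOA record takes seven fields (server, contact, serial, refresh, retry, expire, minimum), so a parenthesized SOA with the contact left out shifts 8H into the serial position, and an SOA without parentheses ends at the end of its own line. The function names, the sample zones and the hostmaster contact name are assumptions.

```python
# Added example: lint a BIND zone file for the mistakes discussed in this thread.
NAME_FIELDS = {"SOA": (0, 1), "NS": (0,), "PTR": (0,), "CNAME": (0,), "MX": (1,)}
KNOWN_TYPES = set(NAME_FIELDS) | {"A", "AAAA", "TXT"}
# Constructed sample shaped like the posted db.7.168.192 (shortened).
BROKEN_REVERSE = """\
$TTL 3D
@       IN      SOA     Torah_disciple.local.
        20090212        ; serial
        8H              ; refresh
        1D              ; minimum
1       IN      PTR     bamod-aish.Torah_disciple.local
2       IN      PTR     netgear
"""
# Constructed: an SOA in parentheses but with the contact name missing.
BROKEN_FORWARD_SOA = """\
@       IN      SOA     bamod-aish.Torah-disciple.local. (
        20090212 8H 2H 4W 1D )
"""
# Constructed corrected reverse zone; the hostmaster contact is an assumption.
FIXED_REVERSE = """\
$TTL 3D
@  IN SOA bamod-aish.Torah-disciple.local. hostmaster.Torah-disciple.local. (
        20090212 8H 2H 4W 1D )  ; serial refresh retry expire minimum
@  IN NS  bamod-aish.Torah-disciple.local.
1  IN PTR bamod-aish.Torah-disciple.local.
2  IN PTR netgear.Torah-disciple.local.
"""

def records(text):
    """Yield (line_no, owner, fields): comments stripped, ( ... ) groups joined."""
    tokens, start, has_owner, depth = [], 0, False, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0]
        if not line.strip():
            continue
        if depth == 0:  # a new record starts; without "(" it ends at end of line
            tokens, start, has_owner = [], no, not line[0].isspace()
        depth += line.count("(") - line.count(")")
        tokens += line.replace("(", " ").replace(")", " ").split()
        if depth == 0 and tokens:
            yield (start, tokens[0], tokens[1:]) if has_owner else (start, None, tokens)

def lint(text, origin):
    """Return a list of (line_no, message) findings for one zone file."""
    findings = []
    for no, owner, fields in records(text):
        if owner and owner.startswith("$"):
            continue  # $TTL, $ORIGIN
        rest = list(fields)  # skip optional TTL and class to reach the type
        while rest and (rest[0].upper() == "IN" or rest[0][0].isdigit()):
            rest.pop(0)
        if not rest or rest[0].upper() not in KNOWN_TYPES:
            findings.append((no, "not a record (SOA fields outside parentheses?)"))
            continue
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype == "SOA" and len(rdata) != 7:
            findings.append((no, f"SOA has {len(rdata)} of 7 fields"))
        if rtype == "SOA" and len(rdata) > 2 and not rdata[2].isdigit():
            findings.append((no, f"SOA serial position holds '{rdata[2]}', not a number"))
        for name in (rdata[i] for i in NAME_FIELDS.get(rtype, ()) if i < len(rdata)):
            if not name.endswith("."):
                findings.append((no, f"'{name}' has no final dot, read as {name}.{origin}"))
            if "_" in name:
                findings.append((no, f"'{name}' contains '_', not a valid hostname character"))
    return findings

if __name__ == "__main__":
    for no, msg in lint(BROKEN_REVERSE, "7.168.192.in-addr.arpa."):
        print(f"line {no}: {msg}")
```

On a host with BIND installed, named-checkzone gives the authoritative verdict on a zone file before named is restarted.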

