Can't get my head around dns configuration.

rbees · 02-11-2009, 04:47 PM

Ladies & Gents,

Thanks again for this great resource. I wish I had the knowledge to be more help to other people with their questions.

I am setting up my third generation linux firewall. This time around there is no gui installed. The base os is debian lenny. I have the system locked down as best I can and have started the install of the rest of the system. My snag is with the interaction between dhcp and bind.

What I am trying to do is to get local name resolution with a fqdn. I have a small testing network set up that I can connect to. In the dhcp config file I have several static ip's set for the various machines that will eventually be connected when I bring this firewall online.

When I do a nslookup on the firewall box for the firewall it comes back with the ip

. But when I try with the name of the other box I get nothing

. The instructions I have been using for this phase, page 3 ( http://www.debuntu.org/how-to-set-a-...es-debian-etch ) say that I should have full local name res now. I have tried to follow exactly only using my ip's and domain name and I have not gone on to page 4.

I did read in one thread that the key had to be in the file on all the machines or the authentication would fail when it tried to update the data base. I don't seam to be getting the data base updated. It occurs to me that this may be because I have set the ip's assigned by dhcp to be static. If this is the case do I need to build the data base by hand?

The last time I tried to setup dns I failed miserably and gave up, I just couldn't get my head around it

.

I wonder also if part of my problem is that the instructions are for etch and I am running lenny. I think some of my problem is that the local machine is not setup to access the setup on the firewall correctly. I know that changing things in resolve.conf get over writen on reboot, I learned that much the last time I tried this.

Thanks for what help you can give.

rbees · 02-12-2009, 04:30 PM

I am sorry that I tend to ramble.

Some more info; from the firewall nslookup www.google.com resolves, but nslookup Torah.disiple.local does not with

Code:

** server can't find Torah.disiple.local: NXDOMAIN

These don't work from the other machine on this small network and it spits back [CODE};; connection timed out; noserver could be reached[/CODE]

I am not able to ping outside this testing network because I have not gotten that far yet, but I am able to ping the firewall from the other box.

From the system installs I have done I remember that the domain name has to be recorded in the system somewhere but I am not sure I am using the correct file. I did add a line in /etc/hosts

Code:

192.168.7.11 Torah.disiple.local distraction

I connected my laptop up to the testing network and it was assigned one of the dynamic ip's like it should have been but the dns data base files were not updated with it's info. All other commands work like they do from the desktop.

Another thing I have noticed that is not nessessarally related to this is that my linux boxes don't report their machine name to my production firewall/dhcp server. How do I change that?

Thanks for the help.

rbees · 02-12-2009, 05:01 PM

OK this is strange. I have rebooted both machines on the testing network and I ran "nslookup distraction" from the firewall and it returned two ip's that are not the ip of the desktop. I still get nothing from the desktop. So I ran nslookup again with the firewall name and it came back with the same two ip's that it gave for the desktop.

One of the ip's comes back as belonging to Verizon Business. The other one comes back to an Internet search provider. I used a local name I and I thought that it should resolve a local ip.

So I did ifdown eth0 and disable the connection to the plastic box router that gives my testing network access to my local network and now nslookup returns the same on the firewall as it does on the desktop. So it seams that I am not getting any local name res. I would post my config files but the server has no gui and getting the files off it and to another box with access to the internet is a hassel, but I will do so if it will help.

Thanks

routers · 02-12-2009, 10:11 PM

i know how to setup dns server primary and secondary. but from the info you given i am a bit blur, first what i see is youre building internal dns server (invalid for external)

btw i will try to help, go to your DNS SERVER TERMINAL do

nslookup 192.168.7.11 localhost
--what output you get--

nslookup Torah.disiple.local localhost
--what output you get --

cat /etc/resolv.conf
--what output you get --

let us see maybe someone could help

chort · 02-13-2009, 01:13 AM

It's impossible to help with this problem if you don't post the contents of named.conf and your zone files.

rbees · 02-14-2009, 08:14 PM

Thanks for responding.

routers

Code:

#nslookup 192.168.7.11 localhost
;;Got SERVFAIL reply form 127.0.0.1, trying next server
;;Got SERVFAIL reply form 127.0.0.1, trying next server
Server:		localhost
Address:	::1#53

**server can't find 11.7.168.192.in-addr.arpa: SERVFAIL

Mind you I had some spelling inconsistencies in my files and I may still have so the naming has changed a little.

Code:

# nslookup Torah_disciple.local localhost
;; Got SERVFAIL reply from 127.0.0.1q trying next server
Server:		localhost
Address:	::#:53

** server can'd find Torah_disciple.local: NXDOMAIN

Also I am entering this by hand so there may be errors hear too.

resolv.conf

Code:

domain Torah_disciple.local
search Torah_disciple.local
nameserver 192.168.7.1
nameserver 24.247.15.53
nameserver 24.247.24.53

These are transfered by floppy.
named.local.conf

Code:

# allow dns updates from localhost with key "rndc-key"
include "/etc/bind/rndc.key";
controls {
	inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

# defines Torah_disciple.local
zone "Torah_disciple.local" {
	type master;
		file "db.Torah_disciple.local";
		allow-update { key "rndc-key"; };
};

# defines our local subnet 192.168.7.0/24
zone "7.168.192.in-addr.arpa" {
	type master;
	notify no;
	file "db.7.168.192";
	allow-update { key "rndc-key"; };
};
# end added section

dhcpd.conf

Code:

server-identifier router;
authoritative;
ddns-update-style interim;
include "/etc/bind/rndc.key";

zone Torah_disiple.local. {
	primary 127.0.0.1;
	key "rndc-key";
}

option domain-name "Torah_disiple.local";
option domain-name-servers ns.Torah_disiple.local, 24.247.15.53, 24.247.24.53;
default-lease-time 21600;
max-lease-time 43200;
log-facility local7;

subnet 192.168.7.0 netmask 255.255.255.0 {
	range 192.168.7.20 192.168.7.23;
	option routers router.Torah_disiple.local;
#	option ip-forwarding off;
	zone 7.168.192.in-addr.arpa. {
		primary ns.Torah_disiple.local;
		key "rndc-key";
	}
	zone	Torah_disiple.local. {
		primary ns.Torah_disiple.local;
		key "rndc-key";
	}
}

# static addresses
	host Netgear-wireless {
	hardware ethernet 00:18:4d:22:c8:63;
	fixed-address 192.168.7.2;
	}
more static addresses

db.Torah_disciple.local

Code:

;
; Zone file for Torah_disciple.local
;
; The full zone file
;
$TTL 3D
@	IN	SOA	ns.Torah_disciple.local. (
	20090212; serial, todays date + todays serial #
	8H	; refresh, seconds
	2H	; retry, seconds
	4W	; expire, seconds
	1D )	; minimum, seconds
;
@	IN	NS	ns.Torah_disciple.local.
@	IN	A	192.168.7.1	; IP address
;
bamod-aish	IN	A	192.168.7.1
netgear		IN	A	192.168.7.2
rest of database

db.7.168.192

Code:

$TTL 3D
@	IN 	SOA	Torah_disciple.local.
	20090212; serial, todays date + todays serial #
	8H	; refresh, seconds
	2H	; retry, seconds
	4W	; expire, seconds
	1D	; minimum, seconds
;
@	IN	NS	ns.
1	IN	PTR	Torah_disciple.local.
;
1	IN	PTR	bamod-aish
2	IN	PTR	netgear
rest of database

To clarify my objective. I want this to be a local nameserver that is also a caching nameserver. Eventually I want to bring a webserver and a mailserver online with this dns/firewall hosting my dynamic-dns as primary. But to start with I need the local part to work so that as I learn more I can add things in.

Thanks for any help you can give me.

chort · 02-14-2009, 09:25 PM

Quote:

option domain-name-servers ns.Torah_disiple.local, 24.247.15.53, 24.247.24.53;

DNS servers have to be specified by IP, not by hostname. How are you supposed to lookup the name of a DNS server to know what IP to do DNS lookups at if you don't have a DNS server IP yet?

Quote:

@ IN NS ns.Torah_disciple.local.
@ IN A 192.168.7.1 ; IP address
;
bamod-aish IN A 192.168.7.1
netgear IN A 192.168.7.2
rest of database

Where's the A record for ns.Torah_disciple.local.? How do we know what IP it is?

Quote:

@ IN NS ns.

Huh? That's not going to work at all. It needs to be a fully-qualified domain name. I'm assuming it should be ns.Torah_disciple.local.

Quote:

1 IN PTR Torah_disciple.local.
;
1 IN PTR bamod-aish
2 IN PTR netgear
rest of database

You have two PTRs defined for 192.168.7.1, you can't do that. Also, bamod-aish and netgear must be fully-qualified. Right now 2.7.168.192.in-addr.arpa. points to netgear.7.168.192.in-addr.apra. That's nonsense.

There are probably some other problems that haven't jumped out at me yet.

Please post the full zone file for Torah_disciple.local and 7.168.192.in-addr.arpa. Also, restart named (after making the changes I pointed out) and do this:
$ sudo grep named /var/log/messages

Post the output.

chort · 02-14-2009, 09:27 PM

PS Also put your full named.conf. If you have an rndc-key in there, you can blank it out.

routers · 02-14-2009, 09:37 PM

DNS Server /etc/resolv.conf , this for testing nameserver

Code:

domain Torah_disciple.local
search Torah_disciple.local
nameserver 127.0.0.1
#nameserver 24.247.15.53
#nameserver 24.247.24.53

also can i have output of
# cat /etc/hosts |grep local

# netstat -tanp |grep 53

rbees · 02-15-2009, 09:39 AM

Thanks

Reposting the modified files.

named.conf.local

Code:

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
# Should I enable this line?
//include "/etc/bind/zones.rfc1918";

# ****** the following added per instructions ******

# allow dns updates from localhost with key "rndc-key"
include "/etc/bind/rndc.key";
controls {
	inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

# defines Torah_disciple.local
zone "Torah_disciple.local" {
	type master;
		file "db.Torah_disciple.local";
		allow-update { key "rndc-key"; };
};

# defines our local subnet 192.168.7.0/24
zone "7.168.192.in-addr.arpa" {
	type master;
	notify no;
	file "db.7.168.192";
	allow-update { key "rndc-key"; };
};
# end added section

I have not changed this file since it was installed.

named.conf

Code:

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";

// prime the server with knowledge of the root servers
zone "." {
	type hint;
	file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";

I have a question about the line
"option routers router.Torah_disiple.local;" Should this be changed too because the name router does not exist in my setup or is this a generic name?

Also I have read somewhere that I need to generate a rndc key and place it (or a link to it) in these files in place of "rndc-key" on the dns/router and on the machines that will be dynamically updating the data base. That seamed like more work than to just assign static ip's to all the machines that are regularly connected to my network, so I opted to use the static method. Should I comment out (remove) those lines?

dhcpd.conf

Code:

server-identifier router;
authoritative;
ddns-update-style interim;
include "/etc/bind/rndc.key";

zone Torah_disiple.local. {
	primary 127.0.0.1;
	key "rndc-key";
}

option domain-name "Torah_disiple.local";
option domain-name-servers 192.168.7.1, 24.247.15.53, 24.247.24.53;
default-lease-time 21600;
max-lease-time 43200;
log-facility local7;

subnet 192.168.7.0 netmask 255.255.255.0 {
	range 192.168.7.20 192.168.7.23;
	option routers router.Torah_disiple.local;
#	option ip-forwarding off;
	zone 7.168.192.in-addr.arpa. {
		primary bamod-aish.Torah_disiple.local;
		key "rndc-key";
	}
	zone	Torah_disiple.local. {
		primary bamod-aish.Torah_disiple.local;
		key "rndc-key";
	}
}

# static addresses
	host Netgear-wireless { # Do these names have to match the names in the other files,
# and do they have to match the actual name of the machine?
	hardware ethernet 00:18:4d:22:c8:63;
	fixed-address 192.168.7.2;
	}
rest of assigned static ip's just like the assignment above except for my comment line question.

db.Torah_disciple.local

Code:

;
; Zone file for Torah_disciple.local
;
; The full zone file
;
$TTL 3D
@	IN	SOA	bamod-aish.Torah_disciple.local. (
	20090212; serial, todays date + todays serial #
	8H	; refresh, seconds
	2H	; retry, seconds
	4W	; expire, seconds
	1D )	; minimum, seconds
;
bamod-aish	IN	A	192.168.7.1
netgear		IN	A	192.168.7.2
rest of database just like the lines above

db.7.168.192

Code:

$TTL 3D
@	IN 	SOA	Torah_disciple.local.
	20090212; serial, todays date + todays serial #
	8H	; refresh, seconds
	2H	; retry, seconds
	4W	; expire, seconds
	1D	; minimum, seconds
;
1	IN	PTR	bamod-aish.Torah_disciple.local
2	IN	PTR	netgear.Torah_disciple.local
rest of database just like the lines above

netstat.ls

Code:

tcp        0      0 192.168.3.1:53          0.0.0.0:*               LISTEN      2791/named      
tcp        0      0 192.168.7.1:53          0.0.0.0:*               LISTEN      2791/named      
tcp        0      0 192.168.1.101:53        0.0.0.0:*               LISTEN      2791/named      
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2791/named      
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      2791/named      
tcp6       0      0 :::53                   :::*                    LISTEN      2791/named

The 192.168.3.1 ip is to the 3rd nic in this machine to connect my future mail/webserver to.

grep named /var/log/messages returns nothing

hosts

Code:

127.0.0.1	localhost.localdomain localhost
127.0.1.1	bamod-aish
192.168.7.1	Torah_disiple.local	bamod-aish

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

I have commented out my isp's nameservers in resolv.conf

Still getting the same responses from nslookup

Thanks

chort · 02-15-2009, 02:02 PM

PHP Code:



$TTL 3D
@    IN     SOA    Torah_disciple.local.

That should be bamod-aish.Torah_disciple.local. The SOA record points to the authoritative DNS server.

PHP Code:



    20090212; serial, todays date + todays serial #
    8H    ; refresh, seconds
    2H    ; retry, seconds
    4W    ; expire, seconds
    1D    ; minimum, seconds
;
1    IN    PTR    bamod-aish.Torah_disciple.local
2    IN    PTR    netgear.Torah_disciple.local

You need periods at the end of your PTR records. All names need to be fully qualified, including the final period. The reason you can use unqualified names on the left side is because it will automatically append the name of the zone. In the case of forward zones, that would append .Torah_disciple.local., in the case of reverse zones it will append .7.168.192.in-addr.arpa. .

I don't have time to look at the rest of it right now. I'll follow up in a bit.

chort · 02-15-2009, 02:03 PM

PS you still didn't do this:

PHP Code:



$ sudo grep named /var/log/messages

chort · 02-15-2009, 03:26 PM

Come to think of it, I don't think BIND accepts "_" as a valid character in domain names. Try replacing every instance of Torah_disciple.local with Torah-disciple.local. Try that in addition to the other fixes I recommended. If it still doesn't work, please remember to attach the output of $ sudo grep named /var/log/messages. BIND is probably telling you exactly what the problem is, but you've been ignoring it.

rbees · 02-15-2009, 03:39 PM

Thanks

I am working on it.

Will post asap.

I did do the grep thing on messages but it returned nothing. I did find some output in syslog that I am working my way through.

thanks

rbees · 02-15-2009, 04:32 PM

Thanks

I have made the changes but now on bind9 restart I get "Starting domain name service..: bind9 failed. I greped dmesg but got nothing.

Quote:

The 192.168.3.1 ip is to the 3rd nic in this machine to connect my future mail/webserver to.

grep named /var/log/messages returns nothing

hosts

After some looking around I found this in syslog

Code:

Feb 15 09:26:08 bamod-aish named[2855]: dns_rdata_fromtext: db.7.168.192:2: near eol: unexpected end of input
Feb 15 09:26:08 bamod-aish named[2855]: zone 7.168.192.in-addr.arpa/IN: loading from master file db.7.168.192 failed: unexpected end of input
Feb 15 09:26:08 bamod-aish named[2855]: zone 255.in-addr.arpa/IN: loaded serial 1
Feb 15 09:26:08 bamod-aish named[2855]: zone Torah_disciple.local/IN: loading from master file db.Torah_disciple.local failed: file not found
Feb 15 09:26:08 bamod-aish named[2855]: zone localhost/IN: loaded serial 2
Feb 15 09:26:08 bamod-aish named[2855]: running

The instructions I was following said to put the db. files in /var/cache/bind/. That didn't seam to be working for me so I put a copy in /etc/bind with the rest of the config files and it seamed to be working at one time. The files in /var/cache/bind were the unmodified versions so I replaced them with the current ones and these two errors are gone.

I do have a different error

Code:

Feb 15 09:26:08 bamod-aish named[2855]: zone localhost/IN: loaded serial 2
Feb 15 09:26:08 bamod-aish named[2855]: running
Feb 15 09:45:11 bamod-aish dhcpd: router: host unknown.
Feb 15 09:45:11 bamod-aish dhcpd: dhcp.c(3958): non-null pointer
Feb 15 09:45:11 bamod-aish dhcpd: DHCPREQUEST for 192.168.7.11 from 00:13:20:54:30:db via eth1
Feb 15 09:45:11 bamod-aish dhcpd: router.Torah_disiple.local: host unknown.
Feb 15 09:45:11 bamod-aish dhcpd: DHCPACK on 192.168.7.11 to 00:13:20:54:30:db via eth1

I went ahead and changed router.Torah_disciple.local to bamod-aish.Torah_disciple.local. It seams that something is calling for the name router but I can't find anything in the config file. OK found it. It was right at the start of the dhcpd.conf

syslog after the most recient restart of bind

Code:

Feb 15 10:42:53 bamod-aish named[3233]: starting BIND 9.5.0-P2 -u bind
Feb 15 10:42:53 bamod-aish named[3233]: found 1 CPU, using 1 worker thread
Feb 15 10:42:53 bamod-aish named[3233]: loading configuration from '/etc/bind/named.conf'
Feb 15 10:42:53 bamod-aish named[3233]: listening on IPv6 interfaces, port 53
Feb 15 10:42:53 bamod-aish named[3233]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 15 10:42:53 bamod-aish named[3233]: listening on IPv4 interface eth0, 192.168.1.101#53
Feb 15 10:42:53 bamod-aish named[3233]: listening on IPv4 interface eth1, 192.168.7.1#53
Feb 15 10:42:53 bamod-aish named[3233]: listening on IPv4 interface eth2, 192.168.3.1#53
Feb 15 10:42:53 bamod-aish named[3233]: default max-cache-size (33554432) applies
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: 254.169.IN-ADDR.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: D.F.IP6.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: 8.E.F.IP6.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: 9.E.F.IP6.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: A.E.F.IP6.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: automatic empty zone: B.E.F.IP6.ARPA
Feb 15 10:42:53 bamod-aish named[3233]: default max-cache-size (33554432) applies: view _bind
Feb 15 10:42:53 bamod-aish named[3233]: command channel listening on 127.0.0.1#953
Feb 15 10:42:53 bamod-aish named[3233]: zone 0.in-addr.arpa/IN: loaded serial 1
Feb 15 10:42:53 bamod-aish named[3233]: zone 127.in-addr.arpa/IN: loaded serial 1
Feb 15 10:42:53 bamod-aish named[3233]: dns_rdata_fromtext: db.7.168.192:2: near eol: unexpected end of input
Feb 15 10:42:53 bamod-aish named[3233]: zone 7.168.192.in-addr.arpa/IN: loading from master file db.7.168.192 failed: unexpected end of input
Feb 15 10:42:53 bamod-aish named[3233]: zone 255.in-addr.arpa/IN: loaded serial 1
Feb 15 10:42:53 bamod-aish named[3233]: dns_rdata_fromtext: db.Torah-disciple.local:8: near '8H': not a valid number
Feb 15 10:42:53 bamod-aish named[3233]: zone Torah-disciple.local/IN: loading from master file db.Torah-disciple.local failed: not a valid number
Feb 15 10:42:53 bamod-aish named[3233]: zone localhost/IN: loaded serial 2
Feb 15 10:42:53 bamod-aish named[3233]: running

If 8H is not a valid number why doesn't it complain about the 2H in the next line?

I am at a loss, but still working at it.

Which folder should my db files be in? /etc/bind or /var/cache/bind I do plan on chrooting bind after i get it working and I know that normally that is done in /var