Old 07-26-2014, 05:07 PM   #1
ddench
DNS 9.9 on CENTOS 7 Multiple domain/MX set up


Hi, I was wondering if people more experienced than I would be able to check over the DNS config I have put together. It's just me here and I don't have anyone to confirm the work with. I have been reading the zytrax material on DNS config.

The set-up consists of a fixed IP on a fresh CentOS 7 install running BIND 9.9. There are two domains, example1.co and example2.co. example1.co points to a web app; it is the hostname of the server. example2.co points to a variety of web services (Drupal, Moodle, ownCloud) and roundcubemail (which isn't working at the moment due to a dependency issue).

My current set-up comes from a hosted CentOS 6.5 where the domain name is example2.co.

I have set up the DNS as follows. My hosting contract runs out this week, and before it does I wanted to check that I was along the right track as I feel I have missed something in the zone file.

The server should direct requests for example1.co and example2.co to the static IP, and httpd should then manage the redirects (i.e. example1.co = /usr/share/shop, example2.co = /var/www/html/site). The mail should run on mail.example2.co.

Resolv.conf


Code:
# Generated by NetworkManager
nameserver ROUTER_IP
nameserver 8.8.8.8

hosts -

Code:
IP.ADDR.IN.HERE www.example1.co example1.co  
IP.ADDR.IN.HERE example2.co www.example2.co mail.example2.co
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

named.conf


Code:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
	listen-on port 53 { 127.0.0.1; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query     { localhost; };

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


zone "example1.co" {
        type master;
        file "/var/named/example1.co.hosts";
        };
zone "rev.ip.addr.in-addr.arpa" {
        type master;
        file "/var/named/an.rev.ip.addr.rev";
        };

example1.co.hosts


Code:
$ttl 259200						;3 days
$ORIGIN example1.co.
@		IN	SOA	example1.co.	myemail.address.co. (
                        1362617207			;serial number
                        10800				;refresh
                        3600				;update retry
                        604800				;expiry
                        38400				;minimum
                        )
		IN	NS		example1.co.
		IN	NS		8.8.8.8
                IN      NS              router.ip.here
example1.co.	IN	A		IP
example2.co.	IN	CNAME		IP
		IN	MX	1	mail.example2.co.
example2.co.	IN	CNAME		mail
mail		IN	A		IP

Something doesn't feel right about the NS and CNAME records, but I can't see what.

Any help is greatly appreciated!
 
Old 07-29-2014, 01:04 AM   #2
bathory
Hi,

You need to add the definition of zone example2.co in named.conf and then of course create the respective zone file.
Quote:
<snip>
IN NS example1.co.
IN NS 8.8.8.8
IN NS router.ip.here
example1.co. IN A IP
example2.co. IN CNAME IP
IN MX 1 mail.example2.co.
example2.co. IN CNAME mail
mail IN A IP
The above is terribly wrong:
You cannot use Google DNS (8.8.8.8) as an authoritative DNS for your domain.
Also, you cannot use an IP in an NS record.
The same goes for CNAME: you cannot use an IP in a CNAME record.
And you cannot mix example1.co and example2.co in the example1.co zone file. Remove any example2.co records and add them to the example2.co zone file.

Regards
 
Old 08-07-2014, 03:31 AM   #3
ddench
Thanks for help, still getting errors though

Hi Bathory,

Thanks for your advice. I spotted the 8.8.8.8 NS error after posting, and you definitely helped with the separation of zone files, thanks. What I have now is as follows:

/etc/named.conf ends:

Code:
zone "example1.co" {
        type master;
        file "/var/named/example1.co.hosts";
        };
zone "rev.ip.addr.in-addr.arpa" {
        type master;
        file "/var/named/rev.ip.addr.here.rev";
        };
zone "example2.co" {
        type master;
        file "/var/named/example2.co.hosts";
        };

/var/named/example1.co.hosts:

Code:
$ttl 259200                                             ;3 days
$ORIGIN example1.co.
@               IN      SOA     example1.co.    name.example2.co. (
                        1362671000                      ;serial number
                        10800                           ;refresh
                        3600                            ;update retry
                        604800                          ;expiry
                        38400                           ;minimum
                        )
                IN      NS              example1.co.
example1.co.    IN      A               static.ip.addr.here

/var/named/example2.co.hosts:

Code:
$ttl    259200                                          ;3 days
$ORIGIN example2.co.
@               IN      SOA     example2.co.     name.example2.co. (
                        1362671000                      ;serial number
                        10800                           ;refresh
                        3600                            ;update retry
                        604800                          ;expiry
                        38400                           ;minimum
                        )
                IN      NS              example1.co.
example2.co.     IN      A               static.ip.addr.here
                IN      MX      10      mail
mail            IN      A               static.ip.addr.here

/var/named/rev.ip.addr.here.rev:

Code:
$ttl 38400
rev.ip.addr.in-addr.arpa.       IN      SOA     example1.co. name.example2.co. (
                        1362671000
                        10800
                        3600
                        604800
                        38400 )
rev.ip.addr.in-addr.arpa.       IN      NS      example1.co.

ip                              IN      PTR     example1.co.

named is complaining about A records:

Code:
systemctl status named

Aug 02 12:30:47 example1.co named[3266]: error (network unreachable) resolving 'dlv.ord.sns-pb.isc.org/AAAA/IN': 2001:500:71::30#53
Aug 02 12:30:47 example1.co named[3266]: error (network unreachable) resolving 'dlv.sfba.sns-pb.isc.org/A/IN': 2001:500:2c::254#53
Aug 02 12:30:47 example1.co named[3266]: error (network unreachable) resolving 'dlv.sfba.sns-pb.isc.org/AAAA/IN': 2001:500:2c::254#53
Aug 02 12:30:47 example1.co named[3266]: error (network unreachable) resolving 'dlv.ord.sns-pb.isc.org/AAAA/IN': 2001:4f8:0:2::19#53
Aug 02 12:30:47 example1.co named[3266]: error (network unreachable) resolving 'dlv.sfba.sns-pb.isc.org/A/IN': 2001:500:71::30#53
Aug 02 12:30:47 example1.co named[3266]: error (network unreachable) resolving 'dlv.sfba.sns-pb.isc.org/AAAA/IN': 2001:500:71::30#53
Aug 02 12:30:47 example1.co named[3266]: error (network unreachable) resolving 'dlv.sfba.sns-pb.isc.org/A/IN': 2001:4f8:0:2::19#53
Aug 02 12:30:47 example1.co named[3266]: error (network unreachable) resolving 'dlv.sfba.sns-pb.isc.org/AAAA/IN': 2001:4f8:0:2::19#53
Aug 02 13:30:44 example1.co named[3266]: error (network unreachable) resolving './DNSKEY/IN': 2001:500:2d::d#53
Aug 02 13:30:44 example1.co named[3266]: error (network unreachable) resolving './NS/IN': 2001:500:2d::d#53

I'm fairly sure that most of the syntax is correct now, except for the example2 zone file. For example, should the final line read:

mail IN A example2.co.

When I restart named I do not get any errors, but if I run the status 10 min later I get the above issues. The domains were being hosted on another server, and if I dig the domains I get the old server's IP address in response:

Code:
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> example2.co
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 412
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;example2.co.			IN	A

;; ANSWER SECTION:
example2.co.		600	IN	A	old.ip.addr.here

;; Query time: 38 msec
;; SERVER: router.ip.addr.here#53(router.ip.addr.here)
;; WHEN: Thu Aug 07 09:20:56 BST 2014
;; MSG SIZE  rcvd: 55

If I dig the current IP I get the following:

Code:
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> cur.ip.addr.here
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52263
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;cur.ip.addr.here.			IN	A

;; AUTHORITY SECTION:
.			600	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2014080601 1800 900 604800 86400

;; Query time: 40 msec
;; SERVER: router.ip.addr.here#53(router.ip.addr.here)
;; WHEN: Thu Aug 07 09:22:58 BST 2014
;; MSG SIZE  rcvd: 118

Thanks for any help you're able to give.
 
Old 08-07-2014, 08:30 AM   #4
bathory
Quote:
named is complaining about A records:
<snip>
This is normal. Not all authoritative nameservers are reachable all the time.


Quote:
I'm fairly sure that most of the syntact is correct now, except for the example2 zone file. For example should the final line read:

mail IN A example2.co.
No, an A record should always point to an IP address.


Quote:
The domains were being hosted on another server, and if I dig the domains I get the old servers IP address in response:
Either the domain data is not propagated yet, or, most likely, you should use your domain registrar's tools to change the authoritative DNS to your server.


Quote:
If I dig the current IP I get the following
As above. You should inform your ISP to make sure it delegates you the IP/subnet you own, so you can use your dns to resolve the PTR records.
 
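As an added illustration of the rules bathory gives in this reply and the earlier one (NS and CNAME targets must be hostnames, not IPs; an A record must point to an IP address; records for another domain belong in that domain's zone file), here is a small zone-file linter. It is not code from the thread; the sample zone is constructed from the first post's zone file with the IP placeholder replaced by a documentation address, and the lint rules are only those the thread states.

```python
import ipaddress

# Constructed sample modelled on the first post's example1.co.hosts, with the
# "IP" placeholder replaced by an RFC 5737 documentation address.
BAD_ZONE = """\
$ORIGIN example1.co.
@             IN  SOA   example1.co. hostmaster.example1.co. ( 1 10800 3600 604800 38400 )
              IN  NS    example1.co.
              IN  NS    8.8.8.8
example1.co.  IN  A     192.0.2.10
example2.co.  IN  CNAME 192.0.2.10
              IN  MX    1 mail.example2.co.
mail          IN  A     192.0.2.10
"""

def ip_version(token):
    """Return 4 or 6 if token is an IP address (trailing dot tolerated), else 0."""
    try:
        return ipaddress.ip_address(token.rstrip(".")).version
    except ValueError:
        return 0

def in_zone(owner, origin):
    # Relative names sit under the origin; absolute names must be the origin or below it.
    return not owner.endswith(".") or owner == origin or owner.endswith("." + origin)

def lint_zone(text):
    """Apply the thread's rules to a zone file; return one message per violation."""
    origin, owner, problems = None, "@", []
    for raw in text.splitlines():
        tokens = raw.split(";")[0].split()          # strip comments, tokenise
        if tokens and tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if "IN" not in tokens:                      # blank, $TTL or SOA continuation line
            continue
        cls = tokens.index("IN")
        if cls == 1:                                # explicit owner; otherwise inherit the last one
            owner = tokens[0]
        rtype, rdata = tokens[cls + 1], tokens[cls + 2:]
        rec = f"{owner} {rtype} {' '.join(rdata)}"
        if origin and not in_zone(owner, origin):
            problems.append(f"{rec}: owner is outside {origin}; put it in its own zone file")
        if rtype in ("NS", "CNAME") and ip_version(rdata[0]):
            problems.append(f"{rec}: {rtype} target must be a hostname, not an IP address")
        if rtype == "A" and ip_version(rdata[0]) != 4:
            problems.append(f"{rec}: A record must point to an IPv4 address")
    return problems
```

Calling lint_zone(BAD_ZONE) reports the 8.8.8.8 NS record, the CNAME pointing at an IP, and the two example2.co records that live in the wrong zone; the separated zone files from the third post pass clean.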
Old 08-07-2014, 08:44 AM   #5
ddench
Thank you

Bathory,

You have been very helpful. The domains are hosted with two different registrars, one of whom allows for DNS management. I tried that shortly after posting; the older company doesn't, though (not without a fee anyway). I can now access the site via at least one domain.

Thank you again - I am investigating DNS troubleshooting tools and will probably invest in an O'Reilly book soon, as this is likely to be a core part of my future work.

Cheers again.
 
  

