Setting up DNS Servers properly?

Swakoo · 01-03-2007, 01:11 AM

Hi guys,

I have 2 DNS Servers... one a 'primary' and the other a 'secondary'

I quoted '' because i configured both identically. Exactly the same.
that is... i have the individual zone files in /var/named/zone and I've configured named.conf to point to those zone files. Manually.

I've specified these 2 servers as my DNS servers under my domain registrar, one being 'primary' the other being 'secondary'

Is that all? Will that be sufficient? Will the 'secondary' kick in if the 'primary' fail... or should I configure it explicitly as 'primary' and 'secondary'? if so, how?

also, what does it mean to have a lame nameserver? and that it does not answer authoritatively for my domain. What does it mean? I did a dns whois search on my domain and got that... it says its bad... sounds bad.

many thanks, and Happy New Year folks!

Swakoo · 01-03-2007, 01:24 AM

Some questions after getting response from DNSStuff:

1) Open DNS Server: What is it about.. and is it bad?

Quote:

ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

do you guys leave it alone?

2) also i am trying to get my domain to work with Google Apps. When my domain has no 'A' record for the domain itself... it won't work. (can't resolve domain name server).

Is that a stupid mistake on my part?

thanks people!

chort · 01-03-2007, 01:42 AM

Having both the servers configured identically is wrong. If you ever have to make a change, you have to make the exact same change in two places. If you screw something up on one server, you need to increment the serial number and reload the zone, which then means the serial numbers are out of sync between the two servers, so you have to go increment the serial on the other one. It's just a mess.

Configure your "secondary" server to be a slave to the primary. That way you don't make any changes on the secondary; it gets notified by the primary when something changes and it loads the new data from the primary.

As for lame servers, that means your DNS servers are not claiming to be authoritative for your domain. That's bad. You need to make sure that you SOA record points to your primary DNS server and that you have NS records for each your primary and secondary DNS servers.

As for being "open", that means your servers do recursive queries for any records in respond to queries from anyone. That's bad. You need to turn off recursion.

How to do these various steps depends on what nameserver software you're using.

Swakoo · 01-03-2007, 02:05 AM

Quote:

Originally Posted by chort

Having both the servers configured identically is wrong. If you ever have to make a change, you have to make the exact same change in two places. If you screw something up on one server, you need to increment the serial number and reload the zone, which then means the serial numbers are out of sync between the two servers, so you have to go increment the serial on the other one. It's just a mess.

Configure your "secondary" server to be a slave to the primary. That way you don't make any changes on the secondary; it gets notified by the primary when something changes and it loads the new data from the primary.

As for lame servers, that means your DNS servers are not claiming to be authoritative for your domain. That's bad. You need to make sure that you SOA record points to your primary DNS server and that you have NS records for each your primary and secondary DNS servers.

As for being "open", that means your servers do recursive queries for any records in respond to queries from anyone. That's bad. You need to turn off recursion.

How to do these various steps depends on what nameserver software you're using.

1) Primary/Secondary
Currently I am indeed doing it the manual way, increasing the serial number manually and such. My "primary" (the main dns server) is running on PLESK. The 2nd one I just update manually and copy the serial number to be the same with the 1st one. Yup its a hassle, but its a "controlled mess".

Any recommended links/articles I can look at to set this right?

2) Lame Server
If I get records in my DNS server log that I have lame server request or some sort.. does it matter?

What's SOA and... how do I set this right?

3) recursion
I have set recursion to off already after reading it up. I did it by issuing the command "recursion on" in named.conf, according to dnsstuff.com text. Correct?

So does it mean my DNS server will only response to queries for domain names that are listed within the server?

I am using bind in Redhat.

Lastly... for a pri/sec setup of DNS server, does it mean all dns request will go to the primary ONLY? And the secondary will only be checked IF and only IF, the primary is down. Am I right?

Thanks dude!

chort · 01-03-2007, 02:38 AM

Quote:

Originally Posted by Swakoo

1) Primary/Secondary
Currently I am indeed doing it the manual way, increasing the serial number manually and such. My "primary" (the main dns server) is running on PLESK. The 2nd one I just update manually and copy the serial number to be the same with the 1st one. Yup its a hassle, but its a "controlled mess".

Any recommended links/articles I can look at to set this right?

Sigh. That's an administrative "front-end" and I have no idea what options it exposes to you. You can edit the named.conf file manually and change the "master" statements to "slave" on the secondary.

Quote:

2) Lame Server
If I get records in my DNS server log that I have lame server request or some sort.. does it matter?

What's SOA and... how do I set this right?

It's a type of DNS Resource Record. Typically the top few lines of your zone file look like this:

Code:

$ORIGIN .
$TTL 3600       ; 1 hour
smtps.net       IN SOA  ns1.smtps.net. hostmaster.smtps.net. (
                                2006113002 ; serial
                                28800      ; refresh (8 hours)
                                300        ; retry
                                2419200    ; expire
                                3600       ; minimum (1 hour)
                                )
                        NS      ns1.smtps.net.
                        NS      ns2.smtps.net.
                        MX      15 am-heh.smtps.net.
                        MX      25 am-heh.smtps.net.
                        TXT     "v=spf1 mx -all"
$ORIGIN smtps.net.
                        A       64.81.243.18

See the first bolded line? That tells everyone what your Start Of Authority is, i.e. your first Authoritative nameserver is. The NS records list all of the Authoritative nameservers for your domain (in my case, just two). After I set ORIGIN to my domain, the next record is blank, which means it's exactly the value of ORIGIN (my base domain), so it creates an A record for smtps.net. I don't actually have an A record for my base domain name, but I created this example.

As long as dnsstuff.com isn't saying you have a lame server, you're OK. The messages in your log are telling you about other servers who are incorrectly configured (assuming yours passes the test). If you are getting queries to your DNS servers about other domains, where are they coming from? Do any of your applications use your DNS server to do resolution? If so, you can't completely disable recursion, you need to use an allow-recursion statement and list your IPs that should be allowed to query your servers.

Quote:

3) recursion
I have set recursion to off already after reading it up. I did it by issuing the command "recursion on" in named.conf, according to dnsstuff.com text. Correct?

So does it mean my DNS server will only response to queries for domain names that are listed within the server?

I am using bind in Redhat.

recursion should be set to "no". Run the test on dnsstuff.com again to verify that it's really off.

Quote:

Lastly... for a pri/sec setup of DNS server, does it mean all dns request will go to the primary ONLY? And the secondary will only be checked IF and only IF, the primary is down. Am I right?

Thanks dude!

No. DNS is a naturally load-balanced protocol. DNS queries about your domain will cycle through your DNS servers with roughly an equal amount of traffic going to all of them. The term "secondary" is mostly just used in reference to client settings as far as what server to use for recursive requests. When other DNS servers contact yours, they will cycle through the list.

Swakoo · 01-03-2007, 04:28 AM

Oops I mean "no" for my recursion. Ok then that settles one thing.

so hmm.. am i right to say my setup will still work for both just that setting/updating will be one big trouble?

you have a a recommended guide i can look at to reconfigure the whole thing? the one with plesk is my primary one...

thanks for the rest of the info. I'll go digest it

chort · 01-03-2007, 11:57 AM

Switching from your messy way to the "right" way should be very easy. On the secondary server, edit named.conf and change "master" to "slave" everywhere you find it.

For instance, here's one of my zones from my primary DNS server

Code:

        zone "smtps.net" {
                type master;
                file "master/db.smtps.net";
                allow-query { any; };
        };

Here's the same zone on my secondary

Code:

        zone "smtps.net" {
                type slave;
                file "slave/db.smtps.net";
                allow-query { any; };
        };

I've removed some additional statements that were necessary for my split DNS to work, but that example should work perfectly fine as long as both your DNS servers can connect to each other over their public IPs.

Swakoo · 01-22-2007, 08:54 PM

hi chort,

the settings in my master (as of now, its both servers though) is:

Code:

zone "domain.com"{
        type master;
        file "zone/domain.com";
};

Code:

allow-query { any; };

I am lacking the above, does it matter? for slave or master?

I read elsewhere that the following is used for slaves: needed?

Code:

masters {192.168.23.17;};

also, does it mean I just need to change the word master] to slave?

But I still point to the same zone file? or should I point to a new directory (as in your example) and it should create that zone file automatically?

one more thing: even if after slave is setup, I still need to update the named.conf manually everytime a new zone is added yah?

thanks

JimBass · 01-22-2007, 10:12 PM

Quote:

I read elsewhere that the following is used for slaves: needed?
Code:

masters {192.168.23.17;};

You should absolutely ditch your double master setup. It is foolish, as BIND is built to support a master/slave configuration. The slave box should be setup with the masters {192.168.23.17;};. The address of the master must be an IP address, and it must be an address that the slave can reach, which usually is a real world IP, unless both the master and slave are on the same LAN, in which case a 192.168 or 172.16 or 10.0. address can also work.

Quote:

also, does it mean I just need to change the word master] to slave?

No, the declaration of where the master is goes on the slave copy. It tells the slave where to pull the zone from. That way you only change the master copy, and when BIND recieves the notice that the master is using a newer serial number for the zone, it will pull the newer copy over to itself.

You can tell the slave to call its copy of the zone anything you want. The name of the file is unimportant, although most people call it the same on both the master and slaves. You can call it fred.flitstone, BIND won't care. And yes, fred.flintstone can server out data for your domain.

Yes, you will need to modify the named.conf on both a master and slave when a new zone is added.

Since this is confusing you, here is an example from a named.conf of both a master and the corresponding slave:

Master

Code:

zone "yourdomain.com" in {
        type master;
        file "yourdomain.com";
};

Slave

Code:

zone "yourdomain.com" in {
        type slave;
        file "yourdomain.com";
        masters {12.34.56.78;};
};

Peace,
JimBass

Swakoo · 01-22-2007, 10:34 PM

hi there

i did the above... but am faced with the following "issues":

1. when i do a service restart, and then a service status check, I get the following
Stopping named: rndc: connect failed: connection refused
Even though when I do a restart it says starting named ok...

2. in the slave setup, I specified the file location, so as to save the config in the slave for "just in case" purpose right?

When I restart, it didn't create the files. I suppose its related to the first problem.

Something wrong I did?

JimBass · 01-22-2007, 10:44 PM

I have no idea what service restart is. Must be some fedora crap they pass off as bash. Please post the results of this (must be done from the computer running BIND)

Code:

dig google.com @localhost

if we get answers, then BIND is running. If we don't, then we have to figure that out. Rndc is a piece of the BIND package. Did you remove any lines from your named.conf about rndc, or the file /etc/rndc.conf?

Peace,
JimBass

chort · 01-22-2007, 11:37 PM

The files on the slave will automatically be created when it does a zone transfer from the master. You should be able to do

Code:

# rndc refresh domain.com

and it should pull down the zone file for domain.com from the master server.

It seems like you might have a problem with your rndc configuration, though. See JimBass' questions for that.

JimBass · 01-22-2007, 11:42 PM

Yeah, if rndc is failing then everything is failing. You don't need to use rndc to pull the zones off the master, it should just happen. Something got borked in the rndc config within named.conf. Either it got erased completely or altered somehow. Rndc needs to function, without it BIND simply won't run (recent versions that is, BIND 8 didn't require it, maybe early BIND 9 too).

Peace,
JimBass

Swakoo · 01-23-2007, 12:50 AM

When I use the edited named.conf (for slave dns) purpose, running

Code:

service named restart

shows everything is fine. Ok.

Running this shows that rndc connect:fail

Code:

service named status

I then proceed to run the following, as requested:

Code:

dig google.com @localhost

I got this instead:

Quote:

connection timed out; no servers could be reached

the named.conf config for my supposed slave dns server was configured like this:

Code:

options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
        recursion no;
};

//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type slave;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type slave;
        file "named.local";
        allow-update { none; };
};

include "/etc/rndc.key";

All the zone config files from here

My zone file statements were as follows:

Code:

zone "domain.com"{
        type slave;
        file "zone/domain.com";
        masters { 192.168.1.1; };
};

Is it ok?

JimBass · 01-23-2007, 01:00 AM

No. The fact that asking for the address of google.com failed shows that named is not running.

There might be a problem with the rndc key, as that is mentioned in named.conf. Please check and make sure that /etc/rndc.key exists, and that it was generated on this machine. if you just copied and pasted the named.conf from one machine to another it won't work over rndc. That key needs to be generated on the machine by the dnssec-keygen command. Does the key in /etc/rndc.key match the key in the control statement, "keys { rndckey; };"?

I don't know what service named does, but I'm guessing it is some fedora twist on normal BIND operations. Yet another reason to hate that distro passionately. Please try /etc/init.d/named stop
If that fails, maybe use top or htop to kill all running named processes and restart them.

Peace,
JimBass