Linux - Networking
I have 2 DNS servers... one a 'primary' and the other a 'secondary'.
I quoted '' because I configured both identically. Exactly the same.
That is... I have the individual zone files in /var/named/zone and I've configured named.conf to point to those zone files. Manually.
I've specified these 2 servers as my DNS servers under my domain registrar, one being 'primary' and the other being 'secondary'.
Is that all? Will that be sufficient? Will the 'secondary' kick in if the 'primary' fails... or should I configure it explicitly as 'primary' and 'secondary'? If so, how?
Also, what does it mean to have a lame nameserver, and that it does not answer authoritatively for my domain? What does it mean? I did a DNS whois search on my domain and got that... it says it's bad... sounds bad.
Some questions after getting a response from DNSStuff:
1) Open DNS Server: What is it about... and is it bad?
Quote:
ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:
Do you guys leave it alone?
2) Also, I am trying to get my domain to work with Google Apps. When my domain has no 'A' record for the domain itself... it won't work (can't resolve domain name server).
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
Having both the servers configured identically is wrong. If you ever have to make a change, you have to make the exact same change in two places. If you screw something up on one server, you need to increment the serial number and reload the zone, which then means the serial numbers are out of sync between the two servers, so you have to go increment the serial on the other one. It's just a mess.
Configure your "secondary" server to be a slave to the primary. That way you don't make any changes on the secondary; it gets notified by the primary when something changes and it loads the new data from the primary.
As for lame servers, that means your DNS servers are not claiming to be authoritative for your domain. That's bad. You need to make sure that your SOA record points to your primary DNS server and that you have NS records for each of your primary and secondary DNS servers.
As for being "open", that means your servers do recursive queries for any records in response to queries from anyone. That's bad. You need to turn off recursion.
How to do these various steps depends on what nameserver software you're using.
1) Primary/Secondary
Currently I am indeed doing it the manual way, increasing the serial number manually and such. My "primary" (the main DNS server) is running on PLESK. The 2nd one I just update manually and copy the serial number to be the same as the 1st one. Yup, it's a hassle, but it's a "controlled mess".
Any recommended links/articles I can look at to set this right?
2) Lame Server
If I get records in my DNS server log that I have lame server request or some sort.. does it matter?
What's SOA and... how do I set this right?
3) recursion
I have set recursion to off already after reading it up. I did it by issuing the command "recursion on" in named.conf, according to dnsstuff.com text. Correct?
So does it mean my DNS server will only respond to queries for domain names that are listed within the server?
I am using BIND on Red Hat.
Lastly... for a pri/sec setup of DNS servers, does it mean all DNS requests will go to the primary ONLY? And the secondary will only be checked IF and only IF the primary is down. Am I right?
Quote:
Originally Posted by Swakoo
1) Primary/Secondary
Currently I am indeed doing it the manual way, increasing the serial number manually and such. My "primary" (the main dns server) is running on PLESK. The 2nd one I just update manually and copy the serial number to be the same with the 1st one. Yup its a hassle, but its a "controlled mess".
Any recommended links/articles I can look at to set this right?
Sigh. That's an administrative "front-end" and I have no idea what options it exposes to you. You can edit the named.conf file manually and change the "master" statements to "slave" on the secondary.
Quote:
2) Lame Server
If I get records in my DNS server log that I have lame server request or some sort.. does it matter?
What's SOA and... how do I set this right?
It's a type of DNS Resource Record. Typically the top few lines of your zone file look like this:
See the first bolded line? That tells everyone what your Start Of Authority is, i.e. your first Authoritative nameserver is. The NS records list all of the Authoritative nameservers for your domain (in my case, just two). After I set ORIGIN to my domain, the next record is blank, which means it's exactly the value of ORIGIN (my base domain), so it creates an A record for smtps.net. I don't actually have an A record for my base domain name, but I created this example.
As long as dnsstuff.com isn't saying you have a lame server, you're OK. The messages in your log are telling you about other servers who are incorrectly configured (assuming yours passes the test). If you are getting queries to your DNS servers about other domains, where are they coming from? Do any of your applications use your DNS server to do resolution? If so, you can't completely disable recursion, you need to use an allow-recursion statement and list your IPs that should be allowed to query your servers.
Quote:
3) recursion
I have set recursion to off already after reading it up. I did it by issuing the command "recursion on" in named.conf, according to dnsstuff.com text. Correct?
So does it mean my DNS server will only response to queries for domain names that are listed within the server?
I am using bind in Redhat.
recursion should be set to "no". Run the test on dnsstuff.com again to verify that it's really off.
Quote:
Lastly... for a pri/sec setup of DNS server, does it mean all dns request will go to the primary ONLY? And the secondary will only be checked IF and only IF, the primary is down. Am I right?
Thanks dude!
No. DNS is a naturally load-balanced protocol. DNS queries about your domain will cycle through your DNS servers with roughly an equal amount of traffic going to all of them. The term "secondary" is mostly just used in reference to client settings as far as what server to use for recursive requests. When other DNS servers contact yours, they will cycle through the list.
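The zone file the reply above describes (SOA first, then the NS records, then an owner-less record for the bare domain) did not survive on this page, so here is an added example of the same layout. It is not the poster's smtps.net zone: example.com, the hostmaster mailbox and the 192.0.2.x addresses (from the reserved TEST-NET range) are placeholders, and the file path follows the /var/named/zone layout from the first post.

```bind
; /var/named/zone/example.com on the primary (added example; example.com and the
; 192.0.2.x addresses are placeholders, not a real deployment)
$TTL 86400
$ORIGIN example.com.

; SOA: MNAME is the primary nameserver, RNAME is hostmaster@example.com with the
; "@" written as a dot. The serial must go up on every edit, otherwise secondaries
; that compare serials never pull the new copy.
@       IN  SOA ns1.example.com. hostmaster.example.com. (
                2010021501  ; serial, YYYYMMDDnn style
                3600        ; refresh: how often a secondary re-checks the serial
                900         ; retry: wait after a failed refresh
                1209600     ; expire: a secondary stops answering after this long without contact
                3600 )      ; negative-caching TTL for NXDOMAIN answers

; Every server that the registrar delegates to must appear here AND load the zone;
; a delegated server that does not answer authoritatively is what a "lame server"
; report means.
@       IN  NS  ns1.example.com.
@       IN  NS  ns2.example.com.

; Bare-domain A record: "example.com" itself resolves, which is the record the
; Google Apps question in the first post was missing.
@       IN  A   192.0.2.10

; The nameservers live inside the zone they serve, so they need their own A records
; (the registrar also needs these addresses as glue).
ns1     IN  A   192.0.2.1
ns2     IN  A   192.0.2.2
www     IN  CNAME example.com.
```

`named-checkzone example.com /var/named/zone/example.com` validates the file before a reload. Afterwards, `dig +norecurse SOA example.com @192.0.2.1` should show the `aa` flag and the serial above; the same query against the secondary should return the same serial once it has transferred the zone. A server that answers without `aa` is exactly what DNSStuff flags as lame.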
Switching from your messy way to the "right" way should be very easy. On the secondary server, edit named.conf and change "master" to "slave" everywhere you find it.
For instance, here's one of my zones from my primary DNS server
Code:
zone "smtps.net" {
type master;
file "master/db.smtps.net";
allow-query { any; };
};
Here's the same zone on my secondary
Code:
zone "smtps.net" {
type slave;
file "slave/db.smtps.net";
allow-query { any; };
};
I've removed some additional statements that were necessary for my split DNS to work, but that example should work perfectly fine as long as both your DNS servers can connect to each other over their public IPs.
I read elsewhere that the following is used for slaves: needed?
Code:
masters {192.168.23.17;};
You should absolutely ditch your double master setup. It is foolish, as BIND is built to support a master/slave configuration. The slave box should be setup with the masters {192.168.23.17;};. The address of the master must be an IP address, and it must be an address that the slave can reach, which usually is a real world IP, unless both the master and slave are on the same LAN, in which case a 192.168 or 172.16 or 10.0. address can also work.
Quote:
Also, does it mean I just need to change the word master to slave?
No, the declaration of where the master is goes on the slave copy. It tells the slave where to pull the zone from. That way you only change the master copy, and when BIND receives the notice that the master is using a newer serial number for the zone, it will pull the newer copy over to itself.
You can tell the slave to call its copy of the zone anything you want. The name of the file is unimportant, although most people call it the same on both the master and slaves. You can call it fred.flintstone, BIND won't care. And yes, fred.flintstone can serve out data for your domain.
Yes, you will need to modify the named.conf on both a master and slave when a new zone is added.
Since this is confusing you, here is an example from a named.conf of both a master and the corresponding slave:
Master
Code:
zone "yourdomain.com" in {
type master;
file "yourdomain.com";
};
Slave
Code:
zone "yourdomain.com" in {
type slave;
file "yourdomain.com";
masters {12.34.56.78;};
};
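The two zone statements above are the minimum; what follows is an added example (not from any post in this thread) of the matching `options` and `controls` sections on each host, so that transfers are restricted to the secondary, recursion is off on both, and the rndc channel named in the later posts is wired up. example.com, the addresses 192.0.2.1 (primary) and 192.0.2.2 (secondary), the `slaves/` directory and the key name `rndckey` are assumptions: the key name has to be whatever `/etc/rndc.key` on that host actually defines.

```bind
// ===== /etc/named.conf on the PRIMARY (192.0.2.1), added example =====
options {
    directory "/var/named";
    recursion no;                    // authoritative only: never resolve for anyone
    allow-transfer { none; };        // global default; opened per zone below
    notify yes;                      // send NOTIFY to the zone's NS hosts on every reload
};

// rndc control channel. The key name must match the key defined in /etc/rndc.key,
// which "rndc-confgen -a" generates on this host; a copied key file from another
// box will not match this host's named and rndc reports "connection refused".
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; };
};
include "/etc/rndc.key";

zone "example.com" IN {
    type master;
    file "zone/example.com";
    allow-transfer { 192.0.2.2; };   // only the secondary may AXFR the zone
    allow-update { none; };
};

// ===== /etc/named.conf on the SECONDARY (192.0.2.2), added example =====
options {
    directory "/var/named";
    recursion no;                    // to let only this host recurse, use instead:
                                     //   recursion yes; allow-recursion { 127.0.0.1; };
    allow-transfer { none; };
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; };
};
include "/etc/rndc.key";             // generated on the secondary itself, not copied

// The stock localhost and 127.in-addr.arpa zones stay "type master" on BOTH hosts.
// A zone declared "type slave" with no masters statement is a fatal configuration
// error and named refuses to start at all.
zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "example.com" IN {
    type slave;
    file "slaves/example.com";       // a directory the named user can write; the
                                     // file appears only after the first transfer
    masters { 192.0.2.1; };          // where to pull the zone from after a NOTIFY or on refresh
    allow-transfer { none; };
};
```

`named-checkconf /etc/named.conf` on each host catches the missing-masters and key-name problems before a restart. Once the primary reloads with a higher serial, `dig +norecurse SOA example.com @192.0.2.2` should show the new serial with the `aa` flag; `dig A google.com @192.0.2.2` should come back with no answer section (REFUSED, or at most a bare referral) and no `ra` flag, which is what the open-resolver test looks for.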
i did the above... but am faced with the following "issues":
1. When I do a service restart and then a service status check, I get the following: Stopping named: rndc: connect failed: connection refused
Even though when I do a restart it says starting named OK...
2. In the slave setup, I specified the file location, so as to save the config in the slave for "just in case" purposes, right?
When I restart, it didn't create the files. I suppose it's related to the first problem.
I have no idea what service restart is. Must be some fedora crap they pass off as bash. Please post the results of this (must be done from the computer running BIND)
Code:
dig google.com @localhost
If we get answers, then BIND is running. If we don't, then we have to figure that out. Rndc is a piece of the BIND package. Did you remove any lines from your named.conf about rndc, or the file /etc/rndc.conf?
Yeah, if rndc is failing then everything is failing. You don't need to use rndc to pull the zones off the master, it should just happen. Something got borked in the rndc config within named.conf. Either it got erased completely or altered somehow. Rndc needs to function, without it BIND simply won't run (recent versions that is, BIND 8 didn't require it, maybe early BIND 9 too).
When I use the edited named.conf (for slave DNS purposes), running
Code:
service named restart
shows everything is fine. Ok.
Running this shows that rndc connect:fail
Code:
service named status
I then proceed to run the following, as requested:
Code:
dig google.com @localhost
I got this instead:
Quote:
connection timed out; no servers could be reached
The named.conf for my supposed slave DNS server was configured like this:
Code:
options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
recursion no;
};
//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type slave;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type slave;
file "named.local";
allow-update { none; };
};
include "/etc/rndc.key";
All the zone config files from here
My zone file statements were as follows:
Code:
zone "domain.com"{
type slave;
file "zone/domain.com";
masters { 192.168.1.1; };
};
No. The fact that asking for the address of google.com failed shows that named is not running.
There might be a problem with the rndc key, as that is mentioned in named.conf. Please check and make sure that /etc/rndc.key exists, and that it was generated on this machine. If you just copied and pasted the named.conf from one machine to another, it won't work over rndc. That key needs to be generated on the machine by the dnssec-keygen command. Does the key in /etc/rndc.key match the key in the control statement, "keys { rndckey; };"?
I don't know what service named does, but I'm guessing it is some fedora twist on normal BIND operations. Yet another reason to hate that distro passionately. Please try /etc/init.d/named stop
If that fails, maybe use top or htop to kill all running named processes and restart them.