LinuxQuestions.org

Linux - Server: BIND 9.7.3 not working properly? (http://www.linuxquestions.org/questions/linux-server-73/bind-9-7-3-not-working-properly-4175437069/)

keungz 11-14-2012 04:04 AM

BIND 9.7.3 not working properly?
 
Heyas!

I'm migrating to a new server, so I need the new server to take over the responsibilities the old one had. For now I have to run BIND with master/slave all by itself (while later the old server is slated to become the slave), but I've been hitting quite a few roadblocks along the way. First and foremost, I cannot resolve anything using my nameserver. I have it set up to run on two ip's (not internal ones - all ip's are external), and while named seems to run fine and produces no apparent errors related to this issue, it won't resolve google.com for example.

My second problem is that while the first zonefile I added seemed to work nicely, others I've added have seemingly broken everything. Now none of the domains is resolving at all.

I've run iptables -F in desperation, but that didn't do anything.

I'm a little paranoid, so I prefer masking my ip's and domains. Hopefully that won't be problematic! ip1.ip1.ip1.ip1 is the ip of ns1, ip2.ip2.ip2.ip2 is the ip of ns2, ip3.ip3.ip3.ip3 is the main ip of my server, ip4.ip4.ip4.ip4 is my mailserver ip. They are all attached to the new server. mymaindomain.net is the domain which the nameservers "belong" to.

Various information

Code:

# netstat -tunapl|grep 53
tcp        0      0 ip2.ip2.ip2.ip2:53      0.0.0.0:*              LISTEN      27579/named
tcp        0      0 ip1.ip1.ip1.ip1:53      0.0.0.0:*              LISTEN      27579/named
tcp        0      0 127.0.0.1:953          0.0.0.0:*              LISTEN      27579/named
tcp6      0      0 ::1:953                :::*                    LISTEN      27579/named
udp        0      0 ip2.ip2.ip2.ip2:53      0.0.0.0:*                          27579/named
udp        0      0 ip1.ip1.ip1.ip1:53      0.0.0.0:*                          27579/named

Code:

# named-checkconf -p
options {
        directory "/var/cache/bind";
        listen-on port 53 {
                ip1.ip1.ip1.ip1/32;
                ip2.ip2.ip2.ip2/32;
        };
        listen-on-v6 {
                "none";
        };
        version "none";
        allow-recursion {
                "any";
        };
        auth-nxdomain no;
        allow-query {
                "any";
        };
};
view "internal" {
        zone "." {
                type hint;
                file "/etc/bind/db.root";
        };
        zone "localhost" {
                type master;
                file "/etc/bind/db.local";
        };
        zone "127.in-addr.arpa" {
                type master;
                file "/etc/bind/db.127";
        };
        zone "0.in-addr.arpa" {
                type master;
                file "/etc/bind/db.0";
        };
        zone "255.in-addr.arpa" {
                type master;
                file "/etc/bind/db.255";
        };
};
view "external" {
        match-clients {
                "any";
        };
        zone "." {
                type hint;
                file "/etc/bind/db.root";
        };
        zone "mymaindomain.net" {
                type master;
                file "/etc/bind/domains/mymaindomain.net";
        };
        zone "someotherdomain.net" {
                type master;
                file "/etc/bind/domains/someotherdomain.net";
        };
        zone "lastdomain.org" {
                type master;
                file "/etc/bind/domains/lastdomain.org";
        };
};
server 0.0.0.0/0 {
        edns no;
};

; ^- allow-recursion, allow-query, server have been added for debugging purposes

Code:

# cat /etc/bind/db.root

; <<>> DiG 9.7.3 <<>> @192.33.4.12 . ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25104
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                      518400  IN      NS      b.root-servers.net.
.                      518400  IN      NS      a.root-servers.net.
.                      518400  IN      NS      k.root-servers.net.
.                      518400  IN      NS      c.root-servers.net.
.                      518400  IN      NS      f.root-servers.net.
.                      518400  IN      NS      d.root-servers.net.
.                      518400  IN      NS      h.root-servers.net.
.                      518400  IN      NS      g.root-servers.net.
.                      518400  IN      NS      j.root-servers.net.
.                      518400  IN      NS      e.root-servers.net.
.                      518400  IN      NS      l.root-servers.net.
.                      518400  IN      NS      m.root-servers.net.
.                      518400  IN      NS      i.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.    3600000 IN      A      198.41.0.4
a.root-servers.net.    3600000 IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.    3600000 IN      A      192.228.79.201
c.root-servers.net.    3600000 IN      A      192.33.4.12
d.root-servers.net.    3600000 IN      A      128.8.10.90
d.root-servers.net.    3600000 IN      AAAA    2001:500:2d::d
e.root-servers.net.    3600000 IN      A      192.203.230.10
f.root-servers.net.    3600000 IN      A      192.5.5.241
f.root-servers.net.    3600000 IN      AAAA    2001:500:2f::f
g.root-servers.net.    3600000 IN      A      192.112.36.4
h.root-servers.net.    3600000 IN      A      128.63.2.53
h.root-servers.net.    3600000 IN      AAAA    2001:500:1::803f:235
i.root-servers.net.    3600000 IN      A      192.36.148.17
i.root-servers.net.    3600000 IN      AAAA    2001:7fe::53

;; Query time: 15 msec
;; SERVER: 192.33.4.12#53(192.33.4.12)
;; WHEN: Mon Nov 12 16:48:34 2012
;; MSG SIZE  rcvd: 512

Code:

# cat /etc/resolv.conf
search mymaindomain.net
ip1.ip1.ip1.ip1
ip2.ip2.ip2.ip2

Code:

# cat /etc/bind/domains/mymaindomain.net
$TTL 86400
@      IN SOA  ns1.mymaindomain.net. admin.mymaindomain.net. (
                                                2012111202      ; Serial
                                                8H              ; Refresh
                                                2H              ; Retry
                                                4W              ; Expire
                                                2D              ; Minimum
                                                )
; Include NS and MX record
$INCLUDE /etc/bind/domains/share/NSMX-records

@              IN      A      ip3.ip3.ip3.ip3

; Server main hostnames
newserver        IN      A      ip3.ip3.ip3.ip3
ns1            IN      A      ip1.ip1.ip1.ip1
ns2            IN      A      ip2.ip2.ip2.ip2

; Canonicals
www            IN      CNAME  newserver
bind9test          IN      CNAME  newserver

Code:

# cat /etc/bind/domains/someotherdomain.net
$TTL 86400
@      IN SOA  ns1.mymaindomain.net. admin.mymaindomain.net. (
                                                2012111202      ; Serial
                                                8H              ; Refresh
                                                2H              ; Retry
                                                4W              ; Expire
                                                2D              ; Minimum
                                                )
; Include NS and MX record
$INCLUDE /etc/bind/domains/share/NSMX-records

@              IN      A      ip3.ip3.ip3.ip3

; Canonicals
www            IN      CNAME  @
resources      IN      CNAME  @
beta            IN      CNAME  @
forumbeta      IN      CNAME  @
xs              IN      CNAME  @

Code:

# cat /etc/bind/domains/share/NSMX-records
@              IN      NS      ns1.mymaindomain.net.
                IN      NS      ns2.mymaindomain.net.
                IN      MX      10 mail

mail            IN      A      ip4.ip4.ip4.ip4

And finally:
Code:

# named-checkzone someotherdomain.net /etc/bind/domains/someotherdomain.net
zone someotherdomain.net/IN: loaded serial 2012111201
OK

As you can see, I'm experimenting a bit with these zonefiles. Another question while I'm on the subject, is IN CNAME @ allowed at all?

Any help appreciated! I've fallen and I can't get up!

bathory 11-14-2012 05:45 AM

Quote:

First and foremost, I cannot resolve anything using my nameserver. I have it set up to run on two ip's (not internal ones - all ip's are external), and while named seems to run fine and produces no apparent errors related to this issue, it won't resolve google.com for example.
What do you get when you run:
Code:

dig google.com @ ip1.ip1.ip1.ip1
Quote:

My second problem is that while the first zonefile I added seemed to work nicely, others I've added have seemingly broke everything. Now none of the domains is resolving at all.
Again try to dig those domain(s) and post the results

Regards

keungz 11-14-2012 09:04 AM

Code:

# dig google.com @ ip1.ip1.ip1.ip1
dig: couldn't get address for '': not found

# dig mymaindomain.net @ ip1.ip1.ip1.ip1
dig: couldn't get address for '': not found


bathory 11-14-2012 10:55 AM

Quote:

Originally Posted by keungz (Post 4829226)
Code:

# dig google.com @ ip1.ip1.ip1.ip1
dig: couldn't get address for '': not found

# dig mymaindomain.net @ ip1.ip1.ip1.ip1
dig: couldn't get address for '': not found


Oops, sorry. The DNS IP must come right after the '@'. Don't know how the blank space came out. This is the correct syntax:
Code:

dig google.com @ip1.ip1.ip1.ip1

keungz 11-14-2012 02:43 PM

Not that I use dig that often, but I should have been able to see that mistake myself, especially after getting an obvious error like that :redface:

Here's the correct output:
Code:

# dig google.com @ip1.ip1.ip1.ip1

; <<>> DiG 9.7.3 <<>> google.com @ip1.ip1.ip1.ip1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48300
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.            300    IN      A      173.194.32.7
google.com.            300    IN      A      173.194.32.8
google.com.            300    IN      A      173.194.32.9
google.com.            300    IN      A      173.194.32.14
google.com.            300    IN      A      173.194.32.0
google.com.            300    IN      A      173.194.32.1
google.com.            300    IN      A      173.194.32.2
google.com.            300    IN      A      173.194.32.3
google.com.            300    IN      A      173.194.32.4
google.com.            300    IN      A      173.194.32.5
google.com.            300    IN      A      173.194.32.6

;; AUTHORITY SECTION:
google.com.            93189  IN      NS      ns2.google.com.
google.com.            93189  IN      NS      ns4.google.com.
google.com.            93189  IN      NS      ns3.google.com.
google.com.            93189  IN      NS      ns1.google.com.

;; Query time: 37 msec
;; SERVER: ip1.ip1.ip1.ip1#53(ip1.ip1.ip1.ip1)
;; WHEN: Wed Nov 14 21:45:27 2012
;; MSG SIZE  rcvd: 276

Code:

# dig mymaindomain.net @ip1.ip1.ip1.ip1

; <<>> DiG 9.7.3 <<>> mymaindomain.net @ip1.ip1.ip1.ip1
;; global options: +cmd
;; connection timed out; no servers could be reached


bathory 11-14-2012 04:33 PM

Doesn't make sense.
You can connect to your DNS to resolve google, but you can't connect when you're trying to resolve your domain!!!
Are you sure your network is ok and there is no firewall blocking udp/tcp port 53? You could also try the 2nd ip of your dns, to see what you get.

keungz 11-14-2012 05:54 PM

Code:

# dig google.com @ip2.ip2.ip2.ip2

; <<>> DiG 9.7.3 <<>> google.com @ip2.ip2.ip2.ip2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49656
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.            59      IN      A      173.194.32.6
google.com.            59      IN      A      173.194.32.7
google.com.            59      IN      A      173.194.32.8
google.com.            59      IN      A      173.194.32.9
google.com.            59      IN      A      173.194.32.14
google.com.            59      IN      A      173.194.32.0
google.com.            59      IN      A      173.194.32.1
google.com.            59      IN      A      173.194.32.2
google.com.            59      IN      A      173.194.32.3
google.com.            59      IN      A      173.194.32.4
google.com.            59      IN      A      173.194.32.5

;; AUTHORITY SECTION:
google.com.            172559  IN      NS      ns1.google.com.
google.com.            172559  IN      NS      ns4.google.com.
google.com.            172559  IN      NS      ns3.google.com.
google.com.            172559  IN      NS      ns2.google.com.

;; Query time: 0 msec
;; SERVER: ip2.ip2.ip2.ip2#53(ip2.ip2.ip2.ip2)
;; WHEN: Thu Nov 15 00:34:34 2012
;; MSG SIZE  rcvd: 276

Code:

# dig mymaindomain.net @ip2.ip2.ip2.ip2

; <<>> DiG 9.7.3 <<>> mymaindomain.net @ip2.ip2.ip2.ip2
;; global options: +cmd
;; connection timed out; no servers could be reached

Code:

# nslookup google.com
;; connection timed out; no servers could be reached

While restarting named:
Code:

# tail -f /var/log/syslog
Nov 15 00:40:17 server named[21250]: received control channel command 'stop -p'
Nov 15 00:40:17 server named[21250]: shutting down: flushing changes
Nov 15 00:40:17 server named[21250]: stopping command channel on 127.0.0.1#953
Nov 15 00:40:17 server named[21250]: stopping command channel on ::1#953
Nov 15 00:40:17 server named[21250]: no longer listening on ip1.ip1.ip1.ip1#53
Nov 15 00:40:17 server named[21250]: no longer listening on ip2.ip2.ip2.ip2#53
Nov 15 00:40:17 server named[21250]: exiting
Nov 15 00:40:18 server named[22068]: starting BIND 9.7.3 -u bind
Nov 15 00:40:18 server named[22068]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=' 'CPPFLAGS='
Nov 15 00:40:18 server named[22068]: adjusted limit on open files from 1024 to 1048576
Nov 15 00:40:18 server named[22068]: found 2 CPUs, using 2 worker threads
Nov 15 00:40:18 server named[22068]: using up to 4096 sockets
Nov 15 00:40:18 server named[22068]: loading configuration from '/etc/bind/named.conf'
Nov 15 00:40:18 server named[22068]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Nov 15 00:40:18 server named[22068]: using default UDP/IPv4 port range: [1024, 65535]
Nov 15 00:40:18 server named[22068]: using default UDP/IPv6 port range: [1024, 65535]
Nov 15 00:40:18 server named[22068]: listening on IPv4 interface eth0:2, ip1.ip1.ip1.ip1#53
Nov 15 00:40:18 server named[22068]: listening on IPv4 interface eth0:3, ip2.ip2.ip2.ip2#53
Nov 15 00:40:18 server named[22068]: generating session key for dynamic DNS
Nov 15 00:40:18 server named[22068]: set up managed keys zone for view internal, file '3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys'
Nov 15 00:40:18 server named[22068]: automatic empty zone: view internal: 254.169.IN-ADDR.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view internal: 2.0.192.IN-ADDR.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view internal: 100.51.198.IN-ADDR.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view internal: 113.0.203.IN-ADDR.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view internal: 255.255.255.255.IN-ADDR.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view internal: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view internal: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view internal: D.F.IP6.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view internal: 8.E.F.IP6.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view internal: 9.E.F.IP6.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view internal: A.E.F.IP6.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view internal: B.E.F.IP6.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view internal: 8.B.D.0.1.0.0.2.IP6.ARPA
Nov 15 00:40:18 server named[22068]: set up managed keys zone for view external, file '3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys'
Nov 15 00:40:18 server named[22068]: automatic empty zone: view external: 0.IN-ADDR.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view external: 127.IN-ADDR.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view external: 254.169.IN-ADDR.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view external: 2.0.192.IN-ADDR.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view external: 100.51.198.IN-ADDR.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view external: 113.0.203.IN-ADDR.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view external: 255.255.255.255.IN-ADDR.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view external: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view external: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view external: D.F.IP6.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view external: 8.E.F.IP6.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view external: 9.E.F.IP6.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view external: A.E.F.IP6.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view external: B.E.F.IP6.ARPA
Nov 15 00:40:18 server named[22068]: automatic empty zone: view external: 8.B.D.0.1.0.0.2.IP6.ARPA
Nov 15 00:40:18 server named[22068]: command channel listening on 127.0.0.1#953
Nov 15 00:40:18 server named[22068]: command channel listening on ::1#953
Nov 15 00:40:18 server named[22068]: zone 0.in-addr.arpa/IN/internal: loaded serial 1
Nov 15 00:40:18 server named[22068]: zone 127.in-addr.arpa/IN/internal: loaded serial 1
Nov 15 00:40:18 server named[22068]: zone 255.in-addr.arpa/IN/internal: loaded serial 1
Nov 15 00:40:18 server named[22068]: zone localhost/IN/internal: loaded serial 2
Nov 15 00:40:18 server named[22068]: managed-keys-zone ./IN/internal: loading from master file 3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys failed: file not found
Nov 15 00:40:18 server named[22068]: managed-keys-zone ./IN/internal: loaded serial 0
Nov 15 00:40:18 server named[22068]: zone someotherdomain.net/IN/external: loaded serial 2012111201
Nov 15 00:40:18 server named[22068]: zone mymaindomain.net/IN/external: loaded serial 2012111501
Nov 15 00:40:18 server named[22068]: zone lastdomain.org/IN/external: loaded serial 2012111201
Nov 15 00:40:18 server named[22068]: managed-keys-zone ./IN/external: loading from master file 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys failed: file not found
Nov 15 00:40:18 server named[22068]: managed-keys-zone ./IN/external: loaded serial 0
Nov 15 00:40:18 server named[22068]: zone mymaindomain.net/IN/external: sending notifies (serial 2012111501)
Nov 15 00:40:18 server named[22068]: zone someotherdomain.net/IN/external: sending notifies (serial 2012111201)
Nov 15 00:40:18 server named[22068]: zone lastdomain.org/IN/external: sending notifies (serial 2012111201)
Nov 15 00:40:18 server named[22068]: running
Nov 15 00:40:18 server named[22068]: client ip2.ip2.ip2.ip2#9094: view internal: received notify for zone 'mymaindomain.net': not authoritative
Nov 15 00:40:18 server named[22068]: client ip2.ip2.ip2.ip2#59646: view internal: received notify for zone 'someotherdomain.net': not authoritative
Nov 15 00:40:18 server named[22068]: client ip2.ip2.ip2.ip2#59646: view internal: received notify for zone 'lastdomain.org': not authoritative

Why would it say not authoritative? Also, those master files do indeed not exist and I cannot find where they are called from. Could these messages prove useful? For some reason bind has not output anything to syslog until just now :confused:

Code:

# iptables -L
Chain INPUT (policy ACCEPT)
target    prot opt source              destination

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

My old server is in the same network, and I did not have any issues with it. At least not as severe as what I'm experiencing on the new server :(

bathory 11-15-2012 12:32 AM

Quote:

nslookup google.com
;; connection timed out; no servers could be reached
What's in /etc/resolv.conf?


Quote:

Nov 15 00:40:18 server named[22068]: client ip2.ip2.ip2.ip2#9094: view internal: received notify for zone 'mymaindomain.net': not authoritative
...
It says not authoritative, because you don't have anything about your zones in the internal view. Also there is no ACL for the hosts that belong to this view (usually they are on the same network as the server). Maybe you need to add something like:
Code:

acl internal {ip1.ip1.ip1.ip1; ip2.ip2.ip2.ip2; 127.0.0.1;};
Add those hosts/networks that belong to your LAN. Then use:
Code:

view "internal" {
        match-clients { internal; };
...

Also better change
Quote:

listen-on port 53 {
ip1.ip1.ip1.ip1/32;
ip2.ip2.ip2.ip2/32;
};
to
Code:

        listen-on port 53 {
                ip1.ip1.ip1.ip1;
                ip2.ip2.ip2.ip2;
};

or use "any" instead of the IPs

Anyway, it still doesn't make sense why resolving third-party domains works, while resolving its own domains results in no connection!!!

keungz 11-15-2012 12:42 PM

I added this to the configuration:

Code:

acl internal {

        ip1.ip1.ip1.ip1;
        ip2.ip2.ip2.ip2;

        ip3.ip3.ip3.ip3;
        ip4.ip4.ip4.ip4;
        ip5.ip5.ip5.ip5;

        127.0.0.1;

};

Code:

view "internal" {

        match-clients {

                internal;

        };

However I still get

Code:

Nov 15 19:12:57 server named[28945]: client ip2.ip2.ip2.ip2#25627: view internal: received notify for zone 'mymaindomain.net': not authoritative
Nov 15 19:12:58 server named[28945]: client ip2.ip2.ip2.ip2#33224: view internal: received notify for zone 'someotherdomain.net': not authoritative
Nov 15 19:12:58 server named[28945]: client ip2.ip2.ip2.ip2#33224: view internal: received notify for zone 'lastdomain.org': not authoritative

Code:

# cat /etc/resolv.conf
search mymaindomain.net
ip1.ip1.ip1.ip1
ip2.ip2.ip2.ip2

Also the /32's are added by `named-checkconf -p`. This is my listen-on in my configuration:

Code:

listen-on port 53 { ip1.ip1.ip1.ip1; ip2.ip2.ip2.ip2; };

I changed this to:
listen-on port 53 { any; };

Right now I can resolve google.com, as 127.0.0.1 is automatically the server queried:

Code:

# nslookup google.com
Server:        127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:  google.com
Address: 173.194.32.14
Name:  google.com
Address: 173.194.32.0
Name:  google.com
Address: 173.194.32.1
Name:  google.com
Address: 173.194.32.2
Name:  google.com
Address: 173.194.32.3
Name:  google.com
Address: 173.194.32.4
Name:  google.com
Address: 173.194.32.5
Name:  google.com
Address: 173.194.32.6
Name:  google.com
Address: 173.194.32.7
Name:  google.com
Address: 173.194.32.8
Name:  google.com
Address: 173.194.32.9

However, resolving mymaindomain.net doesn't work:

Code:

# nslookup mymaindomain.net
;; Got SERVFAIL reply from 127.0.0.1, trying next server
;; connection timed out; no servers could be reached

And now I get new messages in my syslog:

Code:

Nov 15 19:23:41 server named[29157]: lame server resolving 'mymaindomain.net' (in 'mymaindomain.net'?): ip1.ip1.ip1.ip1#53
Nov 15 19:23:41 server named[29157]: lame server resolving 'mymaindomain.net' (in 'mymaindomain.net'?): ip2.ip2.ip2.ip2#53
Nov 15 19:23:42 server named[29157]: lame server resolving 'ns1.mymaindomain.net' (in 'mymaindomain.net'?): ip1.ip1.ip1.ip1#53
Nov 15 19:23:42 server named[29157]: lame server resolving 'ns1.mymaindomain.net' (in 'mymaindomain.net'?): ip2.ip2.ip2.ip2#53
Nov 15 19:23:42 server named[29157]: lame server resolving 'ns2.mymaindomain.net' (in 'mymaindomain.net'?): ip2.ip2.ip2.ip2#53
Nov 15 19:23:42 server named[29157]: lame server resolving 'ns2.mymaindomain.net' (in 'mymaindomain.net'?): ip1.ip1.ip1.ip1#53

Maybe there's something very wrong with my config files?

Code:

# cat /etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

//include "/etc/bind/named.conf.default-zones";

include "/etc/bind/named.conf.internal-zones";
include "/etc/bind/named.conf.external-zones";

Code:

# cat /etc/bind/named.conf.options

options {
        directory "/var/cache/bind";

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
//      listen-on port 53 { ip1.ip1.ip1.ip1; ip2.ip2.ip2.ip2; };
        listen-on port 53 { any; };

        allow-query { any; };
        allow-recursion { any; };

        version "none";
};

Code:

# cat /etc/bind/named.conf.local

server 0.0.0.0/0 {
edns no;
};

acl internal {

        ip1.ip1.ip1.ip1;
        ip2.ip2.ip2.ip2;

        ip3.ip3.ip3.ip3;
        ip4.ip4.ip4.ip4;
        ip5.ip5.ip5.ip5;

        127.0.0.1;

};

Code:

# cat /etc/bind/named.conf.internal-zones

view "internal" {

        match-clients {

                internal;

        };

        zone "." {

                type hint;
                file "/etc/bind/db.root";

        };

        zone "localhost" {

                type master;
                file "/etc/bind/db.local";

        };

        zone "127.in-addr.arpa" {

                type master;
                file "/etc/bind/db.127";

        };

        zone "0.in-addr.arpa" {

                type master;
                file "/etc/bind/db.0";

        };

        zone "255.in-addr.arpa" {

                type master;
                file "/etc/bind/db.255";

        };

};

Code:

# cat /etc/bind/named.conf.external-zones

view "external" {

        match-clients {

                any;

        };

        zone "." {

                type hint;
                file "/etc/bind/db.root";

        };

        // mymaindomain.net

        zone "mymaindomain.net" {

                type master;
                file "/etc/bind/domains/mymaindomain.net";

        };

        zone "someotherdomain.net" {

                type master;
                file "/etc/bind/domains/someotherdomain.net";

        };

        zone "lastdomain.org" {

                type master;
                file "/etc/bind/domains/lastdomain.org";

        };

};


bathory 11-15-2012 04:18 PM

You can ditch the internal view and the related zones as they are superfluous with your current config.

Quote:

Right now I can resolve google.com, as 127.0.0.1 is automatically the server queried:
How is it possible to use 127.0.0.1 as the default resolver, when you're supposed to have ns1 and ns2 in /etc/resolv.conf? And still the question remains: why can't it resolve its own domains?


Quote:

Nov 15 19:23:41 server named[29157]: lame server resolving 'mymaindomain.net' (in 'mymaindomain.net'?): ip1.ip1.ip1.ip1#53
...
The client (server) asked ns1 for mymaindomain.net thinking it's authoritative for that domain, but ns1 answered not authoritatively.
You can run
Code:

named-checkconf -z
to see all the master zones in your dns.
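To see why queries from the server's own addresses came back non-authoritative while outside clients got proper answers, here is an added example (not code from the thread or from BIND itself) that models BIND's first-match view selection over the posted named.conf; the 192.0.2.x and 203.0.113.x addresses are constructed stand-ins for the masked ip1..ip5 and for a laptop client.

```python
"""Model of BIND's first-match view selection, added to illustrate the thread's
"lame server" messages. This is an added example, not code from the thread or
from BIND itself. Addresses are constructed stand-ins from the RFC 5737
documentation ranges for the masked ip1..ip5."""
import ipaddress

IP1 = "192.0.2.1"       # constructed stand-in for ns1 (ip1)
IP2 = "192.0.2.2"       # ns2 (ip2)
IP3 = "192.0.2.3"       # main server address (ip3)
IP4 = "192.0.2.4"       # mail (ip4)
IP5 = "192.0.2.5"       # ip5
LAPTOP = "203.0.113.9"  # a client that is not one of the server's own addresses

# Named ACLs as in the thread's named.conf.local; "any" is BIND's built-in.
ACLS = {
    "internal": [IP1, IP2, IP3, IP4, IP5, "127.0.0.1"],
    "any": ["0.0.0.0/0", "::/0"],
}

# Views in named.conf order. BIND hands a query to the FIRST view whose
# match-clients accepts the query's source address, so order matters.
VIEWS_WITH_INTERNAL = [
    {"name": "internal", "match_clients": ["internal"],
     "zones": ["localhost", "127.in-addr.arpa", "0.in-addr.arpa", "255.in-addr.arpa"]},
    {"name": "external", "match_clients": ["any"],
     "zones": ["mymaindomain.net", "someotherdomain.net", "lastdomain.org"]},
]
# The configuration after the fix in the thread (internal view removed).
VIEWS_FIXED = VIEWS_WITH_INTERNAL[1:]


def expand_acl(element):
    """Expand an ACL element (named ACL or address/prefix) into ip_network objects."""
    if element in ACLS:
        return [net for sub in ACLS[element] for net in expand_acl(sub)]
    return [ipaddress.ip_network(element, strict=False)]


def matches(client_ip, match_clients):
    """True if client_ip is covered by any element of a match-clients list."""
    addr = ipaddress.ip_address(client_ip)
    # ipaddress returns False for an address/network family mismatch.
    return any(addr in net for elem in match_clients for net in expand_acl(elem))


def select_view(client_ip, views):
    """Return the first view that accepts client_ip, or None (BIND would refuse)."""
    for view in views:
        if matches(client_ip, view["match_clients"]):
            return view
    return None


def enclosing_zone(qname, zones):
    """Closest enclosing zone of qname among the view's zones, or None."""
    name = qname.rstrip(".").lower()
    best = None
    for zone in zones:
        z = zone.rstrip(".").lower()
        if (name == z or name.endswith("." + z)) and (best is None or len(z) > len(best)):
            best = z
    return best


def answer(client_ip, qname, views):
    """Return (view_name, zone) describing how named would handle the query.

    zone is None when the chosen view carries no zone for qname: named then
    recurses from the root hints instead of answering authoritatively. That is
    the situation in the thread: a query arriving from one of the server's own
    addresses (or 127.0.0.1) lands in "internal", which has none of the real
    zones, so the server is lame for its own domains, while the same query
    from an outside client is answered authoritatively from "external".
    """
    view = select_view(client_ip, views)
    if view is None:
        return (None, None)
    return (view["name"], enclosing_zone(qname, view["zones"]))
```

Running answer() with VIEWS_WITH_INTERNAL for a query from IP1 or 127.0.0.1 returns the internal view with no zone, and with VIEWS_FIXED the same query is answered from the external view's mymaindomain.net zone.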

keungz 11-15-2012 09:37 PM

Quote:

Originally Posted by bathory (Post 4830364)
You can ditch the internal view and the related zones as they are superfluous with your current config.

Okay, I commented the include out of named.conf. As you could probably guess, I'm not that familiar with BIND configuration. The views setup was something I picked up from a website a few weeks ago.

But! As I commented that line out and restarted the server, it's now resolving as expected!

Code:

# nslookup www.mymaindomain.net
Server:        127.0.0.1
Address:        127.0.0.1#53

www.mymaindomain.net    canonical name = server.mymaindomain.net.
Name:  server.mymaindomain.net
Address: ip3.ip3.ip3.ip3

# nslookup ut.lastdomain.org
Server:        127.0.0.1
Address:        127.0.0.1#53

Name:  ut.lastdomain.org
Address: ip5.ip5.ip5.ip5

# nslookup linuxquestions.org
Server:        127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:  linuxquestions.org
Address: 75.126.162.205

However, I'm a sucker for details. It seems that if I have listen-on port 53 { any; }; every time I run an nslookup something overrides /etc/resolv.conf and queries 127.0.0.1. If I uncomment listen-on port 53 { ip1.ip1.ip1.ip1; ip2.ip2.ip2.ip2; }; I cannot resolve anything locally, though I can still resolve hostnames belonging to any of mymaindomain.net, someotherdomain.net and lastdomain.org externally. From my laptop:

Code:

C:\Users\keungz>nslookup mail.someotherdomain.net
Server:  UnKnown
Address:  192.168.1.1

Ikke-autoritativt svar:
Navn:    mail.someotherdomain.net
Address:  ip4.ip4.ip4.ip4

For the non-authoritative issue:
Code:

# named-checkconf -z
zone mymaindomain.net/IN: loaded serial 2012111501
zone someotherdomain.net/IN: loaded serial 2012111201
zone lastdomain.org/IN: loaded serial 2012111201

It doesn't seem like I'm getting any not-authoritative messages anymore. It might have been the internal view causing trouble there, as well.

bathory 11-16-2012 12:23 AM

Quote:

But! As I commented that line out and restarted the server, it's now resolving as expected!
Cool. It was the internal view, which was useless in your case, that was the culprit.

Quote:

It doesn't seem like I'm getting any not-authoritative messages anymore. It might have been the internal view causing trouble there, as well.
Same here. You aren't getting not-authoritative (lame) messages any more, because they were for the internal view.

Quote:

It seems that if I have listen-on port 53 { any; }; every time I run an nslookup something overrides /etc/resolv.conf and queries 127.0.0.1. If I uncomment listen-on port 53 { ip1.ip1.ip1.ip1; ip2.ip2.ip2.ip2; }; I cannot resolve anything locally, though I can still resolve hostnames belonging to any of mymaindomain.net, someotherdomain.net and lastdomain.org externally.
Note that /etc/resolv.conf is overwritten when the box gets its IP by DHCP, but I don't think that's the case here.
Also when using the default "any", named listens also on the local loopback interface.

keungz 11-16-2012 02:54 AM

My server doesn't use DHCP, though. Do you have any ideas why it will only resolve on 127.0.0.1 - and NOT the specified ips in /etc/resolv.conf? For some reason it seems to ignore it altogether. I'm completely in the dark on that one.

Code:

# cat /etc/resolv.conf
search mymaindomain.net
ip1.ip1.ip1.ip1
ip2.ip2.ip2.ip2
# nslookup linuxquestions.org
;; connection timed out; no servers could be reached

# nslookup linuxquestions.org ip1.ip1.ip1.ip1
Server:        ip1.ip1.ip1.ip1
Address:        ip1.ip1.ip1.ip1#53

Non-authoritative answer:
Name:  linuxquestions.org
Address: 75.126.162.205

Thanks for all the help you have provided so far! Much appreciated. :-)

bathory 11-16-2012 04:27 AM

You're missing the nameserver keyword in /etc/resolv.conf. It should look like this:
Code:

search mymaindomain.net
nameserver ip1.ip1.ip1.ip1
nameserver ip2.ip2.ip2.ip2
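As an added illustration, not code from the thread, here is a small parser that reads resolv.conf the way the stock resolver does, with the thread's broken and fixed files embedded as constructed samples (192.0.2.x stands in for the masked ip1/ip2); the fallback to 127.0.0.1 when no nameserver line exists is the behaviour documented in resolv.conf(5).

```python
"""Minimal resolv.conf parser mirroring how the stock resolver reads the file.
Added example, not code from the thread. Lines without a recognised keyword
are skipped silently by the real resolver; here they are reported so the
thread's mistake (bare addresses, no "nameserver") is visible."""

KNOWN_KEYWORDS = {"nameserver", "search", "domain", "options", "sortlist"}
MAX_NAMESERVERS = 3  # the resolver honours at most three nameserver lines


def parse_resolv_conf(text):
    """Return (nameservers, search_list, ignored) for a resolv.conf body.

    ignored is a list of (line_number, line) for non-comment lines whose first
    token is not a known keyword. Simplification: keyword matching is exact
    and only whole-line comments (# or ;) are handled.
    """
    nameservers, search, ignored = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        keyword, args = parts[0], parts[1:]
        if keyword == "nameserver" and args:
            if len(nameservers) < MAX_NAMESERVERS:
                nameservers.append(args[0])
        elif keyword in ("search", "domain") and args:
            search = args  # the last search/domain line wins
        elif keyword in KNOWN_KEYWORDS:
            continue  # options/sortlist are not modelled here
        else:
            ignored.append((lineno, raw))  # what the real resolver drops silently
    return nameservers, search, ignored


def effective_nameservers(text):
    """Servers the resolver will actually query: the parsed list, or the
    localhost fallback used when no valid nameserver line is present."""
    nameservers, _, _ = parse_resolv_conf(text)
    return nameservers or ["127.0.0.1"]


# Constructed copies of the two files from the thread, with placeholder
# addresses (192.0.2.x) in place of the masked ip1/ip2.
BROKEN = """search mymaindomain.net
192.0.2.1
192.0.2.2
"""
FIXED = """search mymaindomain.net
nameserver 192.0.2.1
nameserver 192.0.2.2
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        ns, search, ignored = parse_resolv_conf(text)
        print(f"{label}: nameservers={ns} search={search} "
              f"effective={effective_nameservers(text)}")
        for lineno, raw in ignored:
            print(f"  line {lineno} ignored (no keyword): {raw!r}")
```

The broken file parses to no nameservers at all, which is why nslookup in the thread silently queried 127.0.0.1 and timed out whenever named was not listening on loopback.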


keungz 11-16-2012 12:12 PM

Oh my... :doh:

Looks like it's all good now, thanks again!

