LinuxQuestions.org
Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Old 03-21-2007, 08:01 PM   #1
walidaly
Member
 
Registered: Mar 2007
Posts: 64

Rep: Reputation: 15
configuring DNS to host domains


I have a CentOS 4.4 Linux machine in my local network, which is connected to a router with a DSL line. I have to use the ISP's primary and secondary DNS IPs for resolving domains. I pass all incoming requests to the Linux machine and I set up an HTTP server; I can access the server with no problem using my external IP (using a proxy), and when I forward domains to this IP from the domain registrar's DNS panel the HTTP server is able to recognize the domain and send it to the right directory.
The problem is when I try
Code:
nslookup server.mydomain.com
or 
nslookup 345.45.2.789
it searches on the ISP DNS, and that's the same for sendmail and other programs, although I have BIND9 set up and configured to host that domain and all nameservers on this machine. NOTE: the domain nameservers are still propagating, as I set them to this IP a day ago.
Here are the files I configured:
hosts
Code:
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1	localhost.localdomain	localhost
345.45.2.789    server.mydomain.com    server
resolv.conf
Code:
nameserver 55.78.123.1
nameserver 55.78.123.2
nameserver 345.45.2.789
mydomain.com
using chrooted BIND9
named.conf
Code:
options {
        version "BIND";                       
        directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
        allow-transfer { none; };  
        recursion no;
};
include "/etc/rndc.key";

zone "mydomain.com"{
        type master;
        file "named.mydomain.com";
        notify yes;
};



/*zone "mydomain.com"{
        type slave;
        file "named.mydomain.com";
        notify yes;
};

zone "0.0.127.in-addr.arpa"{
        type master;
        file "named.local";
        allow-update { none; };
}; */

logging {
        channel bindlog {
                           file "/var/log/bindlog"  versions 5 size 1m; 
                           print-time yes;
                           print-category yes;
                           print-severity yes;
                        };
        category xfer-out { bindlog; };       
        category xfer-in  { bindlog; };       
        category security { bindlog; };       

};
I'm trying to use Google Apps for my mail server while I have sendmail configured on the server.
"mail" works fine from bash, but PHP5 with fcgi cannot send mail.
named.mydomain.com
Code:
$TTL 604800         
mydomain.com.    IN      SOA  ns1.mydomain.com.  hostmaster.mydomain.com. (
   2000021600 ; serial     
   86400 ; refresh         
   7200 ; retry            
   1209600 ; expire        
   604800 ) ; default_ttl  
       IN A       345.45.2.789  
                               
;
; Name servers for the domain
;
       IN NS         ns1.mydomain.com.
       IN NS         ns2.mydomain.com.
;
; Mail server for domain
;
       IN MX	1	ASPMX.L.GOOGLE.COM.              
       IN MX	5  	ALT1.ASPMX.L.GOOGLE.COM.
       IN MX	5	ALT2.ASPMX.L.GOOGLE.COM. 
       IN MX	10	ASPMX2.GOOGLEMAIL.COM. 
;
; Nodes in domain
;
server  IN A          345.45.2.789    
ns1    IN A          345.45.2.789   
ns2    IN A          345.45.2.789    
//mail   IN A          345.45.2.789    
//       IN MX    5    345.45.2.789    
;
; Aliases to existing nodes in domain
;
www    IN CNAME      server             
ftp    IN CNAME      server
 
Old 03-22-2007, 01:08 AM   #2
walidaly
ifcfg-eth0
Code:
DEVICE=eth0
BOOTPROTO=none
BROADCAST=10.255.255.255
HWADDR=00:16:E6:3C:14:75
IPADDR=10.0.0.8
NETMASK=255.0.0.0
NETWORK=10.0.0.0
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
GATEWAY=10.0.0.2
 
Old 03-22-2007, 10:23 AM   #3
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 48
There are a couple of suggestions that I would make. First off, having a DNS server and then not using it seems like a complete waste to me. It is fine not to allow recursion to the world at large, but you should allow it within your LAN, so that you can bypass the ISP DNS machines.

I would add this to your named.conf, which will allow anything on your LAN to use your local server for DNS -
Code:
acl mydomain {10.0.0.0/8;
              127.0.0.1;
              };

options {
        version "BIND";                       
        directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
        allow-transfer { none; }; 
        allow-query { any; };
        allow-recursion { mydomain;};
};
The allow-query line will allow other DNS servers to ask your DNS server for info about your domain, but only that domain. The allow-recursion restricts who can ask for things you aren't authoritative for, like google and yahoo. Only people on your LAN will be able to do this, so you won't be an open DNS server. You can test this out at http://dnsreport.com .

Your resolv.conf is a mess. You have your ISP nameservers listed first, then yours third, and then you list your domain, which is useless. I would set up your resolv.conf like this -

Code:
search mydomain.com
nameserver 345.45.2.789
That means if you type something simple like, "ping ns1", it will add on your domain, effectively making it, "ping ns1.mydomain.com". Since you'll be part of the LAN, you'll still be able to resolve any domain, probably faster than you can going through your ISP, as it is one less step in the process from the root servers to you.

I also have no idea why you would list yourself both as master and slave in the same named.conf. That is a mess, and I strongly urge you to take out the slave definition. Even if you are trying to appear as 2 DNS servers, that should be done at an IP level, and still only have one zone definition running, that being the master.

2 further bits of advice -
1) nslookup is a useless tool for troubleshooting BIND. A much better tool is the program dig. A command like
Code:
dig ns1.mydomain.com @localhost
when asked at the nameserver will check with itself, and give a good output, not nslookup's garbage 0/1 style yes or no answer.

2) Trying to hide the domain doesn't help us to help you. If you check the BIND mailing list, you'll see all the time that people try to do what you did, and are told to post the full domain name, so it can be tested. DNS is not an attack vector, you posting the domain name doesn't put you at risk. The choice is yours obviously, but with a real name, we can troubleshoot much more effectively, which may be necessary if the solutions I've posted don't work.

Peace,
JimBass
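A quick check of the allow-recursion restriction described above, as an added example that is not part of the thread: it builds a query with the RD bit set for a name the server is not authoritative for and classifies the reply by its RA flag and RCODE. The www.example.com name, the 0x1234 transaction id and the two constructed reply headers are assumptions for the offline demonstration; point query_server at your server's IP from a host outside the ACL to test the real thing.

```python
"""Open-resolver check for a public authoritative nameserver. A client that
is outside allow-recursion should get REFUSED (and no RA) for foreign names;
a client inside it gets a recursive answer. Added example, not thread code."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # constructed transaction id shared by build_query and the samples

def build_query(name, txid=TXID):
    # Header: id, flags (RD=1 -> 0x0100), QDCOUNT=1, AN/NS/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(data):
    """Decode the 12-byte DNS header into the fields the check needs."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # this is a reply
        "aa": bool(flags & 0x0400),   # authoritative answer
        "ra": bool(flags & 0x0080),   # server offers recursion to this client
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }

def classify(hdr):
    """Judge the reply to a recursive query for a name we are not authoritative for."""
    if hdr["ra"] and hdr["answers"] > 0:
        return "OPEN RESOLVER: recursed for this client"
    if hdr["rcode"] == "REFUSED" or not hdr["ra"]:
        return "recursion refused: OK for a public authoritative server"
    return "recursion advertised but nothing answered: investigate"

def query_server(server, name="www.example.com", timeout=3.0):
    """Send the query over UDP/53 (the path most resolvers use) and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    hdr = parse_header(data)
    if hdr["id"] != TXID or not hdr["qr"]:
        raise ValueError("reply does not belong to our query")
    return classify(hdr)

# Constructed reply headers so the classifier can be exercised offline:
# QR=1 RD=1 RCODE=5 -> properly refused; QR=1 RD=1 RA=1 ANCOUNT=1 -> open resolver.
REFUSED_REPLY = struct.pack("!HHHHHH", TXID, 0x8105, 1, 0, 0, 0)
OPEN_REPLY = struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    import sys
    print(query_server(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```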
 
Old 03-25-2007, 04:06 AM   #4
walidaly
Thank you for the great info.
When I remove the ISP DNS from the resolv.conf I can't resolve domains! And I don't want to use my BIND server to do that; is there another way of doing it?
I found that iptables was blocking the DNS server even with dropping port 53.
 
Old 03-25-2007, 06:43 PM   #5
JimBass
If you don't want your BIND server to answer, then you have to continue using your ISP nameservers. I can't see why you wouldn't want BIND to answer local clients, but that choice is yours. The configuration I gave you above would only allow machines on your LAN to get answers for domains you don't run, but it allows the whole world to ask about the domains you do run, which is the way things should be. You have to use some DNS server, or you won't get anywhere.

Port 53 has to be open, both for UDP (how most DNS queries are made) and TCP (how some zones are transferred between servers), so make sure that is taken care of.

Peace,
JimBass
 
Old 03-25-2007, 08:28 PM   #6
walidaly
Right! I enabled resolving for local computers and it works faster that way; I just didn't want to put extra load on my local BIND.
The point of configuring the server is to test the configuration before setting up my dedicated, but I have only one static IP on my local connection, so I'm setting both NSs on the same IP.
I'm trying to move zones from my old WHM-configured BIND, so I'm not sure which I do need.
named.conf
Code:
include "/etc/rndc.key";

// An acl must be defined before it is referenced; BIND does not allow
// forward references, so "internal" has to come before options.
acl internal {10.0.0.0/10;
              127.0.0.1;
};

options {
        version "bind";
        directory "/var/named";
        dump-file "data/cache_dump.db";
        statistics-file "data/named_stats.txt";
        allow-transfer { none; };
        allow-query { any; };
        allow-recursion { internal;};
};

controls {
    inet 127.0.0.1 allow { any; } keys { "rndc-key"; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "45.2.789.in-addr.arpa" IN {
        type master;
        file "45.2.789.in-addr.arpa.zone";
        allow-update { none; };
};

zone "mydomain.com" IN {
        type master;
        file "mydomain.com.zone";
};

zone "server.mydomain.com" IN {
        type master;
        file "server.mydomain.com.zone";
};


zone "ns1.mydomain.com" IN {
        type master;
        file "ns1.mydomain.com.zone";
};

zone "ns2.mydomain.com" IN {
        type master;
        file "ns2.mydomain.com.zone";
};

logging {
        channel bindlog {
                           file "/var/log/bindlog"  versions 5 size 1m;
                           print-time yes;
                           print-category yes;
                           print-severity yes;
                        };
	category default { bindlog; };
};
file mydomain.zone
Code:
// Zone File for mydomain.com
$TTL 14400
@       86400   IN      SOA     ns1.mydomain.com. root     ( 
					2007031802;
                                        86400 ;
                                        7200 ;
                                        3600000 ;
                                        86400 ;
                                        )

mydomain.com.     86400   IN      NS      ns1.mydomain.com.
mydomain.com.     86400   IN      NS      ns2.mydomain.com.

mydomain.com.     14400   IN      A       345.45.2.789
server		   14400   IN      A       345.45.2.789
ns1                14400   IN      A       345.45.2.789
ns2                14400   IN      A       345.45.2.789

localhost.mydomain.com.   14400   IN      A       127.0.0.1

mydomain.com.     14400   IN MX 0 ASPMX.L.GOOGLE.COM.

mail    14400   IN      CNAME   mydomain.com.
www     14400   IN      CNAME   mydomain.com.
ftp     14400   IN      CNAME   mydomain.com.
But I'm getting this error on all zones:
Code:
warning: dns_master_load: server.mydomain.com.zone:1: unknown RR type 'Zone'
Mar 26 02:58:21.527 general: error: zone server.mydomain.com/IN: loading master file server.mydomain.com.zone: unknown class/type
DNS Report showed these red alerts:
- Number of nameservers
- Lame nameservers
- Missing nameservers 2
- No NSs with CNAMEs
- SOA Record
 
Old 03-25-2007, 09:19 PM   #7
walidaly
Looks like I used the wrong comment style in the zone file; changing // into ; fixed it.
Now all domains work fine except for the external IP zone 45.2.789.in-addr.arpa; it has an error: dns_master_load: "not at top of zone". Should I add it to my ifcfg-eth0 as an additional IP, as I'm passing all connections through the router's DMZ?
Adding these rules to iptables didn't help:
Code:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT 
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
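Both errors from the last two posts (unknown RR type 'Zone' caused by a // comment, and "not at top of zone") can be caught before named loads the file. The linter below is an added example, not code from the thread; its sample reverse zone and the 192.0.2.0/24 addresses are constructed.

```python
# Lints a BIND master-format zone file for the two mistakes hit in this
# thread: '//' comments (the master format only knows ';', so "// Zone File" is
# read as owner '//' and RR type 'Zone') and records whose owner lies outside
# the zone (dns_master_load's "not at top of zone"). Added example, not code
# from the thread; the sample zone and 192.0.2.0/24 addresses are constructed.

def lint_zone(text, origin):
    """Return a list of 'line N: problem' strings (empty when the file is clean)."""
    origin = origin.rstrip(".").lower() + "."
    problems, last_owner, depth = [], None, 0  # depth = '(' nesting for SOA
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0]  # drop a legal comment
        if line.lstrip().startswith(("//", "#")):
            problems.append(f"line {n}: comment must start with ';' not '{line.strip()[:2]}'")
            continue
        if depth > 0:  # still inside the '( ... )' of the previous record
            depth += line.count("(") - line.count(")")
            continue
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0].startswith("$"):  # $TTL / $ORIGIN directives
            if tokens[0].upper() == "$ORIGIN" and len(tokens) > 1:
                origin = tokens[1].rstrip(".").lower() + "."
            continue
        owner = last_owner if raw[0] in " \t" else tokens[0]  # blank owner = previous
        if owner is None:
            problems.append(f"line {n}: record without an owner name")
            continue
        last_owner = owner
        if owner == "@":
            fqdn = origin
        else:
            fqdn = owner.lower() if owner.endswith(".") else owner.lower() + "." + origin
        if fqdn != origin and not fqdn.endswith("." + origin):
            problems.append(f"line {n}: owner {fqdn} is not at top of zone {origin}")
        depth += line.count("(") - line.count(")")
    return problems

# Constructed reverse-zone file showing both mistakes: a '//' header (as WHM
# generated) and a forward record copied in from the domain's own zone file.
SAMPLE_ZONE = """\
// Zone File for 2.0.192.in-addr.arpa
$TTL 14400
@   86400  IN  SOA  ns1.mydomain.com. root.mydomain.com. (
                    2007031802 86400 7200 3600000 86400 )
    86400  IN  NS   ns1.mydomain.com.
10         IN  PTR  server.mydomain.com.
mydomain.com.  IN  A  192.0.2.10
"""
```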
 
Old 03-25-2007, 10:07 PM   #8
JimBass
All of this is a bad, problem causing configuration -
Quote:
zone "mydomain.com" IN {
type master;
file "mydomain.com.zone";
};

zone "server.mydomain.com" IN {
type master;
file "server.mydomain.com.zone";
};


zone "ns1.mydomain.com" IN {
type master;
file "ns1.mydomain.com.zone";
};

zone "ns2.mydomain.com" IN {
type master;
file "ns2.mydomain.com.zone";
};
All it should be is this -

Code:
zone "mydomain.com" IN {
        type master;
        file "mydomain.com.zone";
};
And then the zone file itself has the definitions for the subdomains, as you have already done -

Code:
mydomain.com.     14400   IN      A       345.45.2.789
server		   14400   IN      A       345.45.2.789
ns1                14400   IN      A       345.45.2.789
ns2                14400   IN      A       345.45.2.789
There is no need to define a different zone file for each sub; then you have massive amounts of work when IPs change. Make only one zonefile, not different ones for the subdomains.

Also, with regard to your reverse zone,
Code:
zone "45.2.789.in-addr.arpa" IN {
        type master;
        file "45.2.789.in-addr.arpa.zone";
        allow-update { none; };
};
Odds are very good you are not going to be asked for the reverse zone. You don't get to do the reverse zone for a given IP unless you are an ISP. The smallest amount of space you can control that allows you to do the reverse zone is a full class C, which means every address from 345.45.2.0 to 345.45.2.255. Try the command
Code:
whois 345.45.2.789
If the answer is anything other than you, you aren't the authoritative source for reverse mappings. BIND includes the ability to do this primarily for people who run a private domain, but below ISP class or major customer of an ISP, you don't get to do the reverses. For your home connection, there is no way you are authoritative. Nobody will ask you, as you are not in the "chain of command" for those IPs. You'll have to test the IP of the real DNS servers as well, but it isn't likely to be you either.

Peace,
JimBass
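A check for the one-zone-per-subdomain layout criticised in this post, as an added example that is not from the thread: it pulls the zone statements out of a named.conf (ignoring commented-out ones) and reports master zones that sit inside another master zone in the same file. The sample config is constructed.

```python
# Checks a named.conf for master zones that are subdomains of another master
# zone in the same file (the one-zone-per-subdomain layout WHM generated
# above). Added example, not code from the thread; the sample config is
# constructed. A child zone is only correct when the parent zone file
# delegates it with NS records; otherwise its records belong in the parent.
import re

ZONE_RE = re.compile(
    r'zone\s+"([^"]+)"\s*(?:IN\s+)?\{((?:[^{}]|\{[^{}]*\})*)\}',  # one nesting level
    re.S | re.I,
)

def strip_comments(conf):
    """Remove /* */, // and # comments so commented-out zones are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def master_zones(conf):
    """Names of all 'type master' zones, lower-cased, in file order."""
    zones = []
    for name, body in ZONE_RE.findall(strip_comments(conf)):
        if re.search(r"\btype\s+master\s*;", body, re.I):
            zones.append(name.rstrip(".").lower())
    return zones

def nested_zones(conf):
    """(child, closest parent) pairs for master zones inside another master zone."""
    zones = master_zones(conf)
    found = []
    for child in zones:
        parents = [p for p in zones if p != child and child.endswith("." + p)]
        if parents:
            found.append((child, max(parents, key=len)))
    return found

# Constructed named.conf mirroring the layout discussed in this thread.
SAMPLE_NAMED_CONF = """
options { directory "/var/named"; recursion no; };
zone "." IN { type hint; file "named.ca"; };
zone "mydomain.com" IN { type master; file "mydomain.com.zone"; };
zone "server.mydomain.com" IN { type master; file "server.mydomain.com.zone"; };
zone "ns1.mydomain.com" IN { type master; file "ns1.mydomain.com.zone"; };
zone "2.0.192.in-addr.arpa" IN {
        type master;
        file "2.0.192.in-addr.arpa.zone";
        allow-update { none; };
};
/* zone "mydomain.com" IN { type slave; file "mydomain.com.zone"; }; */
"""

if __name__ == "__main__":
    for child, parent in nested_zones(SAMPLE_NAMED_CONF):
        print(f"zone {child!r} should be records in the zone file of {parent!r}")
```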
 
Old 03-27-2007, 12:43 AM   #9
walidaly
Wonderful! I wonder why WHM put all these entries, but that one zone for each domain worked fine!
Thanks again
 
Old 03-27-2007, 09:13 AM   #10
JimBass
No problem. I have no idea what WHM is, but any of the programs that try to "make it easier" on the user also can do strange things (like making different files for each subdomain) that make it harder on a human trying to run things.

Did you find that the reverse maps were not yours? I saw you sent me the true domain name, and the test I did said that the IP associated with the domain certainly is not controlled by you, but I would also check the IP you are going to move it to.

Peace,
JimBass
 
Old 03-29-2007, 12:02 AM   #11
walidaly
No, I don't own the IP; it's just the static IP I rent from my ISP. WHM = WebHost Manager from cPanel.
 
Old 03-29-2007, 12:12 AM   #12
JimBass
OK, then you should be able to get your ISP to create the PTR if you wanted that.

Peace,
JimBass
 
Old 03-31-2007, 11:37 PM   #13
walidaly
Is the IP PTR's importance limited to email servers checking for a server's authority to send mail for that domain?

Last edited by walidaly; 03-31-2007 at 11:40 PM.
 
Old 04-01-2007, 11:18 AM   #14
JimBass
A PTR is only required for email servers, but it is a good idea to get one to match every forward map you have. It adds a sense of legitimacy to the zone. If your site doesn't have a matching reverse map, it shows that it is probably one of the many sites on a given IP, showing that it is not a "serious" site, with one IP dedicated to one zone.

They also have a use within Microsoft domains, but that won't matter in your case. In any case, you can usually get the PTRs you want from your ISP, simply by requesting them by email.

Peace,
JimBass
 
Old 04-01-2007, 01:44 PM   #15
walidaly
I'll do that, thanks again for great help!