LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 09-21-2008, 11:41 AM   #1
kayasaman
Member
 
Registered: Sep 2008
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443

Rep: Reputation: 32
How to make DNS master server?? Problems!!!


Hi,

I am a new member and this is my first time posting here so hello to everyone!

Ok, now for my issue: up till yesterday I was using my Cisco router as a DNS server for my local network, however it put too much stress on the system as CPU usage went sky high and eventually the whole system started timing out. So I decided to create a DNS master from my main server.

I am running Debian Etch with Bind9 for this and so far passive DNS transfers work fine, fast and smooth.

Now I don't claim to be an expert at DNS but after Googling around a bit and the use of HowtoForge as reference I managed to create a local zone file.

This page was where I began: http://howtoforge.com/perfect_setup_debian_etch_p4

and this page: http://linux.justinhartman.com/DNS_I...up_using_BIND9

I've checked the zone files using named-checkzone and they all come out as ok.

However from the result of other tests my server keeps trying to use the domain servers from my domain provider and of course my router doesn't let me access my internal domain that way. A "Connection Refused" error comes up.

I have tried creating a key by using this command I got from http://www.tacktech.com/display.cfm?ttid=323 since I thought it would turn my server into an authoritative server.

Code:
rndc-confgen -a -c /etc/namedb/rndc.conf -k dnsadmin -b 256
However it is for BSD and I'm not sure if Linux is a bit different, even though it did create the correct files. But now I get an error when trying to reload rndc:

Code:
rndc: connection to remote host closed
This may indicate that the remote server is using an older version of
the command protocol, this host is not authorized to connect,
or the key is invalid.
I am really stuck now as I have no idea what I am doing anymore!!!

I wonder if anyone can help me out at all, I would really appreciate it. Thanks
 
Old 09-21-2008, 02:52 PM   #2
kayasaman (Original Poster)
I don't know if there's any additional information I can provide so that someone can help me with this issue?

Zone files, rndc.conf file?? I can provide it all as long as it helps!

In the meantime I configured my router back to master DNS so now I have 2 masters on my network and my machines obviously are getting confused.

Windows doesn't seem to care (typically) as long as the router IP goes as primary DNS and the server as secondary.

Linux systems are struggling though since they can either access the internet or the intranet but not both, and this is very bad news since I am running 3 servers.

Also my workstation now is using secondary DNS from the primary in the router and browsing is becoming painful! Speed is ridiculously slow.

Uh what to do what to do???
 
Old 09-21-2008, 04:34 PM   #3
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 63
Let's step back - there is too much going on at once. It is best to take one step at a time.

Show your named.conf and zone files. Once we get named working, we'll test it with dig.
 
Old 09-21-2008, 05:10 PM   #4
kayasaman (Original Poster)
Thanks Mr. C. for replying to start with!

ZONE FILES

File 192.168.1.rev

Code:
$TTL 1d
$ORIGIN 1.168.192.IN-ADDR.ARPA.    ; must match the zone name declared in named.conf.local
@       IN      SOA     ns1.optiplex-networks.com.   info.optiplex-networks.com. (
                                       2008092003   ; Serial
                                       7200         ; Refresh
                                       120          ; Retry
                                       2419200      ; Expire
                                       604800 )     ; Negative cache TTL
        IN      NS      ns1.optiplex-networks.com.
        IN      NS      ns2.optiplex-networks.com.
        IN      NS      resolver1.systems.pipex.net.
        IN      NS      resolver4.systems.pipex.net.
1       IN      PTR     ns1.optiplex-networks.com.
2       IN      PTR     ns2.optiplex-networks.com.
3       IN      PTR     resolver1.systems.pipex.net.
4       IN      PTR     resolver4.systems.pipex.net.    ; trailing dot added: without it BIND appends $ORIGIN
File optiplex-networks.db

Code:
;
; BIND data file for optiplex-networks.com
;
$TTL    604800
@       IN      SOA     ns1.optiplex-networks.com. info.optiplex-networks.com. (
                             2008092102         ; Serial
                                   7200         ; Refresh
                                    120         ; Retry
                                2419200         ; Expire
                                 604800 )       ; Negative cache TTL
;
@       IN      NS      ns1.optiplex-networks.com.
@       IN      NS      ns2.optiplex-networks.com.
@       IN      NS      resolver1.systems.pipex.net.
@       IN      NS      resolver4.systems.pipex.net.
optiplex-networks.com.    IN      MX      10      mail.optiplex-networks.com.
optiplex-networks.com.    IN      A       192.168.1.50
gx110.optiplex-networks.com.    IN     A      192.168.1.51
www.optiplex-networks.com.      IN      A       192.168.1.50    ; trailing dot added: without it the name is relative to the zone
mail                    IN      A       192.168.1.50
ftp.optiplex-networks.com.      IN      A       192.168.1.51    ; trailing dot added
ferrari3200.optiplex-networks.com.      IN      A       192.168.1.5     ; trailing dot added
optiplex-networks.com.   IN      TXT     "v=spf1 ip4:192.168.1.50 a mx ~all"
mail                    IN      TXT     "v=spf1 a -all"
------------------------------------------------------------------

NAMED conf file

Code:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };

// From the release notes:
//  Because many of our users are uncomfortable receiving undelegated answers
//  from root or top level domains, other than a few for whom that behaviour
//  has been trusted and expected for quite some length of time, we have now
//  introduced the "root-delegations-only" feature which applies delegation-only
//  logic to all top level domains, and to the root domain.  An exception list
//  should be specified, including "MUSEUM" and "DE", and any other top level
//  domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { "DE"; "MUSEUM"; };

# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
       algorithm hmac-md5;
       secret "BijVPxU2yw3DUWDjgaQFPg==";
};

controls {
       inet 127.0.0.1 port 953
               allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf
--------------------------------------------------------------------

NAMED LOCAL file

Code:
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "optiplex-networks.com" {
       type master;
       file "/var/named/optiplex-netowrks.db";
};

zone "1.168.192.IN-ADDR.ARPA" {
       type master;
       file "/var/named/192.168.1.rev";
};
-----------------------------------------------------------------------

I have file rndc.conf and rndc.key too!!!!

output of dig @localhost optiplex-networks.com is:

Code:
; <<>> DiG 9.3.4-P1.1 <<>> @localhost optiplex-networks.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44664
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;optiplex-networks.com.         IN      A

;; ANSWER SECTION:
optiplex-networks.com.  314     IN      A       81.178.2.118

;; AUTHORITY SECTION:
com.                    150804  IN      NS      D.GTLD-SERVERS.NET.
com.                    150804  IN      NS      E.GTLD-SERVERS.NET.
com.                    150804  IN      NS      F.GTLD-SERVERS.NET.
com.                    150804  IN      NS      G.GTLD-SERVERS.NET.
com.                    150804  IN      NS      H.GTLD-SERVERS.NET.
com.                    150804  IN      NS      I.GTLD-SERVERS.NET.
com.                    150804  IN      NS      J.GTLD-SERVERS.NET.
com.                    150804  IN      NS      K.GTLD-SERVERS.NET.
com.                    150804  IN      NS      L.GTLD-SERVERS.NET.
com.                    150804  IN      NS      M.GTLD-SERVERS.NET.
com.                    150804  IN      NS      A.GTLD-SERVERS.NET.
com.                    150804  IN      NS      B.GTLD-SERVERS.NET.
com.                    150804  IN      NS      C.GTLD-SERVERS.NET.

;; Query time: 47 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 22 01:09:49 2008
;; MSG SIZE  rcvd: 279
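Two mistakes are easy to make in hand-written zone files like the ones posted above and are worth checking before anything else: an owner or target name that contains dots but no trailing dot is relative, so BIND silently appends $ORIGIN to it (www.example.com becomes www.example.com.example.com.), and a $ORIGIN that does not match the zone name in named.conf.local is only caught by named-checkzone if you pass it the same zone name named.conf uses. The following lint is an added example, not code from the thread or from BIND; the sample zone it runs on is constructed for the demo and the zone_lint function name is my own.

```shell
# Added example (not from the thread): lint a BIND zone file for the two
# trailing-dot mistakes described above.
# Usage: zone_lint ZONE_NAME ZONE_FILE   (zone name exactly as in named.conf)

zone_lint() {
    zone=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    awk -v zone="$zone" '
        { sub(/;.*/, "") }                  # drop comments (simplification: ignores ";" inside quotes)
        /^[ \t]*$/ { next }                 # skip blank lines
        /^\$ORIGIN/ {
            o = tolower($2); sub(/\.$/, "", o)
            if (o != zone)
                printf "ORIGIN-MISMATCH line %d: $ORIGIN %s does not match zone %s\n", NR, $2, zone
            next
        }
        /^\$/ { next }                      # other directives such as $TTL
        # owner field: a name containing dots but no trailing dot is relative to $ORIGIN
        $0 !~ /^[ \t]/ && $1 ~ /\./ && $1 !~ /\.$/ {
            printf "RELATIVE-OWNER line %d: %s (becomes %s.%s.)\n", NR, $1, $1, zone
        }
        # target field of name-valued records: same trailing-dot rule
        {
            t = 0
            for (i = 1; i <= NF; i++) if ($i ~ /^(NS|PTR|CNAME|MX)$/) t = 1
            if (t && $NF ~ /\./ && $NF !~ /\.$/)
                printf "RELATIVE-TARGET line %d: %s (becomes %s.%s.)\n", NR, $NF, $NF, zone
        }
    ' "$2"
}

# Constructed sample zone for example.com with three deliberate problems:
# a wrong $ORIGIN (line 2), a relative NS target (line 10) and a relative owner (line 12).
SAMPLE_ZONE=$(mktemp)
trap 'rm -f "$SAMPLE_ZONE"' EXIT
cat > "$SAMPLE_ZONE" <<'EOF'
$TTL    604800
$ORIGIN example.org.
@                 IN  SOA  ns1.example.com. hostmaster.example.com. (
                           2008092102 ; Serial
                           7200       ; Refresh
                           120        ; Retry
                           2419200    ; Expire
                           604800 )   ; Negative cache TTL
@                 IN  NS   ns1.example.com.
@                 IN  NS   ns2.example.com
ns1               IN  A    192.168.1.50
www.example.com   IN  A    192.168.1.50
mail              IN  A    192.168.1.50
@                 IN  MX   10 mail.example.com.
EOF

# Demo run: prints one finding per problem line
zone_lint example.com "$SAMPLE_ZONE"
```

Run it against the real file as `zone_lint optiplex-networks.com /var/named/optiplex-networks.db`, then still run named-checkzone with the same zone name, since this lint only covers the relative-name class of mistake and not syntax.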
 
Old 09-21-2008, 05:16 PM   #5
Mr. C.
Typo in named.conf:

file "/var/named/optiplex-netowrks.db";
 
Old 09-21-2008, 05:17 PM   #6
Mr. C.
Btw. dig indicating in the AUTHORITY SECTION that all the root servers are authoritative is a clue that your server does not think it is authoritative for a domain.
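The clue Mr. C. points at can be checked mechanically. The definitive signal is the `aa` (authoritative answer) bit in dig's `;; flags:` line, which is absent from the output in post #4 (`flags: qr rd ra`); the AUTHORITY section listing `com.` NS records is the secondary symptom, because it means the answer was obtained by recursion rather than from a local zone. The following is an added example, not code from the thread; the first sample is an abbreviated copy of the post #4 output, the second is a constructed authoritative answer for example.com, and the function names are my own.

```shell
# Added example (not from the thread): classify saved dig output.
# Usage: dig @localhost zone > out.txt; dig_check zone < out.txt

# Print "authoritative" or "non-authoritative" from the flags line of dig output on stdin
dig_aa_flag() {
    awk '
        /^;; flags:/ {
            seen = 1
            for (i = 3; i <= NF; i++) {          # fields after ";; flags:"
                f = $i
                last = (f ~ /;$/)                # the flag list ends at the first ";"
                sub(/;$/, "", f)
                if (f == "aa") aa = 1
                if (last) break
            }
        }
        END {
            if (!seen) print "no-flags-line"
            else print (aa ? "authoritative" : "non-authoritative")
        }'
}

# Print the distinct owner names found in the AUTHORITY section, one per line
dig_authority_owners() {
    awk '
        /^;; AUTHORITY SECTION:/ { inauth = 1; next }
        inauth && /^[ \t]*$/     { inauth = 0 }
        inauth && /^[^;]/        { print tolower($1) }
    ' | sort -u
}

# Combine both checks for ZONE (as written in named.conf), reading dig output on stdin
dig_check() {
    zone=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//').
    out=$(cat)
    flag=$(printf '%s\n' "$out" | dig_aa_flag)
    owners=$(printf '%s\n' "$out" | dig_authority_owners | tr '\n' ' ' | sed 's/ *$//')
    case " $owners " in
        *" $zone "*) where="authority records belong to $zone" ;;
        *)           where="authority records belong to: ${owners:-none}" ;;
    esac
    printf '%s; %s\n' "$flag" "$where"
}

# Sample 1: abbreviated from post #4 of this thread (recursive answer, no "aa")
NON_AUTH_DIG='; <<>> DiG 9.3.4-P1.1 <<>> @localhost optiplex-networks.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44664
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; ANSWER SECTION:
optiplex-networks.com.  314     IN      A       81.178.2.118

;; AUTHORITY SECTION:
com.                    150804  IN      NS      D.GTLD-SERVERS.NET.
com.                    150804  IN      NS      E.GTLD-SERVERS.NET.

;; Query time: 47 msec'

# Sample 2: constructed answer from a server that is authoritative for example.com
AUTH_DIG='; <<>> DiG 9.3.4-P1.1 <<>> @localhost example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; ANSWER SECTION:
example.com.            604800  IN      A       192.168.1.50

;; AUTHORITY SECTION:
example.com.            604800  IN      NS      ns1.example.com.
example.com.            604800  IN      NS      ns2.example.com.

;; ADDITIONAL SECTION:
ns1.example.com.        604800  IN      A       192.168.1.50
ns2.example.com.        604800  IN      A       192.168.1.51

;; Query time: 1 msec'

printf '%s\n' "$NON_AUTH_DIG" | dig_check optiplex-networks.com
printf '%s\n' "$AUTH_DIG"     | dig_check example.com
```

Until the first line of that output flips to "authoritative", the server is still answering from recursion and the zone definition in named.conf.local is not being loaded; fixing that comes before any rndc or client-resolver work.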
 
Old 09-21-2008, 05:21 PM   #7
kayasaman (Original Poster)
Quote:
Btw. dig indicating in the AUTHORITY SECTION that all the root servers are authoritative is a clue that your server does not think it is authoritative for a domain.
Yeah I figured, but why, I wonder? I am no expert with bind or DNS but it should be authoritative by default, no?

Typo fixed and bind restarted:

Code:
Stopping domain name service...: bindrndc: connection to remote host closed
This may indicate that the remote server is using an older version of
the command protocol, this host is not authorized to connect,
or the key is invalid.
 failed!
Starting domain name service...: bind.
 
Old 09-21-2008, 05:29 PM   #8
Mr. C.
If I am understanding your question... Querying the root servers will be the default until you set up your server to be authoritative for a domain. Then the root servers will not be queried, as bind knows for which zones it is authoritative.

We'll assume your key is invalid. Until you get bind working, use stop/start and not restart, or start named manually. Then work on the key issues.
 
Old 09-21-2008, 05:34 PM   #9
kayasaman (Original Poster)
My question, to put it in basic terms, is that before, I used my Cisco router as a DNS server, so any local domain queries were done from there, still with the master DNS servers of my domain vendor providing DNS for the WAN.

However I would like to use my main server for this, as too much load is being put on the router and CPU usage is going high enough to time the machine out.

With regards to the key I have no idea what to do or how, as I've even changed permissions to 777 but it's still coming up with the same thing.

I tried removing the key and rndc complained that there was no key?? However before there was no key and rndc worked fine??????

I am lost!
 
Old 09-21-2008, 05:38 PM   #10
kayasaman (Original Poster)
Also if I try to stop bind by running /etc/init.d/bind9 stop

I get the same result:

Code:
Stopping domain name service...: bindrndc: connection to remote host closed
This may indicate that the remote server is using an older version of
the command protocol, this host is not authorized to connect,
or the key is invalid.
 failed!
 
Old 09-21-2008, 05:41 PM   #11
Mr. C.
Again, one step at a time. You're drinking through a fire hose!

Until the name server is functioning properly, it cannot be used for queries. Forget about the Cisco box for now, and other systems using your new DNS.

Are you able to bring up named and run dig successfully, with dig both returning the correct results, and showing your server as authoritative?
 
Old 09-21-2008, 05:48 PM   #12
Mr. C.
See this thread to resolve your key problem: http://www.linuxquestions.org/questi...light=bind+key
 
Old 09-21-2008, 06:19 PM   #13
kayasaman (Original Poster)
Quote:
Again, one step at a time. You're drinking through a fire hose!

Until the name server is functioning properly, it cannot be used for queries. Forget about the Cisco box for now, and other systems using your new DNS.

Are you able to bring up named and run dig successfully, with dig both returning the correct results, and showing your server as authoritative?
Hehe sorry, I guess I am a bit excited now that you're helping me!!!

Thanks for the link!!!

Right, ok, started DNS with /etc/init.d/bind9 start and no problems at all.

So far dig shows:

Code:
; <<>> DiG 9.3.4-P1.1 <<>> @localhost optiplex-networks.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6896
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;optiplex-networks.com.         IN      A

;; ANSWER SECTION:
optiplex-networks.com.  3600    IN      A       81.178.2.118

;; AUTHORITY SECTION:
optiplex-networks.com.  10800   IN      NS      ns1.active-dns.com.
optiplex-networks.com.  10800   IN      NS      ns2.active-dns.com.

;; Query time: 473 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 22 02:12:37 2008
;; MSG SIZE  rcvd: 102
And that is correct, active-dns.com is DNS for the WAN side, no problems there.
 
Old 09-21-2008, 06:25 PM   #14
kayasaman (Original Poster)
Hmm, weird thing is if I try to reload rndc I get:

Code:
rndc: error: /etc/bind/rndc.key:6: unknown option 'options'
rndc: could not load rndc configuration
Bind managed to start without any errors and I did everything as in the Ubuntu user's post??

cat rndc.key shows

Code:
key "rndc-key" {
        algorithm hmac-md5;
        secret "JJqB3jsb8+VJIJOfwSdySw==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
Maybe this should be in rndc.conf?? Or at least just the options part?
 
Old 09-21-2008, 06:33 PM   #15
kayasaman (Original Poster)
I tried to stop bind to see what happens and again produced this error:

Code:
Stopping domain name service...: bindrndc: error: /etc/bind/rndc.key:6: unknown option 'options'
rndc: could not load rndc configuration
 failed!
However there is no problem starting the service??
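The two rndc errors in this thread have mechanical causes that can be checked with a script. "connection to remote host closed ... the key is invalid" (posts #1, #7 and #10) is what rndc reports when named's `controls` statement accepts a key whose secret differs from the one rndc presents, and the `key "rndc-key"` clause in the named.conf of post #4 does carry a different secret from the `rndc.key` of post #14. "unknown option 'options'" (posts #14 and #15) is what rndc reports when `rndc.key`, which both named and rndc read and which `rndc-confgen -a` writes with only a `key` clause, carries additional clauses; `options` with `default-key`/`default-server` belongs in rndc.conf. The following is an added example, not code from the thread or from BIND; all file contents and secrets are constructed placeholders and the function names are my own.

```shell
# Added example (not from the thread): check rndc/named key agreement and
# rndc.key contents. Sample files and secrets below are constructed.

# Print the secret of key KEYNAME from a BIND-style config file
conf_key_secret() {   # usage: conf_key_secret FILE KEYNAME
    awk -v name="$2" '
        /^[ \t]*(#|\/\/)/ { next }                               # comment lines
        $1 == "key" && $2 == "\"" name "\"" { inkey = 1 }
        inkey && $1 == "secret" { s = $2; gsub(/[";]/, "", s); print s; exit }
        inkey && index($0, "}") > 0 { inkey = 0 }
    ' "$1"
}

# Compare the key named must accept (controls/keys) with the one rndc presents
rndc_key_check() {    # usage: rndc_key_check NAMED_CONF RNDC_CONF KEYNAME
    a=$(conf_key_secret "$1" "$3")
    b=$(conf_key_secret "$2" "$3")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "MISSING: key \"$3\" not found in both files"
    elif [ "$a" = "$b" ]; then
        echo "match"
    else
        echo "MISMATCH"
    fi
}

# Report any top-level clause other than "key" in an rndc.key file
rndc_keyfile_lint() { # usage: rndc_keyfile_lint FILE
    awk '
        /^[ \t]*(#|\/\/)/ { next }
        depth == 0 && index($0, "{") > 0 && $1 != "key" { print "unexpected clause: " $1 }
        {   # track brace depth after the check so nested clauses are ignored
            n = length($0)
            for (i = 1; i <= n; i++) {
                c = substr($0, i, 1)
                if (c == "{") depth++; else if (c == "}") depth--
            }
        }
    ' "$1"
}

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# named.conf fragment: control channel bound to loopback, reachable only with this key
cat > "$TMP/named.conf" <<'EOF'
key "rndc-key" {
        algorithm hmac-md5;
        secret "QUJDREVGR0hJSktMTU5PUA==";   // constructed placeholder secret
};
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF

# rndc.conf left over from an earlier rndc-confgen run: same key name, different secret
cat > "$TMP/rndc.conf.stale" <<'EOF'
key "rndc-key" {
        algorithm hmac-md5;
        secret "WFlaMDEyMzQ1Njc4OUFCQ0Q=";
};
options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
EOF

# rndc.conf regenerated to match named.conf
sed 's/WFlaMDEyMzQ1Njc4OUFCQ0Q=/QUJDREVGR0hJSktMTU5PUA==/' "$TMP/rndc.conf.stale" > "$TMP/rndc.conf.fixed"

# rndc.key in the shape shown in post #14: a key clause plus an options clause
cat > "$TMP/rndc.key" <<'EOF'
key "rndc-key" {
        algorithm hmac-md5;
        secret "WFlaMDEyMzQ1Njc4OUFCQ0Q=";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
EOF

echo "named.conf vs stale rndc.conf: $(rndc_key_check "$TMP/named.conf" "$TMP/rndc.conf.stale" rndc-key)"
echo "named.conf vs fixed rndc.conf: $(rndc_key_check "$TMP/named.conf" "$TMP/rndc.conf.fixed" rndc-key)"
echo "rndc.key lint: $(rndc_keyfile_lint "$TMP/rndc.key")"
```

On the Debian layout in this thread the files to compare are /etc/bind/named.conf (or whatever it includes) against /etc/bind/rndc.conf, falling back to /etc/bind/rndc.key when rndc.conf is absent. Keeping the `controls` statement on `127.0.0.1` with an `allow { 127.0.0.1; }` list, as in post #4, is the right shape: the key authenticates the client, but the address restriction keeps the control channel off the network entirely.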
 
  

