Old 01-21-2010, 09:11 PM   #1
sneakyimp
noob configuring BIND/DNS - does this look ok?


I apologize for this lengthy post, but I'm hardly a DNS expert.

I was having some problems connecting and did a few dig commands to see if DNS was responding ok and got different responses depending on which computer I used to ping a given subdomain of our machine. There was some IP in there that looked totally foreign so I asked tech support at our hosting provider to fix it. There's still some stuff that looks fishy to me, but I am by no means a DNS expert. I have changed domains and IP addresses to protect the innocent.

Can someone tell me, shouldn't ns1.mydomain.com have a different IN ip than ns2.mydomain.com? What's the point of specifying two different nameservers if they both go to the same IP? I've been told that the person who registered this particular domain used 111.111.111.232 for ns1 and 111.111.111.233 for ns2. Also, it troubles me a bit to see two related domains having 111.111.111.235 in their A records. I don't believe this IP is attached to my machine at all.

If any DNS god can look this over and comment, I'd be very grateful.

If I try digging mydomain.com from the localhost, I get the following:

Code:
[root@host.mydomain.com] ~ >> dig @localhost mydomain.com ANY

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.1 <<>> @localhost mydomain.com ANY
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34499
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;mydomain.com.                 IN      ANY

;; ANSWER SECTION:
mydomain.com.          3600    IN      SOA     ns1.mydomain.com. dv.devcompany.com. 2010012121 3600 7200 3600000 3600
mydomain.com.          3600    IN      NS      ns2.mydomain.com.
mydomain.com.          3600    IN      NS      ns1.mydomain.com.
mydomain.com.          3600    IN      MX      0 mydomain.com.
mydomain.com.          3600    IN      A       111.111.111.232

;; ADDITIONAL SECTION:
ns1.mydomain.com.      3600    IN      A       111.111.111.233
ns2.mydomain.com.      3600    IN      A       111.111.111.233
mydomain.com.          3600    IN      A       111.111.111.232

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 21 21:44:52 2010
;; MSG SIZE  rcvd: 200

If I try digging ns1.mydomain.com, I get this:
Code:
[root@host.mydomain.com] ~ >> dig @localhost ns1.mydomain.com ANY

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.1 <<>> @localhost ns1.mydomain.com ANY
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15238
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;ns1.mydomain.com.             IN      ANY

;; ANSWER SECTION:
ns1.mydomain.com.      3600    IN      SOA     ns1.mydomain.com. devnull.sourcedns.com. 2010012121 3600 7200 3600000 3600
ns1.mydomain.com.      3600    IN      NS      ns1.mydomain.com.
ns1.mydomain.com.      3600    IN      NS      ns2.mydomain.com.
ns1.mydomain.com.      3600    IN      MX      0 ns1.mydomain.com.
ns1.mydomain.com.      3600    IN      A       111.111.111.233

;; ADDITIONAL SECTION:
ns1.mydomain.com.      3600    IN      A       111.111.111.233
ns2.mydomain.com.      3600    IN      A       111.111.111.233

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 21 21:45:57 2010
;; MSG SIZE  rcvd: 185

Finally, if I try digging ns2.mydomain.com, I get this:
Code:
[root@host.mydomain.com] ~ >> dig @localhost ns2.mydomain.com ANY

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.1 <<>> @localhost ns2.mydomain.com ANY
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19083
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;ns2.mydomain.com.             IN      ANY

;; ANSWER SECTION:
ns2.mydomain.com.      3600    IN      SOA     ns1.mydomain.com. devnull.sourcedns.com. 2010012121 3600 7200 3600000 3600
ns2.mydomain.com.      3600    IN      NS      ns2.mydomain.com.
ns2.mydomain.com.      3600    IN      NS      ns1.mydomain.com.
ns2.mydomain.com.      3600    IN      MX      0 ns2.mydomain.com.
ns2.mydomain.com.      3600    IN      A       111.111.111.233

;; ADDITIONAL SECTION:
ns1.mydomain.com.      3600    IN      A       111.111.111.233
ns2.mydomain.com.      3600    IN      A       111.111.111.233

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 21 21:46:55 2010
;; MSG SIZE  rcvd: 185

Lastly, I have two related domains hosted on this server that reference 111.111.111.235... I don't believe that IP is associated with my machine, but I can't be sure.
Code:
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.1 <<>> @localhost someotherdomain.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61974
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;someotherdomain.com.                IN      A

;; ANSWER SECTION:
someotherdomain.com. 3600    IN      A       111.111.111.235

;; AUTHORITY SECTION:
someotherdomain.com. 3600    IN      NS      ns1.mydomain.com.
someotherdomain.com. 3600    IN      NS      ns2.mydomain.com.

;; ADDITIONAL SECTION:
ns1.mydomain.com.      3600    IN      A       111.111.111.233
ns2.mydomain.com.      3600    IN      A       111.111.111.233

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 21 22:07:56 2010
;; MSG SIZE  rcvd: 134

Last edited by sneakyimp; 01-21-2010 at 11:53 PM.
 
Old 01-21-2010, 10:21 PM   #2
chort
Can you get access to the actual zone file contents? It looks like someone used some bad copying & pasting to generate those.
 
Old 01-21-2010, 11:25 PM   #3
sneakyimp
Ok so these zone files are generated from WebHost Manager (it's like Plesk or cPanel). I've railed against these beasts but to no avail.

In the folder /var/named, I found what I think are the relevant zone files that have been generated. I have included three important looking ones here (with domains and IPs changed to protect the innocent). 2 more to follow.
Attached Files
File Type: txt mydomain.txt (1.3 KB, 17 views)
File Type: txt ns1.mydomain.txt (1.0 KB, 13 views)
File Type: txt ns2.mydomain.txt (1.0 KB, 17 views)
 
Old 01-21-2010, 11:26 PM   #4
sneakyimp
two more...
Attached Files
File Type: txt somedomain.txt (1.3 KB, 16 views)
File Type: txt someotherdomain.txt (1.2 KB, 15 views)
 
Old 01-21-2010, 11:32 PM   #5
chort
From my quick scan I don't see a problem with mydomain.txt. The question is why have ns1 and ns2 been defined as separate zones? Do they each have their own zone definition in named.conf? While technically it's not an error, it's unnecessary and confusing.
 
Old 01-21-2010, 11:42 PM   #6
sneakyimp
I truly appreciate your response.

The answer is that I do not know why they are separate zones. This was all set up by the hosting company on our dedicated server. This is from named.conf and YES the filenames in named.conf do match the actual zone filenames.

Code:
zone "ns1.mydomain.com" {
        type master;
        file "/var/named/ns1.mydomain.com.db";
};


zone "ns2.mydomain.com" {
        type master;
        file "/var/named/ns2.mydomain.com.db";
};
 
Old 01-21-2010, 11:44 PM   #7
chort
As for the zone file that has the .235 address, well it would have been impossible to know what was wrong with that if you hadn't slipped up and left your domain name in one post. From that I was able to figure out that the .235 IP is pointing to a web server that says the site has moved and redirects to the same domain name. The thing is, that site's WHOIS information lists a different set of DNS servers as being authoritative (not yours) and they resolve it to a different IP. Your servers think they're still authoritative for that site, though. It looks like that site isn't a customer of yours any more and you should remove their DNS zone if that's the case.
 
Old 01-21-2010, 11:51 PM   #8
chort
Oh, I see why queries directly to your nameservers report ns1 and ns2 as having the same IP: The ns2 zonefile (ns2.mydomain.com.db) has the wrong IP and that overrides what's in mydomain.com.db.

I'd just get rid of the zones for ns1.mydomain.com and ns2.mydomain.com in your named.conf. You can comment them out in case you need to reverse the change. Comments in named.conf are usually least confusing when you start each line with // . Comments in zonefiles must start with ; (different formats for comments is one of my biggest gripes with BIND).

PS I wouldn't have been able to figure this out if you hadn't left your domain in a post by mistake. For future reference, you'll get a lot better help if you don't try to redact IPs/domain names. There's really no point to hiding the information: Your sites are on the Internet, they're going to get attacked regardless of whether you post about them. I would think it's a lot more embarrassing to have broken sites for a long time than to have people know which sites you're asking about, but having them fixed quickly.

PPS your nameservers are allowing zone file transfers right now. While that helped me figure out the problems, some people view this as a bad security practice. I don't think it's especially harmful, but best practice is to not allow-transfer for any IPs other than your own nameservers.

Last edited by chort; 01-21-2010 at 11:56 PM.
 
Old 01-22-2010, 02:09 PM   #9
sneakyimp
I really appreciate your insight.

I agree that it's kind of naive to hope I could hide anything by concealing IPs and domains, but my client/boss would probably be unhappy if he knew I was checking into this in a public forum. I appreciate your honoring my desire for anonymity in your post. Making sure this is secure is very important to this project.

I'd like to edit named.conf directly, but it would probably just be over-written by WebhostManager or CPanel as soon as someone makes any changes to the DNS control panel. I think it's possible to delete them using Webhost Manager but I'll need to check.

I was hoping you could tell me more about the conflict between ns2 zonefile and mydomain zonefile? I may need this as ammunition if I'm to implement your recommendations over the protests of our hosting providers. They have not been cooperative.

I have checked a few things according to this article and our machine isn't responding to recursive lookups of outside domains so this is good. It does however, corroborate your assertion that we have zone transfers enabled. Specifically, that the following command will cause it to cough up the entire dns record:
Code:
dig @ns1.mydomain.com mydomain.com AXFR

Are there any circumstances that would require zone transfer? A friend of mine claimed that you had to do this if you wanted reverse DNS. Seems like everyone has an opinion and no one has any real understanding of DNS.
 
Old 01-22-2010, 04:11 PM   #10
chort
The reason to allow zone transfers is to allow secondary DNS servers to get updates from the primary (this is the one listed in your SOA record). Any server that isn't a secondary DNS server for you should not be allowed to get zone transfers.

Zone transfers have absolutely nothing to do with reverse DNS. Reverse DNS is handled by whoever owns the IPs you use (Liquidweb). It's not something you can setup for yourself without contacting the IP owners and specifically requesting that they delegate the DNS to you. Generally this is not done for blocks smaller than /24, because it's not easy to make reverse DNS zones classless. There are some tricks that can be employed, but they're not for the faint of heart.

As for the conflict between zone files, BIND is going to go with the record in the most specific zone. If you have the following zones:
c.d.
b.c.d.
a.b.c.d.

and you have duplicate records (say c.d. has a record for foo.b.c.d., and b.c.d. also has a record for foo.b.c.d.) then it's going to return the answer from the b.c.d. zone. If all three zones had a record for bar.a.b.c.d., BIND is going to use the one from a.b.c.d.

As you can see this gets really confusing, and unless the zones are organizationally separate, or they are thousands of records, there's no reason to not have them in the same file. In particular there is no need to have MX and web servers for ns1.yourdomain.com. Who is going to send mail to you as user@ns1.yourdomain.com? Who is going to try to visit www.ns1.yourdomain.com? Why do you need to define nameservers for ns1.yourdomain.com, especially when they're self-referential? That's totally unnecessary. Even if someone did try to send you e-mail as user@ns1.yourdomain.com, if there isn't an MX record for ns1.yourdomain.com every mail server is going to check to see if there is an MX record for yourdomain.com before it gives up, and of course that does exist so you'd still get the e-mail.

You only need to have A records for ns1 and ns2, and those already exist in the base zone. There's no reason to create separate zones for them. It only causes confusing problems, such as the very one you're puzzling over.
 
Old 01-22-2010, 04:37 PM   #11
sneakyimp
OK my long-dormant dns brain cells are awaking again.

Zone transfers might be necessary in a really complex DNS system, right? Where we have a load balancer situation or something like that. The duty of BIND in my simple situation is simply to a) inform the world at large of the names connected to mydomain.com and b) to act as a local DNS server for spamassassin or clamav or postfix or any local daemon that needs fast, cached DNS service. Given that this is not a super-high traffic situation, there's really no reason to have any DNS slaves that listen to my dns info.

I won't say that I fully understand the conditions that would introduce a need for an ns1.mydomain.com zone file, but I do understand that my ns1 and ns2 zone files contribute nothing to what's in the main mydomain zone file under normal usage. They basically serve no purpose for my situation.

I hate to ask again, but you said:
Quote:
Originally Posted by chort
Oh, I see why queries directly to your nameservers report ns1 and ns2 as having the same IP: The ns2 zonefile (ns2.mydomain.com.db) has the wrong IP and that overrides what's in mydomain.com.db.

Could you elaborate? Like I said, I'd like to be well-armed when talking to the tech support guys at my hosting co.
 
Old 01-22-2010, 05:22 PM   #12
chort
mydomain.com.db:
Code:
ns2     3600    IN      A       111.111.111.233
ns1     3600    IN      A       111.111.111.232

ns1.mydomain.com.db:
Code:
ns1.mydomain.com.              IN      A       111.111.111.233

It looks like ns1.mydomain.com.db was copied from ns2.mydomain.com.db.

Also the SOA e-mail address differs between mydomain.com.db:
Code:
mydomain.com.          3600    IN  SOA  ns1.mydomain.com. dv.devcompany.com. (

and ns1 and ns2:
Code:
@               3600    IN  SOA  ns1.mydomain.com. devnull.sourcedns.com.

Technically that's allowable. It's basically creating one SOA e-mail address for mydomain.com, with a different e-mail address for ns1 and ns2, but again that's just pointless and confusing. Obviously all three zones are controlled by the same party; there should be only one e-mail address. This problem goes away if you nuke the ns1 and ns2 zones.

You only need to allow transfers to your nameservers. You can create an ACL in named.conf for this:
Code:
acl "MY_NS" {
  { 111.111.111.233; };
};

...

options {
  allow-transfer { MY_NS; };
  ...
};

Instead of putting the allow-transfer in the options { }; section you could put it in each individual zone, but that's a bit of extra work and usually not necessary.

Last edited by chort; 01-22-2010 at 05:25 PM.
 
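As an added illustration of the "most specific zone wins" rule chort describes in post #10 and the copied ns1/ns2 zone contents he quotes in post #12 (example code, not from the thread or from BIND itself), the model below uses zone data constructed from the records quoted above and shows how the ns1/ns2 zones shadow the parent zone's A records and how removing them restores the intended addresses. The dictionary layout and function names are assumptions for this example.

```python
"""Toy model of BIND zone selection: a name is answered from the most specific
configured zone that contains it. Constructed from the records quoted in the
thread; not BIND's real code and not the poster's zone files."""

# Constructed zone data (addresses as redacted in the thread).
# mydomain.com.db:      ns1 -> .232, ns2 -> .233 (the intended layout)
# ns1.mydomain.com.db:  copied from ns2.mydomain.com.db, so ns1 -> .233 (wrong)
ZONES_AS_FOUND = {
    "mydomain.com.": {
        "mydomain.com.": "111.111.111.232",
        "ns1.mydomain.com.": "111.111.111.232",
        "ns2.mydomain.com.": "111.111.111.233",
    },
    "ns1.mydomain.com.": {"ns1.mydomain.com.": "111.111.111.233"},
    "ns2.mydomain.com.": {"ns2.mydomain.com.": "111.111.111.233"},
}


def is_in_zone(name, zone):
    """True when `name` is the zone apex or lies below it (both as FQDNs)."""
    return name == zone or name.endswith("." + zone)


def pick_zone(name, zones):
    """Return the configured zone with the most labels that contains `name`,
    or None. Among suffixes of one name, more labels means more specific."""
    candidates = [z for z in zones if is_in_zone(name, z)]
    return max(candidates, key=lambda z: z.count("."), default=None)


def lookup_a(name, zones):
    """Return (serving_zone, A record) the way the server would answer."""
    zone = pick_zone(name, zones)
    if zone is None:
        return None, None
    return zone, zones[zone].get(name)


def ns_addresses_distinct(zones, ns_names):
    """Sanity check from the thread: each advertised nameserver should
    resolve to its own address, otherwise the second NS adds no redundancy."""
    addrs = [lookup_a(n, zones)[1] for n in ns_names]
    return len(set(addrs)) == len(addrs)


def without_zones(zones, drop):
    """Simulate removing zone stanzas from named.conf."""
    return {z: r for z, r in zones.items() if z not in drop}


ZONES_FIXED = without_zones(ZONES_AS_FOUND, {"ns1.mydomain.com.", "ns2.mydomain.com."})

if __name__ == "__main__":
    nameservers = ["ns1.mydomain.com.", "ns2.mydomain.com."]
    for label, zones in (("as found", ZONES_AS_FOUND), ("ns1/ns2 zones removed", ZONES_FIXED)):
        for host in nameservers:
            zone, addr = lookup_a(host, zones)
            print(f"{label:22} {host:18} -> {addr}  (served from zone {zone})")
        print(f"{label:22} distinct NS addresses: {ns_addresses_distinct(zones, nameservers)}")
```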
Old 01-22-2010, 07:04 PM   #13
sneakyimp
I'm truly grateful for your assistance, chort.

Armed with the info you have given me, I was able to get a knowledgeable tech support guy and I believe he has resolved the problems. We have removed the ns1 and ns2 zones as you described and also closed zone transfer -- except to 'trusted' ips.

Thanks so so much for your help.