Please help me get out of a BIND! I am suffering a bad case of DNS outage -
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Please help me get out of a BIND! I am suffering a bad case of DNS outage -
I have tried to do everything right but I know how famously tricky BIND is and how a simple '.' or absence thereof can completely screw an otherwise coherent setup.
Here is the scenario (complete with the critical complication) Thanks to any DNS expert who can give me some guidance - it is desperately needed!
1 I had a perfectly working Gentoo Linux Server running Bind as a primary Nameserver on eth0 and secondary bound to eth1.
2 I was serving a range of virtual hosts from the apache server on the box for a very long time this way.
3 when I setup a new site I made a zone file and apache vhost to use the local nameserver and then insured that the nameserver was properly populated at the registrar.
so far so good
4 My co-lo host needed me to change IPs from a few nodes within a large class c network to a dedicated subnet.
eth0 was 119.63.202.186
eth1 was 119.63.202.187
subnet mask was 255.255.255.0
gateway was 119.63.202.1
now I am configured to:
eth0 202.130.34.115
eth1 202.130.34.116
subnet mask 255.255.255.248
gateway 202.130.34.113
Happily I can ssh into both these IPs
and iLO is working on the new subnet.
so I have server access and a fallback
Please note that I was encouraged to do this by binding the new IPs to the ethernet adapters and running both the new and legacy addresses in tandem until propagation had gone through; then remove the legacy address before they became inactive.
I tried this and although I could configure my adapters to respond to both IPs I could not get my default routes to work adequetely so I elected to live with an outage while the DNS propagation happened - and now the fear begins:
5 Having access the the server at all times and now running on the new subnet I began working on the zone files and named config to bind it all to the new addresses.
6 I believe I have done all this correctly and for a time last night after a long period of outage the sites began to go live! This morning however none of them work. Something has gone very wrong.
7 The only thing I may not have in place is the reverse DNS records on the gateway - I am calling the Co-Lo into action as I write this, in case that is all it is...
8 I really need an expert to quickly run me through a few tests to see what is working and where the problem lies.
9 What I know is this:
The zones all resolve from the localhost
The apache server is pointing to the new IP as the virtual host
named and apache2 have been restarted.
Any and all help is appreciated. I insisted on doing this myself because I am hell bent on learning my way around DNS (apache and mail and MySQL and on and on and on - for some reason :shock: )
Greetingz!
Thanks for the detailed listing, however, it's a bit difficult to determine your exact problem. From reading and re-reading your post, it seems like your DNS server(s) are online and answering DNS queries when you run them on the DNS server itself, however none of your virtual sites are showing up; possibly due to a routing issue on your DNS server, preventing it from answering queries from outside it's network.
Assuming I have that right, here's what I would suggest;
1) Run a query against your DNS server (202.130.34.115 and 202.130.34.116) from an outside source.
When I try it, this is what I get;
2) Ping-test them (assuming whatever firewall / IPfilters you have in place allows ICMP packets).
Here's what I get when I try your DNS servers (New IPs);
First things first; check your routes!
Two commands that should print out your routing table;
route -nNvee
netstat -r
(NOTE: the 'netstat' command may not support this option in your Linux distribution, the version that Gentoo deploys escapes me a the moment. I have 'net-tools 1.60' which comes with 'netstat 1.42')
If you need to add a default route, using the route command;
route add default gw 1.2.3.4 eth#
To drop an old gateway route you see listed in the output of one of the aforementioned commands;
route del default gw 1.2.3.4 eth#
WARNING: I strongly suggest that you read the man pages that come with your Linux distribution. If you drop the wrong route before a correct route is setup, you may lose access to your server. However, if you have "console" access (via a serial port perhaps) to your server, then you should be fine.
Once you've hammered out the issue, you'll need to make sure your new configuration can survive a reboot. This means updating the correct configuration files.
If I recall correctly, Gentoo has a quaint little file (/etc/conf.d/net) that you'll have to update with all the correct information.
Hope this helps!
P.S: If all else fails, try the Gentoo docs for networking.
Thank you that is great support - and much needed encouragement.
I have had a dig around (excuse the pun) and in conversing with a colleague it seems that the glue is missing for the primary nameservers!
My registrar does not provide me with a control to update the primary and secondary authoritative name servers and therefore I cannot tell the tld what IP is authoritative for my domains - therefore none of the virtual domains know that they must update the world...
Maybe you can confirm this line of thinking with me:
Thanks Nick. Things have begun to resolve themselves since it seems to have all been about propagation and stale caches. I still can't see half my sites from my work network but at home on optusnet cable it is fine - people I know with optusnet adsl can't see it but the cable network is fine...
BTW there must be some confusion becasuse there is no ns1.sourcepoint.com.au.arcplane.com.au.
There is arcplane.com.au which is name served by ns1.sourcepoint.com.au and archeli.com.au etc
the problem seems to have ended up being a lack of glue for the new IPs and ns1.sourcepoint.com.au - being a registrar customer of a planet domain reseller I couldn't update the glue records and therefore no way of telling the world that my ns1 and ns2 had new IPs... We tried to fix this (more or less successfully) by making the serversaustralia name servers authoritative for ns1 and ns2 sourcepoint.com.au
Not sure why wider propagation has not gone down but I am hoping that it will in good time.
Thanks Nick. Things have begun to resolve themselves since it seems to have all been about propagation and stale caches. I still can't see half my sites from my work network but at home on optusnet cable it is fine - people I know with optusnet adsl can't see it but the cable network is fine...
Yeah the state of DNS is pretty bad all around. You can use a reverse proxy on the old ips to pass the traffic through to the new ips if you want. Since your not moving machines just having apache listen on both the old and new ips would be the easiest thing.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.