Weird, DNS propagation too long or my zone file is not right
Hi, everyone,
I would like to set up a name server on Red Hat ENT WS3 within my home network, through a cable modem internet connection. The named.conf and zone file look fine, and rndc.conf is also OK. The named service is up and listening on port 53. If I use localhost as the name server, I can dig every domain successfully, and my desired NS, MX and A records can also be resolved. Port forwarding (80, 110, 22, 21, 53, 953, etc.) to this Linux host has been enabled in my router. The domain registrar has been updated with my own name server, and that name server can be resolved by my ISP's name server and others. I waited 72 hours for the DNS propagation, but it still cannot be found by my ISP's name server or other web-based DNS checkers. Could you please help me out? Thank you very much!

Do:
Code:
dig yoursite.com +trace
Running DNS from a dynamic connection is a very bad idea. You can have a dyndns service, but your nameserver needs to be tied to a static IP. What you are doing will fail at various times. Peace, JimBass

The IP is almost a static IP if I do not change the modem.
I am trying to find out whatever I can do about it, but it is still not working.
1. Double-checked the zone file and everything is OK; changed the serial number to the system date.
2. "rndc status" shows everything is running.
3. Dug my own name server registered by my registrar; I can find it within my home network, but it looks like it cannot be found from my work network. Using another online tool, it shows some NSes already know this NS. Don't know.
4. My IP is a static IP.
What else should I do?

You should run the command I gave you:
Code:
dig yoursite.com +trace
Peace, JimBass

Thanks. I think you are right. The server might never be asked.
If I use localhost to resolve names, everything can be resolved. I just did dig mysite.com +trace using my ISP's NS. It said "no server can be reached". And then what's next? Thanks! It really helped me to understand more about DNS and BIND.

When you do dig +trace, it tries to get down to the roots and then climb up to the authoritative server. Since it is unreachable, that means what I suggested in my original post is correct.
You need to go to your registrar (godaddy, netsol, whoever it is) and check on your nameservers. Just because it says ns1.yoursite.com is the nameserver doesn't mean it actually is asking for your version of ns1.yoursite.com. You need to reset the IP of your primary nameserver on the registrar's page. It is usually buried in the nameserver functions.
Another possibility is that your router isn't forwarding requests to your Linux box. I know you said it is configured to do that, but you should check that from a remote machine.
Also, you haven't helped yourself by hiding the domain name. If you had posted your domain in the first post, I could have confirmed all this in one post as opposed to 3. Whenever you need help with DNS, it is much better to use the real domain name. Peace, JimBass

Thanks, Jim.
The IP for the NS is correctly configured at the registrar. But another domain also has a record pointing to the same IP at the registrar. I am wondering if this causes problems; I am trying to reset that domain's configuration. Again, the IP is static and the server is up. The port forwarding is working, because I can ping the NS from anywhere. I am still a beginner in Linux, and for security reasons I left the domain hidden. Hard to understand why the NS can be reached but it cannot resolve any record in the zone file?

You could have any number of domains pointed at the same IP; that makes no difference.
Pinging tells you nothing about port forwarding. You'd need to telnet to port 53 to see if it is forwarding correctly, or a much better way to try is to issue a command like:
Code:
dig yourdomain.com @4.3.2.1
Security by obscurity is no type of security at all. Beyond that, DNS is not an attack vector. Regardless of how poorly a DNS server is set up, people can't write data into it. People also can't steal the ability to resolve your domain, because that is controlled by your registrar. You want your domain to be resolved by the entire world. If you don't want people poking around your website then set the firewall/router to only allow traffic from specific IPs, that's fine, but DNS needs to be open to everybody. To make a long story short, you're welcome for the help so far, but without a domain name to look up, there is nothing more I can do for you. Peace, JimBass

I tried to use dig xxx @ip.
It says: "1 server found, but no server can be reached." There are several tools online which can check if the port is OK. http://www.canyouseeme.org/ says port 53 at my IP is open.

Ok, from the ground up -
Code:
jim@jimsworktop:~$ dig +trace murou.com
Further investigation - is your static IP correctly identified by the registrar?
Code:
jim@jimsworktop:~$ dig ns1.murou.com +trace
Code:
jim@jimsworktop:~$ dig murou.com @12.205.160.148
Your slave server at least has named running, but it can't answer the query either -
Code:
jim@jimsworktop:~$ dig murou.com @slv1.1and1.com
Code:
WARNING: recursion requested but not available
So it comes back to either not forwarding correctly from the router to the Linux machine, or you have the wrong address registered with the registrar. I suppose your ISP could be blocking you as well, but that port test tool should have revealed that to you. Your home machine, supposedly at 12.205.160.148, doesn't answer at all, and your secondary is at least running on the IP it is supposed to be at, but it doesn't think it is a nameserver for your domain. Peace, JimBass

Every setting at the registrar is fine. If the name server and other servers are on the same IP, they call it glue DNS. They suggested building a subdomain like ns1.mydomain.com first, with a record of the public IP, and then pointing the primary NS to the subdomain. If you dig ns1.murou.com, you will find everything is fine. I guess the registrar does not allow me to DIY because they offer a bundled DNS/mail/web/etc. service.

I am waiting for the result. I called the registrar, and they said that probably I cannot use their NS as a slave NS; if I choose my own NS, I can only use my own NS. Maybe it's true. Let's try.

That is not what glue means in a DNS sense.
http://en.wikipedia.org/wiki/Domain_...d_glue_records
Code:
jim@jimsworktop:~$ dig ns1.murou.com
Code:
jim@jimsworktop:~$ dig murou.com @12.205.160.148
You say 12.205.160.148 is correct, so that is out. You claimed earlier that named is running on your machine, although you haven't posted anything that confirms that. Since I get no answer when I ask 12.205.160.148 directly, you have some obvious problem. Peace, JimBass

Actually, I already eliminated the three reasons you listed.
Are you saying you cannot ping the IP? Can you ping ns1.murou.com? I guess you can. That's the IP I am using for everything, so the IP is not the problem. I checked "named" with "rndc status" and double-checked with "ps aux"; it's running, so named is running. I will publish the zone file here tonight. The only thing left is the port forwarding. I think it's also OK, because I tried port 80 and it is working, and I also confirmed the POP3 port and SSH port, although I did not try port 53. The router should do the same thing if I set it up in the same way, regardless of port number. A kind of confirmation (? I will double-check, enable telnet in Linux and try 53). Really exhausting me...

If you had eliminated the 3 reasons I gave, you wouldn't have a problem!
Ping is absolutely useless in this case. I haven't used any tool besides dig, which is the only DNS-specific tool worth using. What I said was that when I specifically ask the IP address 12.205.160.148 for DNS info about murou.com, it doesn't answer at all. Again, that means:
1) 12.205.160.148 is not your IP address, or your registrar claims it is when it isn't
2) Named is not running
3) Your router is not forwarding port 53 on IP 12.205.160.148 to port 53 on the server's LAN IP.
So far you've shown me nothing that proves that 1 could not be true, the rndc and ps aux | grep named indicate that point 2 isn't the problem, and you've also not done anything to disprove point 3. By the way, ns1.murou.com doesn't ping, although that isn't surprising for a home cable modem -
Code:
jim@jimsworktop:~$ ping ns1.murou.com
You don't need to open telnet to your Linux box, you need to open 53 for named. If it is open for named, you can try and get in there with any tool pointed at port 53, be it dig, telnet, or anything else you can direct at a specific port. Ah, here's something finally. I tried ssh, and after about 45 seconds (way the hell too long) it finally replied -
Code:
jim@jimsworktop:~$ ssh ns1.murou.com
If the port is forwarded correctly according to your router, then named itself has a problem. If you post anything, post the full named.conf file(s) and the zone file for murou.com. If anything I say isn't clear, ask about it. Your last post seems to show you don't really understand what I am doing to solve the DNS issues you're having. Peace, JimBass

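A constructed example, not code from either poster, of what "dig murou.com @12.205.160.148" checks at the wire level, which is the test Jim uses to separate his three causes (wrong IP at the registrar, named not running, port 53 not forwarded): it sends one DNS query to port 53 with a timeout and reads the reply's AA bit and RCODE, which ping cannot tell you. The hostnames, the 0x1234 transaction id and the 3 second timeout are assumptions of this example.

```python
import socket
import struct

# Constructed example for this thread, not the posters' code: build a DNS query, send
# it to port 53 like "dig name @ip", and classify the reply (or the silence).

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1, txid=0x1234):
    """Encode a standard query with RD=1 for name; qtype 1 = A, 2 = NS, 15 = MX."""
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack(">HH", qtype, 1)

def parse_flags(data):
    """Header fields a troubleshooter cares about: id, AA bit, RCODE, answer count."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    return {
        "id": txid,
        "aa": bool(flags & 0x0400),          # server claims authority for the zone
        "rcode": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
        "answers": an,
    }

def diagnose(reply):
    """Map a raw reply (None on timeout) to the situations discussed in the thread."""
    if reply is None:
        return "no reply: nothing answers on port 53 (wrong IP, named down, or not forwarded)"
    info = parse_flags(reply)
    if info["rcode"] != "NOERROR":
        return "%s: named is reachable but does not serve this zone" % info["rcode"]
    if not info["aa"]:
        return "non-authoritative: reachable, but this host does not claim the zone"
    return "authoritative answer, %d record(s): forwarding and named both work" % info["answers"]

def check_server(ip, name, qtype=1, timeout=3.0):
    """Send the query over UDP to ip:53 exactly like dig @ip and return the diagnosis."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qtype), (ip, 53))
        reply, _ = sock.recvfrom(512)
    except socket.timeout:
        reply = None          # the "no servers could be reached" case in the thread
    finally:
        sock.close()
    return diagnose(reply)
```

Run check_server("12.205.160.148", "murou.com", 2) from outside the home network; a timeout here while port 80 answers is exactly the "router not forwarding 53" case, and a non-authoritative reply is what the slave at 1and1 returned.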