LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Old 10-03-2007, 10:55 AM   #1
schenke
LQ Newbie
 
Registered: Oct 2007
Location: Iowa
Distribution: Redhat EL 3
Posts: 27

Rep: Reputation: 15
Weird, DNS propagation too long or my zone file is not right


hi, everyone,
I would like to set up a name server on Red Hat ENT WS3 within my home network through a cable modem internet connection. The named.conf and zone file look fine, and rndc.conf is also OK. The named service is up and listening on port 53. If I use localhost as the name server, I can dig every domain successfully, and my desired NS, MX and A records can also be resolved. Port forwarding (80, 110, 22, 21, 53 and 953, etc.) for this Linux host has been enabled in my router. The domain registrar has been updated with my own name server, and that name server can be resolved by my ISP's name server and others.

I waited 72 hours for DNS propagation, but it still cannot be found by my ISP's name server or by other web-based DNS checkers.

Could you please help me out? Thank you very much!
 
Old 10-04-2007, 05:09 PM   #2
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
Do:

Code:
dig yoursite.com +trace
That will go all the way down to the root servers and go back up the tree to the authoritative DNS servers. I will bet that the problem is you have to register the IP address of your DNS server with your registrar. Since you're on a cable modem, you have a dynamic address which can change. Maybe when you registered you had one address, but that is no longer the case.

Running DNS from a dynamic connection is a very bad idea. You can have a dyndns service, but your nameserver needs to be tied to a static IP. What you are doing will fail at various times.

Peace,
JimBass
 
Old 10-05-2007, 03:16 PM   #3
schenke
LQ Newbie
 
Registered: Oct 2007
Location: Iowa
Distribution: Redhat EL 3
Posts: 27

Original Poster
Rep: Reputation: 15
The IP is almost a static IP if I do not change the modem

I am trying to find out whatever I can do about it, but it is still not working.

1. Double-checked the zone file and everything is OK; changed the serial number to the system date.

2. "rndc status" shows everything is running.

3. Digging my own name server, registered with my registrar, I can find it within my home network. But it looks like it cannot be found from my work network; using other online tools, it shows some NS already knows this NS. Don't know.

4. My IP is static IP.

What else should I do?
 
Old 10-05-2007, 04:35 PM   #4
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
You should do the command I gave you,
Code:
dig yoursite.com +trace
obviously replacing yoursite.com with the real domain name. The problem is not likely to be something wrong with your server, the problem is that your server is most likely never being asked. That is what the +trace does, it follows the DNS chain from the root up to the authoritative server.

Peace,
JimBass
 
Old 10-05-2007, 06:59 PM   #5
schenke
LQ Newbie
 
Registered: Oct 2007
Location: Iowa
Distribution: Redhat EL 3
Posts: 27

Original Poster
Rep: Reputation: 15
Thanks. I think you are right. The server might never be asked.
If I use localhost to resolve names, everything can be resolved.
I just ran dig mysite.com +trace using my ISP's NS. It said "no server can be reached". And then what's next? Thanks!

Really helped me to understand more about DNS and BIND.
 
Old 10-05-2007, 07:30 PM   #6
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
When you do dig +trace it tries to get down to the roots then climb up to the authoritative server. Since it is unreachable, that means what I suggested in my original post is correct.

You need to go to your registrar (godaddy, netsol, whoever it is) and check on your nameservers. Just because it says ns1.yoursite.com is the nameserver doesn't mean it actually is asking for your version of ns1.yoursite.com. You need to reset the IP of your primary nameserver on the registrars page. It is usually buried in the nameserver functions.

Another possibility is that your router isn't forwarding requests to your linux box. I know you said it is configured to do that, but you should check that from a remote machine.

Also, you haven't helped yourself by hiding the domain name. If you had posted your domain in the first post, I could have confirmed all this in one post as opposed to 3. Whenever you need help with DNS, it is much better to use the real domain name.

Peace,
JimBass
 
Old 10-05-2007, 08:47 PM   #7
schenke
LQ Newbie
 
Registered: Oct 2007
Location: Iowa
Distribution: Redhat EL 3
Posts: 27

Original Poster
Rep: Reputation: 15
Thanks, Jim.
The IP for the NS is correctly configured at the registrar. But another domain also has a record pointing to the same IP at the registrar. I am wondering if this causes problems; I am trying to reset that domain's configuration. Again, the IP is static and the server is up.

The port forwarding is working, because I can ping the NS from any place.

I am still a beginner at Linux; for security reasons, I left the domain hidden.

Hard to understand why NS can be reached but it cannot resolve any record in the zone file?
 
Old 10-05-2007, 09:47 PM   #8
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
You could have any number of domains pointed at the same IP, that makes no difference.

Pinging tells you nothing about port forwarding. You'd need to telnet to port 53 to see if it is forwarding correctly, or a much better way to try is to issue a command like:
Code:
dig yourdomain.com @4.3.2.1
where 4.3.2.1 is your public IP address.

Security by obscurity is no type of security at all. Beyond that, DNS is not an attack vector. Regardless of how poorly a DNS server is set up, people can't write data into it. People also can't steal the ability to resolve your domain, because that is controlled by your registrar. You want your domain to be resolved by the entire world. If you don't want people poking around your website then set the firewall/router to only allow traffic from specific IPs, that's fine, but DNS needs to be open to everybody.

To make a long story short, you're welcome for the help so far, but without a domain name to lookup, there is nothing more I can do for you.

Peace,
JimBass
 
Old 10-06-2007, 10:21 AM   #9
schenke
LQ Newbie
 
Registered: Oct 2007
Location: Iowa
Distribution: Redhat EL 3
Posts: 27

Original Poster
Rep: Reputation: 15
I tried to use dig xxx@ip
says: 1 server found, but no server can be reached.

There are several tools online which can check if the port is ok. http://www.canyouseeme.org/ says, the port 53 @ my ip is open.
 
Old 10-06-2007, 10:53 AM   #10
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
Ok, from the ground up -

Code:
jim@jimsworktop:~$ dig +trace murou.com

; <<>> DiG 9.4.1-P1 <<>> +trace murou.com
;; global options:  printcmd
.                       166295  IN      NS      h.root-servers.net.
.                       166295  IN      NS      i.root-servers.net.
.                       166295  IN      NS      j.root-servers.net.
.                       166295  IN      NS      k.root-servers.net.
.                       166295  IN      NS      l.root-servers.net.
.                       166295  IN      NS      m.root-servers.net.
.                       166295  IN      NS      a.root-servers.net.
.                       166295  IN      NS      b.root-servers.net.
.                       166295  IN      NS      c.root-servers.net.
.                       166295  IN      NS      d.root-servers.net.
.                       166295  IN      NS      e.root-servers.net.
.                       166295  IN      NS      f.root-servers.net.
.                       166295  IN      NS      g.root-servers.net.
;; Received 436 bytes from 207.69.188.187#53(207.69.188.187) in 39 ms

com.                    172800  IN      NS      L.GTLD-SERVERS.NET.
com.                    172800  IN      NS      G.GTLD-SERVERS.NET.
com.                    172800  IN      NS      J.GTLD-SERVERS.NET.
com.                    172800  IN      NS      K.GTLD-SERVERS.NET.
com.                    172800  IN      NS      E.GTLD-SERVERS.NET.
com.                    172800  IN      NS      I.GTLD-SERVERS.NET.
com.                    172800  IN      NS      F.GTLD-SERVERS.NET.
com.                    172800  IN      NS      C.GTLD-SERVERS.NET.
com.                    172800  IN      NS      M.GTLD-SERVERS.NET.
com.                    172800  IN      NS      B.GTLD-SERVERS.NET.
com.                    172800  IN      NS      D.GTLD-SERVERS.NET.
com.                    172800  IN      NS      H.GTLD-SERVERS.NET.
com.                    172800  IN      NS      A.GTLD-SERVERS.NET.
;; Received 499 bytes from 192.33.4.12#53(c.root-servers.net) in 53 ms

murou.com.              172800  IN      NS      ns1.murou.com.
murou.com.              172800  IN      NS      slv1.1and1.com.
;; Received 102 bytes from 192.33.14.30#53(B.GTLD-SERVERS.NET) in 270 ms

;; Received 27 bytes from 217.160.224.4#53(slv1.1and1.com) in 61 ms
So we don't get an answer at all. Your primary nameserver (ns1.murou.com) doesn't reply at all, and the secondary DNS (slv1.1and1.com) tries to answer but doesn't know what the IP address is.

Further investigation - is your static IP correctly identified by the registrar?

Code:
jim@jimsworktop:~$ dig ns1.murou.com +trace

; <<>> DiG 9.4.1-P1 <<>> ns1.murou.com +trace
;; global options:  printcmd
.                       98716   IN      NS      J.ROOT-SERVERS.NET.
.                       98716   IN      NS      K.ROOT-SERVERS.NET.
.                       98716   IN      NS      L.ROOT-SERVERS.NET.
.                       98716   IN      NS      M.ROOT-SERVERS.NET.
.                       98716   IN      NS      A.ROOT-SERVERS.NET.
.                       98716   IN      NS      B.ROOT-SERVERS.NET.
.                       98716   IN      NS      C.ROOT-SERVERS.NET.
.                       98716   IN      NS      D.ROOT-SERVERS.NET.
.                       98716   IN      NS      E.ROOT-SERVERS.NET.
.                       98716   IN      NS      F.ROOT-SERVERS.NET.
.                       98716   IN      NS      G.ROOT-SERVERS.NET.
.                       98716   IN      NS      H.ROOT-SERVERS.NET.
.                       98716   IN      NS      I.ROOT-SERVERS.NET.
;; Received 436 bytes from 207.69.188.187#53(207.69.188.187) in 58 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 491 bytes from 193.0.14.129#53(K.ROOT-SERVERS.NET) in 129 ms

ns1.murou.com.          172800  IN      A       12.205.160.148
murou.com.              172800  IN      NS      ns1.murou.com.
murou.com.              172800  IN      NS      slv1.1and1.com.
;; Received 118 bytes from 192.55.83.30#53(m.gtld-servers.net) in 304 ms
So your registrar believes that your nameserver is running at public IP 12.205.160.148. If that is the case, then I should be able to get name resolution by asking that IP specifically -

Code:
jim@jimsworktop:~$ dig murou.com @12.205.160.148

; <<>> DiG 9.4.1-P1 <<>> murou.com @12.205.160.148
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached
Game over. You either have the wrong static address set at your registrar, or you have some problem with named/BIND itself. Since you tell us that you can resolve it locally, that means you don't have a BIND problem, unless you're using separate views for the zone internally and externally.

Your slave server at least has named running, but it can't answer the query either -

Code:
jim@jimsworktop:~$ dig murou.com @slv1.1and1.com

; <<>> DiG 9.4.1-P1 <<>> murou.com @slv1.1and1.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19187
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;murou.com.                     IN      A

;; Query time: 59 msec
;; SERVER: 217.160.224.4#53(217.160.224.4)
;; WHEN: Sat Oct  6 11:44:41 2007
;; MSG SIZE  rcvd: 27
This line in particular
Code:
WARNING: recursion requested but not available
means they don't think they are authoritative for your domain. You need to have all servers answer authoritatively for the zone. That means that slv1.1and1.com doesn't think it is a nameserver for you.

So it comes back to either not forwarding correctly from the router to the linux machine, or you have the wrong address registered with the registrar. I suppose your ISP could be blocking you as well, but that port test tool should have revealed that to you.

Your home machine, supposedly at 12.205.160.148 doesn't answer at all, and your secondary is at least running on the IP it is supposed to be at, but it doesn't think it is a nameserver for your domain.

Peace,
JimBass
 
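The traces in this post (and the explanation of +trace in post #4) are read by eye: find the hop that returned no answer and see whether it is the zone's own nameserver or the parent. As an added example, not code from the thread, here is a small Python parser that does the same walk over dig +trace output: it splits the text into hops by the ";; Received ... from ..." footers, works out the closest delegation for the queried name, and reports whether the last hop answered, answered only with the parent's glue, replied empty, or was never reached. The three sample traces are constructed excerpts: two shortened from the output above, one made up to show the timeout case.

```python
import re
from typing import Dict, List

# A resource record as dig prints it: OWNER TTL IN TYPE RDATA
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")
# The hop footer: ;; Received N bytes from IP#PORT(server) in T ms
RECEIVED_RE = re.compile(r"^;; Received (\d+) bytes from ([\d.]+)#\d+\((\S+)\)")


def parse_trace(text: str) -> List[Dict]:
    """Split dig +trace output into hops: the records each server returned."""
    hops, records = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = RECORD_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            records.append({"name": owner, "ttl": int(ttl), "type": rtype, "rdata": rdata})
            continue
        m = RECEIVED_RE.match(line)
        if m:
            hops.append({"bytes": int(m.group(1)), "ip": m.group(2),
                         "server": m.group(3).lower().rstrip(".") + ".", "records": records})
            records = []
    return hops


def diagnose_trace(text: str, qname: str) -> Dict:
    """Say where the chain from the roots to the authoritative server breaks."""
    qname = qname.lower().rstrip(".") + "."
    hops = parse_trace(text)
    timed_out = "no servers could be reached" in text
    if not hops:
        return {"verdict": "no-data", "reason": "no hops found in trace output"}

    # Closest delegation above qname: NS records whose owner is the longest suffix of qname.
    def covers(owner: str) -> bool:
        o = owner.lower()
        return o == "." or qname == o or qname.endswith("." + o)
    covering = [r for h in hops for r in h["records"] if r["type"] == "NS" and covers(r["name"])]
    best = max((len(r["name"]) for r in covering), default=0)
    delegated = sorted({r["rdata"].lower() for r in covering if len(r["name"]) == best})

    last = hops[-1]
    answers = [r for r in last["records"] if r["name"].lower() == qname and r["type"] != "NS"]
    result = {"last_server": last["server"], "delegated_ns": delegated,
              "answered_by_delegated_ns": last["server"] in delegated,
              "answers": [(r["type"], r["rdata"]) for r in answers]}
    if answers:
        result["verdict"] = "answered"
        result["reason"] = ("answer came from one of the zone's own nameservers"
                            if result["answered_by_delegated_ns"]
                            else "answer is glue from the parent zone, not from the zone's own nameserver")
    elif not last["records"]:
        result["verdict"] = "empty-answer"
        result["reason"] = f"{last['server']} replied but returned no records (it does not serve the zone)"
    elif timed_out:
        result["verdict"] = "delegation-dead"
        result["reason"] = "parent delegated to " + ", ".join(delegated) + " but none could be reached"
    else:
        result["verdict"] = "delegation-only"
        result["reason"] = "trace stopped at a referral; the delegated servers were never queried"
    return result


# Constructed sample traces (shortened excerpts modelled on the thread, not live captures).
TRACE_MUROU = """\
.                       166295  IN      NS      a.root-servers.net.
;; Received 436 bytes from 207.69.188.187#53(207.69.188.187) in 39 ms

com.                    172800  IN      NS      B.GTLD-SERVERS.NET.
;; Received 499 bytes from 192.33.4.12#53(c.root-servers.net) in 53 ms

murou.com.              172800  IN      NS      ns1.murou.com.
murou.com.              172800  IN      NS      slv1.1and1.com.
;; Received 102 bytes from 192.33.14.30#53(B.GTLD-SERVERS.NET) in 270 ms

;; Received 27 bytes from 217.160.224.4#53(slv1.1and1.com) in 61 ms
"""
TRACE_NS1 = """\
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 491 bytes from 193.0.14.129#53(K.ROOT-SERVERS.NET) in 129 ms

ns1.murou.com.          172800  IN      A       12.205.160.148
murou.com.              172800  IN      NS      ns1.murou.com.
murou.com.              172800  IN      NS      slv1.1and1.com.
;; Received 118 bytes from 192.55.83.30#53(m.gtld-servers.net) in 304 ms
"""
TRACE_DEAD = """\
murou.com.              172800  IN      NS      ns1.murou.com.
;; Received 80 bytes from 192.33.14.30#53(B.GTLD-SERVERS.NET) in 200 ms

;; connection timed out; no servers could be reached
"""

if __name__ == "__main__":
    for label, text, name in (("murou.com", TRACE_MUROU, "murou.com"),
                              ("ns1.murou.com", TRACE_NS1, "ns1.murou.com"),
                              ("timeout", TRACE_DEAD, "murou.com")):
        print(label, diagnose_trace(text, name))
```

The point the parser makes explicit is the one the two traces above show side by side: a NOERROR answer for ns1.murou.com coming from a gtld-servers.net host is the parent's glue, so it proves only what the registrar believes, not that anything is listening at that address; only an answer from a server in `delegated_ns` shows the zone itself is being served.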
Old 10-07-2007, 08:45 AM   #11
schenke
LQ Newbie
 
Registered: Oct 2007
Location: Iowa
Distribution: Redhat EL 3
Posts: 27

Original Poster
Rep: Reputation: 15
Every setting at the registrar is fine. If the name server and the other servers are on the same IP, they call it glue DNS. They suggested building a subdomain like ns1.mydomain.com first with an A record of the public IP, and then pointing the primary NS to the subdomain. If you dig ns1.murou.com, you will find everything is fine. I guess the registrar does not allow me to DIY because they offer a bundled DNS/mail/web/etc. service.
 
Old 10-07-2007, 09:05 AM   #12
schenke
LQ Newbie
 
Registered: Oct 2007
Location: Iowa
Distribution: Redhat EL 3
Posts: 27

Original Poster
Rep: Reputation: 15
I am waiting for the result. I called the registrar; they said probably I cannot use their NS as a slave NS: if I choose my own NS, I can only use my own NS. Maybe it's true. Let's try.
 
Old 10-07-2007, 11:37 AM   #13
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
That is not what glue means in a DNS sense.

http://en.wikipedia.org/wiki/Domain_...d_glue_records

Quote:
If you dig the ns1.murou.com, you will find everything is fine
I already went over that in my last post. According to the DNS system, ns1.murou.com exists at

Code:
jim@jimsworktop:~$ dig ns1.murou.com

; <<>> DiG 9.4.1-P1 <<>> ns1.murou.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37058
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;ns1.murou.com.                 IN      A

;; ANSWER SECTION:
ns1.murou.com.          172800  IN      A       12.205.160.148
If 12.205.160.148 is indeed your public IP, then named is not working for the public -

Code:
jim@jimsworktop:~$ dig murou.com @12.205.160.148

; <<>> DiG 9.4.1-P1 <<>> murou.com @12.205.160.148
; (1 server found)
;; global options:  printcmd
;; connection timed out; no servers could be reached
So we're back again to you either have the wrong IP set at your registrar, named is not running, or your router is not forwarding to the linux server.

You say 12.205.160.148 is correct, so that is out.

You claimed earlier that named is running on your machine, although you haven't posted anything that confirms that.

Since I get no answer when I ask 12.205.160.148 directly, you have some obvious problem.

Peace,
JimBass
 
Old 10-08-2007, 11:41 AM   #14
schenke
LQ Newbie
 
Registered: Oct 2007
Location: Iowa
Distribution: Redhat EL 3
Posts: 27

Original Poster
Rep: Reputation: 15
Actually I have already eliminated the three reasons you listed.

Are you saying you cannot ping the IP? Can you ping ns1.murou.com? I guess you can. That's the IP I am using for everything. So the IP is not the problem.

I checked "named" with "rndc status" and double-checked with "ps aux"; it's running. So named is running. I will publish the zone file here tonight.

The only thing left is the port forwarding. I think it's also OK, because I tried port 80 and it is working; I also confirmed the POP3 port and SSH port, although I did not try port 53. The router should do the same thing if I set it up the same way, regardless of the port number. A kind of confirmation (? I will double-check, enable telnet in Linux and try 53).

Really exhausting me...
 
Old 10-08-2007, 02:14 PM   #15
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
If you had eliminated the 3 reasons I gave, you wouldn't have a problem!

Ping is absolutely useless in this case. I haven't used any tool besides dig, which is the only DNS specific tool worth using. What I said was that when I specifically ask the IP address 12.205.160.148 for DNS info about murou.com, it doesn't answer at all. Again, that means:

1) 12.205.160.148 is not your IP address or your registrar claims it is when it isn't
2) Named is not running
3) Your router is not forwarding port 53 on IP 12.205.160.148 to port 53 on the server's LAN IP.

So far you've shown me nothing that proves that 1 could not be true, the rndc and ps aux | grep named indicate that point 2 isn't the problem, and you've also not done anything to disprove point 3.

By the way, ns1.murou.com doesn't ping, although that isn't surprising for a home cable modem -
Code:
jim@jimsworktop:~$ ping ns1.murou.com
PING ns1.murou.com (12.205.160.148) 56(84) bytes of data.

--- ns1.murou.com ping statistics ---
17 packets transmitted, 0 received, 100% packet loss, time 16066ms
But again, ping tells us nothing. I'm not willing to port sniff your public IP, as that will look to your ISP like I am attempting to hack their network.

You don't need to open telnet to your linux box, you need to open 53 for named. If it is open for named, you can try and get in there with any tool pointed at port 53, be it dig, telnet, or anything else you can direct at a specific port.

Ah, here's something finally. I tried ssh, and after about 45 seconds (way the hell too long) it finally replied -

Code:
jim@jimsworktop:~$ ssh ns1.murou.com
The authenticity of host 'ns1.murou.com (12.205.160.148)' can't be established.
RSA key fingerprint is 36:49:90:b5:a9:88:ea:e1:9d:c5:88:04:71:89:d3:5b.
Are you sure you want to continue connecting (yes/no)? no
Host key verification failed.
That means your public IP is probably 12.205.160.148, and you simply don't have port 53 forwarded. It would be the same setup as whatever you did to forward 22 to the linux machine for ssh.

If the port is forwarded correctly according to your router, then named itself has a problem. If you post anything, post the full named.conf file(s) and the zone file for murou.com.

If anything I say isn't clear, ask about it. Your last post seems to show you don't really understand what I am doing to solve the DNS issues you're having.

Peace,
JimBass
 
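The check this thread keeps returning to is the one in post #8 and post #10: ask the registered public IP directly on port 53 and read the result, where a timeout, a SERVFAIL and an answer without the aa flag each point at a different one of the three causes listed above. As an added example, not code from the thread, the Python script below builds that query itself with the standard library, sends it the way "dig name @ip" does, and classifies the reply from the 12-byte header: the rcode, the aa (authoritative answer) flag, and whether the response ID matches the query. The two sample responses at the bottom are constructed byte strings, not captures from the servers in this thread; `probe()` needs network access and is only shown as a usage comment.

```python
import random
import socket
import struct
from typing import Dict, Optional

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, qtype: int = 1, qid: Optional[int] = None) -> bytes:
    """Minimal RFC 1035 query: 12-byte header plus one question, RD set as dig sets it."""
    if qid is None:
        qid = random.SystemRandom().randrange(0, 0x10000)  # unpredictable ID, as a resolver should use
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1, RD bit set
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def classify_response(resp: bytes, expected_id: Optional[int] = None) -> Dict:
    """Read the header flags and say what they tell us about the server that answered."""
    if len(resp) < 12:
        return {"verdict": "malformed", "reason": "shorter than a DNS header"}
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    info = {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)), "answer_count": an}
    if expected_id is not None and qid != expected_id:
        info.update(verdict="id-mismatch", reason="response ID does not match the query; discard it")
    elif not info["qr"]:
        info.update(verdict="malformed", reason="QR bit clear: this is a query, not a response")
    elif info["rcode"] == "SERVFAIL":
        info.update(verdict="not-serving-zone",
                    reason="server is up but cannot serve the zone (e.g. a secondary that never transferred it)")
    elif info["rcode"] == "REFUSED":
        info.update(verdict="refused", reason="server is up but its query ACL rejects this client")
    elif info["rcode"] == "NOERROR" and info["aa"]:
        info.update(verdict="authoritative", reason="AA set: the server hosts the zone and answered from it")
    elif info["rcode"] == "NOERROR":
        info.update(verdict="non-authoritative",
                    reason="AA clear: answer came from cache or recursion, not from a hosted zone")
    else:
        info.update(verdict=info["rcode"].lower(), reason="see rcode")
    return info


def probe(server_ip: str, name: str, timeout: float = 3.0) -> Dict:
    """Ask server_ip directly over UDP/53, as 'dig name @server_ip' does (needs network)."""
    query = build_query(name)
    qid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server_ip, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"verdict": "unreachable",
                    "reason": f"no reply from {server_ip}:53 in {timeout}s: "
                              "filtered, not forwarded by the router, or named not listening"}
    return classify_response(data, expected_id=qid)


# Constructed sample responses (not captured from the thread's servers).
SAMPLE_QUESTION = b"\x05murou\x03com\x00\x00\x01\x00\x01"          # murou.com. IN A
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 19187, 0x8102, 1, 0, 0, 0) + SAMPLE_QUESTION  # flags: qr rd; SERVFAIL
SAMPLE_AUTH = struct.pack("!HHHHHH", 4242, 0x8500, 1, 1, 0, 0) + SAMPLE_QUESTION       # flags: qr aa rd; NOERROR

if __name__ == "__main__":
    for label, sample in (("secondary", SAMPLE_SERVFAIL), ("primary", SAMPLE_AUTH)):
        print(label, classify_response(sample))
    # Live use, replacing the placeholder address: print(probe("192.0.2.1", "example.com"))
```

Run against the registered public IP from a machine outside the home network, the three outcomes map onto the three causes above: "unreachable" is the router or ISP not forwarding port 53 (or named not listening on the outside interface), "not-serving-zone" is a server that runs but does not load the zone, and "authoritative" is what a correctly forwarded, correctly configured primary returns. Checking the response ID before trusting the flags is the same habit a real resolver has, so a stray or spoofed packet is not mistaken for the answer.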