Weird, DNS propagation too long or my zone file is not right

schenke · 10-08-2007, 08:24 PM

Here is the zone file

Code:

TTL    86400
$ORIGIN murou.com.
@  IN SOA ns1.murou.com.  admin.murou.com. (
                                        2007100701              ; serial 
                                        21600           ; refresh
                                        3600            ; retry
                                        604800          ; expiry
                                        86400 )         ; minimum

                        IN NS   ns1.murou.com.

                        IN NS   ns2.murou.com.

                        IN MX 10  mail.murou.com.

                        IN A    12.205.160.148

ns1                     IN A    12.205.160.148

ns2                     IN A    12.205.160.148

mail                    IN A    12.205.160.148

Named.Conf

Code:

zone "murou.com" IN {
        type master;
        file "murou.com.zone";
        allow-update {none; };
};

The router is configured with port 53 forwarding. And the router is a regular home router. Very straightforward to set up.

If zone file and named.conf is right, and the port forwarding is also ok. That means, something wrong with my ISP.

schenke · 10-08-2007, 08:41 PM

Resolved......

My router can just open one protocol TCP or UDP for one line configuration, I just opened one. But named need port 53 with tcp and UDP. I just open port 53 with UDP protocol, then I can dig murou.com now.

Could you also try for me. Thank you so much!

You are right, but I always thought the router should be able to open port with both TCP and UDP. A small mistake lead so many effort. Anyway, I really learned a lot from this!!

This is really built from scratch, computer assemble, OS, package installation, config, etc......

schenke · 10-08-2007, 08:56 PM

It turns out, NAMED needs both TCP and UDP on port 53. My home router has only limited capability to forward request with both protocols. A small mistake causes large problem.

I am really exhausted to resolve this, thanks again for your help!

JimBass · 10-08-2007, 11:28 PM

Yes, it works now:

Code:

jim@jimsworktop:~$ dig murou.com @12.205.160.148

; <<>> DiG 9.4.1-P1 <<>> murou.com @12.205.160.148
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11403
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;murou.com.                     IN      A

;; ANSWER SECTION:
murou.com.              86400   IN      A       12.205.160.148

;; AUTHORITY SECTION:
murou.com.              86400   IN      NS      ns1.murou.com.
murou.com.              86400   IN      NS      ns2.murou.com.

;; ADDITIONAL SECTION:
ns1.murou.com.          86400   IN      A       12.205.160.148
ns2.murou.com.          86400   IN      A       12.205.160.148

;; Query time: 96 msec
;; SERVER: 12.205.160.148#53(12.205.160.148)
;; WHEN: Tue Oct  9 00:13:57 2007
;; MSG SIZE  rcvd: 111

Now you still have problems, you don't have a valid secondary DNS server. I see that this one box is doing everything for you, DNS, web, mail, etc. That is not a good idea, but there isn't much else you can do with a home connection. You need to find another computer to slave your DNS data. Even if your server/internet is down and can't receive mail, what other mail servers do depends on the DNS info.

As an example, say somebody at yahoo.com tries to send mail to you@murou.com, and say for whatever reason, your internet is not up. Since the only DNS server you have is down, when yahoo's machine(s) tries to send the message out, it can't resolve the name murou.com at all, so it most likely drops the message. If you had a slaved DNS machine, and it wasn't on the same internet connection you have at home, yahoo could at least know that murou.com does have a mail exchanger (MX), and that it can't be reached at present. Since it knows you exist, the mail will be dropped into a queue, and they will try to send it every hour for several days. In that time, you'll probably get back online, and receive the message. When they can't resolve you, you head to the bit bucket.

I know that there are free services that will slave a domain for you, I just don't know them by name. Do a google search for something like secondary DNS or slave DNS service, and have them grab the data from your machine.

For future reference, 99.9%+ of DNS queries are done with UDP on port 53. Since a question from another server usually has a short answer, they don't need to get TCP involved. When you transfer zones between servers, that is when TCP at port 53 comes into play. When you get a secondary server set up, it will try and transfer the entire zone from ns1 at port 53 via TCP.

Peace,
JimBass

schenke · 10-09-2007, 08:25 PM

Ye, I understand that. That's the cost of "low cost".
So far so good. Will google around for free slave DNS.

The next step is to increase the security, and know more about Linux. The disposable PII/PIII machines runs great for these purposes, of course only at "init 3".