DNS Server WAN-LAN connection problem

DKLeader · 10-08-2009, 07:01 AM

Hi,

I have a problem when trying to test connection with my nameservers. I am sorry that this post will be long but trying to get as much info added as posible.

I have 3 servers were 2 servers are both running Debian Lenny and Bind9 and the third is running Debian Lenny and HostingController (HC8 - Master)

Server 1 (Pri DNS / Domains / Mail) is behind a router. Public IP is 217.116.244.43 and private IP is 192.168.1.44. On the router I have forwarded port 53 to 192.168.1.44.
Server 2 (Sec DNS) is not behind a router and has public IP 217.116.244.35.
Server 3 (HC8 Master) is on public IP 217.116.244.57.

In HC8 I have added domains and done the setup of the DNS system.

My plan is to have superweb.dk as my primary domain name and nameservers has been named ns1.superweb.dk and ns2.superweb.dk.

Both ns have been approved by DK-Hostmaster.

The zones for superweb looks like this

Code:

@ IN SOA ns1.superweb.dk. admin.superweb.dk. (
	2009100703	; Serial
	3600		; Refresh
	600		; Retry
	1209600		; Expire
	3600 )		; TTL
@	IN	NS	ns1.superweb.dk.
@	IN	NS	ns2.superweb.dk.
@	IN	NS	ns3.superweb.dk.
superweb.dk.	IN	A	217.116.244.43
ftp.superweb.dk.	IN	CNAME	superweb.dk.
www.superweb.dk.	IN	CNAME	superweb.dk.
mail.superweb.dk.	IN	A	217.116.244.43
superweb.dk.	IN	MX	10	mail.superweb.dk.
superweb.dk.	IN	MX	15	superweb.dk.
superweb.dk.	IN	TXT	"v=spf1 a mx ptr ~all"

My named.conf looks like this

Code:

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
// include "/etc/bind/named.conf.options";
options {
	directory "/var/cache/bind";
	recursion yes;
	allow-query { "any"; };
	allow-recursion { "any"; };
	allow-transfer { "any"; };
	query-source address * port 53;
//	forward first;
	
	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.
	forwarders {
		217.116.227.8;
		217.116.227.58;
	};
	
	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };
	listen-on { any; };
};
// prime the server with knowledge of the root servers
zone "." {
	type hint;
	file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};
include "/etc/bind/named.conf.local";
zone "superweb.dk" IN {
	type master;
	file "db.superweb.dk";
	allow-transfer {
	193.163.102.6; 
	217.116.244.35; 
	213.173.243.0/28; // *.gratisdns.dk
	};
	also-notify { 
	213.173.243.11; // axfr.gratisdns.dk 
	};
};
zone "ns1.superweb.dk" IN {
	type master;
	file "db.ns1.superweb.dk";
	allow-transfer { 
	193.163.102.6;	
	217.116.244.35; 
	213.173.243.0/28; // *.gratisdns.dk
	};
	also-notify { 
	213.173.243.11; // axfr.gratisdns.dk 
	};
};
zone "ns2.superweb.dk" IN {
	type master;
	file "db.ns2.superweb.dk";
	allow-transfer {
	193.163.102.6; 
	217.116.244.35;
	213.173.243.0/28; // *.gratisdns.dk
	};
	also-notify { 
	213.173.243.11; // axfr.gratisdns.dk 
	};
};
zone "ns3.superweb.dk" IN {
	type master;
	file "db.superweb.dk";
	allow-transfer { 
	217.116.244.35;
	213.173.243.0/28; // *.gratisdns.dk
	};
	also-notify { 
	213.173.243.11; // axfr.gratisdns.dk 
	};
};
# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
 	algorithm hmac-md5;
 	secret "my-key";
};
 
controls {
	inet 127.0.0.1 port 953
		allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf

and my resolv.conf :

Code:

domain superweb.dk
search superweb.dk
nameserver 192.168.1.44 
// nameserver 217.116.244.43
nameserver 193.163.102.6 // DK-Hostmaster
nameserver 217.116.227.8 // My ISP Pri DNS
// nameserver 217.116.227.58 // My ISP Sec DNS

If I test nameservers here : http://www.dns.lu/en/EN-LUTestNoms.php I get :

Code:

Success: Nameserver test succeded 
Info: Nameserver test for domain superweb.dk 
Note: Nameserver ns1.superweb.dk at 217.116.244.43 (provided) 
Note: Nameserver ns2.superweb.dk at 217.116.244.35 (provided)

but if I test them at DK-Hostmaster (https://www.dk-hostmaster.dk/english...on-nameserver/) I get :

Code:

Search result

 
; Candidate name server: ns1.superweb.dk
; Asked for 217.116.244.43, type PTR
; 108 octets from 193.163.102.5
; Response code: NXDOMAIN
; Answer contains 0 answers to your query.

Then I tried redelegate superweb.dk with ns1.superweb.dk here : https://www.dk-hostmaster.dk/english...e-domain-name/ but got this :

Code:

Error: general
Primary name server doesn't exist.

If I do a AXFR between pri and sec I do not get any errors - tried on sec "dig superweb.dk axfr @ns1.superweb.dk" and on pri "dig superweb.dk axfr @ns2.superweb.dk"

I did a port check to see if outer-world could send through port 53 - and it turned out OK.

My question is : what have I done wrong since I cannot get the domain redelegated.

Best Regards
DKLeader aka Jakob.

bathory · 10-08-2009, 09:22 AM

Quote:

$dig +trace superweb.dk

; <<>> DiG 9.6.1 <<>> +trace superweb.dk
;; global options: +cmd
. 494553 IN NS D.ROOT-SERVERS.NET.
. 494553 IN NS G.ROOT-SERVERS.NET.
. 494553 IN NS C.ROOT-SERVERS.NET.
. 494553 IN NS L.ROOT-SERVERS.NET.
. 494553 IN NS B.ROOT-SERVERS.NET.
. 494553 IN NS F.ROOT-SERVERS.NET.
. 494553 IN NS M.ROOT-SERVERS.NET.
. 494553 IN NS I.ROOT-SERVERS.NET.
. 494553 IN NS A.ROOT-SERVERS.NET.
. 494553 IN NS E.ROOT-SERVERS.NET.
. 494553 IN NS K.ROOT-SERVERS.NET.
. 494553 IN NS H.ROOT-SERVERS.NET.
. 494553 IN NS J.ROOT-SERVERS.NET.
;; Received 320 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

dk. 172800 IN NS P.NIC.dk.
dk. 172800 IN NS C.NIC.dk.
dk. 172800 IN NS S.NIC.dk.
dk. 172800 IN NS B.NIC.dk.
dk. 172800 IN NS L.NIC.dk.
dk. 172800 IN NS A.NIC.dk.
;; Received 309 bytes from 192.228.79.201#53(B.ROOT-SERVERS.NET) in 234 ms

superweb.dk. 86400 IN NS ns5.gratisdns.dk.
superweb.dk. 86400 IN NS ns1.gratisdns.dk.
superweb.dk. 86400 IN NS ns2.gratisdns.dk.
superweb.dk. 86400 IN NS ns3.gratisdns.dk.
superweb.dk. 86400 IN NS ns4.gratisdns.dk.
;; Received 349 bytes from 192.38.7.242#53(L.NIC.dk) in 104 ms

;; Received 29 bytes from 85.17.221.46#53(ns5.gratisdns.dk) in 94 ms

It looks like your upstream nameservers know nothing about your domain.
And why do you use 4 zones (superweb.dk, ns1.superweb.dk, ns2.superweb.dk, ns3.superweb.dk)!!!
Also you must provide your zone files with the A records for the dns servers

Code:

@ IN SOA ns1.superweb.dk. admin.superweb.dk. (
	2009100703	; Serial
	3600		; Refresh
	600		; Retry
	1209600		; Expire
	3600 )		; TTL
@	IN	NS	ns1.superweb.dk.
@	IN	NS	ns2.superweb.dk.
@	IN	NS	ns3.superweb.dk.
superweb.dk.	IN	A	217.116.244.43
ns1.superweb.dk. IN A 217.116.244.43
ns2.superweb.dk. IN A 217.116.244.35
ns3.superweb.dk. IN A 217.116.244.57
ftp.superweb.dk.	IN	CNAME	superweb.dk.
www.superweb.dk.	IN	CNAME	superweb.dk.
mail.superweb.dk.	IN	A	217.116.244.43
superweb.dk.	IN	MX	10	mail.superweb.dk.
superweb.dk.	IN	MX	15	superweb.dk.
superweb.dk.	IN	TXT	"v=spf1 a mx ptr ~all"

DKLeader · 10-08-2009, 01:43 PM

I have changed the zone for superweb.dk to :

Code:

@ IN SOA ns1.superweb.dk. admin.superweb.dk. (
	2009100803	; Serial
	3600		; Refresh
	600		; Retry
	1209600		; Expire
	3600 )		; TTL
@	IN	NS	ns1.superweb.dk.
@	IN	NS	ns2.superweb.dk.
superweb.dk.	IN	A	217.116.244.43
ns1.superweb.dk. IN A 217.116.244.43
ns2.superweb.dk. IN A 217.116.244.35
ftp.superweb.dk.	IN	CNAME	superweb.dk.
www.superweb.dk.	IN	CNAME	superweb.dk.
mail.superweb.dk.	IN	A	217.116.244.43
superweb.dk.	IN	MX	10	mail.superweb.dk.
superweb.dk.	IN	MX	15	superweb.dk.
superweb.dk.	IN	TXT	"v=spf1 a mx ptr ~all"

and deleted the three zones ns1, ns2 and ns3 - had to try something to get it to work and that is why they were created.
I only have 2 name servers - was planning on the third but forgot to delete it in the zone - did not change anything
But still I get the same results.

bathory · 10-08-2009, 04:59 PM

You should contact your domain registrar to change the authoritative nameservers for your domain to point to your dns servers, because now they are (ns1 to ns5)gratisdns.dk

Code:

dig superweb.dk

; <<>> DiG 9.6.1-P1 <<>> superweb.dk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23188
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;superweb.dk.                   IN      A

;; ANSWER SECTION:
superweb.dk.            42161   IN      A       217.116.244.43

;; AUTHORITY SECTION:
superweb.dk.            42161   IN      NS      ns1.gratisdns.dk.
superweb.dk.            42161   IN      NS      ns4.gratisdns.dk.
superweb.dk.            42161   IN      NS      ns2.gratisdns.dk.
superweb.dk.            42161   IN      NS      ns3.gratisdns.dk.
superweb.dk.            42161   IN      NS      ns5.gratisdns.dk.

;; ADDITIONAL SECTION:
ns1.gratisdns.dk.       42160   IN      A       213.173.243.8
ns2.gratisdns.dk.       42160   IN      A       87.72.47.122
ns3.gratisdns.dk.       42160   IN      A       194.0.2.6
ns4.gratisdns.dk.       42160   IN      A       208.43.238.42
ns5.gratisdns.dk.       42160   IN      A       85.17.221.46

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct  9 00:57:14 2009
;; MSG SIZE  rcvd: 225