linux dns issue

cbtshare · 04-22-2012, 08:17 PM

I am having a issue:

Quote:

nslookup www.domain.com

from my client gives me

Quote:

nslookup www.domain.com
Server: 111.111.111.1
Address: 111.111.111.1#53

** server can't find www.domain.com: NXDOMAIN

and from my nameserver

if I do

dig www.domain.com @111.111.111.1

Quote:

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> www.domain.com @111.111.111.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35745
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.domain.com. IN A

;; ANSWER SECTION:
www.domain.com. 3423 IN CNAME 95.211.1xx.xx.

;; AUTHORITY SECTION:
. 10623 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2012042201 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 111.111.111.1#53(111.111.111.1)
;; WHEN: Sun Apr 22 20:46:54 2012
;; MSG SIZE rcvd: 143

but also from my nameserver

nslookup www.domain.com

Quote:

Server: 111.111.111.1
Address: 111.111.111.1#53

** server can't find www.domain.com: NXDOMAIN

but once i restart everything is fine.Till a few minutes I cant resolve that one domain.

any ideas?

bathory · 04-23-2012, 12:39 AM

Hi,

Quote:

dig www.domain.com @111.111.111.1

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> www.domain.com @111.111.111.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35745
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.domain.com. IN A

;; ANSWER SECTION:
www.domain.com. 3423 IN CNAME 95.211.1xx.xx.

;; AUTHORITY SECTION:
. 10623 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2012042201 1800 900 604800 86400
<-snip->

Also dig gives a NXDOMAIN.
Now it also gives an answer (a CNAME to an IP), but from the whole dig output:
1. your dns did not answer authoritatively (no aa in the header flags)
2. gave as authoritative dns a root server

Defining a CNAME pointing to an IP address is not a wise think to do. You should always point to an A record.
Anyway you can post your zone file so we could see what is wrong.

Regards

cbtshare · 04-23-2012, 01:20 AM

I have no input in my zone file for www.domain.com ,I dont know why it showed up with CNAME and HOST A
.
My zone file is:

Quote:

@ IN SOA server1.domain.com. root.localhost. (

2012042213; serial
28800; refresh, seconds
7200; retry, seconds
604800; expire, seconds
86400 ); minimum, seconds

;
NS server1.domain.com.;

;
MX 10 server1.domain.com.

;
domain.com. A 111.111.111.1
server1 A 111.111.111.1
domain.com. TXT "v=spf1 a mx ~all"
server1.domain.com. TXT "v=spf1 a -all"

bathory · 04-23-2012, 02:06 AM

Quote:

I have no input in my zone file for www.domain.com ,I dont know why it showed up with CNAME and HOST A

The dig answer is very strange indeed.
At first it gives a NXDOMAIN correctly and then it resolves the non-existent domain to a CNAME pointing to an IP address.
I guess your dns is forwarding queries to somewhere else. So show us also named.conf and the output of

Code:

dig ns domain.com

cbtshare · 04-23-2012, 02:49 AM

named.conf is below.

Code:

options {

listen-on port 53 { 111.111.111.1;};

listen-on-v6
{ none; };

directory "/var/named";

dump-file "/var/named/data/cache_dump.db";

statistics-file "/var/named/data/named_stats.txt";

memstatistics-file "/var/named/data/named_mem_stats.txt";

allow-query
{ localhost;
111.111.111.0/26;
};

allow-transfer { localhost; 111.111.111.0/26; };

recursion yes;
dnssec-enable yes;

dnssec-validation yes;

dnssec-lookaside auto;


bindkeys-file "/etc/named.iscdlv.key";

};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};



view "internal" {
        match-clients {
                localhost;
                111.111.111.0/26;
        };
        zone "." IN {
                type hint;
                file "named.ca";
        };


        zone "111.111.111.in-addr.arpa" {
                type master;
                file "pri.111.111.111.in-addr.arpa";

        };
        zone "domain.com" {
                type master;
                file "pri.domain.com";

        };

include "/etc/named.rfc1912.zones";
};

bathory · 04-23-2012, 04:13 AM

I guess this happens because you're using dnssec validation, while you have not configured dnssec correctly.
If you don't want dnssec comment out those lines and restart the service
BTW, you don't need the internal view, as you don't define another view in named.conf. So try this:

Code:

options {

listen-on port 53 { 111.111.111.1;};

listen-on-v6
{ none; };

directory "/var/named";

dump-file "/var/named/data/cache_dump.db";

statistics-file "/var/named/data/named_stats.txt";

memstatistics-file "/var/named/data/named_mem_stats.txt";

allow-query
{ localhost;
111.111.111.0/26;
};

allow-transfer { localhost; 111.111.111.0/26; };

recursion yes;
#dnssec-enable yes;
#dnssec-validation yes;
#dnssec-lookaside auto;
#bindkeys-file "/etc/named.iscdlv.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

        zone "." IN {
                type hint;
                file "named.ca";
        };


        zone "111.111.111.in-addr.arpa" {
                type master;
                file "pri.111.111.111.in-addr.arpa";

        };
        zone "domain.com" {
                type master;
                file "pri.domain.com";

        };

include "/etc/named.rfc1912.zones";

cbtshare · 04-23-2012, 05:24 AM

Thank you, I will try your config, but I just put a host A record in 111.111.111.1 and it seems to be stable now.I do not get any error about dnssec so why do you say it is configured incorrectly? I wanna offer some security to users browsing on my LAN.

bathory · 04-23-2012, 06:41 AM

Quote:

but I just put a host A record in 111.111.111.1 and it seems to be stable now

You mean, that you add an A record for www, so it can be resolved now?

Quote:

I do not get any error about dnssec so why do you say it is configured incorrectly? I wanna offer some security to users browsing on my LAN.

I'm not a dnssec expert, but from my knowledge for an authoritative dns you should sign your zone.

cbtshare · 04-23-2012, 06:23 PM

Quote:

Originally Posted by bathory

You mean, that you add an A record for www, so it can be resolved now?

I'm not a dnssec expert, but from my knowledge for an authoritative dns you should sign your zone.

Yes, this seems to resolve it.I dont know why but it does lolll.I will look into dnssec a bit more closely to see if I am doing anything wrong.

Code:

 dig www.domain.com @111.111.111.1

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> www.domain.com @111.111.111.1
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14923
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.domian.com.       IN      A 

;; ANSWER SECTION:
www.domain.com. 266    IN      CNAME   95.211.xx.xx.

;; AUTHORITY SECTION:
.                       7466    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2012042301 1800 900 604800 86400

I inputted the A record, I havent a clue where it is reading the CNAME from loll
I thank you for your assistance.

Cheers

bathory · 04-24-2012, 01:47 AM

Hi,

Why you say it's solved, as you still get the same results from dig?
BTW did you try to resolve that 95.211.xx.xx ip address?