[SOLVED] Bind9 - Works locally, but other name servers not being updated?

Scynix · 05-12-2011, 03:21 PM

Hello all,
I'm running Bind9 on a Debian box.
My ISP recently changed my static IP addresses. I changed the appropriate files and ran into a series of issues with the rndc.key that took a lot to resolve, but I did resolve that part.

I can now use the server as a name server, and appropriately dig other addresses, and the zone files that it itself has. However, if I use any other DNS server (including the ones that my ISP provided), they cannot resolve my domain. They still have the incorrect IP address associated with my name servers, even.

This was 24 hours ago. When attempting to dig one of my zones (example www.darkfalls.net) it simply doesn't find it. If I manually set any of my machines to use my debian box as their DNS, it can resolve it just fine. It's as if it's not updating other servers to the new changes, despite having increased the serial on each zone file appropriately.

Is there anything I could be missing?
I apologize I don't have a lot of info to paste in here, I'm just not sure what to provide that would help with this circumstance. I'm at a loss of what to do next. It seems to be working just fine- the rest of the internet just disagrees.

Edit: If I use DNS Crawler, when I attempt to crawl ns1.darkfalls.net it times out with the incorrect IP address (the old address).
If I change it to use my server as the DNS server, and crawl the same address (ns1.darkfalls.net) it works fine. Bwaaahhhhhhh~~~

MensaWater · 05-12-2011, 04:09 PM

dig -t ns darkfalls.net output:

Code:

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> -t ns darkfalls.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48229
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;darkfalls.net.                 IN      NS

;; ANSWER SECTION:
darkfalls.net.          172702  IN      NS      ns1.darkfalls.net.
darkfalls.net.          172702  IN      NS      ns2.darkfalls.net.

;; ADDITIONAL SECTION:
ns1.darkfalls.net.      172702  IN      A       24.234.137.70
ns2.darkfalls.net.      172702  IN      A       24.234.137.71

;; Query time: 2 msec
;; SERVER: 10.0.4.108#53(10.0.4.108)
;; WHEN: Thu May 12 16:56:28 2011
;; MSG SIZE  rcvd: 99

whois darkfalls.net output:

Quote:

[Querying whois.verisign-grs.com]
[Redirected to whois.godaddy.com]
[Querying whois.godaddy.com]
[whois.godaddy.com]
The data contained in GoDaddy.com, Inc.'s WhoIs database,
while believed by the company to be reliable, is provided "as is"
with no guarantee or warranties regarding its accuracy. This
information is provided for the sole purpose of assisting you
in obtaining information about domain name registration records.
Any use of this data for any other purpose is expressly forbidden without the prior written
permission of GoDaddy.com, Inc. By submitting an inquiry,
you agree to these terms of usage and limitations of warranty. In particular,
you agree not to use this data to allow, enable, or otherwise make possible,
dissemination or collection of this data, in part or in its entirety, for any
purpose, such as the transmission of unsolicited advertising and
and solicitations of any kind, including spam. You further agree
not to use this data to enable high volume, automated or robotic electronic
processes designed to collect or compile this data for any purpose,
including mining this data for your own personal or commercial purposes.

Please note: the registrant of the domain name is specified
in the "registrant" field. In most cases, GoDaddy.com, Inc.
is not the registrant of domain names listed in this database.

Registrant:
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: DARKFALLS.NET
Created on: 09-May-02
Expires on: 09-May-12
Last Updated on: 11-Apr-10

Administrative Contact:
Private, Registration DARKFALLS.NET@domainsbyproxy.com
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2598

Technical Contact:
Private, Registration DARKFALLS.NET@domainsbyproxy.com
Domains by Proxy, Inc.
DomainsByProxy.com
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
(480) 624-2599 Fax -- (480) 624-2598

Domain servers in listed order:
NS1.DARKFALLS.NET
NS2.DARKFALLS.NET

dig -t any, dig -t mx and dig www.darkfalls.net for your domain all timeout. Doing digs and specifying @ followed by either of your servers times out. I also can't telnet to either of your listed domain (NS) servers on port 53 which I should be able to do. All this suggests the name servers simply aren't reachable.

You mention having the wrong IP but don't say what the right IPs are. Are 24.234.137.70 and 24.234.137.71 valid? If not that is your issue.

The ISP provides you with your IPs. The Domain Registrar provides you with your DNS entries (at least for the name servers). These aren't always the same. Whois shows your Registrar is GoDaddy so you'd need to update the records for your DNS servers' IPs at GoDaddy. If you have an account you should be able to login to their site and do this change yourself.

Note: DNS propagation can take up to 72 hours due to caching at various intermediate and root name servers. Sometimes even if the change at Registrar is done it may take a while. Also your own systems (e.g. Windows) might have the record cached so even if everyone else on the internet sees the right IPs you might not until you clear your cache.

What are the correct IPs for your name servers?

Scynix · 05-12-2011, 04:31 PM

Those IP's are the old ones.
The new ip's are 24.120.129.34 and 24.120.129.35
35 isn't running at the moment, since I've been trying to get 34 to work.

If I designate that address as the DNS server, I can resolve all addresses just fine. Which implies to me it's working, it's just not propagating. But I'm not sure.
But yes, you're correct, those listings show the old address being associated with ns1.darkfalls.net, which is not correct. I've updated the zone files/serials with the new address, but out side servers are still showing the old address. They were updated yesterday.

I could understand it possibly being the 72 hour propagation issue, it's just strange to me after 24 hours it hasn't updated anywhere I've tested.
Also, my registrar has "ns1.darkfalls.net" as the entries, not the IP addresses themselves.

technodweeb · 05-12-2011, 05:33 PM

I can do a nslookup www.darkwater.net 24.120.129.34 and get a proper reply. Your main issue first is to get your domain registration with GoDaddy updated for the new static IP addresses you are using (mensawater mentioned before). Your server will respond from outside your network, so that is not the issue. The rest of the world not knowing where to look for your domain data is.

Scynix · 05-12-2011, 05:41 PM

Where are my manners? Even if it is the internet.

Thank you both very much for your assistance. I really appreciate it.

I've gone to godaddy's site and logged in, and edited the DNS entries for my servers, but I have them pointing to "ns1.darkfalls.net", not any specific IP address. This worked when I first set up the network (which was easily 10 years ago, I think, on a red hat machine). I never had to enter any IP address in. I was, at least at the time, under the impression that since I'm running the DNS server, my server would be the one to let the internet know where to look via my zone files.

Scynix · 05-12-2011, 08:29 PM

Alright, I'm a doofus. It's been so long since I set the addresses previously I couldn't find it in the (new?) version of their site. Got the addresses updated and within an hour everything seems to be working normally again.

Thanks a lot guys.

MensaWater · 05-13-2011, 09:14 AM

Glad to be of help. Since you appear to have resolved your problem please go to "Thread Tools" and mark this a "Solved". That way anyone doing a web search in future that finds your post may be able to more quickly solve their own issue.

One note though:
Your reverse IPs aren't delegated to you yet. This is something you have to request of the ISP (Cox apparently) rather than the Registrar. Just as the Registrar has to create a forward lookup for your domain servers, the ISP should make a reverse lookup for your range of IPs (not just the name servers but the entire IP range they've assigned to you). That way you can make your own reverse zone that specifies what your various IPs are.

For example your MX record says it is IP 24.120.129.34 but dig -x 24.120.129.35 reports that IP as something on Cox.net:

Quote:

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> -x 24.120.129.34
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11616
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;34.129.120.24.in-addr.arpa. IN PTR

;; ANSWER SECTION:
34.129.120.24.in-addr.arpa. 85932 IN PTR wsip-24-120-129-34.lv.lv.cox.net.

;; Query time: 5 msec
;; SERVER: 10.0.4.108#53(10.0.4.108)
;; WHEN: Fri May 13 10:11:27 2011
;; MSG SIZE rcvd: 90

It should instead specify that this is the IP for mail.darkfalls.net.
Reverse IP lookups aren't absolutely required but some folks might reject your traffic if they can't get what they expect as a reasonable response on doing a reverse lookup. This is especially true for people running mail servers - sometimes if they can't verify your IP on a reverse lookup they'll simply reject your email.