Old 12-03-2009, 06:19 AM   #1
saurabhrh
LQ Newbie
 
Registered: Jan 2007
Posts: 22

Rep: Reputation: 15
DNS MX and NS entry working. but A entry failing. Using bind


Hello,

It would be helpful if someone could take a look and make a suggestion. I have spent almost 5 days on this with no luck.

I have set up a DNS server. When querying with dig, the MX and NS records are correct, but it is timing out for A records.

I am using Linux BIND for the DNS server.

I have registered mydomain.in and transferred the name servers to ns1.mydomain.in (abc.yy.zz.abc).

I have created the following zone file
=================================================
$TTL 900
$ORIGIN mydomain.in.

@ 900 IN SOA ns1.mydomain.in. name.mydomain.in. (
2009120318 ; Serial ID in reverse date format
28800 ; Refresh interval for slave servers
7200 ; Retry interval for slave servers
864000 ; Expire limit for cached info on slave servers
3600 ; Minimum Cache TTL in zone records
);

mydomain.in. NS ns1.mydomain.in.
mydomain.in. NS ns2.mydomain.in.
mydomain.in. NS ns3.mydomain.in.

mydomain.in. A abc.yy.zz.abc

mydomain.in. MX 10 mail
mail IN A abc.yy.zz.abc

mail2 IN A abc.yy.zz.abc
mail3 IN A abc.yy.zz.abc

ns1 IN A abc.yy.zz.abc
ns2 IN A abc.yy.zz.abc
ns3 IN A abc.yy.zz.abc

www IN CNAME mydomain.in.
; loc A abc.yy.zz.abc

====================================

When I run
"dig mydomain.in NS" it's good
"dig mydomain.in MX" it's good (also when sending email from a Gmail account to name@mydomain.in it's good)

"dig mail.mydomain.in A" is sometimes good, sometimes gets a timeout
But
"dig mydomain.in" is bad (timeout)
"dig www.mydomain.in" is bad (timeout)

Other DNS details are available at http://www.intodns.com/mydomain.in

===================
But from the internal network, if I run
"dig mydomain.in" it is good
"dig www.mydomain.in" it is good
=================

Could someone guide me as to where it is failing?

Thanks and regards,
name
================

Last edited by saurabhrh; 03-24-2010 at 08:46 AM. Reason: it contains my personal information.
 
Old 12-03-2009, 06:28 AM   #2
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661

Rep: Reputation: 66
I have a doubt about the following entry

mydomain.in. A 122.166.xx.yy

What does it mean?
Is it specifying the name server IP? But you already include your name server name and IP as well.

I think there is no need for this entry.

Thanks

Last edited by GrapefruiTgirl; 03-24-2010 at 12:57 PM. Reason: removed saurab's personal info
 
Old 12-03-2009, 07:49 AM   #3
lomax0990
LQ Newbie
 
Registered: Jul 2009
Posts: 15

Rep: Reputation: 0
I have always seen A records formatted as

Code:
mydomain.in.   IN    A    122.166.xx.yy
You have:
Code:
mydomain.in. A 122.166.xx.yy
I'm not sure if the IN which you have left out is required, but you could start there.

Last edited by GrapefruiTgirl; 03-24-2010 at 12:57 PM. Reason: removed saurab's personal info.
 
Old 12-03-2009, 07:52 AM   #4
saurabhrh
LQ Newbie
 
Registered: Jan 2007
Posts: 22

Original Poster
Rep: Reputation: 15
No vishesh, it didn't help. In fact this entry is required, otherwise http://mydomain.in would fail.

Last edited by saurabhrh; 03-24-2010 at 08:49 AM.
 
Old 12-03-2009, 08:15 AM   #5
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
@OP
It looks like your name server is not reachable from the internet:
Quote:
dig +trace mydomain.in

; <<>> DiG 9.6.1-P2 <<>> +trace mydomain.in
;; global options: +cmd
. 440632 IN NS a.root-servers.net.
. 440632 IN NS g.root-servers.net.
. 440632 IN NS k.root-servers.net.
. 440632 IN NS i.root-servers.net.
. 440632 IN NS l.root-servers.net.
. 440632 IN NS c.root-servers.net.
. 440632 IN NS e.root-servers.net.
. 440632 IN NS j.root-servers.net.
. 440632 IN NS b.root-servers.net.
. 440632 IN NS f.root-servers.net.
. 440632 IN NS d.root-servers.net.
. 440632 IN NS h.root-servers.net.
. 440632 IN NS m.root-servers.net.
;; Received 288 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

in. 172800 IN NS B2.IN.AFILIAS-NST.ORG.
in. 172800 IN NS D0.CCTLD.AFILIAS-NST.ORG.
in. 172800 IN NS B1.IN.AFILIAS-NST.in.
in. 172800 IN NS A1.IN.AFILIAS-NST.in.
in. 172800 IN NS C0.CCTLD.AFILIAS-NST.INFO.
in. 172800 IN NS A0.CCTLD.AFILIAS-NST.INFO.
in. 172800 IN NS A2.IN.AFILIAS-NST.INFO.
in. 172800 IN NS B0.CCTLD.AFILIAS-NST.ORG.
;; Received 499 bytes from 192.36.148.17#53(i.root-servers.net) in 228 ms

mydomain.in. 86400 IN NS ns1.mydomain.in.
mydomain.in. 86400 IN NS ns2.mydomain.in.
mydomain.in. 86400 IN NS ns3.mydomain.in.
;; Received 133 bytes from abc.xyz.62.1#53(D0.CCTLD.AFILIAS-NST.ORG) in 96 ms

;; connection timed out; no servers could be reached
Also I get SERVFAIL digging for MX and NS records. So it looks like a firewall issue to me.

@vishesh
This is a valid entry. It gives the domain and IP address (same as @ A def.ghi.44.28).

@lomax0990
IN is not necessary as it's the default value for the class of a record.

Last edited by bathory; 03-24-2010 at 01:30 PM. Reason: removed saurab's personal info.
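
Added example (not part of the thread or any poster's code): a small Python normalizer for BIND-style zone lines, showing that the records as written in the first post and the `@` / implicit-`IN` shorthand discussed in posts #2 to #5 expand to the same records. The function names and the address 192.0.2.10 (a documentation address) are constructed; it assumes numeric TTLs and handles only `$ORIGIN`, `$TTL`, `@`, a blank owner, optional TTL/class fields and parenthesised records.

```python
CLASSES = {"IN", "CH", "HS"}
NAME_RDATA = {"NS", "CNAME", "MX", "PTR"}  # rdata ends in a domain name

def logical_lines(text):
    """Strip ';' comments and join records wrapped in parentheses."""
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf += line.replace("(", " ").replace(")", " ") + " "
        if depth == 0:
            if buf.strip():
                yield buf
            buf = ""

def absolute(name, origin):
    """Expand '@' and relative names against the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def normalize(zone_text):
    """Return (owner, ttl, class, type, rdata) tuples with defaults filled in."""
    origin, ttl, owner, records = ".", None, None, []
    for line in logical_lines(zone_text):
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
        elif fields[0] == "$TTL":
            ttl = int(fields[1])
        else:
            if not line[0].isspace():        # owner name starts in column 1
                owner = absolute(fields.pop(0), origin)
            rec_ttl, rec_class = ttl, "IN"   # class defaults to IN in an IN zone
            while fields[0].isdigit() or fields[0].upper() in CLASSES:
                tok = fields.pop(0).upper()
                rec_ttl, rec_class = (int(tok), rec_class) if tok.isdigit() else (rec_ttl, tok)
            rtype, rdata = fields[0].upper(), fields[1:]
            if rtype in NAME_RDATA:
                rdata[-1] = absolute(rdata[-1], origin)
            records.append((owner, rec_ttl, rec_class, rtype, " ".join(rdata)))
    return records

# Constructed sample input: the same records written two ways.
HEADER = "$TTL 900\n$ORIGIN mydomain.in.\n"
ZONE_AS_POSTED = HEADER + """\
mydomain.in. NS ns1.mydomain.in.
mydomain.in. A 192.0.2.10
mydomain.in. MX 10 mail
mail IN A 192.0.2.10
"""
ZONE_SHORTHAND = HEADER + """\
@        IN NS ns1
         IN A 192.0.2.10
         MX 10 mail.mydomain.in.
mail 900 IN A 192.0.2.10
"""
```

`normalize(ZONE_AS_POSTED) == normalize(ZONE_SHORTHAND)` holds, so the missing `IN` and the fully written owner name do not change what the server loads.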
 
Old 12-03-2009, 08:25 AM   #6
saurabhrh
LQ Newbie
 
Registered: Jan 2007
Posts: 22

Original Poster
Rep: Reputation: 15

Bathory,

Thanks for looking into it.

==========
But it doesn't seem like a firewall to me,

because from outside I can telnet to IP:53 for the DNS server.

Also "dig mydomain MX" is giving correct output. Also from my Gmail I am able to send email to user@mydomain.in.

Also http://IP is working.

============

Any idea, when "dig mydomain.in MX" and "mydomain.in NS" are working, why "dig mydomain.in A" is not working?

Thanks,
name

Last edited by saurabhrh; 03-24-2010 at 08:50 AM. Reason: it contains some personal information
 
Old 12-03-2009, 09:20 AM   #7
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
The thing is very strange:

From my dns:
Code:
dig mydomain.in

; <<>> DiG 9.6.1-P2 <<>> mydomain.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43599
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mydomain.in.                 IN      A

;; Query time: 0 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Thu Dec  3 16:56:44 2009
;; MSG SIZE  rcvd: 31
From opendns:
Code:
dig mydomain.in @efg.hi.jkl.222

; <<>> DiG 9.6.1-P2 <<>> mydomain.in @efg.hi.jkl.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53733
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mydomain.in.                 IN      A

;; ANSWER SECTION:
mydomain.in.          722     IN      A       abc.def.44.28

;; Query time: 86 msec
;; SERVER: wxy.67.abc.222#53(208.67.abc.xyz)
;; WHEN: Thu Dec  3 17:18:22 2009
;; MSG SIZE  rcvd: 47
Somehow for some of us, we get a response from a nameserver at AFILIAS-NST.ORG, that does not forward further, while opendns (and I guess gmail since you can get email from them) are using your dns.
Maybe you have to wait until your changes get propagated.

Regards

Last edited by GrapefruiTgirl; 03-24-2010 at 01:08 PM. Reason: more of saurab's personal info removed.
 
Old 12-03-2009, 08:00 PM   #8
saurabhrh
LQ Newbie
 
Registered: Jan 2007
Posts: 22

Original Poster
Rep: Reputation: 15
Bathory,

Thanks a lot. That does explain something at least.

But now I checked and it's showing the wrong IP. The correct one should be ip, but it's showing ip for mydomain.in.
Any idea how it got changed on its own?

--------------------
dig mydomain.in @ip

; <<>> DiG 9.2.1 <<>> mydomain.in @ip
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26426
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mydomain.in. IN A

;; ANSWER SECTION:
mydomain.in. 0 IN A xxxx


regards,
name

Last edited by saurabhrh; 03-24-2010 at 08:51 AM.
 
Old 12-04-2009, 12:24 AM   #9
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
dig -x zz.yyy.ww.eee

;; ANSWER SECTION:
abc.66.def.67.in-addr.arpa. 86276 IN PTR bleep.bloop.opendns.com.
It looks like you've changed something, and opendns, instead of a SERVFAIL message, sends back the IP of a server that you get redirected to when you use their service.
Use the following (just change the serial) and see if it works:
Code:
$TTL 900
$ORIGIN mydomain.in.

@ IN SOA ns1.mydomain.in. me.mydomain.in. (
2009120318   ; Serial ID in reverse date format
28800        ; Refresh interval for slave servers
7200         ; Retry interval for slave servers
864000       ; Expire limit for cached info on slave servers
3600         ; Minimum Cache TTL in zone records
);

               NS ns1.mydomain.in.
               NS ns2.mydomain.in.
               NS ns3.mydomain.in.
               MX 10 mail

@              IN A 122.166.xx.yy

mail           IN A 122.166.xx.yy
mail2          IN A 122.166.xx.yy
mail3          IN A 122.166.xx.yy

ns1            IN A 122.166.xx.yy
ns2            IN A 122.166.xx.yy
ns3            IN A 122.166.xx.yy

www            IN CNAME mydomain.in.

Last edited by bathory; 03-24-2010 at 01:31 PM. Reason: removed saurab's personal info.
 
Old 12-04-2009, 04:46 AM   #10
saurabhrh
LQ Newbie
 
Registered: Jan 2007
Posts: 22

Original Poster
Rep: Reputation: 15
dig mail.mydomain.in A (GOOD) resolving to IP, and I am also getting email when sent from my Gmail ID.

but

dig mydomain.in A (FAILING)
dig www.mydomain.in A (FAILING)

========
I have "mydomain.in" mentioned only in named.conf and mydomain.in.zone. Nowhere else is mydomain.in mentioned in any file of the BIND setup. Could that be the reason, am I missing anything? But since it's able to resolve mail.mydomain.in and not the domain, it looks very, very strange to me. Or is it some kind of bug in BIND?

in named.conf
Quote:
zone "mydomain.in" IN {
type master;
notify no;
allow-query { any; };
file "mydomain.in.zone";
};
=================

Last edited by saurabhrh; 03-24-2010 at 08:51 AM.
 
Old 12-04-2009, 04:48 AM   #11
saurabhrh
LQ Newbie
 
Registered: Jan 2007
Posts: 22

Original Poster
Rep: Reputation: 15
Bathory, also the above-mentioned suggestion by you didn't help. Still bad.
 
Old 12-04-2009, 05:07 AM   #12
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
You have messed things up somehow I cannot understand. From my side now, everything works, except mx!!!

Code:
 dig mydomain.in

; <<>> DiG 9.6.1-P2 <<>> mydomain.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46626
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 13

;; QUESTION SECTION:
;mydomain.in.                 IN      A

;; ANSWER SECTION:
mydomain.in.          8575    IN      A       abc.xyz.44.28

;; AUTHORITY SECTION:
mydomain.in.          34338   IN      NS      ns4.mydomain.com.
mydomain.in.          34338   IN      NS      ns2.mydomain.in.
mydomain.in.          34338   IN      NS      ns2.mydomain.com.
mydomain.in.          34338   IN      NS      ns3.mydomain.in.
mydomain.in.          34338   IN      NS      ns1.mydomain.in.
mydomain.in.          34338   IN      NS      ns3.mydomain.com.
mydomain.in.          34338   IN      NS      ns1.mydomain.com.

;; ADDITIONAL SECTION:
ns1.mydomain.in.      14130   IN      A       ip.ip.44.28
ns1.mydomain.com. 166945 IN    A       67.15.ip.ip
ns1.mydomain.com. 166945 IN    A       67.15.ip.ip
ns1.mydomain.com. 166945 IN    A       67.15.ip.ip
ns2.mydomain.com. 166945 IN    A       74.54.ip.ip
ns2.mydomain.com. 166945 IN    A       74.54.ip.ip
ns2.mydomain.com. 166945 IN    A       74.54.ip.ip
ns3.mydomain.com. 166945 IN    A       67.15.ip.ip
ns3.mydomain.com. 166945 IN    A       67.15.ip.ip
ns3.mydomain.com. 166945 IN    A       67.15.ip.ip
ns4.mydomain.com. 166945 IN    A       74.52.ip.ip
ns4.mydomain.com. 166945 IN    A       74.52.ip.ip
ns4.mydomain.com. 166945 IN    A       74.52.ip.ip

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec  4 13:01:05 2009
;; MSG SIZE  rcvd: 402
Code:
 dig mx mydomain.in

; <<>> DiG 9.6.1-P2 <<>> mx mydomain.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57725
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mydomain.in.                 IN      MX

;; AUTHORITY SECTION:
mydomain.in.          10547   IN      SOA     ns1.mydomain.com. saurabblah.some-email.com. 2009120301 7200 7200 7200 7200

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec  4 13:02:00 2009
;; MSG SIZE  rcvd: 107
As you see in the SOA record above, it looks like the authoritative dns is ns1.mydomainsearch.com and not ns1.mydomain.in!!!. In fact:
Code:
dig soa mydomain.in

; <<>> DiG 9.6.1-P2 <<>> soa mydomain.in
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31385
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 13

;; QUESTION SECTION:
;mydomain.in.                 IN      SOA

;; ANSWER SECTION:
mydomain.in.          38029   IN      SOA     ns1.mydomainsearch.com. saurabblah.some-email.com. 2009120301 7200 7200 7200 7200

;; AUTHORITY SECTION:
mydomain.in.          34118   IN      NS      ns2.mydomain.in.
mydomain.in.          34118   IN      NS      ns2.mydomainsearch.com.
mydomain.in.          34118   IN      NS      ns3.mydomainsearch.com.
mydomain.in.          34118   IN      NS      ns3.mydomain.in.
mydomain.in.          34118   IN      NS      ns1.mydomain.in.
mydomain.in.          34118   IN      NS      ns1.mydomainsearch.com.
mydomain.in.          34118   IN      NS      ns4.mydomainsearch.com.

;; ADDITIONAL SECTION:
ns1.mydomain.in.      13910   IN      A       aaa.bb.44.28
ns1.mydomainsearch.com. 166725 IN    A       aaa.bb.253.251
ns1.mydomainsearch.com. 166725 IN    A       aa.bb.47.189
ns1.mydomainsearch.com. 166725 IN    A       aa.bb.253.220
ns2.mydomainsearch.com. 166725 IN    A       aa.bb.56.231
ns2.mydomainsearch.com. 166725 IN    A       aa.bb.56.236
ns2.mydomainsearch.com. 166725 IN    A       aa.bb.cc.227
ns3.mydomainsearch.com. 166725 IN    A       aa.bb.47.188
ns3.mydomainsearch.com. 166725 IN    A       aa.bb.253.219
ns3.mydomainsearch.com. 166725 IN    A       bb.bb.253.252
ns4.mydomainseaarch.com. 166725 IN    A       aa.bb.140.84
ns4.mydomainsearch.com. 166725 IN    A       aa.bb.140.82
ns4.mydomainsearch.com. 166725 IN    A       aa.bb.140.83

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec  4 13:04:45 2009
;; MSG SIZE  rcvd: 437
How do you explain this?

Last edited by bathory; 03-24-2010 at 01:32 PM. Reason: remove saurab's personal info
 
Old 12-04-2009, 06:00 AM   #13
saurabhrh
LQ Newbie
 
Registered: Jan 2007
Posts: 22

Original Poster
Rep: Reputation: 15
Let me explain why it happened for you.

Actually, for an hour I reverted to the nameservers of domainsearchindia.com, through whom I have registered mydomain.in. So it worked and even showed the A record. I purposely deleted the MX entry there to see whether it's actually failing for MX or not.

But now I have again changed to the nameserver I have set up on BIND. Now again it's not working.

So it seems that if I change to the nameservers of domainsearchindia.com then everything is good. But if I change to the nameserver of only ns1.mydomain.in then only MX, SOA, NS records are showing. A is just not showing.

Thanks,
nae

Last edited by saurabhrh; 03-24-2010 at 08:52 AM.
 
Old 12-04-2009, 06:25 AM   #14
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
This is strange!! Sometimes your server responds and other times it is unreachable!!!
Code:
 dig mx mydomain.in @aaa.bb.44.28

; <<>> DiG 9.6.1-P2 <<>> mx mydomain.in @aaa.bb.44.28

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30659
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mydomain.in.                 IN      MX

;; ANSWER SECTION:
mydomain.in.          900     IN      MX      10 mail.mydomain.in.

;; AUTHORITY SECTION:
mydomain.in.          900     IN      NS      ns3.mydomain.in.
mydomain.in.          900     IN      NS      ns1.mydomain.in.
mydomain.in.          900     IN      NS      ns2.mydomain.in.

;; ADDITIONAL SECTION:
mail.mydomain.in.     900     IN      A       aaa.bb.44.28
ns1.mydomain.in.      900     IN      A       aaa.bb.44.28
ns2.mydomain.in.      900     IN      A       aaa.bb.44.28
ns3.mydomain.in.      900     IN      A       aaa.bb.44.28

;; Query time: 203 msec
;; SERVER: aaa.bb.44.28#53(122.166.44.28)
;; WHEN: Fri Dec  4 14:22:21 2009
;; MSG SIZE  rcvd: 170
Code:
dig ns1.mydomain.in @aaa.bb.44.28

; <<>> DiG 9.6.1-P2 <<>> ns1.mydomain.in @aaa.bb.44.28

;; global options: +cmd
;; connection timed out; no servers could be reached
Remove the entries for ns2 and ns3 (they are useless as they point to the same IP) to see if this is the reason, because bind tries to round-robin dns.

Last edited by bathory; 03-24-2010 at 01:42 PM.
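
Added example (not from the thread): a Python check over saved dig output that flags the conditions read by eye in posts #12 and #14, namely a timeout, a non-NOERROR status, an answer without the `aa` flag, and SOA or NS targets outside the name servers the zone is expected to use. The function names are hypothetical and the sample outputs are constructed, modelled on the replies above.

```python
import re

def parse_dig(text):
    """Parse dig's default output: status, header flags, records per section."""
    out = {"status": None, "flags": set(), "timeout": False,
           "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for line in map(str.strip, text.splitlines()):
        if "connection timed out" in line:
            out["timeout"] = True
        if m := re.search(r"status: (\w+)", line):
            out["status"] = m.group(1)
        if m := re.match(r";; flags: ([a-z ]+);", line):
            out["flags"] = set(m.group(1).split())
        if m := re.match(r";; (\w+) SECTION:", line):
            section = m.group(1)
        elif line and not line.startswith(";") and section in out:
            name, _ttl, _class, rtype, *rdata = line.split()
            out[section].append((name.lower(), rtype, " ".join(rdata).lower()))
    return out

def diagnose(text, expected_ns):
    """Compare one dig reply with the name servers the zone should be using."""
    reply, expected = parse_dig(text), {n.lower() for n in expected_ns}
    if reply["timeout"]:
        return ["no reply: server did not answer this query"]
    findings = []
    if reply["status"] != "NOERROR":
        findings.append(f"status {reply['status']}")
    if "aa" not in reply["flags"]:
        findings.append("non-authoritative answer (aa flag not set)")
    for _name, rtype, rdata in reply["ANSWER"] + reply["AUTHORITY"]:
        target = rdata.split()[0]            # NS target, or SOA MNAME
        if rtype in ("SOA", "NS") and target not in expected:
            findings.append(f"unexpected {rtype} target {target}")
    return findings

# Constructed sample outputs, modelled on the replies in this thread.
CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31385
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
mydomain.in. 38029 IN SOA ns1.mydomainsearch.com. admin.example.com. 2009120301 7200 7200 7200 7200

;; AUTHORITY SECTION:
mydomain.in. 34118 IN NS ns1.mydomain.in.
mydomain.in. 34118 IN NS ns1.mydomainsearch.com.
"""
AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30659
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; ANSWER SECTION:
mydomain.in. 900 IN MX 10 mail.mydomain.in.

;; AUTHORITY SECTION:
mydomain.in. 900 IN NS ns1.mydomain.in.
"""
TIMEOUT = ";; connection timed out; no servers could be reached\n"
```

Calling `diagnose(CACHED, ["ns1.mydomain.in."])` reports the missing `aa` flag and the registrar's name server in both the SOA and NS records, while the authoritative sample returns no findings.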
 
Old 12-04-2009, 12:11 PM   #15
saurabhrh
LQ Newbie
 
Registered: Jan 2007
Posts: 22

Original Poster
Rep: Reputation: 15
Bathory,

This didn't help either.

Looks like there is something I have really missed in the BIND setup. Because if it can get my MX records correctly, then it can't be a firewall or any problem outside. It has to be something related to BIND, doesn't it?

regards,
nae

Last edited by saurabhrh; 03-24-2010 at 08:53 AM.
 
  

