Old 08-12-2009, 03:00 AM   #1
vikki
Member
 
Registered: Jun 2009
Posts: 30

Rep: Reputation: 18
DNS Server answers SERVFAIL


This is how my named.conf looks:

options
{
/* make named use port 53 for the source of all queries, to allow
* firewalls to block all ports except 53:
*/
query-source port 53;
query-source-v6 port 53;
listen-on port 53 { any; };
view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
that connect via your directly attached LAN interfaces - "localnets" .
*/
match-clients { localnets; };
match-destinations { localnets; };
recursion yes;
// all views must contain the root hints zone:
include "/etc/named.root.hints";
// include "named.rfc1912.zones";
// you should not serve your rfc1912 names to non-localhost clients.

// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :
zone "lnmiit.ac.in" {
type master;
allow-query { any; };
file "server.zone";
};
zone "2.22.172.in-addr.arpa." {
type master;
allow-query { any; };
file "server.local";
};
};



and my zone files look like this:

$TTL 3D
@ IN SOA nfs.lnmiit.ac.in. noc@nfs.lnmiit.ac.in. (
2009081218 ; Serial
2H ; Refresh
10M ; Retry
1D ; Expire
1D ) ; Minimum
@ IN NS nfs.lnmiit.ac.in.
212 PTR www.lnmiit.ac.in.
212 PTR proxy2.lnmiit.ac.in.
211 PTR proxy.lnmiit.ac.in.


$TTL 3D
@ IN SOA nfs.lnmiit.ac.in. noc@lnmiit.ac.in. (
2009081217 ; serial (d. adams)
2H ; refresh
10M ; retry
1D ; expiry
1D ) ; minimum

@ IN NS nfs.lnmiit.ac.in.
nfs IN A 172.22.2.195
proxy IN A 172.22.2.211
proxy2 IN A 172.22.2.212
www IN A 172.22.2.212


I am not able to dig my servers. This error comes while running dig:

dig www.lnmiit.ac.in

; <<>> DiG 9.3.3rc2 <<>> www.lnmiit.ac.in
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34447
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.lnmiit.ac.in. IN A

;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 12 21:16:09 2009
;; MSG SIZE rcvd: 34


Can someone help me with where I am wrong and why there is SERVFAIL in the answers?
 
Old 08-12-2009, 04:09 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Are you sure that named is running? Check /var/log/messages (or the file bind uses for logging in your distro), because there are some errors in your config and zone files.

In named.conf:
There is no closing bracket "}" for the options part in named.conf.
You haven't defined the localnets ACL, and you don't need "match-destinations".

In both the zone files you have to replace "noc@lnmiit.ac.in." with "noc.lnmiit.ac.in." in the SOA record.

Note that you can use named-checkconf and named-checkzone to check your setup.
 
Old 08-12-2009, 04:28 AM   #3
vikki
Member
 
Registered: Jun 2009
Posts: 30

Original Poster
Rep: Reputation: 18
Hello

Yes, my named service is running.

And about the closing } in options: my named.conf is perfect with no errors; I checked it with named-checkconf.
Actually, while copying, it was mistakenly not copied.

zone lnmiit.ac.in/IN: loaded serial 2009081217
OK
&

zone 2.22.172.in-addr.arpa/IN: loaded serial 2009081218
OK


What should I do?

I copied these files from the server running my external DNS. It is working fine... here I changed only the IPs and it stopped working.
 
Old 08-12-2009, 04:35 AM   #4
vikki
Member
 
Registered: Jun 2009
Posts: 30

Original Poster
Rep: Reputation: 18
This is my complete named.conf:

//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
// file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
/* make named use port 53 for the source of all queries, to allow
* firewalls to block all ports except 53:
*/
query-source port 53;
query-source-v6 port 53;
listen-on port 53 { any; };

// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";

};
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
* If all you want is a caching-only nameserver, then you need only define this view:
*/
match-clients { localhost; };
match-destinations { localhost; };
recursion yes;
# all views must contain the root hints zone:
include "/etc/named.root.hints";

/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* ONLY be served to localhost clients:
*/
include "/etc/named.rfc1912.zones";
};
view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
that connect via your directly attached LAN interfaces - "localnets" .
*/
match-clients { localnets; };
match-destinations { localnets; };
recursion yes;
// all views must contain the root hints zone:
include "/etc/named.root.hints";

// include "named.rfc1912.zones";
// you should not serve your rfc1912 names to non-localhost clients.

// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :

zone "lnmiit.ac.in" {
type master;
allow-query { any; };
file "server.zone";
};
zone "2.22.172.in-addr.arpa." {
type master;
allow-query { any; };
file "server.local";
};
};


Actually, at that time I tried to delete the comments, so that caused a bit of confusion.
 
Old 08-12-2009, 05:05 AM   #5
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
I see that you ran dig from localhost. Try
Code:
dig www.lnmiit.ac.in @172.22.2.195
to see if it works.
 
Old 08-12-2009, 06:28 AM   #6
vikki
Member
 
Registered: Jun 2009
Posts: 30

Original Poster
Rep: Reputation: 18
[root@nfs ~]# dig www.lnmiit.ac.in@172.22.2.195

; <<>> DiG 9.3.3rc2 <<>> www.lnmiit.ac.in@172.22.2.195
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10629
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.lnmiit.ac.in\@172.22.2.195. IN A

;; Query time: 2 msec
;; SERVER: 172.22.2.195#53(172.22.2.195)
;; WHEN: Thu Aug 13 00:47:43 2009
;; MSG SIZE rcvd: 47


No sir, no success so far.

P.S. This is in a chroot environment, if it helps.
 
Old 08-12-2009, 08:03 AM   #7
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Does the reverse lookup work? Also can you resolve other domains?
Code:
dig -x 172.22.2.212
dig www.google.com
Take a look at the logfile (data/named.run) to see if you find something, and since it's a SELinux distro, check that it's not a security problem.
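A zone-file lint, added here as an example that is not part of the thread, covering the two checks bathory raises in posts #2 and #7: the '@' in the SOA RNAME field, and whether the reverse zone agrees with the forward zone (the question behind "Does the reverse lookup work?"). The zone contents are the ones vikki posted; the temporary directory, the function names and the awk heuristics are this example's own. It is a lint, not a replacement for named-checkzone, which it runs when that tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): lint the two zone files posted above.
# Files are written to a temporary directory (an assumption of this example).
ZONE_DIR=$(mktemp -d)

# Forward zone, as posted (file name from the thread's named.conf).
cat > "$ZONE_DIR/server.zone" <<'EOF'
$TTL 3D
@ IN SOA nfs.lnmiit.ac.in. noc@lnmiit.ac.in. (
2009081217 ; serial
2H ; refresh
10M ; retry
1D ; expiry
1D ) ; minimum
@ IN NS nfs.lnmiit.ac.in.
nfs IN A 172.22.2.195
proxy IN A 172.22.2.211
proxy2 IN A 172.22.2.212
www IN A 172.22.2.212
EOF

# Reverse zone for 172.22.2.0/24, as posted.
cat > "$ZONE_DIR/server.local" <<'EOF'
$TTL 3D
@ IN SOA nfs.lnmiit.ac.in. noc@nfs.lnmiit.ac.in. (
2009081218 ; Serial
2H ; Refresh
10M ; Retry
1D ; Expire
1D ) ; Minimum
@ IN NS nfs.lnmiit.ac.in.
212 PTR www.lnmiit.ac.in.
212 PTR proxy2.lnmiit.ac.in.
211 PTR proxy.lnmiit.ac.in.
EOF

# Print the SOA RNAME: the field two after the "SOA" token (MNAME sits between).
soa_rname() {
    awk '{ for (i = 1; i <= NF; i++) if (toupper($i) == "SOA") { print $(i + 2); exit } }' "$1"
}

# The RNAME is a domain name, not a mailbox: "noc@lnmiit.ac.in." must be
# written "noc.lnmiit.ac.in.". Prints the value to use; returns 1 if it had '@'.
lint_soa_rname() {
    rname=$(soa_rname "$1")
    case "$rname" in
        *@*) printf '%s\n' "$rname" | sed 's/@/./'; return 1 ;;
        *)   printf '%s\n' "$rname"; return 0 ;;
    esac
}

# Compare A records in the forward zone with PTR records in the reverse zone.
# Args: forward file, forward origin, reverse file, the /24 prefix it covers.
# Prints one line per mismatch and returns 1 if there were any.
ptr_consistency() {
    awk -v origin="$2" -v prefix="$4" '
        BEGIN { bad = 0 }
        # forward zone: "name [IN] A ip"; skip $TTL, @ and comment lines
        FILENAME == ARGV[1] && $0 ~ /[[:space:]]A[[:space:]]/ && $1 !~ /^[$@;]/ {
            fwd[$1 "." origin "."] = $NF
        }
        # reverse zone: "lastoctet [IN] PTR fqdn."
        FILENAME == ARGV[2] && $0 ~ /[[:space:]]PTR[[:space:]]/ {
            rev[$NF] = prefix "." $1
        }
        END {
            for (n in fwd) {
                if (!(n in rev)) { print "no PTR for " n " (" fwd[n] ")"; bad = 1 }
                else if (rev[n] != fwd[n]) { print "PTR " n " -> " rev[n] " but A is " fwd[n]; bad = 1 }
            }
            for (n in rev) if (!(n in fwd)) { print "PTR " n " has no A record"; bad = 1 }
            exit bad
        }' "$1" "$3"
}

# Usage on the thread's own data.
for f in "$ZONE_DIR/server.zone" "$ZONE_DIR/server.local"; do
    if fixed=$(lint_soa_rname "$f"); then
        echo "$f: SOA RNAME ok ($fixed)"
    else
        echo "$f: SOA RNAME contains '@'; change it to $fixed"
    fi
done
ptr_consistency "$ZONE_DIR/server.zone" lnmiit.ac.in "$ZONE_DIR/server.local" 172.22.2 \
    || echo "forward and reverse zones disagree (see above)"

# BIND's own checker is the authoritative syntax test; run it when present.
if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone lnmiit.ac.in "$ZONE_DIR/server.zone" || echo "named-checkzone: problems in server.zone"
    named-checkzone 2.22.172.in-addr.arpa "$ZONE_DIR/server.local" || echo "named-checkzone: problems in server.local"
fi
```

On the posted data the consistency check reports that nfs.lnmiit.ac.in. (172.22.2.195) has no PTR record, which named-checkzone cannot notice because each zone is valid on its own; the RNAME lint flags both files, matching post #2.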
 
Old 08-13-2009, 02:38 AM   #8
vikki
Member
 
Registered: Jun 2009
Posts: 30

Original Poster
Rep: Reputation: 18
Issue got resolved.
Thanks very much.
 
Old 08-13-2009, 02:48 AM   #9
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Glad to see you've made it.
Could you post here the solution, so it may be of help for someone else with the same problem?

Cheers
 
Old 08-13-2009, 03:38 AM   #10
nowonmai
Member
 
Registered: Jun 2003
Posts: 481

Rep: Reputation: 48
Quote:
Originally Posted by vikki View Post
This is how my named.conf looks like
Code:
options
{
        /* make named use port 53 for the source of all queries, to allow
         * firewalls to block all ports except 53:
         */
        query-source    port 53;
        query-source-v6 port 53;
This section is a particularly bad idea. Having a predictable source port enables cache poisoning attacks.

Read this for further information.
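An audit for the setting nowonmai warns about, added here as an example that is not part of the thread: it writes the weak fragment from the posted named.conf and a corrected one side by side, then flags any uncommented query-source line that pins the port to a number. The temporary directory, the file names and the grep heuristic are this example's own; the `query-source address * port *;` form is the BIND 9 syntax for letting named choose a random source port per query.

```shell
#!/bin/sh
# Added example (not from the thread): detect a pinned query source port.
# Sending every upstream query from port 53 leaves only the 16-bit query ID
# for a spoofed answer to match; a random source port adds its own entropy.
# The directory and file names below are assumptions of this example.
CONF_DIR=$(mktemp -d)

# Weak fragment, as it appears in the thread's named.conf.
cat > "$CONF_DIR/weak.conf" <<'EOF'
options {
        query-source    port 53;
        query-source-v6 port 53;
        listen-on port 53 { any; };
};
EOF

# Corrected fragment: a random source port per query (the BIND 9 default,
# "port *" makes it explicit). The firewall must then allow the UDP replies
# back to ephemeral ports, i.e. track state, instead of opening only 53.
cat > "$CONF_DIR/fixed.conf" <<'EOF'
options {
        query-source    address * port *;
        query-source-v6 address * port *;
        listen-on port 53 { any; };
};
EOF

# Heuristic: an uncommented query-source / query-source-v6 line whose port
# is a literal number. Lines commented out with // or # do not match.
FIXED_PORT_RE='^[[:space:]]*query-source(-v6)?[[:space:]].*port[[:space:]]+[0-9]+'

# Prints the offending lines with their line numbers; returns 1 if any exist.
audit_query_source() {
    hits=$(grep -En "$FIXED_PORT_RE" "$1" || :)
    if [ -n "$hits" ]; then
        echo "$1: query source port is pinned (cache-poisoning risk):"
        echo "$hits"
        return 1
    fi
    echo "$1: query source port is not pinned"
}

audit_query_source "$CONF_DIR/weak.conf" || :
audit_query_source "$CONF_DIR/fixed.conf"
```

Run against a real server, point it at the live named.conf (including any files it pulls in with `include`), and confirm the result from outside with a port-randomisation test rather than trusting the config alone, since a NAT device in front of the resolver can undo the randomisation.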
 
  

