LinuxQuestions.org
Old 03-28-2007, 01:51 AM   #1
Nikosis
Member
 
Registered: Dec 2005
Location: In front of the monitor
Distribution: Slackware
Posts: 322

Rep: Reputation: 59
Dns question


Hi
I've got a strange problem with my DNS: everything works (www, DNS for local hosts) except it doesn't resolve names for my server. I'm not sure what might be wrong; I checked my zones, and everything is OK.

my-domain.org
Quote:
$TTL 86400
$ORIGIN my-domain.org.
@ 1D IN SOA ns1.my-domain.org. hostmaster.my-domain.org. (
        2007031100 ; serial
        3H ; refresh
        15 ; retry
        1w ; expire
        3h ; minimum
        )
        IN NS ns1.my-domain.org. ; internal
        IN NS 1.external.net. ; external
        IN NS 2.external.net. ; external
        IN NS external.net. ; external
        IN MX 10 mail.my-domain.org. ; internal mail provider
; server host definitions
ns1 IN A 333.333.333.1 ;name server definition
mail IN A 333.333.333.1 ;mail server definition
www IN A 333.333.333.1 ;web server definition
ftp IN CNAME www.my-domain.org. ;ftp server definition
localhost.zone
Quote:
$TTL 86400
$ORIGIN localhost.
@ 1D IN SOA @ root (
        42 ; serial (d. adams)
        3H ; refresh
        15M ; retry
        1W ; expiry
        1D ) ; minimum

        1D IN NS @
        1D IN A 127.0.0.1
localhost.rev
Quote:
$TTL 86400
@ IN SOA localhost. root.localhost. (
        2007031100 ; Serial
        28800 ; Refresh
        14400 ; Retry
        3600000 ; Expire
        86400 ) ; Minimum
        IN NS localhost.

1 IN PTR localhost.

Thx

Last edited by Nikosis; 03-28-2007 at 03:10 AM.
 
Old 03-28-2007, 03:59 AM   #2
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 31
Hello,

The zone definitions seem ok except for:
Quote:
ns1 IN A 333.333.333.1 ;name server definition
mail IN A 333.333.333.1 ;mail server definition
www IN A 333.333.333.1 ;web server definition
ftp IN CNAME www.my-domain.org. ;ftp server definition
It's better if you keep only one A record per host and use CNAME for any other names. Like this:
Code:
ns1 IN A 333.333.333.1 ;name server definition
mail IN CNAME ns1.my-domain.org. ;mail server definition
www IN CNAME ns1.my-domain.org. ;web server definition
ftp IN CNAME ns1.my-domain.org. ;ftp server definition
As for the server resolving names for itself, this will work if the server is configured to listen (and accept queries) on the loopback interface 127.0.0.1 and at the same time /etc/resolv.conf references 127.0.0.1 as the name server.

Could you post /etc/resolv.conf and /etc/bind/named.conf?
(Make sure to hide any rndc key secrets before posting.)
 
Old 03-28-2007, 01:26 PM   #3
Nikosis
Member
 
Registered: Dec 2005
Location: In front of the monitor
Distribution: Slackware
Posts: 322

Original Poster
Rep: Reputation: 59
Hi
Thanks for the advice
named.conf
Quote:
options {
    directory "/var/named";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
    // version statement for security to avoid hacking known weaknesses
    version "not currently available";
    // optional - disables all transfers - slaves allowed in zone clauses
    allow-transfer {"none";};
    // Closed DNS - permits only local IPs to issue recursive queries
    // remove if an Open DNS required to support all users
    // or add additional ranges
    allow-recursion {192.168.1.0/24;};
    //allow-query {192.168.1.0/24;};
};
logging{
    channel my_log{
        file "/var/log/named/my.log" versions 3 size 2m;
        severity info;
        print-severity yes;
        print-time yes;
        print-category yes;
    };
    category default{
        my_log;
    };
};
// required zone for recursive queries
zone "." {
    type hint;
    file "caching/named.ca";
};
zone "my-domain.org" IN {
    type master;
    file "master/my-domain.org";
    // enable slaves only
    allow-transfer { 1.2.3.4;5.6.7.8;9.10.11.12; };
};
// required local host domain
zone "localhost" IN {
    type master;
    file "caching/localhost.zone";
    allow-update { none; };
};
// localhost reverse map
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "caching/localhost.rev";
    allow-update { none; };
};
// reverse map for class C 192.168.0.0
zone "1.168.192.IN-ADDR.ARPA" IN {
    type master;
    file "master/192.168.1.rev";
};
resolv.conf
Quote:
search my-domain.org
nameserver 333.333.333.1
nameserver 1.2.3.4
nameserver 5.6.7.8
Thx
 
Old 03-28-2007, 06:18 PM   #4
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 31
Modify the options section to something like:
Code:
options {
    directory "/var/named";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
    // version statement for security to avoid hacking known weaknesses
    version "not currently available";
    // optional - disables all transfers - slaves allowed in zone clauses
    allow-transfer {"none";};
    // Closed DNS - permits only local IPs to issue recursive queries
    // remove if an Open DNS required to support all users
    // or add additional ranges
    allow-recursion {192.168.1.0/24;};
    //allow-query {192.168.1.0/24;};
    allow-query {192.168.1.0/24; 127.0.0.1;};
    listen-on {192.168.1.xxx; 127.0.0.1;};
};
This allows the server to talk to itself over the loopback interface 127.0.0.1.
(Make sure to put your server's IP address instead of 192.168.1.xxx.)

Then modify /etc/resolv.conf to include 127.0.0.1 like so:
Code:
search my-domain.org
nameserver 127.0.0.1
nameserver 333.333.333.1
nameserver 1.2.3.4
nameserver 5.6.7.8
This will make the line which includes 333.333.333.1 redundant, so you can remove it after testing that everything is working fine.

Cheers
 
Old 03-28-2007, 06:39 PM   #5
H_TeXMeX_H
LQ Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1301
Uhhh, is '333.333.333.1' an IP address? Isn't the max 255?
 
Old 03-29-2007, 10:05 AM   #6
monsm
Member
 
Registered: Feb 2005
Location: London, UK
Distribution: Gentoo
Posts: 568

Rep: Reputation: 37
Actually all those IPs look suspicious. I doubt 1.2.3.4 is your actual nameserver either. You should probably check with your ISP (if this is your home machine) to get the actual name servers after the loopback one and then list them in order (primary, secondary, tertiary).
 
Old 03-29-2007, 08:49 PM   #7
Nikosis
Member
 
Registered: Dec 2005
Location: In front of the monitor
Distribution: Slackware
Posts: 322

Original Poster
Rep: Reputation: 59
Thanks for the advice, Notwerk, it works.
allow-query {192.168.1.0/24; 127.0.0.1;};
listen-on {192.168.1.xxx; 127.0.0.1;};
wasn't necessary, allow-recursion{192.168.1.0/24;127.0.0.1;}; is enough.
Thx

Last edited by Nikosis; 03-29-2007 at 08:50 PM.
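
Added example, not part of any post in the thread: a small Python check of which resolv.conf entries the server's own named would grant recursion to, given the allow-recursion list discussed above. The address 203.0.113.1 is a constructed stand-in for the masked 333.333.333.1, the interface list is assumed, and the check assumes a query sent to one of the host's own addresses arrives with that address as its source.

```python
import ipaddress
import re

# Constructed samples modelled on the thread. 203.0.113.1 (documentation range)
# stands in for the server's masked address, written 333.333.333.1 in the posts.
CONF_BEFORE = """options {
    // Closed DNS - permits only local IPs to issue recursive queries
    allow-recursion {192.168.1.0/24;};
};"""
CONF_AFTER = CONF_BEFORE.replace("192.168.1.0/24;", "192.168.1.0/24;127.0.0.1;")
RESOLV_BEFORE = "search my-domain.org\nnameserver 203.0.113.1\nnameserver 1.2.3.4\n"
RESOLV_AFTER = "search my-domain.org\nnameserver 127.0.0.1\nnameserver 203.0.113.1\n"
LOCAL_ADDRS = {"127.0.0.1", "192.168.1.10", "203.0.113.1"}  # assumed interface addresses


def recursion_acl(named_conf):
    """Networks in allow-recursion; handles plain IPs and CIDRs only."""
    text = re.sub(r"//[^\n]*|/\*.*?\*/", "", named_conf, flags=re.S)
    m = re.search(r"allow-recursion\s*\{([^}]*)\}", text)
    if m is None:
        return None
    return [ipaddress.ip_network(e.strip()) for e in m.group(1).split(";") if e.strip()]


def nameservers(resolv_conf):
    """nameserver entries in file order."""
    return [p[1] for p in (l.split() for l in resolv_conf.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]


def self_lookup_verdicts(named_conf, resolv_conf, local_addrs):
    """For each resolver entry, say how this host's own named treats the query."""
    acl = recursion_acl(named_conf)
    out = []
    for ns in nameservers(resolv_conf):
        if ns not in local_addrs:
            out.append((ns, "remote server"))
        elif acl is None:
            out.append((ns, "no allow-recursion statement"))
        else:
            # Assumption: a query sent to one of the host's own addresses
            # arrives with that same address as its source.
            src = ipaddress.ip_address(ns)
            ok = any(src in net for net in acl)
            out.append((ns, "recursion allowed" if ok else "recursion refused"))
    return out


if __name__ == "__main__":
    print(self_lookup_verdicts(CONF_BEFORE, RESOLV_BEFORE, LOCAL_ADDRS))
    print(self_lookup_verdicts(CONF_AFTER, RESOLV_AFTER, LOCAL_ADDRS))
```

On a live server, `named-checkconf -p` prints the effective configuration and `dig @127.0.0.1` against an external name shows whether recursion is actually granted.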
 
  


All times are GMT -5.
