Re: subdomain delegation question #2: (simple config)

2011-05-24 Thread Andrey G. Sergeev (AKA Andris)
Hi Dalton,


Tue, 24 May 2011 10:09:00 -0700 dalton stickney wrote:

 Hi all.
 
 I have set up a simple bind config to test this. I am very obviously
 missing something simple here, but i can't figure out what it is for
 some reason.
 I am trying to delegate name servers for the subdomain
 sccnj04.example.com to ns sip.example.com.
 
 When i dig i get no error, but also no answer:
 
 ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> ns
 sccnj04.example.com @ns1
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8850
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL:
 0
 
 ;; QUESTION SECTION:
 ;sccnj04.example.com. IN  NS
 
 ;; AUTHORITY SECTION:
 example.com.  86400   IN  SOA ns1.example.com. 
 hostmaster.example.com.
 2011052405 3600 900 864000 86400
 
 ;; Query time: 0 msec
 ;; SERVER: 10.1.0.8#53(10.1.0.8)
 ;; WHEN: Tue May 24 13:08:03 2011
 ;; MSG SIZE  rcvd: 88
 
 
 Here is my simple config:
 
 named.conf
 
 
 options {
     directory "/var/named";
     version "Nope.";
 };
 
 zone "example.com" in {
     type master;
     file "example.com";
 };
 
 Here is the zone file:
 
 $TTL 86400
 
 ; Start of Authority
 example.com. 86400 IN SOA   ns1.example.com. hostmaster.example.com.
(
 2011052405 ; Serial
 3600   ; Refresh
 900    ; Retry
 864000 ; Expire
 86400  ; Min TTL
 )
 ; Host
 
 sip.example.com.   IN A 10.1.0.8
 ; Nameserver
 example.com.   IN NS ns1.example.com.
 
 $ORIGIN sccnj04.example.com.
 sccnj04 IN NS sip.example.com.
^
Your current $ORIGIN is sccnj04.example.com., so the non-FQDN label
sccnj04 on the line above expands to sccnj04.sccnj04.example.com. when
converted to an FQDN.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: subdomain delegation question

2011-05-22 Thread Andrey G. Sergeev (AKA Andris)
Hi Dalton,


Sun, 22 May 2011 13:36:43 -0700 dalton stickney wrote:

 Hello all,
 I have what may be an easy question here, but it's been a while since
 I did much with Bind, so I'm not entirely sure if I'm doing something
 wrong here.
 
 What I'm trying to do, should be relatively simple i think, but for
 some reason i cannot get it to work. I'm trying to delegate a
 subdomain to a separate nameserver.
 
 My zone file looks like this:
 
 $TTL 86400
 
 ; Start of Authority
 
 stor.company.com. 86400 IN SOA ns1.company.com.
hostmaster.company.com. (
 
   2011052000 ; Serial
   3600   ; Refresh
   900    ; Retry
   864000 ; Expire
   86400  ; Min TTL

This is not a Min TTL but a Minimum Negative TTL instead.

  )
 
 ; Host
 
 sip.stor.company.com. IN A 10.10.10.10

It looks like your $ORIGIN is stor.company.com. Start tidying your
zone file by reading section 3.2, "Zone file style guide", of RFC 1912,
"Common DNS Operational and Configuration Errors", available at
http://www.rfc-editor.org/rfc/rfc1912.txt . You don't have to specify
your $ORIGIN every time, so the line quoted above can be written as

sip IN A 10.10.10.10

 
 ; Nameserver
 
 subdomain.stor.company.com. IN NS sip.stor.company.com.
 stor.company.com.   IN NS ns2.company.com.
 stor.company.com.   IN NS ns1.company.com.
 
 I have the appropriate entry for stor.company.com in named.conf.
 I can resolve the nameserver for the subdomain: sip.stor.company.com.

sip.stor.company.com isn't a subdomain but a hostname which is used as
a nameserver for subdomain.stor.company.com.

 But i cannot dig for ns for subdomain.stor.company.com, it times out.

Which servers are listed as resolvers on the machine on which you're
running dig? If this is a UNIX machine, please show us your
/etc/resolv.conf and comment on it.

Have you reloaded the zone stor.company.com properly?


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: subdomain delegation question

2011-05-22 Thread Andrey G. Sergeev (AKA Andris)
Hi Dalton,


Sun, 22 May 2011 15:04:02 -0700 dalton stickney wrote:

 Hi, thanks for the quick replies.
 I apologize for the HTML, and the vagueness of the original post.
 (this is my first time posting to this list) Let me give some more
 specifics here:
 
 This is the zone file for stor.company.com, so i am trying to
 delegate subdomain.stor.company.com to the nameserver with hostname
 sip.stor.company.com.
 
 $TTL 86400
 
 ; Start of Authority
 stor.company.com. 86400 IN SOA ns1.company.com.
hostmaster.company.com. (
 2011052000 ; Serial
 3600   ; Refresh
 900    ; Retry
 864000 ; Expire
 86400  ; Min TTL
 )
 
 ; Host
 
 sip.stor.company.com.   IN A 10.10.10.10
 
 ; Nameserver
 
 subdomain.stor.company.com. IN NS sip.stor.company.com.
 stor.company.com.   IN NS ns2.company.com.
 stor.company.com.   IN NS ns1.company.com.
 
 I have a named.conf entry as master for stor.company.com.

Please run these two commands and show us the results:
dig @ns1.company.com. stor.company.com. soa +noal +comm +answ
dig @sip.stor.company.com. subdomain.stor.company.com. soa +noal +comm
+answ

 I thought my glue record was the sip host record, but am i mistaken
 about that?

No, you're correct.

 I have reloaded the nameserver.
 
 Thanks again for the help.
 
 -dalton
 
 
 On Sun, May 22, 2011 at 2:08 PM, Doug Barton do...@dougbarton.us
 wrote:

 Please don't use HTML mail for technical mailing lists. It made
 replying to this message ridiculously more difficult than necessary.

 On 05/22/2011 13:36, dalton stickney wrote:

 subdomain.stor.company.com IN NS sip.stor.company.com.

 stor.company.com  IN NS ns2.company.com.
 stor.company.com  IN NS ns1.company.com.

 You've already delegated stor.company.com, so delegations below
 that need to be in the stor.company.com zone file.


 hth,

 Doug

 --

        Nothin' ever doesn't change, but nothin' changes much.
                        -- OK Go

        Breadth of IT experience, and depth of knowledge in the DNS.
        Yours for the right price.  :)
 http://SupersetSolutions.com/



-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: subdomain delegation question

2011-05-22 Thread Andrey G. Sergeev (AKA Andris)
Hi Dalton,


Sun, 22 May 2011 17:27:17 -0700 dalton stickney wrote:

 Thanks for the reply.
 See output of commands below:
 
 Please run these two commands and show us the results:
 dig @ns1.company.com. stor.company.com. soa +noal +comm +answ
 
 [dstickney@lw-lts-155 ~]$ dig @ns1.company.com stor.company.com.  soa
 +noal +comm +answ
 
 ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>> @ns1.company.com
 stor.company.com. soa +noal +comm +answ
 ; (1 server found)
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38942
 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL:
 2
 
 ;; ANSWER SECTION:
 stor.company.com. 86400   IN  SOA ns1.company.com.
 hostmaster.company.com. 2011052000 3600 900 864000 86400

Everything seems to be fine there.

 dig @sip.stor.company.com. subdomain.stor.company.com. soa +noal
 +comm +answ
 
 [dstickney@lw-lts-155 ~]$ dig @sip.stor.company.com
 subdomain.stor.company.com soa +noal +comm +answ
 
 ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 <<>>
 @sip.stor.company.com subdomain.stor.company.com soa +noal +comm
 +answ
 ; (1 server found)
 ;; global options:  printcmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 50198
^^^
 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

The status of the query is REFUSED! This usually means that either the
server being queried doesn't allow the queries from the particular
client (you) or this server is simply misconfigured. Remember, if you
want to delegate some zone to some host then you must configure this
host to accept the queries for the domain being delegated.

 
 
 Thanks!
 -dalton
 
 
 

 -dalton


 On Sun, May 22, 2011 at 2:08 PM, Doug Barton do...@dougbarton.us
 wrote:

 Please don't use HTML mail for technical mailing lists. It made
 replying to this message ridiculously more difficult than
 necessary.

 On 05/22/2011 13:36, dalton stickney wrote:

 subdomain.stor.company.com IN NS sip.stor.company.com.

 stor.company.com  IN NS ns2.company.com.
 stor.company.com  IN NS ns1.company.com.

 You've already delegated stor.company.com, so delegations below
 that need to be in the stor.company.com zone file.


 hth,

 Doug

 --

        Nothin' ever doesn't change, but nothin' changes much.
                        -- OK Go

        Breadth of IT experience, and depth of knowledge in the
DNS.
        Yours for the right price.  :)
 http://SupersetSolutions.com/


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/
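The configuration the last paragraph above asks for, written out as an added example (not from the thread): the host named in the delegation must itself carry the delegated zone and its ACL must admit the querying clients, otherwise BIND answers REFUSED. The zone file name and the ACLs are assumptions; the zone name and host are the ones discussed in the thread.

```conf
// named.conf fragment for the delegated-to host sip.stor.company.com
// (added example; file name and ACL values are assumptions)
options {
    directory "/var/named";
    // A client that falls outside allow-query gets status REFUSED,
    // so keep the global ACL wide enough for the clients that must
    // reach the delegated zone.
    allow-query { any; };
};

// Without this zone statement the server is not authoritative for
// subdomain.stor.company.com, and a BIND server that neither serves
// the name nor offers recursion to the client also answers REFUSED.
zone "subdomain.stor.company.com" in {
    type master;
    file "subdomain.stor.company.com";
    // The zone file itself needs an SOA at the apex and an NS record
    // naming sip.stor.company.com, matching the NS in stor.company.com.
    allow-query { any; };
};
```

After reloading, the second dig Andrey asked for (the SOA query sent to sip.stor.company.com) should return NOERROR with the aa flag set and the SOA in the answer section.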


Re: out of place mx records.

2010-10-27 Thread Andrey G. Sergeev (AKA Andris)
Hello Gregory,


Thu, 28 Oct 2010 13:04:58 +1300 Gregory Machin wrote:

 Hi.
 I have taken over some dns servers, and the process of doing upgrade,
 half way through the process..
 
 I have a question about the zone files , as there is some
 configuration here that I have not seen before and seems out of
 place.
 
 here is an excerpt of the zone file
 
 $TTL 14400
 
 @ IN  SOA example.com. postmaster.example.com. (
   2010042142  ; Serial
   3600; Refresh (1 hours)
   1200; Retry   (20 minutes)
   1728000 ; Expire  (20 days)
   14400   ; Minimum (4 hours)
 )
   IN  NS  ns1.example.com.
   IN  NS  ns2.example.com.
 ; IN  NS  ns1.catalyst.net.nz.
 
   IN  MX  10 mail01.example.com.
   IN  MX  10 mail02.example.com.
 ; IN  MX  20 mail03.example.com.
 
   IN  A   202.xx.xx.2
 
 ns1   IN  A   192.168.xx.xx   
 ns2   IN  A   192.168.xx.xx   
 
 listserv  IN  A   202.xx.xx.2
   IN  MX  10  mcvpemr01   
   IN  MX  10  mcvpemr02   
 cache   IN  A   202.xx.xx.1
   IN  MX  10  mcvpemr01   
   IN  MX  10  mcvpemr02
 captaincomet  IN  A   202.xx.xx.1
   IN  MX  10  mcvpemr01
   IN  MX  10  mcvpemr02
 louie IN  A   202.xx.xx.1
   IN  MX  10  mcvpemr01
   IN  MX  10  mcvpemr02
 mail01  IN  A   192.168.xx.xx
   IN  MX  10  mcvpemr01   
   IN  MX  10  mcvpemr02
 mail02  IN  A   192.168.xx.xx
   IN  MX  10  mcvpemr01   
   IN  MX  10  mcvpemr02
 nelson  IN  A   202.xx.xx.1
   IN  MX  10  mcvpemr01
   IN  MX  10  mcvpemr02
   
 
 My question is why would IN MX 10 mcvpemr01 and IN MX 10 mcvpemr02
 be repeated through the zone file? Surely this is redundant?

These MX record sets aren't redundant as they belong to the different
labels named listserv, cache etc.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: out of place mx records.

2010-10-27 Thread Andrey G. Sergeev (AKA Andris)
Hello Sten,


Thu, 28 Oct 2010 02:48:36 +0200 Sten Carlsen wrote:

 To me it looks redundant, named-compilezone -o - zone file should
 show you how bind interprets these.
 My guess is that they will be listed only once in the output.
 
 I don't see how they could belong to each subdomain, to do that there
 should be a @... to set a new origin?

; Set current origin to mail02
mail02  IN  A   192.168.xx.xx
; Two lines below are still under the same origin mail02
IN  MX  10  mcvpemr01   
IN  MX  10  mcvpemr02
; Time to set a new origin
nelson  IN  A   202.xx.xx.1
[...]


 On 28/10/10 2:14, Ian Manners wrote:
 Hi Gregory,

 mail02  IN  A   192.168.xx.xx
 IN  MX  10  mcvpemr01   
 IN  MX  10  mcvpemr02
 nelson  IN  A   202.xx.xx.1
 IN  MX  10  mcvpemr01
 IN  MX  10  mcvpemr02
 My question is why would IN MX 10 mcvpemr01 and IN MX 10 mcvpemr02
 be repeated through the zone file? Surely this is redundant?
 It looks like an old way of specifying the MX for each subdomain.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/
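A zone-file owner-name resolver, added here as an example (not code from the thread), that makes both points of this discussion concrete: a blank owner field inherits the previous owner, which is why each MX set above belongs to listserv, cache and so on, and a relative owner is appended to the current $ORIGIN, which is what turned sccnj04 into sccnj04.sccnj04.example.com. in the delegation thread. The two zone excerpts are reconstructed from the threads; the parser itself is my own simplification of the RFC 1035 master-file rules, not BIND's loader.

```python
"""Resolve zone-file owner names the way a master-file loader does.

Added example, not code from the thread. It models only the rules the
replies rely on: $ORIGIN, '@', trailing-dot absolute names, and a blank
owner field inheriting the previous owner. Record data (MX/NS targets)
is left exactly as written.
"""
from typing import Iterator, List, Optional, Set, Tuple

Record = Tuple[str, str, str]          # (owner, type, rdata)
CLASSES = {"IN", "CH", "HS"}


def logical_lines(text: str) -> Iterator[str]:
    """Yield logical lines: ';' comments removed, '( ... )' groups joined."""
    pending, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        # keep the first physical line intact so its leading whitespace
        # (the "blank owner" signal) survives the join
        pending = (pending + " " + line.strip()) if pending else line
        if depth <= 0:
            yield pending.replace("(", " ").replace(")", " ")
            pending, depth = "", 0


def absolute(name: str, origin: str) -> str:
    """Turn a zone-file name into a fully qualified name under origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name                     # already absolute
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> List[Record]:
    """Return (owner, type, rdata) for every record; origin is the zone name."""
    records: List[Record] = []
    last_owner: Optional[str] = None
    for line in logical_lines(text):
        fields = line.split()
        if fields[0].startswith("$"):
            if fields[0].upper() == "$ORIGIN":
                origin = absolute(fields[1], origin)
            continue                    # $TTL etc. do not affect owner names
        if line[0].isspace():           # blank owner: reuse the previous one
            if last_owner is None:
                raise ValueError("blank owner with no previous record")
            owner = last_owner
        else:
            owner = absolute(fields.pop(0), origin)
        for _ in range(2):              # optional TTL and class, either order
            if fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
                fields.pop(0)
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        records.append((owner, rtype, rdata))
        last_owner = owner
    return records


def find_delegations(records: List[Record], apex: str) -> Set[str]:
    """Owner names of NS records below the apex, i.e. the zone cuts created."""
    return {o for o, t, _ in records if t == "NS" and o != apex}


# Zone excerpt reconstructed from the delegation thread (constructed sample).
DALTON_ZONE = """\
$TTL 86400
example.com. 86400 IN SOA ns1.example.com. hostmaster.example.com. (
        2011052405 ; Serial
        3600       ; Refresh
        900        ; Retry
        864000     ; Expire
        86400      ; Negative caching TTL
        )
sip.example.com.   IN A 10.1.0.8
example.com.       IN NS ns1.example.com.

$ORIGIN sccnj04.example.com.
sccnj04 IN NS sip.example.com.
"""
# Same file with the delegation written relative to the new $ORIGIN.
DALTON_ZONE_FIXED = DALTON_ZONE.replace("sccnj04 IN NS", "@ IN NS")

# Excerpt of the 'out of place mx records' zone (constructed sample).
MX_ZONE = """\
$TTL 14400
@         IN SOA example.com. postmaster.example.com. (
        2010042142 ; Serial
        3600 1200 1728000 14400 )
          IN NS ns1.example.com.
          IN MX 10 mail01.example.com.
          IN A  202.xx.xx.2
listserv  IN A  202.xx.xx.2
          IN MX 10 mcvpemr01
          IN MX 10 mcvpemr02
cache     IN A  202.xx.xx.1
          IN MX 10 mcvpemr01
          IN MX 10 mcvpemr02
"""

if __name__ == "__main__":
    for label, zone in (("as posted", DALTON_ZONE), ("fixed", DALTON_ZONE_FIXED)):
        print(label, find_delegations(parse_zone(zone, "example.com."), "example.com."))
    for owner, rtype, rdata in parse_zone(MX_ZONE, "example.com."):
        if rtype == "MX":
            print(owner, rtype, rdata)
```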


Re: out of place mx records.

2010-10-27 Thread Andrey G. Sergeev (AKA Andris)
Hello Gregory,


Thu, 28 Oct 2010 15:54:32 +1300 Gregory Machin wrote:

 Hi Andrey.
 Thanks for your input.
 
 OK .. but most of those hosts should not be accepting email
 connections, by my understanding. Or is it implied that email
 destined for that host would be handled by the email servers
 mcvpemr01 and mcvpemr02 on its behalf?

Yes. This is the nature of the MX RR.

If you don't want to handle mail traffic for some of your hosts (labels
in terms of DNS) at all, then just route your mail as shown below:

; --- Method 1 ---
; This IP should be unreachable or the mail daemon at this host
; should refuse any connections attempts
not-for-mail IN A 192.168.209.16

listserv IN A 202.xx.xx.2
   IN MX 10 not-for-mail

; --- Method 2 ---
listserv IN A 202.xx.xx.2
   IN MX 10 not-for-mail.invalid-domain.tld.

Another, but more complex, way is to handle such traffic at your mail
relay, which silently delivers messages destined for some domains to
/dev/null.


 Regards
 Gregory Machin
 
 
 On Thu, Oct 28, 2010 at 1:09 PM, Andrey G. Sergeev (AKA Andris)
 and...@aernet.ru wrote:
 Hello Gregory,


 Thu, 28 Oct 2010 13:04:58 +1300 Gregory Machin wrote:

 Hi.
 I have taken over some dns servers, and the process of doing
 upgrade, half way through the process..

 I have a question about the zone files , as there is some
 configuration here that I have not seen before and seems out of
 place.

 here is an excerpt of the zone file

 $TTL 14400

 @             IN      SOA     example.com. postmaster.example.com.
 (
                               2010042142      ; Serial
                               3600            ; Refresh (1 hours)
                               1200            ; Retry   (20
minutes)
                               1728000         ; Expire  (20 days)
                               14400           ; Minimum (4 hours)
                                 )
               IN      NS      ns1.example.com.
               IN      NS      ns2.example.com.
 ;             IN      NS      ns1.catalyst.net.nz.

               IN      MX      10 mail01.example.com.
               IN      MX      10 mail02.example.com.
 ;             IN      MX      20 mail03.example.com.

               IN      A       202.xx.xx.2

 ns1           IN      A       192.168.xx.xx
 ns2           IN      A       192.168.xx.xx

 listserv        IN    A       202.xx.xx.2
               IN      MX      10      mcvpemr01
               IN      MX      10      mcvpemr02
 cache           IN    A       202.xx.xx.1
               IN      MX      10      mcvpemr01
               IN      MX      10      mcvpemr02
 captaincomet  IN      A       202.xx.xx.1
               IN      MX      10      mcvpemr01
               IN      MX      10      mcvpemr02
 louie         IN      A       202.xx.xx.1
               IN      MX      10      mcvpemr01
               IN      MX      10      mcvpemr02
 mail01          IN      A       192.168.xx.xx
               IN      MX      10      mcvpemr01
               IN      MX      10      mcvpemr02
 mail02          IN      A       192.168.xx.xx
               IN      MX      10      mcvpemr01
               IN      MX      10      mcvpemr02
 nelson          IN    A       202.xx.xx.1
               IN      MX      10      mcvpemr01
               IN      MX      10      mcvpemr02


 My question is why would IN    MX    10    mcvpemr01 and IN  
 MX  10    mcvpemr02 be repeated trough the zone file surely this
is
 redundant ?

 These MX record sets aren't redundant as they belong to the
 different labels named listserv, cache etc.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/

Re: Bind and blacklist IP file

2010-10-13 Thread Andrey G. Sergeev
Hello Alans,


Tue, 12 Oct 2010 16:52:15 +0300 Alans wrote:

 On 10/12/2010 03:44 PM, Andrey G. Sergeev (AKA Andris) wrote:
 Hello Ian,


 Tue, 12 Oct 2010 10:54:19 +0100 Ian Tait wrote:

 Ok, but you can always browse by IP address and in this case
 there is no DNS server than can stop you from browsing what you
 want.

 Vaguely related, are host headers - a lot of webservers share an
 IP address/many IP addresses and use host headers to 'display' the
 correct website.

 You wouldn't be able to browse a particular website hosted in this
 fashion, by IP address.

 If you know the website domain and the corresponding IP address and
 if your ISP prevents you from accessing this website by timing out
 or tampering DNS query results you can always put the entry like

 192.168.10.20   www.domain.tld.

 to your hosts file and access the site.

 This technique is also in use when someone needs to access the site
 which is on a not delegated domains.

 Even this way, you should know all the IP of subdomains to work
 properly. Try it for facebook, open homepage fine but once you login
 it will fail.

If you can query at least one of the authoritative NS for the domain in
question then you would have no problems determining the IP addresses
you might need.

 Another thing, we are talking about a technical person, for other
 users they don't know about hosts file or they don't have access to
 change it even it they know about it.

Sure but please don't forget about the average level of computer skills
of the audience the most underground sites have.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Bind and blacklist IP file

2010-10-13 Thread Andrey G. Sergeev
Hello David,


Mon, 11 Oct 2010 18:38:24 -0400 David Miller wrote:

   On 10/11/2010 3:26 PM, Andrey G. Sergeev (AKA Andris) wrote:
 Hello Alans,


 Mon, 11 Oct 2010 20:07:40 +0300 Alans wrote:

 Why not? OpenDNS is a good example i think.
 Good example? Was it a joke? Do the traceroute on IP addresses of
 the two OpenDNS resolvers and you'll find that they both are behind
 the same router. Do you still trust the OpenDNS people who advertise
 their service as reliable?
 
 You are kidding right?  ...or was this post a joke?

Not at all.

 OpenDNS is Anycast - http://en.wikipedia.org/wiki/Anycast

Thanks, I know what anycast is and about the fact that OpenDNS uses it.
Besides all that, it still seems strange that *both* of their public
resolvers are behind the *same* router (peer1.rtr1.ams.opendns.com
[195.69.144.88] for me).


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Bind and blacklist IP file

2010-10-12 Thread Andrey G. Sergeev (AKA Andris)
Hello Ian,


Tue, 12 Oct 2010 10:54:19 +0100 Ian Tait wrote:

 Ok, but you can always browse by IP address and in this case there
 is no DNS server than can stop you from browsing what you want.
 
 Vaguely related, are host headers - a lot of webservers share an IP
 address/many IP addresses and use host headers to 'display' the
 correct website.
 
 You wouldn't be able to browse a particular website hosted in this
 fashion, by IP address.

If you know the website domain and the corresponding IP address and if
your ISP prevents you from accessing this website by timing out or
tampering DNS query results you can always put the entry like

192.168.10.20   www.domain.tld.

to your hosts file and access the site.

This technique is also in use when someone needs to access the site
which is on a not delegated domains.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Bind and blacklist IP file

2010-10-11 Thread Andrey G. Sergeev (AKA Andris)
Hello  Matus,


Mon, 11 Oct 2010 18:37:43 +0200 Matus UHLAR - fantomas wrote:

 On 11.10.10 14:16, Alans wrote:
 Thanks Dave, yes I know about OpenDNS, I'm trying to implement
 something kind of similar to that on a small scale.
 So i was wondering about Bind dns capabilities and may be third
 party stuffs that could integrate with bind dns in addition to the
 ip/website list.
 
 This is NOT something BIND (or any DNS server) should do. Blocking
 web sites is business for web proxies, firewalls etc. Doing this
 stuff at DNS level could lead to many surprises.

Strongly agreed. And doing this brainf***ing stuff could lead to
unpredictable glitches too.

Render unto Caesar the things which are Caesar's, and unto God the
things that are God's (Matthew 22:21).


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Bind and blacklist IP file

2010-10-11 Thread Andrey G. Sergeev (AKA Andris)
Hello Steinar,


Mon, 11 Oct 2010 19:38:54 +0200 (CEST) sth...@nethelp.no wrote:

 Unfortunately, in some countries you may be required to do so. The
 example I know best is, naturally, Norway.
 
 In Norway we have what is basically a government requirement for ISPs
 to block child porn domains, using a list supplied by the police. A
 decent description of the system, for those of you with a reading
 knowledge of Norwegian, is here:
 
 http://no.wikipedia.org/wiki/Kripos'_barnepornofilter

Would you please describe in brief, for those who don't read
Norwegian, the methods the major Norwegian ISPs use to block the CP
domains?


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Bind and blacklist IP file

2010-10-11 Thread Andrey G. Sergeev (AKA Andris)
Hello Alans,


Mon, 11 Oct 2010 20:07:40 +0300 Alans wrote:

 Why not? OpenDNS is a good example i think.

Good example? Was it a joke? Do the traceroute on IP addresses of the
two OpenDNS resolvers and you'll find that they both are behind the
same router. Do you still trust the OpenDNS people who advertise their
service as reliable?

P.S. Please don't top-post - this breaks the logic of the discussion
thread. Thank you.

 regards,
 Alans
 
 On 10/11/2010 07:37 PM, Matus UHLAR - fantomas wrote:
 On 11.10.10 14:16, Alans wrote:
 Thanks Dave, yes I know about OpenDNS, I'm trying to implement
 something kind of similar to that on a small scale.
 So i was wondering about Bind dns capabilities and may be third
 party stuffs that could integrate with bind dns in addition to the
 ip/website list.

 This is NOT something BIND (or any DNS server) should do. Blocking
 web sites is business for web proxies, firewalls etc. Doing this
 stuff at DNS level could lead to many surprises.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Unable to query the nameserver

2010-10-06 Thread Andrey G. Sergeev (AKA Andris)
Hello Kevin,


Wed, 06 Oct 2010 07:47:41 -0700 Kevin Oberman wrote:

 I keep hoping for a BIND distro that upgrades nslookup(1) to:
   print STDERR "nslookup(1) has been replaced by host(1)\n"; exit 0;

Short answer: never.

 I've been wishing that nslookup would go away since back in BIND-v4
 days. I could save a lot of troubleshooting time if I didn't get
 trouble reports based on the use of nslookup that is misleading or
 not completely bogus.

What about any scripts and tools that rely on the expected behaviour
and output of nslookup? Just think about the amount of such legacy and
sometimes obsolete *but working* software. Who would be responsible for
migration so the newer DNS tools would be used instead of nslookup? :)

Note: I'm not talking about my own scripts and tools (I'm using dig
and/or host whenever possible).


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Unable to query the nameserver

2010-10-06 Thread Andrey G. Sergeev (AKA Andris)
Hello Kevin,


Wed, 06 Oct 2010 13:42:35 -0400 Kevin Darcy wrote:

 ISC has tried to kill it, but the beast is resilient and won't die.
 Invocations of nslookup are embedded in thousands of legacy scripts
 and some folks are unable or unwilling to change them.

Well said, Kevin! I have just sent some similar thoughts to the list.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Unable to query the nameserver

2010-10-05 Thread Andrey G. Sergeev (AKA Andris)
Hello Dotan,


Tue, 5 Oct 2010 20:20:02 +0200 Dotan Cohen wrote:

 Can you successfully telnet port 53 from an external host?
 
 Yes, but it's only a connection. I don't see any output. That's me
 typing helo:
 
 $ telnet 178.63.65.136 53
 Trying 178.63.65.136...
 Connected to 178.63.65.136.
 Escape character is '^]'.
 helo
 USER test
 ^C^C
 Connection closed by foreign host.

The DNS protocol has no human-readable verbs. The fact that you can
connect to port 53 from an external location indicates that TCP
connections aren't blocked. But DNS uses TCP only in a limited number
of cases; most of the time UDP is used for queries.

So you must verify that you _can_ query your server for something like
this:

dig @server-name-or-ip example.de. soa +norec


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Unable to query the nameserver

2010-10-05 Thread Andrey G. Sergeev (AKA Andris)
Hello Dotan,


Tue, 5 Oct 2010 20:35:24 +0200 Dotan Cohen wrote:

 The two domains names are sharingcenter.eu and sharingcenter.de. The
 eu domain has ns1 and ns2 on the same server (IP addresses
 178.63.65.136 and 178.63.65.188) and works fine. The de domain has
 ns1 on this same server (IP address 178.63.65.171) but ns2 on a
 different server (IP address 88.198.21.168).

The commands

dig @178.63.65.171 sharingcenter.de. soa +norec +short
dig @88.198.21.168 sharingcenter.de. soa +norec +short

were done without any delays or errors from my location so the UDP
connections from the external hosts are fine too. If you still
experience troubles while working with the registrar control panel you
should consult with their support.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Unable to query the nameserver

2010-10-04 Thread Andrey G. Sergeev (AKA Andris)
Hi Dotan!


Mon, 4 Oct 2010 23:08:43 +0200 Dotan Cohen wrote:

 I am configuring BIND on two servers: ns1.example.de on a server with
 IP address 1.1.1.1 and ns2.example.de on a server with IP address
 1.1.2.2. BIND starts fine on both servers, but when I try to
 configure
 my domain name in the registrar's control panel I get this error:
 
 Error : Unable to query the nameserver ns1.example.de

[...]

You might be blocking the 53/udp and/or 53/tcp ports. Try to query your
problematic server from some other location rather than the site this
server is installed on.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Unable to query the nameserver

2010-10-04 Thread Andrey G. Sergeev (AKA Andris)
Mon, 4 Oct 2010 23:41:13 +0200 Dotan Cohen wrote:

 You might be blocking 53/udp and (or) 53/tcp port. Try to query
 your problematic server from some other location rather than the
 site this server is installed on.

 
 The ports aren't blocked as another site (example.eu) hosted on
 the 1.1.1.1 server works fine. The working site has both
 nameservers pointed to that same server (on two different IP
 addresses on eth0 and etho0:0). Only the example.de site which has
 one nameserver on the 1.1.1.1 machine and the second nameserver on
 1.1.2.2 is giving me a headache.

It may be a zone transfer issue: DENIC might want to transfer the
zone example.de and your server at 1.1.1.1 has been configured to deny
such attempts originating from unknown IPs. Grep your BIND log for
any error messages related to 'example.de'.


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Unable to query the nameserver

2010-10-04 Thread Andrey G. Sergeev (AKA Andris)
Hi Imran,


Mon, 4 Oct 2010 20:33:02 -0400 Imran wrote:

 Sounds like a resolv.conf issue ... make sure that you have an
 entry in the resolv.conf file that maps ns1.example.de to 1.1.1.1
 and ns2.example.de to 1.1.2.2

You're wrong. The resolv.conf file has nothing to do with
hostname-to-IP or vice versa mapping. Such mapping is a function of the
hosts file.

Regardless of the file name there is nothing to fix by setting some
mappings.

 -Original Message-
 From: bind-users-bounces+imran=netwave...@lists.isc.org
 [mailto:bind-users-bounces+imran=netwave...@lists.isc.org] On Behalf
 Of Dotan Cohen
 Sent: Monday, October 04, 2010 5:09 PM
 To: bind-users@lists.isc.org
 Subject: Unable to query the nameserver
 
 I am configuring BIND on two servers: ns1.example.de on a server
 with IP address 1.1.1.1 and ns2.example.de on a server with IP
 address 1.1.2.2. BIND starts fine on both servers, but when I try
 to configure my domain name in the registrar's control panel I get
 this error:
 
 Error : Unable to query the nameserver ns1.example.de
 
 
 Of course I have been googling this for hours and I've been reading
 BIND manuals for about two weeks now! I'm really stuck. Here are my
 configuration files:
 
 // On 1.1.1.1
 [r...@1.1.1.1]# cat /etc/named.conf
 options {
     directory "/etc";
     pid-file "/var/run/named/named.pid";
     listen-on {
         any;
     };
 };
 
 zone "." {
     type hint;
     file "/etc/db.cache";
 };
 
 zone "example.de" {
     type master;
     file "/var/named/example.de.hosts";
     notify yes;
     allow-query { any; };
 };
 zone "example.eu" {
     type master;
     file "/var/named/example.eu.hosts";
 };
 [r...@1.1.1.1]# cat /var/named/example.de.hosts
 $ORIGIN example.de.
 $TTL 86400
 example.de. IN  SOA example.de. foo.example.de. (
     2010100401 ; Serial - increment me
     10800
     3600
     604800
     38400 )
             IN  NS  ns1.example.de.
             IN  NS  ns2.example.de.
             IN  A   1.1.1.1
 www         IN  A   1.1.1.1
 ns1         IN  A   1.1.1.1
 ns2         IN  A   1.1.2.2
 
 
 
 
 // On 1.1.2.2
 [r...@1.1.2.2]# cat /etc/named.conf
 options {
     directory "/etc";
     pid-file "/var/run/named/named.pid";
     listen-on {
         any;
     };
 };
 
 zone "." {
     type hint;
     file "/etc/db.cache";
 };
 
 zone "example.de" {
     type slave;
     masters { 1.1.1.1; };
     allow-update { 1.1.1.1; };
     file "/var/named/example.de.hosts";
     notify yes;
     allow-query { any; };
     allow-notify { 1.1.2.2; };
 };
 [r...@1.1.2.2]# cat /var/named/example.de.hosts
 $ORIGIN example.de.
 $TTL 86400
 example.de. IN  SOA example.de. foo.example.de. (
     2010100401 ; Serial - increment me
     10800
     3600
     604800
     38400 )
             IN  NS  ns2.example.de.
 ns2         IN  A   1.1.2.2
 
 
 
 
 Of course, when I make a change to a hosts file I increment the
 serial number and restart bind. I also restart bind after making a
 change to named.conf. What am I doing wrong? Thanks!


-- 

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Using same authoritative NSes multiple times in delegation

2009-11-18 Thread Andrey G. Sergeev (AKA Andris)

Greetings,


does the following setup violate any DNS RFCs, or is it in conflict
with any best practices?


--
[and...@strigidae ~]$ dig +nocmd +nocom +noque +nosta domain1.tld1. ns
domain1.tld1.   86400   IN  NS  ns1.domain1.tld1.
domain1.tld1.   86400   IN  NS  ns2.domain1.tld1.
domain1.tld1.   86400   IN  NS  ns1.domain2.tld2.
domain1.tld1.   86400   IN  NS  ns2.domain2.tld2.
domain1.tld1.   86400   IN  NS  ns1.domain3.tld3.
domain1.tld1.   86400   IN  NS  ns2.domain3.tld3.
ns1.domain1.tld1.   86400   IN  A   IP.Add.ress.1
ns2.domain1.tld1.   86400   IN  A   IP.Add.ress.2
^
ns1.domain2.tld2.   86400   IN  A   IP.Add.ress.3
^
ns2.domain2.tld2.   86400   IN  A   IP.Add.ress.4
ns1.domain3.tld3.   86400   IN  A   IP.Add.ress.2
^
ns2.domain3.tld3.   86400   IN  A   IP.Add.ress.3
^
--

As we can see above, the ns2.domain1.tld1 / ns1.domain3.tld3 are 
actually the same physical host with the IP.Add.ress.2 and the 
ns1.domain2.tld2 / ns2.domain3.tld3 are actually the same machine with 
the IP.Add.ress.3.


What are the benefits of this setup?

Thanks in advance.


--

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/


Re: Configuration for hostname.bind.

2009-06-15 Thread Andrey G. Sergeev (AKA Andris)

Greetings Chris,


Sun, 14 Jun 2009 12:01:50 +0200 Chris Hills wrote:


On 13/06/09 16:23, Andrey G. Sergeev (AKA Andris) wrote:

Also, is it possible to configure BIND to respond on
version.server. chaos txt and id.server. chaos txt in the same
manner as version.bind. and hostname.bind. (i.e. automatically
without requiring a separate zone file)?

options {
    server-id "any_text";
};


This worked for id.server. but not version.server. The attached patch
fixes this.


There is no need for _any_ patch to use the built-in functionality.


--

Yours sincerely,

Andrey G. Sergeev (AKA Andris) http://www.andris.name/