Ubuntu + Bind9 Reverse DNS partial Class C

Discussion in 'Server Operation' started by twink_dakid, Oct 3, 2008.

  1. twink_dakid

    twink_dakid New Member

    I have successfully set up my first Linux server using Ubuntu and Bind9. All of my DNS settings are working great until reverse DNS checks. I am not a DNS guru and think the fact that I am using a partial class C is the cause. Can someone review and show me my error? Thank you.
    For this sample domain my IP range is 1.18.2.160/27.
    /etc/bind/zones/rev.160.2.18.1.in-addr.arpa
    $TTL 38400
    @       IN  SOA nsa.sample.net. root.sample.net. (
                2008091001  ; serial
                28800       ; refresh
                604800      ; retry
                604800      ; expire
                86400 )     ; minimum

    @       IN  NS  nsa.sample.net.
    171     IN  PTR nsa.sample.net.
    170     IN  PTR smtp.sample.net.  ; 'future secondary for later'
    161     IN  PTR mail.sample.net.

    Or maybe it should be:
    171.160/27.2.18.1 IN PTR nsa.sample.net.
    170.160/27.2.18.1 IN PTR smtp.sample.net. ; ‘future secondary for later’
    161.160/27.2.18.1 IN PTR mail.sample.net.


    vi /etc/bind/named.conf.local
    zone "160.2.18.1.in-addr.arpa" {
        type master;
        notify no;
        file "/etc/bind/zones/rev.160.2.18.1.in-addr.arpa";
        allow-transfer { 1.18.2.170; };
        allow-update { none; };
        allow-query { any; };
    };

    Thanks for any help
     
    Last edited: Oct 4, 2008
  2. falko

    falko Super Moderator Howtoforge Staff

    Why do you have spaces in the hostnames? Please remove them.
     
  3. twink_dakid

    twink_dakid New Member

    Sorry Falko,
    I thought I proofed the post before I posted. I double checked the server and the spaces are only in the post.
     
  4. martinfst

    martinfst Member Moderator

    You seem to be using public ip ranges. Any reason why you don't use official local ip ranges 192.168 or 172 or 10 ranges?

    What is the output of the command
    Code:
    dig @localhost -x <ip address of your server>
     
  5. twink_dakid

    twink_dakid New Member

    I did not use 10 or 192 so that everyone understood that this is an external dns server.

    dig response:
    ; <<>> DiG 9.4.2-P1 <<>> @localhost -x 1.18.2.171
    ; (1 server found)
    ;; global options: printcmd
    ;; connection timed out; no servers could be reached
     
  6. twink_dakid

    twink_dakid New Member

    Update: I found extra servers in vi /etc/resolv.conf and removed all but localhost.

    New dig output:

    ; <<>> DiG 9.4.2-P1 <<>> -x @localhost 1.18.2.171
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22676
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;\@localhost.in-addr.arpa. IN PTR

    ;; AUTHORITY SECTION:
    in-addr.arpa. 10800 IN SOA A.ROOT-SERVERS.NET. dns-ops.ARIN.NET. 2008100416 1800 900 691200 10800

    ;; Query time: 271 msec
    ;; SERVER: 1.18.2.171#53(1.18.2.171)
    ;; WHEN: Sat Oct 4 17:09:45 2008
    ;; MSG SIZE rcvd: 108

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 38994
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;1.18.2.171. IN A

    ;; AUTHORITY SECTION:
    . 10800 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2008100401 1800 900 604800 86400

    ;; Query time: 585 msec
    ;; SERVER: 1.18.2.171#53(1.18.2.171)
    ;; WHEN: Sat Oct 4 17:09:45 2008
    ;; MSG SIZE rcvd: 106
     
  7. martinfst

    martinfst Member Moderator

    Are you the owner of the class A 1.x.x.x subnet? Most likely not. If you are connected to the public internet, you should use a valid IP address for your server.
     
  8. twink_dakid

    twink_dakid New Member

    No, I do not own that class A 1 range, but I do own a different partial class A range. I have contacted my provider 3 times and, because I have my own DNS server, I had them transfer the authority to my server. Previous errors showed no domain (NXDOMAIN) in RDNS tests, but at least now all I get is a server error (SERVFAIL). Everything works great (www, email and VPN) until I send emails to servers using an RDNS check. At that point everything stops working.

    Yes I could have had my provider do this but there was a charge. As a small school district every penny counts. If money was not the problem I could have switched to a windows server by now.
     
  9. falko

    falko Super Moderator Howtoforge Staff

    What's in your named.conf?
     
  10. twink_dakid

    twink_dakid New Member

    // This is the primary configuration file for the BIND DNS server named.
    //
    // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
    // structure of BIND configuration files in Debian, *BEFORE* you customize
    // this configuration file.
    //
    // If you are just adding zones, please do that in /etc/bind/named.conf.local

    include "/etc/bind/named.conf.options";

    // prime the server with knowledge of the root servers
    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };

    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912

    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };

    zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
    };

    zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
    };

    zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
    };

    include "/etc/bind/named.conf.local";

    // TSIG key for zone transfers to the planned secondary (never finished)
    //key "TRANSFER" {
    //    algorithm hmac-md5;
    //    secret "+157+48374";
    //};

    //include "/etc/bind/rndc.key";
    server 1.18.2.170 {
    //    keys {
    //        TRANSFER;
    //    };
    };

    -end-
    Notice that at the end I tried to setup the secondary and bailed when it did not work.
     
  11. falko

    falko Super Moderator Howtoforge Staff

    Are there any named errors in your logs?
    What's the output of
    Code:
    ls -la /etc/bind/zones
    ?
     
  12. twink_dakid

    twink_dakid New Member

    twink@nsa:~$ ls -la /etc/bind/zones
    total 16
    drwxr-sr-x 2 root bind 4096 2008-10-03 07:40 .
    drwxr-sr-x 3 bind bind 4096 2008-10-04 17:03 ..
    -rw-r--r-- 1 root bind 625 2008-09-27 22:12 sample.net.db
    -rw-r--r-- 1 root bind 271 2008-10-03 07:40 rev.160.2.18.1.in-addr.arpa
     
  13. falko

    falko Super Moderator Howtoforge Staff

    Are there any errors in your logs?
     
  14. twink_dakid

    twink_dakid New Member

    It bothers me to no end when people do not post the solution so here goes:

    The event logs were fine. I could create many errors and then fix them right away. After reading A LOT of bind information I finally gave up and hired a friend who works with a bind server for his company. Still no help. Turns out most people do not run their own authoritative server for partial class C's. So here was my solution.

    vi /etc/bind/named.conf.local
    // -- wrong -- zone "160.2.18.1.in-addr.arpa" {
    // -- This had to match EXACTLY what my ISP sent me. --
    // -- So it became
    zone "160/27.2.18.1.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/rev.160.2.18.1.in-addr.arpa";
        allow-transfer { 1.18.2.170; };
        allow-update { none; };
        allow-query { any; };
    };

    After that everything worked. I at least learned a lot about bind and dns during this process but the dent in the front of my head still hurts a lot...

    Thanks for all the help.
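The fix above is an RFC 2317 classless reverse delegation: the ISP keeps the 2.18.1.in-addr.arpa zone, delegates a zone literally named 160/27.2.18.1.in-addr.arpa to the customer's server, and adds one CNAME per address pointing into it, so the zone name in named.conf.local has to match that label byte for byte. The helper below is an added example, not code from the thread or from BIND: it derives the delegated zone name for any sub-/24 block, generates both the ISP-side CNAMEs and the customer-side zone body, and flags a named.conf.local that declares the wrong name; the config strings, hostnames and PTR map in it are constructed.

```python
"""RFC 2317 classless reverse-DNS helper (added example, not from the thread).

For a block smaller than a /24 the ISP keeps 2.18.1.in-addr.arpa, delegates a
zone literally named "160/27.2.18.1.in-addr.arpa" to the customer and adds one
CNAME per address pointing into it; named.conf.local must use that exact name.
"""
import ipaddress
import re

ZONE_RE = re.compile(r'zone\s+"([^"]+)"')  # zone names declared in named.conf

def delegated_zone_name(cidr: str) -> str:
    """Zone the ISP delegates, e.g. 1.18.2.160/27 -> 160/27.2.18.1.in-addr.arpa."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 is for IPv4 blocks between /25 and /31")
    o = str(net.network_address).split(".")
    return f"{o[3]}/{net.prefixlen}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"

def isp_cname_records(cidr: str) -> list:
    """CNAMEs the ISP adds to its /24 reverse zone (owner = last octet)."""
    zone = delegated_zone_name(cidr)
    octets = [str(ip).split(".")[3] for ip in ipaddress.ip_network(cidr)]
    return [f"{o} IN CNAME {o}.{zone}." for o in octets]

def customer_zone(cidr: str, ptrs: dict, ns: str) -> str:
    """Body of the customer's delegated zone: owner label is the last octet."""
    net = ipaddress.ip_network(cidr)
    lines = [f"@ IN NS {ns}."]
    for ip, host in sorted(ptrs.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is outside {cidr}")
        lines.append(f"{ip.rsplit('.', 1)[1]} IN PTR {host}.")
    return "\n".join(lines)

def named_conf_matches(named_conf_local: str, cidr: str) -> bool:
    """True only if named.conf.local declares the exact delegated zone name."""
    return delegated_zone_name(cidr) in ZONE_RE.findall(named_conf_local)

if __name__ == "__main__":
    CIDR = "1.18.2.160/27"  # block from the thread
    WRONG = 'zone "160.2.18.1.in-addr.arpa" { type master; };'     # constructed
    RIGHT = 'zone "160/27.2.18.1.in-addr.arpa" { type master; };'  # constructed
    print(named_conf_matches(WRONG, CIDR), named_conf_matches(RIGHT, CIDR))
    print("\n".join(isp_cname_records(CIDR)[:3]))
    print(customer_zone(CIDR, {"1.18.2.171": "nsa.sample.net",
                               "1.18.2.161": "mail.sample.net"}, "nsa.sample.net"))
```

Only the customer-side output is something the thread's poster would install; the CNAME list is what to ask the ISP to confirm is present in their /24 zone, since a missing CNAME leaves a PTR lookup at NXDOMAIN no matter how the customer zone is named.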
     
