BIND name resolution issues.

Discussion in 'Server Operation' started by bentman78, May 5, 2009.

  1. bentman78

    bentman78 New Member

    I followed this example to get BIND up and running on CentOS.
    http://www.wains.be/index.php/2007/1...dns-with-bind/

    Problem is I can't get my domains to resolve.
    Even locally, dns names I add to my zones aren't resolving.
    Here is my named.conf:
    ################################## RNDC SETTINGS ######################################

    // we include the rndckey (copy-paste from rndc.key created earlier)
    key "rndckey" {
    algorithm hmac-md5;
    secret "xxxxxxxxxxxxxxxxxxxxxxxxx";
    };

    controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; };
    #inet xxx.xxx.xxx.xxx allow { any; } keys { "rndckey"; };
    };

    ################################## OPTIONS ####################################
    options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";

    recursion yes;

    allow-recursion {
    127.0.0.1;
    xxx.xxx.xxx.xxx;
    };

    // these are the opendns servers (optional)
    forwarders {
    208.67.222.222;
    208.67.220.220;
    };

    listen-on {
    127.0.0.1;
    xxx.xxx.xxx.xxx;
    };

    /*
    * If there is a firewall between you and nameservers you want
    * to talk to, you might need to uncomment the query-source
    * directive below. Previous versions of BIND always asked
    * questions using port 53, but BIND 8.1 uses an unprivileged
    * port by default.
    */
    #query-source address * port 53;

    // so people can't try to guess what version you're running
    version "REFUSED";

    allow-query {
    any;
    #127.0.0.1;
    #xxx.xxx.xxx.xxx;
    };
    };

    server xxx.xxx.xxx.xxx {
    keys { rndckey; };
    };

    ######################################## ZONES ########################################

    zone "." IN {
    type hint;
    file "named.ca";
    };

    zone "domain1.com" IN {
    type master;
    file "data/domain1.com.zone";
    };


    zone "domain2.com" IN {
    type master;
    file "data/domain2.com.zone";
    };

    One of my zone files:
    $ttl 38400
    domain2.com. IN SOA ns.domain2.com. admin.domain2.com. (
    20090429 ; Serial
    10800 ; Refresh after 3 hours
    3600 ; Retry after 1 hour
    604800 ; Expire after 1 week
    86400 ) ; Minimum TTL of 1 day

    domain2.com. IN NS ns1.domain2.com.

    domain2.com. IN MX 1 mx.domain2.com.

    www.domain2.com. IN A xxx.xxx.xxx.xxx
    ns1.domain2.com. IN A xxx.xxx.xxx.xxx
    ns2.domain2.com. IN A xxx.xxx.xxx.xxx
    mx.domain2.com. IN A xxx.xxx.xxx.xxx
    node1.domain2.com. IN A xxx.xxx.xxx.xxx
    webmail.domain2.com IN A xxx.xxx.xxx.xxx
    mailadmin.domain2.com IN A xxx.xxx.xxx.xxx
    mail.domain2.com. IN CNAME mx.domain2.com.


The problem is some of the domains are resolving, but most aren't. When I try to do nslookup www.google.com 127.0.0.1, it's not resolving locally. Because of this, when I do nslookup www.domain2.com 127.0.0.1 I'm not getting the correct response. I was wondering if IPTables has anything to do with it. I have this in my ruleset:
    -A INPUT -p udp -m udp --sport 53 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT

    Can anyone help me? I really need to get this up. Any help is appreciated.
     
  2. topdog

    topdog Active Member

    I doubt your BIND is even working, because you cannot comment using #, which you have done around the allow-query setting. The config file is malformed.

    Run the command
    Code:
    named-checkconf
     
  3. bentman78

    bentman78 New Member

    service named configtest
    is fine. Both zones load without a problem.
     
  4. topdog

    topdog Active Member

    There is definitely a typo in your named.conf. What's the output of
    Code:
    dig www.google.com @127.0.0.1
     
  5. bentman78

    bentman78 New Member

    ; (1 server found)
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25585
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.google.com. IN A

    ;; ANSWER SECTION:
    www.google.com. 21 IN CNAME google.navigation.opendns.com.
    google.navigation.opendns.com. 21 IN A 208.67.217.231
    google.navigation.opendns.com. 21 IN A 208.67.217.230

    ;; AUTHORITY SECTION:
    . 516485 IN NS l.root-servers.net.
    . 516485 IN NS m.root-servers.net.
    . 516485 IN NS a.root-servers.net.
    . 516485 IN NS b.root-servers.net.
    . 516485 IN NS c.root-servers.net.
    . 516485 IN NS d.root-servers.net.
    . 516485 IN NS e.root-servers.net.
    . 516485 IN NS f.root-servers.net.
    . 516485 IN NS g.root-servers.net.
    . 516485 IN NS h.root-servers.net.
    . 516485 IN NS i.root-servers.net.
    . 516485 IN NS j.root-servers.net.
    . 516485 IN NS k.root-servers.net.

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue May 5 17:00:27 2009
    ;; MSG SIZE rcvd: 315
     
  6. topdog

    topdog Active Member

    www.domain2.com may not be resolving correctly because the queries are being sent out to the forwarders instead of being handled locally.
     
  7. bentman78

    bentman78 New Member

    The problem is I can't resolve the domains locally or from my machine at home.
    Should I take the forwarders out?
     
  8. topdog

    topdog Active Member

    You should be able to resolve queries via the hints file without forwarders. Those domains you have locally, are they pointed correctly from the registry or not? If they are not pointed from the registry, then you will have issues resolving them using the forwarders.
     
  9. bentman78

    bentman78 New Member

    the glue records?
    I have them pointing to the correct name servers.
     
  10. topdog

    topdog Active Member

    Okay, then take out the forwarders and run the query against the localhost as well as the opendns servers and see which is different.
     
  11. bentman78

    bentman78 New Member

    I'm still having issues:
    [root@localhost data]# nslookup webmail.domain2.com
    Server: 127.0.0.1
    Address: 127.0.0.1#53

    ** server can't find webmail.domain2.com: NXDOMAIN

    [root@localhost data]# cat zone.*
    $ttl 38400
    domain2.com. IN SOA ns1.domain2.com. admin.domain2.com. (
    20090429 ; Serial
    10800 ; Refresh after 3 hours
    3600 ; Retry after 1 hour
    604800 ; Expire after 1 week
    86400 ) ; Minimum TTL of 1 day

    domain2.com. IN NS ns1.domain2.com.

    domain2.com. IN MX 1 mx.domain2.com.

    www.domain2.com. IN A xxx.xxx.xxx.xxx
    ns1.domain2.com. IN A xxx.xxx.xxx.xxx
    ns2.domain2.com. IN A xxx.xxx.xxx.xxx
    mx.domain2.com. IN A xxx.xxx.xxx.xxx
    node1.domain2.com. IN A xxx.xxx.xxx.xxx
    webmail.domain2.com IN A xxx.xxx.xxx.xxx
    mailadmin.domain2.com IN A xxx.xxx.xxx.xxx
    mail.domain2.com. IN CNAME mx.domain2.com.

    This is the output of dig www.google.com:
    ; <<>> DiG 9.3.4-P1 <<>> www.google.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33568
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.google.com. IN A

    ;; ANSWER SECTION:
    www.google.com. 30 IN CNAME google.navigation.opendns.com.
    google.navigation.opendns.com. 30 IN A 208.67.217.230
    google.navigation.opendns.com. 30 IN A 208.67.217.231

    ;; AUTHORITY SECTION:
    . 516864 IN NS M.ROOT-SERVERS.NET.
    . 516864 IN NS A.ROOT-SERVERS.NET.
    . 516864 IN NS B.ROOT-SERVERS.NET.
    . 516864 IN NS C.ROOT-SERVERS.NET.
    . 516864 IN NS D.ROOT-SERVERS.NET.
    . 516864 IN NS E.ROOT-SERVERS.NET.
    . 516864 IN NS F.ROOT-SERVERS.NET.
    . 516864 IN NS G.ROOT-SERVERS.NET.
    . 516864 IN NS H.ROOT-SERVERS.NET.
    . 516864 IN NS I.ROOT-SERVERS.NET.
    . 516864 IN NS J.ROOT-SERVERS.NET.
    . 516864 IN NS K.ROOT-SERVERS.NET.
    . 516864 IN NS L.ROOT-SERVERS.NET.

    ;; Query time: 4 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Wed May 6 11:53:34 2009
    ;; MSG SIZE rcvd: 315

    and my domain:
    ; <<>> DiG 9.3.4-P1 <<>> domain2.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23182
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;domain2.com. IN A

    ;; AUTHORITY SECTION:
    domain2.com. 38400 IN SOA ns1.domain2.com. admin.domain2.com. 20090429 10800 3600 604800 86400

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Wed May 6 11:57:56 2009
    ;; MSG SIZE rcvd: 82


    I have the following iptables rules installed
    iptables -I INPUT -p udp --dport 53 -j ACCEPT
    iptables -I OUTPUT -p udp --sport 53 -j ACCEPT


    Anyone seen this before?
     
  12. falko

    falko Super Moderator ISPConfig Developer

    There are dots missing. It should be:
    webmail.domain2.com. IN A xxx.xxx.xxx.xxx
    mailadmin.domain2.com. IN A xxx.xxx.xxx.xxx
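
    An added check for the missing-dot problem falko points out (example code, not from the thread or from BIND): the zone parser treats an owner name without a trailing dot as relative and appends $ORIGIN, so `webmail.domain2.com` is loaded as `webmail.domain2.com.domain2.com.` and the name actually queried returns NXDOMAIN. The sample zone below is constructed after the posted one, and the record regex is a simplified parser that ignores $ttl, comments and SOA continuation lines.

```python
import re

# Constructed sample modelled on the zone posted above (not the poster's file verbatim).
SAMPLE_ZONE = """\
$ttl 38400
domain2.com. IN SOA ns1.domain2.com. admin.domain2.com. (
    20090429 ; Serial
    86400 ) ; Minimum TTL
domain2.com. IN NS ns1.domain2.com.
www.domain2.com. IN A 192.0.2.10
webmail.domain2.com IN A 192.0.2.11
mailadmin.domain2.com IN A 192.0.2.12
mail.domain2.com. IN CNAME mx.domain2.com.
"""

# Simplified record matcher: owner, optional TTL, optional class, record type.
RECORD_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|AAAA|CNAME|MX|NS|SOA|TXT)\b')


def qualify(name, origin):
    """Expand an owner name the way the zone loader does: a name without a
    trailing dot is relative, so the origin is appended to it."""
    origin = origin.rstrip('.') + '.'
    if name == '@':
        return origin
    return name if name.endswith('.') else f'{name}.{origin}'


def find_double_suffixed(zone_text, origin):
    """Return [(line_no, owner_as_written, effective_owner)] for records whose owner
    already ends in the origin but lacks the trailing dot, so it gets the origin
    appended a second time and queries for the intended name return NXDOMAIN."""
    origin = origin.rstrip('.') + '.'
    bad = []
    for n, line in enumerate(zone_text.splitlines(), 1):
        m = RECORD_RE.match(line.split(';')[0])
        if not m:
            continue  # $ttl, blank/comment lines, SOA continuation lines
        owner = m.group(1)
        looks_absolute = (owner + '.') == origin or (owner + '.').endswith('.' + origin)
        if not owner.endswith('.') and looks_absolute:
            bad.append((n, owner, qualify(owner, origin)))
    return bad


def fix_zone(zone_text, origin):
    """Append the missing trailing dot to every owner flagged by find_double_suffixed."""
    lines = zone_text.splitlines()
    for n, owner, _ in find_double_suffixed(zone_text, origin):
        lines[n - 1] = lines[n - 1].replace(owner, owner + '.', 1)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    for n, owner, effective in find_double_suffixed(SAMPLE_ZONE, 'domain2.com'):
        print(f'line {n}: "{owner}" is loaded as "{effective}"')
```

    Running named-checkzone on a file like this reports no error, since a relative owner name is perfectly legal; only a query for the intended name (or a check like this one) exposes the mistake.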
     
