DNS Problem (Ubu Server 7.10)

Discussion in 'Server Operation' started by normanp, Jan 30, 2008.

  1. normanp

    normanp New Member

    I have set up bind9 on my server. It is for the LAN only and has no Internet connection.
    I used:
    as my guide but substituted 'myorg' for their 'mydomain.lan'.

    To test it on that same server I tried:

    dig myorg

    The response after some time was:

    ...connection timed out; no servers could be reached.

    I am not sure how to proceed from here - any help would be appreciated - many thanks.
  2. topdog

    topdog Active Member

    check /etc/resolv.conf and also
    netstat -ntlp
    Does the resolv.conf point to the server and is it listening?
  3. normanp

    normanp New Member

    /etc/resolv.conf has this:

    netstat -ntlp produces a list that includes:
    tcp 0 0* LISTEN 3975/named
    then the same with
    then the same with
    tcp6 0 0 :::53 :::* LISTEN 3975/named
    then the same with ::1:953

    My server's IP address (confirmed with ifconfig) is

    This looks like resolv.conf is wrong: weird as I have never edited it! I will try changing it to and reboot. Is this the correct action? What is this file for? Is it needed at all?

    By the way the connected Vista workstation would not get an ipv4 DNS server address until I disabled ipv6 by putting 'off' at the end of the line:
    alias net-pf-10 ipv6
    in file /etc/modprobe.d/aliases
    (done after web search on topic - but not understood!)
    However maybe it didn't get a DNS address because of resolv.conf??
    Last edited: Jan 31, 2008
  4. topdog

    topdog Active Member

    Yes, change it to the correct address; you can even use for that, and there is no need to reboot: the resolver library reads that file each time a resolution request is made.
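    The diagnosis topdog gives above (does resolv.conf point at an address named is actually bound on?) can be scripted over saved command output. This is an added example, not code from the thread or from the BIND or ISC DHCP projects: it reads a resolv.conf, the output of `netstat -ntlp` and the output of `ip -o addr`, and reports any nameserver that is either not an address of this host or has no port 53 listener. The server address 192.168.1.10 and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check that the nameserver(s) in a
# resolv.conf are addresses of this host on which named is listening, using
# the "Local Address" column of "netstat -ntlp" and the addresses from
# "ip -o addr". All inputs are files so the check runs on saved output; the
# demo data at the bottom is constructed.

# Print the nameserver addresses from a resolv.conf file, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print the local addresses with a listener on port 53 (DNS) from
# "netstat -ntlp" style lines; field 4 is "Local Address", e.g. 127.0.0.1:53
# or :::53. Port 953 (the rndc control channel) is deliberately not matched.
dns_listen_addrs() {
    awk '$4 ~ /:53$/ { sub(/:53$/, "", $4); print $4 }' "$1"
}

# Print this host's addresses from "ip -o addr" output (field 3 is inet or
# inet6, field 4 is address/prefix).
local_addrs() {
    awk '$3 == "inet" || $3 == "inet6" { sub(/\/.*/, "", $4); print $4 }' "$1"
}

# check_resolver RESOLV_CONF NETSTAT_OUT IP_ADDR_OUT
# Return 0 if every nameserver is a local address with a DNS listener
# (exact match, or the 0.0.0.0 / :: wildcard of its family); otherwise
# report each problem on stderr and return 1. A nameserver that points
# elsewhere is exactly the "no servers could be reached" symptom.
check_resolver() {
    resolv_conf="$1"; netstat_out="$2"; ip_addr_out="$3"
    listeners=$(dns_listen_addrs "$netstat_out")
    addrs=$(local_addrs "$ip_addr_out")
    rc=0
    for ns in $(resolv_nameservers "$resolv_conf"); do
        is_local=no
        for a in $addrs; do
            if [ "$a" = "$ns" ]; then is_local=yes; fi
        done
        if [ "$is_local" = no ]; then
            echo "nameserver $ns is not an address of this host" >&2
            rc=1
            continue
        fi
        case "$ns" in *:*) wild="::" ;; *) wild="0.0.0.0" ;; esac
        served=no
        for l in $listeners; do
            if [ "$l" = "$ns" ] || [ "$l" = "$wild" ]; then served=yes; break; fi
        done
        if [ "$served" = no ]; then
            echo "nameserver $ns: named has no port 53 listener on that address" >&2
            rc=1
        fi
    done
    return $rc
}

# Demonstration on constructed input: a LAN server at 192.168.1.10 whose
# resolv.conf still names a router address that runs no DNS.
demo_dir=$(mktemp -d)
printf 'search myorg\nnameserver 192.168.1.254\n' > "$demo_dir/resolv.conf"
cat > "$demo_dir/netstat.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:53         0.0.0.0:*               LISTEN      3975/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      3975/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      3975/named
tcp6       0      0 :::53                   :::*                    LISTEN      3975/named
EOF
cat > "$demo_dir/ipaddr.txt" <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo
1: lo    inet6 ::1/128 scope host
2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0
EOF
if check_resolver "$demo_dir/resolv.conf" "$demo_dir/netstat.txt" "$demo_dir/ipaddr.txt"; then
    echo "resolv.conf points at a local DNS listener"
else
    echo "fix: set 'nameserver 192.168.1.10' (or 127.0.0.1) in /etc/resolv.conf"
fi
rm -rf "$demo_dir"
```

On a live box the three inputs are `/etc/resolv.conf`, `netstat -ntlp > netstat.txt` and `ip -o addr > ipaddr.txt`; the function only reports on what those files say, so it works on output copied from another machine as well.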
  5. normanp

    normanp New Member

    I changed it to in resolv.conf and now dig myorg functions!
    I will now examine the report it makes and test if the Vista machine is seeing this DNS server properly...

    OK - now DNS is up and running: from the Vista machine I can ping usrv1.myorg and I can http://usrv1 in IE!

    Now I will enable DDNS...
    (I have only defined an A record for the server - I expect DDNS to supply others when allocated by the DHCP service)
    Last edited: Jan 31, 2008
  6. topdog

    topdog Active Member

    For DDNS all you need to do is add the key you are going to use to sign the updates to /etc/dhcpd.conf and then add a zone to the file as well.

    Then allow the key to update the zone in /etc/named.conf.
  7. normanp

    normanp New Member

    I re-enabled ipv6 after the above and the Vista machine now still received a DNS server IP OK, so it must have been the resolv.conf that caused it not to get one.

    For DDNS I have followed:

    In /etc/bind/named.conf.local
    I added to the zones:
    allow-update { key "rndc-key"; };
    notify yes;

    In /etc/dhcp3/dhcpd.conf:
    I omitted:
    option ntp servers (I don't think I have one)
    option routers (I don't have one)
    and adapted other bits (IP addresses, domain-name, server-name)

    On restarting dhcp3 it complained about permissions to /etc/bind/rndc.key and failed to start.

    I then chmodded this file (444) and dhcp then restarted OK.
    I have yet to test if DDNS functions.

    A few questions:
    Where does DDNS add A records to? Does it automatically increment the serial number? Does it remove them again after a time?
    Is 'allow unknown clients' in the subnet section of /etc/dhcp3/dhcp.conf a security risk or needed for DDNS to function?
    Is my chmod a security risk?

    Thanks again.
    Last edited: Jan 31, 2008
  8. topdog

    topdog Active Member

    Changing the permissions on the key file is a very BAD idea: it means now that anyone, even the user nobody, can change your DNS. What you need to do is get the contents of the file and add them to /etc/dhcp3/dhcp.conf.

    As for the unknown clients, you need that there, otherwise you will have to add a declaration for each host that you want to get an address from your server.
  9. normanp

    normanp New Member

    Oops - on restarting my server this morning bind fails to start with messages about permissions. I think this is the outcome of trying to configure DDNS without a proper understanding of what the changes in configuration are for! I will now go back to the pre-DDNS state and ensure DHCP & DNS function properly - then study it a bit more...

    BTW the key file permissions were still read-only so I can't see the difference between copying this into /etc/dhcp3/dhcp.conf and having include statements in dhcpd.conf...

    As a newb I must say I find the man pages vary a lot in quality. For example they don't always give simple examples of use or explain exactly what they are doing (example: try finding out exactly what quota does when counting bytes for groups!). I also find how-to's with errors get copied all round the web without crediting the source (eg the need to change the zone file serial number when updating the file or whether to use quota.user or aquota.user). In a way I feel it is up to the creators/maintainers of apps and distros to keep authoritative, correct and exhaustive man pages / help sites! This need not matter except that many people may be running insecure servers as a result... Ok - rant over - sorry if I have trodden on any toes!
  10. topdog

    topdog Active Member

    That is the point: if the user nobody, who is a guest, can read your key file, it means that they can update your DNS at will, and they can stop your server too, as the key is used to control rndc.

    When you put the key contents in the dhcp file that is different, as that file can only be read by root, so your key is not compromised. But anyway, it is not like the server is on the internet, so there is no need to freak over that.

    Actually RHEL had an update recently to the bind package because the key file was being installed readable by everyone.
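    Posts 8 and 10 make the point that the key in /etc/bind/rndc.key authorises both dynamic updates and rndc control, so a chmod 444 hands that authority to every local account. The audit below is an added example, not code from the thread or from the BIND package: it checks a key file for "other" access and group write, and optionally for the expected owner and group (root:bind is the usual Debian/Ubuntu layout, stated here as an assumption). The sample key file and secret are constructed. A separate TSIG key for DHCP updates, distinct from the rndc key, is the usual way to keep a leaked update key from also giving rndc control.

```shell
#!/bin/sh
# Added example, not from the thread: audit a BIND key file such as
# /etc/bind/rndc.key. Whoever can read the key can sign dynamic updates and
# rndc commands with it, so the file must grant nothing to "other" and
# should not be writable by its group. Uses GNU stat (Linux); the demo
# files are constructed in a temporary directory.

# audit_key_file FILE [OWNER] [GROUP]
# Return 0 if FILE is a regular file whose mode grants nothing to "other"
# and no write bit to "group", and (if given) has the expected owner and
# group; print each finding on stderr and return 1 otherwise.
audit_key_file() {
    file="$1"; want_owner="${2:-}"; want_group="${3:-}"
    if [ ! -f "$file" ]; then
        echo "$file: missing or not a regular file" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$file")      # e.g. 444 or 640
    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    other=$(( mode % 10 ))            # last octal digit: "other" bits
    grp=$(( (mode / 10) % 10 ))       # middle digit: "group" bits
    rc=0
    if [ "$other" -ne 0 ]; then
        echo "$file: mode $mode grants access to every user (other=$other)" >&2
        rc=1
    fi
    if [ $(( grp & 2 )) -ne 0 ]; then
        echo "$file: mode $mode is group-writable" >&2
        rc=1
    fi
    if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
        echo "$file: owner is $owner, expected $want_owner" >&2
        rc=1
    fi
    if [ -n "$want_group" ] && [ "$group" != "$want_group" ]; then
        echo "$file: group is $group, expected $want_group" >&2
        rc=1
    fi
    return $rc
}

# Demonstration: the chmod 444 from the thread versus a 640 key file.
# The key statement below is constructed; the secret is a placeholder.
demo_dir=$(mktemp -d)
key="$demo_dir/rndc.key"
printf 'key "rndc-key" {\n\talgorithm hmac-md5;\n\tsecret "CONSTRUCTED-PLACEHOLDER-SECRET==";\n};\n' > "$key"
chmod 444 "$key"
audit_key_file "$key" || echo "-> world-readable key; restore with: chmod 640 $key"
chmod 640 "$key"
audit_key_file "$key" && echo "-> $key permissions are acceptable"
rm -rf "$demo_dir"
```

Run it as `audit_key_file /etc/bind/rndc.key root bind` on a Debian-style install (the root:bind expectation is an assumption about that layout, not something the thread states). The same function works for the separate DHCP update key file if you keep one, and for dhcpd.conf itself once the key statement has been pasted into it, since that file then carries the secret too.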
  11. normanp

    normanp New Member

    Thanks again topdog. Apart from the above rant I should say that as a newb I find the community support (as in this site) amazing - and that it is this continuous discussion that will drive forward quality. So different from the loneliness of the long-suffering M$ user!
    Back to my homework. If it is OK I will get back to you when I am clear what I am doing.
  12. topdog

    topdog Active Member

    The beautiful thing about picking the errors in others' tutorials is that it makes you a better admin, enabling you to learn more. The best thing is to mail the author with a bug report and get them to fix it.
  13. normanp

    normanp New Member

    I have made a lot of progress but I am still not clear if ddns is functioning correctly.

    After sorting out the config files I noticed that the lease in /var/lib/dhcp3/leases did not mention ddns-text etc as it should. On looking in /var/log/daemon.log when renewing a lease I noticed that permission was denied to /etc/bind/zones for writing myorg.db.jnl. I chmodded that dir to 774 and the journal could now be written successfully (I hope this is not a new security hole!).

    Now in the lease in /var/lib/dhcp3/dhcpd.leases I see in the lease description 'set ddns-txt = ...' and set 'ddns-fwd-name = "...' which seems to indicate that ddns now functions. However I think it doesn't because there is no mention of ddns-rev-name, and the files myorg.db (my fwd zone file) and the rev file are unaffected.

    I cannot find out where the ddns should put the new A (and rev) records... Should these appear in myorg.db (and the rev file)? Perhaps the permissions are wrong on myorg.db for bind to update it - after all I created this file not the installer!
    (I have just checked and myorg.db has the same permissions and owners as myorg.db.jnl so surely this is OK. The rev file had user owner root and I have changed this to bind. Now the dir and all its files have the same perms and owners)

    Thanks for any help offered.
    Last edited: Feb 6, 2008
  14. normanp

    normanp New Member

    Further to the previous post:
    DDNS is now half working: the zone file /etc/bind/zones/myorg.db is being updated with an A record for my client machine and I can now ping the client by name from the server! Incidentally this whole zone file has been tidied up for me by bind at the same time.

    However the reverse lookup file is not being updated - I expected a PTR record to appear for the client when I ipconfig /release then renew on the Windows client.

    Again any help would be appreciated.

    Quite a lot of steps were required to make DDNS function this far - I don't know if it would be helpful to post them here.
  15. topdog

    topdog Active Member

    You need entries for both the forward and reverse in your dhcpd config, and then also allow the reverse to be updated by the key; it should work.
  16. normanp

    normanp New Member

    I now have DDNS fully functioning. The reverse zone wasn't being updated because I didn't have an NS entry in the reverse zone file!

    Curiously the zone files don't get updated immediately by DDNS - there seems to be a delay. I can see that the jnl files get written then 'something' uses these to do the update. It would be useful to be able to kick this to be immediate when testing as it had me confused and slows down the testing.

    I have found nslookup very disappointing on the Linux box! On the Win workstation I can nslookup then:
    > ls -d myorg
    > ls -t PTR 1.168.192.in-addr.arpa
    (where myorg and 1.168.192.in-addr.arpa are my zone names as defined in /etc/bind/named.conf.local on the server)
    Am I missing something? (surely M$ doesn't do this better!!)

    Just to close this thread I will post all the relevant files and where to look to monitor if ddns functions / faultfind problems.
  17. topdog

    topdog Active Member

    Nslookup is deprecated on Linux; most distros actually tell you that. Rather use dig or host.
  18. normanp

    normanp New Member

    I have tried dig and host and I can't get either to list the A and PTR records that DDNS added! They list all the other stuff (SOA, MX, NS etc). I know they are there because nslookup on the Win box lists them and they are in the zone files.
    Maybe I am using these tools wrongly...
  19. topdog

    topdog Active Member

    Could be that your /etc/resolv.conf is pointing to another server.
  20. normanp

    normanp New Member

    resolv.conf is fine (see post 5 where it was wrong - this stopped dig & dns functioning at all). I wonder if this is some limitation of dig? Maybe it only lists records pointing to this server?
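    What posts 18 and 20 run into is not a dig limitation: dig and host answer one name per query, while the `ls -d` listing in Windows nslookup is a zone transfer (AXFR), which the server only grants to hosts matched by allow-transfer in named.conf. The following is an added example, not code from the thread or from the BIND project: it shows the per-name queries and the AXFR form of dig, and two small helpers that pull the A and PTR records out of a dig AXFR answer. The server address 192.168.1.10, the host vista1, the serial numbers and both sample answers are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: dig and host answer one name per
# query, so they will never "list" a zone the way "ls -d" in Windows
# nslookup does; that listing is a zone transfer (AXFR), which named only
# grants to hosts allowed by allow-transfer. The helpers below extract the
# A and PTR records from a "dig ... AXFR" answer. Server address, host
# names and the sample answers are constructed for the example.

# One record at a time, asked of the LAN server directly:
#   dig @192.168.1.10 +short vista1.myorg A        # forward lookup
#   dig @192.168.1.10 +short -x 192.168.1.50       # reverse lookup (PTR)
# The whole zone, if this host is allowed to transfer it:
#   dig @192.168.1.10 myorg AXFR
#   dig @192.168.1.10 1.168.192.in-addr.arpa AXFR
# Restricting who may do that, in the zone or options block of named.conf
# (constructed setting; the point is not to leave it at "any"):
#   allow-transfer { 127.0.0.1; 192.168.1.10; };

# Print "name type rdata" for the A and PTR records in dig AXFR output read
# from stdin. dig prints ";"-prefixed comments and records as
# "name ttl IN type rdata", so field 4 is the record type.
list_a_ptr() {
    awk '!/^;/ && NF >= 5 && ($4 == "A" || $4 == "PTR") { print $1, $4, $5 }'
}

# Count the A/PTR records that are not at the zone apex, i.e. the host
# records DDNS (or the admin) has added below ZONE.
count_host_records() {
    zone="$1"
    list_a_ptr | awk -v apex="$zone." '$1 != apex' | wc -l | tr -d ' '
}

# Constructed sample answers, in the layout dig uses for an AXFR.
SAMPLE_FWD_AXFR='; <<>> DiG <<>> @192.168.1.10 myorg AXFR
;; global options:  printcmd
myorg.            604800  IN  SOA  usrv1.myorg. root.myorg. 2008020601 604800 86400 2419200 604800
myorg.            604800  IN  NS   usrv1.myorg.
myorg.            604800  IN  MX   10 usrv1.myorg.
usrv1.myorg.      604800  IN  A    192.168.1.10
vista1.myorg.     3600    IN  A    192.168.1.50
vista1.myorg.     3600    IN  TXT  "constructed-ddns-txt-hash"
myorg.            604800  IN  SOA  usrv1.myorg. root.myorg. 2008020601 604800 86400 2419200 604800
;; Query time: 1 msec'

SAMPLE_REV_AXFR='; <<>> DiG <<>> @192.168.1.10 1.168.192.in-addr.arpa AXFR
1.168.192.in-addr.arpa.     604800  IN  SOA  usrv1.myorg. root.myorg. 2008020601 604800 86400 2419200 604800
1.168.192.in-addr.arpa.     604800  IN  NS   usrv1.myorg.
10.1.168.192.in-addr.arpa.  604800  IN  PTR  usrv1.myorg.
50.1.168.192.in-addr.arpa.  3600    IN  PTR  vista1.myorg.
1.168.192.in-addr.arpa.     604800  IN  SOA  usrv1.myorg. root.myorg. 2008020601 604800 86400 2419200 604800
;; XFR size: 5 records'

echo "forward zone host records:"
printf '%s\n' "$SAMPLE_FWD_AXFR" | list_a_ptr
echo "reverse zone host records:"
printf '%s\n' "$SAMPLE_REV_AXFR" | list_a_ptr
echo "hosts in myorg: $(printf '%s\n' "$SAMPLE_FWD_AXFR" | count_host_records myorg)"
```

Against the live server the pipeline is `dig @192.168.1.10 myorg AXFR | list_a_ptr`; if the transfer is refused, that is allow-transfer doing its job, and the per-name queries above still confirm the records DDNS wrote. The TXT record beside the client's A record is the one dhcpd uses to mark entries it owns, which is why it shows up in a transfer next to the A record.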
