ERR_NAME_RESOLUTION_FAILED | DNS_PROBE_FINISHED_NXDOMAIN

Discussion in 'ISPConfig 3 Priority Support' started by Frankenstein, Aug 4, 2018.

  1. Frankenstein

    Frankenstein Member

    Hey Guys,

    Yesterday I tried to get my nameservers working with my domain, which is located in the Hetzner domain robot. I created a primary DNS zone for the domain and for my master FQDN on ISPConfig. The one for the master is working, but not the one for the company domain.
    (fqdn: control.domain.tld company domain: domain.tld)

    When I try to change the domain nameservers in the robot to my nameservers, the following message shows:
    "Error: Unknown nameserver: ns1.domain.tld"

    But when the nameserver is unknown, why is the FQDN of the master working fine with the DNS entry?

    Best regards,
    Frankenstein
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    A DNS zone should be created for domain.tld only, one would not create one for control.domain.tld. control.domain.tld is a DNS A-Record in the zone domain.tld.

    When you use subdomains of the same zone as NS records, then ensure that you created A-Records for them as well.

    Example: When you have a zone domain.tld with ns1.domain.tld and ns2.domain.tld as NS records, then the zone must also contain ns1 and ns2 as A-Records.
     
  3. Frankenstein

    Frankenstein Member

    Done - but straight the same issue - also for the master fqdn.
    //Edit
    Here are some outputs from ns1 and ns2 (but monitoring says all servers are fine):

    Code:
    Aug 04 21:29:51 ns1 named[852]: client 192.168.77.5#47563 (domain.tld): zone transfer 'domain.tld/AXFR/IN' denied
    Aug 04 21:45:21 ns1 named[852]: client 192.168.77.5#48825 (domain.tld): zone transfer 'domain.tld/AXFR/IN' denied
    Aug 04 22:09:27 ns1 named[852]: client 192.168.77.5#51923 (domain.tld): zone transfer 'domain.tld/AXFR/IN' denied
    Aug 04 22:21:45 ns1 named[852]: client 185.35.62.59#60706 (www.google.com): query (cache) 'www.google.com/A/IN' denied
    Aug 04 22:36:33 ns1 named[852]: client 47.89.192.12#24581 (www.iana.org): query (cache) 'www.iana.org/A/IN' denied
    Aug 04 23:04:29 ns1 named[852]: client 192.168.77.5#39773 (domain.tld): zone transfer 'domain.tld/AXFR/IN' denied
    Aug 05 00:52:38 ns1 named[852]: client 192.168.77.5#60597 (domain.tld): zone transfer 'domain.tld/AXFR/IN' denied
    Aug 05 04:20:02 ns1 named[852]: client 74.82.47.58#57485 (dnsscan.shadowserver.org): query (cache) 'dnsscan.shadowserver.org/A/IN' denied
    Aug 05 04:51:25 ns1 named[852]: client 192.168.77.5#34431 (domain.tld): zone transfer 'domain.tld/AXFR/IN' denied
    Aug 05 08:47:14 ns1 named[852]: client 134.147.203.115#31207 (v9c5.ab55459f.wc.syssec.rub.de): query (cache) 'v9c5.ab55459f.wc.syssec.rub.de/A/IN' denied
    
    Code:
    Aug 05 00:52:38 ns2 named[852]: transfer of 'domain.tld/IN' from 192.168.77.5#53: Transfer status: REFUSED
    Aug 05 00:52:38 ns2 named[852]: transfer of 'domain.tld/IN' from 192.168.77.5#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
    Aug 05 00:52:38 ns2 named[852]: zone domain.tld/IN: refresh: unexpected rcode (SERVFAIL) from master 159.69.85.86#53 (source 0.0.0.0#0)
    Aug 05 02:18:23 ns2 named[852]: client 74.82.47.62#57537 (dnsscan.shadowserver.org): query (cache) 'dnsscan.shadowserver.org/A/IN' denied
    Aug 05 04:51:25 ns2 named[852]: zone domain.tld/IN: Transfer started.
    Aug 05 04:51:25 ns2 named[852]: transfer of 'domain.tld/IN' from 192.168.77.5#53: connected using 159.69.85.86#34431
    Aug 05 04:51:25 ns2 named[852]: transfer of 'domain.tld/IN' from 192.168.77.5#53: failed while receiving responses: REFUSED
    Aug 05 04:51:25 ns2 named[852]: transfer of 'domain.tld/IN' from 192.168.77.5#53: Transfer status: REFUSED
    Aug 05 04:51:25 ns2 named[852]: transfer of 'domain.tld/IN' from 192.168.77.5#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
    Aug 05 04:51:25 ns2 named[852]: zone domain.tld/IN: refresh: unexpected rcode (SERVFAIL) from master 159.69.85.86#53 (source 0.0.0.0#0)
    
    IP addresses and domains from my side censored
     
    Last edited: Aug 5, 2018
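
Added example (not part of the original thread, and not ISPConfig or BIND code): the two kinds of `denied` lines in the logs above mean different things, and this script separates them. A denied AXFR from an address listed in `secondaries` points at the primary's transfer permissions, while `query (cache) ... denied` is an authoritative server refusing recursion for outside clients. `triage`, the bucket names and the sample addresses are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample lines in the same named log format as the output above
# (addresses come from documentation ranges, names are placeholders).
SAMPLE_LOG = """\
Aug 04 21:29:51 ns1 named[852]: client 192.0.2.5#47563 (example.tld): zone transfer 'example.tld/AXFR/IN' denied
Aug 04 22:21:45 ns1 named[852]: client 198.51.100.59#60706 (www.example.org): query (cache) 'www.example.org/A/IN' denied
Aug 04 23:04:29 ns1 named[852]: client 192.0.2.5#39773 (example.tld): zone transfer 'example.tld/AXFR/IN' denied
Aug 05 04:20:02 ns1 named[852]: client 203.0.113.58#57485 (scan.example.net): query (cache) 'scan.example.net/A/IN' denied
Aug 05 06:10:11 ns1 named[852]: client 203.0.113.77#40112 (example.tld): zone transfer 'example.tld/AXFR/IN' denied
"""

# Newer BIND releases put an "@0x..." token after "client"; accept both forms.
DENIED = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"(?P<kind>zone transfer|query \(cache\)) '(?P<name>[^/']+)/(?P<type>\w+)/IN' denied"
)

def triage(log_text, secondaries):
    """Sort denied requests into three buckets, counted per (client, name)."""
    report = {"secondary_blocked": Counter(), "foreign_axfr": Counter(),
              "recursion_refused": Counter()}
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue
        if m["kind"] == "zone transfer":
            # A listed secondary being refused is a configuration gap on the
            # primary; any other client asking for AXFR is worth a look.
            bucket = "secondary_blocked" if m["ip"] in secondaries else "foreign_axfr"
        else:
            bucket = "recursion_refused"
        report[bucket][(m["ip"], m["name"])] += 1
    return report

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_LOG, secondaries={"192.0.2.5"}).items():
        for (ip, name), count in hits.most_common():
            print(f"{bucket:18} {ip:15} {name:20} x{count}")
```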
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Use these steps to further check a DNS zone:

    1) Check the DNS records locally on the server:

    dig @localhost yourdomain.tld

    If that's OK, then check the subdomain that you got in the error message:

    dig @localhost ns1.yourdomain.tld

    If this is ok, then the DNS server is working properly. If not, continue with (2).

    2) Is there a copy of the zone file with an .err file ending for this zone in the zone file directory? (/etc/bind/ on Debian and Ubuntu servers)
    2a) If yes, use the named-checkzone command to test that .err file to find out why BIND rejects it.

    If the above is all ok, then you might need a glue record for ns1 on the DNS servers of your domain registry. http://wiki.gandi.net/en/glossary/glue-record
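
Added example (not part of the original thread): step 1 above, together with the earlier advice that NS names inside the zone need their own A records, can be checked on saved `dig @localhost` output. `check_dig`, `SAMPLE_DIG` and example.tld are hypothetical names for this example. A name missing from the response is only a hint, since a server may leave out additional data, so confirm it with a direct query for that name.

```python
import re

# Constructed dig output in the shape shown in this thread
# (example.tld and the 192.0.2.x addresses are placeholders).
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;example.tld.            IN    A

;; ANSWER SECTION:
example.tld.        3600    IN    A    192.0.2.1

;; AUTHORITY SECTION:
example.tld.        3600    IN    NS    ns1.example.tld.
example.tld.        3600    IN    NS    ns2.example.tld.

;; ADDITIONAL SECTION:
ns1.example.tld.    3600    IN    A    192.0.2.4
"""

RR = re.compile(r"^(\S+)[ \t]+\d+[ \t]+IN[ \t]+(\S+)[ \t]+(\S+)", re.M)

def check_dig(output, zone):
    """Return a list of problems found in one `dig @localhost` response."""
    problems = []
    status = re.search(r"status: (\w+)", output)
    if not status or status[1] != "NOERROR":
        problems.append(f"status is {status[1] if status else 'missing'}")
    flags = re.search(r"flags: ([a-z ]*);", output)
    if not flags or "aa" not in flags[1].split():
        problems.append("answer is not authoritative (no aa flag)")
    records = [(n.lower(), t, d.lower()) for n, t, d in RR.findall(output)]
    with_address = {n for n, t, _ in records if t in ("A", "AAAA")}
    suffix = "." + zone.lower().rstrip(".") + "."
    for _, rtype, target in records:
        # Only NS targets inside the zone need address records in this zone.
        if rtype == "NS" and target.endswith(suffix) and target not in with_address:
            problems.append(f"{target}: no A/AAAA in this response, query it directly")
    return problems

if __name__ == "__main__":
    print(check_dig(SAMPLE_DIG, "example.tld"))
```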
     
  5. Frankenstein

    Frankenstein Member

    Code:
    root@ns1 ~ # dig @localhost domain.tld
    
    ; <<>> DiG 9.10.3-P4-Debian <<>> @localhost domain.tld
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28707
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;domain.tld.            IN    A
    
    ;; ANSWER SECTION:
    domain.tld.        3600    IN    A    192.168.77.1
    
    ;; AUTHORITY SECTION:
    domain.tld.        3600    IN    NS    ns2.domain.tld.
    domain.tld.        3600    IN    NS    ns1.domain.tld.
    
    ;; ADDITIONAL SECTION:
    ns1.domain.tld.    3600    IN    A    192.168.77.4
    ns2.domain.tld.    3600    IN    A    192.168.77.5
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Aug 05 12:30:36 CEST 2018
    ;; MSG SIZE  rcvd: 125
    
    root@ns1 ~ # dig @localhost ns1.domain.tld
    
    ; <<>> DiG 9.10.3-P4-Debian <<>> @localhost ns1.domain.tld
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16831
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;ns1.domain.tld.        IN    A
    
    ;; ANSWER SECTION:
    ns1.domain.tld.    3600    IN    A    192.168.77.4
    
    ;; AUTHORITY SECTION:
    domain.tld.        3600    IN    NS    ns1.domain.tld.
    domain.tld.        3600    IN    NS    ns2.domain.tld.
    
    ;; ADDITIONAL SECTION:
    ns2.domain.tld.    3600    IN    A    192.168.77.5
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Aug 05 12:31:10 CEST 2018
    ;; MSG SIZE  rcvd: 109
    
    root@ns1 ~ # dig @localhost ns2.domain.tld
    
    ; <<>> DiG 9.10.3-P4-Debian <<>> @localhost ns2.domain.tld
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63166
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;ns2.domain.tld.        IN    A
    
    ;; ANSWER SECTION:
    ns2.domain.tld.    3600    IN    A    192.168.77.5
    
    ;; AUTHORITY SECTION:
    domain.tld.        3600    IN    NS    ns1.domain.tld.
    domain.tld.        3600    IN    NS    ns2.domain.tld.
    
    ;; ADDITIONAL SECTION:
    ns1.domain.tld.    3600    IN    A    192.168.77.4
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Aug 05 12:31:25 CEST 2018
    ;; MSG SIZE  rcvd: 109
    
     
  6. Frankenstein

    Frankenstein Member
