Hey Guys, yesterday I tried to get my nameservers working with my domain, which is located in the Hetzner domain robot. I created a primary DNS zone for the domain and for my master FQDN on ISPConfig. The one for the master is working, but not for the company domain. (FQDN: control.domain.tld, company domain: domain.tld.) When I try to change the domain nameservers in the robot to my nameservers, the following message shows: "Error: Unknown nameserver: ns1.domain.tld". But when the nameserver is unknown, why is the FQDN of the master working fine with the DNS entry? Best regards, Frankenstein
A DNS zone should be created for domain.tld only; one would not create one for control.domain.tld. control.domain.tld is a DNS A record in the zone domain.tld. When you use subdomains of the same zone as NS records, then ensure that you created A records for them as well. Example: when you have a zone domain.tld with ns1.domain.tld and ns2.domain.tld as NS records, then the zone must also contain ns1 and ns2 as A records.
Done - but straight the same issue - also for the master FQDN.

//Edit: Here are some outputs from ns1 and ns2 (but monitoring says all servers are fine):

Code:
Aug 04 21:29:51 ns1 named[852]: client 192.168.77.5#47563 (domain.tld): zone transfer 'domain.tld/AXFR/IN' denied
Aug 04 21:45:21 ns1 named[852]: client 192.168.77.5#48825 (domain.tld): zone transfer 'domain.tld/AXFR/IN' denied
Aug 04 22:09:27 ns1 named[852]: client 192.168.77.5#51923 (domain.tld): zone transfer 'domain.tld/AXFR/IN' denied
Aug 04 22:21:45 ns1 named[852]: client 185.35.62.59#60706 (www.google.com): query (cache) 'www.google.com/A/IN' denied
Aug 04 22:36:33 ns1 named[852]: client 47.89.192.12#24581 (www.iana.org): query (cache) 'www.iana.org/A/IN' denied
Aug 04 23:04:29 ns1 named[852]: client 192.168.77.5#39773 (domain.tld): zone transfer 'domain.tld/AXFR/IN' denied
Aug 05 00:52:38 ns1 named[852]: client 192.168.77.5#60597 (domain.tld): zone transfer 'domain.tld/AXFR/IN' denied
Aug 05 04:20:02 ns1 named[852]: client 74.82.47.58#57485 (dnsscan.shadowserver.org): query (cache) 'dnsscan.shadowserver.org/A/IN' denied
Aug 05 04:51:25 ns1 named[852]: client 192.168.77.5#34431 (domain.tld): zone transfer 'domain.tld/AXFR/IN' denied
Aug 05 08:47:14 ns1 named[852]: client 134.147.203.115#31207 (v9c5.ab55459f.wc.syssec.rub.de): query (cache) 'v9c5.ab55459f.wc.syssec.rub.de/A/IN' denied

Code:
Aug 05 00:52:38 ns2 named[852]: transfer of 'domain.tld/IN' from 192.168.77.5#53: Transfer status: REFUSED
Aug 05 00:52:38 ns2 named[852]: transfer of 'domain.tld/IN' from 192.168.77.5#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
Aug 05 00:52:38 ns2 named[852]: zone domain.tld/IN: refresh: unexpected rcode (SERVFAIL) from master 159.69.85.86#53 (source 0.0.0.0#0)
Aug 05 02:18:23 ns2 named[852]: client 74.82.47.62#57537 (dnsscan.shadowserver.org): query (cache) 'dnsscan.shadowserver.org/A/IN' denied
Aug 05 04:51:25 ns2 named[852]: zone domain.tld/IN: Transfer started.
Aug 05 04:51:25 ns2 named[852]: transfer of 'domain.tld/IN' from 192.168.77.5#53: connected using 159.69.85.86#34431
Aug 05 04:51:25 ns2 named[852]: transfer of 'domain.tld/IN' from 192.168.77.5#53: failed while receiving responses: REFUSED
Aug 05 04:51:25 ns2 named[852]: transfer of 'domain.tld/IN' from 192.168.77.5#53: Transfer status: REFUSED
Aug 05 04:51:25 ns2 named[852]: transfer of 'domain.tld/IN' from 192.168.77.5#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.001 secs (0 bytes/sec)
Aug 05 04:51:25 ns2 named[852]: zone domain.tld/IN: refresh: unexpected rcode (SERVFAIL) from master 159.69.85.86#53 (source 0.0.0.0#0)

IP addresses and domains from my side censored.
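The two named log excerpts above mix three different kinds of "denied" events that are worth telling apart: a zone-transfer request refused on the master, a recursive query refused from an outside client, and the secondary reporting that its own AXFR pull came back REFUSED. The following script is an added example, not code from the thread or from ISPConfig; it parses lines in the format shown above and separates a configured secondary being refused AXFR (a misconfiguration of allow-transfer on the master) from outside scanners being refused recursion (expected on an authoritative-only server). It assumes that 192.168.77.5 is the address of the secondary, which is what the dig output later in the thread shows for ns2.domain.tld; the sample lines are constructed, modelled on the posted excerpt, with one extra client address (203.0.113.9) invented for illustration.

```python
import re
from collections import Counter

# Constructed sample: lines modelled on the named log excerpt posted in the thread,
# plus one extra line (client 203.0.113.9) invented for illustration.
SAMPLE_LOG = """\
Aug 04 21:29:51 ns1 named[852]: client 192.168.77.5#47563 (domain.tld): zone transfer 'domain.tld/AXFR/IN' denied
Aug 04 22:21:45 ns1 named[852]: client 185.35.62.59#60706 (www.google.com): query (cache) 'www.google.com/A/IN' denied
Aug 04 23:04:29 ns1 named[852]: client 192.168.77.5#39773 (domain.tld): zone transfer 'domain.tld/AXFR/IN' denied
Aug 05 04:20:02 ns1 named[852]: client 74.82.47.58#57485 (dnsscan.shadowserver.org): query (cache) 'dnsscan.shadowserver.org/A/IN' denied
Aug 05 04:51:25 ns2 named[852]: transfer of 'domain.tld/IN' from 192.168.77.5#53: Transfer status: REFUSED
Aug 05 04:51:25 ns2 named[852]: client 203.0.113.9#4242 (domain.tld): zone transfer 'domain.tld/AXFR/IN' denied
"""

IP = r"[0-9a-fA-F.:]+"
# Master refusing an AXFR request from a client
AXFR_DENIED = re.compile(rf"client (?P<ip>{IP})#\d+ \([^)]*\): zone transfer '(?P<zone>[^']+)' denied")
# Authoritative server refusing a recursive lookup ("query (cache)")
RECURSION_DENIED = re.compile(rf"client (?P<ip>{IP})#\d+ \([^)]*\): query \(cache\) '(?P<qname>[^']+)' denied")
# Secondary reporting that its pull from the master was refused
TRANSFER_REFUSED = re.compile(rf"transfer of '(?P<zone>[^']+)' from (?P<master>{IP})#\d+: Transfer status: REFUSED")


def _zone_name(s):
    # 'domain.tld/AXFR/IN' and 'domain.tld/IN' both reduce to 'domain.tld'
    return s.split("/")[0]


def summarize(log_text):
    """Count each event type per client / zone over the given log text."""
    summary = {"axfr_denied": Counter(), "recursion_denied": Counter(), "transfer_refused": Counter()}
    for line in log_text.splitlines():
        m = AXFR_DENIED.search(line)
        if m:
            summary["axfr_denied"][(m["ip"], _zone_name(m["zone"]))] += 1
            continue
        m = RECURSION_DENIED.search(line)
        if m:
            summary["recursion_denied"][m["ip"]] += 1
            continue
        m = TRANSFER_REFUSED.search(line)
        if m:
            summary["transfer_refused"][(_zone_name(m["zone"]), m["master"])] += 1
    return summary


def findings(summary, secondaries):
    """Turn the counts into CONFIG (needs fixing) or OK (expected) statements.

    secondaries: set of addresses that are *supposed* to be allowed to transfer.
    """
    out = []
    for (ip, zone), n in sorted(summary["axfr_denied"].items()):
        if ip in secondaries:
            out.append(f"CONFIG: secondary {ip} was denied AXFR of {zone} {n}x; "
                       f"it is missing from allow-transfer on the master")
        else:
            out.append(f"OK: {n} zone-transfer attempt(s) for {zone} from non-secondary {ip} refused")
    for (zone, master), n in sorted(summary["transfer_refused"].items()):
        out.append(f"CONFIG: this secondary could not pull {zone} from master {master} ({n}x REFUSED); "
                   f"check allow-transfer on the master and the source address the secondary uses")
    if summary["recursion_denied"]:
        out.append(f"OK: {sum(summary['recursion_denied'].values())} recursive query/queries from "
                   f"{len(summary['recursion_denied'])} external client(s) refused; "
                   f"expected for an authoritative-only server")
    return out


if __name__ == "__main__":
    # Assumption: 192.168.77.5 is ns2, the secondary that should be allowed to transfer.
    for line in findings(summarize(SAMPLE_LOG), {"192.168.77.5"}):
        print(line)
```

Run against a real journal with `journalctl -u bind9 | python3 script.py` after replacing SAMPLE_LOG with `sys.stdin.read()`; the set of secondaries passed to `findings` should match the `allow-transfer` list you intend on the master, so any CONFIG line points directly at the host whose address is missing from it.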
Use these steps to further check a DNS zone:

1) Check the DNS records locally on the server:

dig @localhost yourdomain.tld

If that's OK, then check the subdomain that you got in the error message:

dig @localhost ns1.yourdomain.tld

If this is OK, then the DNS server is working properly. If not, continue with (2).

2) Is there a copy of the zone file with .err file ending for this zone in the zone file directory? (/etc/bind/ on Debian and Ubuntu servers)

2a) If yes, use the named-checkzone command to test that .err file to find out why BIND rejects it.

If the above is all OK, then you might need a glue record for ns1 on the DNS servers of your domain registry. http://wiki.gandi.net/en/glossary/glue-record
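The rule given earlier in the thread (every NS name that lies inside the zone needs its own A record) and the check steps above can be automated before the zone ever reaches BIND or the registrar. The script below is an added example, not part of the thread or of ISPConfig: it parses a small zone file in the usual master-file syntax, lists every in-zone nameserver together with the address the registrar will need as glue, and reports any in-zone NS target that has no A/AAAA record. The zone text is constructed for the example and deliberately omits the A record for ns2 so that the check has something to find; the SOA is written on one line because the parser does not handle parenthesised multi-line records.

```python
# Constructed sample zone for domain.tld; ns2's A record is intentionally missing.
ZONE_BROKEN = """\
$ORIGIN domain.tld.
$TTL 3600
@       IN SOA  ns1.domain.tld. hostmaster.domain.tld. 2018080501 7200 900 1209600 3600
@       IN NS   ns1.domain.tld.
@       IN NS   ns2.domain.tld.
@       IN A    192.168.77.1
control IN A    192.168.77.2   ; the ISPConfig master, an A record inside the zone
ns1     IN A    192.168.77.4
"""

# Same zone with the missing glue address added.
ZONE_FIXED = ZONE_BROKEN + "ns2     IN A    192.168.77.5\n"


def _fqdn(name, origin):
    """Expand '@' and relative owner names to fully qualified names."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=None):
    """Minimal master-file parser: returns (origin, [(owner, type, rdata_tokens), ...]).

    Handles $ORIGIN, $TTL, ';' comments, optional TTL/class fields and
    continuation lines that reuse the previous owner. Multi-line records
    in parentheses are not supported.
    """
    records = []
    owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        tokens = line.split()
        if not raw[0].isspace():            # a new owner name starts the line
            owner = _fqdn(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():  # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):  # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records.append((owner, rtype, tokens))
    return origin, records


def check_glue(text):
    """Return (problems, glue): in-zone NS names without an address, and the
    address map the registrar must be given for the ones that do have one."""
    origin, records = parse_zone(text)
    addrs = {}
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addrs.setdefault(owner, []).append(rdata[0])

    problems, glue = [], {}
    for owner, rtype, rdata in records:
        if rtype != "NS" or owner != origin:
            continue                        # only the apex NS set delegates this zone
        target = _fqdn(rdata[0], origin)
        in_zone = target == origin or target.endswith("." + origin)
        if not in_zone:
            continue                        # out-of-zone NS names need no glue here
        if target in addrs:
            glue[target] = addrs[target]
        else:
            problems.append(f"NS {target} is inside {origin} but has no A/AAAA record (glue missing)")
    return problems, glue


if __name__ == "__main__":
    for label, zone in (("broken", ZONE_BROKEN), ("fixed", ZONE_FIXED)):
        problems, glue = check_glue(zone)
        print(f"[{label}] glue to register: {glue}")
        for p in problems:
            print(f"[{label}] {p}")
```

Once the in-zone check passes, the remaining question is whether the same names and addresses are registered as glue at the parent; that is exactly the case where `dig @localhost` looks fine but the registrar still reports the nameserver as unknown.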
Code:
root@ns1 ~ # dig @localhost domain.tld

; <<>> DiG 9.10.3-P4-Debian <<>> @localhost domain.tld
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28707
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domain.tld.                    IN      A

;; ANSWER SECTION:
domain.tld.             3600    IN      A       192.168.77.1

;; AUTHORITY SECTION:
domain.tld.             3600    IN      NS      ns2.domain.tld.
domain.tld.             3600    IN      NS      ns1.domain.tld.

;; ADDITIONAL SECTION:
ns1.domain.tld.         3600    IN      A       192.168.77.4
ns2.domain.tld.         3600    IN      A       192.168.77.5

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 05 12:30:36 CEST 2018
;; MSG SIZE  rcvd: 125

root@ns1 ~ # dig @localhost ns1.domain.tld

; <<>> DiG 9.10.3-P4-Debian <<>> @localhost ns1.domain.tld
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16831
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.domain.tld.                IN      A

;; ANSWER SECTION:
ns1.domain.tld.         3600    IN      A       192.168.77.4

;; AUTHORITY SECTION:
domain.tld.             3600    IN      NS      ns1.domain.tld.
domain.tld.             3600    IN      NS      ns2.domain.tld.

;; ADDITIONAL SECTION:
ns2.domain.tld.         3600    IN      A       192.168.77.5

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 05 12:31:10 CEST 2018
;; MSG SIZE  rcvd: 109

root@ns1 ~ # dig @localhost ns2.domain.tld

; <<>> DiG 9.10.3-P4-Debian <<>> @localhost ns2.domain.tld
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63166
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns2.domain.tld.                IN      A

;; ANSWER SECTION:
ns2.domain.tld.         3600    IN      A       192.168.77.5

;; AUTHORITY SECTION:
domain.tld.             3600    IN      NS      ns1.domain.tld.
domain.tld.             3600    IN      NS      ns2.domain.tld.

;; ADDITIONAL SECTION:
ns1.domain.tld.         3600    IN      A       192.168.77.4

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 05 12:31:25 CEST 2018
;; MSG SIZE  rcvd: 109