perfect multi server ubuntu DNS Slave not responding

im green with linux, so please forgive my ignorance.

i built up my servers following the multiserver guide. ubuntu 20.04 mutiserver dns and panel

i have 3 servers, panel, ns1 and ns2. i update the panel to have records for NS1. i set up the secondary zone following the instructions at the end of NS2 setup, and configured for DNSSEC.
my NS1 responds just fine, using MXtoolbox, trying to hit all my NS servers, it fails on NS2 saying it could not be found.
i did Dig @localhost domain.com on the servers, and it came up the correct records, so i assume records are replicating.
NS1 and NS2 are listed on both the old and new servers, both as an A record and NS record.

i have an old server lets call it NS1old, that is also responding just fine.

all 3 servers are nat'ed through our firewall. firewall settings for each host are set. i verified the nat IPs listing the public ones on the record and internal records in the servers hosts file.

i dont have any .err files, i did at one point, finished setting my records up and it went away... i didnt see much in the logs other than domain requests...

where should i look for more answers?

thanks for any help anyone can provide!

 

Why such old Ubuntu? Current is 24.04, so four years newer.

Are the IP-addresses local addresses in your NAT:ted intranet or global routable addresses?

You should verify the are, avoid assuming.
Did you set up mirroring for ns2 host? Or are you using secondary zones on ns2?
My signature has link to DNS setup tutorial, it has info on how to verify the name service is working.

My guess is the NAT setup or forwarding of name service queries from Internet to ns2 is not working properly. I have not used name servers behind NAT so can not offer tips on what might be wrong. Test from outside your intranet if you can access the name servers.

 

i started with 24. but i ran in to a compatibility issue with ispconfig and DNS. if im incorrect, im more than happy to upgrade. ive rebuilt this one 3 times now, so im getting quicker lol.

The IP addresses for the NS servers are the external addresses, the local config on the servers points to their local internal IP address. im using meraki firewall to NAT the IPs through. NS1 and NS2(old) are both natted through without issue and respond. the new NS2 server was responding for a short time, it then stopped as i added more zones. i reinstalled everything to get where i am now.

i did some checks using dig @localhost domain.com and everything resolved, thats where my assumption comes from, but im assuming i did this right lol. i did just follow your article, the first test. i was able to run the commands on my NS2 and get details back. pointing at the public IP for the NS2 server and @localhost. i then did the Dig test again, it appears to resolve correctly.

"root@ns2:/home/nsadmin# dig @173.195.x.x domain.com" edited example of my command, incase i did something wrong. this pulled up the correct records. i was also able to do one to the ns2 server by name and got the correct DNS A record.

i was going to do mirroring, but im using DNSSEC so i created the secondary zones. and just to be clear, i access my portal through the Panel server, i created my first zone, assigned it to NS1, fill out the IP transfer field so that it can speak to NS2, i add the secondary zone through the same portal, add it to NS2 from the drop down, then set the NS1 IP to allow sync.

this is the walkthrough i was using. ispconfig-multiserver-setup-debian-ubuntu/6/

i keep wondering if the firewall is the issue, but its not blocking either of the other 2 servers, no names or IPs are re-used or duplicate... tho i am considering a new public IP assignment for the problem server. my old servers were ispconfig servers on ubuntu, they just werent mirrored or synced, it was two independent sites that i individually updated. this is my first time to use the multiserver setup to try and make a single portal for dual systems.

let me know what you think, thanks so much for the time and happy holidays!

 

noted. would that have any impact on my current issue? im just realizing i had meant to run on 22.04... i may rebuild with 24, i dont know where i saw a compatibility issue...

 

Mirroring is not set. yes, i did set the records accordingly. does the dig test prove that i have replication working just fine? it sounds like im good, just need to figure out whats going on between my firewall.

 

looking under /var/log it appears the bind was successful. i do get some errors "... denied (allow-query-cache did not match). but it says all zone loaded. attached a screen shot of my logs.

 

it does not. ns2 does not show the right info now. i uploaded more of the syslog, primary server is rosey, secondary is c3po. ns1 and ns2 are the names of the old servers.

 

there is a Slave folder on both name servers. but its empty, and can only be accessed with sudo. in the directory /etc/bind/slave

 

from the NS2 server, running the command like you did, i get

"domain.com" {
type slave;
masters {Correct public IP for NS1;};
allow-transfer {none;};
file "/etc/bind/slave/sec.domain.com";
could it be that i need to have the Internal IP for NS1 there?

 

UPDATE, that did it. i changed the IPs listed to the internal IPs. its now resolving on mxtoolbox... i reset bind and checked the conf.local file to make sure it updated.

thanks so much for yalls help! i really appreciate your time and efforts!!

 

Internal IP's is correct (asuming the servers are in the same lan).
For both transfers and notifications.

It's only for dns server to get updates from and has otherwise no binding with clients trying to use that dns server to resolve a domain.

 

noted. i plan to keep this to DNS only. my next goal is to upgrade everything in place, since i installed such an old version.
thanks again for your help!