Post #1 (Join Date: Mar 2001, Location: Idaho, Posts: 46)

    is this correct for dns? trying to fix misconfigured domain???


I'm trying to fix a primary & secondary nameserver and hopefully get qmail running on ns2.getnby.com (it's running now, but when checking mail I'm getting "The host 'mail.getnby.com' could not be found"). I've changed the records on both machines, but when ns1.getnby.com DNS was first set up the master & secondary directories were symlinked since I only had 1 IP at first. I'm pretty sure I've munged this setup too (I have a history of that), so any criticisms, opinions or other remarks would be appreciated!

    /etc/namedb/named.conf

    options {
    directory "/var/named";
    };
    zone "." {
    type hint;
    file "etc/named.ca";
    };
    zone "getnby.com"{
    type master;
    file "master/getnby.com";
    notify yes;
    };
    zone "199.104.118.67"{
    type master;
    file "master/199.104.118.67";
    notify yes;
    };
    zone "0.0.127.in-addr.arpa"{
    type master;
    file "master/named.local";
    };

    zone file
    $TTL 86400
    getnby.com. IN SOA ns1.getnby.com. webmaster.getnby.com. (
    2002020403 ; serial
    86400 ; refresh
    30 ; retry
    604800 ; expire
    172800 ; default_ttl
    )
    getnby.com. IN NS ns1.getnby.com.
    getnby.com. IN NS ns2.getnby.com.
    ns1.getnby.com. IN A 199.104.118.66
    ns2.getnby.com. IN A 199.104.118.67
    getnby.com. IN A 199.104.118.66
    www.getnby.com. IN A 199.104.118.66
    mail.getnby.com. IN MX 10 ns2.getnby.com.

    named.local
    $TTL 86400
    @ IN SOA localhost. root.localhost. (
    2001071401 ; serial
    28800 ; refresh
    14400 ; retry
    3600000 ; expire
    86400 ; default_ttl
    )
    @ IN NS localhost.
    1 IN PTR localhost.

Doing some further checking I've found that I can check mail if I use ns2.getnby.com or the IP address as the incoming mail server, but not mail.getnby.com???

    Thanks, Terry
    Last edited by tlthomas; February 4th, 2002 at 05:02 PM.
    It works better if you plug it in!
Post #2 (Join Date: Jan 2001, Posts: 4)

    In my test yesterday I found that you have just made some big configuration changes to your DNS. Here is what I got yesterday.

    1) SOA as of yesterday:
    What's listed in roots?
    # whois getnby.com
    [snip]
    NS1.GETNBY.COM 199.104.118.66
    NS2.GETNBY.COM 199.104.118.67

    [/snip]

    let's check your getnby.com by querying ns1.getnby.com

    # dnsq soa getnby.com ns1.getnby.com
    Code:
    6 getnby.com:
    133 bytes, 1+1+2+2 records, response, authoritative, weird ra, noerror
    query: 6 getnby.com
    answer: getnby.com 172800 SOA getnby.com root.getnby.com 2002011101 86400 30 604800 172800
    authority: getnby.com 172800 NS getnby.com
    authority: getnby.com 172800 NS ns1.getnby.com
    additional: getnby.com 172800 A 192.168.0.1
    additional: ns1.getnby.com 172800 A 199.104.118.66
At your SOA, you have set its MNAME to getnby.com, but root servers don't know anything about it because it has been delegated to ns1.getnby.com. So you need to change it to ns1.getnby.com so it can be traced to the roots and the chain of delegation is followed properly.

Don't use root.getnby.com as your RNAME; set up an alias of hostmaster instead.

Your Retry (30 seconds) wastes a lot of bandwidth if your ns2.getnby.com is ever down. A proper Retry should be around 30 minutes (1800) to 1 hour (3600).
    You need to change your TTL from 172800 (2 days) to 86400 (1 day). Note, TTL is the minimum, not the actual.

    SOA as of today:
    # dnsq soa getnby.com ns1.getnby.com
    Code:
    6 getnby.com:
    142 bytes, 1+1+2+2 records, response, weird ra, noerror
    query: 6 getnby.com
    answer: getnby.com 167164 SOA ns1.getnby.com webmaster.getnby.com 2002020404 86400 30 604800 172800
    authority: getnby.com 86400 NS ns1.getnby.com
    authority: getnby.com 86400 NS ns2.getnby.com
    additional: ns1.getnby.com 80585 A 199.104.118.66
    additional: ns2.getnby.com 86400 A 199.104.118.67
    - Your MNAME has been fixed.
- However, your ns1.getnby.com is no longer giving an authoritative answer for getnby.com; this is a so-called lame server.

    Now let's try to ask ns2.getnby.com:
    # dnsq soa getnby.com ns2.getnby.com
    Code:
    6 getnby.com:
    142 bytes, 1+1+2+2 records, response, authoritative, weird ra, noerror
    query: 6 getnby.com
    answer: getnby.com 86400 SOA ns1.getnby.com webmaster.getnby.com 2002020404 86400 30 604800 172800
    authority: getnby.com 86400 NS ns1.getnby.com
    authority: getnby.com 86400 NS ns2.getnby.com
    additional: ns1.getnby.com 86400 A 199.104.118.66
    additional: ns2.getnby.com 86400 A 199.104.118.67
    2) NS as of today has been fixed.
    3) A record as of yesterday:
Why did you use 192.168.0.1? You need to add another A record for ns2.getnby.com so it's glued.
    What is glueness?
    When you delegate your getnby.com to ns1.getnby.com and ns2.getnby.com with the NS record, you MUST add the associated A record of ns1.getnby.com and ns2.getnby.com within the same zone. It's required.
    I've heard of gluelessness, what is it?
    When you delegate your getnby.com to ns1.anotherdomain.com, you CAN'T add:
    Code:
    ns1.anotherdomain.com.	IN	A	12.34.56.78
Then a further DNS lookup is required since you can't get the address of getnby.com within the same zone. BIND will ignore such an A record by default.
    How about delegating subdomain.getnby.com to ns.subdomain.getnby.com?
    It's the same parent zone, same parent domain, therefore glue is needed.
    Code:
    subdomain.getnby.com.	IN	NS	ns.subdomain.getnby.com.
    ns.subdomain.getnby.com.	IN	A	11.22.33.44
    NS + A makes it glue. In this example, you don't need to define an A record for subdomain.getnby.com because it's delegated to ns.subdomain.getnby.com. BTW, gluelessness is bad, according to djb (qmail author). It's fine to be glueless at one level, that usually happens when you host someone's domain.

    4) MX:

    What's your MX?

    Normally you can do:
    # dnsmx getnby.com
    But I trust no one, I want to see what you have set so I will ask ns1.getnby.com for the answer (yesterday):
    # dnsq mx getnby.com ns1.getnby.com
    Code:
    15 getnby.com:
    129 bytes, 1+1+2+3 records, response, authoritative, weird ra, noerror
    query: 15 getnby.com
    answer: getnby.com 172800 MX 10 mail.getnby.com
    authority: getnby.com 172800 NS getnby.com
    authority: getnby.com 172800 NS ns1.getnby.com
    additional: mail.getnby.com 172800 A 199.104.118.67
    additional: getnby.com 172800 A 192.168.0.1
    additional: ns1.getnby.com 172800 A 199.104.118.66
Because your ns1.getnby.com is currently a lame server, I am going to ask ns2.getnby.com for the answer (today):
    # dnsq mx getnby.com ns2.getnby.com
    Code:
    15 getnby.com:
    78 bytes, 1+0+1+0 records, response, authoritative, weird ra, noerror
    query: 15 getnby.com
    authority: getnby.com 172800 SOA ns1.getnby.com webmaster.getnby.com 2002020404 86400 30 604800 172800
It's not even giving an answer. Why?
    Let's try this:
    # dnsmx getnby.com
    10 mail.getnby.com

    So mail.getnby.com appears to be your MX. But wait, it doesn't have A record as of today, that's why ns2 is not answering.
    Your MX has got a serious problem.
    # dnsip ns2.getnby.com
    199.104.118.67
    Oh no, as of yesterday it's the same IP as mail.getnby.com. Remember the whois lookup and ns1.getnby.com and ns2.getnby.com are listed at root servers?
    If you want more reliability, you MUST set your MX to be ns2.getnby.com to avoid unnecessary DNS traffic. It makes 30% difference.

    Here is what you need to do on ns1 now:
    1) Fix all your Retry, Refresh, Expire and Minimum
    2) Change your MX to ns2.getnby.com
>> mail.getnby.com. IN MX 10 ns2.getnby.com.
    That's absolutely incorrect.
    - mail.getnby.com has no A record.
    - your DNS servers have never delegated anything to mail.getnby.com
    - specifying mail.getnby.com is out-of-zone.
    The fix is:
    Code:
    getnby.com. IN MX 0 ns2.getnby.com.
3) At your named.conf add the following:
options {
directory "/var/named";
version "";
auth-nxdomain no;
fetch-glue no;
recursion no;
};
    4) Remove the following:
    zone "199.104.118.67"{
    type master;
    file "master/199.104.118.67";
    notify yes;
    };
    Why?
    Because your authoritative DNS servers will NEVER be authoritative for your reverse.
    5) Increment the Serial on NS1 then shutdown completely and restart it.
    6) Fix (1) and (2) then I will look it up again.
    Last edited by freebsd; February 4th, 2002 at 07:55 PM.
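The points raised in this reply can be turned into a mechanical check over a zone file: the SOA MNAME must be one of the zone's NS names, Retry belongs in the 1800-3600 range, the minimum TTL should not exceed 86400, every in-zone nameserver needs an A (glue) record, and the MX must be owned by the zone apex and point at a name with an A record. The script below is an added example written for this thread, not code from either poster or from BIND or djbdns. It parses only the simple one-record-per-line format used in the posted zone files; the two zone strings are constructed copies of the zone from the first post and the same zone with the fixes from this reply applied.

```python
"""Sanity checks for a BIND-style zone file (added example for this thread;
not code from the thread or from BIND)."""

ORIGIN = "getnby.com."

# Constructed copy of the zone file from the first post (before the fixes).
ZONE_BEFORE = """\
$TTL 86400
getnby.com. IN SOA ns1.getnby.com. webmaster.getnby.com. (
    2002020403 ; serial
    86400 ; refresh
    30 ; retry
    604800 ; expire
    172800 ; default_ttl
)
getnby.com. IN NS ns1.getnby.com.
getnby.com. IN NS ns2.getnby.com.
ns1.getnby.com. IN A 199.104.118.66
ns2.getnby.com. IN A 199.104.118.67
getnby.com. IN A 199.104.118.66
www.getnby.com. IN A 199.104.118.66
mail.getnby.com. IN MX 10 ns2.getnby.com.
"""

# Constructed copy with the fixes applied: retry 1800, minimum 86400, MX at the apex.
ZONE_AFTER = (ZONE_BEFORE
              .replace("30 ; retry", "1800 ; retry")
              .replace("172800 ; default_ttl", "86400 ; default_ttl")
              .replace("mail.getnby.com. IN MX 10 ns2.getnby.com.",
                       "getnby.com. IN MX 0 ns2.getnby.com."))


def fqdn(name, origin):
    """Make a name absolute; zone files allow origin-relative names."""
    return name if name.endswith(".") else f"{name}.{origin}"


def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples. Handles ';' comments, $ directives,
    '@', optional TTL/class fields and multi-line '(' ... ')' records."""
    records, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip().lower()
        if not line:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth > 0:
            continue                      # still inside a parenthesised record
        tokens, buf = " ".join(buf).split(), []
        if tokens[0].startswith("$"):
            continue                      # $TTL and similar directives
        owner = origin if tokens[0] == "@" else fqdn(tokens[0], origin)
        i = 1
        if tokens[i].isdigit():
            i += 1                        # explicit per-record TTL
        if tokens[i] == "in":
            i += 1                        # class
        records.append((owner, tokens[i].upper(), tokens[i + 1:]))
    return records


def check_zone(records, origin):
    """Return human-readable findings; an empty list means the zone passed."""
    findings = []
    has_a = {o for o, t, _ in records if t == "A"}
    ns_set = {fqdn(r[0], origin) for o, t, r in records if t == "NS" and o == origin}
    soa = next(r for _, t, r in records if t == "SOA")
    mname, rname = fqdn(soa[0], origin), soa[1]
    refresh, retry, _expire, minimum = map(int, soa[3:7])
    if mname not in ns_set:
        findings.append(f"SOA MNAME {mname} is not listed in the zone's NS records")
    if rname.startswith("root."):
        findings.append(f"SOA RNAME {rname} uses root; prefer a hostmaster alias")
    if not 1800 <= retry <= 3600:
        findings.append(f"SOA retry {retry}s is outside 1800-3600s")
    if minimum > 86400:
        findings.append(f"SOA minimum TTL {minimum}s exceeds 86400s (1 day)")
    for ns in sorted(ns_set):
        if in_zone(ns, origin) and ns not in has_a:
            findings.append(f"NS {ns} is in-zone but has no A (glue) record")
    for owner, rtype, rdata in records:
        if rtype != "MX":
            continue
        target = fqdn(rdata[1], origin)
        if owner != origin:
            findings.append(f"MX is owned by {owner}, not the apex {origin}; "
                            f"mail for {origin} will not find it")
        if in_zone(target, origin) and target not in has_a:
            findings.append(f"MX target {target} has no A record in the zone")
    return findings


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, check_zone(parse_zone(zone, ORIGIN), ORIGIN) or ["ok"])
```

Run against the first zone it reports the 30-second Retry, the 172800 minimum TTL and the MX owned by mail.getnby.com instead of the apex; the corrected zone produces no findings.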
Post #3 (Join Date: Mar 2001, Location: Idaho, Posts: 46)

    I 'think' I've done everything you've suggested to both ns1 & ns2 and restarted them both but I'm confused by

    >NS + A makes it glue. In this example, you don't need to define an A record for subdomain.getnby.com because it's delegated to ns.subdomain.getnby.com. BTW, gluelessness is bad, according to djb (qmail author). It's fine to be glueless at one level, that usually happens when you host someone's domain.

    I would need to do this only if I wanted to add a subdomain of getnby.com (terry.getnby.com) right? It's not required if I don't???

    zone record...
    $TTL 86400
    getnby.com. IN SOA ns1.getnby.com. webmaster.getnby.com. (
    2002020501 ; serial
    86400 ; refresh
    1800 ; retry
    604800 ; expire
    86400 ; default_ttl
    )
    getnby.com. IN NS ns1.getnby.com.
    getnby.com. IN NS ns2.getnby.com.
    ns1.getnby.com. IN A 199.104.118.66
    ns2.getnby.com. IN A 199.104.118.67
    getnby.com. IN A 199.104.118.66
    www.getnby.com. IN A 199.104.118.66
    getnby.com. IN MX 0 ns2.getnby.com.

    named.conf
    options {
    directory "/var/named";
version "";
    auth-nxdomain no;
    fetch-glue no;
    recursion no;
    };
    zone "." {
    type hint;
    file "etc/named.ca";
    };
    zone "getnby.com"{
    type master;
    file "master/getnby.com";
    notify yes;
    };
    zone "0.0.127.in-addr.arpa"{
    type master;
    file "master/named.local";
    };

Also, with my old zone records (munged up ones) people could check mail by using their domain name (mail.getnby.com), but it seems that to pop mail with the records like this it's necessary to use ns2.getnby.com??? Oh well, once I get this fixed and another box built I'm going to try out djbdns; at least with this setup it's a lot easier to edit zones...

    Thanks again, Terry
Post #4 (Join Date: Jan 2001, Posts: 4)

    Latest:
    Code:
    $ dnsq soa getnby.com ns2.getnby.com
    6 getnby.com:
    142 bytes, 1+1+2+2 records, response, authoritative, noerror
    query: 6 getnby.com
    answer: getnby.com 86400 SOA ns1.getnby.com webmaster.getnby.com 2002020501 86400 1800 604800 86400
    authority: getnby.com 86400 NS ns1.getnby.com
    authority: getnby.com 86400 NS ns2.getnby.com
    additional: ns1.getnby.com 86400 A 199.104.118.66
    additional: ns2.getnby.com 86400 A 199.104.118.67
    Code:
    $ dnsq soa getnby.com ns1.getnby.com
    6 getnby.com:
    80 bytes, 1+0+2+1 records, response, noerror
    query: 6 getnby.com
    authority: getnby.com 86400 NS ns1.getnby.com
    authority: getnby.com 86400 NS ns2.getnby.com
    additional: ns2.getnby.com 86400 A 199.104.118.67
    As you can see, your ns1.getnby.com is still a lame server, while ns2.getnby.com is perfectly fine, even the MX:
    Code:
    $ dnsq mx getnby.com ns2.getnby.com
    15 getnby.com:
    112 bytes, 1+1+2+2 records, response, authoritative, noerror
    query: 15 getnby.com
    answer: getnby.com 86400 MX 0 ns2.getnby.com
    authority: getnby.com 86400 NS ns1.getnby.com
    authority: getnby.com 86400 NS ns2.getnby.com
    additional: ns2.getnby.com 86400 A 199.104.118.67
    additional: ns1.getnby.com 86400 A 199.104.118.66
    It seems like your ns2 is being the master at this moment. You need to check your named.conf on both and make sure.
    In BIND8 on ns1, you should add allow-transfer { 199.104.118.67; }; and in your 0.0.127.in-addr.arpa zone add allow-transfer { none; };
    You also need to change the Serial on NS1 to tomorrow like 2002020601 and lower the Refresh from 86400 (1 day) to 1800 (1/2 hour) so your NS2 can pick up the change in half hour.

    With recursion no; your DNS server is no longer producing the weird ra error from my query above.

    >> people could check mail by using their domain name (mail.getnby.com)

If you want user-friendly more than reliability, then use mail.getnby.com. For SMTP, don't even do it. If you do, you will lose 30% on reliability. Not to mention when your ISP (srv.net) has a broken in-addr.arpa (reverse DNS), you will lose another 40%; that's a total of 70% loss on reliability, because many SMTP servers reject an MX that has broken reverse DNS.
RFC says your MX should have reverse DNS but yours doesn't; that alone is an RFC violation and you shouldn't run an SMTP server in the first place.
When you create another A record like mail.getnby.com, it takes a further lookup to get the answer for the Address record of your mail.getnby.com (remember ns2.getnby.com is glued at the roots?), which is extremely unreliable. All I can say is, you have chosen the wrong ISP, because srv.net's DNS as well is highly misconfigured.

    >> this that it's neccessary to use ns2.getnby.com?

    Up to you, it's a 70% loss in reliability on SMTP. For POP3, probably 30%. You can do whichever way you wish, but don't complain when there's a problem.
    Maybe you should switch your ISP to Speakeasy.net, which is by far the best for running servers yourself.

    >> if I wanted to add a subdomain of getnby.com (terry.getnby.com) right?

    Yes. Anyway I don't want to confuse you further so I am not going to talk about that subdomain delegation anymore.

    >> I'm going to try out djbdns

Great. But djbdns is not suitable for a DNS newbie. So make sure you fix your BIND, play around with it for a couple of weeks, then do the migration.

    >> at least with this setup it's alot easier to edit zones

Not only that, djbdns's dnscache is much more secure and reliable than BIND's cache. Why? Because BIND caches anything, authoritative answers and negative answers; that is why BIND is vulnerable to cache poisoning, and BIND 9 doesn't make any difference. You can search Google and find out more about cache poisoning. dnscache, however, only caches authoritative answers that can be traced to the roots. You can say BIND's cache trusts everyone (vulnerable to zone spoofing), even script kiddies. If there were no evil people on earth, that would be fine, but that's not true. Now you know that BIND developers have never had any security concerns when developing their ****ty software.
    You can say that practice is equivalent to running Windows file sharing with Open Guest Access, which uses weak password or without password with full Administrator read+write access to your Windows network.
    Yeah BIND9 is a little better in security but it doesn't help much because it's being rewritten from scratch (they claimed that) by the same old group of security-illiterate people. Those BIND people should go back to school.
    Last edited by freebsd; February 5th, 2002 at 03:04 PM.
Post #5 (Join Date: Mar 2001, Location: Idaho, Posts: 46)

I've been trying to figure out the ns1.getnby.com BS; everything seems identical between the two, but I think part of it is that it's a Red Hat 6.2 box that's been hacked on pretty bad by me (it was my first 'nix experience), so I'm working on putting back together an old box that I'll load FreeBSD on and just use it for a name server until I'm ready to replace the Red Hat box with another FreeBSD one, and just change the ns1.getnby.com InterNIC record to have it go to another IP (I have 16 available, 2 are now being used).

    >If you want user-friendly more than reliability,

I'll take your advice and go for reliability!

    >Maybe you should switch your ISP to Speakeasy.net, which is by far the best for running servers yourself.

The only problem is that there is no DSL in our town; I'm getting a pretty good deal on my 56k frame because I'm also a reseller for srv.net dialup service, so it's only costing me about $80/mo. including phone co. charges.


    >>> if I wanted to add a subdomain of getnby.com (terry.getnby.com) right?

    >Yes. Anyway I don't want to confuse you further so I am not going to talk about that subdomain delegation anymore.

    whew! Thanks :-) Gotta save something for me to screw up on later!

    I sure appreciate the help!
    Thanks Again!!!
    Terry
Post #6 (Join Date: Jan 2001, Posts: 4)

    Guess what? lame server is gone!!
    Code:
    $ dnsq soa getnby.com ns1.getnby.com
    6 getnby.com:
    142 bytes, 1+1+2+2 records, response, authoritative, noerror
    query: 6 getnby.com
    answer: getnby.com 86400 SOA ns1.getnby.com webmaster.getnby.com 2002020601 1800 1800 604800 86400
    authority: getnby.com 86400 NS ns1.getnby.com
    authority: getnby.com 86400 NS ns2.getnby.com
    additional: ns1.getnby.com 86400 A 199.104.118.66
    additional: ns2.getnby.com 86400 A 199.104.118.67
Now your ns1.getnby.com is giving an authoritative answer for getnby.com and it's no longer a lame server.
    So let's check ns2.getnby.com:
    Code:
    $ dnsq soa getnby.com ns2.getnby.com
    6 getnby.com:
    142 bytes, 1+1+2+2 records, response, authoritative, noerror
    query: 6 getnby.com
    answer: getnby.com 86400 SOA ns1.getnby.com webmaster.getnby.com 2002020501 86400 1800 604800 86400
    authority: getnby.com 86400 NS ns1.getnby.com
    authority: getnby.com 86400 NS ns2.getnby.com
    additional: ns1.getnby.com 86400 A 199.104.118.66
    additional: ns2.getnby.com 86400 A 199.104.118.67
    As you can see they are pretty identical except ns2 hasn't picked up the changes. Check your named.conf and make sure.

    >> I have 16 available, 2 are now being used

Then you should create another slave and name it mail.getnby.com. Normally when you are short of static IPs, like sthost.co.uk (sjbates's thread), you either have to call your master ns1.sthost.co.uk or mail.sthost.co.uk. Of course, using mail.xxx.yyy for a nameserver doesn't sound right, but that's just the way you have to configure it, for more reliability.

    >> it's only costing me about $80/mo

Maybe you should educate them to fix their DNS servers; currently their DNS is worse off than yours (too many glueless records + broken reverse DNS).
If they can fix their broken reverse DNS, your DNS will then be 100% reliable. Like I said previously, many SMTPs reject an MX with broken reverse DNS (not able to resolve to a name). As far as I've heard, AOL does that.
I also see that your SMTP server (qmail-smtpd) is up and running and denies relaying. Just so you know, when you run an open relay SMTP, you probably will not be able to send any messages to hotmail.com (they are ordb.org's big-time supporter/subscriber).
    Finally, when DNS resolution is propagated to your NS2 you should increase the SOA Refresh to about 3 hours to 12 hours (86400 - 24 hours).
    Go back to Mail forum and continue your qmail configuration when you are ready.
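The checks freebsd runs by hand in reply #4 and in this reply (is the response marked authoritative, does it still carry the "weird ra" flag that `recursion no;` removes, and do ns1 and ns2 report the same SOA serial) can be automated over dnsq's output. The script below is an added example written for this thread, not code from either poster or from djbdns; it understands only the dnsq output layout quoted in the posts, and the three response strings are constructed in that layout from the answers quoted above (the "weird ra" flag on the ns2 sample is taken from the earlier reply, to exercise that check).

```python
"""Audit dnsq-style SOA answers from each listed nameserver: flag lame
servers, leftover recursion ('weird ra') and serial drift between servers
(added example; not code from this thread or from djbdns)."""

SECTIONS = ("answer", "authority", "additional")

# Constructed sample: ns1 answering without the authoritative flag (lame),
# as in reply #4.
NS1_LAME = """\
6 getnby.com:
80 bytes, 1+0+2+1 records, response, noerror
query: 6 getnby.com
authority: getnby.com 86400 NS ns1.getnby.com
authority: getnby.com 86400 NS ns2.getnby.com
additional: ns2.getnby.com 86400 A 199.104.118.67
"""

# Constructed sample: ns1 after the fix, serial 2002020601.
NS1_FIXED = """\
6 getnby.com:
142 bytes, 1+1+2+2 records, response, authoritative, noerror
query: 6 getnby.com
answer: getnby.com 86400 SOA ns1.getnby.com webmaster.getnby.com 2002020601 1800 1800 604800 86400
authority: getnby.com 86400 NS ns1.getnby.com
authority: getnby.com 86400 NS ns2.getnby.com
additional: ns1.getnby.com 86400 A 199.104.118.66
additional: ns2.getnby.com 86400 A 199.104.118.67
"""

# Constructed sample: ns2 still on serial 2002020501 and still advertising
# recursion ('weird ra'), combining the earlier and later outputs.
NS2_OLD = """\
6 getnby.com:
142 bytes, 1+1+2+2 records, response, authoritative, weird ra, noerror
query: 6 getnby.com
answer: getnby.com 86400 SOA ns1.getnby.com webmaster.getnby.com 2002020501 86400 1800 604800 86400
authority: getnby.com 86400 NS ns1.getnby.com
authority: getnby.com 86400 NS ns2.getnby.com
additional: ns1.getnby.com 86400 A 199.104.118.66
additional: ns2.getnby.com 86400 A 199.104.118.67
"""


def parse_dnsq(text):
    """Parse one dnsq response into qtype, name, flags and RR sections."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    qtype, name = lines[0].rstrip(":").split()
    fields = [f.strip() for f in lines[1].split(",")]
    parsed = {"qtype": int(qtype), "name": name,
              "flags": set(fields[2:]),      # skip "<n> bytes" and record counts
              "answer": [], "authority": [], "additional": []}
    for line in lines[2:]:
        section, _, rest = line.partition(":")
        if section in SECTIONS:
            parsed[section].append(rest.split())  # owner ttl type rdata...
    return parsed


def soa_serial(parsed):
    """Serial from the SOA in the answer section, or None if there is none."""
    for rr in parsed["answer"]:
        if len(rr) > 5 and rr[2] == "SOA":
            return int(rr[5])
    return None


def audit(responses):
    """responses: {server name: parse_dnsq(...)}. Returns a list of findings."""
    findings, serials = [], {}
    for server, parsed in responses.items():
        if "authoritative" not in parsed["flags"]:
            findings.append(f"{server}: non-authoritative answer for "
                            f"{parsed['name']} (lame server)")
        if "weird ra" in parsed["flags"]:
            findings.append(f"{server}: advertises recursion (ra) on an "
                            f"authoritative server; set recursion no")
        serial = soa_serial(parsed)
        if serial is not None:
            serials[server] = serial
    if len(set(serials.values())) > 1:
        detail = ", ".join(f"{s}={n}" for s, n in sorted(serials.items()))
        findings.append(f"SOA serial mismatch between servers: {detail}")
    return findings


if __name__ == "__main__":
    for f in audit({"ns1.getnby.com": parse_dnsq(NS1_FIXED),
                    "ns2.getnby.com": parse_dnsq(NS2_OLD)}):
        print(f)
```

With the first pair (lame ns1, old ns2) the audit reports the lame server and the leftover recursion flag; with the fixed ns1 against the old ns2 it reports the serial mismatch that tells you the slave has not transferred the zone yet.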
Post #7 (Join Date: Mar 2001, Location: Idaho, Posts: 46)

    >As you can see they are pretty identical except ns2 hasn't picked up the changes. Check your named.conf and make sure.

I didn't set up the update since I'm almost finished with another FreeBSD box and I was afraid ns1 would screw up ns2, but I'll do that now!

    >I also see that your SMTP server (qmail-smtpd) is up and running and deny relaying.

I've never allowed anyone (except me) to send mail through my mailserver (now there's 2!!! I'll post what I think my problems were in the other forum). Since I don't offer dialup, my clients (all 14 of them, 3 paying!) have to use their normal dialup account to send, but they can receive through email accounts I set up for them, and now that DNS is going good I feel happy about accepting new domains!

    Thanks again!!! You are GREAT!!!
    Terry