Dev Shed Forums > System Administration > DNS

#1
December 26th, 2001, 10:43 AM
Steph
DNS name resolution PB

Hi,

I'm using BIND 9.1.3 on an RH 7.2 Linux box (kernel 2.4-10) and I'm currently facing some DNS configuration problems.

We're hosting some customers' domains, mail servers and web servers. Therefore, we're doing some virtual hosting stuff.

Today we are reorganizing our network, and while we are doing this, we decided to set up new DNS.

When I wanted to test my configuration I used the Linux nslookup command.

From the inside of my network this works fine, but when I want to look up a machine on the Internet it doesn't work properly.

This DNS server has a public IP address so it is directly on the Internet. (This is not really safe, I know!)

Could you point out to me where this can come from?

Any pointers or remarks are greatly welcome!

Thanks in advance
Stéphane

#2
December 26th, 2001, 10:55 AM
freebsd
>> From the inside of my network this works fine

What are you looking up? Internal FQDN or external? Keep in mind, the FQDN that is world reachable maps to your external IP, therefore it's considered external.

>> when I want to lookup a machine on the Internet this doesn't work properly

That's a DNS cache or /etc/resolv.conf problem. We can't troubleshoot this problem, so why don't you check those yourself? If you need further help, please provide relevant details.

#3
December 26th, 2001, 11:25 AM
Steph
Precisions

Thanks freebsd,

Here's my configuration:

Using BIND 9.1.3

ns1 IP: 213.223.156.xxx
ns2 IP: 213.223.156.yyy

/etc/resolv.conf:
domain resint.com
nameserver 213.223.156.xxx
nameserver 213.223.156.yyy


/etc/named.conf:
// generated by named-bootconf.pl

options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
forwarders {
194.6.128.3;
194.6.128.4;
};

};

//
// a caching only nameserver config
//
zone "." {
type hint;
file "named.ca";
};

zone "0.0.127.in-addr.arpa" {
type master;
file "named.local";
};

zone "156.223.213.in-addr.arpa" {
type master;
file "/home/named/213223156";
};


zone "cavarroc.net" {
type master;
file "/home/named/cavarroc.xxx";
};

zone "cavarroc.com" {
type master;
file "/home/named/cavarroc.xxx";
};

/home/named/213223156:
@ IN SOA ns1.resint.com. root (
200010021 ; Serial
3600 ; refresh 1 hour
60 ; refresh 1 min
86400 ; expire 1 days
60 ) ;TTL 1 min
NS ns1.resint.com.
NS ns2.resint.com.

168 PTR ns1.resint.com.
169 PTR ns2.resint.com.
173 PTR mail.resint.com.
170 PTR web1.resint.com.
171 PTR web2.resint.com.
172 PTR web3.resint.com.

/home/named/cavarroc.xxx:
@ IN SOA cavarroc.net. root (
200010021 ; Serial
3600 ; refresh 1 hour
60 ; refresh 1 min
86400 ; expire 1 days
60 ) ;TTL 1 min
NS ns1.resint.com.
NS ns2.resint.com.
MX 10 mail
localhost A 127.0.0.1
mail A 213.223.156.173
mail HINFO "Serveur mail" "Linux"
www A 213.223.156.170
www HINFO "Serveur Web2" "Win2000"
ftp A 213.223.156.170
ftp HINFO "Serveur Web2" "Win2000"


Running test:
Note: nslookup is deprecated and may be removed from future releases.
Consider using the `dig' or `host' programs instead. Run nslookup with
the `-sil[ent]' option to prevent this message from appearing.
> mail
Server: 213.223.156.168
Address: 213.223.156.168#53

Name: mail.resint.com
Address: 213.223.156.173

### Seems to work fine from the inside
> www.cavarroc.net
Server: 213.223.156.168
Address: 213.223.156.168#53

Name: www.cavarroc.net
Address: 213.223.156.170
> www.cavarroc.com
Server: 213.223.156.168
Address: 213.223.156.168#53

Name: www.cavarroc.com
Address: 213.223.156.170
### Seems to work fine from the inside
> www.yahoo.fr
;; connection timed out; no servers could be reached
### Doesn't work from the outside!!! How to solve it!!!
>

Could you point out to me how to solve this problem?

#4
December 26th, 2001, 12:35 PM
freebsd
>> Could you point out to me how to solve this problem?

You misconfigured your DNS all over the place. Reconfiguring it properly should fix your nslookup problem. Your biggest problem is, you can't run an authoritative DNS server for your customers unless you host resint.com yourself rather than at unimedia.fr.

Here is a list of your major misconfigurations:

1) You don't need /home/named/213223156 because you will never be authoritative for the reverse. 99.99% of ISPs don't delegate reverse for customers unless you lease a huge netblock from them, but that doesn't seem to be the case.

2) Say you had authority to host your particular reverses; you still wouldn't have DNS authority for the entire 213.223.156.0/24. So 156.223.213.in-addr.arpa is incorrect.

3) You can't combine "cavarroc.net" and "cavarroc.com" into /home/named/cavarroc.xxx.

4)
>> /home/named/cavarroc.xxx :
>> @ IN SOA cavarroc.net. root (

ns1.unimedia.fr is the SOA, not cavarroc.net itself (not to mention that cavarroc.net is not an FQDN). Not ns1.resint.com either.

5)
>> 86400 ; expire 1 days
>> 60 ) ;TTL 1 min

A TTL of 1 min is crazy. The proper minimum is 1 day and expire should be 3 days. Many DNS administrators illiterately configure the expire to be 7 days, which is still too long.

6)
>> NS ns1.resint.com.
>> NS ns2.resint.com.

You can't set NS to ns1.resint.com because it's not authoritative for cavarroc.net.
It should be:

ns1.unimedia.fr
ns2.unimedia.fr

7)
>> mail A 213.223.156.173

mail.cavarroc.net resolves to 212.208.180.253, not 213.223.156.173, and again, you are not authoritative for it.

8) My comment:
Just run a cache-only DNS server with forwarders to 194.6.128.3-4 and remove all other zone info.
If you have that many static IPs (213.223.168-173), why don't you run your own authoritative DNS server?

#5
December 27th, 2001, 02:21 AM
Steph
More precisions!

Thank you very much for your useful help, especially regarding reverse DNS needs.

Excuse me, but I forgot to tell you one important thing:

As we faced some problems with our Internet connection two months ago, we moved all our customers to a local Internet service provider for a while.
In the meantime, we found another ISP and are now ready to re-host our customers.

Therefore, all the domains mentioned in my previous message will be hosted by ourselves; this means resint.com, and the authoritative DNS would become ns1.resint.com and ns2.resint.com instead of ns1.unimedia.fr and ns2.unimedia.fr.
This also means that we will modify the DNS registration and delegation with INTERNIC, RIPE, AFNIC or whoever...

I reused the previous DNS configuration files, which were a real mess. I tried to clean them up; nevertheless I certainly left lots of mistakes.

As I'm French, I do not understand all the stuff! Excuse me!

What is an FQDN?
Why shouldn't I use cavarroc.xxx if cavarroc.net and cavarroc.com point to the same location?


Given this new information, I do not think that I misconfigured my DNS all over the place, but I may be wrong.


Any comment will be greatly appreciated.

Stéphane

#6
December 27th, 2001, 02:59 AM
Steph
One more question!

If I understand well what you, freebsd, explained, and as I will host an authoritative DNS, my SOA should be ns1.resint.com.


(As you should have understood, I'm just testing my DNS before using it and migrating all the domains to it!)
We're hosting 2 DNS servers (ns1, ns2), 1 mail server and several web servers which are doing virtual hosting.

This means:

I removed 156.223.213.in-addr.arpa from /etc/named.conf

/home/named/cavarroc.xxx :
@ IN SOA ns1.resint.com. root (
200010021 ; Serial
3600 ; refresh 1 hour
86400 ; refresh 1 day
259200 ; expire 3 days
60 ) ;TTL 1 min
NS ns1.resint.com.
NS ns2.resint.com.
MX 10 mail
localhost A 127.0.0.1
mail A 213.223.156.173
mail HINFO "Serveur mail" "Linux"
www A 213.223.156.170
www HINFO "Serveur Web2" "Win2000"
ftp A 213.223.156.170
ftp HINFO "Serveur Web2" "Win2000"

Is this correct?

It shouldn't be IN SOA cavarroc.net (/home/named/cavarroc.net; in this case I would understand why I shouldn't use cavarroc.xxx), should it?

Excuse me, but I'm still a newbie!

#7
December 27th, 2001, 06:06 AM
freebsd
>> we found another internet ISP and are now ready to re-host our customer

Good, just do so.

>> What is an FQDN?

In the form of xxx.yyy.zzz

>> Why shouldn't I use cavarroc.xxx if cavarroc.net and cavarroc.com point to the same location?

Different domain and different TLD (top level domain).

Imagine doing a recursive lookup on both, with ns1.resint.com being the SOA. Do you think looking up cavarroc.net is faster than cavarroc.com? No. Because starting from the root servers, .com and .net are different. It takes a much longer time to look up the .net than the .com.

>> I removed 156.223.213.in-addr.arpa from /etc/named.conf

Yes, you don't need it. But give it a shot and ask your ISP if they can set up the reverse for you at no charge or for a low one-time fee. Having a reverse that maps back to the same FQDN helps a lot.

>> /home/named/cavarroc.xxx :
>> Is this correct ?
No. Try this:
Code:
$TTL	86400
cavarroc.net.	IN	SOA	ns1.resint.com.	hostmaster.resint.com.	(
				2001122704	; Serial
				6H	; Refresh
				1H	; Retry
				5D	; Expire
				1D	)	; Minimum
cavarroc.net.		IN	NS	ns1.resint.com.
cavarroc.net.		IN	NS	ns2.resint.com.
www.cavarroc.net.	IN	A	213.223.156.170
ftp.cavarroc.net.	IN	A	213.223.156.170
cavarroc.net.		IN	MX	0	mail.resint.com.


1) Do not set mail A 213.223.156.173 because you can't use mail.cavarroc.net. I will explain this a little later.

2) Do not use HINFO, especially when running on an insecure OS (win2k). These days nobody uses HINFO any longer because there are too many people abusing it. From the DNS host's standpoint, just provide sufficient info for others to query, no more, no less. Do not let others reveal too much info. In BIND 8, there is an option called version which can be configured in named.conf like so:

options {
    version "";
};

This tells BIND not to release the version info. Why should the version matter? Because BIND is the most insecure software on earth, the developers realized that releasing the version is potentially vulnerable if exploits were found in such a version.
In your case, running win2k doesn't make you proud but vulnerable to all kinds of attacks (do not tell others explicitly you are running win2k), therefore it is highly discouraged. In fact, running M$ servers is a shame, so keep it to yourself.

>> MX 10 mail

As you can see from my post, the MX MUST be pointed to mail.resint.com, not mail.cavarroc.net.
SMTP relies heavily on DNS; setting mail.cavarroc.net could easily cause your messages to be bounced or deferred.
As I pointed out in many of my posts, that's why a dynamic IP site that points its MX to mail.theirdomain.com is plain dumb. 50% of the mails could easily be lost.
Now say your mail.resint.com doesn't have a unique IP but shares the same IP as ns1.resint.com, and ns1.resint.com is the SOA and NS. You then MUST set your MX to ns1.resint.com (not mail.resint.com, although it resolves to the same IP as ns1.resint.com).

>> Excuse me, but I'm still a newbie!

Nobody on earth is born knowing everything. Just try your best and configure BIND, then post here if you have further questions. BTW, when you are familiar with BIND, that's about the time to ditch the world's most insecure software (BIND) and give djbdns a try. djbdns's dnscache is 500 to 700 times faster than BIND. Do a search using the keyword djbdns or just djb if you are interested in migrating from BIND to djbdns. Well, I don't think you are ready yet, so just play around with BIND for now.
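
The points freebsd makes in #4 (who the SOA names, the timers) and here in #7 (HINFO, the corrected zone) can be turned into a mechanical check. The script below is an added example, not code from the thread or from BIND: it parses a zone written in the flat, one-record-per-line style Steph posted (comments after `;`, a parenthesised SOA, owner names inherited from the previous record, `$TTL` skipped), then reports an SOA MNAME that is not one of the zone's own NS targets, timers below the values freebsd recommends (expire at least 3 days, minimum at least 1 day: his advice in this thread, not an RFC requirement), and any HINFO record. Both sample zones are constructed from the ones posted above; the function and finding names are this example's own.

```python
"""Zone-file sanity checker: an added example, not code from the thread.
Flags an SOA MNAME that is not one of the zone's NS targets, SOA timers below
the thread's advice (expire >= 3 days, minimum >= 1 day), and HINFO records."""
import re
import shlex

RR_TYPES = {"SOA", "NS", "A", "AAAA", "MX", "PTR", "HINFO", "CNAME", "TXT"}
UNITS = {"": 1, "S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

# Constructed from Steph's first /home/named/cavarroc.xxx (post #3), issues intact.
STEPH_ZONE = """\
@ IN SOA cavarroc.net. root (
200010021 ; Serial
3600 ; refresh 1 hour
60 ; retry 1 min
86400 ; expire 1 day
60 ) ; TTL 1 min
NS ns1.resint.com.
NS ns2.resint.com.
mail HINFO "Serveur mail" "Linux"
www A 213.223.156.170
www HINFO "Serveur Web2" "Win2000"
"""

# Constructed from freebsd's corrected zone (post #7).
FREEBSD_ZONE = """\
$TTL 86400
cavarroc.net. IN SOA ns1.resint.com. hostmaster.resint.com. (
    2001122704 ; Serial
    6H ; Refresh
    1H ; Retry
    5D ; Expire
    1D ) ; Minimum
cavarroc.net. IN NS ns1.resint.com.
cavarroc.net. IN NS ns2.resint.com.
www.cavarroc.net. IN A 213.223.156.170
cavarroc.net. IN MX 0 mail.resint.com.
"""

def to_seconds(value):
    """Convert a BIND time value such as 3600, 6H or 5D to seconds."""
    m = re.fullmatch(r"(\d+)([smhdwSMHDW]?)", value)
    if not m:
        raise ValueError(f"bad time value: {value}")
    return int(m.group(1)) * UNITS[m.group(2).upper()]

def qualify(name, origin):
    """Make an owner or target name absolute relative to the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, rdata-tokens) tuples; owners inherit when omitted."""
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # naive: no ';' inside quoted strings
        if not line or (depth == 0 and line.startswith("$")):
            continue  # skip blanks and $TTL/$ORIGIN directives
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:  # parenthesised SOA complete: emit one logical record
            logical.append(" ".join(buf))
            buf = []
    records, owner = [], origin
    for line in logical:
        toks = shlex.split(line)  # keeps "Serveur mail" as one token
        if toks[0].upper() not in RR_TYPES | {"IN"}:
            owner = qualify(toks.pop(0), origin)
        if toks[0].upper() == "IN":
            toks.pop(0)
        records.append((owner, toks[0].upper(), toks[1:]))
    return records

def check_zone(records, origin, min_expire=3 * 86400, min_minimum=86400):
    """Return (code, message) findings for the points raised in the thread."""
    findings = []
    ns_targets = {qualify(r[2][0], origin).lower()
                  for r in records if r[1] == "NS" and r[0] == origin}
    (soa,) = [r for r in records if r[1] == "SOA"]  # a zone has exactly one SOA
    mname, _rname, _serial, *timers = soa[2][:7]
    refresh, retry, expire, minimum = map(to_seconds, timers)
    if qualify(mname, origin).lower() not in ns_targets:
        findings.append(("SOA_MNAME_NOT_NS", f"MNAME {mname} is not an NS of {origin}"))
    if retry >= refresh:
        findings.append(("SOA_RETRY_GE_REFRESH", f"retry {retry}s >= refresh {refresh}s"))
    if expire < min_expire:
        findings.append(("SOA_EXPIRE_SHORT", f"expire {expire}s < {min_expire}s"))
    if minimum < min_minimum:
        findings.append(("SOA_MINIMUM_SHORT", f"minimum TTL {minimum}s < {min_minimum}s"))
    for owner, rtype, rdata in records:
        if rtype == "HINFO":  # advertises hardware and OS; freebsd says remove it
            findings.append(("HINFO_LEAK", f"{owner} publishes HINFO {rdata}"))
    return findings

if __name__ == "__main__":
    for label, zone in (("Steph", STEPH_ZONE), ("freebsd", FREEBSD_ZONE)):
        found = check_zone(parse_zone(zone, "cavarroc.net."), "cavarroc.net.")
        print(label, "->", found or "clean")
```

Run stand-alone it reports five findings for Steph's first zone (the MNAME, the short expire and minimum, and two HINFO records) and "clean" for freebsd's. The parser only handles the record forms seen in this thread; BIND 9 ships `named-checkzone` for syntax checking, and a policy check like this one belongs on top of it, not in place of it.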

#8
December 27th, 2001, 11:29 AM
Steph
Thanks a lot!!!

Thanks a lot for all these precisions.
I'm learning a lot from you.

It works fine now!!!

All I have to do now is to set up ns2.
To do so, I think that I just have to copy all files from ns1 to ns2, and change "type master" to "type slave" in the named.conf file, which defines the new zones.

Am I wrong?

Stéphane

#9
December 27th, 2001, 12:59 PM
freebsd
>> I think that I've just to recopy all files from ns1 to ns2

Not quite. All zone files will be zone-transferred from ns1 to ns2 when your ns2 is up. Your named.conf for ns2, however, is somewhat identical to ns1's, except for toggling master and slave.

Once again, remember that when mail.resint.com and mail.cavarroc.net resolve to the same IP, you must set all zones' MX to use just mail.resint.com, no others.
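
freebsd's answer is that ns2's named.conf is ns1's with master and slave toggled, and that the zone data itself arrives by zone transfer. The script below, an added example and not code from the thread or from BIND, makes that concrete: every customer zone of `type master` becomes `type slave` with a `masters` list naming ns1, while the hint zone and the loopback reverse zone stay as they are. It assumes ns1's address is 213.223.156.168 (the server shown in the nslookup output in #3), that the slave copies go in a `slaves/` subdirectory under `/var/named` that named can write to, and one zone file per domain as freebsd's point 3 in #4 requires; the starting named.conf is constructed from Steph's with those changes.

```python
"""Derive ns2's slave named.conf from ns1's master config: an added example,
not code from the thread.  Every customer zone of "type master" becomes
"type slave" with a masters list pointing at ns1; the hint zone and the
loopback reverse zone stay as they are, and the zone data itself arrives by
zone transfer.  ns1's address comes from the nslookup output in the thread."""
import re

NS1_ADDR = "213.223.156.168"              # ns1.resint.com, per the nslookup output
LOCAL_ZONES = {"0.0.127.in-addr.arpa"}   # every server masters its own loopback

# Constructed from Steph's named.conf after removing the reverse zone, with one
# file per domain as freebsd's point 3 requires.
NS1_NAMED_CONF = """\
options {
    directory "/var/named";
    forwarders {
        194.6.128.3;
        194.6.128.4;
    };
};

zone "." {
    type hint;
    file "named.ca";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
};

zone "cavarroc.net" {
    type master;
    file "/home/named/cavarroc.net";
};

zone "cavarroc.com" {
    type master;
    file "/home/named/cavarroc.com";
};
"""

def split_zones(conf):
    """Yield (start, end, name, body) for each zone statement, brace-aware."""
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', conf):
        depth, i = 1, m.end()
        while depth:                       # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        end = conf.index(";", i) + 1       # include the terminating ';'
        yield m.start(), end, m.group(1), conf[m.end():i - 1]

def zone_type(body):
    return re.search(r"\btype\s+(\w+)\s*;", body).group(1)

def slave_stanza(name, master_addr=NS1_ADDR):
    """Slave zone pointing at ns1; file is relative to the options directory
    and must live somewhere named can write (here a slaves/ subdirectory)."""
    return (f'zone "{name}" {{\n'
            f"    type slave;\n"
            f"    masters {{ {master_addr}; }};\n"
            f'    file "slaves/{name}.db";\n'
            "};")

def to_slave_config(master_conf):
    """Return ns2's named.conf: customer master zones rewritten as slaves."""
    out, pos = [], 0
    for start, end, name, body in split_zones(master_conf):
        out.append(master_conf[pos:start])
        if zone_type(body) == "master" and name not in LOCAL_ZONES:
            out.append(slave_stanza(name))
        else:
            out.append(master_conf[start:end])  # hint and loopback: unchanged
        pos = end
    out.append(master_conf[pos:])
    return "".join(out)

def zone_types(conf):
    """Map zone name -> type for a quick before/after comparison."""
    return {name: zone_type(body) for _, _, name, body in split_zones(conf)}

if __name__ == "__main__":
    print(to_slave_config(NS1_NAMED_CONF))
```

The options block (directory, forwarders) is copied through untouched, which is what "somewhat identical" amounts to in practice. On ns1, the matching step is to restrict zone transfers with `allow-transfer` to ns2's address, so the zone cannot be pulled wholesale by arbitrary hosts; the slave's `file` is written by named, so the `slaves/` directory must be owned by the user named runs as.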

© 2003-2008 by Developer Shed. All rights reserved.