#1 Registered User (Mike)

    DNS on private LAN


    I have a lab that students need to set up DNS. The lab has a private class B (172.17.0.0) subnet with several class C (192.168.x.0) subnets connected via linux boxes that route packets. One machine is set up as the main DNS server on the class B subnet with the domain backbone.lab. Each of the class C subnets should be in the lab domain with names like dogbone.lab, tailbone.lab, etc. Anything on the class B network can be resolved ok, but when a box on one of the class C networks tries to query for something on backbone.lab it doesn't work. It looks like the DNS servers on the class C networks are the source of the problem. Here are a few packets captured when trying (note these boxes are running Mandrake Linux 10.1):

    host www.backbone.lab

    No. Time      Source        Destination   Protocol Info
    1   0.000000  192.168.2.77  172.17.0.1    DNS      Standard query A mandrakeonline.net
    2   0.000211  172.17.0.1    192.168.2.77  DNS      Standard query response, No such name
    3   0.001246  192.168.2.77  172.17.0.1    DNS      Standard query A mandrakeonline.net.backbone.lab
    4   0.001372  172.17.0.1    192.168.2.77  DNS      Standard query response, No such name
    ===========================================

    In case it is relevant, here are some possibly relevant syslog messages from the DNS server on the class B subnet:

    Mar 11 15:08:55 D17-1 named[5965]: starting BIND 9.3.0 -u named
    Mar 11 15:08:55 D17-1 named[5965]: found 2 CPUs, using 2 worker threads
    Mar 11 15:08:55 D17-1 named[5965]: loading configuration from '/etc/named.conf'
    Mar 11 15:08:55 D17-1 named[5965]: listening on IPv4 interface lo, 127.0.0.1#53
    Mar 11 15:08:55 D17-1 named[5965]: listening on IPv4 interface eth0, 192.168.1.1#53
    Mar 11 15:08:55 D17-1 named[5965]: listening on IPv4 interface eth0:0, 172.17.0.1#53
    Mar 11 15:08:55 D17-1 named[5965]: couldn't add command channel 127.0.0.1#953: not found
    Mar 11 15:08:55 D17-1 named[5965]: couldn't add command channel ::1#953: not found
    Mar 11 15:08:55 D17-1 named: named startup succeeded
    Mar 11 15:08:55 D17-1 named[5965]: zone ./IN: loaded serial 2002071603
    Mar 11 15:08:55 D17-1 named[5965]: zone 17.172.in-addr.arpa/IN: loaded serial 1109105137
    Mar 11 15:08:55 D17-1 named[5965]: zone backbone.lab/IN: loaded serial 1109105077
    Mar 11 15:08:55 D17-1 named[5965]: running
    ...
    Mar 11 15:11:59 D17-1 dhcpd: Unable to add forward map from router2.backbone.lab to 172.17.2.88: timed out

    ==========================================

    And here is the named.conf for this machine:

    options {
        directory "/etc";
        pid-file "/var/run/named/named.pid";
    };

    // Root master added for lab
    zone "." {
        type master;
        file "/var/named/named.imroot.conf";
        allow-update { none; };
    };

    zone "backbone.lab" {
        type master;
        file "/etc/backbone.lab.hosts";
    };

    zone "17.172.in-addr.arpa" {
        type master;
        file "/etc/172.17.rev";
    };

    Thanks for any suggestions.
    Mike
#2 DNS/BIND Guru (SilentRage)

    Ok, let me get a few facts straight.

    1) You've got the main dns server on ip 172.17.0.1, network 172.17.0.0/24.
    2) You've got a dns server on ip 192.168.*.?, network 192.168.*.0/16 for each subnet.
    3) Problem, all boxes on each network 192.168.*.0/16 are unable to resolve *.backbone.lab.

    Question: Are all subnet dns servers on machines that also perform as that subnet's router/gateway?

    I won't be able to magically tell you what's wrong. We're going to have to go through a possibly lengthy process of me telling you to execute certain commands, and you give me the response for them. I need test IPs to work with. They don't have to be real IPs, but they should be real to avoid confusion when I give you instructions.

    I think the main server is on 172.17.0.1
    What is an example sub network dns server IP?
    What is an example box IP on the same sub network as the example dns server IP?
    Send me a private message if you would like me to setup your DNS for you for a price of your choosing. This is the preferred method if your DNS needs to be fixed/setup fast and you don't have the time to bounce messages back and forth on a forum. Also, check out these links:

    Whois Direct | DNS Crawler | NS Trace | Compare Free DNS Hosts
#3 Registered User (Mike)


    DNS on a private LAN


    1) You've got the main dns server on ip 172.17.0.1, network 172.17.0.0/24.

    Yes, but it's 172.17.0.0/16
    2) You've got a dns server on ip 192.168.*.?, network 192.168.*.0/16 for each subnet.
    Yes, but it's 192.168.x.0/24
    3) Problem, all boxes on each network 192.168.*.0/16 are unable to resolve *.backbone.lab.
    Yes, with the /24 correction

    Question: Are all subnet dns servers on machines that also perform as that subnet's router/gateway?
    No, different boxes are used as routers

    I think the main server is on 172.17.0.1
    Yes
    What is an example sub network dns server IP?
    192.168.99.2
    What is an example box IP on the same sub network as the example dns server IP?
    192.168.99.5
    Also, the router on this subnet has 192.168.99.1 internal and 172.17.20.50 external
#4 DNS/BIND Guru (SilentRage)

    Yeah, I got my 16's and 24's mixed up, but I had the right idea. Thanks for also giving me the IP of the router/gateway.

    So let's get dangerous.

    First, we're going to assume that your network/subnet relationship is working fine. We are also going to assume your dns server is configured correctly. Let's check out things on the client that cannot resolve the domain. Show me the response for these commands on 192.168.99.5.

    cat /etc/resolv.conf
    dig @192.168.99.2 www.backbone.lab
#5 Registered User (Mike)

    Originally Posted by SilentRage
    Yeah, I got my 16's and 24's mixed up, but I had the right idea. Thanks for also giving me the IP of the router/gateway.

    So let's get dangerous.

    First, we're going to assume that your network/subnet relationship is working fine. We are also going to assume your dns server is configured correctly. Let's check out things on the client that cannot resolve the domain. Show me the response for these commands on 192.168.99.5.

    cat /etc/resolv.conf
    dig @192.168.99.2 www.backbone.lab
    resolv.conf:

    search yatta.lab
    nameserver 192.168.99.2

    (I'll have to run dig tomorrow, don't have access to the lab anymore tonight.)
#6 Registered User (Mike)

    OK, back at it.

    Client's resolv.conf:

    search yatta.lab
    nameserver 192.168.99.2

    Client runs: dig @192.168.99.2 www.backbone.lab

    ; <<>> DiG 9.3.0 <<>> @192.168.99.2 www.backbone.lab
    ;; global options: printcmd
    ;; connection timed out; no servers could be reached

    And for good measure, the 192.168.99.2 DNS server's relevant configs

    named.conf:

    options {
        directory "/etc";
        pid-file "/var/run/named/named.pid";
    };

    zone "yatta.lab" {
        type master;
        file "/etc/yatta.lab.hosts";
    };

    zone "99.168.192.in-addr.arpa" {
        type master;
        file "/etc/192.168.99.rev";
    };

    yatta.lab.hosts:


    $ttl 38400
    yatta.lab.              IN SOA drunkenclam.yatta.lab. root (
                                1109196277
                                10800
                                3600
                                604800
                                38400 )
    yatta.lab.              IN NS  drunkenclam.yatta.lab.
    drunkenclam.yatta.lab.  IN A   192.168.99.2
    www.yatta.lab.          IN A   192.168.99.3

    192.168.99.rev:


    $ttl 38400
    99.168.192.in-addr.arpa.    IN SOA drunkenclam.yatta.lab. root (
                                    1109196313
                                    10800
                                    3600
                                    604800
                                    38400 )
    99.168.192.in-addr.arpa.    IN NS  drunkenclam.yatta.lab.
    2.99.168.192.in-addr.arpa.  IN PTR drunkenclam.yatta.lab.
    3.99.168.192.in-addr.arpa.  IN PTR www.yatta.lab.

    -------------------------------------------------------------------------
    Clients in the 192.168.99.0 network ARE able to resolve drunkenclam.yatta.lab
#7 Registered User (Mike)

    Note that the bind config files were generated by Webmin.
#8 DNS/BIND Guru (SilentRage)

    Run this command on 192.168.99.5

    dig @192.168.99.2 drunkenclam.yatta.lab

    Run these commands on 192.168.99.2:

    netstat -an | grep ':53'

    dig @192.168.99.2 www.backbone.lab
#9 Registered User (Mike)

    dig @192.168.99.2 drunkenclam.yatta.lab

    ; <<>> DiG 9.3.0 <<>> @192.168.99.2 drunkenclam.yatta.lab
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54541
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;drunkenclam.yatta.lab. IN A

    ;; ANSWER SECTION:
    drunkenclam.yatta.lab. 38400 IN A 192.168.99.2

    ;; AUTHORITY SECTION:
    yatta.lab. 38400 IN NS drunkenclam.yatta.lab.

    ;; Query time: 0 msec
    ;; SERVER: 192.168.99.2#53(192.168.99.2)
    ;; WHEN: Wed Mar 30 16:02:44 2005
    ;; MSG SIZE rcvd: 69

    netstat -an | grep ':53'

    tcp 0 0 192.168.99.2:53 0.0.0.0:* LISTEN
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
    udp 0 0 192.168.99.2:32808 192.168.99.2:53 ESTABLISHED
    udp 0 0 192.168.99.2:53 0.0.0.0:*
    udp 0 0 127.0.0.1:53 0.0.0.0:*

    dig @192.168.99.2 www.backbone.lab

    ; <<>> DiG 9.3.0 <<>> @192.168.99.2 www.backbone.lab
    ;; global options: printcmd
    ;; connection timed out; no servers could be reached
#10 DNS/BIND Guru (SilentRage)

    Ok, we've established that there are most definitely no connectivity issues between the client and the subnet dns server. Even querying the subnet dns server locally, the request times out for www.backbone.lab. Testing continues from the subnet dns server.

    Run these commands on 192.168.99.2:

    route
    ping 192.168.99.1

    Run these commands on 192.168.99.1:

    cat /etc/resolv.conf
    route
    dig @172.17.0.1 www.backbone.lab
#11 Registered User (Mike)

    On 192.168.99.2 (dns server):

    route

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.99.0 * 255.255.255.0 U 0 0 0 eth0
    default 192.168.99.1 0.0.0.0 UG 0 0 0 eth0

    ping 192.168.99.3

    PING 192.168.99.3 (192.168.99.3) 56(84) bytes of data.
    64 bytes from 192.168.99.3: icmp_seq=1 ttl=64 time=0.436 ms
    64 bytes from 192.168.99.3: icmp_seq=2 ttl=64 time=0.515 ms

    --- 192.168.99.3 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1000ms

    On 192.168.99.3 (client):

    cat /etc/resolv.conf

    search yatta.lab
    nameserver 192.168.99.2

    route

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.99.0 * 255.255.255.0 U 0 0 0 eth0
    default 192.168.99.1 0.0.0.0 UG 0 0 0 eth0

    dig @172.17.0.1 www.backbone.lab

    ; <<>> DiG 9.3.0 <<>> @172.17.0.1 www.backbone.lab
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31674
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.backbone.lab. IN A

    ;; ANSWER SECTION:
    www.backbone.lab. 38400 IN CNAME D17-1.backbone.lab.
    D17-1.backbone.lab. 38400 IN A 172.17.0.1

    ;; AUTHORITY SECTION:
    backbone.lab. 38400 IN NS D17-1.

    ;; Query time: 2 msec
    ;; SERVER: 172.17.0.1#53(172.17.0.1)
    ;; WHEN: Thu Mar 31 09:34:15 2005
    ;; MSG SIZE rcvd: 89
#12 DNS/BIND Guru (SilentRage)

    Ok, maybe I shouldn't give ya so many commands at once. Cause now I'm confused. I told ya to execute those last 3 commands on 192.168.99.1, but you said you executed them on 192.168.99.3. Did you execute the commands on the wrong box, or did you just mislabel your results?

    192.168.99.1 is a linux box yes? It's not a router?
#13 Registered User (Mike)

    Aarg, mea culpa, used the wrong box. Here's the right stuff for 192.168.99.1:

    (Pinging it from 192.168.99.2 works ok)
    cat /etc/resolv.conf

    search yatta.lab
    nameserver 192.168.99.2

    route

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    192.168.6.0 172.17.6.50 255.255.255.0 UG 0 0 0 eth1
    192.168.12.0 172.17.2.5 255.255.255.0 UG 0 0 0 eth1
    192.168.11.0 172.17.20.21 255.255.255.0 UG 0 0 0 eth1
    192.168.99.0 * 255.255.255.0 U 0 0 0 eth0
    172.17.0.0 * 255.255.0.0 U 0 0 0 eth1
    default 192.168.99.1 0.0.0.0 UG 0 0 0 eth0


    dig @172.17.0.1 www.backbone.lab

    ; <<>> DiG 9.3.0 <<>> @172.17.0.1 www.backbone.lab
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39023
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.backbone.lab. IN A

    ;; ANSWER SECTION:
    www.backbone.lab. 38400 IN CNAME D17-1.backbone.lab.
    D17-1.backbone.lab. 38400 IN A 172.17.0.1

    ;; AUTHORITY SECTION:
    backbone.lab. 38400 IN NS D17-1.

    ;; Query time: 3 msec
    ;; SERVER: 172.17.0.1#53(172.17.0.1)
    ;; WHEN: Fri Apr 1 09:01:40 2005
    ;; MSG SIZE rcvd: 89
#14 DNS/BIND Guru (SilentRage)

    Yep, definitely no connectivity problems between the subnet clients or dns server or gateway to the class B network. Now to investigate the subnet dns server config.

    ...nevermind... Found something wrong with the main dns server config.

    The following showed up in the authority section of your backbone.lab results.

    backbone.lab. 38400 IN NS D17-1.

    This says your dns server is "D17-1" but this is not the case. The subnet dns servers are querying the wrong server when attempting to lookup information on www.backbone.lab. They need to query "D17-1.backbone.lab". Modify your NS record in the backbone.lab zone appropriately.
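An added example (not code from the thread) that checks a zone file for the kind of record found in post #14: it applies the zone-file trailing-dot rule to every NS target and reports one-label absolute names, name servers outside the zone, and in-zone name servers with no A record. The zone text inside is constructed to reproduce the bad "D17-1." record.

```python
"""Zone-file check for the mistake found in post #14: the record
"backbone.lab. IN NS D17-1." names the server "D17-1." (a top-level name,
because of the trailing dot) instead of "D17-1.backbone.lab.".
Added example, not code from the thread; the zone text is constructed."""

SAMPLE_ZONE = """\
$ttl 38400
backbone.lab. IN SOA D17-1.backbone.lab. root (
        1109105077 10800 3600 604800 38400 )
backbone.lab. IN NS D17-1.
D17-1.backbone.lab. IN A 172.17.0.1
www.backbone.lab. IN CNAME D17-1.backbone.lab.
"""

def qualify(name, origin):
    """Zone-file name rules: a trailing dot makes the name absolute,
    anything else is relative to the origin, and '@' is the origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()

def parse_records(text, origin):
    """Yield (owner, type, rdata) for lines of the form 'owner IN TYPE rdata';
    $ttl and the multi-line SOA are skipped (assumes class IN is written out)."""
    for line in text.splitlines():
        parts = line.split(";")[0].split()
        if len(parts) < 4 or parts[1].upper() != "IN" or parts[2] == "SOA":
            continue
        owner, rtype, rdata = parts[0], parts[2].upper(), parts[3]
        if rtype in ("NS", "CNAME"):
            rdata = qualify(rdata, origin)
        yield qualify(owner, origin), rtype, rdata

def check_zone(text, origin):
    """Return (code, detail) findings for every NS record in the zone."""
    origin = origin.lower().rstrip(".") + "."
    recs = list(parse_records(text, origin))
    a_names = {owner for owner, rtype, _ in recs if rtype == "A"}
    findings = []
    for owner, rtype, target in recs:
        if rtype != "NS":
            continue
        labels = target.rstrip(".").split(".")
        if len(labels) == 1:
            findings.append(("trailing-dot", f"NS {target} is a one-label "
                             f"absolute name; did you mean {labels[0]}.{origin}?"))
        elif target != origin and not target.endswith("." + origin):
            findings.append(("out-of-zone-ns", f"NS {target} is outside {origin}"))
        elif target not in a_names:
            findings.append(("missing-glue", f"NS {target} has no A record here"))
    return findings
```

Running `check_zone(SAMPLE_ZONE, "backbone.lab")` reports the trailing-dot finding; writing the target as `D17-1` (relative) or `D17-1.backbone.lab.` clears it.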
#15 Registered User (Mike)

    Well, it's gotta be close - I hope. Fixed the NS record in the main dns server, and now dig shows that's ok.

    Packet captures on the main dns server no longer show anything reaching it from the subnet queries.

    Packet captures on subnet show queries trying to be sent to the real root servers.

    Checked /var/named/named.ca on subnet server which looks like this:

    ; This file holds the information on root name servers needed to
    ; initialize cache of Internet domain name servers
    ; (e.g. reference this file in the "cache . <file>"
    ; configuration file of BIND domain name servers).
    ;
    ; This file is made available by InterNIC
    ; under anonymous FTP as
    ; file /domain/named.root
    ; on server FTP.INTERNIC.NET
    ; -OR- RS.INTERNIC.NET
    ;
    ; last update: Jan 29, 2004
    ; related version of root zone: 2004012900
    ;
    ;
    ; formerly NS.INTERNIC.NET
    ;
    . 3600000 IN NS A.ROOT-SERVERS.NET.
    A.ROOT-SERVERS.NET. 3600000 A 172.17.0.1

    Since it's got the IP for the main dns server, it doesn't look like this file is being used. How come?

    Packet captures on main and subnets show lookups for mandrakeonline.net to all of the real root name servers being made constantly.
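An added example (not code from the thread) that classifies how a named.conf reaches the root. BIND 9 loads a hints file such as the named.ca above only through a `zone "."` of type hint; with no "." zone and no forwarders it uses its compiled-in Internet root hints, which matches the root-server queries seen in this post. The two configs are trimmed copies of the ones posted; the hint declaration is constructed here.

```python
"""How a BIND 9 server reaches the root: a hints file such as named.ca is
read only through a zone "." of type hint; with no "." zone and no forwarders
BIND uses its compiled-in Internet root hints. Added example, not code from
the thread; configs below are trimmed copies of the posted named.conf files."""
import re

MAIN_NAMED_CONF = """\
options { directory "/etc"; };
// Root master added for lab
zone "." {
type master;
file "/var/named/named.imroot.conf";
allow-update { none; };
};
"""
SUBNET_NAMED_CONF = """\
options { directory "/etc"; };
zone "yatta.lab" { type master; file "/etc/yatta.lab.hosts"; };
"""
# A hints declaration (BIND syntax, constructed; path is the one in post #15).
HINT_ZONE = 'zone "." { type hint; file "/var/named/named.ca"; };\n'

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def blocks(text, keyword):
    """Yield (name, body) for each `keyword "name" { ... }` statement,
    counting braces so a nested `allow-update { none; };` stays inside."""
    for m in re.finditer(rf'\b{keyword}\b\s*(?:"([^"]*)")?\s*\{{', text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def root_mode(conf):
    """Return (mode, root zone file): mode is 'hint', 'master', 'forward'
    or 'builtin' (no "." zone and no forwarders: compiled-in root hints)."""
    text = strip_comments(conf)
    root_type = root_file = None
    for name, body in blocks(text, "zone"):
        if name == ".":
            t = re.search(r"\btype\s+(\w+)", body)
            f = re.search(r'\bfile\s+"([^"]*)"', body)
            root_type, root_file = (t and t.group(1)), (f and f.group(1))
    forwards = any(re.search(r"\bforwarders\s*\{", body)
                   for _, body in blocks(text, "options"))
    if root_type in ("hint", "master"):
        return root_type, root_file
    return ("forward" if forwards else "builtin"), None

if __name__ == "__main__":
    print(root_mode(MAIN_NAMED_CONF), root_mode(SUBNET_NAMED_CONF))
```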