Extremely simple bind DNS config. Please help

Hi everyone. I have a domain name that I want to point to a computer I’m trying to set up at home. I’m hoping to have a name server, webserver and a mailserver all on the same machine. I have installed Bind via Yast, opened the appropriate ports in the firewall and done what it told me to do in the README file, but it still isn’t behaving as expected. It works fine as a caching local server, but fails to identify itself as either the authoritative nameserver or even point the domain name to itself to identify itself as the host of the domain that’s being looked up.

The host machine is on a public static IP with no NAT for any hosts in my home network. I’ve been testing the nameserver responses from another machine in the network that has the nameserver I’m testing as the only nameserver in its IPv4 DNS settings. Like I said, the nameserver hands out responses for domains like google.com and opensuse.org perfectly fine. It’s just my own domain name that it fails on.

I would have thought the setup would have been simple with it being a static public IP with no NAT and everything being on the one host, but I’m obviously doing something wrong. Can anyone help me out?

Here’s the contents of the files that the README file says to edit and put in place (although I’ve obviously edited out the actual details). Oh, and the hostname of the machine the server is on is “www”.

/etc/named.d/mydomain.com.conf

#
# Configuration file for the mydomain.com zone.
#
zone "mydomain.com" in {
	type master;
	file "master/mydomain.com.zone";
};


/var/lib/named/master/mydomain.com.zone

$TTL 2D
mydomain.com.  IN SOA  www.mydomain.com.  hostmaster.mydomain.com. (
				1999092915	; serial
				1D		; refresh
				2H		; retry
				1W		; expiry
				2D )		; minimum

		IN NS		www
		IN MX		10 www

www		IN A		61.71.81.162

www		IN CNAME	www
ftp		IN CNAME	www


/etc/named.d/61.71.80.conf (Did I guess this filename correctly? That it needs to be a network address instead of a host address?)

#
# Configuration file for the reverse lookup of the 61.71.80.0/21 network.
#

zone "80.71.61.in-addr.arpa" in {
	type master;
	file "master/80.71.61.in-addr.arpa.zone";
};

/var/lib/named/master/80.71.61.in-addr.arpa.zone

$TTL 2D
80.71.61.in-addr.arpa.	 IN SOA	 www.mydomain.com.  hostmaster.mydomain.com. (
				1999092915	; serial
				1D		; refresh
				2H		; retry
				1W		; expiry
				2D )		; minimum

		IN NS		www.mydomain.com.

162		IN PTR		www.mydomain.com.



Should the line in /var/lib/named/master/80.71.61.in-addr.arpa.zone that says

80.71.61.in-addr.arpa.	 IN SOA	 www.mydomain.com.  hostmaster.mydomain.com. (

not instead say

61.71.80.in-addr.arpa.	 IN SOA	 www.mydomain.com.  hostmaster.mydomain.com. (

? I tried my best to avoid silly mistakes like getting addresses the wrong way around, but my eyesight and short-term memory are both very poor. (This post, for example, has taken me 2 hours and 20 minutes to write.) Any help that anyone could give would be very much appreciated.

I’m not currently running bind. I was running it when I had opensuse 11.3. My memory might be a tad rusty.

The only file with a specific required name, is “named.conf”. The names of other files are defined there.

I guess I didn’t use Yast to setup the original named.conf. Or, more correctly, after Yast has set it up, I suitably mutilated it for my own purposes.

named normally runs after a chroot(), to “/var/lib/named”. Once started, all paths are looked at relative to that. So when you identify your zone file as:
file “master/mydomain.com.zone”
that will refer to “/var/lib/named/master/mydomain.com.zone”.

As I recall, “/etc/named.conf” is copied to “/var/lib/named/etc/named.conf” by the script that starts named. I’m not sure whether it copies other files.

For my use, I put the master configuration in “/etc/named.conf”, which was copied to “/var/lib/named/etc/named.conf”, and then I put most other files that I needed (particularly zone files) in “/var/lib/named” or in subdirectories thereof. I just used the name “master/lan.rev.zone” for my reverse zone file.

I hope that helps a little.

Here’s the main clue. When things are not working, restart your named - or stop, then restart. Then look at the last few lines in “/var/log/messages”. They will probably tell you about the syntax errors that “named” is finding.

On Fri September 16 2011 05:26 pm, nrickert wrote:

>
> I’m not currently running bind. I was running it when I had opensuse
> 11.3. My memory might be a tad rusty.
>
> The only file with a specific required name, is “named.conf”. The
> names of other files are defined there.
>
> I guess I didn’t use Yast to setup the original named.conf. Or, more
> correctly, after Yast has set it up, I suitably mutilated it for my own
> purposes.
>
> named normally runs after a chroot(), to “/var/lib/named”. Once
> started, all paths are looked at relative to that. So when you identify
> your zone file as:
> file “master/mydomain.com.zone”
> that will refer to “/var/lib/named/master/mydomain.com.zone”.
>
> As I recall, “/etc/named.conf” is copied to
> “/var/lib/named/etc/named.conf” by the script that starts named. I’m
> not sure whether it copies other files.
>
> For my use, I put the master configuration in “/etc/named.conf”, which
> was copied to “/var/lib/named/etc/named.conf”, and then I put most other
> files that I needed (particularly zone files) in “/var/lib/named” or in
> subdirectories thereof. I just used the name “master/lan.rev.zone” for
> my reverse zone file.
>
> I hope that helps a little.
>
> Here’s the main clue. When things are not working, restart your named
> - or stop, then restart. Then look at the last few lines in
> “/var/log/messages”. They will probably tell you about the syntax
> errors that “named” is finding.
>
>

Stephen;

The IP is reversed in the “reverse lookup file”.

There are two utilities for checking syntax:
The first is named-checkconf, which checks the contents of /etc/named.conf; it
returns nothing if it finds no syntax errors. The second is named-checkzone,
which checks the syntax of your zone files.


su
named-checkconf
named-checkzone {zone} {path to zone file}

These check syntax only and not semantics (i.e. meaning).

If you are having trouble resolving your zones from the internet, but not
locally then you need to register your dns server. There should be
information on this where you registered your domain.


P. V.
“We’re all in this together, I’m pulling for you.” Red Green

And don’t forget that every time you edit a zone file, you must increase the serial number before reloading named. It doesn’t matter by how much, it must be larger than the last value. As you can see the format chosen there is YYYYMMDDNN, where NN is the version within that day.
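As an added example (not code from any poster in this thread, and not part of BIND), the script below goes one step past the syntax check that named-checkzone does: it parses a master zone file and reports the semantic mistakes the thread talks about (a CNAME that shares its owner name with other records or points at itself, an in-zone NS with no address record, a target whose last label is doubled, and a serial that was not raised since the last load), and it computes the next serial in the YYYYMMDDNN scheme. The zone embedded in it is a constructed sample modelled on the forward zone in post #1; the zone name and the previously loaded serial are assumed inputs.

```python
"""Semantic checks for a BIND master zone file (added example, not BIND code).

named-checkzone accepts a file that is syntactically fine but still wrong;
this walks the records and reports the mistakes a syntax pass lets through.
"""
import datetime
import re

# Constructed sample modelled on the forward zone in post #1,
# including its "www IN CNAME www" line.
SAMPLE_ZONE = """\
$TTL 2D
mydomain.com.  IN SOA  www.mydomain.com.  hostmaster.mydomain.com. (
                1999092915  ; serial
                1D          ; refresh
                2H          ; retry
                1W          ; expiry
                2D )        ; minimum
        IN NS   www
        IN MX   10 www
www     IN A    61.71.81.162
www     IN CNAME www
ftp     IN CNAME www
"""


def fqdn(name, origin):
    """Absolute form of a zone-file name ('@' is the origin, relative names get it appended)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, zone):
    """Return (serial, records, origin); records are (owner, type, rdata-token-list).

    Handles ';' comments, $TTL/$ORIGIN, blank-owner lines that inherit the
    previous owner, and the parenthesised multi-line SOA.
    """
    origin = zone if zone.endswith(".") else zone + "."
    joined, buf = [], ""
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw)
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue  # still inside an open parenthesis
        joined.append(buf)
        buf = ""
    records, last_owner, serial = [], origin, None
    for line in joined:
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):
            continue  # $TTL etc. do not matter for these checks
        toks = line.replace("(", " ").replace(")", " ").split()
        if line[0] in " \t":
            owner = last_owner  # leading whitespace: same owner as the previous record
        else:
            owner, toks = fqdn(toks[0], origin), toks[1:]
        last_owner = owner
        while toks and (toks[0].upper() == "IN" or toks[0][0].isdigit()):
            toks.pop(0)  # optional class and TTL fields before the type
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype == "SOA":
            serial = int(rdata[2])
        records.append((owner, rtype, rdata))
    return serial, records, origin


def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def check_zone(text, zone, previous_serial=None):
    """Return a list of human-readable problems (empty list means nothing found)."""
    serial, records, origin = parse_zone(text, zone)
    problems, by_owner = [], {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(owner, []).append((rtype, rdata))
    for owner, rrs in by_owner.items():
        types = [t for t, _ in rrs]
        # RFC 1034 section 3.6.2: a CNAME owner may carry no other records.
        if "CNAME" in types and len(types) > 1:
            others = ", ".join(t for t in types if t != "CNAME")
            problems.append(f"{owner}: CNAME coexists with other records ({others})")
        for rtype, rdata in rrs:
            if rtype not in ("CNAME", "NS", "MX", "PTR"):
                continue
            target = fqdn(rdata[-1], origin)
            if rtype == "CNAME" and target == owner:
                problems.append(f"{owner}: CNAME points to itself")
            labels = target.rstrip(".").split(".")
            if len(labels) > 1 and labels[-1] == labels[-2]:  # heuristic for "x.com.com."
                problems.append(f"{owner}: {rtype} target {target} repeats its last label")
            # A nameserver inside its own zone needs an address record (glue).
            if rtype == "NS" and in_zone(target, origin) and not any(
                t == "A" for t, _ in by_owner.get(target, [])
            ):
                problems.append(f"{owner}: in-zone NS {target} has no A record")
    if previous_serial is not None and serial <= previous_serial:
        problems.append(f"serial {serial} must be greater than the last loaded {previous_serial}")
    return problems


def next_serial(previous, today=None):
    """Next YYYYMMDDNN serial; bumps past `previous` if that was already issued today."""
    today = today or datetime.date.today().strftime("%Y%m%d")
    return max(int(today) * 100, previous + 1)


if __name__ == "__main__":
    for p in check_zone(SAMPLE_ZONE, "mydomain.com", previous_serial=1999092915):
        print("problem:", p)
    print("next serial:", next_serial(1999092915))
```

Run it on the sample and it reports the www CNAME problems and the unchanged serial; point it at a real file with `check_zone(open(path).read(), "zone.name", previous_serial=...)` after named-checkzone has passed it. The parser covers the record forms used in this thread, not the full master-file grammar.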

Although I haven’t configured BIND using YAST, I just did a quick spin through the applet and it looks pretty straightforward, simple and easy to understand to me.

Have you tried that?

IMO a good rule of thumb is if you’re really new to a technology, you should consider using a tool before you edit raw files directly, and on openSUSE you should see what YAST offers before looking anywhere else.

IMO and HTH,
Tony

PS. From your description it sounds like you have your DNS server configured as a Forwarding DNS Server and not as a caching DNS server… But if you use a tool like YAST my guess is that you wouldn’t have to bother with those details…

The good news first: the setup you described is possible. Some (unsorted) thoughts looking through post #1:

  1. You have a mess with the network. When your IP number is 61.71.81.162 and you are in a /21 subnet (subnet mask 255.255.255.248) the network address is 61.71.81.160. Your IP address is not part of any “61.71.80.0/21 network”. Use a subnet calculator to check it: Online IP Subnet Calculator

  2. You have to register a DNS server with your domain name registrar. Subject to the policy of your registrar you need at least 2 DNS servers.

  3. There is no use to configure reverse lookup (except for your local purposes). Your subnet belongs to the address space of your ISP and any reverse lookup will be directed to your ISP’s DNS server. Ask him to set up the reverse lookup for you.

  4. What is this:

www		IN CNAME	www

??? You already have an A record for www. Delete the line.

  5. Use ‘dig’ to test your DNS locally. When it works test from the outside. After any change in the configuration do
rcnamed reload

as root and then check the log files for messages.

  6. This is an example of working configuration files:
# in file /etc/named.conf
zone "mydomain.ch" in {
        file "master/mydomain.ch";
        type master;
        allow-transfer { 84.55.xxx.x; 213.200.xxx.xxx; };
        notify yes;
};

# reverse lookup for IP 62.2.abc.de
# letters abcde are numbers in reality
zone "de.abc.2.62.in-addr.arpa" in {
        allow-transfer { localhost; localnets; 84.55.xxx.x; };
        file "master/de.abc.2.62.in-addr.arpa";
        type master;
        notify yes;
};
# file /var/lib/named/master/mydomain.ch
$ORIGIN .
$TTL 172800     ; 2 days
mydomain.ch    IN SOA  ns.mydomain.ch.   admin.mydomain.ch. (
                                2010121601 ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                                IN NS   ns.mydomain.ch.
                                IN NS   ns.myotherdns.ch.
                                IN A    62.2.abc.de
                                IN MX   10 mail.mydomain.ch.
                                IN MX   20 mail.mailbackup.ch.
$ORIGIN mydomain.ch.
mail                            IN A    62.2.abc.de
ns                              IN A    62.2.abc.de
www                             CNAME   mydomain.ch.
# file /var/lib/named/master/de.abc.2.62.in-addr.arpa
$TTL 2d
@               IN SOA          ns.mydomain.ch.   admin.mydomain.ch. (
                                2010061402      ; serial
                                3h              ; refresh
                                1h              ; retry
                                1w              ; expiry
                                1d )            ; minimum

de.abc.2.62.in-addr.arpa.       IN NS           ns.mydomain.ch.
de.abc.2.62.in-addr.arpa.       IN PTR          mail.mydomain.ch.

Hope this helps. Good luck.
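As an added example (not code from any poster in this thread), the script below lets the standard Python ipaddress module do the subnet arithmetic that the posts above do by hand: given an address and a prefix length it returns the network address, netmask, usable host count, the host’s in-addr.arpa name and the reverse zone(s) that address falls under, and a second function tests whether a given reverse zone name actually covers an address. It is run on the placeholder address 61.71.81.162 from post #1 with both a /21 and the /29 that a 255.255.255.248 mask denotes; any IPv4 address and prefix works.

```python
"""Subnet and reverse-DNS arithmetic for a zone-file author (added example)."""
import ipaddress


def reverse_zone_of_24(network):
    """in-addr.arpa zone of a /24, e.g. 61.71.80.0/24 -> 80.71.61.in-addr.arpa."""
    a, b, c, _ = str(network.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa."


def network_info(address, prefix):
    """Network, mask, host count, the host's PTR name and the reverse zone(s) it needs."""
    iface = ipaddress.ip_interface(f"{address}/{prefix}")
    net = iface.network
    if prefix <= 24:
        # Reverse DNS is delegated on octet boundaries: a /21 spans eight /24 zones.
        zones = [reverse_zone_of_24(s) for s in net.subnets(new_prefix=24)]
    else:
        # Longer than /24: the host sits inside a /24 zone held by whoever owns the
        # enclosing block (normally the ISP), who has to serve or delegate it.
        zones = [reverse_zone_of_24(net.supernet(new_prefix=24))]
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses - 2,
        "host_ptr": iface.ip.reverse_pointer + ".",
        "reverse_zones": zones,
    }


def zone_contains(zone_name, address):
    """True if the PTR name of `address` lies under `zone_name` (trailing dot optional)."""
    zone = zone_name.rstrip(".").lower()
    ptr = ipaddress.ip_address(address).reverse_pointer
    return ptr == zone or ptr.endswith("." + zone)


if __name__ == "__main__":
    # 61.71.81.162 is the placeholder address from post #1.
    for prefix in (21, 29):
        info = network_info("61.71.81.162", prefix)
        print(f"/{prefix}: network {info['network']} mask {info['netmask']} "
              f"usable hosts {info['usable_hosts']} zones {' '.join(info['reverse_zones'])}")
    # The PTR name for 61.71.81.162 is 162.81.71.61.in-addr.arpa., so only a
    # zone whose name is a suffix of that holds the record.
    for zone in ("80.71.61.in-addr.arpa", "81.71.61.in-addr.arpa", "61.71.80.in-addr.arpa"):
        print(zone, "covers 61.71.81.162:", zone_contains(zone, "61.71.81.162"))
```

The `zone_contains` check answers the question in post #1 about which way round the octets go: the reverse name is always the address octets reversed, then `in-addr.arpa`, and the zone file for a host must be named with a suffix of that name.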

Wow. Thanks for the help. I’ll try out some of the suggestions next week when I have some time again and post back with the results. I hope it is just the subnetting that I got wrong. Like I said, I was just substituting actual I.P. addresses and domain names with made up ones just so it didn’t look like I was trying to advertise my domain (not that it’s worth looking at anyway) and to avoid handing out my I.P. address to those with malicious intent.

The last two octets and the mask were my actual address though. It’s just that I had a stroke recently, and it’s made mental arithmetic very difficult for me (hence the reason for my very poor eyesight and short-term memory). This is why I want to move all my stuff to self hosting. Because it’s not worth me paying for the hosting when I can’t really make full use of it any more.

I was trying to do the subnetting math myself as a bit of an exercise to try and get my brain working again. I guess it would be far more sensible to use a subnet calculator in this case.

On the subject of registering nameservers with my registrar, however, I’m a bit confused. My registrar is Godaddy.com and on the page where I say which nameservers I want to use it wants me to enter domain names and refuses to accept anything other than a Top Level Domain. Doesn’t this create a bit of a chicken-and-egg scenario? The current nameservers that my domain is on are indeed referred to by a T.L.D. (.com), but I don’t understand how or why. Surely the nameserver can’t be referred to by name without an authoritative response from the server, which cannot be gotten from the nameserver because no such response has been received?

Actually, is there a service I can hire like that of webhosting, but instead of renting a whole webhost, you just rent a DNS service? One that offers things needed for reliable mail delivery and things too, like SPF records and the like? That’s how I ended up with GoDaddy in the first place. Network Solutions, my original registrar, refused to offer these services and I read on GoDaddy that they offered everything I needed. It wasn’t until the transfer was completed and money was paid that I found out it was only offered to those that paid GoDaddy for mail and webhosting (essentially, those that didn’t need it).

The chicken and egg problem of a nameserver that’s on the same domain it’s serving is handled by glue records. That should be an adequate starting point for a search.

Yes, you can get DNS hosting, but this is offered by some domain registrars, reducing the number of parties and bills by one. Be sure that the service offered is full editing of the zone, not just the ability to specify the nameservers for the domain, leaving you no better off.

on the other hand you configure the DNS server with Yast in 2-5 minutes with some clicks and without any headache :slight_smile:

FYI - I also use GoDaddy as my Domain Registrar, and for the last year I used MyDNS.

A couple weeks ago though, I decided to use Amazon’s Hosted DNS service called “Route 53” which at the moment only costs about $1 (US)/month. If you use Route 53, you should know that it was primarily setup as a service for clients utilizing Amazon’s Cloud Services (eg S3, EC2) and is configured only by API and CLI, but numerous free third parties have created online “GUI configurators” that provide a usable frontend.

So, although I have deployed my own public Authoritative DNS (the DNS your Domain Registrar points to), at its low cost I believe that Route 53 is practical and cost-effective.

Rough steps to set up on Route 53, if you aren’t already an Amazon customer or client for any of its Dev or Consumer services:

  1. Open an Amazon account which requires tying to a Credit Card

  2. Configure your Amazon Services, in particular generating at least one key pair (certificates) used for Services authentication.

  3. Numerous Amazon Dev Services should be available as part of the “Starter Package,” verify Route 53 is one of them.

  4. Select one of any of the numerous Route 53 web frontends available

  5. Login using the key pair you generated in Step 2

  6. Build and configure your zone. If you’re familiar with DNS it should take only about a couple minutes, and replication begins immediately (I observed immediate effects because I had already configured GoDaddy and by the next 24-36 hours AFAIK the whole world was using the new DNS records).

  7. If you wish, you can test by pointing your machine directly to the Amazon DNS servers displayed by your Web Configurator. If you hadn’t already, point GoDaddy to these DNS servers displayed in your Web Configurator.

For me, I found Route 53 simple to setup, but for someone who isn’t already familiar with Amazon’s key pair authentication and typical DNS records configuration it might be a little challenging for the first time.

Also, since your public Reverse Lookup was mentioned, in my experience it is used in only one case I know of… When you deploy a Mailserver, and you do need to co-ordinate with your ISP to get that configured. I have never heard of Reverse Lookup Zones created for your public DNS, but I always create them when I configure a private DNS so if your DNS is doing both (eg forwarding or split DNS configuration), then I do recommend setting them up.

IMO and HTH,
Tony

Most people will only get one IP address out of a bank of hosted servers. In that case the hoster maintains the reverse lookup map and you have to ask them to change the result from something like server024-nw-tx.hoster.com to your domain name. Any decent hoster will do this for you.

Oh and reverse lookup is also important in another case, when you run a https site so that the reverse lookup result matches the certificate.

I’d never heard about configuring DNS reverse lookup for SSL before…

So, I did a bit of research and I couldn’t find a single case anywhere where a DNS Reverse Lookup Zone was required for deploying SSL, but I did come up with the following related scenarios…

  1. In 2006, a Windows Java runtime did a RDNS Lookup and was generally considered a bug. Since I couldn’t find this “feature” referenced later I assume it was confirmed as a bug and fixed. No other runtime (Java or otherwise, running on any platform) seems to have had this “feature.”

  2. Apache Server SSL Log configuration has a RDNS Lookup option, but it’s totally unrelated to creating the SSL session between server and client. Its value is to modify server logs to track who is connecting to the server… Instead of listing clients only by IP address the client’s hostname is also logged. Although an interesting feature, as expected this places a heavy additional load on the webserver as well as introducing latency related to the additional network connections so SSL logging RDNS Lookups are discouraged.

Spent some more time thinking about this, and am thinking that SSL only authenticates comparing the Certificate CN to the Hostname or IP address of the network connection, AFAIK there is never an option to do an alternate comparison which would then possibly require an additional lookup of some sort.

If anyone knows another scenario where SSL might be related to a RDNS Lookup or where my understanding is faulty, I am interested…

TIA,
Tony