• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 933

Help to configure nameservers

Hi

I need help to configure new primary and secondary nameservers. I've tried, but it does not work, so what I need is something like this:

My Info:

primary server: 777.777.777.777  primary.nameserver.com
secondary server:  888.888.888.888 secondary.nameserver.com

What are all the files that I need to edit on my servers, and if possible, examples of how they should look.


Here is what I have done:

/etc/named.conf (on master) (it has the line "caching only nameserver" by default, but I want it to be a "proper" nameserver):
***********************************************************************************************************************************
// generated by named-bootconf.pl

options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         query-source address * port 53;
};

//
// a caching only nameserver config
//
include "/etc/rndc.key";

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "777.777.777.in-addr.arpa" {
        type master;
        file "nameserver.com.rev";
        allow-transfer { 888.888.888.888; };
        allow-query { any; };
};

zone "nameserver.com" {
        type master;
        file "nameserver.com.zone";
        allow-transfer { 888.888.888.888; };
        allow-query { any; };
};
***********************************************************************************************************************************


/etc/resolv.conf (on master)
***********************************************************************************************************************************
domain nameserver.com
nameserver 127.0.0.1
nameserver 888.888.888.888
***********************************************************************************************************************************



/var/named/nameserver.com.rev (on master)
***********************************************************************************************************************************
;
; Reverse resolution zone file for a primary nameserver
;
$TTL 86400
@ IN  SOA         primary.nameserver.com. internet.nameserver.com. (
      2004042601   ; Serial
           10800   ; Refresh
            3600   ; Retry
          604800   ; Expire
           86400)  ; Minimum

              IN  NS     primary.nameserver.com.
              IN  NS     secondary.nameserver.com.

777           IN  PTR    primary.nameserver.com.
***********************************************************************************************************************************


/var/named/nameserver.com.zone (on master)
***********************************************************************************************************************************
;
; Forward resolution zone file for a primary nameserver
;
$TTL 86400
@ IN  SOA          primary.nameserver.com. internet.nameserver.com. (
      2004042601   ; Serial
           10800   ; Refresh
            3600   ; Retry
          604800   ; Expire
           86400)  ; Minimum

              IN  NS     primary.nameserver.com.
              IN  NS     secondary.nameserver.com.

              IN  MX 10  primary.nameserver.com.

              A          777.777.777.777
ftp           IN  CNAME  primary.nameserver.com.
mail          IN  CNAME  primary.nameserver.com.
www           IN  CNAME  primary.nameserver.com.
***********************************************************************************************************************************

The files on the secondary server look similar, with the obvious changes of IPs and the "type slave" bits in the named.conf etc. If needed, I will post them as well.

The 777.777.777.777 (primary.nameserver.com) server is on a separate network from the 888.888.888.888 (secondary.nameserver.com) server, and I'm not sure how to handle the reverse DNS entries for the secondary server?
Any help appreciated.

Thanks
Asked by: psimation
2 Solutions
 
da99rmdCommented:
Add the notify part to your named.conf; maybe add an entry
options {
        directory "/var/named";
        allow-query {
                192.168.0/24;
                777.777.777.777;
                888.888.888.888;
        };
        forwarders {
                (the ip of a real named);
        };
};

zone "777.777.777.in-addr.arpa" {
        type master;
        notify yes;
        file "nameserver.com.rev";
        allow-transfer { 888.888.888.888; };
        allow-query { any; };
};

zone "nameserver.com" {
        type master;
        notify yes;
        file "nameserver.com.zone";
        allow-transfer { 888.888.888.888; };
        allow-query { any; };
};

> the 777.777.777.777 (primary.nameserver.com) server is on a separate network than the 888.888.888.888 (secondary.nameserver.com) and I'm not sure how to handle the reverse DNS entries for the secondary server?
> Any help appreciated.
Add the reverse for that network to the secondary DNS.

/Rob

 
da99rmdCommented:
Then restart named and try a
dig any nameserver.com

/Rob

 
psimationAuthor Commented:
Hi Rob
I am just waiting for the reverse entries to take effect... Meanwhile, my "main" problem is that the zone files are not transferred to the secondary box. A tail of my /var/log/messages clearly shows that the transfer process "starts", but the files never appear on the secondary nameserver, nor do I get errors...
 
psimationAuthor Commented:
Ahh, wait, on the secondary server's messages, it says:
Apr 26 13:29:06 secondary named[10969]: transfer of '777.777.777.in-addr.arpa/IN' from 777.777.777.777#53: failed while receiving responses: permission denied
How do I "set permission?"
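The syslog line quoted above is exactly the kind of message worth watching for automatically, because named reports the failure on the slave while the master sees nothing wrong. As an added example (my own code, not from this thread or from BIND), here is a small Python scanner that picks named transfer and refresh messages out of /var/log/messages lines and maps the outcome text to the side most likely at fault; the sample lines are constructed, modelled on the two messages quoted in this thread, and the function and hint names are my own.

```python
import re

# Constructed syslog samples modelled on the two named messages quoted in this thread;
# the sshd line is unrelated noise the scanner must ignore.
SAMPLE_LOG = """\
Apr 26 13:29:06 secondary named[10969]: transfer of '777.777.777.in-addr.arpa/IN' from 777.777.777.777#53: failed while receiving responses: permission denied
Apr 26 13:29:07 secondary named[10969]: zone dom.co.za/IN: refresh: non-authoritative answer from master 777.777.777.777#53
Apr 26 13:30:01 secondary named[10969]: transfer of 'nameserver.com/IN' from 777.777.777.777#53: Transfer completed: 1 messages, 9 records, 250 bytes, 0.001 secs
Apr 26 13:31:00 secondary sshd[1234]: Accepted publickey for root from 10.0.0.9 port 4022
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: "
TRANSFER_RE = re.compile(PREFIX + r"transfer of '(?P<zone>[^']+)' from "
                         r"(?P<master>[\d.]+)#\d+: (?P<outcome>.*)$")
REFRESH_RE = re.compile(PREFIX + r"zone (?P<zone>\S+): refresh: (?P<outcome>.*?)"
                        r"(?: from master (?P<master>[\d.]+)#\d+)?$")

# Outcome text -> (side most likely at fault, first thing to check). "permission denied"
# is a local file-permission problem on the slave, which is what this thread ended on.
HINTS = [
    ("permission denied", ("slave", "named cannot write the zone file: check owner and mode of the zone directory")),
    ("non-authoritative answer", ("master", "master is not authoritative for the zone: check its zone type and file")),
    ("refused", ("master", "master refused the request: check allow-transfer; NAT can change the source address")),
    ("timed out", ("network", "no reply from the master: check firewall rules for TCP and UDP port 53")),
]

def classify(line):
    """Parse one syslog line; return a dict for named transfer/refresh events, else None."""
    m = TRANSFER_RE.match(line) or REFRESH_RE.match(line)
    if not m:
        return None
    outcome = m.group("outcome")
    event = {"zone": m.group("zone"), "master": m.group("master"), "outcome": outcome}
    if outcome.startswith("Transfer completed"):
        event.update(status="ok", side=None, check=None)
        return event
    side, check = "unknown", "inspect the full message"
    for needle, (s, c) in HINTS:
        if needle in outcome.lower():
            side, check = s, c
            break
    event.update(status="fail", side=side, check=check)
    return event

def failures(log_text):
    """Return only the failed transfer/refresh events found in log_text, oldest first."""
    events = (classify(line) for line in log_text.splitlines())
    return [e for e in events if e and e["status"] == "fail"]

if __name__ == "__main__":
    for e in failures(SAMPLE_LOG):
        print(f"{e['zone']} from {e['master']}: {e['outcome']} -> [{e['side']}] {e['check']}")
```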
 
da99rmdCommented:
The secondary DNS should have zones like this:
zone "nameserver.com" IN {
        type slave;
        notify yes;
        file "nameserver.com";
        allow-query { any; };
        // IP address of the master server this zone is transferred from
        masters { 777.777.777.777; };
};

And when you later alter the zone files, you have to change the serial number for the changes to take effect.

You can do a
dig any nameserver.com @(ip number)

/Rob
 
jlevieCommented:
Another problem that I see is that the forward zone for the domain includes this data:

              A          777.777.777.777
ftp           IN  CNAME  primary.nameserver.com.
mail          IN  CNAME  primary.nameserver.com.
www           IN  CNAME  primary.nameserver.com.

But it does not include an A record for primary.nameserver.com. That data should be:

              A          777.777.777.777
primary  IN  A  777.777.777.777
ftp           IN  CNAME  primary.nameserver.com.
mail          IN  CNAME  primary.nameserver.com.
www           IN  CNAME  primary.nameserver.com.
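jlevie's observation can be checked mechanically. The following is an added example (my own code, not from this thread): a parser for the zone-file subset posted in the question, plus a lint that reports in-zone NS, MX and CNAME targets that no A record defines, and that also flags NS or MX records whose target is a CNAME, which the thread does not discuss but which breaks resolution in the same quiet way. ZONE_BEFORE is a constructed copy of the posted forward zone; ZONE_AFTER adds the A records for primary and secondary that appear later in the thread; function names are my own.

```python
import re
# Constructed copy of the forward zone posted in the question, before the A records were added.
ZONE_BEFORE = """\
$TTL 86400
@ IN  SOA  primary.nameserver.com. internet.nameserver.com. (
      2004042601   ; Serial
           10800   ; Refresh
            3600   ; Retry
          604800   ; Expire
           86400)  ; Minimum
              IN  NS     primary.nameserver.com.
              IN  NS     secondary.nameserver.com.
              IN  MX 10  primary.nameserver.com.
              A          777.777.777.777
ftp           IN  CNAME  primary.nameserver.com.
mail          IN  CNAME  primary.nameserver.com.
www           IN  CNAME  primary.nameserver.com.
"""
# The same zone with the A records for primary and secondary added, as done later in the thread.
ZONE_AFTER = ZONE_BEFORE + "primary       IN  A      777.777.777.777\nsecondary     IN  A      888.888.888.888\n"

def absolute(name, origin):
    """Turn a zone-relative owner or target into a fully qualified name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, target) triples for the subset used here: $TTL, SOA, NS, MX, A, CNAME."""
    text = re.sub(r"\([^)]*\)", "", text)            # fold the multi-line SOA onto one line
    records, owner = [], origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not raw[0].isspace():                      # owner in column one; blank means "same as last"
            owner = absolute(fields.pop(0), origin)
        if fields[0] == "IN":
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        target = rdata[-1] if rtype in ("NS", "MX", "CNAME") else rdata[0]
        records.append((owner, rtype, target if rtype == "A" else absolute(target, origin)))
    return records

def lint(records, origin):
    """Report in-zone NS/MX/CNAME targets with no A record, and NS/MX targets that are CNAMEs (RFC 2181)."""
    has_a = {o for o, t, _ in records if t == "A"}
    is_cname = {o for o, t, _ in records if t == "CNAME"}
    problems = []
    for owner, rtype, target in records:
        in_zone = target == origin or target.endswith("." + origin)
        if rtype not in ("NS", "MX", "CNAME") or not in_zone:
            continue
        if target not in has_a and target not in is_cname:
            problems.append(f"{rtype} at {owner} -> {target}: no A record for the target")
        elif rtype != "CNAME" and target in is_cname:
            problems.append(f"{rtype} at {owner} -> {target}: target is a CNAME")
    return problems
```

Running `lint(parse_zone(ZONE_BEFORE, "nameserver.com."), "nameserver.com.")` lists all six dangling references, and the same call on ZONE_AFTER returns an empty list.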
 
da99rmdCommented:
That's correct,
you said the master file contained the above one in your first post.

/Rob
 
psimationAuthor Commented:
Yes, sorry, I realized that and added it as well as

secondary  IN  A  888.888.888.888

as secondary is also in domain nameserver.com; however, I still get the "no permission" on the secondary box. I've made sure that port 53 is open in the firewall...
 
da99rmdCommented:
And you added the following line to the slave ?
masters { 777.777.777.777; };

/Rob
 
da99rmdCommented:
For permission, check the files in /var/named so that named owns and can write these files.

/Rob
 
psimationAuthor Commented:
Yes, slave named.conf looks like this:

// generated by named-bootconf.pl

options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         query-source address * port 53;
};

//
// a caching only nameserver config
//

include "/etc/rndc.key";
controls {
        inet 127.0.0.1 allow { localhost; 777.777.777.777; } keys { rndckey; };
};
zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "777.777.777.in-addr.arpa" {
        type slave;
        masters { 777.777.777.777; };
        file "nameserver.com.rev";
        allow-transfer { 777.777.777.777; };
        allow-query { any; };
};

zone "nameserver.com" {
        type slave;
        masters { 777.777.777.777; };
        file "nameserver.com.zone";
        allow-transfer { 777.777.777.777; };
        allow-query { any; };
};
 
da99rmdCommented:
I don't think it is good to have allow-transfer { 777.777.777.777; };
on both sides; just have this on the master side.

What about the perms of the files in /var/named?

/Rob

 
psimationAuthor Commented:
I don't have it on both sides. This is the named.conf on the secondary (888.888.888.888) server...
Permissions on the folder are fine...
 
jlevieCommented:
Have you checked on the primary for any errors when starting named? If it attempts to start with
errors it will disallow zone transfers to the secondary.
 
psimationAuthor Commented:
Hi Jim.

No errors on startup; the only errors are on the secondary server, which states "no permission".
Can the fact that the reverse resolutions might not have gone through yet have anything to do with it?
 
jlevieCommented:
I don't think so. If the primary and slave are correctly configured and there are no firewalls in between
interfering with the zone transfers they will work.

A thought...

Are these servers inside of a NAT'ing firewall? That requires a special, more complicated named.conf
and system configuration.
 
psimationAuthor Commented:
Yes, I think it is, but only the master; the master has an "internal" 10.0.0.25 IP, which the ISP is then relaying to 777.777.777.777, but the secondary server is configured as 888.888.888.888 directly.
 
jlevieCommented:
Hmm, that might be a problem. While the primary will receive the request from the secondary I think
it will reply as being 10.0.0.25, which the secondary should reject. To verify if that's the case and
investigate a solution I'd need to set up a test case.
 
psimationAuthor Commented:
if you want, I will mail you the root passwords for both boxes? Just send me your e-mail address again if you want to have a look at it?
 
da99rmdCommented:
Just add 10.0.0.25 to the masters section and the allow-transfer on the slave.

/Rob
 
psimationAuthor Commented:
Hi Rob
I tried that, but it times out. I don't think it will work, as the secondary now searches directly for 10.0.0.25 on its local network, yet the two machines are not on the same network and, subsequently, it won't find it. Would I need to set up some higher level routing?
 
da99rmdCommented:
Yes, probably. How have you made the port forwarding/masquerading for the master?

/Rob
 
psimationAuthor Commented:
That was done by my service provider. I'm behind a firewall and they simply NAT the 10.0.0.25 to the 777.777.777.777 address.
 
da99rmdCommented:
Then this is the problem, as jlevie thought. Maybe there is a way of cheating the master so that it thinks it is 777.777.777.777; I'll look into that.

/Rob
 
da99rmdCommented:
Try just adding 10.0.0.25 to the allow-transfer, not to the masters, and have the 777.777.777.777 address in both.

/Rob
 
psimationAuthor Commented:
So what you're saying is that named itself is having difficulties with providing services as 777.777.777.777 when its local IP is NOT 777.777.777.777?
 
da99rmdCommented:
Yes, it will tell the slave server that its IP is the local one, and it will refuse that IP.

/Rob
 
jlevieCommented:
I haven't had any time to play with a test set up yet and now it looks like I won't for a while. You
might try including "transfer-source 777.777.777.777;" in each zone declaration on the master that
is to be transferred to the secondary.
 
psimationAuthor Commented:
Hi Jim
If I add it to the named.conf on the master server, named says it is not a valid entry for a master server, so I proceeded to enter it on the slave server, but now it does not even attempt a transfer...

I believe that the problems are just with the transfer of the zone file to the slave, and if I created the slave zone file manually that things should work, correct?
 
da99rmdCommented:
Yes, that's correct; the name server should work as wanted.

Have you tried it out?

/Rob
 
psimationAuthor Commented:
Hey guys, I found it! ( I hope)

I added

forward only;

to the zone declaration in the named.conf file on the master and it seems that it is now transferring zones.

It's early days yet, so I will wait for your comments/thoughts on this.
 
psimationAuthor Commented:
Disregard...

still not working :(
 
psimationAuthor Commented:
I thought things worked, but they are even worse...
When I am logged into the master server and I do a dig primary.nameserver.com (FQDN), it returns all the expected results. Yet, when I do a ping FQDN, it times out, as it tries to ping the 777.777.777.777 address as if it is outside the firewall, when in fact it should ping 10.0.0.25... But I guess that is what you both have been saying?

Would this also cause mail reception problems from outside? When I send mail to FQDN from outside, it never reaches the server, but I never (until now) receive any bounced mail either...
Sheesh, the day I get to configure a server with no hiccups....
 
da99rmdCommented:
hehe,
The problem with the pinging is a firewall issue; you should be able to reach the 777.... address as well from inside. If you want the firewall to give the local address when accessed from inside, you have to do a little modification to your named configs. Read this how-to:
http://www.tldp.org/HOWTO/DNS-HOWTO.html

You maybe must have 2 DNS servers: 1 for the inside that listens on your 10 address and one that listens on your 777 address, and the 10 DNS just knows the internal net and then forwards to the 777 DNS for internet resolving.

/Rob
 
psimationAuthor Commented:
Hi Rob, that's the doc I read where I thought the forward only; thing was the answer. I missed the part about 2 DNSs though; is it in there?
 
da99rmdCommented:
Nope, that came from my head, and that's not online :)

/Rob
 
da99rmdCommented:
You have to have 2 because you can never share internal addresses (net 10 addresses) on the net. Don't know, maybe there is some conf method to get it working with one,
but it's easier with 2.
Have you checked this one out:
The problem with the pinging is a firewall issue; you should be able to reach the 777.... address as well from inside.


/Rob
 
psimationAuthor Commented:
OK, slap me silly, and damned if I know how it changed...
The problem is solved (with the transfers); the $%^$%@#$# permissions on the /var/named folder were not correct on the slave server... (I swear I did not touch it!!!!!)

Anyway, I will still endeavour to try and get my machine to ping itself on the public address...
 
da99rmdCommented:
hehe, as usual the easiest problem that seems worst.
check the post Date: 04/26/2004 06:38AM PDT :)

The pinging will be solved by allowing this, I think; I had the same problem once.
iptables -A INPUT -p ALL -s 777.777.777.777 -j ACCEPT
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT

Then check if you can both reach the httpd server and ping by the address 777 from inside.

/Rob
 
jlevieCommented:
From inside of an IPtables firewall (or most other NAT'ing firewalls like a Cisco PIX, Checkpoint, etc) you can't ping
your outside IP or otherwise connect to it. That IP(s) can only be reached from outside of the firewall. While that explains
that failure it has nothing to do with what's going on with the DNS servers.

While I suspect that the failure to transfer the zones to the secondary is a result of the primary being behind
a NAT'ing firewall and thus contains its private IP in the data sent, I don't know for certain that to be the case.
And I won't be able to investigate that until I can take the time to set up a similar configuration.
 
psimationAuthor Commented:
Another thing I just noticed:
I added one of my other domains so my nameservers will already propagate by the time I do the actual ticket request for the move; now the slave says:

zone dom.co.za/IN: refresh: non-authoritative answer from master 777.777.777.777#53

I reckon this is just a continuation of my problems, and nothing new?

Also, Jim, will these DNS errors have anything to do with me getting "relaying denied" messages as soon as I try to send mail via this server? (I've followed your installation instructions to the letter with the exception of commenting out the generics-domains in your sendmail.mc file. Further, I've used it and other instructions to the letter...)
 
jlevieCommented:
No, I just added a comment to your other question about that problem.
 
da99rmdCommented:
I have configured so that I can access the outside IP from inside; it's kind of handy for me, that is.
/Rob
 
psimationAuthor Commented:
Care to share? :)
 
da99rmdCommented:
Do you run iptables?
If so, paste your iptables file here and I'll take a look at it.

/Rob
 
psimationAuthor Commented:
Hi Guys, this question is so long and (as per usual) I have the gift to go off topic before I've even completed posting the question title...

AFAIK, the only issue here still is me being able to ping the box from itself while returning the correct IP???

To be honest, things seem to be working 100% fine on my boxes, ie, I can add domains and host mail and web services etc, so UNLESS there is a good reason why I should be able to ping myself with the correct IP, I am willing to close the question and award points.

PS, please provide said good reasons... ;)
Question has a verified solution.
