Solved

Help to configure nameservers

Posted on 2004-04-26
Last Modified: 2012-05-04
Hi

I need help to configure new primary and secondary nameservers. I've tried, but it does not work, so what I need is something like this:

My Info:

primary server: 777.777.777.777  primary.nameserver.com
secondary server:  888.888.888.888 secondary.nameserver.com

What are all the files that I need to edit on my servers, and if possible, examples of how they should look.


Here is what I have done:

/etc/named.conf (on master) (it has the "caching only nameserver" comment by default, but I want it to be a "proper" nameserver):
***********************************************************************************************************************************
// generated by named-bootconf.pl

options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         query-source address * port 53;
};

//
// a caching only nameserver config
//
include "/etc/rndc.key";

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "777.777.777.in-addr.arpa" {
        type master;
        file "nameserver.com.rev";
        allow-transfer { 888.888.888.888; };
        allow-query { any; };
};

zone "nameserver.com" {
        type master;
        file "nameserver.com.zone";
        allow-transfer { 888.888.888.888; };
        allow-query { any; };
};
***********************************************************************************************************************************


/etc/resolv.conf (on master)
***********************************************************************************************************************************
domain nameserver.com
nameserver 127.0.0.1
nameserver 888.888.888.888
***********************************************************************************************************************************



/var/named/nameserver.com.rev (on master)
***********************************************************************************************************************************
;
; Reverse resolution zone file for a primary nameserver
;
$TTL 86400
@ IN  SOA         primary.nameserver.com. internet.nameserver.com. (
      2004042601   ; Serial
           10800   ; Refresh
            3600   ; Retry
          604800   ; Expire
           86400)  ; Minimum

              IN  NS     primary.nameserver.com.
              IN  NS     secondary.nameserver.com.

777           IN  PTR    primary.nameserver.com.
***********************************************************************************************************************************


/var/named/nameserver.com.zone (on master)
***********************************************************************************************************************************
;
; Forward resolution zone file for a primary nameserver
;
$TTL 86400
@ IN  SOA          primary.nameserver.com. internet.nameserver.com. (
      2004042601   ; Serial
           10800   ; Refresh
            3600   ; Retry
          604800   ; Expire
           86400)  ; Minimum

              IN  NS     primary.nameserver.com.
              IN  NS     secondary.nameserver.com.

              IN  MX 10  primary.nameserver.com.

              A          777.777.777.777
ftp           IN  CNAME  primary.nameserver.com.
mail          IN  CNAME  primary.nameserver.com.
www           IN  CNAME  primary.nameserver.com.
***********************************************************************************************************************************

The files on the secondary server look similar, with the obvious changes of IPs and the "type slave" bits in the named.conf etc. If needed, I will post them as well.

The 777.777.777.777 (primary.nameserver.com) server is on a separate network from the 888.888.888.888 (secondary.nameserver.com) one, and I'm not sure how to handle the reverse DNS entries for the secondary server.
Any help appreciated.

Thanks
Question by:psimation
LVL 8

Expert Comment

by:da99rmd
ID: 10917296
add the notify part to your named.conf, maybe add an entry
options {
        directory "/var/named";
        allow-query {
                192.168.0/24;
                777.777.777.777;
                888.888.888.888;
        };
        forwarders {
                (the ip of a real named);
        };
};

zone "777.777.777.in-addr.arpa" {
        type master;
        notify yes;
        file "nameserver.com.rev";
        allow-transfer { 888.888.888.888; };
        allow-query { any; };
};

zone "nameserver.com" {
        type master;
        notify yes;
        file "nameserver.com.zone";
        allow-transfer { 888.888.888.888; };
        allow-query { any; };
};

> the 777.777.777.777 (primary.nameserver.com) server is on a separate network from the 888.888.888.888 (secondary.nameserver.com) and I'm not sure how to handle the reverse DNS entries for the secondary server?
> Any help appreciated.
add the reverse for that network to the sec dns.

/Rob


LVL 8

Expert Comment

by:da99rmd
ID: 10917380
Then restart named and try a
dig any nameserver.com

/Rob

LVL 17

Author Comment

by:psimation
ID: 10917423
Hi Rob
I am just waiting for the reverse entries to take effect... Meanwhile, my "main" problem is that the zone files are not transferred to the secondary box. A tail of my /var/log/messages clearly shows that the transfer process "starts", but the files never appear on the secondary nameserver, nor do I get errors...
LVL 17

Author Comment

by:psimation
ID: 10917448
Ahh, wait, on the secondary server's messages, it says:
Apr 26 13:29:06 secondary named[10969]: transfer of '777.777.777.in-addr.arpa/IN' from 777.777.777.777#53: failed while receiving responses: permission denied
How do I "set permission?"
LVL 8

Accepted Solution

by:
da99rmd earned 250 total points
ID: 10917490
The sec dns should have zones like this:
zone "nameserver.com" IN {
   type slave;
   notify yes;
   file "nameserver.com";
   allow-query { any; };
   // address of the master this slave pulls the zone from
   masters { 777.777.777.777; };
};

And when you later edit the zone files you have to change the serial number for the changes to take effect.

you can do a
dig any nameserver.com @(ip number)

/Rob
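A check for the two transfer-related settings discussed in this thread, written as an added example (not code from the original post): it parses the zone statements in a named.conf and flags a master zone whose allow-transfer is missing or set to any, and a slave zone whose masters entry is not a complete dotted-quad address. The config it reads is constructed from the thread's snippets with the thread's fictional 777/888 addresses.

```python
"""Check the zone declarations in a named.conf for two transfer mistakes
that come up in this thread: a master zone whose allow-transfer is missing
or 'any' (BIND of this era then hands the whole zone to anyone who asks),
and a slave zone whose masters entry is not a full dotted-quad address.
Added example, not from the original post; the config below is constructed
from the thread's snippets with its fictional 777/888 addresses."""
import re

NAMED_CONF = """\
options { directory "/var/named"; };
zone "nameserver.com" {
        type master;
        file "nameserver.com.zone";
        allow-transfer { 888.888.888.888; };
        allow-query { any; };
};
zone "777.777.777.in-addr.arpa" {
        type master;
        file "nameserver.com.rev";
};
zone "nameserver.com" IN {
   type slave;
   file "nameserver.com";
   masters { 777.777.777; };
   allow-query { any; };
};
"""
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")   # shape only; 777 is fictional


def zone_blocks(conf):
    """Yield (zone_name, body) for each zone statement, matching braces so
    the nested allow-*/masters blocks inside a zone do not end it early."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 1, m.end()
        while depth:                       # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def acl(body, name):
    """Return the entries of a `name { a; b; };` block, or None if absent."""
    m = re.search(name + r"\s*\{([^}]*)\}", body)
    return [e.strip() for e in m.group(1).split(";") if e.strip()] if m else None


def check_named_conf(conf):
    """Return 'zone: problem' strings for the transfer-related mistakes."""
    problems = []
    for name, body in zone_blocks(conf):
        ztype = re.search(r"type\s+(\w+)\s*;", body).group(1)
        if ztype == "master":
            transfer = acl(body, "allow-transfer")
            if not transfer or "any" in transfer:
                problems.append(f"{name}: master zone allows AXFR to anyone; "
                                "restrict allow-transfer to the secondary")
        elif ztype == "slave":
            bad = [ip for ip in acl(body, "masters") or ["<none>"]
                   if not IPV4.match(ip)]
            if bad:
                problems.append(f"{name}: slave masters entry {', '.join(bad)} "
                                "is not a full dotted-quad address")
    return problems
```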
LVL 40

Assisted Solution

by:jlevie
jlevie earned 250 total points
ID: 10917781
Another problem that I see is that the forward zone for the domain includes this data:

              A          777.777.777.777
ftp           IN  CNAME  primary.nameserver.com.
mail          IN  CNAME  primary.nameserver.com.
www           IN  CNAME  primary.nameserver.com.

But it does not include an A record for primary.nameserver.com. That data should be:

              A          777.777.777.777
primary  IN  A  777.777.777.777
ftp           IN  CNAME  primary.nameserver.com.
mail          IN  CNAME  primary.nameserver.com.
www           IN  CNAME  primary.nameserver.com.
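A zone-file lint for the two points raised above, as an added example that is not part of the original thread: it parses the question's forward zone (constructed inline with the fictional 777/888 addresses), reports in-zone NS, MX and CNAME targets that have no A record, and reports an SOA serial that was not raised above the one the secondary already holds, which is Rob's condition for the slave to refresh.

```python
"""Lint a BIND zone file for the problems raised in this thread: an in-zone
NS/MX/CNAME target with no A record (jlevie's missing 'primary' record) and
an SOA serial that was not bumped (Rob's point about slaves refreshing).
Added example, not from the original post; the zone below is constructed
from the question with the thread's fictional 777/888 addresses."""
import re

ZONE_FILE = """\
$TTL 86400
@ IN  SOA  primary.nameserver.com. internet.nameserver.com. (
      2004042601   ; Serial
           10800   ; Refresh
            3600   ; Retry
          604800   ; Expire
           86400)  ; Minimum
              IN  NS     primary.nameserver.com.
              IN  NS     secondary.nameserver.com.
              IN  MX 10  primary.nameserver.com.
              A          777.777.777.777
ftp           IN  CNAME  primary.nameserver.com.
mail          IN  CNAME  primary.nameserver.com.
www           IN  CNAME  primary.nameserver.com.
"""
# The fix the thread arrived at: A records for both nameservers.
FIXED_ZONE = ZONE_FILE + ("primary       IN  A      777.777.777.777\n"
                          "secondary     IN  A      888.888.888.888\n")
RRTYPES = {"SOA", "NS", "MX", "A", "CNAME", "PTR"}


def absolute(name, origin):
    """Qualify an owner or target name relative to the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples; handles comments, inherited
    owners, optional TTL/class fields and the parenthesised SOA."""
    text = "\n".join(re.sub(r";.*", "", ln) for ln in text.splitlines())
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    records, owner = [], origin
    for line in text.splitlines():
        fields = line.split()
        if not fields or line.startswith("$"):
            continue
        if not line[0].isspace():            # explicit owner name
            owner = absolute(fields.pop(0), origin)
        while fields and fields[0] not in RRTYPES:  # skip class / TTL
            fields.pop(0)
        if fields:
            records.append((owner, fields[0], fields[1:]))
    return records


def lint_zone(text, origin, published_serial):
    """Return a list of problem strings (empty when the zone is clean)."""
    recs = parse_zone(text, origin)
    in_zone = lambda n: n == origin or n.endswith("." + origin)
    have_a = {o for o, t, _ in recs if t == "A"}
    targets = {rd[-1] for _, t, rd in recs if t in ("NS", "MX", "CNAME")}
    problems = [f"no A record in zone for {n}"
                for n in sorted(targets) if in_zone(n) and n not in have_a]
    serial = int(next(rd for _, t, rd in recs if t == "SOA")[2])
    if serial <= published_serial:
        problems.append(f"SOA serial {serial} is not above the published "
                        f"serial {published_serial}; slaves will not refresh")
    return problems
```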
LVL 8

Expert Comment

by:da99rmd
ID: 10917863
That's correct,
you said the master file contained the above one in your first post.

/Rob
LVL 17

Author Comment

by:psimation
ID: 10918101
Yes, sorry, I realized that and added it as well as

secondary  IN  A  888.888.888.888

as secondary is also of domain nameserver.com, however, I still get the "no permission" on the secondary box. I've made sure that port 53 is open in firewall...
LVL 8

Expert Comment

by:da99rmd
ID: 10918245
And you added the following line to the slave ?
masters { 777.777.777.777; };

/Rob
LVL 8

Expert Comment

by:da99rmd
ID: 10918300
For permission, check the files in /var/named so that named owns and can write these files.

/Rob
LVL 17

Author Comment

by:psimation
ID: 10918550
yes, slave named.conf looks like this:

// generated by named-bootconf.pl

options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         query-source address * port 53;
};

//
// a caching only nameserver config
//

include "/etc/rndc.key";
controls {
        inet 127.0.0.1 allow { localhost; 777.777.777.777; } keys { rndckey; };
};
zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "777.777.777.in-addr.arpa" {
        type slave;
        masters { 777.777.777.777; };
        file "nameserver.com.rev";
        allow-transfer { 777.777.777.777; };
        allow-query { any; };
};

zone "nameserver.com" {
        type slave;
        masters { 777.777.777.777; };
        file "nameserver.com.zone";
        allow-transfer{ 777.777.777.777; };
        allow-query { any; };
};
LVL 8

Expert Comment

by:da99rmd
ID: 10918611
I don't think it is good to have allow-transfer { 777.777.777.777; };
on both sides, just have this on the master side.

What about the perms of the files in /var/named ?

/Rob

LVL 17

Author Comment

by:psimation
ID: 10918634
I don't have it on both sides. This is the named.conf on the secondary (888.888.888.888) server...
Permissions on folder is fine...
LVL 40

Expert Comment

by:jlevie
ID: 10918684
Have you checked on the primary for any errors when starting named? If it attempts to start with
errors it will disallow zone transfers to the secondary.
LVL 17

Author Comment

by:psimation
ID: 10920484
Hi Jim.

No errors on startup, the only errors are on the secondary server that states "no permission".
Can the fact that the reverse resolutions might not have gone through yet have anything to do with it?
LVL 40

Expert Comment

by:jlevie
ID: 10921043
I don't think so. If the primary and slave are correctly configured and there are no firewalls in between
interfering with the zone transfers they will work.

A thought...

Are these servers inside of a NAT'ing firewall? That requires a special, more complicated named.conf
and system configuration.
LVL 17

Author Comment

by:psimation
ID: 10921117
Yes, I think it is, but only the master: the master has an "internal" 10.0.0.25 IP, which the ISP is then relaying to 777.777.777.777, but the secondary server is configured as 888.888.888.888 directly.
LVL 40

Expert Comment

by:jlevie
ID: 10921293
Hmm, that might be a problem. While the primary will receive the request from the secondary I think
it will reply as being 10.0.0.25, which the secondary should reject. To verify if that's the case and
investigate a solution I'd need to set up a test case.
LVL 17

Author Comment

by:psimation
ID: 10921477
if you want, I will mail you the root passwords for both boxes? Just send me your e-mail address again if you want to have a look at it?
LVL 8

Expert Comment

by:da99rmd
ID: 10926009
Just add the 10.0.0.25 to masters section and the allow transfer on the slave.

/Rob
LVL 17

Author Comment

by:psimation
ID: 10926516
Hi Rob
I tried that, but it times out. I don't think it will work, as the secondary now searches directly for 10.0.0.25 on its local network, yet the two machines are not on the same network and consequently it won't find it. Would I need to set up some higher level routing?
LVL 8

Expert Comment

by:da99rmd
ID: 10926556
Yes, probably. How have you made the port forwarding/masquerading for the master?

/Rob
LVL 17

Author Comment

by:psimation
ID: 10926716
That was done by my service provider. I'm behind a firewall and they simply NAT the 10.0.0.25 to the 777.777.777.777 address.
LVL 8

Expert Comment

by:da99rmd
ID: 10926743
Then this is the problem, as jlevie thought. Maybe there is a way of cheating the master so that it thinks it is 777.777.777.777; I'll look into that.

/Rob
LVL 8

Expert Comment

by:da99rmd
ID: 10926779
Try just adding the 10.0.0.25 to the allow-transfer, not to the masters, and have the 777.777.777.777 address in both.

/Rob
LVL 17

Author Comment

by:psimation
ID: 10926786
So what you're saying is that named itself is having difficulties with providing services as 777.777.777.777 when its local IP is NOT 777.777.777.777?
LVL 8

Expert Comment

by:da99rmd
ID: 10926802
Yes, it will tell the slave server that its IP is the local one and the slave will refuse that IP.

/Rob
LVL 40

Expert Comment

by:jlevie
ID: 10930454
I haven't had any time to play with a test set up yet and now it looks like I won't for a while. You
might try including "transfer-source 777.777.777.777;" in each zone declaration on the master that
is to be transferred to the secondary.
LVL 17

Author Comment

by:psimation
ID: 10932833
Hi Jim
If I add it to the named.conf on the master server, named says it is not a valid entry for a master server, so I proceeded to enter it on the slave server, but now it does not even attempt a transfer...

I believe that the problems are just with the transfer of the zone file to the slave, and if I created the slave zone file manually that things should work, correct?
LVL 8

Expert Comment

by:da99rmd
ID: 10936306
Yes, that's correct, the name server should work as wanted.

Have you tried it out ?

/Rob
LVL 17

Author Comment

by:psimation
ID: 10938572
Hey guys, I found it! ( I hope)

I added

forward only;

to the zone declaration in the named.conf file on the master and it seems that it is now transferring zones.

It's early days yet, so I will wait for your comments/thoughts on this.
LVL 17

Author Comment

by:psimation
ID: 10938620
Disregard...

still not working :(
LVL 17

Author Comment

by:psimation
ID: 10938892
I thought things worked, but they are even worse...
When I am logged into the master server, and I do a dig primary.nameserver.com (FQDN), it returns all the expected results. Yet, when I do a ping FQDN, it times out, as it tries to ping the 777.777.777.777 address as if it is outside the firewall, when in fact it should ping 10.0.0.25... But I guess that is what you both have been saying?

Would this also cause mail reception problems from outside? When I send mail to the FQDN from outside, it never reaches the server, but I never (until now) receive any bounced mail either...
Sheesh, the day I get to configure a server with no hiccups....
LVL 8

Expert Comment

by:da99rmd
ID: 10938997
hehe,
The problem with the pinging is a firewall issue; you should be able to reach the 777.... address from inside as well. If you want the firewall to give the local address when accessed from inside, you have to do a little modification to your named configs. Read this how-to:
http://www.tldp.org/HOWTO/DNS-HOWTO.html

You maybe must have 2 DNS servers: one for the inside that listens on your 10 address and one that listens on your 777 address. The 10 DNS just knows the internal net and then forwards to the 777 DNS for internet resolution.

/Rob
LVL 17

Author Comment

by:psimation
ID: 10939072
Hi Rob, that's the doc I read where I thought the forward only; thing was the answer. I missed the part about 2 DNS's though, is it in there?
LVL 8

Expert Comment

by:da99rmd
ID: 10939283
Nope, that came from my head and that's not online :)

/Rob
LVL 8

Expert Comment

by:da99rmd
ID: 10939310
You have to have 2 because you can never share internal addresses (net 10 addresses) on the net. Don't know, maybe there is some conf method to get it working with one,
but it's easier with 2.
Have you checked this one out:
The problem with the pinging is a firewall issue you should be able to reach the 777.... adress as well from inside.


/Rob
LVL 17

Author Comment

by:psimation
ID: 10939681
OK, slap me silly, and damned if I know how it changed...
The problem is solved (with the transfers): the $%^$%@#$# permissions on the /var/named folder were not correct on the slave server... (I swear I did not touch it!!!!!)

Anyway, I will still endeavour to try and get my machine to ping itself on the public address...
LVL 8

Expert Comment

by:da99rmd
ID: 10939827
hehe, as usual the easiest problem that seems worst.
check the post Date: 04/26/2004 06:38AM PDT :)

The pinging will be solved by allowing this, I think; I had the same problem once.
iptables -A INPUT -p ALL -s 777.777.777.777 -j ACCEPT
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT

Then check if you can both reach the httpd server and ping by the 777 address from inside.

/Rob
LVL 40

Expert Comment

by:jlevie
ID: 10939853
From inside of an IPtables firewall (or most other NAT'ing firewalls like a Cisco PIX, Checkpoint, etc) you can't ping
your outside IP or otherwise connect to it. That IP(s) can only be reached from outside of the firewall. While that explains
that failure it has nothing to do with what's going on with the DNS servers.

While I suspect that the failure to transfer the zones to the secondary is a result of the primary being behind
a NAT'ing firewall and thus contains its private IP in the data sent, I don't know for certain that to be the case.
And I won't be able to investigate that until I can take the time to set up a similar configuration.
LVL 17

Author Comment

by:psimation
ID: 10940299
Another thing I just noticed:
I added one of my other domains so my nameservers will already propagate by the time I do the actual ticker request for the move. Now the slave says:

zone dom.co.za/IN: refresh: non-authoritative answer from master 777.777.777.777#53

I reckon this is just a continuation of my problems, and nothing new?

Also, Jim, will these DNS errors have anything to do with me getting "relaying denied" messages as soon as I try to send mail via this server? (I've followed your installation instructions to the letter with the exception of commenting out the generics-domains in your sendmail.mc file. Further, I've used it and other instructions to the letter...)
LVL 40

Expert Comment

by:jlevie
ID: 10940485
No, I just added a comment to your other question about that problem.
LVL 8

Expert Comment

by:da99rmd
ID: 10946720
I have configured it so that I can access the outside IP from inside; it's kind of handy for me, that is.
/Rob
LVL 17

Author Comment

by:psimation
ID: 10946735
Care to share? :)
LVL 8

Expert Comment

by:da99rmd
ID: 10946799
Do you run iptables ?
if so paste your iptables file here and ill take a look at it.

/Rob
LVL 17

Author Comment

by:psimation
ID: 11029734
Hi Guys, this question is so long and (as per usual) I have the gift to go off topic before I've even completed posting the question title...

AFAIK, the only issue here still is me being able to ping the box from itself while returning the correct IP???

To be honest, things seem to be working 100% fine on my boxes, i.e. I can add domains and host mail and web services etc., so UNLESS there is a good reason why I should be able to ping myself with the correct IP, I am willing to close the question and award points.

PS, please provide said good reasons... ;)