Solved

URGENT: DNS / BIND configuration problem

Posted on 2004-09-05
6
320 Views
Last Modified: 2010-05-18
I have a dedicated server with 4 IP addresses in two different c-class nets that I need to get up and running as soon as possible.

The configuration I want is the following (IPs and names are just as an example):

216.118.172.196 - domain.com
216.118.172.197 - ns1.domain.com

216.118.173.148 - ns2.domain.com
216.118.173.149 - ns3.domain.com


The domain is already registered, and at my registrar I've set up ns1/ns2/ns3.domain.com to be nameservers based on domain.com.

The following are the files I have right now (named.root has not been posted though). I know I have to modify named.conf and most probably localhost.rev, and I figure there should be new and corresponding files for all the three nameservers in order for all three to work properly with reverse lookups, correct SOA records, and all.

I offer 500 points (would offer more if it was possible) to the one who can provide me a working solution (of course, based on the IPs and names mentioned) with the correct content of all files that have to be involved to make the three nameservers work as they should. Please observe that I do not want to use the first IP address (the actual host) as nameserver, only the three other ones.

Also - I have tried winbind and I have read the other posts about DNS setup, and I have tried to configure the server. It's just that since it's two different c-class nets I'm a bit lost on top of the regular lostness as far as BIND is concerned, so well, I figured it's safer to ask. ;-)

I truly appreciate all help to solve this.

Thank you very much in advance
/j.

--------------------------------------------------
named.conf
--------------------------------------------------
zone "." {
        type hint;
        file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "localhost.rev";
};

zone "domain.com" {
        type master;
        file "domain.com";
        allow-transfer {
                216.118.172.196;
                common-allow-transfer;
        };
};

zone "172.118.216.in-addr.arpa" {
        type master;
        file "172.118.216.in-addr.arpa";
        allow-transfer {
                common-allow-transfer;
        };
};

acl common-allow-transfer {
        none;
};
--------------------------------------------------



--------------------------------------------------
localhost.rev
--------------------------------------------------
$TTL    86400

@       IN      SOA     domain.com. root.domain.com. (
                        20010626
                        3600
                        900
                        3600000
                        3600 )
        IN      NS      domain.com.
1       IN      PTR     localhost.
--------------------------------------------------



--------------------------------------------------
domain.com
--------------------------------------------------
$ttl 86400

domain.com.      IN     SOA domain.com. root.domain.com. (
                        1094297691
                        10800
                        3600
                        604800
                        86400 )

domain.com.             IN NS    domain.com.
domain.com.             IN A     216.118.172.196
webmail.i-lab.net.      IN A     216.118.172.196
mail.domain.com.        IN A     216.118.172.196
ftp.domain.com.         IN CNAME domain.com.
www.domain.com.         IN CNAME domain.com.
domain.com.             IN MX 10 mail.domain.com.
--------------------------------------------------
Question by: cozmoxos

Accepted Solution by: jlevie (earned 500 total points)

The named config for this is pretty straight forward, but before getting to those files I need to point out a couple of things.

In your attempt above you allow zone transfers to a secondary name server. That's not necessary or useful if the secondary is on the same host as the primary. Zone transfers and secondary name servers only have meaning when two or more separate systems are involved.

You also mention wanting reverse lookups to work. That's only possible if your provider has delegated one or more netblocks to you and is willing and able to delegate in-addr authority to your name server. From the IPs mentioned it doesn't sound like you have two netblocks, so you'll need to get your provider to host the PTR records for your domain.

You specify the hostname of the machine as domain.com and that's a bad idea. You really want the machine to have an FQDN, e.g., mail.domain.com, www.domain.com, etc. One can have "interesting problems" with some applications if this isn't done. I'll assume that you'll set the hostname of the machine to mail.domain.com.

And finally, in your domain.com zone file you have a reference to a different domain (webmail.i-lab.net). That's not allowed in the zone data for domain.com and would have to be in a zone file (mentioned in named.conf) for that domain (i-lab.net). And of course that would only be done if the root name servers point to your name servers for that domain.

It would be a big help to know what Linux this is, but I'm going to assume that it is modern and is using Bind 9.x. The named.conf should then look like:

options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        query-source address * port 53;
        /*
         * Listen on the loopback plus the three addresses that act as
         * ns1/ns2/ns3 (the first address, 216.118.172.196, is the host
         * itself and is deliberately not a name server).
         */
        listen-on { 127.0.0.1; 216.118.172.197; 216.118.173.148; 216.118.173.149; };
};

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
        type hint;
        file "named.root";
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "localhost.rev";
        allow-update { none; };
};

zone "domain.com" IN {
        type master;
        file "domain.com.zone";
        allow-update { none; };
};

zone "172.118.216.in-addr.arpa" IN {
        type master;
        file "216.118.172.rev";
        allow-update { none; };
};

zone "173.118.216.in-addr.arpa" IN {
        type master;
        file "216.118.173.rev";
        allow-update { none; };
};

include "/etc/rndc.key";

File localhost.zone:

$TTL 86400
@    IN  SOA   localhost. root.localhost.  (
               2004090500 ; Serial
               28800             ; Refresh
               14400             ; Retry
               3600000        ; Expire
               86400 )          ; Minimum
                                                                               
               IN  NS     localhost.
               IN  MX 10  localhost.
                                                                               
localhost.     IN  A      127.0.0.1

File localhost.rev:

$TTL 86400
@    IN  SOA   localhost. root.localhost.  (
               2004090500 ; Serial
               28800             ; Refresh
               14400             ; Retry
               3600000        ; Expire
               86400 )          ; Minimum
                                                                               
               IN  NS     localhost.
                                                                               
1             IN  PTR  localhost.

File domain.com.zone:

$TTL 3600
@    IN  SOA   mail.domain.com. root.domain.com.  (
               2004090500 ; Serial
               10800             ; Refresh
               3600               ; Retry
               604800          ; Expire
               3600 )             ; Minimum
                                                                               
               IN  NS         ns1.domain.com.
               IN  NS         ns2.domain.com.
               IN  NS         ns3.domain.com.
               IN  MX  10 mail.domain.com.

               IN  A            216.118.172.196
mail       IN  A            216.118.172.196
ns1         IN  A            216.118.172.197
ns2         IN  A            216.118.173.148
ns3         IN  A            216.118.173.149
;; Aliases
www       IN  CNAME  mail.domain.com.
ftp           IN  CNAME  mail.domain.com.

File 216.118.172.rev:

$TTL 3600
@    IN  SOA   mail.domain.com. root.domain.com.  (
               2004090500 ; Serial
               10800             ; Refresh
               3600               ; Retry
               604800          ; Expire
               3600 )             ; Minimum
                                                                               
               IN  NS         ns1.domain.com.
               IN  NS         ns2.domain.com.
               IN  NS         ns3.domain.com.

196        IN  PTR       mail.domain.com.
197        IN  PTR       ns1.domain.com.

File 216.118.173.rev:

$TTL 3600
@    IN  SOA   mail.domain.com. root.domain.com.  (
               2004090500 ; Serial
               10800             ; Refresh
               3600               ; Retry
               604800          ; Expire
               3600 )             ; Minimum
                                                                               
               IN  NS         ns1.domain.com.
               IN  NS         ns2.domain.com.
               IN  NS         ns3.domain.com.

148        IN  PTR      ns2.domain.com.
149        IN  PTR      ns3.domain.com.
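The forward and reverse zone files above can be cross-checked before named loads them. This is an added example, not jlevie's or the thread's code: a small Python checker that parses the simple master-file dialect used in this answer (relative owner names, @ for the origin, a parenthesised SOA, ';' comments) and verifies that every NS and MX target has a glue A record and is not a CNAME, and that every address has a PTR in the reverse zone for its /24. The sample zones are a constructed, trimmed copy of the ones posted above.

```python
import re

def parse_zone(text, origin):
    """Parse the simple master-file dialect used above into (owner, type, rdata) tuples."""
    clean = "\n".join(l.split(";", 1)[0] for l in text.splitlines())  # drop ; comments
    clean = re.sub(r"\([^)]*\)", "", clean)            # fold the multi-line SOA
    recs, owner = [], origin
    for line in clean.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("$"):        # blank line or $TTL/$ORIGIN
            continue
        if not line[0].isspace():                      # owner name present on this line
            o = toks.pop(0)
            owner = origin if o == "@" else o if o.endswith(".") else f"{o}.{origin}"
        if toks[0] == "IN": toks.pop(0)
        recs.append((owner, toks[0], toks[1:]))
    return recs

def check_zones(forward, reverses):
    """NS/MX targets need glue A records and must not be CNAMEs (RFC 2181); every A needs a PTR."""
    a = {o: r[0] for o, t, r in forward if t == "A"}
    cnames = {o for o, t, r in forward if t == "CNAME"}
    # "172.118.216.in-addr.arpa." + owner "196" -> "216.118.172.196"
    ptr = {f"{'.'.join(reversed(rev.split('.')[:3]))}.{o.split('.')[0]}": r[0]
           for rev, recs in reverses.items() for o, t, r in recs if t == "PTR"}
    problems = []
    for o, t, r in forward:
        if t in ("NS", "MX") and r[-1] in cnames:
            problems.append(f"{t} target {r[-1]} is a CNAME")
        elif t in ("NS", "MX") and r[-1] not in a:
            problems.append(f"{t} target {r[-1]} has no A record")
    problems += [f"{n} {ip} has no PTR" for n, ip in a.items() if ip not in ptr]
    return problems

# Constructed sample: the zones from the accepted answer, trimmed to the records that matter.
FWD = """$TTL 3600
@ IN SOA mail.domain.com. root.domain.com. ( 2004090500 ; Serial
    10800 3600 604800 3600 )
  IN NS ns1.domain.com.
  IN NS ns2.domain.com.
  IN NS ns3.domain.com.
  IN MX 10 mail.domain.com.
  IN A 216.118.172.196
mail IN A 216.118.172.196
ns1 IN A 216.118.172.197
ns2 IN A 216.118.173.148
ns3 IN A 216.118.173.149
www IN CNAME mail.domain.com."""
REV = {"172.118.216.in-addr.arpa.": "196 IN PTR mail.domain.com.\n197 IN PTR ns1.domain.com.",
       "173.118.216.in-addr.arpa.": "148 IN PTR ns2.domain.com.\n149 IN PTR ns3.domain.com."}
```

Run `check_zones(parse_zone(FWD, "domain.com."), {o: parse_zone(z, o) for o, z in REV.items()})`; an empty list means the three name servers have glue and every address is covered by a PTR, while a missing reverse zone or an MX pointing at the www alias is reported by name.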
Author Comment by: cozmoxos

Thank you very much for your fast response, jlevie.

I will have a go at your solution the minute I get back to the server.

Point taken about the external domain - that one will be gone.

Uhm,  one question though:

The domain I've registered is indeed in the "domain.com" manner.
If I would change the name of the server to, say, "mail.domain.com" or "www.domain.com", wouldn't that mess things up at the registrar? Wouldn't that result in "www.domain.com" being there, but "domain.com" not? And should I in that case also change Apache's httpd.conf and /etc/hosts and /etc/sysconfig/network?

Btw, it's Fedora Core 1 I use.

Thank you
/j.
Expert Comment by: jlevie

The machine itself should have a proper hostname, which will contain two "."s in this case. I prefer to give machines names other than ns, mail, etc. and use CNAMEs to alias ns, web, mail, etc. That makes it easier to move some service to another box.

And no, it won't mess things up at the registrar. The hostname (ns1.domain.com) is required, but for DNS to work it's the IP that's important. A DNS server on the Internet will query for the name servers for your domain and it'll use the returned IPs for the query. In practice it couldn't care less what the hostname is.

The zone data for domain.com includes:

               IN  A            216.118.172.196
mail       IN  A            216.118.172.196

which equate domain.com and mail.domain.com to 216.118.172.196. Since www.domain.com is an alias for mail.domain.com, any request to domain.com, mail.domain.com, or www.domain.com will resolve to 216.118.172.196.

Yes, you should change /etc/hosts & /etc/sysconfig/network. And your hosts file should look like:

127.0.0.1                 localhost.localdomain localhost
216.118.172.196   mail.domain.com mail
216.118.172.197   ns1.domain.com ns1
216.118.173.148   ns2.domain.com ns2
216.118.173.149   ns3.domain.com ns3

Just so that ifconfig & friends can find things before DNS comes up. Also your resolv.conf should contain:

search domain.com
nameserver 127.0.0.1

Whether you'll need to make changes in httpd.conf depends on how you set it up. If you've explicitly set the hostname that will need to change. Ordinarily Apache will get the hostname associated with the IP(s) it binds to via a reverse lookup. So if the hosts file and/or DNS is correct it'll figure it out. And, unless you are using Name Based Virtual hosts, Apache doesn't care whether you access the server via http://domain.com, http://www.domain.com, http://216.118.179.196, etc. You'll wind up at the same htdocs directory. For other than Name Based virtual hosts only the IP matters.
Author Comment by: cozmoxos

So...

I've changed the name of the server - followed the mail.domain.com example.
"/etc/hosts", "/etc/sysconfig/network" and "/etc/resolv.conf" have been updated.
I've changed the named entries as you specified above,
and I'm currently performing a reboot.

Just a few final, and somewhat dorky, questions:

In named.conf all "entries" start like: "zone "something.here" IN {" <-- with the "IN".
My default settings didn't have this. What's the difference? What does the "IN" do?

Also in named.conf - each entry has the following value "allow-update { none; };"
Since my default settings didn't have that, I just wonder what it means exactly.

I also had the following at the end of named.conf:
acl common-allow-transfer {
        none;
};
Uhm, what does it do and why don't I need it?


All in all, many thanks and kudos to you for all your help and for guiding me through this. The whole named shebang is a lot clearer to me now.

I'll just do some checks on the server now as it has rebooted, and then, well, that should be it.

Thanks!
/j.
Expert Comment by: jlevie

The most correct form of a zone declaration would be:

zone "the-zone" IN {...};

which is what I used. For backwards compatibility named will accept a declaration of the form:

zone "the-zone" {...};

"allow-update { none; };" tells named not to allow anyone to dynamically change the data for a zone.  It is simply a protection mechanism to keep an attacker from futzing with your DNS data. The only time you'd not want that directive in a zone would be if you were using DHCP & dynamic DNS updates. And even then you'd restrict the update to the IP(s) of the DHCP server(s).
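The two named.conf questions raised above (allow-update, and the trailing acl common-allow-transfer block) can be checked mechanically. This is an added example and not part of the thread: a Python audit of a named.conf in the style posted here that flags master zones without allow-update { none; }; and allow-transfer lists that reference an ACL before the acl statement that defines it, which BIND rejects because ACL names may not be forward-referenced. The sample config is constructed from the asker's original named.conf; the brace scanner assumes the file is well-formed.

```python
import re

def top_level_blocks(text):
    """Yield (header, body) for each top-level 'keyword [name] { ... };' statement."""
    depth, start, open_at = 0, 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                open_at = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:   # header is the text after the previous statement's ';'
                yield text[start:open_at].split(";")[-1].strip(), text[open_at + 1:i]
                start = text.find(";", i) + 1

def audit_named_conf(text):
    """Flag master zones lacking 'allow-update { none; };' and allow-transfer
    entries that name an ACL before its 'acl' statement (a forward reference)."""
    text = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", text, flags=re.S)   # strip comments
    findings, defined = [], set()
    for header, body in top_level_blocks(text):
        kind, *rest = header.split()
        name = rest[0].strip('"') if rest else ""
        if kind == "acl":
            defined.add(name)
        elif kind == "zone":
            if re.search(r"\btype\s+master\b", body) and not re.search(r"allow-update\s*\{\s*none\s*;", body):
                findings.append(f'zone "{name}": master zone without allow-update {{ none; }};')
            xfer = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
            for ref in (xfer.group(1).split(";") if xfer else []):
                ref = ref.strip()   # literal addresses and built-in ACLs need no definition
                if ref and not re.fullmatch(r"[\d./]+|any|none|localhost|localnets", ref) and ref not in defined:
                    findings.append(f'zone "{name}": allow-transfer references acl "{ref}" before it is defined')
    return findings

# Constructed sample modelled on the asker's named.conf: acl defined after use, no allow-update.
ASKER_CONF = """zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "localhost.rev";
};
zone "domain.com" {
        type master;
        file "domain.com";
        allow-transfer { 216.118.172.196; common-allow-transfer; };
};
acl common-allow-transfer { none; };
"""
```

`audit_named_conf(ASKER_CONF)` returns three findings (two zones without allow-update, one forward ACL reference); jlevie's corrected layout, with the acl moved above the zones or removed and allow-update { none; }; in every master zone, returns none.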
Author Comment by: cozmoxos

Ah, that explains it.

Well, once again, thank you very much. I truly appreciated it.

/j.