  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 330

URGENT: DNS / BIND configuration problem

I have a dedicated server with 4 IP addresses in two different c-class nets that I need to get up and running as soon as possible.

The configuration I want is the following (IPs and names are just as an example):

216.118.172.196 - domain.com
216.118.172.197 - ns1.domain.com

216.118.173.148 - ns2.domain.com
216.118.173.149 - ns3.domain.com


The domain is already registered, and at my registrar I've setup ns1/ns2/ns3.domain.com to be nameservers based on domain.com.

The following are the files I have right now (named.root has not been posted though). I know I have to modify named.conf and most probably localhost.rev, and I figure there should be new and corresponding files for all three nameservers in order for all three to work properly with reverse lookups, correct SOA records, and all.

I offer 500 points (would offer more if it was possible) to the one who can provide me a working solution (of course, based on the IPs and names mentioned) with the correct content of all files that have to be involved to make the three nameservers work as they should. Please observe that I do not want to use the first IP address (the actual host) as nameserver, only the three other ones.

Also - I have tried winbind and I have read the other posts about DNS setup, and I have tried to configure the server. It's just that since it's two different c-class nets I'm a bit lost on top of the regular lostness as far as BIND is concerned, so well, I figured it's safer to ask. ;-)

I truly appreciate all help to solve this.

Thank you very much in advance
/j.

--------------------------------------------------
named.conf
--------------------------------------------------
zone "." {
        type hint;
        file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "localhost.rev";
};

zone "domain.com" {
        type master;
        file "domain.com";
        allow-transfer {
                216.118.172.196;
                common-allow-transfer;
        };
};

zone "172.118.216.in-addr.arpa" {
        type master;
        file "172.118.216.in-addr.arpa";
        allow-transfer {
                common-allow-transfer;
        };
};

acl common-allow-transfer {
        none;
};
--------------------------------------------------



--------------------------------------------------
localhost.rev
--------------------------------------------------
$TTL    86400

@       IN      SOA     domain.com. root.domain.com. (
                        20010626
                        3600
                        900
                        3600000
                        3600 )
        IN      NS      domain.com.
1       IN      PTR     localhost.
--------------------------------------------------



--------------------------------------------------
domain.com
--------------------------------------------------
$ttl 86400

domain.com.      IN     SOA domain.com. root.domain.com. (
                        1094297691
                        10800
                        3600
                        604800
                        86400 )

domain.com.             IN NS    domain.com.
domain.com.             IN A     216.118.172.196
webmail.i-lab.net.      IN A     216.118.172.196
mail.domain.com.        IN A     216.118.172.196
ftp.domain.com.         IN CNAME domain.com.
www.domain.com.         IN CNAME domain.com.
domain.com.             IN MX 10 mail.domain.com.
--------------------------------------------------
 
jlevie commented:
The named config for this is pretty straight forward, but before getting to those files I need to point out a couple of things.

In your attempt above you allow zone transfers to a secondary name server. That's not necessary or useful if the secondary is on the same host as the primary. Zone transfers and secondary name servers only have meaning when two or more separate systems are involved.

You also mention wanting reverse lookups to work. That's only possible if your provider has delegated one or more netblocks to you and is willing and able to delegate in-addr authority to your name server. From the IPs mentioned it doesn't sound like you have two netblocks, so you'll need to get your provider to host the PTR records for your domain.

You specify the hostname of the machine as domain.com and that's a bad idea. You really want the machine to have an FQDN, e.g., mail.domain.com, www.domain.com, etc. One can have "interesting problems" with some applications if this isn't done. I'll assume that you'll set the hostname of the machine to mail.domain.com.

And finally, in your domain.com zone file you have a reference to a different domain (webmail.i-lab.net). That's not allowed in the zone data for domain.com and would have to be in a zone file (mentioned in named.conf) for that domain (i-lab.net). And of course that would only be done if the root name servers point to your name servers for that domain.

It would be a big help to know what Linux this is, but I'm going to assume that it is modern and is using Bind 9.x. The named.conf should then look like:

options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.  Leave it commented unless a firewall forces
         * it: a fixed source port makes answer spoofing easier.
         */
        // query-source address * port 53;
        // Listen on loopback and the three nameserver addresses only;
        // the host address (216.118.172.196) is not to serve DNS.
        listen-on { 127.0.0.1; 216.118.172.197; 216.118.173.148; 216.118.173.149; };
};

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
        type hint;
        file "named.root";
};
                                                                               
zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};
                                                                               
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "localhost.rev";
        allow-update { none; };
};

zone "domain.com" IN {
        type master;
        file "domain.com.zone";
        allow-update { none; };
};

zone "172.118.216.in-addr.arpa" IN {
        type master;
        file "216.118.172.rev";
        allow-update { none; };
};

zone "173.118.216.in-addr.arpa" IN {
        type master;
        file "216.118.173.rev";
        allow-update { none; };
};

include "/etc/rndc.key";

File localhost.zone:

$TTL 86400
@    IN  SOA   localhost. root.localhost.  (
               2004090500 ; Serial
               28800             ; Refresh
               14400             ; Retry
               3600000        ; Expire
               86400 )          ; Minimum
                                                                               
               IN  NS     localhost.
               IN  MX 10  localhost.
                                                                               
localhost.     IN  A      127.0.0.1

File localhost.rev:

$TTL 86400
@    IN  SOA   localhost. root.localhost.  (
               2004090500 ; Serial
               28800             ; Refresh
               14400             ; Retry
               3600000        ; Expire
               86400 )          ; Minimum
                                                                               
               IN  NS     localhost.
                                                                               
1             IN  PTR  localhost.

File domain.com.zone:

$TTL 3600
@    IN  SOA   mail.domain.com. root.domain.com.  (
               2004090500 ; Serial
               10800             ; Refresh
               3600               ; Retry
               604800          ; Expire
               3600 )             ; Minimum
                                                                               
               IN  NS         ns1.domain.com.
               IN  NS         ns2.domain.com.
               IN  NS         ns3.domain.com.
               IN  MX  10 mail.domain.com.

               IN  A            216.118.172.196
mail       IN  A            216.118.172.196
ns1         IN  A            216.118.172.197
ns2         IN  A            216.118.173.148
ns3         IN  A            216.118.173.149
;; Aliases
www       IN  CNAME  mail.domain.com.
ftp           IN  CNAME  mail.domain.com.

File 216.118.172.rev:

$TTL 3600
@    IN  SOA   mail.domain.com. root.domain.com.  (
               2004090500 ; Serial
               10800             ; Refresh
               3600               ; Retry
               604800          ; Expire
               3600 )             ; Minimum
                                                                               
               IN  NS         ns1.domain.com.
               IN  NS         ns2.domain.com.
               IN  NS         ns3.domain.com.

196        IN  PTR       mail.domain.com.
197        IN  PTR       ns1.domain.com.

File 216.118.173.rev:

$TTL 3600
@    IN  SOA   mail.domain.com. root.domain.com.  (
               2004090500 ; Serial
               10800             ; Refresh
               3600               ; Retry
               604800          ; Expire
               3600 )             ; Minimum
                                                                               
               IN  NS         ns1.domain.com.
               IN  NS         ns2.domain.com.
               IN  NS         ns3.domain.com.

148        IN  PTR      ns2.domain.com.
149        IN  PTR      ns3.domain.com.
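Added example (the editor's, not part of either participant's reply): a small Python audit that parses the zone files from the answer above and checks the points the thread turns on. Every apex NS must have in-zone glue; no owner name may fall outside the zone (the webmail.i-lab.net line in the asker's file); none of the nameservers may sit on 216.118.172.196, the address the asker does not want serving DNS; and each PTR in the two reverse files must point at a name whose A record holds that address. The zone text is copied from the posted files with the SOA collapsed to one line, and the asker's original domain.com file is embedded for contrast. The function names (audit, ptr_mismatches, and so on) are this example's own.

```python
"""Audit of the zone data from the accepted answer (added example, not part
of the thread).  Zone text is copied from the posted files; the asker's
original domain.com file is included for contrast."""
from collections import defaultdict

ANSWER_FORWARD = """\
$TTL 3600
@    IN  SOA   mail.domain.com. root.domain.com.  (
               2004090500 10800 3600 604800 3600 )
     IN  NS    ns1.domain.com.
     IN  NS    ns2.domain.com.
     IN  NS    ns3.domain.com.
     IN  MX 10 mail.domain.com.
     IN  A     216.118.172.196
mail IN  A     216.118.172.196
ns1  IN  A     216.118.172.197
ns2  IN  A     216.118.173.148
ns3  IN  A     216.118.173.149
www  IN  CNAME mail.domain.com.
"""
ANSWER_REVERSE = {  # origin -> file contents (216.118.172.rev, 216.118.173.rev)
    "172.118.216.in-addr.arpa": """\
@    IN  SOA   mail.domain.com. root.domain.com. ( 2004090500 10800 3600 604800 3600 )
     IN  NS    ns1.domain.com.
196  IN  PTR   mail.domain.com.
197  IN  PTR   ns1.domain.com.
""",
    "173.118.216.in-addr.arpa": """\
@    IN  SOA   mail.domain.com. root.domain.com. ( 2004090500 10800 3600 604800 3600 )
     IN  NS    ns1.domain.com.
148  IN  PTR   ns2.domain.com.
149  IN  PTR   ns3.domain.com.
""",
}
ORIGINAL_FORWARD = """\
$TTL 86400
domain.com.        IN SOA domain.com. root.domain.com. ( 1094297691 10800 3600 604800 86400 )
domain.com.        IN NS    domain.com.
domain.com.        IN A     216.118.172.196
webmail.i-lab.net. IN A     216.118.172.196
mail.domain.com.   IN A     216.118.172.196
"""
CLASSES = {"IN", "CH", "HS"}


def _abs(name, origin):
    """Absolute form of an owner or rdata name ('@' is the zone apex)."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text):
    """Drop ';' comments and join ( ) continuation lines into one record."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if line.strip() or depth:
            buf.append(line)
            depth += line.count("(") - line.count(")")
            if depth == 0:
                yield " ".join(buf)
                buf = []


def parse_zone(text, origin):
    """(owner, type, rdata) triples with absolute names; handles '@',
    inherited owners and optional TTL/class fields."""
    origin = origin.rstrip(".") + "."
    records, owner = [], origin
    for line in _logical_lines(text):
        toks = line.replace("(", " ").replace(")", " ").split()
        if toks[0].startswith("$"):  # $TTL is irrelevant to these checks
            continue
        if not line[0].isspace():
            owner = _abs(toks.pop(0), origin)
        while toks[0].isdigit() or toks[0].upper() in CLASSES:
            toks.pop(0)
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype in {"NS", "CNAME", "PTR", "SOA"}:
            rdata[0] = _abs(rdata[0], origin)
        records.append((owner, rtype, rdata))
    return records


def _a_map(records):
    a = defaultdict(set)
    for o, t, r in records:
        if t == "A":
            a[o].add(r[0])
    return a


def out_of_zone_owners(records, origin):
    origin = origin.rstrip(".") + "."
    return sorted({o for o, _, _ in records if o != origin and not o.endswith("." + origin)})


def ns_addresses(records, origin):
    """Apex NS name -> its in-zone A records (empty set means no glue)."""
    a, apex = _a_map(records), origin.rstrip(".") + "."
    return {r[0]: a[r[0]] for o, t, r in records if t == "NS" and o == apex}


def ptr_mismatches(forward, reverse):
    """(ip, name) pairs where the forward A record does not point back at ip."""
    a, bad = _a_map(forward), []
    for o, t, r in reverse:
        if t == "PTR" and o.endswith(".in-addr.arpa."):
            ip = ".".join(reversed(o[: -len(".in-addr.arpa.")].split(".")))
            if ip not in a[r[0]]:
                bad.append((ip, r[0]))
    return bad


def audit(forward_text, reverse_texts, origin, host_ip):
    """Run every check; host_ip is the address that must not be a nameserver."""
    fwd = parse_zone(forward_text, origin)
    ns = ns_addresses(fwd, origin)
    rev = [parse_zone(txt, o) for o, txt in reverse_texts.items()]
    return {
        "out_of_zone": out_of_zone_owners(fwd, origin),
        "ns_without_glue": sorted(n for n, ips in ns.items() if not ips),
        "ns_on_host_ip": sorted(n for n, ips in ns.items() if host_ip in ips),
        "ptr_mismatches": [m for z in rev for m in ptr_mismatches(fwd, z)],
    }


if __name__ == "__main__":
    for label, zone in (("answer", ANSWER_FORWARD), ("original", ORIGINAL_FORWARD)):
        print(label, audit(zone, ANSWER_REVERSE, "domain.com", "216.118.172.196"))
```

The answer's files pass cleanly; the asker's original file is flagged for the out-of-zone owner, for the apex NS sitting on the host address, and for three PTRs whose targets have no matching A record. As the answer says, the reverse zones only matter once the provider has delegated the in-addr.arpa space; this script checks that the files agree with each other, and named-checkzone remains the syntax check of record.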
 
cozmoxos (author) commented:
Thank you very much for your fast response, jlevie.

I will have a go at your solution the minute I get back to the server.

Point taken about the external domain - that one will be gone.

Uhm,  one question though:

The domain I've registered is indeed in the "domain.com" manner.
If I would change the name of the server to, say "mail.domain.com" or "www.domain.com", wouldn't that mess things up at the registrar? Wouldn't that result in that "www.domain.com" is there, but "domain.com" not? And should I in that case also change apache's httpd.conf and /etc/hosts and /etc/sysconfig/network ?

Btw, it's fedora core 1 I use.

Thank you
/j.
 
jlevie commented:
The machine itself should have a proper hostname, which will contain two "."s in this case. I prefer to give machines names other than ns, mail, etc. and use CNAMEs to alias ns, web, mail, etc. That makes it easier to move some service to another box.

And no, it won't mess things up at the registrar. The hostname (ns1.domain.com) is required, but for DNS to work it's the IP that's important. A DNS server on the Internet will query for the name servers for your domain and it'll use the returned IPs for the query. In practice it could care less what the hostname is.

The zone data for domain.com includes:

               IN  A            216.118.172.196
mail       IN  A            216.118.172.196

which equate domain.com and mail.domain.com to 216.118.172.196. Since www.domain.com is an alias for mail.domain.com, any request to domain.com, mail.domain.com, or www.domain.com will resolve to 216.118.172.196.

Yes, you should change /etc/hosts & /etc/sysconfig/network. And your hosts file should look like:

127.0.0.1                 localhost.localdomain localhost
216.118.172.196   mail.domain.com mail
216.118.172.197   ns1.domain.com ns1
216.118.173.148   ns2.domain.com ns2
216.118.173.149   ns3.domain.com ns3

Just so that ifconfig & friends can find things before DNS comes up. Also your resolv.conf should contain:

search domain.com
nameserver 127.0.0.1

Whether you'll need to make changes in httpd.conf depends on how you set it up. If you've explicitly set the hostname that will need to change. Ordinarily Apache will get the hostname associated with the IP(s) it binds to via a reverse lookup. So if the hosts file and/or DNS is correct it'll figure it out. And, unless you are using Name Based Virtual hosts, Apache doesn't care whether you access the server via http://domain.com, http://www.domain.com, http://216.118.172.196, etc. You'll wind up at the same htdocs directory. For other than Name Based virtual hosts only the IP matters.
 
cozmoxos (author) commented:
So...

I've changed name of the server - followed the mail.domain.com example.
"/etc/hosts", "/etc/sysconfig/network" and "/etc/resolv.conf" has been updated.
I've changed the named entries as you specified above
And I'm currently performing a reboot.

Just a few final, and somewhat dorky, questions:

in named.conf all "entries" start like: "zone "something.here" IN {" <-- with the "IN".
My default settings didn't have this. What's the difference? What does the "IN" do?

Also in named.conf - each entry has the following value "allow-update { none; };"
Since my default settings didn't have that, I just wonder what it means exactly.

I also had the following at the end of named.conf:
acl common-allow-transfer {
        none;
};
Uhm, what does it do and why don't I need it?


All in all, many thanks and kudos to you for all your help and for guiding me through this. The whole named shebang is a lot clearer to me now.

I'll just do some checks on the server now as it has rebooted, and then, well, that should be it.

Thanks!
/j.
 
jlevie commented:
The most correct form of a zone declaration would be:

zone "the-zone" IN {...};

which is what I used. For backwards compatibility named will accept a declaration of the form:

zone "the-zone" {...};

"allow-update { none; };" tells named not to allow anyone to dynamically change the data for a zone.  It is simply a protection mechanism to keep an attacker from futzing with your DNS data. The only time you'd not want that directive in a zone would be if you were using DHCP & dynamic DNS updates. And even then you'd restrict the update to the IP(s) of the DHCP server(s).
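On the acl and allow-update questions, an added check (the editor's example, not from either participant): BIND requires an acl to be declared before any statement references it, so a named.conf that declares common-allow-transfer after the two zones that use it, as the asker's original file does, is rejected at load time as an undefined ACL; and allow-update already defaults to none in BIND 9, so writing it explicitly documents the policy rather than changing behaviour. The script below is a heuristic scanner (brace matching and regular expressions, not a full named.conf parser) that flags acl forward references and master zones with no explicit allow-update or allow-transfer. The config text is the asker's original named.conf, followed by a corrected version that declares the acl first; lint() and the constant names are this example's own.

```python
"""Heuristic lint for named.conf: acl forward references and master zones
without an explicit allow-update / allow-transfer.  Added example, not part
of the thread; ORIGINAL_NAMED_CONF is the asker's posted file."""
import re

ORIGINAL_NAMED_CONF = """\
zone "." { type hint; file "named.root"; };
zone "0.0.127.IN-ADDR.ARPA" { type master; file "localhost.rev"; };
zone "domain.com" {
        type master;
        file "domain.com";
        allow-transfer { 216.118.172.196; common-allow-transfer; };
};
zone "172.118.216.in-addr.arpa" {
        type master;
        file "172.118.216.in-addr.arpa";
        allow-transfer { common-allow-transfer; };
};
acl common-allow-transfer { none; };
"""

# Same zones with the acl declared first and each master zone stating its
# update and transfer policy (file names as in the accepted answer).
FIXED_NAMED_CONF = """\
acl common-allow-transfer { none; };   // must precede every reference
zone "." IN { type hint; file "named.root"; };
zone "0.0.127.in-addr.arpa" IN {
        type master; file "localhost.rev";
        allow-update { none; }; allow-transfer { none; };
};
zone "domain.com" IN {
        type master; file "domain.com.zone";
        allow-update { none; }; allow-transfer { common-allow-transfer; };
};
"""

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
# IPv4 / IPv6 literal or prefix; anything else that is not a key
# reference is taken to be an acl name.
_ADDR = re.compile(r"^(\d{1,3}(\.\d{1,3}){0,3}|[0-9a-f]*:[0-9a-f:]*)(/\d+)?$", re.I)


def _blocks(text):
    """Yield (kind, name, body) for top-level acl/zone statements in file
    order.  Brace matching assumes a syntactically balanced file."""
    for m in re.finditer(r'\b(acl|zone)\s+"?([^\s"{]+)"?(?:\s+IN)?\s*\{', text, re.I):
        depth, i = 1, m.end()
        while depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).lower(), m.group(2), text[m.end():i - 1]


def _items(body, option):
    """Elements of 'option { a; b; }' inside a zone body, or None if absent."""
    m = re.search(option + r"\s*\{([^}]*)\}", body)
    return None if m is None else [x.strip() for x in m.group(1).split(";") if x.strip()]


def lint(text):
    """Return a list of findings; an empty list means the config passes."""
    findings, declared = [], set()
    for kind, name, body in _blocks(text):
        if kind == "acl":
            declared.add(name)
            continue
        m = re.search(r"\btype\s+(\w+)", body, re.I)
        ztype = m.group(1).lower() if m else ""
        for option in ("allow-update", "allow-transfer"):
            items = _items(body, option)
            if items is None:
                if ztype == "master":
                    findings.append(f'zone "{name}": no {option}; state it explicitly')
                continue
            for item in items:
                ref = item.lstrip("!").strip()
                if ref.lower() in BUILTIN_ACLS or _ADDR.match(ref) or ref.startswith("key "):
                    continue
                if ref not in declared:
                    findings.append(f'zone "{name}": {option} uses acl "{ref}" before it is declared')
    return findings


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_NAMED_CONF), ("fixed", FIXED_NAMED_CONF)):
        print(f"{label}: {lint(conf) or 'ok'}")
```

Against the original file the lint reports the two forward references to common-allow-transfer and the master zones that leave allow-update and allow-transfer implicit; the reordered version passes. The real check is still named-checkconf, which parses the whole grammar; this scanner only makes the ordering rule visible.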
 
cozmoxos (author) commented:
Ah, that explains it.

Well, once again, thank you very much. I truly appreciated it.

/j.