DNS Setup Problem

Hello,

I am trying to set up 2 DNS servers. The OS is Fedora 2 running BIND, and I am not using the GUI. I can post any info that would be of help.

I receive this error message when I check the "named status"

"rndc: connect failed: connection refused"

I have searched everywhere for what can cause this and I am coming up with nothing. Any help would be greatly appreciated.
jlevie commented:
That error probably means that you've got errors in named.conf or one or more of your zone files that is keeping named from starting. To see what's happening run a 'tail -f /var/log/messages' in one window while you attempt to start named in another. We can more easily help with the fix if we can see your named.conf and your zone files.
mark951 (Author) commented:
jlevie

Thanks for the info! I will get the named.conf and my zone files and post them.
aashishkunte commented:
Hi mark951,

Your two DNS servers are master/slave?
mark951 (Author) commented:
jlevie & aashishkunte

Yes, ns1 will be the master and ns2 will be the slave.

I am trying to set up a very standard and scalable network. I currently have a LAN (inside) and am building my WAN (outside network). My 2 DNS servers both have two network cards and are connected to my LAN so I can use SAMBA to back up files on my Windows 2003 server. I use the 2003 server for internal DNS so I don't need the Linux boxes to do anything for my LAN.

Please let me know if I need to clarify anything else. I have already registered the IP’s of the DNS servers with Network Solutions.

Here is the named.conf


options {
      directory "/var/named";
      
};

view "outside" {
     match-clients { any; };
     recursion no;

     zone "." IN {
     type hint;
     file "named.ca";
     };

     zone "vcsnetworks.net" {
     type master;
     file "db.vcsnetworks.net.outside";
     allow-transfer { 64.213.221.96; };
     };
};

include "/etc/rndc.key";



Here is the db.vcsnetworks.net

$TTL      86400
@      IN      SOA      vcsnetworks.net. hostmaster.vcsnetworks.net.(

                              2004102904      ; Serial
                              28800            ; Refresh
                              14400            ; Retry
                              3600000            ; Expire
                              86400 )            ; Minimum

; Name servers
            IN      NS      ns1.vcsnetworks.net.
            IN      NS      ns2.vcsnetworks.net.

; Mail server for domain
            
            IN      MX       10      mail.vcsnetworks.net.

; Public servers

ns1            IN      A      64.213.220.123
ns2            IN      A      64.213.217.231
mail            IN      A      64.213.219.42
www            IN      A      64.213.221.96
nova            IN      A      64.213.216.227

; EOF

------

Thanks in advance for working with me through this.
jlevie commented:
If you are locating your DNS servers outside of your firewall you don't need to set up views. And you do need zone files for localhost and the reverse zone file for 127.0.0.1. Other than that I don't see anything wrong with what you have so far.

It sounds like each of the DNS servers has one interface outside of the firewall and one inside. From a security standpoint that's a really bad idea. Anyone that penetrates either of the servers has carte blanche access to your Windows server. To store backups on the 2k box it makes more sense to me to back up data (just config and user data, not the OS) into a file and use scp from the 2k box to pull it down. That eliminates the need for the interfaces into the protected LAN.
mark951 (Author) commented:
jlevie,

Thanks for the tip on security. This is my first attempt at DNS; I may be missing something simple that is causing this not to work. I will post my localhost zone file, and I don't know if I have a reverse zone file for 127.0.0.1. What would it be named? I do have a named.local. I will post that.

Localhost.zone


$TTL      86400
$ORIGIN localhost.
@                  1D IN SOA      @ root (
                              2004110201      ; serial (d. adams)
                              3H            ; refresh
                              15M            ; retry
                              1W            ; expiry
                              1D )            ; minimum

                  1D IN NS      @
                  1D IN A            127.0.0.1



named.local


$TTL      86400
@       IN      SOA     0.0.127.in-addr.arpa. hostmaster.localhost.  (
                                      2004110201 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
             
        IN      NS      0.0.127.in-addr.arpa.

1       IN      PTR     vcsnetworks.net.
2      IN      PTR      www.vcsnetworks.net.
2      IN      PTR      nova.vcsnetworks.net.

;EOF


I hope this helps shed some light on where I am tripping up. Thanks!!
jlevie commented:
Your localhost zones are wrong. The local.zone file must contain:

$TTL 86400
@    IN  SOA   localhost. root.localhost.  (
               1997022700 ; Serial
               28800      ; Refresh
               14400      ; Retry
               3600000    ; Expire
               86400 )    ; Minimum
                                                                               
               IN  NS     localhost.
               IN  MX 10  localhost.
                                                                               
localhost.     IN  A      127.0.0.1

and the reverse zone must contain:

$TTL 86400
@    IN  SOA   localhost. root.localhost.  (
               1997022700 ; Serial
               28800      ; Refresh
               14400      ; Retry
               3600000    ; Expire
               86400 )    ; Minimum
                                                                               
               IN  NS     localhost.
                                                                               
1              IN  PTR    localhost.
mark951 (Author) commented:
Just to help me clarify: the named.local is the reverse zone for local.zone?
jlevie commented:
To help keep things straight I'd name the forward zone file local.zone and the reverse (surprisingly) local.rev. In a like manner I name the hints file root.zone. That results in named.conf containing:

options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        query-source address * port 53;
        listen-on {64.213.220.123 ; 127.0.0.1; };
};
                                                                               
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
                                                                               
zone "." IN {
        type hint;
        file "root.zone";
};
                                                                               
zone "localhost" IN {
        type master;
        file "local.zone";
        allow-update { none; };
};
                                                                               
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "local.rev";
        allow-update { none; };
};

...Site zones follow...
mark951 (Author) commented:
Thank you, that helps me clarify things.
I just made all the changes that you suggested and ran named-checkconf and named-checkzone with no errors.
I unfortunately still have the "rndc: connect failed: connection refused" error when I start named. Is there a key I need to generate somewhere or something to make this work?

jlevie commented:
Yes, there's a key, usually in /etc/rndc.key on a RedHat system. Including:

include "/etc/rndc.key";

in named.conf will make it operational.
mark951 (Author) commented:
That is what is confusing me. I have a rndc.key in my /etc/, and if you look above at my named.conf you will see I have include "/etc/rndc.key"; there also. Anything else I can look for?
jlevie commented:
There are three cases where rndc won't work:

1) The rndc key is invalid
2) No key is provided in the config
3) named is failing to start due to errors.

Assuming that /etc/rndc.key contains data, the most credible cause is (3). What do you see in /var/log/messages when you attempt to start named?
mark951 (Author) commented:
I found two errors:

couldn't add command channel 127.0.0.1#953: not found

couldn't add command channel ::1#953
jlevie commented:
Are you sure that there wasn't a copy of named running when you tried to start it?
cyb3rj0hn commented:
The key that gets placed there by the installation of Bind is a dummy key. You will need to generate a new key using the following command:

rndc-confgen

You can find additional details here:

http://linuxreviews.org/man/rndc-confgen/

This should take care of your problem. Hope this helps.

Regards,
John
mark951 (Author) commented:
jlevie,

To answer your question: yes there was, I had restarted the service.

cyb3rj0hn,

Thanks for the info. I followed the instructions but with no change in the outcome. I am going to reload the OS on my server and start over. I am going to save the zone files and my named.conf that jlevie helped me create. I'll try the rndc-confgen again and see what happens. I hope to have this completed by the 28th.

Thanks for all the help. I am really excited to get this running. I'll let you know as soon as I have it back online.
mark951 (Author) commented:
Well, I just finished reloading my server. All went well except I still have been unable to get DNS to work. I have actually taken a step back, it seems. Now I can't do a dig for vcsnetworks at all.

In the 'tail -f /var/log/messages' I receive:

couldn't add command channel 127.0.0.1#953: not found
couldn't add command channel ::1#953

and when I do a dig on vcsnetworks.net I receive:

lame server resolving 'vcsnetworks.net' (in 'vcsnetworks.net'/): 64.213.216.231#53

I also still have the "rndc: connect failed: connection refused" in the services window when I restart named.

I will post any files you guys think might help. I am about at the end of my rope with this. I have read through many tutorials and have bought a couple of Linux books and still can't see what I am doing wrong.

I also tried "rndc-confgen -a" to automatically take care of the key; that didn't work, so I did "rndc-confgen" and copied the key into my named.conf, but to no avail.

Any help would be greatly appreciated.
jlevie commented:
Are those the only messages related to named when it starts?

Does the hosts file have:

127.0.0.1     localhost.localdomain localhost

What does '/sbin/ifconfig lo' show?
mark951 (Author) commented:
Here is the complete output related to named from when I restart it:

Dec  1 00:10:00 ns1 named: named shutdown succeeded
Dec  1 05:10:02 ns1 named[28557]: starting BIND 9.2.3 -u named -t /var/named/chroot
Dec  1 05:10:02 ns1 named[28557]: using 1 CPU
Dec  1 05:10:02 ns1 named[28557]: loading configuration from '/etc/named.conf'
Dec  1 05:10:02 ns1 named[28557]: listening on IPv4 interface lo, 127.0.0.1#53
Dec  1 05:10:02 ns1 named[28557]: listening on IPv4 interface eth0, 10.10.10.251#53
Dec  1 05:10:02 ns1 named[28557]: listening on IPv4 interface eth1, 64.213.217.231#53
Dec  1 05:10:02 ns1 named[28557]: couldn't add command channel 127.0.0.1#953: not found
Dec  1 05:10:02 ns1 named[28557]: couldn't add command channel ::1#953: not found
Dec  1 05:10:02 ns1 named[28557]: running
Dec  1 00:10:03 ns1 named: named startup succeeded

Here is my /etc/hosts:

127.0.0.1    ns1.vcsnetworks.net   ns1 localhost.
localdomain   local host

-----

Here is the output of /sbin/ifconfig lo:

[root@ns1 root]# /sbin/ifconfig lo
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:9711 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9711 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:11018461 (10.5 Mb)  TX bytes:11018461 (10.5 Mb)

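The triage below is an added example, not part of the original thread, that applies jlevie's three causes (invalid key, no key in the loaded config, named failing to start) to named's startup messages. The two log samples are constructed: the first is modelled on the lines mark951 posted above, the second is an invented "named did not start" case. The message patterns are ones BIND 9 emits, but the mapping from message to cause and the hints are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the /var/log/messages lines posted in the thread.
SAMPLE_RUNNING = """\
Dec  1 05:10:02 ns1 named[28557]: starting BIND 9.2.3 -u named -t /var/named/chroot
Dec  1 05:10:02 ns1 named[28557]: loading configuration from '/etc/named.conf'
Dec  1 05:10:02 ns1 named[28557]: listening on IPv4 interface lo, 127.0.0.1#53
Dec  1 05:10:02 ns1 named[28557]: couldn't add command channel 127.0.0.1#953: not found
Dec  1 05:10:02 ns1 named[28557]: couldn't add command channel ::1#953: not found
Dec  1 05:10:02 ns1 named[28557]: running
"""

# Constructed sample of cause (3): a named.conf syntax error, so named exits.
SAMPLE_FAILED = """\
Dec  1 05:12:40 ns1 named[28600]: starting BIND 9.2.3 -u named -t /var/named/chroot
Dec  1 05:12:40 ns1 named[28600]: loading configuration from '/etc/named.conf'
Dec  1 05:12:40 ns1 named[28600]: /etc/named.conf:17: unknown option 'alow-transfer'
Dec  1 05:12:40 ns1 named[28600]: loading configuration: failure
Dec  1 05:12:40 ns1 named[28600]: exiting (due to fatal error)
"""

# syslog prefix; the init script logs without a pid, named itself logs with one
NAMED_LINE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) named(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# (message pattern, cause label, operator hint); first match wins.
RULES: List[Tuple[re.Pattern, str, str]] = [
    (re.compile(r"^couldn't add command channel (\S+): not found$"),
     "2 no usable key in the loaded config",
     "the 'controls' statement names a key named never loaded; when the 'starting' line "
     "shows -t <chroot>, check the named.conf and rndc.key copies inside that chroot"),
    (re.compile(r"^couldn't add command channel (\S+): (.+)$"),
     "1 control channel unusable",
     "rndc channel could not be opened for the reason given after the colon"),
    (re.compile(r"^(\S+):(\d+): (.+)$"),
     "3 named failing to start (config error)",
     "fix the error at file:line, then re-run named-checkconf"),
    (re.compile(r"^zone (\S+): loading .*$"),
     "3 named failing to start (zone error)",
     "run named-checkzone on that zone file"),
    (re.compile(r"^exiting \(due to fatal error\)$"),
     "3 named failing to start",
     "see the errors logged just before this line"),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into host, pid and the bare named message."""
    m = NAMED_LINE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str) -> Dict[str, object]:
    """Summarise a named start-up: did it reach 'running', which chroot, which findings."""
    result: Dict[str, object] = {"started": False, "chroot": None, "findings": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        start = re.match(r"^starting BIND (\S+)\s*(.*)$", msg)
        if start:
            result["version"] = start.group(1)
            t = re.search(r"-t (\S+)", start.group(2))
            result["chroot"] = t.group(1) if t else None
            continue
        if msg == "running":
            result["started"] = True
            continue
        for pat, cause, hint in RULES:
            if pat.match(msg):
                result["findings"].append((cause, msg, hint))
                break
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_RUNNING, SAMPLE_FAILED):
        r = triage(sample)
        print("started:", r["started"], "chroot:", r["chroot"])
        for cause, msg, hint in r["findings"]:
            print(f"  [{cause}] {msg}\n      -> {hint}")
```

On the thread's own messages the summary is "started: True" with two cause-2 findings, which is exactly the combination that rules out jlevie's cause (3) and points at the key definition named actually loaded, which for a `-t /var/named/chroot` start is the copy inside the chroot.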
jlevie commented:
What do you have in /var/named/chroot (hint: 'ls -R /var/named/chroot' will show everything)?
mark951 (Author) commented:
var, etc, dev
jlevie commented:
Yes, but what are the contents of those directories. Please post the results of 'ls -R /var/named/chroot'.
mark951 (Author) commented:
[root@ns1 root]# ls -R /var/named/chroot
/var/named/chroot:
dev  etc  var
 
/var/named/chroot/dev:
null  random
 
/var/named/chroot/etc:
named.conf  rndc.key
 
/var/named/chroot/var:
named  run
 
/var/named/chroot/var/named:
localhost.zone  named.ca  named.local
 
/var/named/chroot/var/run:
named
 
/var/named/chroot/var/run/named:
named.pid
[root@ns1 root]#

----
I have never edited anything in the chroot dir. Is this a mistake? Is my /etc/hosts file correct?

Here is an overview of what I have done:

reinstalled Fedora Core 2
set the hostname upon install
set the network settings
copied my named.conf to /etc/
copied my zone files to /var/named/
started the named service
jlevie commented:
named.conf and rndc.key in /var/named/chroot/etc must be exact copies of the corresponding files in /etc. Your zone files need to be in /var/named/chroot/var/named, not in /var/named. This is because named is starting as chrooted into /var/named/chroot and once it starts it doesn't look in /etc or /var/named, but rather it looks for those dirs within the chrooted environment.
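The checker below is an added example, not part of the thread, that automates jlevie's diagnosis: it compares the named.conf and rndc.key that rndc and the admin see in /etc with the copies named actually reads under the chroot, and confirms every zone file referenced by the chrooted named.conf exists under the chroot's named directory. The demo layout it builds in a temporary directory is constructed to mirror the 'ls -R /var/named/chroot' listing above (stale rndc.key inside, zone file only outside); the file names come from the thread's named.conf, and the key secrets are placeholders, not real keys.

```python
import filecmp
import os
import re
import tempfile
from typing import List

DIRECTORY_RE = re.compile(r'directory\s+"([^"]+)"')
ZONE_FILE_RE = re.compile(r'file\s+"([^"]+)"')


def named_directory(named_conf_text: str, default: str = "/var/named") -> str:
    """The options { directory "..." } value, relative to whatever root named runs in."""
    m = DIRECTORY_RE.search(named_conf_text)
    return m.group(1) if m else default


def zone_files(named_conf_text: str) -> List[str]:
    """Every file "..." operand in zone statements."""
    return ZONE_FILE_RE.findall(named_conf_text)


def check_chroot(root: str, chroot: str) -> List[str]:
    """Report files that differ between the real root and the chroot named starts in.

    root is the live filesystem root ("/" on a real box); chroot is the -t path
    from named's command line (e.g. /var/named/chroot)."""
    problems: List[str] = []
    for rel in ("etc/named.conf", "etc/rndc.key"):
        outside = os.path.join(root, rel)
        inside = os.path.join(chroot, rel)
        if not os.path.exists(inside):
            problems.append(f"{rel}: missing inside chroot")
        elif os.path.exists(outside) and not filecmp.cmp(outside, inside, shallow=False):
            # rndc reads the outside copy, named the inside one: a mismatch means
            # rndc signs with a key named does not know (jlevie's "exact copies" rule)
            problems.append(f"{rel}: chroot copy differs from the one outside")
    conf_path = os.path.join(chroot, "etc/named.conf")
    if not os.path.exists(conf_path):
        return problems
    with open(conf_path) as fh:
        conf = fh.read()
    zdir = named_directory(conf).lstrip("/")
    for zf in zone_files(conf):
        if not os.path.exists(os.path.join(chroot, zdir, zf)):
            note = " (a copy exists outside the chroot)" if os.path.exists(
                os.path.join(root, zdir, zf)) else ""
            problems.append(f"zone file {zf}: not under {os.path.join(chroot, zdir)}{note}")
    return problems


# Constructed named.conf using the zone file names from the thread.
NAMED_CONF = '''options { directory "/var/named"; };
zone "localhost" IN { type master; file "local.zone"; };
zone "vcsnetworks.net" IN { type master; file "db.vcsnetworks.net.outside"; };
include "/etc/rndc.key";
'''


def build_demo(base: str) -> str:
    """Reproduce the situation in the thread: edited files outside, stale copies inside."""
    def put(path: str, text: str) -> None:
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    chroot = os.path.join(base, "var/named/chroot")
    put(os.path.join(base, "etc/named.conf"), NAMED_CONF)
    put(os.path.join(base, "etc/rndc.key"),
        'key "rndckey" { algorithm hmac-md5; secret "PLACEHOLDER-REGENERATED"; };\n')
    put(os.path.join(base, "var/named/local.zone"), "$TTL 86400\n")
    put(os.path.join(base, "var/named/db.vcsnetworks.net.outside"), "$TTL 86400\n")
    put(os.path.join(chroot, "etc/named.conf"), NAMED_CONF)
    put(os.path.join(chroot, "etc/rndc.key"),
        'key "rndckey" { algorithm hmac-md5; secret "PLACEHOLDER-DUMMY"; };\n')
    put(os.path.join(chroot, "var/named/local.zone"), "$TTL 86400\n")
    # db.vcsnetworks.net.outside deliberately absent inside the chroot
    return chroot


def demo() -> List[str]:
    with tempfile.TemporaryDirectory() as base:
        return check_chroot(base, build_demo(base))


if __name__ == "__main__":
    for p in demo():
        print(p)
```

On a live box the call is `check_chroot("/", "/var/named/chroot")`; the two findings the demo prints are the two mistakes jlevie identified: a rndc.key that rndc and named disagree on, and a zone file that was copied to /var/named rather than to the chroot's /var/named.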
mark951 (Author) commented:
YES!! The rndc problem has been solved. I had no idea the files were supposed to be in /var/named/chroot/etc instead of /var/named.

My DNS is still not resolving, but at least I can move on from this problem. Thank you so much jlevie for sticking with me all the way through this and also for helping me with my reverse lookup zone. I will start a new question if I can't get my DNS to resolve correctly.