Mcgurupro2 (Angola) asked:
Please check Attached Log file - Web site and certain web addresses not loading according to DNS conf

Please check the log file and see if you come to some kind of conclusion, or if something ticks.

Please be patient with me; I have no freaking clue how to operate the shell, I have been used to GUIs all my life, but I will learn very fast whatever knowledge you pass on.

Set up:

Email Web Server | MySQL Database | DNS - BIND9 | Apache Web Server | F5 BIG-IP load balancing these services.

All with redundancy built into it and auto-sync; anything changed on any of the servers automatically replicates to the other.

DNS Service Loads OK
Apache Loads OK
Email System Loads OK
MySQL is Authenticating and database is working for new requests and new IDs.

Issue:

I have a MyPHP database where my clients authenticate, which also controls the size of their web space and FTP site space. The web pages the clients need to load to log on to the e-mail service are not opening; the error is page not found. I checked all services and they load OK and accept connections. I checked the DNS logs and can make no sense of them. I can ping all servers from the machine simulating the client access; from the same machine I can access the MyPHP server and create new accounts, but www.startel.ao and mail.startel.ao are not loading????

Any ideas?

Thanks for your patience and help.
Attachments: dns-logs, dns-warnings, named
Jan Bacher (United States):

Post the contents of the startel.ao.in file.  The syntax is not correct.
And, startel.ao.out.

Why do I not see startel in named.conf?  
Mcgurupro2 (asker):

Jasper

Here go all the DNS conf files located in /opt/named/var/m

The .ZIP extension should be changed to .rev; the ones named "bkup" are files automatically created when the original is modified. Nice trick, Windows should have that :-).

I have also added the "angonet.in" and "angonet.out" files. These web pages open, but I cannot log on to them; I guess the old system admin used them as a backup or test web site. Have a look as well in case it helps. The ones I need loading are the ones pointing to mail.startel.ao and www.startel.ao.

Thanks
Attachments: 0.16.10.zip, 236.222.41.zip, angonet-in.txt, angonet-out.txt, startel.ao.in-bkup.txt, startel.ao.in.txt, startel.ao.out-bkup.txt, startel.ao.out.txt
Did you create these files on a Windows machine and then upload them?
No, I copied them from the DNS server logs. I used the extension TXT because EE was not allowing me to upload them; nothing here was created in the Windows environment.

Sorry for not answering sooner; weekend here, had to go to a conference.
Jasper

1. Logged on as root to the DNS1 server, ping mail.startel.ao -> host cannot be found
2. Logged on as root to the DNS1 server, ping mail.angonet.com -> I get a reply back from the DNS file saying "REPLY from MAIL.STARTEL.AO", so the DNS recognizes angonet and returns mail.startel.ao. Man, I know the solution is right there, I just cannot see it, I am gonna kick myself!!!
3. Logged on as root to the DNS1 server, ping www.startel.ao -> host cannot be found
4. Logged on as root to the DNS1 server, ping www.angonet.com -> reply back with pmaweb.startel.ao, which is the PHP server
5. If I do a reverse lookup of 10.16.0.39 it returns all my mail servers correctly, angonet and startel
6. If I do a reverse lookup of 10.16.0.38 it returns all my web servers correctly, www.startel.ao and domain startel.ao - the forward lookup is the problem.

I hope this helps, I need to see a light - thanks for the help so far.
It looks like you are using views and TSIG to get the internal view.  Verify your TSIG on the master and slave servers.
Jasper

What is TSIG? Where will it be located?
TSIG is an acronym for "transaction signature".  It is used by matching keys to allow slaves to retrieve one view over another.  You should see the key information within the view of named.conf.
Okie, I think I see now. The keys for internal and external are the same on both servers, but for the INET (I think this is for the internal network, correct?) they are not the same. Now, which key do I make the same? Is there a post procedure, or do I simply copy/paste to the other server and wait for replication?
You should have key information specified within each view of the master named.conf.  If you are working on a slave server and you want the internal view, make sure that you are configured with the same key information in named.conf as the internal view on the master so that you will get the zone that you want.

If you have notify set to yes and your slave server is listed as an authoritative transfer IP, then a:
  kill -HUP <process_id_of_named>
should reload the configuration file.  rndc reload (if you're configured for it) will work, too.
Jasper

Thanks for your time.

Please give me a quick 2-word explanation for each option below, so I understand better where all those options for internal and external fit in the named.conf.

Notify is set to yes on both; is this correct?
auth-nxdomain is set to NO on both; is this correct? The DNS1 should be set to yes, right?
auth-nxdomain: is this option to identify the server as the authoritative one for the domain?


Master View:

options {directory "/opt/named/var"; --------------> this is where the DNS Zone files are located

pid-file "named.pid";--------------> what is this?
version "Bind";

listen-on {10.16.0.41;}; --------------> second DNS IP

allow-query { any; };

forwarders { 192.168.0.1; }; --------------> can I put an external DNS from our SAT provider here?

allow-transfer {10.16.0.42;}; --------------> I am allowing transfer to DNS2

auth-nxdomain no;notify yes;};

key "rndc-key" {algorithm hmac-md5;secret "aa1pa1vGzxWQ3Kav5xGcuA==";}; this key is not the same on DNS 2

controls {inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };};

include "log.conf";

key internal ----------------> this is the same as DNS 2; is this correct?

key external ---------------------> this is the same as DNS 2; is this correct?

include "mundo.view.m"; ------------> this file contains a bunch of info regarding the zones internal and external to the startel domain. Is this correct?

I remember you said in your 1st comment "Why do I not see startel in named.conf?"; can you give more info on it, and why startel should be in named.conf? Now I understand a bit more about BIND and it will make sense if you elaborate on your comment.

Thanks Jasper.
1) I set notify to "no" as recommended by the folks who put together the bind security template.

2) pid-file "named.pid";--------------> what it this?

"pid" is an acronym for Process ID.  This file contains the process ID number (shown via ps) of the service.

3)  forwarders { 192.168.0.1; }; --------------> can i put an external DNS from our SAT provider here?

If I am a DNS server, I don't forward queries except for those domains that I want an answer from elsewhere and I specify it within the zone statement.   Otherwise, I don't use forwarders at all.

4) auth-nxdomain no

The default is yes. Do not turn off auth-nxdomain unless you are sure you know what you are doing, as some older software won't like it.

5) key internal ----------------> this is the same has DNS 2 is this correct?
6) key external ---------------------> this is the same has DNS 2 is this correct?

These keys should be the same between the master server and the slave that is to do the transfer.  You can (should) put your keys in an external file and include that file in your named.conf.

7) include "mundo.view.m";

I did not know that your zone files were in a separate file from the named.conf and included with the "include" statement in named.conf.

If you are using TSIG:

This file for the master server should have a zone statement that looks like this:

    zone "mydomain.com" {
        type master;
        file "mydomain.com.db";
        allow-transfer { key dns1-dns2.mydomain.com.; };
    };

The slave would look like this:

    zone "mydomain.com" {
        type slave;
        masters { 10.1.2.3 key dns1-dns2.mydomain.com.; };
        file "mydomain.com.db";
    };

And the external key file (for example "/etc/dns.keys.conf") would have an entry:

    key dns1-dns2.mydomain.com. {
        algorithm hmac-md5;
        secret "Somekeyishere==";
    };

The point is that if you want the data for a zone from a view transfered during an AXFR to the slave, you need TSIG.  If you aren't using views and security isn't a concern, then just specify which access-list can transfer the zone data.  If you are using TSIG, then the keys in the configuration need to match.  The error in the dns-warnings file indicated that there was a key mismatch.
quick question:

The file named.conf, after I did a few alterations (bear in mind I have not finished everything yet), after a few minutes went from looking like this: named.conf to this: #named.conf#. Is this a protection from the server when something is not right?

Sorry for being such a noob; please bear with me, I don't know Linux at all.

OK, will finish all the alterations following your suggestions; be back later with the results.
Perhaps this is something SUSE specific.  I've not seen that before on other Linux platforms.
jasper

I have done all the modifications, but it looks like something is not OK:

Please check both the named and mundo.view files and see if you can spot anything not correct, please.

When I try to run it using rndc it gives me the following error:

rndc: connect failed: 127.0.0.1#953: connection refused

It was running before!!!!!

Cheers
Attachments: named.conf.slave.pdf, named.conf.master.pdf, mundo.view.s.pdf, mundo.view.m.pdf
Jasper

It is Friday 18:00, got to go home; will try to come in tomorrow and work on the DNS server to test your response. Not sure what happened, but I returned all the files to their old state and still rndc does not allow it to start.

1. Are the RNDC keys generated by a tool?
2. Are the RNDC keys connected to a service, and if I change them, can I change them simply by writing them with KWrite like I did? Or do they need to be generated?
3. If I change these keys manually, can this cause RNDC to fail at startup?

Thanks man.
Jasper

I learned a bit more about BIND9 commands and found out about rndc-checkconf and rndc-checkzone, but to my dismay both commands do not work on this server; it tells me "command not found". The rndc command is in the same folder as those 2; rndc works but those 2 don't. I am about to format this thing and install from scratch; if this was my server I would do it. ;-)
jasper

I will just award you the points and start a new question about installing BIND9 without losing current domain information. Is this OK by you, or can we continue this saga?

If I wanted to install BIND9 from scratch, what files are most important to me right now so I don't lose any zone info created, root servers info and any other info related to startel, mundo and angonet?

Cheers
Are you still receiving the TSIG error messages in the logs?
One more question:

With which registrar did you register "startel.ao"?
It is not registered yet; I need to get the DNS service working internally first so the Angola registrar will give us permission to advertise our domain.

I have a machine simulating external access and resolving names from the outside on the external zones and from the inside on the internal zones.

Regarding the TSIG errors, the RNDC command does not start the DNS service and I cannot get new information out of the logs.

RNDC is giving an error: connection refused.
Can you not put your implementation on public address space for remote testing?

For rndc to run, you need the control section in your named.conf and the appropriate key file configured.
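Jan's two points above, that a TSIG-signed transfer needs identical key statements on master and slave and that rndc needs the key named in the `controls` statement to match the one in rndc.conf, can both be checked mechanically before touching a running server. The following is an added example written for this page, not code from the thread or from BIND; the three configs it scans are constructed to mirror the thread's layout (two views, keys "internal" and "external", an "rndc-key", master 10.16.0.41), and every secret in them is a dummy base64 string, not a real key. Beyond the mismatch Jan mentions, it also flags hmac-md5, which BIND still accepts but which should be replaced by hmac-sha256 when the keys are regenerated anyway.

```python
"""TSIG / rndc key consistency check across BIND named.conf files.

Added example, not code from the thread. It scans `key` statements and the
`key NAME;` references inside allow-transfer / masters / match-clients, plus the
key named in the `controls` statement, and reports the mismatches that make a
TSIG-signed zone transfer or an rndc session fail.
"""
import re

# Constructed sample configs modelled on the thread's layout. Secrets are dummy
# base64 values, not real keys.
MASTER_CONF = r'''
options { directory "/opt/named/var"; notify yes; };
key "rndc-key" { algorithm hmac-md5; secret "cm5kYy1kdW1teS1zZWNyZXQ="; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
key internal { algorithm hmac-md5; secret "aW50ZXJuYWwtZHVtbXk="; };
key external { algorithm hmac-md5; secret "ZXh0ZXJuYWwtZHVtbXk="; };
view "internal" {
    match-clients { key internal; 10.16.0.0/24; };
    zone "startel.ao" { type master; file "startel.ao.in";
        allow-transfer { key internal; }; };
};
view "external" {
    match-clients { key external; any; };
    zone "startel.ao" { type master; file "startel.ao.out";
        allow-transfer { key external; }; };
};
'''

SLAVE_CONF = r'''
options { directory "/opt/named/var"; };
key internal { algorithm hmac-md5; secret "aW50ZXJuYWwtZHVtbXkx"; };  // pasted wrong
key external { algorithm hmac-md5; secret "ZXh0ZXJuYWwtZHVtbXk="; };
view "internal" {
    match-clients { key internal; 10.16.0.0/24; };
    zone "startel.ao" { type slave; file "startel.ao.in";
        masters { 10.16.0.41 key internal; }; };
};
view "external" {
    match-clients { key external; any; };
    zone "startel.ao" { type slave; file "startel.ao.out";
        masters { 10.16.0.41 key external; }; };
};
'''

# rndc.conf on the master, still carrying an older secret for rndc-key.
RNDC_CONF = r'''
key "rndc-key" { algorithm hmac-md5; secret "b2xkLXJuZGMtc2VjcmV0"; };
options { default-key "rndc-key"; default-server 127.0.0.1; default-port 953; };
'''

KEY_DEF_RE = re.compile(
    r'\bkey\s+"?([\w.\-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]*)"\s*;\s*\}\s*;',
    re.S)
KEY_REF_RE = re.compile(r'\bkey\s+"?([\w.\-]+)"?\s*;')          # `key NAME;` in ACLs
CONTROLS_KEY_RE = re.compile(r'\bcontrols\s*\{.*?\bkeys\s*\{\s*"?([\w.\-]+)"?\s*;', re.S)
WEAK_ALGS = {"hmac-md5", "hmac-sha1"}  # still accepted by BIND; prefer hmac-sha256


def strip_comments(conf):
    """Remove /* */, // and # comments so they cannot hide or fake a statement."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    return re.sub(r'(//|#).*', '', conf)


def parse_keys(conf):
    """Return {name: (algorithm, secret)} for every key statement."""
    return {n: (a, s) for n, a, s in KEY_DEF_RE.findall(strip_comments(conf))}


def referenced_keys(conf):
    """Names used as `key NAME;` in allow-transfer, masters, match-clients ..."""
    return set(KEY_REF_RE.findall(strip_comments(conf)))


def check_transfer_keys(master_conf, slave_conf):
    """Problems that make a TSIG-signed AXFR from master to slave fail."""
    mkeys, skeys = parse_keys(master_conf), parse_keys(slave_conf)
    problems = [("undefined-on-master", n)
                for n in sorted(referenced_keys(master_conf) - set(mkeys))]
    for name in sorted(referenced_keys(slave_conf)):
        if name not in skeys:
            problems.append(("undefined-on-slave", name))
        elif name not in mkeys:
            problems.append(("undefined-on-master", name))
        else:
            (malg, msec), (salg, ssec) = mkeys[name], skeys[name]
            if malg.lower() != salg.lower():
                problems.append(("algorithm-mismatch", name))
            elif msec != ssec:          # the mismatch BIND logs as a TSIG warning
                problems.append(("secret-mismatch", name))
            if malg.lower() in WEAK_ALGS:
                problems.append(("weak-algorithm", name))
    return problems


def check_rndc(named_conf, rndc_conf):
    """Problems that stop rndc authenticating to named's control channel."""
    m = CONTROLS_KEY_RE.search(strip_comments(named_conf))
    if not m:
        return [("no-controls-statement", None)]
    name = m.group(1)
    nkeys, rkeys = parse_keys(named_conf), parse_keys(rndc_conf)
    if name not in nkeys:
        return [("control-key-undefined-in-named.conf", name)]
    if name not in rkeys:
        return [("control-key-missing-in-rndc.conf", name)]
    if nkeys[name] != rkeys[name]:
        return [("secret-mismatch", name)]
    return []


if __name__ == "__main__":
    for p in check_transfer_keys(MASTER_CONF, SLAVE_CONF):
        print("zone transfer:", *p)
    for p in check_rndc(MASTER_CONF, RNDC_CONF):
        print("rndc:", *p)
```

On the sample input this reports a secret mismatch for "internal" (so the slave would never receive the internal view), a weak algorithm on both keys, and an rndc-key mismatch between named.conf and rndc.conf. One caveat worth keeping in mind when reading the thread: a key mismatch makes rndc fail with an authentication error after the TCP connection is accepted; "connection refused" on 127.0.0.1#953 means nothing is listening there at all, that is, named is not running or has no `controls` statement, which is a different problem from the keys.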
I can show you the RNDC conf file and the named.conf so you can check them; will this be enough?

You can try getting to the public IP 41.222.236.17; this is the DNS1 server. See if you can get to it, and I will then give you the needed ID and password.
Are you authoritative for other domains and are you using TSIG to pull the internal view?
Yes, I am authoritative for other domains and I am using TSIG to pull the internal view.
If it can't be determined because the TSIG key doesn't match between test servers, can you not add startel.ao to your production name server?
There is no production DNS server at the moment; we are using an external DNS from our provider.

The DNS / E-mail / FTP and Web Services are all on test servers.

I need to fix DNS before I can make these servers production servers.
Let's start with not using the include files and setting all information within the named.conf (for easier readability).  I'll grab the zone info above and put together a sample config.
ASKER CERTIFIED SOLUTION by Jan Bacher (United States): the solution text is only available to Experts Exchange members.
I appreciate the help. I just wanted to say please bear with me; this week I have 2 V-SAT dishes to set up, and as soon as I finish I will get back to the DNS issue, so don't forget me please. :-)
I just cracked the file by looking at your statement; I revised everything again and corrected 2 important areas. For some reason my eyes were not sharp enough to catch it the first time.

If you notice, in the startel.IN and startel.OUT both referrals to domain startel do not have the "L" in startel.ao; it is written starte.ao and should be startel.ao.

The command to run is rcnamed and not rcnd as I was expecting; sorry for this one, only after a few hours of searching and debugging was I able to find this command. The last used date was 6 months ago, so I tried again and BUM, the DNS server is working.

I am happy with this and will award the points for your help.

Thanks Jasper.
By looking at your file I was able to detect the error in the syntax of my file. Thanks Jasper.
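The bug that closed the thread, "starte.ao." written for "startel.ao." in a zone file, is syntactically valid and so passes the syntax checks; only a check against the zone's own origin catches it. The following is an added example written for this page, not code from the thread or from BIND; the zone it scans is constructed to mirror the thread's layout (the 10.16.0.38/39/41/42 addresses are the ones quoted in the thread, everything else is made up) and contains both the thread's typo and the other classic zone-file mistake, an absolute name missing its trailing dot, which BIND silently expands to mail.startel.ao.startel.ao.

```python
"""Zone-file lint for origin typos and missing trailing dots.

Added example, not code from the thread. It walks a BIND-style zone file and
flags (a) absolute names whose parent domain is a near-miss of $ORIGIN
(starte.ao. for startel.ao.) and (b) names meant to be absolute that lack the
trailing dot and would be expanded relative to $ORIGIN.
"""

# Constructed zone mirroring the thread's layout and its typo.
ZONE = """\
$ORIGIN startel.ao.
$TTL 3600
@       IN SOA  dns1.startel.ao. hostmaster.startel.ao. 2009010101 3600 900 604800 3600
        IN NS   dns1.starte.ao.        ; typo: missing "l"
        IN NS   dns2.startel.ao.
        IN MX   10 mail.startel.ao     ; missing trailing dot
www     IN A    10.16.0.38
mail    IN A    10.16.0.39
dns1    IN A    10.16.0.41
dns2    IN A    10.16.0.42
"""

# Which rdata fields of each record type hold a domain name.
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SOA": (0, 1)}
NEAR_MISS = 2  # edit distance at or below which a foreign parent is called a typo


def edit_distance(a, b):
    """Levenshtein distance, used to spot an origin that is off by a letter or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_name(name, origin, lineno, rtype):
    """Return findings for one domain-name rdata field."""
    if origin is None or name == "@":
        return []
    origin = origin.lower().rstrip(".")
    lname = name.lower()
    if not lname.endswith("."):
        # Relative name: BIND appends $ORIGIN. If it already ends in the origin,
        # the author almost certainly meant an absolute name.
        if lname == origin or lname.endswith("." + origin):
            return [(lineno, rtype, name, "missing-trailing-dot")]
        return []
    labels = lname.rstrip(".").split(".")
    depth = origin.count(".") + 1
    parent = ".".join(labels[-depth:])
    if parent != origin and edit_distance(parent, origin) <= NEAR_MISS:
        return [(lineno, rtype, name, "origin-typo")]
    return []  # exact origin, or a genuinely foreign name such as an off-site NS


def lint_zone(text):
    """Return [(line, rtype, name, problem)] for every suspicious name in the zone."""
    origin, findings = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        toks = line.split()
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0].startswith("$"):                 # $TTL, $INCLUDE ...
            continue
        if not raw[0].isspace():                    # owner name present; not needed
            toks.pop(0)
        while toks and (toks[0].isdigit() or toks[0].upper() in ("IN", "CH", "HS")):
            toks.pop(0)                             # optional TTL and class
        rtype, rdata = toks[0].upper(), toks[1:]
        for idx in NAME_FIELDS.get(rtype, ()):
            if idx < len(rdata):
                findings.extend(check_name(rdata[idx], origin, lineno, rtype))
    return findings


if __name__ == "__main__":
    for lineno, rtype, name, problem in lint_zone(ZONE):
        print(f"line {lineno}: {rtype} {name}: {problem}")
```

On the sample zone this reports line 4 (dns1.starte.ao., origin-typo) and line 6 (mail.startel.ao, missing-trailing-dot). It complements rather than replaces named-checkzone, which BIND 9 installs next to named and which validates syntax, serial and glue but accepts a well-formed wrong name such as starte.ao. without comment.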