Solved

How do I properly configure a secondary nameserver?

Posted on 2009-04-06
Last Modified: 2012-05-06
Formerly, our domain company.net used Register.com's name servers - since they are the registrar.  My DNS skills were sufficient to configure the necessary A, MX, CNAME, and TXT records.  All was well until their servers were taken out by a DDoS attack last week.

My first priority was to get off of Register.com's nameservers... and I setup a new account with DNSMadeEasy - and cloned my A, MX, CNAME, and TXT records.  Then I updated the domain on Register.com - changing the nameserver entries to reflect NS0.dnsmadeeasy.com thru NS5.dnsmadeeasy.com -- and that all went well.  I get a clean bill of health using the DNS Report on dnsstuff.com and everything seems to be resolving A-OK.

I'm now trying to configure a secondary nameserver with a separate vendor to avoid a repeat of the service interruptions we had last week.  The primary reason I chose DNSMadeEasy.com is that they allow Zone Transfers with an ACL.  I chose the vendor dynDNS.com as my secondary nameserver (for both DNS and MX failover) since they seemed to be a good choice for a reasonable price.

I've tried to follow the helpful FAQs from both DNSMadeEasy and dynDNS but I'm stumped.  I've successfully configured my DNSMadeEasy account to *allow* AXFR - and I've created an ACL with the 4 DNS IP addresses as per dynDNS.  I then applied the ACL to the domain on DNSMadeEasy... and waited for them to status my change (from updating to active).

However... dynDNS reports that the zone transfer is failing "Your domain delegation does not include required ns2.mydyndns.org nameserver." - and it's tried several times (about 1 hour apart)

Part of my confusion stems from the DNSMadeEasy demo on configuring a secondary nameserver... whereby they would have me configure an A record and CNAME record.  I don't think that's required to facilitate the zone transfer - but I'm wondering if it's required at all... given that I *think* I need to configure the secondary nameservers (ns2.mydyndns.org thru ns5.mydyndns.org) on Register.com -- am I right?  Also, I seem to recall reading some information that suggests limiting primary and secondary name servers to a maximum of 7 -- but is 9 really that bad?

I think I'm a little confused on this because my situation doesn't seem to match the examples in the various FAQ/HowTo's.  I've really got 3 parties in the equation:
Register.com -- the registrar for my domain
DNSMadeEasy.com -- the vendor providing managed DNS services
dynDNS.com -- the vendor providing secondary DNS services

Any examples would be appreciated... or links to configurations or instructions on how to proceed.

Thanks very much
Shawn
Question by:Shawn_SanDiego
LVL 70

Assisted Solution

by: Chris Dent (earned 500 total points)
ID: 24085186

> am I right?

From the error message and what you've said, yes.

> Also, I seem to recall reading some information that suggests limiting primary and secondary
> name servers to a maximum of 7 -- but is 9 really that bad?

9 should be fine. Although some registrars do limit the number of name servers they'll add as Glue to fewer than that.

The limit is normally 13, because that was as many as would fit in the UDP packet response without causing fragmentation. EDNS extends that but may not necessarily be universally adopted.

Chris
LVL 3

Author Comment

by:Shawn_SanDiego
ID: 24098651
Chris... thanks for your feedback... dynDNS requires a minimum of one of their nameservers... so that's where I've started.

OK... Here is what I've done so far...

1)  On Register.Com (the registrar for my domain) I *added* ns2.mydyndns.org as a nameserver.  Doing this seemed to satisfy dynDNS because a short time later the status on my secondary DNS changed from "inactive" to "active" - I believe that means the zone transfer succeeded.  dynDNS now suggests that I add their additional nameservers (ns3, ns4, and ns5) - but I'm going to hold off on that for now.

2)  I ran a DNS Report (www.dnsstuff.com) and there were a few complaints that pointed to missing info on my domain's DNS configuration... so I performed the following actions on my DNS at DNSMadeEasy.com
  A)  I added an A record:  ns2.mydyndns.org w/IP 204.13.249.76
  B)  I added an NS record: ns2.mydyndns.org

This morning I ran another DNS Report... and I get the following warnings and errors (pasted as a code snippet)

It feels odd creating an A record on my DNS with the dynDNS nameserver "name" - since the end result is... ns2.mydyndns.org.mydomain.net -- but it also feels odd to create a name like dynDNS2.mydomain.net (with the actual IP of 204.13.249.76) since then I'd have to change the NS entry to be dynDNS2.mydomain.net ... and I don't think that makes sense... since nothing refers to that name on any of my systems... it seems like a useless configuration to me --- unless it is the A record IP that is significant to the whole process... in which case... I would think the name would not matter one hoot.

Am I almost there... or do I have a long way to go to get where I need to be?  My goal is to keep Register.com as the domain's registrar only, use DNSMadeEasy as my primary DNS, and dynDNS as my secondary DNS.

Thanks Experts!
-------------------------------------------------------------------------------
INFO	NS records at parent servers	Your NS records at the parent servers are:
ns0.dnsmadeeasy.com. [208.94.148.2] [TTL=172800] [US]
ns1.dnsmadeeasy.com. [208.80.124.2] [TTL=172800] [US]
ns2.dnsmadeeasy.com. [208.80.126.2] [TTL=172800] [US]
ns2.mydyndns.org. [204.13.249.76 (NO GLUE)] [US]
ns3.dnsmadeeasy.com. [208.80.125.2] [TTL=172800] [US]
ns4.dnsmadeeasy.com. [208.80.127.2] [TTL=172800] [US]
[These were obtained from d.gtld-servers.net]

-------------------------------------------------------------------------------
WARN	Glue at parent nameservers	WARNING. The parent servers (I checked with d.gtld-servers.net.) are not providing glue for all your nameservers. This means that they are supplying the NS records (host.example.com), but not supplying the A records (192.0.2.53), which can cause slightly slower connections, and may cause incompatibilities with some non-RFC-compliant programs. This is perfectly acceptable behavior per the RFCs. This will usually occur if your DNS servers are not in the same TLD as your domain (for example, a DNS server of "ns1.example.org" for the domain "example.com"). In this case, you can speed up the connections slightly by having NS records that are in the same TLD as your domain.

-------------------------------------------------------------------------------
INFO	NS records at your nameservers	Your NS records at your nameservers are:
ns4.dnsmadeeasy.com.
ns2.mydyndns.org.mydomain.net. [204.13.249.76] [TTL=86400]
ns2.dnsmadeeasy.com.
ns3.dnsmadeeasy.com.
ns0.dnsmadeeasy.com.
ns1.dnsmadeeasy.com.

-------------------------------------------------------------------------------
FAIL	Missing (stealth) nameservers	FAIL: You have one or more missing (stealth) nameservers. The following nameserver(s) are listed (at your nameservers) as nameservers for your domain, but are not listed at the parent nameservers (therefore, they may or may not get used, depending on whether your DNS servers return them in the authority section for other requests, per RFC2181 5.4.1). You need to make sure that these stealth nameservers are working; if they are not responding, you may have serious problems! The DNSreport will not query these servers, so you need to be very careful that they are working properly.
ns2.mydyndns.org.mydomain.net.
This is listed as an ERROR because there are some cases where nasty problems can occur (if the TTLs vary from the NS records at the root servers and the NS records point to your own domain, for example).

-------------------------------------------------------------------------------
FAIL	Missing nameservers 2	ERROR: One or more of the nameservers listed at the parent servers are not listed as NS records at your nameservers. The problem NS records are:
ns2.mydyndns.org.

-------------------------------------------------------------------------------
FAIL	Stealth NS record leakage	Your DNS servers leak stealth information in non-NS requests:
Stealth nameservers are leaked [ns2.mydyndns.org.mydomain.net.]!
This can cause some serious problems (especially if there is a TTL discrepancy). If you must have stealth NS records (NS records listed at the authoritative DNS servers, but not the parent DNS servers), you should make sure that your DNS server does not leak the stealth NS records in response to other queries.
-------------------------------------------------------------------------------

LVL 70

Accepted Solution

by: Chris Dent (earned 500 total points)
ID: 24105365

You're almost there. It's just a problem of proper termination.

> It feels odd creating an A record on my DNS with the dynDNS nameserver "name"

It should be fine provided you terminate the name. e.g.:

ns2.mydyndns.org.  IN A  <IP>

Rather than:

ns2.mydyndns.org IN A <IP>

The first is properly terminated and will not have your domain applied as a suffix. The second is not terminated and will have it appended.

The same applies for your NS Records. This is correct:

@ IN NS ns2.mydyndns.org.

This is not:

@ IN NS ns2.mydyndns.org

Is that something the interface you have allows you to do?

Chris
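An added example, not code from the thread or from DNSMadeEasy or dynDNS, showing in Python what the terminating dot does in a BIND-style zone file and how the parent-versus-child NS comparison behind the "stealth" and "missing nameservers" findings in the DNS Report above is computed. The zone text and the parent NS set are constructed from the values quoted in the thread (origin mydomain.net, the dynDNS name ns2.mydyndns.org and its IP 204.13.249.76).

```python
# Added example (not from the thread or either vendor): relative names in a
# zone file get the origin appended unless they end in a dot; comparing the
# NS set at the parent (TLD) servers with the NS set at the zone apex yields
# the "stealth" and "missing" findings shown in the DNS Report.

def qualify(name, origin):
    """Absolute, lower-cased, dot-terminated form of a zone-file name."""
    origin = origin if origin.endswith(".") else origin + "."
    if name == "@":                 # '@' is the zone apex
        return origin.lower()
    if name.endswith("."):          # already terminated: left untouched
        return name.lower()
    return (name + "." + origin).lower()   # relative: origin appended

def parse_zone(text, origin):
    """'owner IN TYPE rdata' lines -> (owner, type, rdata); owners and
    NS/CNAME targets are qualified, other rdata (an A's IP) kept verbatim."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments, blanks
        if not line:
            continue
        owner, _cls, rtype, rdata = line.split(None, 3)
        if rtype in ("NS", "CNAME"):
            rdata = qualify(rdata, origin)
        records.append((qualify(owner, origin), rtype, rdata))
    return records

def delegation_check(parent_ns, records, origin):
    """NS names only the child serves ('stealth') and NS names the parent
    lists that the child does not ('missing'), as DNS Report defines them."""
    apex = qualify("@", origin)
    child = {r[2] for r in records if r[1] == "NS" and r[0] == apex}
    parent = {qualify(n, origin) for n in parent_ns}
    return {"stealth": child - parent, "missing": parent - child}

# Constructed: the delegation the .net servers published in the thread.
PARENT_NS = {"ns0.dnsmadeeasy.com.", "ns1.dnsmadeeasy.com.", "ns2.mydyndns.org."}

# Constructed: first attempt, where the dynDNS names lack the final dot.
ZONE_WRONG = """
@                 IN NS ns0.dnsmadeeasy.com.
@                 IN NS ns1.dnsmadeeasy.com.
@                 IN NS ns2.mydyndns.org
ns2.mydyndns.org  IN A  204.13.249.76
"""
# Constructed: corrected zone; the A record is dropped, as in the thread.
ZONE_FIXED = """
@  IN NS ns0.dnsmadeeasy.com.
@  IN NS ns1.dnsmadeeasy.com.
@  IN NS ns2.mydyndns.org.
"""
```

Running delegation_check on ZONE_WRONG reports ns2.mydyndns.org.mydomain.net. as stealth and ns2.mydyndns.org. as missing, exactly the two FAIL lines in the report; on ZONE_FIXED both sets are empty.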
LVL 3

Author Comment

by:Shawn_SanDiego
ID: 24106830
Chris -
I think I am there!  Modifying the NS record with the terminating . worked.  The A record wouldn't allow a termination... so I just deleted it.
DNS Report gives me a warning... but I think it's benign given my situation.
Thanks for your help.

WARN	Glue at parent nameservers	WARNING. The parent servers (I checked with c.gtld-servers.net.) are not providing glue for all your nameservers. This means that they are supplying the NS records (host.example.com), but not supplying the A records (192.0.2.53), which can cause slightly slower connections, and may cause incompatibilities with some non-RFC-compliant programs. This is perfectly acceptable behavior per the RFCs. This will usually occur if your DNS servers are not in the same TLD as your domain (for example, a DNS server of "ns1.example.org" for the domain "example.com"). In this case, you can speed up the connections slightly by having NS records that are in the same TLD as your domain.

LVL 70

Expert Comment

by:Chris Dent
ID: 24135971

Excellent :)

And yes, you can ignore the warning above, hard to fix that one anyway unless you have a fair amount of control over what the registrar is doing.

Chris