Solved

BIND and Webmin with Google Apps

Posted on 2011-02-19
Last Modified: 2012-05-11
Domain Name: pcelements.com
Issue Description: I had my domain hosted with GoDaddy and my mail was being managed through Google Apps without problems. Yesterday, I configured my own web server. It has BIND and Webmin. I tried to set up the MX records as explained in this tutorial (http://www.robmcghee.com/web/bind-setup-for-google-apps-in-webmin/), and now I'm not able to receive emails for this domain.

I'm still not able to see my page through my domain name, only by writing the IP address in my browser. I don't know if the problem with not receiving my emails will be solved in 1 or 2 days automatically or if I have something wrong in my DNS configuration file.

This is the configuration file for my domain:
$ttl 38400
pcelements.com.      IN      SOA      ns1.pcelements.com. xyz.pcelements.com. (
                  1298125782
                  10800
                  3600
                  604800
                  38400 )
pcelements.com.      IN      A      173.243.84.34
www.pcelements.com.      IN      A      173.243.84.34
mail.pcelements.com.      IN      CNAME      ghs.google.com.
pcelements.com.      IN      MX      1 ASPMX.L.GOOGLE.COM.
pcelements.com.      IN      MX      5 ALT1.ASPMX.L.GOOGLE.COM.
pcelements.com.      IN      MX      5 ALT2.ASPMX.L.GOOGLE.COM.
pcelements.com.      IN      MX      10 ASPMX2.GOOGLEMAIL.COM.
pcelements.com.      IN      MX      10 ASPMX3.GOOGLEMAIL.COM.
pcelements.com.      IN      NS      ns1.pcelements.com.
pcelements.com.      IN      NS      ns2.pcelements.com.

Thanks for your help.
Question by:pcelements
28 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34933745

Is that the entire zone file? Where are the A records for your name servers (ns1 and ns2)?

I get server-fail when I try to query your domain, and although there's nothing wrong with your MX records, something is wrong with your name servers.

Chris
0
 

Author Comment

by:pcelements
ID: 34934008
This is my named.conf file if it helps:
options {
      directory "/etc";
      pid-file "/var/run/named/named.pid";
      };

zone "." {
      type hint;
      file "/etc/db.cache";
      };

zone "pcelements.com" {
      type master;
      file "/var/named/pcelements.com.hosts";
      };
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34934038
I'd like to see this file if possible: /var/named/pcelements.com.hosts

And are you willing to share your server IP? The address I have from the registrar is not responding to DNS requests (173.243.84.34).

Chris
0
 

Author Comment

by:pcelements
ID: 34934060
The content of the pcelements.com.hosts file is the one I already posted with the question. The IP address is 173.243.84.34
0
 

Author Comment

by:pcelements
ID: 34934320
Somebody Help Please!!!
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34934433
Sorry, dinner time. Family takes precedence over internet stuff.

Anyway. You need NS records, initially I suggest you make these changes:
$ttl 38400
pcelements.com.      IN      SOA      ns1.pcelements.com. xyz.pcelements.com. (
                  1298125782
                  10800
                  3600
                  604800
                  38400 )

pcelements.com.      IN      NS      ns1.pcelements.com.
pcelements.com.      IN      NS      ns2.pcelements.com.

pcelements.com.      IN      A      173.243.84.34

ns1.pcelements.com.  IN A  173.243.84.34
ns2.pcelements.com.  IN A  173.243.84.34

www.pcelements.com.      IN      A      173.243.84.34

mail.pcelements.com.      IN      CNAME      ghs.google.com.
pcelements.com.      IN      MX      1 ASPMX.L.GOOGLE.COM.
pcelements.com.      IN      MX      5 ALT1.ASPMX.L.GOOGLE.COM.
pcelements.com.      IN      MX      5 ALT2.ASPMX.L.GOOGLE.COM.
pcelements.com.      IN      MX      10 ASPMX2.GOOGLEMAIL.COM.
pcelements.com.      IN      MX      10 ASPMX3.GOOGLEMAIL.COM.


We *must* address the last problem. Your server is not responding to DNS requests, it's possible the service is failing to start with the zone file you've defined, but this has to be checked after you modify the zone.

Chris
0
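The defect Chris spotted above, NS records whose in-zone targets (ns1 and ns2) have no A records, is easy to miss by eye, so here is a small checker for it. This is an added example written for this page, not code from the thread or from BIND; it parses only the minimal master-file syntax used in the posted zone (one record per line, a parenthesised multi-line SOA), and the zone text below is a constructed copy of what was posted. The names ORIGIN, parse_zone and missing_glue are chosen here.

```python
ORIGIN = "pcelements.com."

# Constructed copy of the zone as originally posted: NS records, but no A records for ns1/ns2.
ZONE_BEFORE = """\
$ttl 38400
pcelements.com.      IN      SOA      ns1.pcelements.com. xyz.pcelements.com. (
                  1298125782
                  10800
                  3600
                  604800
                  38400 )
pcelements.com.      IN      A      173.243.84.34
www.pcelements.com.      IN      A      173.243.84.34
mail.pcelements.com.      IN      CNAME      ghs.google.com.
pcelements.com.      IN      MX      1 ASPMX.L.GOOGLE.COM.
pcelements.com.      IN      MX      5 ALT1.ASPMX.L.GOOGLE.COM.
pcelements.com.      IN      NS      ns1.pcelements.com.
pcelements.com.      IN      NS      ns2.pcelements.com.
"""

# The same zone with the glue records Chris suggested.
ZONE_AFTER = ZONE_BEFORE + """\
ns1.pcelements.com.  IN A  173.243.84.34
ns2.pcelements.com.  IN A  173.243.84.34
"""


def fqdn(name, origin):
    """Make a name absolute: '@' is the origin, names without a trailing dot are relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata-tokens) tuples for the simple syntax used on this page."""
    records = []
    in_paren = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if in_paren:                               # inside a multi-line SOA: skip until ')'
            if ")" in line:
                in_paren = False
            continue
        if not line or line.startswith("$"):       # blank lines and $TTL/$ORIGIN directives
            continue
        tokens = line.split()
        if len(tokens) < 4 or tokens[1].upper() != "IN":
            continue
        if "(" in line and ")" not in line:
            in_paren = True
        records.append((fqdn(tokens[0], origin), tokens[2].upper(), tokens[3:]))
    return records


def missing_glue(text, origin):
    """Nameservers of the zone apex that live inside the zone but have no A/AAAA record in it."""
    records = parse_zone(text, origin)
    addressed = {owner.lower() for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    apex_ns = [fqdn(rdata[0], origin)
               for owner, rtype, rdata in records
               if rtype == "NS" and owner.lower() == origin.lower()]
    in_zone = [ns for ns in apex_ns if ns.lower().endswith("." + origin.lower())]
    return sorted(ns for ns in in_zone if ns.lower() not in addressed)


if __name__ == "__main__":
    print("before:", missing_glue(ZONE_BEFORE, ORIGIN))   # the two nameservers without glue
    print("after: ", missing_glue(ZONE_AFTER, ORIGIN))    # nothing missing
```

A resolver following the delegation has to turn ns1.pcelements.com into an address before it can ask it anything; when the only server holding that answer is the one being looked up, the address record has to be in the zone itself (and, as nemagee notes later in the thread, registered as glue at the registrar too).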
 

Author Comment

by:pcelements
ID: 34934474
I replaced the content of the file with yours. I restarted BIND. I'm still unable to receive emails and access my domain without the IP address.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34934484

Your server still does not respond to DNS requests. Firewall? IPTables?

Can you verify the service is actually up?

Chris
0
 

Author Comment

by:pcelements
ID: 34934508
I turned off the Firewall and restarted named service.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34934527

If you're not sure, try running:

iptables --list

You'd be looking for a rule set like this:

ACCEPT    udp  --   anywhere     anywhere     udp dpt:domain
ACCEPT    tcp  --   anywhere     anywhere     tcp dpt:domain

The first is the most important, the majority of traffic to your DNS service will use that.

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34934537

Still nothing, I can get to your web service, but no response to DNS.

Is there another firewall in front of this server? What kind of host are you running this on?

Chris
0
 

Author Comment

by:pcelements
ID: 34934544
[root@apollo ~]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
[root@apollo ~]#
0
 

Author Comment

by:pcelements
ID: 34934581
There is a router in front of the server, but http port is open. The IP address used for the server is the same for ns1.pcelements.com and ns2.pcelements.com.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34934586

Yeah, I saw :)

You'll need to open more than HTTP for this to work. Can you open UDP 53 (DNS / Domain) there as well?

Chris
0
 

Author Comment

by:pcelements
ID: 34934629
I'll need to go to my office for that. Give me 30 min more or less.
0
 

Author Comment

by:pcelements
ID: 34934822
We're getting somewhere!
OK, I opened the DNS port at my router, turned on the CentOS firewall and now I am able to access my domain using pcelements.com!!!

I am also able to receive and send emails!!!

But, when I access http://www.intodns.com/pcelements.com to check the DNS records, I still receive errors. Also, when I access http://www.google.com/support/a/bin/answer.py?hl=en&answer=33313 to check my MX records, I still get errors.

Is there something else I need to do?
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34934839

I still can't contact your DNS server, I get the same error if I pop that into "intodns.com":

ERROR: One or more of your nameservers did not respond:
The ones that did not responded are:
173.243.84.34

That is the right IP isn't it?

The firewall on CentOS, now it's back on can you post "iptables --list"?

Chris
0
 

Author Comment

by:pcelements
ID: 34934862
That is the only IP. It is used for the domains and both nameservers.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere            
ACCEPT     ah   --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ndmp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34934897
Thanks.

Let's see if I remember this stuff well enough. Please run:

iptables -A RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT

Then run this to make sure it's present:

iptables -L -v

If it is, we can test it, and if that works, running this should save the rule set:

service iptables save

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34934929

Actually, we might run it this way instead:

iptables -I RH-Firewall-1-INPUT 10 -p udp --dport 53 -j ACCEPT

That should insert it half way down, and should avoid the REJECT rule at the bottom which is a bit troubling.

Chris
0
 

Author Comment

by:pcelements
ID: 34934934
I ran the commands and this is the iptables --list result. I still receive the errors when checking DNS:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
RH-Firewall-1-INPUT  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere            
ACCEPT     ah   --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ndmp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
0
 
LVL 71

Accepted Solution

by: Chris Dent (earned 1000 total points)
ID: 34934949
Yeah, it's added it below REJECT, I was afraid it would do that (sorry, I don't use this very often).

Back to the command above, can we run these two:

iptables -D RH-Firewall-1-INPUT -p udp --dport 53 -j ACCEPT
iptables -I RH-Firewall-1-INPUT 10 -p udp --dport 53 -j ACCEPT

The first should delete the rule at the bottom, the second should insert it half way up the list.

Chris
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34934963

Bingo, I just got a reply from your name server :-D

Chris
0
 

Author Comment

by:pcelements
ID: 34934978
I think it is Perfect Now!!!
Please check in http://www.intodns.com/pcelements.com to see the warnings shown, to see if it is something that I can improve.
Thank You Very Much for your time and expertise!!!!!!!!!!!!!!!!!!!!!!!!!!
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34935006
Right, you're still getting a few errors flagged on IntoDNS, so I figure I'll pop up my thoughts about those in case you want to follow up on any of them.

> Recursive Queries

Generally speaking this is bad practice for public DNS servers as it opens you up to denial of service attacks. You can disable these in named.conf as follows (options section already exists, only here to indicate that's where it should go):
options {
  allow-recursion { none; };
};


If you use this as an internal resolver (if internal clients on the network use the DNS service) you should treat that a little more carefully.

If you only expect this to answer requests for pcelements.com, and not resolve www.google.com for someone else (for example) you should do this.

> WARNING: Not all of your nameservers are in different subnets
> WARNING: Single point of failure

The second message says it, both basically amount to the same thing, you have no fault tolerance. A hard one to resolve unless you get another site.

> Your SOA serial number is: 1298125783. This can be ok if you know what you are doing.

Convention / tradition has us build serial numbers in this format:

<Year><Month><Day><RevisionNumber>

e.g.

2011021901

This indicates the first change today; the second change today would be 02 instead of 01, etc. Then tomorrow's changes would start back at 2011022001.

It's not critical, if you wish to continue with the serial you have you can.

Chris
0
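Chris's serial-number convention above has one trap that his note does not spell out: secondaries and caches only pick up a new zone when the serial is "greater" in the 32-bit serial arithmetic of RFC 1982, so switching from a timestamp-style serial to the YYYYMMDDnn form only works if the jump is an increase of less than 2^31. The following is an added example, not code from the thread: it computes the next serial in the date form (bumping the revision for a second change on the same day, and falling back to a plain increment when the date form would not count as newer), checks the RFC 1982 ordering, and rewrites the serial inside the multi-line SOA layout used on this page. The names serial_is_newer, next_serial and bump_zone_serial are chosen here; the SOA fragment is a constructed copy of the posted one.

```python
import re
from datetime import date

SERIAL_MODULUS = 2 ** 32
HALF_RANGE = 2 ** 31


def serial_is_newer(new, old):
    """RFC 1982: `new` is greater than `old` when it is ahead by 1 .. 2^31-1 modulo 2^32."""
    diff = (new - old) % SERIAL_MODULUS
    return 0 < diff < HALF_RANGE


def next_serial(current, today):
    """Next serial in YYYYMMDDnn form, guaranteed to compare as newer than `current`."""
    day_base = int(today.strftime("%Y%m%d")) * 100      # e.g. 2011021900
    if day_base <= current < day_base + 100:
        candidate = current + 1                         # another change on the same day: nn -> nn+1
    elif serial_is_newer(day_base + 1, current):
        candidate = day_base + 1                        # first change today; also covers the switch
    else:                                               # from a timestamp-style serial like 1298125783
        candidate = (current + 1) % SERIAL_MODULUS      # serial already past today's date: just increment
    if not serial_is_newer(candidate, current):
        raise ValueError(f"cannot produce a newer serial than {current}")
    return candidate


# Matches the serial on the line after "SOA ... (" in the layout used by the posted zone.
SOA_SERIAL_RE = re.compile(r"(\sSOA\s[^\n]*\(\s*\n\s*)(\d+)")


def bump_zone_serial(zone_text, today):
    """Return (updated zone text, new serial) with the SOA serial replaced by next_serial()."""
    m = SOA_SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no multi-line SOA serial found")
    new = next_serial(int(m.group(2)), today)
    return zone_text[:m.start(2)] + str(new) + zone_text[m.end(2):], new


# Constructed copy of the SOA block posted in the question.
SOA_FRAGMENT = """\
pcelements.com.      IN      SOA      ns1.pcelements.com. xyz.pcelements.com. (
                  1298125782
                  10800
                  3600
                  604800
                  38400 )
"""

if __name__ == "__main__":
    text, serial = bump_zone_serial(SOA_FRAGMENT, date(2011, 2, 19))
    print(serial)            # 2011021901: the timestamp serial is replaced by the date form
    print(next_serial(serial, date(2011, 2, 19)))   # 2011021902: second change the same day
    print(text)
```

The fallback branch matters for anyone who has ever typed a serial with an extra digit: once the serial is beyond today's date form, the only safe move without the two-step wraparound dance is to keep incrementing, which is exactly what "This can be ok if you know what you are doing" in the IntoDNS message alludes to.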
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34935024

I'm off to bed now, so if I don't reply it's because I'm snoring :) Hopefully this is enough to keep you going for now anyway.

All the best,

Chris
0
 

Author Comment

by:pcelements
ID: 34935044
Thank You Again :) !!!
0
 
LVL 4

Expert Comment

by:nemagee
ID: 34937002
Port 53 is definitely needed for your DNS. Also, have you updated your domain record to point to your NS servers? You also have to register each NS with ICANN. This last step is the least obvious, but it is one reason your NS can be seen/queried even if your DNS isn't bug-free.
0
