Solved

new records in bind aren't being given out when doing nslookup....

Posted on 2011-03-02
16
433 Views
Last Modified: 2012-06-21
We had an old DNS server and I moved everything to a new box. DNS is working and it resolves names and internet, etc.

However, when I add a new record, update the serial in named.soa and then restart the named service, computers don't see the new records. Even if I do the lookup from the server itself it says it can't find it, even though I can see it in the zone file.

Can anyone tell me what I'm missing?
0
Comment
Question by:willlandymore
16 Comments
 
LVL 2

Expert Comment

by:PortableTech
ID: 35020890
Can you give me the domain name so I can run some tests on it?  I plan to use the dig tool to try and trace where the fault lies to make sure it is that system.
0
 
LVL 1

Author Comment

by:willlandymore
ID: 35020897
mercyships.org
0
 
LVL 2

Expert Comment

by:PortableTech
ID: 35020943
Ok, based on the trace below, it appears that this is hosted with Rackspace, and is using their name servers.  Can you verify that the IP address at the end also appears correct?

=========================

; <<>> DiG 9.7.1-P2 <<>> +trace mercyships.org
;; global options: +cmd
.                       32380   IN      NS      b.root-servers.net.
.                       32380   IN      NS      d.root-servers.net.
.                       32380   IN      NS      i.root-servers.net.
.                       32380   IN      NS      c.root-servers.net.
.                       32380   IN      NS      g.root-servers.net.
.                       32380   IN      NS      f.root-servers.net.
.                       32380   IN      NS      l.root-servers.net.
.                       32380   IN      NS      k.root-servers.net.
.                       32380   IN      NS      m.root-servers.net.
.                       32380   IN      NS      e.root-servers.net.
.                       32380   IN      NS      h.root-servers.net.
.                       32380   IN      NS      a.root-servers.net.
.                       32380   IN      NS      j.root-servers.net.
;; Received 500 bytes from 192.168.1.34#53(192.168.1.34) in 27 ms

org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    172800  IN      NS      a2.org.afilias-nst.info.
org.                    172800  IN      NS      b2.org.afilias-nst.org.
org.                    172800  IN      NS      d0.org.afilias-nst.org.
;; Received 434 bytes from 128.8.10.90#53(d.root-servers.net) in 35 ms

mercyships.org.         86400   IN      NS      ns2.rackspace.com.
mercyships.org.         86400   IN      NS      ns1.mercyships.org.
;; Received 97 bytes from 2001:500:b::1#53(c0.org.afilias-nst.info) in 64 ms

mercyships.org.         86400   IN      A       70.42.57.90
mercyships.org.         86400   IN      NS      ns.rackspace.com.
mercyships.org.         86400   IN      NS      ns2.rackspace.com.
;; Received 128 bytes from 65.61.188.4#53(ns2.rackspace.com) in 42 ms
0
 
LVL 2

Expert Comment

by:PortableTech
ID: 35021047
Also, can you provide me with a specific FQDN (Fully qualified domain name) that you are attempting to look up. Also, when you are doing this lookup are you on the new DNS server testing it, or on a client system.  If on the DNS server, can you verify that it is set to look at itself DNS resolution and not some other name server?
0
 
LVL 1

Author Comment

by:willlandymore
ID: 35021082
Well, the Rackspace one is in there, but then you can see ns1.mercyships.org, which is this box. I'm using:

nslookup server.mercyships.org ns1.mercyships.org

so that it specifically goes to itself to check that record. It's not finding it, which means that it's looking at itself and not getting it, even though it's sitting right there in /var/named/mercyships.org.

0
 
LVL 2

Expert Comment

by:PortableTech
ID: 35021117
Just to confirm, this is your current SOA serial number (2011030200).  Also, server.mercyships.org is the FQDN of the item that is not working, and not just an example, correct?
0
 
LVL 1

Author Comment

by:willlandymore
ID: 35021151
No, the name of the box is thunderball.mercyships.org and the serial number now is 2011030201.
0
 
LVL 2

Expert Comment

by:PortableTech
ID: 35021225
This is actually a bit odd.  The SOA for your ns1.mercyships.org seems to have regressed since I last loaded it, and is now stating (2011012600), and your Rackspace servers are showing a completely different answer.  Are you intending to even use the Rackspace servers any more?

Are you seeing any bind error messages in your /var/log/syslog?


=======================

; <<>> DiG 9.7.1-P2 <<>> thunderball.mercyships.org. @ns1.mercyships.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9062
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;thunderball.mercyships.org.    IN      A

;; AUTHORITY SECTION:
mercyships.org.         300     IN      SOA     ns1.mercyships.org. root.mercyships.org. 2011012600 1800 900 3600 1800

;; Query time: 64 msec
;; SERVER: 198.97.51.1#53(198.97.51.1)
;; WHEN: Wed Mar  2 15:04:50 2011
;; MSG SIZE  rcvd: 89

root@ryoko:~# dig thunderball.mercyships.org. @ns1.rackspace.com

; <<>> DiG 9.7.1-P2 <<>> thunderball.mercyships.org. @ns1.rackspace.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19926
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;thunderball.mercyships.org.    IN      A

;; AUTHORITY SECTION:
mercyships.org.         300     IN      SOA     ns.rackspace.com. hostmaster.rackspace.com. 1293861717 3600 300 1814400 300

;; Query time: 40 msec
;; SERVER: 69.20.95.4#53(69.20.95.4)
;; WHEN: Wed Mar  2 15:05:15 2011
;; MSG SIZE  rcvd: 107


0
 
LVL 1

Author Comment

by:willlandymore
ID: 35021440
No, I plan on removing the Rackspace hosts, but I need 2 external DNS servers before I can replace it.
0
 
LVL 2

Expert Comment

by:PortableTech
ID: 35021640
Well, my concern is that the Rackspace servers and your DNS are not in sync and are returning very different info; that could be causing problems with people being able to connect to you.  Not sure that is related to your initial issue, but a concern either way.  Other than that, are you seeing any errors in

/var/log/syslog

that are from the named process?
0
 
LVL 1

Author Comment

by:willlandymore
ID: 35021679
There are lots of entries in /var/log/messages concerning BIND, but they're to do with people trying zone transfers, etc.
0
 
LVL 2

Accepted Solution

by:
PortableTech earned 500 total points
ID: 35021780
Ok, try the following commands for me and post the results.  I am assuming these are being done on the DNS server itself.

dig thunderball.mercyships.org

dig thunderball.mercyships.org @127.0.0.1

dig thunderball.mercyships.org @ns1.mercyships.org
0
 
LVL 1

Author Comment

by:willlandymore
ID: 35021857
dig thunderball.mercyships.org

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> thunderball.mercyships.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6158
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;thunderball.mercyships.org.    IN      A

;; AUTHORITY SECTION:
mercyships.org.         300     IN      SOA     ns1.mercyships.org. root.mercyships.org. 2011012600 1800 900 3600 1800

;; Query time: 56 msec
;; SERVER: 198.97.51.1#53(198.97.51.1)
;; WHEN: Wed Mar  2 15:03:44 2011
;; MSG SIZE  rcvd: 89

===============


dig thunderball.mercyships.org @127.0.0.1

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> thunderball.mercyships.org @127.0.0.1
;; global options:  printcmd
;; connection timed out; no servers could be reached
[root@excalibur named]# dig thunderball.mercyships.org @ns1.mercyships.org

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> thunderball.mercyships.org @ns1.mercyships.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30159
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;thunderball.mercyships.org.    IN      A

;; AUTHORITY SECTION:
mercyships.org.         300     IN      SOA     ns1.mercyships.org. root.mercyships.org. 2011012600 1800 900 3600 1800

;; Query time: 0 msec
;; SERVER: 198.97.51.1#53(198.97.51.1)
;; WHEN: Wed Mar  2 15:05:06 2011
;; MSG SIZE  rcvd: 89

That serial number it's getting is from the old named.soa on the old server, but the record for ns1 points to the new box and the service on the old one is stopped...
0
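The three dig runs above are the right check: they compare what the default resolver, the loopback address and the named server itself answer for the same name. Reading the transcripts by eye is fine once, but the same comparison is worth automating when zone changes keep "not showing up", because the tell is in the AUTHORITY section: an authoritative NXDOMAIN carrying an SOA serial older than the one you just wrote means named loaded some other copy of the zone. The script below is an added example, not code from the thread or from BIND; the three transcripts are constructed from the answers quoted in this thread (same serials, flags and server addresses, but not live queries), and the expected serial 2011030201 is the one the author reported writing.

```python
import re

# Constructed sample dig output, modelled on the answers quoted in this thread
# (serials, flags and server addresses copied from those posts; not live queries).
DIG_DEFAULT = """\
; <<>> DiG 9.3.6-P1 <<>> thunderball.mercyships.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6158
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
mercyships.org.         300     IN      SOA     ns1.mercyships.org. root.mercyships.org. 2011012600 1800 900 3600 1800

;; SERVER: 198.97.51.1#53(198.97.51.1)
"""

DIG_LOOPBACK = """\
; <<>> DiG 9.3.6-P1 <<>> thunderball.mercyships.org @127.0.0.1
;; connection timed out; no servers could be reached
"""

DIG_RACKSPACE = """\
; <<>> DiG 9.7.1-P2 <<>> thunderball.mercyships.org. @ns1.rackspace.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19926
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
mercyships.org.         300     IN      SOA     ns.rackspace.com. hostmaster.rackspace.com. 1293861717 3600 300 1814400 300

;; SERVER: 69.20.95.4#53(69.20.95.4)
"""

STATUS_RE = re.compile(r"status:\s*(\w+)")
FLAGS_RE = re.compile(r";; flags:\s*([^;]*);")
SERVER_RE = re.compile(r";; SERVER:\s*(\S+)")
# zone  ttl  IN  SOA  mname  rname  serial ...
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+(\S+)\s+(\S+)\s+(\d+)\b", re.M)


def parse_dig(text):
    """Reduce one dig transcript to the fields that matter for a zone check."""
    if "no servers could be reached" in text:
        return {"status": "TIMEOUT", "aa": False, "mname": None, "serial": None, "server": None}
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    soa = SOA_RE.search(text)
    server = SERVER_RE.search(text)
    return {
        "status": status.group(1) if status else "UNKNOWN",
        "aa": bool(flags) and "aa" in flags.group(1).split(),
        "mname": soa.group(2) if soa else None,
        "serial": int(soa.group(4)) if soa else None,
        "server": server.group(1) if server else None,
    }


def audit(transcripts, expected_serial=None):
    """Compare parsed answers from several servers and return a list of findings.

    transcripts: {label: dig output}. expected_serial: the serial you just
    wrote into the zone file, if you want stale copies flagged.
    """
    parsed = {label: parse_dig(text) for label, text in transcripts.items()}
    findings = []
    soas = {label: (p["mname"], p["serial"]) for label, p in parsed.items() if p["serial"] is not None}
    if len(set(soas.values())) > 1:
        findings.append("SOA mismatch across servers: %s" % soas)
    for label, p in parsed.items():
        if p["status"] == "TIMEOUT":
            findings.append(f"{label}: no response (named not listening on that address, or filtered)")
        elif expected_serial is not None and p["serial"] != expected_serial:
            findings.append(
                f"{label}: serves serial {p['serial']}, not the expected {expected_serial} "
                "(named loaded a different copy of the zone, or was not reloaded)"
            )
        elif p["status"] == "NXDOMAIN" and p["aa"]:
            findings.append(f"{label}: authoritative NXDOMAIN; the name is absent from the zone this server loaded")
    return findings


def run_sample():
    """Run the audit over the constructed transcripts above."""
    return audit(
        {"default": DIG_DEFAULT, "loopback": DIG_LOOPBACK, "rackspace": DIG_RACKSPACE},
        expected_serial=2011030201,
    )


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

On the author's box this reports three things at once: the serial answered is the old 2011012600 rather than the one just written, nothing answers on 127.0.0.1 (named is not listening on loopback, which is why that dig timed out), and the Rackspace secondary carries an entirely different SOA, so the two published name servers disagree about the zone.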
 
LVL 1

Author Comment

by:willlandymore
ID: 35021890
Okay, I found something. The default install of BIND puts things in /var/named, but ours uses /var/named/chroot/var/named, so it's looking at the original copies of what's in the /var/named directory instead of using the links going to the deeper one.

Should I just delete the contents of that directory and then make the links pointing to the other ones?
0
 
LVL 2

Expert Comment

by:PortableTech
ID: 35021967
Well, you will either need to place the files where it is looking as you have a chrooted server, or change the bind startup scripts to point it to where you want them to be.

The -t option will allow you to point it to the chrooted directory:

-t /var/named/chroot/var/named

Generally that is used with the -u option if you are trying to enhance security by running it as a non-root user.  But I am unsure what you were trying to accomplish with the chroot initially, so I can only guess.
0
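The cause found in this thread is worth having as a check rather than a one-off discovery: when named runs with `-t <dir>`, every path in named.conf (the `directory` option and each zone's `file`) is resolved inside that chroot, so the file the admin edits under /var/named and the file named loads under /var/named/chroot/var/named are different copies unless they are linked. The chroot together with `-u` is the hardening layer; the fix that keeps it is to edit, or link, the copy inside the chroot, not to drop the chroot. The script below is an added example and not part of the thread or of BIND. It assumes you already have named's argument list (on the real host you would take it from the running process or the init script) and the `directory` and `file` values from named.conf; the two zone files, their serials and the temporary directory layout are constructed here to mirror the thread's situation.

```python
import os
import tempfile

# Constructed zone files: the copy the admin edited (serial bumped) and the
# untouched copy inside the chroot, which is the one named actually loads.
EDITED_ZONE = """\
$TTL 300
@   IN  SOA ns1.mercyships.org. root.mercyships.org. (
        2011030201  ; serial, bumped by the admin
        1800 900 3600 1800 )
    IN  NS  ns1.mercyships.org.
thunderball IN A 192.0.2.10   ; the new record (documentation address, constructed)
"""

CHROOT_ZONE = """\
$TTL 300
@   IN  SOA ns1.mercyships.org. root.mercyships.org. (
        2011012600  ; serial carried over from the old server
        1800 900 3600 1800 )
    IN  NS  ns1.mercyships.org.
"""


def zone_soa_serial(text):
    """Return the SOA serial from zone-file text (handles ';' comments and parentheses)."""
    stripped = " ".join(line.split(";", 1)[0] for line in text.splitlines())
    tokens = stripped.replace("(", " ").replace(")", " ").split()
    for i, tok in enumerate(tokens):
        if tok.upper() == "SOA":
            return int(tokens[i + 3])  # SOA mname rname serial refresh retry expire minimum
    raise ValueError("no SOA record found")


def chroot_from_args(argv):
    """Pick the -t <dir> chroot out of a named command line, or None if absent."""
    for i, arg in enumerate(argv):
        if arg == "-t" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-t") and len(arg) > 2:
            return arg[2:]
    return None


def effective_zone_path(chroot, directory, zone_file):
    """Host-filesystem path that named will open for this zone.

    directory is the options { directory "..."; } value and zone_file the
    zone's file "..." value from named.conf; both are interpreted inside the chroot.
    """
    inside = zone_file if os.path.isabs(zone_file) else os.path.join(directory, zone_file)
    if chroot:
        return os.path.join(chroot, inside.lstrip("/"))
    return inside


def check_zone_copies(argv, directory, zone_file, host_copy=None):
    """Compare the serial in the file named loads with the copy the admin edits.

    Returns both paths and serials plus a 'stale' flag; host_copy overrides the
    un-chrooted path (used here so the sample can live in a temp dir).
    """
    chroot = chroot_from_args(argv)
    loaded = effective_zone_path(chroot, directory, zone_file)
    edited = host_copy or effective_zone_path(None, directory, zone_file)
    with open(loaded) as fh:
        loaded_serial = zone_soa_serial(fh.read())
    edited_serial = None
    # A symlink from one copy to the other is fine; only two distinct files can diverge.
    if os.path.exists(edited) and os.path.realpath(edited) != os.path.realpath(loaded):
        with open(edited) as fh:
            edited_serial = zone_soa_serial(fh.read())
    return {
        "loaded_path": loaded,
        "loaded_serial": loaded_serial,
        "edited_path": edited,
        "edited_serial": edited_serial,
        "stale": edited_serial is not None and edited_serial != loaded_serial,
    }


def run_sample():
    """Recreate the thread's layout under a temp dir: var/named edited, chroot copy not."""
    root = tempfile.mkdtemp()
    host_dir = os.path.join(root, "var/named")
    chroot = os.path.join(root, "var/named/chroot")
    chroot_dir = os.path.join(chroot, "var/named")
    os.makedirs(host_dir)
    os.makedirs(chroot_dir)
    with open(os.path.join(host_dir, "mercyships.org"), "w") as fh:
        fh.write(EDITED_ZONE)
    with open(os.path.join(chroot_dir, "mercyships.org"), "w") as fh:
        fh.write(CHROOT_ZONE)
    argv = ["named", "-u", "named", "-t", chroot]  # constructed, mirrors -u/-t usage above
    return check_zone_copies(argv, directory="/var/named", zone_file="mercyships.org",
                             host_copy=os.path.join(host_dir, "mercyships.org"))


if __name__ == "__main__":
    print(run_sample())
```

The result shows `loaded_serial` 2011012600 against `edited_serial` 2011030201 with `stale` set, which is exactly the mismatch the dig output above exposed. If the chrooted copy is a symlink to the edited one, `realpath` resolves both to the same file and nothing is flagged; that is the layout the author was aiming for with the links.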
 
LVL 1

Author Comment

by:willlandymore
ID: 35021986
Eh, I just removed the chroot and then updated the files where it was actually looking.

Thanks.
0
