Solved

new records in bind aren't being given out when doing nslookup....

Posted on 2011-03-02
Medium Priority
447 Views
Last Modified: 2012-06-21
We had an old DNS server and I moved everything to a new box. DNS is working and it resolves names and internet, etc.

However, when I add a new record and then update the serial in named.soa and then restart the named service computers don't see the new records. Even if I do the lookup from the server itself it says it can't find it even though I can see it in the zone file.

Can anyone tell me what I'm missing?
Question by:willlandymore
16 Comments
 
LVL 2

Expert Comment

by:PortableTech
ID: 35020890
Can you give me the domain name so I can run some tests on it?  I plan to use the dig tool to try and trace where the fault lies to make sure it is that system.
 
LVL 1

Author Comment

by:willlandymore
ID: 35020897
mercyships.org
 
LVL 2

Expert Comment

by:PortableTech
ID: 35020943
Ok, based on the trace below, it appears that this is hosted with rackspace, and is using their name servers.  Can you verify that the ip address at the end also appears correct?

=========================

; <<>> DiG 9.7.1-P2 <<>> +trace mercyships.org
;; global options: +cmd
.                       32380   IN      NS      b.root-servers.net.
.                       32380   IN      NS      d.root-servers.net.
.                       32380   IN      NS      i.root-servers.net.
.                       32380   IN      NS      c.root-servers.net.
.                       32380   IN      NS      g.root-servers.net.
.                       32380   IN      NS      f.root-servers.net.
.                       32380   IN      NS      l.root-servers.net.
.                       32380   IN      NS      k.root-servers.net.
.                       32380   IN      NS      m.root-servers.net.
.                       32380   IN      NS      e.root-servers.net.
.                       32380   IN      NS      h.root-servers.net.
.                       32380   IN      NS      a.root-servers.net.
.                       32380   IN      NS      j.root-servers.net.
;; Received 500 bytes from 192.168.1.34#53(192.168.1.34) in 27 ms

org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    172800  IN      NS      a2.org.afilias-nst.info.
org.                    172800  IN      NS      b2.org.afilias-nst.org.
org.                    172800  IN      NS      d0.org.afilias-nst.org.
;; Received 434 bytes from 128.8.10.90#53(d.root-servers.net) in 35 ms

mercyships.org.         86400   IN      NS      ns2.rackspace.com.
mercyships.org.         86400   IN      NS      ns1.mercyships.org.
;; Received 97 bytes from 2001:500:b::1#53(c0.org.afilias-nst.info) in 64 ms

mercyships.org.         86400   IN      A       70.42.57.90
mercyships.org.         86400   IN      NS      ns.rackspace.com.
mercyships.org.         86400   IN      NS      ns2.rackspace.com.
;; Received 128 bytes from 65.61.188.4#53(ns2.rackspace.com) in 42 ms
 
LVL 2

Expert Comment

by:PortableTech
ID: 35021047
Also, can you provide me with a specific FQDN (Fully qualified domain name) that you are attempting to look up. Also, when you are doing this lookup are you on the new DNS server testing it, or on a client system.  If on the DNS server, can you verify that it is set to look at itself DNS resolution and not some other name server?
 
LVL 1

Author Comment

by:willlandymore
ID: 35021082
Well, the Rackspace one is in there, but then you can see the ns1.mercyships.org which is this box. I'm using:

nslookup server.mercyships.org ns1.mercyships.org

so that it specifically goes to itself to check that record. It's not finding it which means that it's looking at itself and not getting it even though it's sitting right there in /var/named/mercyships.org

 
LVL 2

Expert Comment

by:PortableTech
ID: 35021117
Just to confirm, this is your current SOA serial number (2011030200).  Also, server.mercyships.org is the FQDN of the item that is not working, and not just an example, correct?
 
LVL 1

Author Comment

by:willlandymore
ID: 35021151
No, the name of the box is thunderball.mercyships.org and the serial number now is 2011030201.
 
LVL 2

Expert Comment

by:PortableTech
ID: 35021225
This is actually a bit odd.  The SOA for your ns1.mercyships.org seems to have regressed since I last loaded it, and is now stating (2011012600), and your Rackspace servers are showing a completely different answer.  Are you intending to even use the Rackspace servers any more?

Are you seeing any bind error messages in your /var/log/syslog?


=======================

; <<>> DiG 9.7.1-P2 <<>> thunderball.mercyships.org. @ns1.mercyships.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9062
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;thunderball.mercyships.org.    IN      A

;; AUTHORITY SECTION:
mercyships.org.         300     IN      SOA     ns1.mercyships.org. root.mercyships.org. 2011012600 1800 900 3600 1800

;; Query time: 64 msec
;; SERVER: 198.97.51.1#53(198.97.51.1)
;; WHEN: Wed Mar  2 15:04:50 2011
;; MSG SIZE  rcvd: 89

root@ryoko:~# dig thunderball.mercyships.org. @ns1.rackspace.com                                                                                                    

; <<>> DiG 9.7.1-P2 <<>> thunderball.mercyships.org. @ns1.rackspace.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19926
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;thunderball.mercyships.org.    IN      A

;; AUTHORITY SECTION:
mercyships.org.         300     IN      SOA     ns.rackspace.com. hostmaster.rackspace.com. 1293861717 3600 300 1814400 300

;; Query time: 40 msec
;; SERVER: 69.20.95.4#53(69.20.95.4)
;; WHEN: Wed Mar  2 15:05:15 2011
;; MSG SIZE  rcvd: 107


 
LVL 1

Author Comment

by:willlandymore
ID: 35021440
No, I plan on removing the Rackspace hosts, but I need 2 external DNS servers before I can replace it.
 
LVL 2

Expert Comment

by:PortableTech
ID: 35021640
Well, my concern is that Rackspace and your DNS are not in sync and are returning very different info, which could be causing problems with people being able to connect to you.  Not sure that is related to your initial issue, but a concern either way.  Other than that, are you seeing any errors in

/var/log/syslog

that are from the named process?
 
LVL 1

Author Comment

by:willlandymore
ID: 35021679
There are lots of entries in /var/log/messages concerning bind, but they're to do with people trying zone transfers, etc.
 
LVL 2

Accepted Solution

by:PortableTech (earned 2000 total points)
ID: 35021780
Ok,  Try the following commands for me and post the results.  I am assuming these are being done on the DNS server itself.

dig thunderball.mercyships.org

dig thunderball.mercyships.org @127.0.0.1

dig thunderball.mercyships.org @ns1.mercyships.org
 
LVL 1

Author Comment

by:willlandymore
ID: 35021857
dig thunderball.mercyships.org

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> thunderball.mercyships.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6158
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;thunderball.mercyships.org.    IN      A

;; AUTHORITY SECTION:
mercyships.org.         300     IN      SOA     ns1.mercyships.org. root.mercyships.org. 2011012600 1800 900 3600 1800

;; Query time: 56 msec
;; SERVER: 198.97.51.1#53(198.97.51.1)
;; WHEN: Wed Mar  2 15:03:44 2011
;; MSG SIZE  rcvd: 89

===============


dig thunderball.mercyships.org @127.0.0.1

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> thunderball.mercyships.org @127.0.0.1
;; global options:  printcmd
;; connection timed out; no servers could be reached
[root@excalibur named]# dig thunderball.mercyships.org @ns1.mercyships.org

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> thunderball.mercyships.org @ns1.mercyships.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30159
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;thunderball.mercyships.org.    IN      A

;; AUTHORITY SECTION:
mercyships.org.         300     IN      SOA     ns1.mercyships.org. root.mercyships.org. 2011012600 1800 900 3600 1800

;; Query time: 0 msec
;; SERVER: 198.97.51.1#53(198.97.51.1)
;; WHEN: Wed Mar  2 15:05:06 2011
;; MSG SIZE  rcvd: 89

That serial number it's getting is from the old named.soa on the old server, but the record for ns1 points to the new box and the service on the old one is stopped...
 
LVL 1

Author Comment

by:willlandymore
ID: 35021890
Okay, I found something. The default install of bind puts things in /var/named, but ours uses /var/named/chroot/var/named..... so it's looking at the original copies of what's in the /var/named directory instead of using the links going to the deeper one.

Should I just delete the contents of that directory and then make the links pointing to the other ones?
 
LVL 2

Expert Comment

by:PortableTech
ID: 35021967
Well, you will either need to place the files where it is looking as you have a chrooted server, or change the bind startup scripts to point it to where you want them to be.

The -t option will allow you to point it to the chrooted directory:

-t /var/named/chroot/var/named

Generally that is used with the -u option if you are trying to enhance security by running it as a non-root user.  But I am unsure what you were trying to accomplish with the chroot initially, so I can only guess.
 
LVL 1

Author Comment

by:willlandymore
ID: 35021986
Eh, I just removed the chroot and then updated the files where it was actually looking.

Thanks.
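The diagnosis in this thread came down to one observation: the serial in the zone file on disk (2011030201) was not the serial the server answered with (2011012600), which means named was loading a file other than the one being edited, in this case because of the chroot. The script below is an added example, not part of the thread and not BIND's own tooling, that turns that observation into a repeatable check: it extracts the SOA serial from a zone file, extracts the served serial from saved dig output, reports a mismatch, and shows where a chrooted named really reads the named.conf "directory" option from. The zone file, dig output and named.conf are constructed samples (the serials and names are the ones quoted in the thread; the 192.0.2.10 address and the file paths under mktemp are made up); the chroot path /var/named/chroot is the one the author mentions.

```shell
#!/bin/sh
# Added example: detect "edited zone file != file named actually serves".
# Not from the thread; sample data below is constructed.

# Serial from a zone file on disk. Strip ';' comments, turn the parentheses of
# a multi-line SOA into spaces, flatten to one line, then take the third token
# after "SOA" (the record reads: SOA mname rname serial refresh retry expire min).
zone_serial() {
    sed 's/;.*//; s/[()]/ /g' "$1" | tr '\n' ' ' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "SOA") { print $(i + 3); exit } }'
}

# Serial from saved dig output. A record line has the shape
#   name ttl IN SOA mname rname serial refresh retry expire minimum
# so the serial is field 7; lines starting with ';' are dig commentary.
dig_serial() {
    awk '$1 !~ /^;/ && $4 == "SOA" { print $7; exit }' "$1"
}

# Effective zone directory: the "directory" option from named.conf, prefixed
# with the chroot given to named -t (if any). This is why editing /var/named
# on a chrooted server changes nothing: named reads /var/named/chroot/var/named.
# Usage: effective_zone_dir <named.conf> [chroot]
effective_zone_dir() {
    dir=$(sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    printf '%s%s\n' "${2:-}" "$dir"
}

# Compare the two serials; exit status 1 on mismatch so it can gate a deploy.
check_serial() {
    file_serial=$(zone_serial "$1")
    served_serial=$(dig_serial "$2")
    if [ "$file_serial" = "$served_serial" ]; then
        echo "OK: file and server both report serial $file_serial"
        return 0
    fi
    echo "MISMATCH: file has $file_serial, server answers $served_serial (named is loading a different file?)"
    return 1
}

# --- constructed sample data (not captured from the thread's servers) ---
WORK=$(mktemp -d)
ZONE="$WORK/mercyships.org"
DIGOUT="$WORK/dig.txt"
CONF="$WORK/named.conf"

cat > "$ZONE" <<'EOF'
$TTL 300
@   IN  SOA ns1.mercyships.org. root.mercyships.org. (
            2011030201 ; serial, bumped after adding thunderball
            1800       ; refresh
            900        ; retry
            3600       ; expire
            1800 )     ; minimum
    IN  NS  ns1.mercyships.org.
thunderball IN  A   192.0.2.10
EOF

# Saved dig output mirroring what the server answered in the thread: old serial.
cat > "$DIGOUT" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30159
;; AUTHORITY SECTION:
mercyships.org.         300     IN      SOA     ns1.mercyships.org. root.mercyships.org. 2011012600 1800 900 3600 1800
EOF

cat > "$CONF" <<'EOF'
options {
    directory "/var/named";
};
EOF

# On a live server, produce the dig file with (assumed usage, not from the thread):
#   dig +norecurse mercyships.org SOA @127.0.0.1 > dig.txt
check_serial "$ZONE" "$DIGOUT" || true
echo "chrooted named reads zones from: $(effective_zone_dir "$CONF" /var/named/chroot)"
echo "non-chrooted named reads zones from: $(effective_zone_dir "$CONF")"
```

Run it on the server after every zone edit and `rndc reload`; an OK means the server is serving the file you changed, a MISMATCH means look at the chroot, the startup options (`-t`, ROOTDIR in the init script) and the `directory` option before touching the zone again.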
