Jose Bredariol (Brazil) asked:

BIND configuration

I've installed LAMP (Ubuntu 10) and BIND9. But my site is working only on the server. I have one external fixed IP to the internet and another one (192.168.0.253) to my network. My configuration files are:


rev.medicinaperiop.com.br

; zone for medicinaperiop.com.br
; built on 2011-03-23 04:23:08
;

$TTL    604800
@                       IN      SOA     sbaubuntusr10.medicinaperiop.com.br. root.sbaubuntusr10.medicinaperiop.com.br (
                                201103241  ; Serial
                                86400    ; Refresh
                                7200     ; Retry
                                3600000    ; Expire
                                3600 )  ; Minimum

@                       IN      NS      sbaubuntusr10.medicinaperiop.com.br.
3                       IN      PTR     www.medicinaperiop.com.br.

------------------------------------------------------------------------------------
master.medicinaperiop.com.br

; zone for medicinaperiop.com.br
; built on 2011-03-23 04:23:08
$TTL    604800
medicinaperiop.com.br   IN      SOA     sbaubuntusr10.medicinaperiop.com.br. root.sbaubuntusr10.medicinaperiop.com.br (
                                2011032310; Serial
                                86400    ; Refresh
                                7200     ; Retry
                                3600000    ; Expire
                                3600 )  ; Minimum
;
sbaubuntusr10           IN      A       186.215.205.253
www                     IN      A       192.168.0.253

@                       IN      MX      5       sbaubuntusr10.medicinaperiop.co$
@                       IN      NS      sbaubuntusr10.medicinaperiop.com.br.
@                       IN      NS      186.215.205.253
@                       IN      A       192.168.0.253
53                              PTR     medicinaperiop.com.br.

--------------------------------------------------------------------------------------
named.conf.local

zone "medicinaperiop.com.br" {
type master;
file "/etc/bind/master.medicinaperiop.com.br";
};

zone "0.168.192.in-addr.arpa" {
type master;
file "/etc/bind/rev.medicinaperiop.com.br";
};
-----------------------------------------------------------------------------------
named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";


--------------------------------------------------------------------------------------
/etc/hosts


127.0.0.1       localhost.medicinaperiop.com.br localhost
192.168.0.253   sbaubuntusr10.medicinaperiop.com.br     medicinaperiop.com.br

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
---------------------------------------------------------------------------------------
/etc/hostname

sbaubuntusr10
arnold:

Can you run:
named-checkzone medicinaperiop.com.br /etc/bind/master.medicinaperiop.com.br
Do you get errors dealing with the MX line?
The other issue is that your system is not reflected as authoritative for the domain. You need to configure your domain's settings with afraid.org. One, and the simplest, option is for you to add the records within the afraid.org interface.
The other option is to configure the afraid.org DNS servers as BACKUPs to yours, which will mean that you have to make sure that their DNS server can connect to yours and transfer the data, while at the same time you would have to adjust the configuration of your local zone by adding NS records that point to the afraid.org DNS servers.

Internet queries -> afraid.org DNS. They will in turn connect periodically to your name server to check if an update has occurred, or when their servers receive a notification from your server that a change has been made.

Note that IPs in the ranges:
10.x.x.x
172.16-31.x.x
192.168.x.x
are private IP space and are non-routable, so your www record, when available on the net, would tell any visitor to www.medicinaperiop.com.br to go to 192.168.0.253. Provided you configured port forwarding, you should point the www A record to 186.215.205.253, as is the case for @ IN A.
A person will see a local website if and only if they have a local LAN web server on that IP.

Not sure why you have a PTR record for 53 within a forward zone.
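A small checker for the mistakes listed in the reply above (an added example, not code from the thread or from BIND): it parses the zone-file subset posted here and flags a large $TTL, a SOA RNAME without its trailing dot, A records pointing into RFC 1918 space, NS records whose data is an IP literal, and PTR records in a forward zone. The SAMPLE zone and the one-day TTL threshold are constructed for the example, modelled on the posted master zone.

```python
import ipaddress

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_TTL = 86400  # constructed threshold (one day); SAMPLE below is constructed too

def parse_zone(text):
    """Parse $TTL and 'owner [IN] [ttl] TYPE rdata' lines; '@' = origin, ';' starts a comment."""
    ttl, recs, owner, in_paren = None, [], "@", False
    for line in filter(str.strip, (raw.split(";", 1)[0].rstrip() for raw in text.splitlines())):
        if in_paren:                 # still inside a SOA's "( ... )" timer block
            in_paren = ")" not in line
            continue
        if line.startswith("$TTL"):
            ttl = int(line.split()[1])
            continue
        toks = line.split()
        if not line[0].isspace():    # a leading name starts a new owner
            owner = toks.pop(0)
        while toks and (toks[0] == "IN" or toks[0].isdigit()):   # optional class / TTL
            toks.pop(0)
        in_paren = "(" in toks and ")" not in toks
        recs.append((owner, toks[0], [t for t in toks[1:] if t not in ("(", ")")]))
    return ttl, recs

def lint_zone(text, origin):
    """One finding string per problem of the kinds raised in the reply above."""
    ttl, recs = parse_zone(text)
    out = [f"$TTL {ttl}: large TTL, changes propagate slowly"] if ttl and ttl > MAX_TTL else []
    for owner, rtype, rd in recs:
        name = origin if owner == "@" else owner
        if rtype == "SOA" and not rd[1].endswith("."):
            out.append(f"SOA RNAME {rd[1]}: no trailing dot, so the origin gets appended")
        elif rtype == "A" and any(ipaddress.ip_address(rd[0]) in n for n in PRIVATE):
            out.append(f"A {name} -> {rd[0]}: RFC1918 address, unreachable from the Internet")
        elif rtype == "NS" and rd[0].replace(".", "").isdigit():   # dotted-quad, not a name
            out.append(f"NS {name} -> {rd[0]}: NS data must be a host name, not an IP")
        elif rtype == "PTR" and not origin.endswith("in-addr.arpa"):
            out.append(f"PTR {name}: reverse record does not belong in forward zone {origin}")
    return out

# Constructed sample modelled on the master zone posted in the question.
SAMPLE = """$TTL 604800
@  IN SOA sbaubuntusr10.medicinaperiop.com.br. root.sbaubuntusr10.medicinaperiop.com.br (
          2011032310 86400 7200 3600000 3600 )
sbaubuntusr10 IN A 186.215.205.253
www           IN A 192.168.0.253
@             IN NS sbaubuntusr10.medicinaperiop.com.br.
@             IN NS 186.215.205.253
53               PTR medicinaperiop.com.br.
"""
```

Run it as `lint_zone(open("/etc/bind/master.medicinaperiop.com.br").read(), "medicinaperiop.com.br")` to check the real file; named-checkzone still has the final say on syntax.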
Jose Bredariol (asker):

Ok, I was getting some errors; now I've changed the file master.medicinaperiop.com.br and the command
named-checkzone medicinaperiop.com.br /etc/bind/master.medicinaperiop.com.br is resulting OK.
Here's the changes. But nothing yet.

----------------------

$TTL    604800
@                       IN      SOA     sbaubuntusr10.medicinaperiop.com.br.   $
                                2011032401      ; Serial
                                86400           ; Refresh
                                7200            ; Retry
                                3600000         ; Expire
                                3600 )          ; Minimum
;
sbaubuntusr10           IN      A       186.215.205.253
www                     IN      A       186.215.205.253

@                       IN      MX      5       sbaubuntusr10.medicinaperiop.co$
@                       IN      NS      sbaubuntusr10.medicinaperiop.com.br.
@                       IN      A       192.168.0.253

Your domain on the internet is pointed at afraid.org. When afraid.org DNS servers are asked about your domain they do not have the information.

Run the following command on the local system and paste the output:
dig @localhost axfr medicinaperiop.com.br
The above command connects to your named and retrieves the whole zone.
Your DNS server is inaccessible from outside.
The result of dig @localhost axfr medicinaperiop.com.br is:

; <<>> DiG 9.7.1-P2 <<>> @localhost axfr medicinaperiop.com.br
; (2 servers found)
;; global options: +cmd
medicinaperiop.com.br.      604800      IN      SOA      sbaubuntusr10.medicinaperiop.com.br. root.sbaubuntusr10.medicinaperiop.com.br. 2011032410 86400 7200 3600000 3600
medicinaperiop.com.br.      604800      IN      MX      5 sbaubuntusr10.medicinaperiop.com.br.
medicinaperiop.com.br.      604800      IN      NS      ns1.afraid.org.
medicinaperiop.com.br.      604800      IN      NS      ns2.afraid.org.
medicinaperiop.com.br.      604800      IN      NS      sbaubuntusr10.medicinaperiop.com.br.
sbaubuntusr10.medicinaperiop.com.br. 604800 IN A 186.215.205.253
www.medicinaperiop.com.br. 604800 IN      A      186.215.205.253
medicinaperiop.com.br.      604800      IN      SOA      sbaubuntusr10.medicinaperiop.com.br. root.sbaubuntusr10.medicinaperiop.com.br. 2011032410 86400 7200 3600000 3600
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 24 11:34:13 2011
;; XFR size: 8 records (messages 1, bytes 242)
The master.medicinaperiop.com.br is now:

$TTL    604800
@                       IN      SOA     sbaubuntusr10.medicinaperiop.com.br.   $
                                2011032410      ; Serial
                                86400           ; Refresh
                                7200            ; Retry
                                3600000         ; Expire
                                3600 )          ; Minimum
;
sbaubuntusr10           IN      A       186.215.205.253
www                     IN      A       186.215.205.253

@                       IN      MX      5       sbaubuntusr10.medicinaperiop.co$
@                       IN      NS      sbaubuntusr10.medicinaperiop.com.br.
@                       IN      NS      ns1.afraid.org.
@                       IN      NS      ns2.afraid.org.
New information: now, on my LAN, if I change the DNS to 192.168.0.253 I can get the page www.medicinaperiop.com.br.
Did you set up port forwarding on your router to allow requests coming in on port 80 to get to the internal system with IP 192.168.0.253?
Did you make changes to your external firewall to allow port 53 UDP and TCP packets to get to the server where you have bind running?
Does your bind configuration include the listening directive listen {any;} or do you have it restricted?
You would need to define an allow-transfer under the zone definition in named.conf to allow ns1.afraid.org, ns2.afraid.org, ns3.afraid.org, ns4.afraid.org etc. the right to retrieve the zone information from your server.

Did you make changes with afraid.org? Note that your current external setup is different from the one you are listing here.
I would recommend that if you are transitioning from managing your domain through their web interface to managing the domain on your own system, you use the existing setting until you can confirm that they are able to retrieve the information from your system. Once you confirm that and a sufficient amount of time has passed (7 days based on your $TTL 604800).

To speed up the transition, you should change your local zone settings to something smaller, i.e. 3600 or 7200 seconds (1 or 2 hours).
My named.conf.options is:
options {
        directory "/var/cache/bind";

        listen-on port 53 {any;};
        allow-query {any;};

        // forwarders {
        //      0.0.0.0;
        // };
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
---------------------------------------------------------------------
named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "medicinaperiop.com.br" {
type master;
allow-transfer {67.19.72.206;};
file "/etc/bind/master.medicinaperiop.com.br";
};

zone "0.168.192.in-addr.arpa" {
type master;
allow-transfer {67.19.72.206;};
file "/etc/bind/rev.medicinaperiop.com.br";
};
-----------------------------------------------------------------------------
Answering the questions:
The firewall is disabled now for testing.
The computer is connected directly now for testing.
I didn't understand the changes with afraid.org. How do I do that?
I changed the TTL to 3600.

You do not need to allow transfer on the private IP space (reverse zone).

Check with afraid.org to see the source of their requests when they are set up in a backup role, in case the IP you added is not the right one.

Do not disable the firewall; configure the rules you need:
port 80/443 web
port 53 DNS
port 25 mail server, if any

Which firewall did you disable? You may have iptables disabled on the local system while the external firewall/router is preventing the access.
Internet <=> router/firewall <=> LAN <=> your system
Check to make sure you have port forwarding configured on the router/firewall first. Then check your local system on whether it has iptables running (iptables -L) and then add the rules to allow the specific traffic.
My iptables:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
What about your external router/firewall?
You need to set up a rule on the router/firewall that faces the internet and has the public IP 186.215.
i.e. port 80 -> 192.168.0.253 port 80
port 53 UDP/TCP -> 192.168.0.253 53
etc.
I didn't have one on this network yet. We're changing our ISP; that's why I'm doing all those configurations. 186.215.205.253 is directly from my new ISP. This domain is for test only: medicinaperiop.com.br.
Is there any particular reason you want to host the domain's DNS in house versus managing these records via the web at afraid.org?
No, I just want it working. How can I finish the configuration using afraid.org?
Do you have an account with them, since it seems they are reflected as managing the domain's DNS records?
Access their web interface, log in, go to the DNS management interface and add www to point to your IP when it is connected.
My DNS configuration on afraid.org:

4 subdomains
medicinaperiop.com.br      [ add ]
      ftp.medicinaperiop.com.br (G)      Not Yet Configured.
      irc.medicinaperiop.com.br (G)      Not Yet Configured.
      mail.medicinaperiop.com.br (G)      Not Yet Configured.
      medicinaperiop.com.br (G)      A      186.215.205.253
You need to add
www IN CNAME @
or
www IN CNAME medicinaperiop.com.br.

which are one and the same
@ represents the zone name.
And you should be set.
Note that the $TTL that you have set is rather large and that may explain why it takes a long time for changes you make to propagate.
I changed the TTL to 3600.
Where do I need to add those values?
www IN CNAME @
or
www IN CNAME medicinaperiop.com.br.
on my master.medicinaperiop.com.br?
Click the add button displayed in your post.
The hostname/subdomain is www
The record type is CNAME (Alias)
The entry on the right is your domain medicinaperiop.com.br
Once you add it and these changes propagate, everyone going to www.medicinaperiop.com.br will be directed to your IP/webserver.
Like this:

      ftp.medicinaperiop.com.br (G)      Not Yet Configured.
      irc.medicinaperiop.com.br (G)      Not Yet Configured.
      medicinaperiop.com.br (G)      A      186.215.205.253
      mail.medicinaperiop.com.br (G)      A      186.215.205.253
      www.medicinaperiop.com.br (G)      CNAME      medicinaperiop.com.br

ASKER CERTIFIED SOLUTION
arnold
But I've changed the value to 3600. I'm still having to wait this time (7 days).
Thanks