• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 707
  • Last Modified:

BIND configuration

I´ve installed LAMP (Ubuntu 10) and BIND9. But my site is working only on the server. I have one external fixed IP  to internet and another one (192.168.0.253)  to my network. My configurations files are :


rev.medicinaperiop.com.br

; zone for medicinaperiop.com.br
; built on 2011-03-23 04:23:08
;

$TTL    604800
@                       IN      SOA     sbaubuntusr10.medicinaperiop.com.br. root.sbaubuntusr10.medicinaperiop.com.br (
                                201103241  ; Serial
                                86400    ; Refresh
                                7200     ; Retry
                                3600000    ; Expire
                                3600 )  ; Minimum

@                       IN      NS      sbaubuntusr10.medicinaperiop.com.br.
3                       IN      PTR     www.medicinaperiop.com.br.

------------------------------------------------------------------------------------
master.medicinaperiop.com.br

; zone for medicinaperiop.com.br
; built on 2011-03-23 04:23:08
$TTL    604800
medicinaperiop.com.br   IN      SOA     sbaubuntusr10.medicinaperiop.com.br. root.sbaubuntusr10.medicinaperiop.com.br (
                                2011032310; Serial
                                86400    ; Refresh
                                7200     ; Retry
                                3600000    ; Expire
                                3600 )  ; Minimum
;
sbaubuntusr10           IN      A       186.215.205.253
www                     IN      A       192.168.0.253

@                       IN      MX      5       sbaubuntusr10.medicinaperiop.co$
@                       IN      NS      sbaubuntusr10.medicinaperiop.com.br.
@                       IN      NS      186.215.205.253
@                       IN      A       192.168.0.253
53                              PTR     medicinaperiop.com.br.

--------------------------------------------------------------------------------------
named.conf.local

zone "medicinaperiop.com.br" {
type master;
file "/etc/bind/master.medicinaperiop.com.br";
};

zone "0.168.192.in-addr.arpa" {
type master;
file "/etc/bind/rev.medicinaperiop.com.br";
};
-----------------------------------------------------------------------------------
named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";


--------------------------------------------------------------------------------------
\etc\hosts


127.0.0.1       localhost.medicinaperiop.com.br localhost
192.168.0.253   sbaubuntusr10.medicinaperiop.com.br     medicinaperiop.com.br

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
---------------------------------------------------------------------------------------
\etc\hostname

sbaubuntusr10
0
Jose Bredariol
Asked:
Jose Bredariol
  • 13
  • 10
1 Solution
 
arnoldCommented:
can you run:
named-checkzone medicinaperiop.com.br /etc/bind/master.medicinaperiop.com.br
Do you get errors dealing with the MX line?
The other issue is that your system is not reflected as Authoritative for the domain.  You need to configure your domain's settings with afraid.org. one and the simplest option is for you to add the records within the afraid.org interface.
The other options is to configure the afraid.org DNS servers as BACKUPs to your which will mean that you have to make sure that their DNS server can connect to yours and transfer the data while at the same time, you would have to adjust the configuration of your local zone by adding NS records that point to the afraid.org DNS servers.

Internet queries -> afraid.org DNS They will inturn connect periodically to your name server to check if an update is occured or when their servers receive a notification from your server that a change has been made.

Note that IPs in the ranges:
10.x.x.x
172.16-31.255
192.168.x.x
are Private IP space and are nonroutable. Such that your www record when available on the net would tell any visitor to www.medicinaperiop.com.br to go to 192.168.0.253.  Provided you configured port forwarding, you should point www A record to 186.215.205.253 as is the case for @ IN A.
A person will see a local website if and only if they have a local LAN web server on that IP.

Not sure why you have a PTR record for 53 within a forward zone.
0
 
Jose BredariolPMPAuthor Commented:
Ok, I was getting some erros, now I´ve changed the file master.medicinaperiop.com.br and the command
named-checkzone medicinaperiop.com.br /etc/bind/master.medicinaperiop.com.br is resulting Ok.
Here´s the changes : But nothing yet.

----------------------

TTL    604800
@                       IN      SOA     sbaubuntusr10.medicinaperiop.com.br.   $
                                2011032401      ; Serial
                                86400           ; Refresh
                                7200            ; Retry
                                3600000         ; Expire
                                3600 )          ; Minimum
;
sbaubuntusr10           IN      A       186.215.205.253
www                     IN      A       186.215.205.253

@                       IN      MX      5       sbaubuntusr10.medicinaperiop.co$
@                       IN      NS      sbaubuntusr10.medicinaperiop.com.br.
@                       IN      A       192.168.0.253

0
 
arnoldCommented:
Your domain on the internet is pointed at affraid.org.  When affraid.org DNS servers are asked about your domain they do not have the information.

run the following command on the local system and paste the output
dig @localhost axfr medicinaperiop.com.br
The above command connects to your named and gets the whole zone retrieved.
your dns server is inaccessible from outside.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Jose BredariolPMPAuthor Commented:
The result of dig @localhost axfr medicinaperiop.com.br is :

; <<>> DiG 9.7.1-P2 <<>> @localhost axfr medicinaperiop.com.br
; (2 servers found)
;; global options: +cmd
medicinaperiop.com.br.      604800      IN      SOA      sbaubuntusr10.medicinaperiop.com.br. root.sbaubuntusr10.medicinaperiop.com.br. 2011032410 86400 7200 3600000 3600
medicinaperiop.com.br.      604800      IN      MX      5 sbaubuntusr10.medicinaperiop.com.br.
medicinaperiop.com.br.      604800      IN      NS      ns1.afraid.org.
medicinaperiop.com.br.      604800      IN      NS      ns2.afraid.org.
medicinaperiop.com.br.      604800      IN      NS      sbaubuntusr10.medicinaperiop.com.br.
sbaubuntusr10.medicinaperiop.com.br. 604800 IN A 186.215.205.253
www.medicinaperiop.com.br. 604800 IN      A      186.215.205.253
medicinaperiop.com.br.      604800      IN      SOA      sbaubuntusr10.medicinaperiop.com.br. root.sbaubuntusr10.medicinaperiop.com.br. 2011032410 86400 7200 3600000 3600
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 24 11:34:13 2011
;; XFR size: 8 records (messages 1, bytes 242)
0
 
Jose BredariolPMPAuthor Commented:
The master.medicinaperiop.com.br is now :

$TTL    604800
@                       IN      SOA     sbaubuntusr10.medicinaperiop.com.br.   $
                                2011032410      ; Serial
                                86400           ; Refresh
                                7200            ; Retry
                                3600000         ; Expire
                                3600 )          ; Minimum
;
sbaubuntusr10           IN      A       186.215.205.253
www                     IN      A       186.215.205.253

@                       IN      MX      5       sbaubuntusr10.medicinaperiop.co$
@                       IN      NS      sbaubuntusr10.medicinaperiop.com.br.
@                       IN      NS      ns1.afraid.org.
@                       IN      NS      ns2.afraid.org.
0
 
Jose BredariolPMPAuthor Commented:
New information, now, on my lan, If I change the DNS to 192.168.0.253 I can get the page www.medicinaperiop.com.br.
0
 
arnoldCommented:
Did you setup a port forwarding on your router to allow requests comming in on port 80 to get to the internal system with IP 192.168.0.253?
Did you make changes to your external firewall to allow port 53 UDP and TCP packets to get to the server where you have bind running?
Does your bind configuration includes listening directive listen {any;} or do you have it restricted?
You would need to define an allow-transfer under the zone definition in named.conf to allow ns1.afraid.org , ns2.afraid.org, ns3.afraid.org, ns4.afraid.org etc. the right to retrieve the zone information from your server.

Did you make changes with afraid.org note that your current external setup is different from the one you are listing here.
I would recommend that if you are transitioning from managing your domain through their web interface to managing the domain on your own system, that you use the existing setting until you can confirm that they are able to retrieve the information from your system. Once you confirm that and a sufficient amount of time passed (7 days based on your $TTL 604800).

To speed up the process for the transition, you should change your local zone settings to something smaller i.e. 3600,7200 seconds (1 or 2 hours)
0
 
Jose BredariolPMPAuthor Commented:
My named.conf.options is :
options {
        directory "/var/cache/bind";

        listen-on port 53 {any;};
        allow-query {any;};

        // forwarders {
        //      0.0.0.0;
        // };
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
---------------------------------------------------------------------
named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "medicinaperiop.com.br" {
type master;
allow-transfer {67.19.72.206;};
file "/etc/bind/master.medicinaperiop.com.br";
};

zone "0.168.192.in-addr.arpa" {
type master;
allow-transfer {67.19.72.206;};
file "/etc/bind/rev.medicinaperiop.com.br";
};
-----------------------------------------------------------------------------
Answering the questions :
The firewall is disable now for testing
The computer is conect directly now for testing
I din´t undertand the changes with afraid.org. How to do that ?
I change the TTL to 3600
   


0
 
arnoldCommented:
You do not need to allow transfer on the private IP space (reverse Zone)

Check with afraid.org to see the source of their requests when they are setup in a backup role.
If the IP you added is not the right one.

Do not disable the firewall, configure the rules you need:
port 80/443 web
port 53 DNS
port 25 mailserver if any

Which firewall did you disable?  You may have iptables disabled on the localsystem while the external firewall/router is preventing the access.
Internet <=> router/firewall <=> LAN <=> yoursystem
Check to make sure you have prot forwarding configured on the router/firewall first. Then check your local system on whether it has iptables running iptables -L and then add the rules to allow the specific traffic.
0
 
Jose BredariolPMPAuthor Commented:
My iptables :

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        
0
 
arnoldCommented:
what about your external router/firewall?
You need to setup a rule on the router/firewall that faces the internet and has the public IP 186.215.
i.e. port 80 -> 192.168.0.253 port 80
port 53 UDP/TCP -> 192.168.0.253 53
etc.
0
 
Jose BredariolPMPAuthor Commented:
I didn´t have one on this network yet. We´re changing our ISP that´s because I´m doing all those configurations. 186.215.205.253 is directly from my new ISP provider. This domain is for test only medicinaperiop.com.br
0
 
arnoldCommented:
Any particular reason you want to host the domain's DNS in house versus managing these records via the web at afraid.org?
0
 
Jose BredariolPMPAuthor Commented:
No, I just want it working. How can I finished the configuration using afraid.org ?
0
 
arnoldCommented:
Do you have an account with them since it seems they are reflected as managing the domain's DNS records.
Access their web interface, login and go to the DNS management interface and add www to point to your IP when it is connected.
0
 
Jose BredariolPMPAuthor Commented:
My DNS configuration on afraid.org

4 subdomains
medicinaperiop.com.br      [ add ]
      ftp.medicinaperiop.com.br (G)      Not Yet Configured.
      irc.medicinaperiop.com.br (G)      Not Yet Configured.
      mail.medicinaperiop.com.br (G)      Not Yet Configured.
      medicinaperiop.com.br (G)      A      186.215.205.253
0
 
arnoldCommented:
you need to add
www IN CNAME @
or
www IN CNAME medicinaperiop.com.br.

which are one and the same
@ represents the zone name.
And you should be set.
Note that the $TTL that you have set is rather large and that may explain why it takes a long time for changes you make to propagate.
0
 
Jose BredariolPMPAuthor Commented:
I chenged the TTL to 3600
Where do I need to add those values ?
www IN CNAME @
or
www IN CNAME medicinaperiop.com.br.
on my master.medicinaperiop.com.br ?
0
 
arnoldCommented:
Click the add botton displayed in your post.
The hostname/subdomain is www
The record type is CNAME (Alias)
The entry on the right is your domain medicinaperiop.com.br
Once you add and these changes propagate, everyong going to www.medicinaperiop.com.br will be directed to your IP/webserver.
0
 
Jose BredariolPMPAuthor Commented:
Like this :

      ftp.medicinaperiop.com.br (G)      Not Yet Configured.
      irc.medicinaperiop.com.br (G)      Not Yet Configured.
      medicinaperiop.com.br (G)      A      186.215.205.253
      mail.medicinaperiop.com.br (G)      A      186.215.205.253
      www.medicinaperiop.com.br (G)      CNAME      medicinaperiop.com.br
      
0
 
arnoldCommented:
Yes.  Not sure whether on the rights side medicinaperiop.com.br is terminated with a period(.) implicitly or whether you have to added explicitly.
The record seems fine.
You should give this information time to propagate max is the 7 days that your default zone TTL ($TTL 604800) was set before.
0
 
Jose BredariolPMPAuthor Commented:
But I´ve changed the value to 3600. I´m still having to wait this time (7 days)
0
 
Jose BredariolPMPAuthor Commented:
Thanks
0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

  • 13
  • 10
Tackle projects and never again get stuck behind a technical roadblock.
Join Now