Solved

BIND configuration

Posted on 2011-03-24
Last Modified: 2012-05-11
I've installed LAMP (Ubuntu 10) and BIND9, but my site is working only on the server. I have one external fixed IP to the internet and another one (192.168.0.253) to my network. My configuration files are:


rev.medicinaperiop.com.br

; zone for medicinaperiop.com.br
; built on 2011-03-23 04:23:08
;

$TTL    604800
@                       IN      SOA     sbaubuntusr10.medicinaperiop.com.br. root.sbaubuntusr10.medicinaperiop.com.br (
                                201103241  ; Serial
                                86400    ; Refresh
                                7200     ; Retry
                                3600000    ; Expire
                                3600 )  ; Minimum

@                       IN      NS      sbaubuntusr10.medicinaperiop.com.br.
3                       IN      PTR     www.medicinaperiop.com.br.

------------------------------------------------------------------------------------
master.medicinaperiop.com.br

; zone for medicinaperiop.com.br
; built on 2011-03-23 04:23:08
$TTL    604800
medicinaperiop.com.br   IN      SOA     sbaubuntusr10.medicinaperiop.com.br. root.sbaubuntusr10.medicinaperiop.com.br (
                                2011032310; Serial
                                86400    ; Refresh
                                7200     ; Retry
                                3600000    ; Expire
                                3600 )  ; Minimum
;
sbaubuntusr10           IN      A       186.215.205.253
www                     IN      A       192.168.0.253

@                       IN      MX      5       sbaubuntusr10.medicinaperiop.co$
@                       IN      NS      sbaubuntusr10.medicinaperiop.com.br.
@                       IN      NS      186.215.205.253
@                       IN      A       192.168.0.253
53                              PTR     medicinaperiop.com.br.

--------------------------------------------------------------------------------------
named.conf.local

zone "medicinaperiop.com.br" {
type master;
file "/etc/bind/master.medicinaperiop.com.br";
};

zone "0.168.192.in-addr.arpa" {
type master;
file "/etc/bind/rev.medicinaperiop.com.br";
};
-----------------------------------------------------------------------------------
named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";


--------------------------------------------------------------------------------------
/etc/hosts


127.0.0.1       localhost.medicinaperiop.com.br localhost
192.168.0.253   sbaubuntusr10.medicinaperiop.com.br     medicinaperiop.com.br

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
---------------------------------------------------------------------------------------
/etc/hostname

sbaubuntusr10
Question by:Jose Bredariol

Expert Comment

by:arnold
ID: 35206469
Can you run:
named-checkzone medicinaperiop.com.br /etc/bind/master.medicinaperiop.com.br
Do you get errors dealing with the MX line?
The other issue is that your system is not reflected as authoritative for the domain. You need to configure your domain's settings with afraid.org. One option, and the simplest, is for you to add the records within the afraid.org interface.
The other option is to configure the afraid.org DNS servers as BACKUPs to yours, which will mean that you have to make sure that their DNS server can connect to yours and transfer the data, while at the same time you would have to adjust the configuration of your local zone by adding NS records that point to the afraid.org DNS servers.

Internet queries -> afraid.org DNS. They will in turn connect periodically to your name server to check if an update has occurred, or when their servers receive a notification from your server that a change has been made.

Note that IPs in the ranges:
10.x.x.x
172.16-31.255
192.168.x.x
are private IP space and are non-routable, such that your www record, when available on the net, would tell any visitor to www.medicinaperiop.com.br to go to 192.168.0.253. Provided you configured port forwarding, you should point the www A record to 186.215.205.253, as is the case for @ IN A.
A person will see a local website if and only if they have a local LAN web server on that IP.

Not sure why you have a PTR record for 53 within a forward zone.
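Added example, not part of the thread: a small Python check for the three problems pointed out in the comment above (private addresses in a public forward zone, an NS record whose data is an IP literal instead of a host name, and a PTR record inside a forward zone). The zone text is constructed for the example from the records posted in the question; $ORIGIN and $INCLUDE are not interpreted.

```python
import ipaddress

# Constructed sample (not the poster's file verbatim), modelled on the forward zone in the question.
SAMPLE_ZONE = """\
$TTL    604800
@   IN  SOA sbaubuntusr10.medicinaperiop.com.br. root.sbaubuntusr10.medicinaperiop.com.br. (
            2011032310 86400 7200 3600000 3600 )   ; serial refresh retry expire minimum
sbaubuntusr10   IN  A   186.215.205.253
www             IN  A   192.168.0.253
@               IN  NS  sbaubuntusr10.medicinaperiop.com.br.
@               IN  NS  186.215.205.253
@               IN  A   192.168.0.253
53                  PTR medicinaperiop.com.br.
"""

CLASSES = {"IN", "CH", "HS"}

def parse_records(text):
    """Return (owner, type, rdata) tuples; handles comments, the SOA "( ... )"
    continuation, omitted TTL/class and inherited owners. $ORIGIN is not interpreted."""
    records, owner, depth = [], "@", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        was_open = depth > 0
        depth += line.count("(") - line.count(")")
        if was_open:                         # continuation line inside a multi-line SOA
            continue
        tokens = line.split()
        if not line[0].isspace():            # explicit owner name on this line
            owner = tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)                    # optional TTL and class
        if tokens:
            records.append((owner, tokens[0].upper(), tokens[1:]))
    return records

def lint_forward_zone(text, origin):
    """Flag records that cannot work in a zone served to the public internet."""
    findings = []
    for owner, rtype, rdata in parse_records(text):
        name = origin if owner == "@" else owner
        target = rdata[-1] if rdata else ""
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            addr = None                      # rdata is a host name, not an address
        if rtype == "A" and addr is not None and addr.is_private:
            findings.append(f"{name} A {target}: RFC 1918 address, unreachable from the internet")
        elif rtype == "NS" and addr is not None:
            findings.append(f"{name} NS {target}: NS rdata must be a host name, not an address")
        elif rtype == "PTR":
            findings.append(f"{name} PTR {target}: PTR records belong in the in-addr.arpa zone")
    return findings
```

Running `lint_forward_zone(SAMPLE_ZONE, "medicinaperiop.com.br")` reports four findings; the corrected zone the poster shows later in the thread would produce none.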

Author Comment

by:Jose Bredariol
ID: 35206863
OK, I was getting some errors. Now I've changed the file master.medicinaperiop.com.br and the command
named-checkzone medicinaperiop.com.br /etc/bind/master.medicinaperiop.com.br returns OK.
Here are the changes, but nothing yet.

----------------------

$TTL    604800
@                       IN      SOA     sbaubuntusr10.medicinaperiop.com.br.   $
                                2011032401      ; Serial
                                86400           ; Refresh
                                7200            ; Retry
                                3600000         ; Expire
                                3600 )          ; Minimum
;
sbaubuntusr10           IN      A       186.215.205.253
www                     IN      A       186.215.205.253

@                       IN      MX      5       sbaubuntusr10.medicinaperiop.co$
@                       IN      NS      sbaubuntusr10.medicinaperiop.com.br.
@                       IN      A       192.168.0.253


Expert Comment

by:arnold
ID: 35207244
Your domain on the internet is pointed at afraid.org. When afraid.org DNS servers are asked about your domain they do not have the information.

Run the following command on the local system and paste the output:
dig @localhost axfr medicinaperiop.com.br
The above command connects to your named and retrieves the whole zone.
Your DNS server is inaccessible from outside.

Author Comment

by:Jose Bredariol
ID: 35207266
The result of dig @localhost axfr medicinaperiop.com.br is:

; <<>> DiG 9.7.1-P2 <<>> @localhost axfr medicinaperiop.com.br
; (2 servers found)
;; global options: +cmd
medicinaperiop.com.br.      604800      IN      SOA      sbaubuntusr10.medicinaperiop.com.br. root.sbaubuntusr10.medicinaperiop.com.br. 2011032410 86400 7200 3600000 3600
medicinaperiop.com.br.      604800      IN      MX      5 sbaubuntusr10.medicinaperiop.com.br.
medicinaperiop.com.br.      604800      IN      NS      ns1.afraid.org.
medicinaperiop.com.br.      604800      IN      NS      ns2.afraid.org.
medicinaperiop.com.br.      604800      IN      NS      sbaubuntusr10.medicinaperiop.com.br.
sbaubuntusr10.medicinaperiop.com.br. 604800 IN A 186.215.205.253
www.medicinaperiop.com.br. 604800 IN      A      186.215.205.253
medicinaperiop.com.br.      604800      IN      SOA      sbaubuntusr10.medicinaperiop.com.br. root.sbaubuntusr10.medicinaperiop.com.br. 2011032410 86400 7200 3600000 3600
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 24 11:34:13 2011
;; XFR size: 8 records (messages 1, bytes 242)

Author Comment

by:Jose Bredariol
ID: 35207286
The master.medicinaperiop.com.br is now:

$TTL    604800
@                       IN      SOA     sbaubuntusr10.medicinaperiop.com.br.   $
                                2011032410      ; Serial
                                86400           ; Refresh
                                7200            ; Retry
                                3600000         ; Expire
                                3600 )          ; Minimum
;
sbaubuntusr10           IN      A       186.215.205.253
www                     IN      A       186.215.205.253

@                       IN      MX      5       sbaubuntusr10.medicinaperiop.co$
@                       IN      NS      sbaubuntusr10.medicinaperiop.com.br.
@                       IN      NS      ns1.afraid.org.
@                       IN      NS      ns2.afraid.org.

Author Comment

by:Jose Bredariol
ID: 35207516
New information: now, on my LAN, if I change the DNS to 192.168.0.253 I can get the page www.medicinaperiop.com.br.

Expert Comment

by:arnold
ID: 35207768
Did you set up port forwarding on your router to allow requests coming in on port 80 to get to the internal system with IP 192.168.0.253?
Did you make changes to your external firewall to allow port 53 UDP and TCP packets to get to the server where you have BIND running?
Does your BIND configuration include the listening directive listen {any;}, or do you have it restricted?
You would need to define an allow-transfer under the zone definition in named.conf to give ns1.afraid.org, ns2.afraid.org, ns3.afraid.org, ns4.afraid.org etc. the right to retrieve the zone information from your server.

Did you make changes with afraid.org? Note that your current external setup is different from the one you are listing here.
I would recommend that if you are transitioning from managing your domain through their web interface to managing the domain on your own system, you use the existing settings until you can confirm that they are able to retrieve the information from your system, and a sufficient amount of time has passed (7 days based on your $TTL 604800).

To speed up the transition, you should change your local zone settings to something smaller, i.e. 3600 or 7200 seconds (1 or 2 hours).

Author Comment

by:Jose Bredariol
ID: 35208085
My named.conf.options is:
options {
        directory "/var/cache/bind";

        listen-on port 53 {any;};
        allow-query {any;};

        // forwarders {
        //      0.0.0.0;
        // };
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
---------------------------------------------------------------------
named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "medicinaperiop.com.br" {
type master;
allow-transfer {67.19.72.206;};
file "/etc/bind/master.medicinaperiop.com.br";
};

zone "0.168.192.in-addr.arpa" {
type master;
allow-transfer {67.19.72.206;};
file "/etc/bind/rev.medicinaperiop.com.br";
};
-----------------------------------------------------------------------------
Answering the questions:
The firewall is disabled now for testing.
The computer is connected directly now for testing.
I didn't understand the changes with afraid.org. How do I do that?
I changed the TTL to 3600.

Expert Comment

by:arnold
ID: 35208196
You do not need to allow transfer on the private IP space (reverse zone).

Check with afraid.org to see the source of their requests when they are set up in a backup role, in case the IP you added is not the right one.

Do not disable the firewall; configure the rules you need:
port 80/443 web
port 53 DNS
port 25 mail server, if any

Which firewall did you disable? You may have iptables disabled on the local system while the external firewall/router is preventing the access.
Internet <=> router/firewall <=> LAN <=> your system
Check to make sure you have port forwarding configured on the router/firewall first. Then check your local system on whether it has iptables running (iptables -L) and then add the rules to allow the specific traffic.

Author Comment

by:Jose Bredariol
ID: 35208252
My iptables :

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere            
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

Expert Comment

by:arnold
ID: 35208353
What about your external router/firewall?
You need to set up a rule on the router/firewall that faces the internet and has the public IP 186.215.
i.e. port 80 -> 192.168.0.253 port 80
port 53 UDP/TCP -> 192.168.0.253 53
etc.

Author Comment

by:Jose Bredariol
ID: 35208745
I didn't have one on this network yet. We're changing our ISP; that's because I'm doing all those configurations. 186.215.205.253 is directly from my new ISP. This domain, medicinaperiop.com.br, is for test only.

Expert Comment

by:arnold
ID: 35209133
Any particular reason you want to host the domain's DNS in house versus managing these records via the web at afraid.org?

Author Comment

by:Jose Bredariol
ID: 35209153
No, I just want it working. How can I finish the configuration using afraid.org?

Expert Comment

by:arnold
ID: 35209188
Do you have an account with them, since it seems they are reflected as managing the domain's DNS records?
Access their web interface, log in, go to the DNS management interface and add www to point to your IP when it is connected.

Author Comment

by:Jose Bredariol
ID: 35209428
My DNS configuration on afraid.org:

4 subdomains
medicinaperiop.com.br      [ add ]
      ftp.medicinaperiop.com.br (G)      Not Yet Configured.
      irc.medicinaperiop.com.br (G)      Not Yet Configured.
      mail.medicinaperiop.com.br (G)      Not Yet Configured.
      medicinaperiop.com.br (G)      A      186.215.205.253

Expert Comment

by:arnold
ID: 35210454
You need to add
www IN CNAME @
or
www IN CNAME medicinaperiop.com.br.

which are one and the same;
@ represents the zone name.
And you should be set.
Note that the $TTL you have set is rather large, and that may explain why it takes a long time for changes you make to propagate.

Author Comment

by:Jose Bredariol
ID: 35210602
I changed the TTL to 3600.
Where do I need to add those values?
www IN CNAME @
or
www IN CNAME medicinaperiop.com.br.
In my master.medicinaperiop.com.br?

Expert Comment

by:arnold
ID: 35210659
Click the add button displayed in your post.
The hostname/subdomain is www.
The record type is CNAME (Alias).
The entry on the right is your domain, medicinaperiop.com.br.
Once you add it and these changes propagate, everyone going to www.medicinaperiop.com.br will be directed to your IP/web server.

Author Comment

by:Jose Bredariol
ID: 35210682
Like this:

      ftp.medicinaperiop.com.br (G)      Not Yet Configured.
      irc.medicinaperiop.com.br (G)      Not Yet Configured.
      medicinaperiop.com.br (G)      A      186.215.205.253
      mail.medicinaperiop.com.br (G)      A      186.215.205.253
      www.medicinaperiop.com.br (G)      CNAME      medicinaperiop.com.br
      

Accepted Solution

by:arnold (earned 250 total points)
ID: 35211026
Yes. Not sure whether on the right side medicinaperiop.com.br is terminated with a period (.) implicitly or whether you have to add it explicitly.
The record seems fine.
You should give this information time to propagate; the maximum is the 7 days that your default zone TTL ($TTL 604800) was set to before.

Author Comment

by:Jose Bredariol
ID: 35216330
But I've changed the value to 3600. Am I still having to wait this time (7 days)?

Author Closing Comment

by:Jose Bredariol
ID: 35219034
Thanks