[TriLUG] Bind question

Douglas Ward binaryflow at gmail.com
Thu Oct 6 06:25:48 EDT 2005


I figured out the internal address issue. I'm not sure why I keyed it into
the nccumc.org zone but I did. I switched it to the
public addresses. I have transferred all of our domains (38!) and they are
all working properly. Thanks for your assistance!

On 10/5/05, Aaron Joyner <aaron at joyner.ws> wrote:
>
> Douglas Ward wrote:
>
> >I have set up two bind servers (one with master zones and the other with
> >slave zones). After much research and work I have all of my domains set up
> >and have verified that transfers are working properly. Now is the time for
> >the servers to go live. I have pointed two test domains to these name
> >servers before moving anything in full production. Requests aren't making it
> >through. I think I have missed a step. Here is what I have done so far:
> >
> >1) Set up servers
> >2) Verified that transfers are working properly from master to slave
> >3) Entered all of my zones, A records, NS records, MX records etc...
> >4) Opened port 53 on the firewall for both servers
> >(ns1.nccumc.org and ns2.nccumc.org)
> >5) Registered both name servers as public servers through my domain
> >registrar
> >6) Pointed two domains (nccumc.com and nccumc.net) to the name servers
> >
> >I can't get through to them (name servers). While reading the O'Reilly book
> >on Bind it was suggested to use the following line in named.conf to restrict
> >all activity to port 53:
> >
> >query-source address * port 53;
> >
> >Have I missed a port (or range of ports) that should be opened? Maybe a
> >configuration step? Any suggestions would be most helpful. Thanks!
> >
> >
> Okay, let's work through this with the .com domains, and see where we
> end up. First, we query the .com name servers for nccumc.com (for you
> purists, yes I'm skipping the root nameservers, it's not relevant):
>
> $ dig +nocmd +nostats +noquery nccumc.com @a.gtld-servers.net
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3539
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
>
> ;; AUTHORITY SECTION:
> nccumc.com. 172800 IN NS ns1.nccumc.org.
> nccumc.com. 172800 IN NS ns2.nccumc.org.
>
> Okay, so far so good. This shows us that your registrar has done their
> job, and they're delegating to ns{1,2}.nccumc.org (again, for the
> purists, we'll skip the step of trying to resolve nccumc.org, it's
> working fine).
>
>
> $ dig +nocmd +nostats +noquery nccumc.com @ns1.nccumc.org
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42960
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; ANSWER SECTION:
> nccumc.com. 38400 IN A 70.150.217.67
>
> ;; AUTHORITY SECTION:
> nccumc.com. 38400 IN NS ns1.nccumc.org.
> nccumc.com. 38400 IN NS ns2.nccumc.org.
>
> ;; ADDITIONAL SECTION:
> ns1.nccumc.org. 38400 IN A 192.168.10.59
> ns2.nccumc.org. 38400 IN A 192.168.10.60
>
> So here we see that we got the answer you probably wanted, an A record
> of 70.150.217.67. But there's a subtle problem. The authority section
> is correct, it gives us ns1.nccumc.org back as the authoritative DNS
> servers, but the name server is attempting to be helpful, and gives us
> some "additional" records back, giving us the IP addresses of those .org
> name servers, as 192.168.10.{59,60}. Unfortunately, that will poison
> the cache of any future dns requests, as they'll know that the most
> authoritative answer for ns1.nccumc.org should be 192.168.10.59 and .60.
>
> So look at why ns1.nccumc.org believes that ns1.nccumc.org resolves to
> 192.168.10.59, and you'll be a lot better off. This might be a good
> time to consider views (read up on it, it'll help you do what you're
> probably trying to do, serve two views of internal vs external dns).
>
> Aaron S. Joyner
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>
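A defender-side check for the glue problem Aaron diagnoses above, added here as an example and not code from the thread: it parses dig's sectioned output and flags any ADDITIONAL-section A/AAAA record whose address is private, loopback or link-local, which is exactly what leaked out of ns1.nccumc.org. The embedded dig output is constructed to match the answer quoted in the thread; the function and regex names are my own.

```python
import ipaddress
import re

# Constructed sample in the shape of the dig answer quoted in the thread,
# including the 192.168.10.x glue that leaked into the ADDITIONAL section.
DIG_OUTPUT = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; ANSWER SECTION:
nccumc.com.             38400   IN      A       70.150.217.67

;; AUTHORITY SECTION:
nccumc.com.             38400   IN      NS      ns1.nccumc.org.
nccumc.com.             38400   IN      NS      ns2.nccumc.org.

;; ADDITIONAL SECTION:
ns1.nccumc.org.         38400   IN      A       192.168.10.59
ns2.nccumc.org.         38400   IN      A       192.168.10.60
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)$")


def parse_sections(text):
    """Group A/AAAA records by dig section: {'ANSWER': [(owner, ip), ...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = RR_RE.match(line)
        if m and current:
            sections[current].append((m.group(1), m.group(4)))
    return sections


def find_private_glue(text):
    """Return (owner, ip) pairs from ADDITIONAL that are not globally routable.

    Such glue tells every resolver that asks about the zone that the name
    server lives at an RFC 1918 address, poisoning their caches as described."""
    bad = []
    for owner, ip in parse_sections(text).get("ADDITIONAL", []):
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            bad.append((owner, ip))
    return bad


if __name__ == "__main__":
    for owner, ip in find_private_glue(DIG_OUTPUT):
        print(f"WARNING: {owner} advertised as {ip} in ADDITIONAL")
```

Feed it the output of the same dig query against your own authoritative servers; an empty result means the external view is handing out only public glue.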
