[TriLUG] Bind question
Aaron Joyner
aaron at joyner.ws
Wed Oct 5 18:16:06 EDT 2005
Douglas Ward wrote:
>I have set up two bind servers (one with master zones and the other with
>slave zones). After much research and work I have all of my domains set up
>and have verified that transfers are working properly. Now is the time for
>the servers to go live. I have pointed two test domains to these name
>servers before moving anything in full production. Requests aren't making it
>through. I think I have missed a step. Here is what I have done so far:
>
>1) Set up servers
>2) Verified that transfers are working properly from master to slave
>3) Entered all of my zones, a records, ns records, mx records etc...
>4) Opened port 53 on the firewall for both servers
>(ns1.nccumc.org and ns2.nccumc.org)
>5) Registered both name servers as public servers through my domain
>registrar
>6) Pointed two domains (nccumc.com and nccumc.net) to the name servers
>
>I can't get through to them (name servers). While reading the O'Reilly book
>on Bind it was suggested to use the following line in named.conf to restrict
>all activity to port 53:
>
>query-source address * port 53;
>
>Have I missed a port (or range of ports) that should be opened? Maybe a
>configuration step? Any suggestions would be most helpful. Thanks!
>
>
Okay, let's work through this with the .com domains, and see where we
end up. First, we query the .com name servers for nccumc.com (for you
purists, yes I'm skipping the root nameservers, it's not relevant):

$ dig +nocmd +nostats +noquery nccumc.com @a.gtld-servers.net
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3539
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; AUTHORITY SECTION:
nccumc.com. 172800 IN NS ns1.nccumc.org.
nccumc.com. 172800 IN NS ns2.nccumc.org.

Okay, so far so good. This shows us that your registrar has done their
job, and they're delegating to ns{1,2}.nccumc.org (again, for the
purists, we'll skip the step of trying to resolve nccumc.org, it's
working fine).

$ dig +nocmd +nostats +noquery nccumc.com @ns1.nccumc.org
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42960
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; ANSWER SECTION:
nccumc.com. 38400 IN A 70.150.217.67
;; AUTHORITY SECTION:
nccumc.com. 38400 IN NS ns1.nccumc.org.
nccumc.com. 38400 IN NS ns2.nccumc.org.
;; ADDITIONAL SECTION:
ns1.nccumc.org. 38400 IN A 192.168.10.59
ns2.nccumc.org. 38400 IN A 192.168.10.60

So here we see that we got the answer you probably wanted, an A record
of 70.150.217.67. But there's a subtle problem. The authority section
is correct, it gives us ns1.nccumc.org back as the authoritative DNS
servers, but the name server is attempting to be helpful, and gives us
some "additional" records back, giving us the IP addresses of those .org
name servers, as 192.168.10.{59,60}. Unfortunately, that will poison
the cache of any future DNS requests, as they'll know that the most
authoritative answer for ns1.nccumc.org should be 192.168.10.59 and .60.
So look at why ns1.nccumc.org believes that ns1.nccumc.org resolves to
192.168.10.59, and you'll be a lot better off. This might be a good
time to consider views (read up on it, it'll help you do what you're
probably trying to do, serve two views of internal vs external DNS).
Aaron S. Joyner
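The check Aaron walks through above, as an added example (not code from either poster): parse a dig response and flag ADDITIONAL-section glue records whose addresses are not globally routable, using the reply quoted in the thread as constructed sample input.

```python
import ipaddress
import re

# Constructed sample: the dig output quoted in the reply above.
SAMPLE_DIG = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; ANSWER SECTION:
nccumc.com. 38400 IN A 70.150.217.67
;; AUTHORITY SECTION:
nccumc.com. 38400 IN NS ns1.nccumc.org.
nccumc.com. 38400 IN NS ns2.nccumc.org.
;; ADDITIONAL SECTION:
ns1.nccumc.org. 38400 IN A 192.168.10.59
ns2.nccumc.org. 38400 IN A 192.168.10.60
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|NS)\s+(\S+)$")


def parse_dig(text):
    """Return {section_name: [(owner, ttl, rtype, rdata), ...]} from dig output."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if not line or line.startswith(";") or current is None:
            continue  # comments, blank lines, or text before any section
        rr = RR_RE.match(line)
        if rr:
            owner, ttl, rtype, rdata = rr.groups()
            sections[current].append((owner, int(ttl), rtype, rdata))
    return sections


def bad_glue(sections):
    """Glue (ADDITIONAL A/AAAA) records pointing at non-global addresses.

    A resolver will cache these, so an RFC 1918 address here means public
    clients learn an unreachable address for the name server.
    """
    bad = []
    for owner, _ttl, rtype, rdata in sections.get("ADDITIONAL", []):
        if rtype in ("A", "AAAA") and not ipaddress.ip_address(rdata).is_global:
            bad.append((owner, rdata))
    return bad


if __name__ == "__main__":
    for owner, addr in bad_glue(parse_dig(SAMPLE_DIG)):
        print(f"non-global glue: {owner} -> {addr}")
```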