BIND Setup Issue


Dear All, I have a CentOS 6.3 machine. I am trying to set up BIND DNS on that machine. It has a static global IP. I have done a lot of reading and Google searching and tried all possible options, but I am still not able to resolve the issue.

My named.conf looks as below.

// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 { 127.0.0.1; 10.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    query-source address * port 53;
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; 10.0.0.1/24; 10.0.0.254/24; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "netcloudjobs.com" {
    type master;
    file "netcloudjobs.com.fwd";
    allow-update { none; };
};

zone "189.201.173.in-addr.arpa" {
    type master;
    file "netcloudjobs.com.rev";
    allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Next, my forward zone file looks as below:

$TTL 86400
@ IN SOA ns1.netcloudjobs.com. root.netcloudjobs.com. (
2021071001 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)

@ IN NS ns1.netcloudjobs.com.
@ IN NS ns2.netcloudjobs.com.

ns1 IN A 173.201.189.43
ns2 IN A 173.201.189.43

And my reverse zone file looks as below:

$TTL 86400
@ IN SOA ns1.netcloudjobs.com. root.netcloudjobs.com. (
2021071001 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)

@ IN NS ns1.netcloudjobs.com.
@ IN NS ns2.netcloudjobs.com.
ns1 IN A 173.201.189.43
ns2 IN A 173.201.189.43
43 IN PTR ns1.netcloudjobs.com.
44 IN PTR ns2.netcloudjobs.com.
I suppose I am doing something wrong with the configuration. I have been working on this for more than 60 hours and still am not able to resolve ns1.netcloudjobs.com.

Can somebody help here?

Best Regards,
Austin

12 thoughts on - BIND Setup Issue

  • Dear All, my resolv.conf looks as below:

    search netcloudjobs.com
    nameserver 10.0.0.1
    nameserver 8.8.8.8
    nameserver 127.0.0.1

    I do not have any error logs.

    I just made one modification in named.conf. The line

    allow-query { localhost; 10.0.0.1/24; 10.0.0.254/24; };

    I modified to

    allow-query { any; };

    With this change, I am now able to ping ns1.netcloudjobs.com. The problem is 50% resolved.

    Kindly guide me on whether allow-query any is the right thing to do or not.

    Next, how do I make sure www.netcloudjobs.com resolves to my IP?

    On my BIND server, the command "dig www.netcloudjobs.com" gives the output below.

    [root@ip-173-201-189-43 named]#
    [root@ip-173-201-189-43 named]#
    [root@ip-173-201-189-43 named]# dig www.netcloudjobs.com

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.2 <<>> www.netcloudjobs.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16461
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;www.netcloudjobs.com. IN A

    ;; ANSWER SECTION:
    www.netcloudjobs.com. 86400 IN A 173.201.189.43

    ;; AUTHORITY SECTION:
    netcloudjobs.com. 86400 IN NS ns2.netcloudjobs.com.
    netcloudjobs.com. 86400 IN NS ns1.netcloudjobs.com.

    ;; ADDITIONAL SECTION:
    ns1.netcloudjobs.com. 86400 IN A 173.201.189.43
    ns2.netcloudjobs.com. 86400 IN A 173.201.189.43

    ;; Query time: 0 msec
    ;; SERVER: 10.0.0.1#53(10.0.0.1)
    ;; WHEN: Sun Mar 10 06:04:00 2013
    ;; MSG SIZE rcvd: 122

    [root@ip-173-201-189-43 named]#

    Can I assume that my configuration is proper? Since I am only just now able to ping ns1.netcloudjobs.com from remote machines, pinging www.netcloudjobs.com will take some more time.

    Please guide me…

    Austin
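Austin's question above, whether "allow-query { any; }" is the right thing to do, depends on what else is in the options block: with "recursion yes;" and no "allow-recursion", BIND 9 derives the recursion ACL from allow-query-cache and then from allow-query, so "any" there turns an authoritative server into an open recursive resolver. The check below is an added example, not from the thread; the hardened variant with "allow-recursion { localhost; 10.0.0.0/24; }" and the fallback chain as stated in the BIND 9 ARM are assumptions of the example, and the second function flags the posted prefixes 10.0.0.1/24 and 10.0.0.254/24 that have host bits set.

```python
import re
import ipaddress

# Constructed sample: the poster's options after the change to
# "allow-query { any; };" with "recursion yes;" left in place.
OPEN_OPTIONS = """
options {
    listen-on port 53 { 127.0.0.1; 10.0.0.1; };
    allow-query { any; };
    recursion yes;
};
"""
# Assumed hardened variant (not from the thread): answer authoritative
# queries from anywhere, but recurse only for localhost and the LAN.
HARDENED_OPTIONS = OPEN_OPTIONS.replace(
    "recursion yes;", "recursion yes;\n    allow-recursion { localhost; 10.0.0.0/24; };")
# The allow-query ACL exactly as originally posted.
ORIGINAL_ALLOW_QUERY = "allow-query { localhost; 10.0.0.1/24; 10.0.0.254/24; };"

def acl_items(conf, name):
    """Address-match list of `name { a; b; };`, or None if the option is absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}", conf)
    return None if m is None else [t.strip() for t in m.group(1).split(";") if t.strip()]

def effective_recursion_acl(conf):
    """Who may recurse, following the BIND 9 ARM fallback chain (assumed here):
    allow-recursion, else allow-query-cache, else allow-query, else the built-in default."""
    if re.search(r"\brecursion\s+no\s*;", conf):
        return []
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        acl = acl_items(conf, name)
        if acl is not None:
            return acl
    return ["localnets", "localhost"]

def is_open_resolver(conf):
    """True when any source may use this server for recursion (amplification exposure)."""
    return "any" in (a.lower() for a in effective_recursion_acl(conf))

def bad_prefixes(acl):
    """Prefixes whose host bits are set, e.g. 10.0.0.1/24: the address and the mask disagree."""
    bad = []
    for item in acl:
        if "/" in item:
            try:
                ipaddress.ip_network(item, strict=True)
            except ValueError:
                bad.append(item)
    return bad
```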

  • Who is your registrar for netcloudjobs.com and have they listed your two servers and their IP addresses?

    .44?

    .44?

  • Hi Austin,

    since your A record is fine and can be resolved, the issue is obviously not BIND related but lies somewhere in your network/firewall configuration.

    The last address that is visible in the traceroute output from here is

    so the issue must be somewhere between 208.109.113.174 and 173.201.189.43. Another IP (probably another customer of GoDaddy) in your /24 range is directly connected to 208.109.113.174 which makes it likely to be your next hop as well:

    So probably the issue is in your router setup (packet filters and/or NAT, if applicable) or in the configuration of your own machine (iptables?).

    Regards,

    Peter.

  • Austin already did that, and it doesn’t help.

    The name can already be resolved, and the address cannot be pinged either. I checked before I replied.

  • And along with this, you have DNSSEC enabled, so your firewall and router have to support EDNS. I am fighting that for my domain right now….

  • On 10.03.2013 12:57, Austin Einter wrote:

    After reading the entire thread I am still not sure what your actual issue is. I can only guess some name resolution is not working as expected.

    Please state:
    – From which machine are you trying to resolve?
    – Which name are you trying to resolve?
    – Which result are you expecting?
    – Which result do you get?

    In the meantime, a few comments on your config.

    That doesn’t look right. You said your machine has a public IP address but you make it listen on a private IP address and localhost only.

    That doesn’t look right either. If your machine does IPv6, why have it listen only on localhost? If it doesn’t, why have it listen on IPv6 at all?

    This doesn’t look right at all. Neither 10.0.0.1 nor 10.0.0.254 are compatible with a /24 netmask.

    I don’t think it’s a good idea to activate DNSSEC before you have the basics running.

    It’s very strange to declare two nameservers with the same address. Why put in ns2 in the first place if it’s actually the same machine as ns1?
    That doesn’t make sense.

    These entries are wrong here. Simple explanation: A RRs belong in the forward zone, not the reverse zone. Complex explanation: The RRs you actually create by this look like this:

    ns1.189.201.173.in-addr.arpa. IN A 173.201.189.43
    ns2.189.201.173.in-addr.arpa. IN A 173.201.189.43

    You have a forward/reverse mismatch here. Your reverse zone resolves
    173.201.189.44 to ns2.netcloudjobs.com but your forward zone resolves that to 173.201.189.43 instead of 173.201.189.44.

    I am:

    [ts@dns01 ~]$ host ns1.netcloudjobs.com
    ns1.netcloudjobs.com has address 173.201.189.43
    [ts@dns01 ~]$

    Looks fine to me. So again, please state from where you are trying the resolution, which result you expect and which result you get.
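The two zone-file problems T. points out above, A RRs placed in the reverse zone and the PTR for .44 naming ns2 while the forward zone gives ns2 the address .43, can be checked mechanically. This is an added example, not from the thread: the zone texts are constructed copies of the poster's files with the SOA collapsed to one line, and the parser handles only one-line records with an explicit IN class field.

```python
# Forward and reverse zone origins as configured in the poster's named.conf.
FWD_ORIGIN = "netcloudjobs.com."
REV_ORIGIN = "189.201.173.in-addr.arpa."

# Constructed copies of the posted zone files (multi-line SOA collapsed to one line).
FORWARD_ZONE = """$TTL 86400
@ IN SOA ns1.netcloudjobs.com. root.netcloudjobs.com. ( 2021071001 3600 1800 604800 86400 )
@ IN NS ns1.netcloudjobs.com.
@ IN NS ns2.netcloudjobs.com.
ns1 IN A 173.201.189.43
ns2 IN A 173.201.189.43
"""
REVERSE_ZONE = """$TTL 86400
@ IN SOA ns1.netcloudjobs.com. root.netcloudjobs.com. ( 2021071001 3600 1800 604800 86400 )
@ IN NS ns1.netcloudjobs.com.
@ IN NS ns2.netcloudjobs.com.
ns1 IN A 173.201.189.43
ns2 IN A 173.201.189.43
43 IN PTR ns1.netcloudjobs.com.
44 IN PTR ns2.netcloudjobs.com.
"""

def parse_zone(text, origin):
    """Return (owner_fqdn, type, rdata) for one-line records; $-directives and SOA are skipped."""
    out = []
    for line in text.splitlines():
        parts = line.split(";")[0].split()      # drop ;comments, split on whitespace
        if len(parts) < 4 or parts[0].startswith("$") or parts[1] != "IN" or parts[2] == "SOA":
            continue
        owner = parts[0]
        fqdn = origin if owner == "@" else (owner if owner.endswith(".") else f"{owner}.{origin}")
        out.append((fqdn, parts[2], " ".join(parts[3:])))
    return out

def ptr_to_ip(owner):
    """'43.189.201.173.in-addr.arpa.' -> '173.201.189.43'"""
    return ".".join(reversed(owner.rstrip(".").split(".")[:-2]))

def check_zones(fwd_text, rev_text):
    fwd_a = {}                                   # name -> set of A addresses
    for name, rtype, rdata in parse_zone(fwd_text, FWD_ORIGIN):
        if rtype == "A":
            fwd_a.setdefault(name, set()).add(rdata)
    problems = []
    for name, rtype, rdata in parse_zone(rev_text, REV_ORIGIN):
        if rtype == "A":                         # A RRs belong in the forward zone
            problems.append(f"A record {name} in reverse zone")
        elif rtype == "PTR" and ptr_to_ip(name) not in fwd_a.get(rdata, set()):
            problems.append(f"PTR {ptr_to_ip(name)} -> {rdata}, but forward A is {sorted(fwd_a.get(rdata, []))}")
    return problems

if __name__ == "__main__":
    for problem in check_zones(FORWARD_ZONE, REVERSE_ZONE):
        print(problem)
```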

  • On 10.03.2013 14:50, Austin Einter wrote:

    It seems you already fixed that and just forgot to tell the list.

    This zone file does not contain an A RR for netcloudjobs.com itself, but if I dig netcloudjobs.com now I do get one. So obviously you have added it in the meantime.

    Generally speaking:
    1. fix the name resolution (you already did that)
    2. fix the network connectivity and/or firewall issues preventing your ping packets from getting through

    HTH
    T.

  • On 10.03.2013 16:34, Peter Eckel wrote:

    Yes it does. The name can now be resolved.

    Only since he added the A RR.

    That’s a separate problem, and has nothing to do with BIND. What’s more, given the complete lack of information about the network topology and involved components, we cannot even guess what may be the issue here. Routing? Firewall? NAT? Hardware? Everything’s possible.
