Setting up nameserver - bind

Discussion related to network/web services such as Apache, BIND, Sendmail, etc.

Postby NuLL3rr0r » 22 Jan 2010, 17:19

Hi,

First of all sorry for bad English.

I'm a newcomer to FreeBSD, and I'm going to like it.
Before I tried FreeBSD, I had a Linux VPS (my ISP set it up for me). I decided to drop it in favor of FreeBSD and installed FreeBSD from scratch on VMware ESXi 4.0 (my ISP only offers Linux VPSs, but they agreed to let me set it up myself).

The problem is I know nothing about setting up DNS and a nameserver.

I followed this guide to set up the BIND nameserver:
http://www.freebsd.org/doc/handbook/network-dns.html


The Server Spec:
Code:
http://91.194.91.7/
ns1.babaei.net 91.194.90.11
ns2.babaei.net 91.194.90.12
ns3.babaei.net 193.200.241.6
ns4.babaei.net 93.104.209.252




I edited /etc/rc.conf:
Code:
named_enable="YES"



/etc/namedb/named.conf
Code:
zone "babaei.net" {
    type master;
    file "master/babaei.net";
};

zone "1.168.192.in-addr.arpa" {
        type slave;
        file "slave/1.168.192.in-addr.arpa";
        masters {
                192.168.1.1;
        };
};



/etc/namedb/master/babaei.net
Code:
$TTL 3600        ; 1 hour default TTL
babaei.net.    IN      SOA      ns1.babaei.net. root.babaei.net. (
                                2010012208      ; Serial
                                10800           ; Refresh
                                3600            ; Retry
                                604800          ; Expire
                                300             ; Negative Response TTL
                        )

; DNS Servers
                IN      NS      ns1.babaei.net.
                IN      NS      ns2.babaei.net.
                IN      NS      ns3.babaei.net.
                IN      NS      ns4.babaei.net.

; MX Records
                IN      MX 10   mx.babaei.net.
                IN      MX 20   mail.babaei.net.

                IN      A       91.194.91.7

; Machine Names
localhost       IN      A       127.0.0.1
ns1             IN      A       91.194.90.11
ns2             IN      A       93.104.209.252
ns3             IN      A       193.200.241.6
ns4             IN      A       91.194.90.12
mx              IN      A       91.194.91.7
mail            IN      A       91.194.91.7

; Aliases
www             IN      CNAME   babaei.net.



/etc/namedb/slave/1.168.192.in-addr.arpa
Code:
$TTL 3600

1.168.192.in-addr.arpa. IN SOA ns1.babaei.net. root.babaei.net. (
                        2010012208      ; Serial
                        10800           ; Refresh
                        3600            ; Retry
                        604800          ; Expire
                        300 )           ; Negative Response TTL

        IN      NS      ns1.babaei.net.
        IN      NS      ns2.babaei.net.
        IN      NS      ns3.babaei.net.
        IN      NS      ns4.babaei.net.

1       IN      PTR     babaei.net.
2       IN      PTR     ns1.babaei.net.
3       IN      PTR     ns2.babaei.net.
4       IN      PTR     ns3.babaei.net.
5       IN      PTR     ns4.babaei.net.
6       IN      PTR     mx.babaei.net.
7       IN      PTR     mail.babaei.net.



Code:
# named-checkzone babaei.net /etc/namedb/master/babaei.net
zone babaei.net/IN: loaded serial 2010012208
OK

# /etc/rc.d/named reload
// or
# rndc reload




When I tried this from the VPS itself:
Code:
# host -t ns babaei.net
babaei.net name server ns4.babaei.net.
babaei.net name server ns2.babaei.net.
babaei.net name server ns3.babaei.net.
babaei.net name server ns1.babaei.net.



I tried this for 5 days, and still I can't browse my website:

http://checkdns.net/quickcheck.aspx?domain=www.babaei.net&detailed=1

Code:
  Tried to fetch SOA record for domain, but DNS server ns1.babaei.net [91.194.90.11] returned error code Refused
  Error fetching SOA from ns2.babaei.net [93.104.209.252]: Connection reset. Probably DNS server is offline.
  Tried to fetch SOA record for domain, but DNS server ns3.babaei.net [193.200.241.6] returned error code Refused
  Tried to fetch SOA record for domain, but DNS server ns4.babaei.net [91.194.90.12] returned error code Refused



It's a rock-solid OS and I didn't want to ignore it just because I can't set up DNS in BIND or my ISP doesn't support FreeBSD.


Thanks in Advance.
NuLL3rr0r
Member
Posts: 105
Joined: 19 Jan 2010, 04:17

Postby DutchDaemon » 22 Jan 2010, 20:01

As far as I can see, your domain registration lacks glue records. Glue records are needed when a domain's nameservers are within that domain. So the problem is that nobody can find the IP address for the nameservers, because there's no way to ask the nameservers for the IP address, because the IP address for the nameservers is not known, making it impossible to find .... you see where this is going? So your domain registration needs to contain the IP addresses for your nameservers as well as their names.

Code:
Domain servers in listed order:
    ns4.babaei.net
    ns3.babaei.net
    ns2.babaei.net
    ns1.babaei.net


Code:
$ dnscheck -c -r -v -z babaei.net
[   ] /usr/bin/dig +norecurse ns "babaei.net" "@a.root-servers.net"
[net] /usr/bin/dig +norecurse ns "babaei.net" "@h.gtld-servers.net"
      + babaei.net. IN NS ns1.babaei.net. (serial 0)
      + babaei.net. IN NS ns2.babaei.net. (serial 0)
      + babaei.net. IN NS ns3.babaei.net. (serial 0)
      + babaei.net. IN NS ns4.babaei.net. (serial 0)

[   ] /usr/bin/dig ns "babaei.net" "@localhost"
babaei.net (serial 0)
 ns1.babaei.net                    -
 ns2.babaei.net                    -
 ns3.babaei.net                    -
 ns4.babaei.net                    -


This may or may not relate to the errors you're experiencing, but it's an error nonetheless.
DutchDaemon
Old Fart
Posts: 10467
Joined: 16 Nov 2008, 20:17
Location: The Netherlands
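The nameserver list in the "Server Spec" and the A records in the posted zone file disagree on ns2 and ns4, which is exactly the kind of mismatch DutchDaemon's glue-record point turns on. As an added example (not code from the thread or from BIND), the script below parses the posted zone, checks that every name in the apex NS set has an in-zone A record, that the SOA MNAME is one of those nameservers, and that the A records match the registrar's glue; it assumes the Server Spec list is what the registrar holds.

```python
import re
# Constructed from the thread: the posted zone file (abridged) and, as an
# assumption, the "Server Spec" list taken as the glue held at the registrar.
ZONE_TEXT = """\
$TTL 3600
babaei.net.    IN  SOA  ns1.babaei.net. root.babaei.net. (
                        2010012208 10800 3600 604800 300 )   ; serial etc.
               IN  NS   ns1.babaei.net.
               IN  NS   ns2.babaei.net.
               IN  NS   ns3.babaei.net.
               IN  NS   ns4.babaei.net.
               IN  A    91.194.91.7
ns1            IN  A    91.194.90.11
ns2            IN  A    93.104.209.252
ns3            IN  A    193.200.241.6
ns4            IN  A    91.194.90.12
www            IN  CNAME babaei.net.
"""
REGISTRAR_GLUE = {"ns1.babaei.net.": "91.194.90.11", "ns2.babaei.net.": "91.194.90.12",
                  "ns3.babaei.net.": "193.200.241.6", "ns4.babaei.net.": "93.104.209.252"}

def parse_zone(text, origin):
    """Minimal master-file reader: drops comments, folds ( ) continuations,
    qualifies relative owners with the origin and inherits a blank owner."""
    text = re.sub(r";.*", "", text)                       # strip comments first
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0)[1:-1].split()), text)
    records, owner = [], origin
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("$"):       # blank line or $TTL/$ORIGIN
            continue
        if not line[0].isspace():                         # explicit owner name
            owner = fields.pop(0)
            owner = owner if owner.endswith(".") else f"{owner}.{origin}"
        rtype = next(f for f in fields if f in {"SOA", "NS", "A", "MX", "CNAME"})
        records.append((owner, rtype, fields[fields.index(rtype) + 1:]))
    return records

def check_glue(records, origin, registrar_glue):
    """Return the problems found; an empty list means zone and delegation agree."""
    ns_names = {r[2][0] for r in records if r[0] == origin and r[1] == "NS"}
    a_map = {r[0]: r[2][0] for r in records if r[1] == "A"}
    mname = next(r[2][0] for r in records if r[1] == "SOA")
    problems = [] if mname in ns_names else [f"SOA MNAME {mname} is not in the NS set"]
    for ns in sorted(ns_names):
        if ns not in a_map:     # an in-zone NS needs an A record, or nothing can serve as glue
            problems.append(f"{ns} has no A record in the zone")
        elif a_map[ns] != registrar_glue.get(ns):
            problems.append(f"{ns}: zone says {a_map[ns]}, registrar glue says {registrar_glue.get(ns)}")
    return problems
```

Run against the posted data it reports the swapped ns2/ns4 addresses; once zone and registrar agree it returns an empty list.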

Postby NuLL3rr0r » 22 Jan 2010, 21:02

Thanks for the answer.

Well, this is the first time I've heard of glue records, but from what I read and understood, a glue record is simply an IP:

http://en.wikipedia.org/wiki/Domain_Name_System#Circular_dependencies_and_glue_records
http://faq.domainmonster.com/dns/glue_record/

I checked my Domain Panel on Directi and found each nameserver registered with an IP address (if I'm not wrong, a glue record). My ISP did that for me.

I attached a pic that shows each nameserver and its registered IP.

The problem is my ISP's technical support knows nothing about BSD, and usually they set up DNS with web interfaces like cPanel or Webmin.

I'm not sure about my config files. Are the syntax and situation OK?
If I'm sure, then I can ask them for help (maybe something on their side is wrong).


However thanks for responding.
Attachment: nsip.jpg

Postby NuLL3rr0r » 05 Feb 2010, 00:44

Finally it works:

I just changed everything to the VPS IP itself:

Code:
ns1             IN      A       91.194.91.7
ns2             IN      A       91.194.91.7
ns3             IN      A       91.194.91.7
ns4             IN      A       91.194.91.7


(This happens in domain panel also).


I also needed to change this line in

/etc/namedb/named.conf
Code:
//     listen-on       { 127.0.0.1; };
// Changed to:
        listen-on       { 91.194.91.7; };


or it simply doesn't work.


I added

/etc/rc.conf
Code:
sendmail_enable="YES"


or I'll get:
Code:
error connecting to mail server port 25 : connection refused.



I'm still waiting till DNS databases across the net are updated.
Code:
http://checkdns.net/quickcheck.aspx?domain=www.babaei.net&detailed=1




That's a shame!! They told me these IPs are authoritative for my domain, but they're not. I think these are my ISP's DNS servers, since I can browse them in a browser. I really don't know how they can handle this, but I'm happy for now.

Postby Alt » 05 Feb 2010, 06:47

You must add allow-query for the whole world if this server answers for the domain zone.
Alt
Member
Posts: 726
Joined: 18 Nov 2008, 12:22
Location: Mother Russia

Postby NuLL3rr0r » 06 Feb 2010, 08:53

You must add allow-query for the whole world if this server answers for the domain zone.



Thanks for the tip. But as you can see here
http://student.ing-steen.se/unix/named.conf.html
it says:
allow-query
Specifies which hosts are allowed to ask ordinary questions. The allow-query option may also be specified in the zone statement, in which case it overrides the options allow-query statement. If not specified, the default is to allow queries from all hosts.


As it says, I think this is the default option for all zones:
Code:
allow-query { any; };


Now it just works fine.

I also found this nice brief tip for securing bind:
http://www.cyberciti.biz/tips/howto-restrict-unauthorized-zone-transfers-dns-bind.html

As a good security practice I'm going to try this.

Postby Alt » 06 Feb 2010, 09:52

Dunno what's default, I just see the error "returned error code Refused" in your logs xD

Postby NuLL3rr0r » 08 Feb 2010, 11:32

Well!!

I just listened to your advice and put allow-query for every zone in named.conf.

If I use a nameserver other than 91.194.91.7 in resolv.conf, the DNS query fails. But with allow-query set to any, now I can use any nameserver that I want in resolv.conf.

Thanks for the advice.
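As an added example, not the poster's config or BIND's own tooling: a small lint for the named.conf options the thread ended up changing (listen-on moved from loopback to the public address, an explicit allow-query) plus the allow-transfer restriction that the linked cyberciti tip is about. The two options blocks are constructed, and the secondary address 192.0.2.10 in the hardened one is a placeholder.

```python
import re

# Constructed examples, not the thread's full named.conf: the loopback-only
# options block the setup started with, and a hardened one using the posted IP.
# The secondary address in allow-transfer is a hypothetical placeholder.
BEFORE = """
options {
        directory       "/etc/namedb";
        listen-on       { 127.0.0.1; };
};
"""
AFTER = """
options {
        directory       "/etc/namedb";
        listen-on       { 91.194.91.7; };
        allow-query     { any; };           // authoritative data is public anyway
        allow-transfer  { 192.0.2.10; };    // only the secondary may AXFR (placeholder)
};
"""

def acl(conf, name):
    """Return the address list of an option such as listen-on, or None if absent."""
    m = re.search(rf"\b{name}\b[^{{;]*\{{([^}}]*)\}}", conf)
    return [a.strip() for a in m.group(1).split(";") if a.strip()] if m else None

def lint_options(conf):
    """Findings for an authoritative server; an empty list means nothing to fix."""
    findings = []
    listen = acl(conf, "listen-on")
    if listen is not None and set(listen) <= {"127.0.0.1", "::1"}:
        findings.append("listen-on is loopback-only: external resolvers cannot reach the zone")
    if acl(conf, "allow-query") is None:
        findings.append("allow-query unset: state { any; } explicitly for an authoritative zone")
    transfer = acl(conf, "allow-transfer")
    if transfer is None or "any" in transfer:   # unset meant 'any' in BIND 9 of that era
        findings.append("allow-transfer unrestricted: limit AXFR to your secondaries")
    return findings
```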

