DNS Set-up: Ubuntu 10.4, NSD, GoDaddy, twisted4life.com

Less than 24 hours ago I completed a DNS set-up on Ubuntu 10.4 using NSD, twisted4life.com, and GoDaddy. While the system may need at least another 24 hours to propagate through the Internet, I am pretty sure that my configuration is not quite correct.

As a template I followed Monarch's method, which outlined a method of setting up DNS with bind9, twisted4life and GoDaddy. Through a recommendation from a member of Linode staff, who believes NSD to be a world easier than bind, I installed NSD instead.

Here is the link to Monarch's method: http://www-loadbal3.linode.com/forums/viewtopic.php?p=9715&sid=d7e336cd417c6c71dd72842723e2aec5

(1) Register name(s) with GoDaddy.com. I registered FELDMAND.COM along with some other names.

(2) Sign up for an account at twisted4life.com. They provide secondary DNS. You will need 3 things: your own domain of which you have control of the DNS settings, an existing primary DNS server, a working email account.

Here is an example edited domain. Note that 74.207.241.5 is ns1.linode.com.
> Domain name: feldmand.com
>
> IP of primary DNS: 74.207.241.5 (ns1.linode.com)
>
> Active: Yes
>
> Queued for forced reload: No
>
> [ Save ] [ Cancel ]

Make any changes to this domain you wish, then click Save. By default new domains are queued for a forced reload prior to the regular refresh of the whole DNS server. You can un-queue the domain from the forced list using this form, and it will be transferred along with the normal process provided it is marked as Active.

The system also provided the secondary DNS nameserver we seek.
> Add the following to your list of NS records and registrar delegation for your domains: ns1.twisted4life.com

Here are the properties for feldmand.com.
> Primary DNS IP: 74.207.241.5
>
> Last try (UTC): 2010-08-24 06:02:22
>
> Last transfer (UTC): none yet
>
> Zone serial number: none yet

Here are the current results from the twisted4life.com supplied DNS config checker.

> DNS Configuration Checker
>
> DNS diagnosis for feldmand.com
>
> Listed in Root servers: Is your domain feldmand.com listed at the Root servers? This is bad. There was no response for that entry from the Root servers. Root server that was queried: a.gtld-servers.net.
>
> Responding nameservers: Checking each of your individual authoritative nameservers: Gee, looks like you have no nameservers. Perhaps this domain has not been registered yet?
>
> Missing/Stealth nameserver: You don't have any valid nameservers
>
> Nameservers have identical SOA serial: Aha! You don't even have any valid DNS servers
>
> Nameserver response times: No responding nameservers
>
> Nameservers on different networks: No. We recommend that you locate your servers on seperate networks to give you better resilience against failures
>
> SOA Refresh value: Your SOA refresh value was reported to be: (none). This value is too low. The RFC 1912 recommends that this value be between 1200 to 43200. This value determines how often slave nameservers check with the master for changes
>
> SOA Retry value: Your SOA retry value was reported to be: (none). This value is too low. The RCC 1912 specification recommends a value between 120 to 7200. This value determines how often slave nameservers would contact the master nameserver if the previous XFER failed
>
> SOA Expire value: Your SOA expire value was reported to be: (none). This value is too low. The RFC 1912 specification recommends a value between 1209600 to 2419200. This value determines how long a slave nameserver will wait before considering its DNS data stale if it can't reach your primary nameserver
>
> SOA TTL value: Your SOA minimum TTL value was reported to be: (none). This value is too low. The RFC 1912 specification recommends a value between 60 to 86400. This value determines how long nameservers should cache the value before attempting to fetch the latest value from an authoritative nameserver. Setting this value too low would cause uncessary traffic to your DNS server.
>
> Mail Exchangers: You have 0 mail exchangers. Checking also if mail exchangers accept mail for your domain. This is not good. You do not have any MX records defined

I believe everything is configured correctly at twisted4life.com. The only aspect that has me guessing is the "Queued for forced reload". Maybe I need to explicitly force the reload. Just to make sure, I just force reloaded all of my domains.

I hope things will get resolved once the names propagate through the Internet. Will they?

(3) Install a ubiquitous DNS server, for example, NSD for authoritative DNS, on your Linode, and edit the configuration files.

In Monarch's method using bind (http://www-loadbal3.linode.com/forums/viewtopic.php?p=9715&sid=d7e336cd417c6c71dd72842723e2aec5), he edited /etc/bind/named.conf.local, which is equivalent to NSD's /etc/nsd3/nsd.conf file.

Excerpt: BIND's named.conf.local file

  zone "example.com" {
      type master;
      file "/etc/bind/db.com.example";
      allow-transfer {
          202.157.185.115; // ns1.twisted4life.com
      };
  };

Excerpt: My NSD's nsd.conf file

zone:
        name: "feldmand.com"
        zonefile: "feldmand.com.zone"

        # also provide xfr to operator's network - ns1.twisted4life.com.
        provide-xfr: 202.157.182.142/32 NOKEY

        # set the number of retries for notify.
        notify-retry: 5

He then created a file called /etc/bind/db.com.example, which is equivalent to /etc/nsd3/example.com.zone.

Excerpt: db.com.example

  ; Zone file for example.com
  ;
  ; The full zone file
  ;
  $TTL    86400
  @       IN      SOA     ns.example.com. hostmaster.example.com. (
                          2006020601      ; Serial
  ; how often slave nameservers check with the master for changes
                          7200            ; Refresh
  ; how often slave nameservers would contact the master
  ; nameserver if the previous XFER failed
                          1200            ; Retry
                          2419200         ; Expire
                          86400 )         ; Negative Cache TTL
  ;
                  NS      ns                    ; inet of our nameserver
                  NS      ns1.twisted4life.com. ; secondary dns

  ns              A       1.2.3.4 ; my linode service ip address
  www             CNAME   ns

Excerpt: My feldmand.com.zone file

$ORIGIN feldmand.com.
$TTL 86400

@       IN      SOA     ns1.feldmand.com.      web-admin.feldmand.com. (
                                2009011803      ; serial number
                                28800           ; Refresh
                                7200            ; Retry
                                864000          ; Expire
                                86400           ; Min TTL
                                )

                NS      ns1.feldmand.com.
                NS      ns1.twisted4life.com.

                MX      10 mail.feldmand.com.

$ORIGIN feldmand.com.

feldmand.com.   IN      A       [Linode IP address]
feldmand.com.   IN      TXT     "Testing feldmand...1...2...3"

ns1             IN      A       74.207.241.5
ns2             IN      A       202.157.182.142
www             IN      A       [Linode IP address]
blog            IN      A       [Linode IP address]
photos          IN      A       [Linode IP address]
videos          IN      A       [Linode IP address]

I am not sure I have configured NSD correctly. Of late I have found the nomenclature and syntax of /etc/nsd3/nsd.conf somewhat intimidating. Something seems wrong about how I have configured the nameservers in feldmand.com.zone. Also, I should probably be using CNAMEs as opposed to A records in the latter half of the file.

Any suggestions on where my problem lies and/or how I should clean up this file?

(4) Transfer the secondary DNS server from the Linode server. Add a secondary server for your domains at your Linode server IP address.

I am not sure I did this correctly, but my reference to ns1.twisted4life.com and its corresponding IP address 202.157.182.142 in the zone file and configuration file was my attempt to do this.

Twisted4Life.com recommended the following: Your zone file should contain the following:

yourdomain.com.  IN NS ns1.twisted4life.com

Twisted4Life continued:
> You must allow the Primary DNS to transfer to twisted4life's server. If you do not do this all transfers will fail. To allow transfers, you must add 202.157.182.142 to the 'Allow' settings of the primary server. This will require administration access.

Finally, at the domain registrar, enter the twisted4life as one of your secondaries: ns1.twisted4life.com.

(5) Restart the daemon of NSD on the Linode.

Rebuild the NSD database with this command:

nsdc rebuild

After rebuilding, restart NSD.

/etc/init.d/nsd3 restart

Test to see that your DNS server is properly serving records.

dig @localhost www.feldmand.com

These are the current results of the dig command (note that this is after setting up the nameservers on the GoDaddy account):

; <<>> DiG 9.7.0-P1 <<>> @localhost www.feldmand.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12676
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.feldmand.com.        IN  A

;; ANSWER SECTION:
www.feldmand.com.    86400   IN  A   [Linode IP address]

;; AUTHORITY SECTION:
feldmand.com.        86400   IN  NS  ns1.feldmand.com.
feldmand.com.        86400   IN  NS  ns1.twisted4life.com.

;; ADDITIONAL SECTION:
ns1.feldmand.com.    86400   IN  A   74.207.241.5

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 24 07:28:39 2010
;; MSG SIZE  rcvd: 131

(6) Verify in the logs that a zone transfer occurs to ns1.twisted4life.com.

Checking /var/log/syslog as well as all the other files in the /var/log directory yielded no matches for 'twisted4life'! Either my setup at twisted4life or more likely in my NSD zone and config files is faulty.

Does anyone have any suggestions on how to verify zone transfers and how to resolve them if I indeed do have a problem?

(7) Log into your GoDaddy account. You will add domain(s) with the name "ns.example.com" with your Linode IP address. You will also make "ns.example.com" your first nameserver, and ns1.twisted4life.com your second nameserver.

Go to the domain manager. Select all domains. Select the "Manage Locking" Icon. Deselect the "Lock domains" selector.

Add domains with the name of each of the local nameservers. From the Domain Manager, enter the name of your domain. Search for "Host Summary" on the same page. Click the "Add" next to it. Add "ns1.example.com". Click OK.

Click set nameservers. Set the nameservers to ns1.example.com and ns1.twisted4life.com. Click OK.

Repeat for its domain name.

Return to the domain manager. Select all domains. Select the "Manage Locking" Icon. This time select the "Lock domains" selector.

(8) Wait between 24 and 48 hours for the name(s) to propagate through the Internet. Theoretically my name(s) should complete propagation within just over 24 hours.

(9) Use http://www.dnsreport.com/ to diagnose the state of your DNS and its configuration. Type the name of your domain. You may find that the URL redirects to www.dnsstuff.com.

----------

If you can offer any pointers I would be most appreciative.

I am not sure how related this is, but here Jed, Linode.com staff, suggests a method on how to configure Linode to be a slave to your own DNS server: http://www.linode.com/forums/viewtopic.php?t=5403&start=0

Would this be a better way for me to do what I want to do?

Thanks again.

3 Replies

In the course of reviewing the to-be-verified tutorial above, I recognized that I had not precisely followed the recommendation from Twisted4Life.com, the provider of secondary nameservers.

Twisted4Life.com recommends that your zone file should contain the following:

yourdomain.com.  IN NS  ns1.twisted4life.com.

After adding the above recommendation, I also added the following line just to be sure.

yourdomain.com.  IN NS  ns1.yourdomain.com.

My zone file now looks like this:

Excerpt: feldmand.com.zone

$ORIGIN feldmand.com.
$TTL 86400

@       IN      SOA     ns1.feldmand.com.      web-admin.feldmand.com. (
                                2009011803      ; serial number
                                28800           ; Refresh
                                7200            ; Retry
                                864000          ; Expire
                                86400           ; Min TTL
                                )

                NS      ns1.feldmand.com.
                NS      ns1.twisted4life.com.

                MX      10 mail.feldmand.com.

$ORIGIN feldmand.com.

feldmand.com.   IN      A       [Linode IP address]
feldmand.com.   IN      TXT     "Testing feldmand...1...2...3"
feldmand.com.   IN      NS      ns1.twisted4life.com.
feldmand.com.   IN      NS      ns1.feldmand.com.

ns1             IN      A       74.207.241.5
ns2             IN      A       202.157.182.142
www             IN      A       [Linode IP address]
blog            IN      A       [Linode IP address]
photos          IN      A       [Linode IP address]
videos          IN      A       [Linode IP address]

Note it is important for the domain names to be followed by a full-stop ".", otherwise the dig command will show the domain name repeated.

Going back to Twisted4Life to check my configuration, I did not find anything suspicious, except I wonder what they mean by "Primary DNS IP" exactly.

Do they mean the Linode IP address, or the IP address of my local DNS nameserver, which is ns1.linode.com? I listed the IP address of ns.linode.com, not my Linode IP address. Which one should it be?
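The SOA ranges the twisted4life checker quotes in step (2) and the trailing-dot rule in the reply above can both be checked offline before running `nsdc rebuild`. The following is an added example, not code from the thread or from NSD; it runs on a constructed zone modelled on the excerpts, with 192.0.2.10 standing in for the Linode address and one NS deliberately left without its trailing dot:

```python
# Added example, not code from the thread: checks a zone against the RFC 1912 SOA ranges quoted by the checker and the trailing-dot rule.
import re

RFC1912 = {"refresh": (1200, 43200), "retry": (120, 7200),
           "expire": (1209600, 2419200), "minimum": (60, 86400)}

# Constructed sample: 192.0.2.10 stands in for "[Linode IP address]"; one NS lacks its dot.
ZONE = """\
$ORIGIN feldmand.com.
@   IN  SOA ns1.feldmand.com. web-admin.feldmand.com. (
            2009011803 ; serial
            28800      ; refresh
            7200       ; retry
            864000     ; expire
            86400 )    ; minimum TTL
    NS  ns1.feldmand.com.
    NS  ns1.twisted4life.com
    MX  10 mail.feldmand.com.
ns1 IN  A   192.0.2.10
"""

def parse_zone(text):
    """Return (origin, [(owner, type, rdata), ...]); strips ';' comments, folds '( )'."""
    stripped = "\n".join(ln.split(";", 1)[0].rstrip() for ln in text.splitlines())
    folded = re.sub(r"\(([^)]*)\)", lambda m: " " + " ".join(m.group(1).split()), stripped)
    origin, owner, records = ".", None, []
    for line in folded.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0].startswith("$"):            # only $ORIGIN matters for this check
            origin = toks[1] if toks[0] == "$ORIGIN" else origin
            continue
        if not line[0].isspace():              # new owner; indented lines inherit the last
            name = toks.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        toks = [t for t in toks if t != "IN"]  # drop the class (per-record TTLs not handled)
        records.append((owner, toks[0], toks[1:]))
    return origin, records

def check_zone(text):
    """Return a list of findings; an empty list means the zone passed."""
    origin, records = parse_zone(text)
    findings = []
    soa = next(r[2] for r in records if r[1] == "SOA")  # mname rname serial refresh retry expire minimum
    for name, val in zip(("refresh", "retry", "expire", "minimum"), map(int, soa[3:])):
        lo, hi = RFC1912[name]
        if not lo <= val <= hi:
            findings.append(f"SOA {name} {val} is outside RFC 1912 range {lo}-{hi}")
    a_names = {r[0] for r in records if r[1] == "A"}
    for owner, rtype, rdata in records:
        if rtype not in ("NS", "MX"):
            continue
        target = rdata[-1]
        if not target.endswith("."):           # relative name: dig shows it as target.origin
            findings.append(f"{rtype} target {target} lacks a trailing dot")
        elif target.endswith("." + origin) and target not in a_names:
            findings.append(f"in-zone {rtype} target {target} has no A record (glue)")
    return findings
```

On the sample it reports the expire value of 864000 as below the RFC 1912 range, the undotted ns1.twisted4life.com, and the missing A record for mail.feldmand.com.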

@feldmand:

> Do they mean the Linode IP address, or the IP address of my local DNS nameserver, which is ns1.linode.com? I listed the IP address of ns.linode.com, not my Linode IP address. Which one should it be?

I believe you already got the answer you were looking for in IRC, but I'll answer for the benefit of others.

The "Primary DNS IP" would be the IP address of the "Master" name server for the zone (feldmand.com). In your case, it was your Linode's IP address since you were running NSD.

NOTE: The "Master" IP address does not have to be the true Master for the zone, but in order for the secondaries (slaves) name servers to provide authoritative DNS answers for the zone, the "Primary DNS IP" must allow AXFR (DNS zone transfers) to the secondary.

Also, you mistakenly have referred to ns1.linode.com as 74.207.241.5, which is incorrect. That IP address is a resolver (resolver1.fremont.linode.com), not an authoritative name server. ns1.linode.com [69.93.127.10] is 1 of 5 of Linode's authoritative name servers.

Travis

Thank you for following up, Travis. You have highlighted the two serious errors I made in my DNS set-up above.

Yes, the folks on IRC were most helpful in guiding me to a better solution. Special thanks in no particular order to Daevien, rb, swaj, HoopyCat, dcraig.

@Travis:

> NOTE: The "Master" IP address does not have to be the true Master for the zone, but in order for the secondaries (slaves) name servers to provide authoritative DNS answers for the zone, the "Primary DNS IP" must allow AXFR (DNS zone transfers) to the secondary.

Unless I am missing something, I believe this more or less accords with the following citations.

@HoopyCat:

> In a traditional AXFR-based authoritative DNS configuration, you have one master/primary nameserver and one or more slave/secondary nameservers, when the serial number in the zone's SOA is incremented on the master it will (usually) send a NOTIFY to the slaves it knows about, and then the slaves will request an AXFR from the master.

@swaj:

> You only set your domain to use Linode (or a free DNS hosting service) as its nameservers, and then tell those servers to AXFR from your box

The IRC participants more or less outlined 4 different DNS configurations for a basic web hosting platform. Here is a transcript of the discussion: http://thegrebs.com/irc/linode/2010/08/24

1. **Model 1** - Run LAMP stack, just use Linode DNS Manager. Do not run your own DNS server, do not worry about slave and secondary, do not install ISPConfig.
2. **Model 2** - Run LAMP stack, run NSD on Linode as primary, use free DNS hosting (i.e. twisted4life, dynDNS, etc.) as secondary.
3. **Model 3** - Run LAMP stack, run NSD on Linode as primary, use Linode nameservers as slaves, rather than using free DNS hosting.
4. **Model 4** - Run LAMP stack, run NSD on Linode as "hidden primary", use Linode nameservers as slaves, install ISPConfig.

My set-up above reflects an example of **Model 2**. The folks on the IRC discussion, however, persuaded me to implement **Model 4**, due to its greater robustness, sophistication and flexibility.

The following links should help those who wish to set up their DNS.

1. A Brief Hidden Primary Tutorial - http://www.dyndns.com/support/kb/runningahiddenprimary.html
2. Authoritative name server - a definition - https://secure.wikimedia.org/wikipedia/en/wiki/Authoritative_name_server#Authoritative_name_server
3. Tutorial - Configuring DNS with the Linode Manager - http://library.linode.com/linode-manager/configuring-dns-with-the-linode-manager
4. Transcript of IRC discussion on DNS Set-up - http://thegrebs.com/irc/linode/2010/08/24
