DNS Set-up: Ubuntu 10.4, NSD, GoDaddy, twisted4life.com
As a template I followed Monarch's method, which outlined a method of setting up DNS with bind9, twisted4life and GoDaddy. Through a recommendation from a member of Linode staff, who believes NSD to be a world easier than bind, I installed NSD instead.
Here is the link to Monarch's method:
(1) Register name(s) with GoDaddy.com. I registered FELDMAND.COM along with some other names.
(2) Sign up for an account at twisted4life.com. They provide secondary DNS. You will need 3 things: your own domain whose DNS settings you control, an existing primary DNS server, and a working email account.
Here is an example edited domain. Note that 74.207.241.5 is ns1.linode.com.
> Domain name feldmand.com
IP of primary DNS 74.207.241.5 (ns1.linode.com)
Active Yes
Queued for forced reload No
[ Save ] [ Cancel ]
Make any changes to this domain you wish, then click Save. By default new domains are queued for a forced reload prior to the regular refresh of the whole DNS server. You can un-queue the domain from the forced list using this form, and it will be transferred along with the normal process provided it is marked as Active.
The system also provided the secondary DNS nameserver we seek.
> Add the following to your list of NS records and registrar delegation for your domains: ns1.twisted4life.com
Here are the properties for feldmand.com.
> Primary DNS IP
74.207.241.5
Last try (UTC)
2010-08-24 06:02:22
Last transfer (UTC)
none yet
Zone serial number
none yet
Here are the current results from the twisted4life.com supplied DNS config checker.
> DNS Configuration Checker
Domain to check:
DNS diagnosis for feldmand.com
Test being performed Results and explanation Status
Listed in Root servers Is your domain feldmand.com listed at the Root servers?
This is bad. There was no response for that entry from the Root servers
Root server that was queried: a.gtld-servers.net.
Responding nameservers Checking each of your individual authoritative nameservers:
Gee, looks like you have no nameservers. Perhaps this domain has not been registered yet?
Missing/Stealth nameserver
You don't have any valid nameservers
Nameservers have identical SOA serial Aha! You don't even have any valid DNS servers
Nameserver response times No responding nameservers
Nameservers on different networks No
We recommend that you locate your servers on separate networks to give you better resilience against failures
SOA Refresh value Your SOA refresh value was reported to be:
This value is too low. The RFC 1912 recommends that this value be between 1200 to 43200. This value determines how often slave nameservers check with the master for changes
SOA Retry value Your SOA retry value was reported to be:
This value is too low. The RFC 1912 specification recommends a value between 120 to 7200. This value determines how often slave nameservers would contact the master nameserver if the previous XFER failed
SOA Expire value Your SOA expire value was reported to be:
This value is too low. The RFC 1912 specification recommends a value between 1209600 to 2419200. This value determines how long a slave nameserver will wait before considering its DNS data stale if it can't reach your primary nameserver
SOA TTL value Your SOA minimum TTL value was reported to be:
This value is too low. The RFC 1912 specification recommends a value between 60 to 86400. This value determines how long nameservers should cache the value before attempting to fetch the latest value from an authoritative nameserver. Setting this value too low would cause unnecessary traffic to your DNS server.
Mail Exchangers You have 0 mail exchangers. Checking also if mail exchangers accept mail for your domain
This is not good. You do not have any MX records defined
I believe everything is configured correctly at twisted4life.com. The only aspect that has me guessing is the "Queued for forced reload". Maybe I need to explicitly force the reload. Just to make sure, I just force reloaded all of my domains.
I hope things will get resolved once the names propagate through the Internet. Will they?
(3) Install a ubiquitous DNS server, for example, NSD for authoritative DNS, on your Linode, and edit the configuration files.
In Monarch's method using bind,
Excerpt: BIND's named.conf file
zone "example.com" {
type master;
file "/etc/bind/db.com.example";
allow-transfer {
202.157.185.115; // ns1.twisted4life.com
};
};
Excerpt: My NSD's nsd.conf file
zone:
name: "feldmand.com"
zonefile: "feldmand.com.zone"
# also provide xfr to operator's network - ns1.twisted4life.com.
provide-xfr: 202.157.182.142/32 NOKEY
# set the number of retries for notify.
notify-retry: 5
He then created a file called /etc/bind/db.com.example, which is equivalent to the /etc/nsd3/example.com.zone.
Excerpt: db.com.example
; Zone file for example.com
;
; The full zone file
;
$TTL 86400
@ IN SOA ns.example.com. hostmaster.example.com. (
2006020601 ; Serial
; how often slave nameservers check with the master for changes
7200 ; Refresh
; how often slave nameservers would contact the master
; nameserver if the previous XFER failed
1200 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
NS ns ; inet of our nameserver
NS ns1.twisted4life.com. ; secondary dns
ns A 1.2.3.4 ; my linode service ip address
www CNAME ns
Excerpt: My feldmand.com.zone file
$ORIGIN feldmand.com.
$TTL 86400
@ IN SOA ns1.feldmand.com. web-admin.feldmand.com. (
2009011803 ; serial number
28800 ; Refresh
7200 ; Retry
864000 ; Expire
86400 ; Min TTL
)
NS ns1.feldmand.com.
NS ns1.twisted4life.com.
MX 10 mail.feldmand.com.
$ORIGIN feldmand.com.
feldmand.com. IN A [Linode IP address]
feldmand.com. IN TXT "Testing feldmand...1...2...3"
ns1 IN A 74.207.241.5
ns2 IN A 202.157.182.142
www IN A [Linode IP address]
blog IN A [Linode IP address]
photos IN A [Linode IP address]
videos IN A [Linode IP address]
I am not sure I have configured NSD correctly. I have recently found the nomenclature and syntax of the /etc/nsd3/nsd.conf to be somewhat intimidating. Something seems wrong about how I have configured the nameservers in feldmand.com.zone. Also I should probably be using CNAMEs as opposed to A records in the latter half of the file.
Any suggestions on where my problem lies and/or how I should clean up this file?
(4) Transfer the secondary DNS server from the Linode server. Add a secondary server for your domains at your Linode server IP address.
I am not sure I did this correctly, but my reference to ns1.twisted4life.com and its corresponding IP address 202.157.182.142 in the zone file and configuration file was my attempt to do this.
Twisted4Life.com recommended the following:
> Your zone file should contain the following:
yourdomain.com. IN NS ns1.twisted4life.com
Twisted4Life continued:
> You must allow the Primary DNS to transfer to twisted4life's server. If you do not do this all transfers will fail. To allow transfers, you must add 202.157.182.142 to the 'Allow' settings of the primary server. This will require administration access.
Finally, at the domain registrar, enter the twisted4life as one of your secondaries: ns1.twisted4life.com.
(5) Restart the daemon of NSD on the Linode.
Rebuild the NSD database with this command:
nsdc rebuild
After rebuilding, restart NSD.
/etc/init.d/nsd3 restart
Test to see that your DNS server is properly serving records.
dig @localhost www.feldmand.com
These are the current results of the dig command (note that this is after setting up the nameservers on the GoDaddy account):
; <<>> DiG 9.7.0-P1 <<>> @localhost www.feldmand.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12676
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.feldmand.com. IN A
;; ANSWER SECTION:
www.feldmand.com. 86400 IN A [Linode IP address]
;; AUTHORITY SECTION:
feldmand.com. 86400 IN NS ns1.feldmand.com.
feldmand.com. 86400 IN NS ns1.twisted4life.com.
;; ADDITIONAL SECTION:
ns1.feldmand.com. 86400 IN A 74.207.241.5
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug 24 07:28:39 2010
;; MSG SIZE rcvd: 131
(6) Verify in the logs that a zone transfer occurs to ns1.twisted4life.com.
Checking /var/log/syslog as well as all the other files in the /var/log directory yielded no matches for 'twisted4life'! Either my setup at twisted4life or more likely in my NSD zone and config files is faulty.
Does anyone have any suggestions on how to verify zone transfers and how to resolve them if I indeed do have a problem?
(7) Log into your GoDaddy account. You will add domain(s) with the name "ns.example.com" with your Linode IP address. You will also make "ns.example.com" your first nameserver, and ns1.twisted4life.com your second nameserver.
Go to the domain manager. Select all domains. Select the "Manage Locking" Icon. Deselect the "Lock domains" selector.
Add domains with the name of each of the local nameservers. From the Domain Manager, enter the name of your domain. Search for "Host Summary" on the same page. Click the "Add" next to it. Add "ns1.example.com". Click OK.
Click set nameservers. Set the nameservers to ns1.example.com and ns1.twisted4life.com. Click OK.
Repeat for its domain name.
Return to the domain manager. Select all domains. Select the "Manage Locking" Icon. This time select the "Lock domains" selector.
(8) Wait between 24 and 48 hours for the name(s) to propagate through the Internet. Theoretically my name(s) should complete propagation within just over 24 hours.
(9) Use
----------
If you can offer any pointers I would be most appreciative.
I am not sure how related this is, but here Jed, Linode.com staff, suggests a method on how to configure Linode to be a slave to your own DNS server:
Would this be a better way for me to do what I want to do?
Thanks again.
3 Replies
Twisted4Life.com recommends that your zone file should contain the following:
yourdomain.com. IN NS ns1.twisted4life.com.
After adding the above recommendation, I also added the following line just to be sure.
yourdomain.com. IN NS ns1.yourdomain.com.
My zone file now looks like this:
Excerpt: feldmand.com.zone
$ORIGIN feldmand.com.
$TTL 86400
@ IN SOA ns1.feldmand.com. web-admin.feldmand.com. (
2009011803 ; serial number
28800 ; Refresh
7200 ; Retry
864000 ; Expire
86400 ; Min TTL
)
NS ns1.feldmand.com.
NS ns1.twisted4life.com.
MX 10 mail.feldmand.com.
$ORIGIN feldmand.com.
feldmand.com. IN A [Linode IP address]
feldmand.com. IN TXT "Testing feldmand...1...2...3"
feldmand.com. IN NS ns1.twisted4life.com.
feldmand.com. IN NS ns1.feldmand.com.
ns1 IN A 74.207.241.5
ns2 IN A 202.157.182.142
www IN A [Linode IP address]
blog IN A [Linode IP address]
photos IN A [Linode IP address]
videos IN A [Linode IP address]
Note it is important for the domain names to be followed by a full-stop ".", otherwise the dig command will show the domain name repeated.
Going back to Twisted4Life to check my configuration, I did not find anything suspicious, except I wonder what they mean by "Primary DNS IP" exactly.
Do they mean the Linode IP address, or the IP address of my local DNS nameserver, which is ns1.linode.com? I listed the IP address of ns.linode.com, not my Linode IP address. Which one should it be?
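A small zone-file lint, added here as an example and not code from the thread or from NSD, for the zone file above and the trailing-dot note: it flags SOA timers outside the RFC 1912 ranges the twisted4life checker quotes (the Expire of 864000 is below the 1209600 floor), NS or MX targets without a trailing dot (which NSD would read relative to the origin), and in-zone NS/MX names with no A record. The sample zone is constructed from the excerpt, and the parser is deliberately minimal (no $INCLUDE, no ';' inside TXT strings).

```python
import re
# Constructed sample: the thread's feldmand.com.zone excerpt, with the "[Linode IP address]"
# placeholder replaced by an RFC 5737 address and the twisted4life NS target left unqualified.
SAMPLE_ZONE = """\
$ORIGIN feldmand.com.
@ IN SOA ns1.feldmand.com. web-admin.feldmand.com. (
    2009011803 28800 7200 ; serial refresh retry
    864000 86400 )        ; expire minimum
    NS ns1.feldmand.com.
    NS ns1.twisted4life.com
    MX 10 mail.feldmand.com.
ns1 IN A 74.207.241.5
"""
# RFC 1912 ranges as quoted by the twisted4life.com checker output earlier in the thread.
RFC1912 = {"refresh": (1200, 43200), "retry": (120, 7200),
           "expire": (1209600, 2419200), "minimum": (60, 86400)}
RRTYPES = {"SOA", "NS", "A", "AAAA", "MX", "TXT", "CNAME"}

def fqdn(name, origin):  # '@' is the origin; a name without a trailing dot gets it appended
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Minimal master-file parser: returns (origin, [(owner, type, rdata tokens), ...])."""
    stripped = "\n".join(l.split(";")[0] for l in text.splitlines())  # assumes no ';' in TXT
    flat = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), stripped)
    origin, owner, records = ".", "@", []
    for tok in (l.split() for l in flat.splitlines()):
        if tok and tok[0] == "$ORIGIN": origin = tok[1]
        i = next((k for k, t in enumerate(tok) if t in RRTYPES), None)
        if i is None: continue                    # blank line, directive or unknown type
        if i > 0 and tok[0] != "IN" and not tok[0].isdigit(): owner = tok[0]  # explicit owner
        records.append((fqdn(owner, origin), tok[i], tok[i + 1:]))
    return origin, records

def lint_zone(text):
    """Flag SOA timers outside RFC 1912, NS/MX targets missing the trailing dot, and in-zone NS/MX names with no A record."""
    origin, records = parse_zone(text)
    has_a, findings = {o for o, t, _ in records if t == "A"}, []
    for _owner, rtype, rdata in records:
        if rtype == "SOA":  # rdata: mname rname serial refresh retry expire minimum
            for (name, (lo, hi)), val in zip(RFC1912.items(), map(int, rdata[3:7])):
                if not lo <= val <= hi:
                    findings.append(f"SOA {name} {val} outside RFC 1912 range {lo}-{hi}")
        elif rtype in ("NS", "MX"):
            target = rdata[-1]
            if not target.endswith("."):
                findings.append(f"{rtype} {target} lacks trailing dot; read as {fqdn(target, origin)}")
            elif target.endswith("." + origin) and target not in has_a:
                findings.append(f"{rtype} target {target} has no A record in the zone")
    return findings
```

Run `lint_zone(open("/etc/nsd3/feldmand.com.zone").read())` on the real file before `nsdc rebuild`; an empty list means none of these three problems is present.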
@feldmand:
> Do they mean the Linode IP address, or the IP address of my local DNS nameserver, which is ns1.linode.com? I listed the IP address of ns.linode.com, not my Linode IP address. Which one should it be?
I believe you already got the answer you were looking for in IRC, but I'll answer for the benefit of others.
The "Primary DNS IP" would be the IP address of the "Master" name server for the zone (feldmand.com). In your case, it was your Linode's IP address since you were running NSD.
NOTE: The "Master" IP address does not have to be the true Master for the zone, but in order for the secondaries (slaves) name servers to provide authoritative DNS answers for the zone, the "Primary DNS IP" must allow AXFR (DNS zone transfers) to the secondary.
Also, you mistakenly have referred to ns1.linode.com as 74.207.241.5, which is incorrect. That IP address is a resolver (resolver1.fremont.linode.com), not an authoritative name server. ns1.linode.com [69.93.127.10] is 1 of 5 of Linode's authoritative name servers.
–
Travis
Yes, the folks on IRC were most helpful in guiding me to a better solution. Special thanks in no particular order to Daevien, rb, swaj, HoopyCat, dcraig.
@Travis:
> NOTE: The "Master" IP address does not have to be the true Master for the zone, but in order for the secondaries (slaves) name servers to provide authoritative DNS answers for the zone, the "Primary DNS IP" must allow AXFR (DNS zone transfers) to the secondary.
Unless I am missing something, I believe this more or less accords with the following citations.
@HoopyCat:
> In a traditional AXFR-based authoritative DNS configuration, you have one master/primary nameserver and one or more slave/secondary nameservers, when the serial number in the zone's SOA is incremented on the master it will (usually) send a NOTIFY to the slaves it knows about, and then the slaves will request an AXFR from the master.
@swaj:
> You only set your domain to use Linode (or a free DNS hosting service) as its nameservers, and then tell those servers to AXFR from your box
The IRC participants more or less outlined 4 different DNS configurations for a basic web hosting platform. Here is a transcript of the discussion: http://thegrebs.com/irc/linode/2010/08/24
1. Model 1 - Run LAMP stack, just use Linode DNS Manager. Do not run your own DNS server, do not worry about slave and secondary, do not install ISPConfig.
2. Model 2 - Run LAMP stack, run NSD on Linode as primary, use free DNS hosting (i.e. twisted4life, dynDNS, etc.) as secondary.
3. Model 3 - Run LAMP stack, run NSD on Linode as primary, use Linode nameservers as slaves, rather than using free DNS hosting.
4. Model 4 - Run LAMP stack, run NSD on Linode as "hidden primary", use Linode nameservers as slaves, install ISPConfig.
My set-up above reflects an example of Model 2. The folks on the IRC discussion, however, persuaded me to implement Model 4, due to its greater robustness, sophistication and flexibility.
The following links should help those who wish to set up their DNS.
1. A Brief Hidden Primary Tutorial -
2. Authoritative name server - a definition - https://secure.wikimedia.org/wikipedia/en/wiki/Authoritative_name_server#Authoritative_name_server
3. Tutorial - Configuring DNS with the Linode Manager - http://library.linode.com/linode-manager/configuring-dns-with-the-linode-manager
4. Transcript of IRC discussion on DNS Set-up - http://thegrebs.com/irc/linode/2010/08/24