Troubleshooting BIND configuration

I'm trying to set up a Linode as a primary name server, using Linode DNS as a secondary.

My nameservers appear to whois:

whois yyrrll.net

   Domain servers in listed order:
      NS1.YYRRLL.NET
      NS1.LINODE.COM

But ns1.yyrrll.net isn't available:

host ns1.yyrrll.net

Host ns1.yyrrll.net not found: 3(NXDOMAIN)

ns1.linode.com complains the transfer failed:

dig yyrrll.net @69.93.127.10 axfr

; <<>> DiG 9.5.1-P2 <<>> yyrrll.net @69.93.127.10 axfr
;; global options:  printcmd
; Transfer failed.

I don't have errors in syslog, named-checkzone is OK for yyrrll.net, named-checkconf doesn't complain. The yyrrll.net zone is in the output of << rndc dumpdb -all >>, though this does have complaints about 'bad cache'.

How do I go about troubleshooting this?

13 Replies

Your domain name registrar has NS1.YYRRLL.NET set as one of your nameservers.

Use your registrar's web interface to set the name servers for your domain to your linode and to linode's nameservers.

dig +trace is a helpful tool.

I have a few things:

1. If you're going to use Linode's nameservers, you really should have all of them in the nameserver list set in your registrar.

2. It doesn't look like you have a host entry for ns1.yyrrll.net set in the delegation, which creates a circular dependency. IIRC, GoDaddy has an "Add Host" link in their control panel. You'll want to set the IPv4 and IPv6 (if any) addresses for your Linode.

3. The "Bad Cache" thing in the dump file produced is a section heading; provided there's nothing under it, it's completely innocuous.

4. You won't be able to AXFR from Linode's nameservers unless you explicitly turned that on (and you probably shouldn't, as AXFRs create increased load on the servers).

5. Paste your yyrrll.net zone file so we can be sure it's set up right. (named-checkzone does syntax checking, and will warn when you do stuff that isn't allowed, but that's it.) Don't redact or change anything in it.

6. Paste your named.conf file so that we can check that it's configured properly. For this one, redact any rndc or other keys you have in there, but nothing else.

re 2 – I believe I have set the host entry for ns1.yyrrll.net in the GoDaddy host panel, for that name and the linode IP address. Do you mean to set the hostname and IP address for the linode serving as host for ns1.yyrrll.net?

db.yyrrll.net:

$TTL    3600
yyrrll.net.             IN      SOA     ns1.yyrrll.net. webmaster.yyrrll.net. (
              201202221254              ; Serial
                         3600           ; Refresh [1h]
                          600           ; Retry   [10m]
                        86400           ; Expire  [1d]
                          600 )         ; Negative Cache TTL [1h]
;

; Name servers
yyrrll.net.             IN      NS      ns1.yyrrll.net.
yyrrll.net.             IN      NS      ns1.linode.com.

; Glue records for name servers
ns1.yyrrll.net.         IN      A       66.228.58.59

; Mail records
yyrrll.net.             IN      MX      10      mail.yyrrll.net.
yyrrll.net.             IN      TXT "v=spf1 +a:mail.yyrrll.net -all"

; Loopback
localhost.yyrrll.net.   IN      A       127.0.0.1

; Host records
yyrrll.net.             IN      A       66.228.58.59
cheshire.yyrrll.net.    IN      A       66.228.58.59
mail.yyrrll.net.        IN      A       66.228.58.59

; Aliases
www                     IN      CNAME   yyrrll.net.

named.conf:

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

// From wiki.debian.org/Bind9

// Managing acls
acl internals { 127.0.0.0/8; 192.168.0.0/24; };

// Load options
include "/etc/bind/named.conf.options";

// TSIG key used for the dynamic update
include "/etc/bind/ns-yyrrll-net_rndc-key";

// Configure the communication channel for Administrative BIND9 with rndc
// By default, the key is in the rndc.key file and is used by rndc and bind9
// on the localhost
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; };
};

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";

// Not in Debian example configuration but was present in .initial:
//-include "/etc/bind/named.conf.default-zones";

named.conf.local:

// Manage the file logs
include "/etc/bind/named.conf.log";

// Domain Management example.com
// ------------------------------
//  - The server is defined as the master on the domain.
//  - There are no forwarders for this domain.
//  - Entries in the domain can be added dynamically
//    with the key ns-example-com_rndc-key

// Configuration for yyrrll.net
zone "yyrrll.net" {
        type master;
        file "/etc/bind/db.yyrrll.net";
        //-err?-file "/var/cache/bind/db.yyrrll.net";
        //forwarders {};
        // If we do not comment the ''forwarders'' "empty" clients of the local subnet in my case don't have access to the upstream DNS ?
        //allow-update { key ns-yyrrll-net_rndc-key; };
        allow-update { key rndc-key; };
        //confusion between the file name to import (ns-example-com_rndc-key) and the key label (rndc-key) ?
};
zone "59.58.228.66.in-addr.arpa" {
        type master;
        file "/etc/bind/db.59.58.228.66";
        //-err?-file "/var/cache/bind/db.59.58.228.66";
        //see comment below (zone "example.com")
        //forwarders {};
        //allow-update { key ns-yyrrll-net_rndc-key; };
        allow-update { key rndc-key; };
};

// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";

Thank you for looking at this.

EDIT: possibly relevant detail:

  • the linode has hostname 'cheshire', which is not in the GoDaddy host designation at this writing (I'm going to add it after this)

  • bind9 is running under chroot; /etc/default/bind9 includes << OPTIONS="-u bind -t /var/bind/chroot" >>

Okay, two more things:

1. Paste /etc/bind/named.conf.options

2. Check that BIND is actually running and allowing connections on port 53. Because this is a public authoritative server, allow-query needs to be set to all.

Checking for bind:

# ps aux | grep bind 
bind      3450  0.0  1.5  66240  7916 ?        Ssl  Feb20   0:00 /usr/sbin/named -u bind -t /var/bind9/chroot
bind      8353  0.0  1.6  66532  8176 ?        Ssl  18:00   0:00 /usr/sbin/named -u bind -t /var/bind9/chroot
root      8373  0.0  0.1   3916   736 pts/2    S+   18:10   0:00 grep bind

Not sure how to check for allowing connections on port 53, will post …options and research

named.conf.options

// from wiki.debian.org/Bind9
options {
        directory "/var/cache/bind";

        // Exchange port between DNS servers
        query-source address * port *;

        // Transmit requests to 192.168.1.1 if
        // this server doesn't know how to resolve them
        forward only;
        forwarders { 192.168.1.1; };

        auth-nxdomain no;    # conform to RFC1035

        // Listen on local interfaces only (IPv4)
        listen-on-v6 { none; };
        listen-on { 127.0.0.1; 192.168.0.1; };

        // Do not transfer the zone information to the secondary DNS
        allow-transfer { none; };

        // Accept requests for internal network only
        allow-query { internals; };

        // Allow recursive queries to the local hosts
        allow-recursion { internals; };

        // Do not make public version of BIND
        version none;
};

Looking at this, the entries "Listen on local interfaces only" and "Accept requests for internal network only" seem a little strange.

On port 53:

root@cheshire:/etc/bind# nmap localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-22 18:17 UTC
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
111/tcp open  rpcbind

Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds


Okay, paste the output of netstat -tunap. It looks like BIND isn't listening on the public address of your Linode, and so nothing works.

How can you tell BIND isn't listening?

root@cheshire:~# netstat -tunap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:54094           0.0.0.0:*               LISTEN      1365/rpc.statd  
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1353/portmap    
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      8353/named      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1678/sshd       
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      8353/named      
tcp        0      0 66.228.58.59:22         12.195.10.99:45510      ESTABLISHED 7733/1          
tcp        0      0 66.228.58.59:22         12.195.10.99:36166      ESTABLISHED 7714/0          
tcp        0    240 66.228.58.59:22         12.195.10.99:32690      ESTABLISHED 8448/2          
tcp6       0      0 :::22                   :::*                    LISTEN      1678/sshd       
udp        0      0 127.0.0.1:53            0.0.0.0:*                           8353/named      
udp        0      0 127.0.0.1:53            0.0.0.0:*                           3450/named      
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1647/dhclient   
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1353/portmap    
udp        0      0 66.228.58.59:123        0.0.0.0:*                           1598/ntpd       
udp        0      0 127.0.0.1:123           0.0.0.0:*                           1598/ntpd       
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1598/ntpd       
udp        0      0 0.0.0.0:43167           0.0.0.0:*                           1365/rpc.statd  
udp        0      0 0.0.0.0:693             0.0.0.0:*                           1365/rpc.statd  
udp6       0      0 fe80::f03c:91ff:fed:123 :::*                                1598/ntpd       
udp6       0      0 2600:3c02::f03c:91f:123 :::*                                1598/ntpd       
udp6       0      0 ::1:123                 :::*                                1598/ntpd       
udp6       0      0 :::123                  :::*                                1598/ntpd       
root@cheshire:~# 

Because of the settings in named.conf.options. Debian's default layout for BIND's settings is messy and dumb. The following is most of my named.conf that I use for providing authoritative DNS from my Linode.

acl slaves {
        69.93.127.10;
        65.19.178.10;
        75.127.96.10;
        207.192.70.10;
        109.74.194.10;
        localhost; // just in case
};
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
key "rndc-key" { // having the key here means you'll need to copy this block into /etc/bind/rndc.conf
        algorithm hmac-md5;
        secret "big shiny secret here";
};
include "/etc/bind/master.key";
options {
        directory "/var/bind";
        pid-file "/var/run/named/named.pid"; // Depending on Debian, this may or may not be needed
        key-directory "keys";
        provide-ixfr yes;
        allow-query {
                any;
        };
        allow-query-cache {
                none;
        };
        allow-recursion {
                none;
        };
        allow-transfer {
                none;
        };
        listen-on-v6 {
                any;
        };
};
zone "hotellite.net." {
        type master;
        auto-dnssec maintain; // These domains have DNSSEC; this tells BIND to do the signing automatically, always
        update-policy { grant "master." zonesub any ANY; };
        allow-transfer {
                slaves;
        };
        file "external/hotellite.net.zone";
};
zone "dnsseczombo.com." {
        type master;
        auto-dnssec maintain;
        update-policy { grant "master." zonesub any ANY; };
        allow-transfer {
                slaves;
        };
        file "external/dnsseczombo.com.zone";
};
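The diagnosis in this thread (named bound only to 127.0.0.1, allow-query limited to an internal ACL, allow-transfer none at every level) can be turned into a repeatable check. The following Python is an added example, not code from the thread, from Linode or from BIND; the netstat lines and option snippets it contains are constructed to mirror the ones posted above, and the finding names are made up for this example.

```python
import ipaddress
import re

# Constructed sample shaped like the thread's `netstat -tunap` output: named bound to loopback only.
NETSTAT_LOOPBACK = """\
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      8353/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      8353/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           8353/named
"""
# Constructed: the restrictive statements from the named.conf.options posted above.
CONF_INTERNAL_ONLY = """\
options {
        listen-on { 127.0.0.1; 192.168.0.1; };
        allow-transfer { none; };
        allow-query { internals; };
};
"""

def named_port53_addrs(netstat_output):
    """Local addresses that a '.../named' process has bound on port 53 (tcp or udp)."""
    rows = [line.split() for line in netstat_output.splitlines()]
    return {f[3].rpartition(":")[0] for f in rows
            if len(f) >= 4 and f[-1].endswith("/named") and f[3].rpartition(":")[2] == "53"}

def clauses(conf_text, name):
    """Every 'name { a; b; };' block in conf_text, each as a list of its values."""
    return [[v.strip() for v in body.split(";") if v.strip()]
            for body in re.findall(r"\b%s\s*\{([^}]*)\}" % re.escape(name), conf_text)]

def reachable_from_internet(addr):
    """'any', a wildcard or a globally routable IP counts; loopback, RFC1918 and ACL names do not."""
    try:
        return addr in ("any", "0.0.0.0", "::") or ipaddress.ip_address(addr).is_global
    except ValueError:  # an ACL name such as 'internals' cannot be judged from the text alone
        return False

def audit(netstat_output, conf_text):
    """Problems that stop a public primary from answering queries or feeding its secondaries."""
    findings = []
    if not any(map(reachable_from_internet, named_port53_addrs(netstat_output))):
        findings.append("no-public-port53-listener")
    if any(not any(map(reachable_from_internet, v)) for v in clauses(conf_text, "listen-on")):
        findings.append("listen-on-internal-only")
    if any("any" not in v for v in clauses(conf_text, "allow-query")):
        findings.append("allow-query-not-any")
    transfer = clauses(conf_text, "allow-transfer")
    if transfer and all(v == ["none"] for v in transfer):
        findings.append("transfers-blocked-everywhere")  # no zone opens AXFR to its secondaries
    return findings
```

Run `audit(NETSTAT_LOOPBACK, CONF_INTERNAL_ONLY)` to see all four findings; feed it the output of the live server and the config from the reply above and the list comes back empty.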

Thanks! I cribbed from that (basically took most of the options) and now have it working.

Big help, spared me a wild goose chase, thanks.

@dwfreed:

1. If you're going to use Linode's nameservers, you really should have all of them in the nameserver list set in your registrar.

Besides what dwfreed mentioned, it looks like you still have some work to do, as queries to ns{1-5}.linode.com are being refused for your domain. Make sure you have 'allow-transfer' set appropriately.

Travis
