Troubleshooting BIND configuration
My nameservers appear to whois:
whois yyrrll.net
Domain servers in listed order:
NS1.YYRRLL.NET
NS1.LINODE.COM
But ns1.yyrrll.net isn't available:
host ns1.yyrrll.net
Host ns1.yyrrll.net not found: 3(NXDOMAIN)
ns1.linode.com complains the transfer failed:
dig yyrrll.net @69.93.127.10 axfr
; <<>> DiG 9.5.1-P2 <<>> yyrrll.net @69.93.127.10 axfr
;; global options: printcmd
; Transfer failed.
I don't have errors in syslog, named-checkzone is OK for yyrrll.net, named-checkconf doesn't complain. The yyrrll.net zone is in the output of << rndc dumpdb -all >>, though this does have complaints about 'bad cache'.
How do I go about troubleshooting this?
13 Replies
Use your registrar's web interface to set the name servers for your domain to your linode and to linode's nameservers.
dig +trace is a helpful tool.
1. If you're going to use Linode's nameservers, you really should have all of them in the nameserver list set in your registrar.
2. It doesn't look like you have a host entry for ns1.yyrrll.net set in the delegation, which creates a circular dependency. IIRC, GoDaddy has an "Add Host" link in their control panel. You'll want to set the IPv4 and IPv6 (if any) addresses for your Linode.
3. The "Bad Cache" thing in the dump file produced is a section heading; provided there's nothing under it, it's completely innocuous.
4. You won't be able to AXFR from Linode's nameservers unless you explicitly turned that on (and you probably shouldn't, as AXFRs create increased load on the servers)
5. Paste your yyrrll.net zone file so we can be sure it's set up right. (named-checkzone does syntax checking, and will warn when you do stuff that isn't allowed, but that's it.) Don't redact or change anything in it.
6. Paste your named.conf file so that we can check that it's configured properly. For this one, redact any rndc or other keys you have in there, but nothing else.
db.yyrrll.net:
$TTL 3600
yyrrll.net. IN SOA ns1.yyrrll.net. webmaster.yyrrll.net. (
201202221254 ; Serial
3600 ; Refresh [1h]
600 ; Retry [10m]
86400 ; Expire [1d]
600 ) ; Negative Cache TTL [10m]
;
; Name servers
yyrrll.net. IN NS ns1.yyrrll.net.
yyrrll.net. IN NS ns1.linode.com.
; Glue records for name servers
ns1.yyrrll.net. IN A 66.228.58.59
; Mail records
yyrrll.net. IN MX 10 mail.yyrrll.net.
yyrrll.net. IN TXT "v=spf1 +a:mail.yyrrll.net -all"
; Loopback
localhost.yyrrll.net. IN A 127.0.0.1
; Host records
yyrrll.net. IN A 66.228.58.59
cheshire.yyrrll.net. IN A 66.228.58.59
mail.yyrrll.net. IN A 66.228.58.59
; Aliases
www IN CNAME yyrrll.net.
named.conf:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
// From wiki.debian.org/Bind9
// Managing acls
acl internals { 127.0.0.0/8; 192.168.0.0/24; };
// Load options
include "/etc/bind/named.conf.options";
// TSIG key used for the dynamic update
include "/etc/bind/ns-yyrrll-net_rndc-key";
// Configure the communication channel for Administrative BIND9 with rndc
// By default, they key is in the rndc.key file and is used by rndc and bind9
// on the localhost
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; };
};
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
include "/etc/bind/named.conf.local";
// Not in Debian example configuration but was present in .initial:
//-include "/etc/bind/named.conf.default-zones";
named.conf.local:
// Manage the file logs
include "/etc/bind/named.conf.log";
// Domain Management example.com
// ------------------------------
// - The server is defined as the master on the domain.
// - There are no forwarders for this domain.
// - Entries in the domain can be added dynamically
// with the key ns-example-com_rndc-key
// Configuration for yyrrll.net
zone "yyrrll.net" {
type master;
file "/etc/bind/db.yyrrll.net";
//-err?-file "/var/cache/bind/db.yyrrll.net";
//forwarders {};
// If the empty ''forwarders'' clause is not commented out, clients on the local subnet (in my case) don't have access to the upstream DNS?
//allow-update { key ns-yyrrll-net_rndc-key; };
allow-update { key rndc-key; };
//confusion between the file name to import (ns-example-com_rndc-key) and the key label (rndc-key) ?
};
zone "59.58.228.66.in-addr.arpa" {
type master;
file "/etc/bind/db.59.58.228.66";
//-err?-file "/var/cache/bind/db.59.58.228.66";
//see comment below (zone "example.com")
//forwarders {};
//allow-update { key ns-yyrrll-net_rndc-key; };
allow-update { key rndc-key; };
};
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";
Thank you for looking at this.
EDIT: possibly relevant detail:
the linode has hostname 'cheshire', which is not in the GoDaddy host designation at this writing (I'm going to add it after this)
bind9 is running under chroot; /etc/default/bind9 includes << OPTIONS="-u bind -t /var/bind/chroot" >>
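The glue problem raised in point 2 (an NS host inside the zone that nothing can resolve without an address record) can be checked mechanically before the zone is ever loaded. The script below is an added example, not code from the thread or from BIND: it parses the small zone-file subset used in db.yyrrll.net above ($TTL, ';' comments, the parenthesised multi-line SOA, optional TTL/class fields, relative owner names), then checks that every in-zone NS host has an A/AAAA record, that the SOA MNAME is one of the NS hosts, and that the apex is not a CNAME. The two sample zones are constructed, trimmed copies of the posted one. It cannot see the registrar's host record, which the delegation also needs.

```python
"""Check a BIND zone file for the delegation problems discussed above.
Added example (not from the thread or from BIND); the zone-file parser
covers only the syntax used in the posted db.yyrrll.net."""

def _absolute(name, origin):
    """Qualify a relative name against the zone origin ('@' is the apex)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def _logical_lines(text):
    """Strip ';' comments and join records that span parentheses (the SOA)."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        code = raw.split(";", 1)[0].rstrip()
        if not code.strip() and depth == 0:
            continue
        buf.append(code)
        depth += code.count("(") - code.count(")")
        if depth == 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    return out

def parse_zone(text, origin):
    """Return (owner, rtype, rdata_tokens) triples with absolute owner names."""
    origin = origin.rstrip(".") + "."
    records, last_owner = [], origin
    for line in _logical_lines(text):
        if line.startswith("$"):                  # $TTL / $ORIGIN directives
            if line.split()[0].upper() == "$ORIGIN":
                origin = line.split()[1]
            continue
        toks = line.split()
        # A blank owner field (leading whitespace) repeats the previous owner.
        owner = last_owner if line[0].isspace() else _absolute(toks.pop(0), origin)
        last_owner = owner
        while toks and (toks[0].isdigit() or toks[0].upper() in ("IN", "CH", "HS")):
            toks.pop(0)                           # optional TTL and class
        if toks:
            records.append((owner, toks[0].upper(), toks[1:]))
    return records

def check_delegation(text, origin):
    """Return a list of findings; an empty list means the checks passed."""
    origin = origin.rstrip(".") + "."
    recs = parse_zone(text, origin)
    findings = []
    addr_owners = {o for o, t, _ in recs if t in ("A", "AAAA")}
    ns_hosts = {_absolute(r[0], origin) for o, t, r in recs if t == "NS" and o == origin and r}
    for ns in sorted(ns_hosts):
        # An NS inside its own zone is only reachable through glue, so the
        # zone data (and the registrar's host record) must carry its address.
        if (ns == origin or ns.endswith("." + origin)) and ns not in addr_owners:
            findings.append(f"NS {ns} is inside the zone but has no A/AAAA (glue) record")
    if any(o == origin and t == "CNAME" for o, t, _ in recs):
        findings.append("the zone apex must not be a CNAME")
    soa = [r for o, t, r in recs if t == "SOA" and o == origin]
    if not soa:
        findings.append("no SOA record at the zone apex")
    elif _absolute(soa[0][0], origin) not in ns_hosts:
        findings.append(f"SOA MNAME {soa[0][0]} is not one of the zone's NS hosts")
    return findings

# Constructed sample: a trimmed copy of the posted zone, glue present.
ZONE_WITH_GLUE = """\
$TTL 3600
yyrrll.net. IN SOA ns1.yyrrll.net. webmaster.yyrrll.net. (
        201202221254 ; Serial
        3600         ; Refresh
        600          ; Retry
        86400        ; Expire
        600 )        ; Negative cache TTL
yyrrll.net.     IN NS ns1.yyrrll.net.
yyrrll.net.     IN NS ns1.linode.com.
ns1.yyrrll.net. IN A  66.228.58.59
yyrrll.net.     IN A  66.228.58.59
www             IN CNAME yyrrll.net.
"""
# Same zone with the glue record dropped: the circular-dependency case.
ZONE_MISSING_GLUE = ZONE_WITH_GLUE.replace("ns1.yyrrll.net. IN A  66.228.58.59\n", "")

if __name__ == "__main__":
    for label, zone in (("with glue", ZONE_WITH_GLUE), ("missing glue", ZONE_MISSING_GLUE)):
        print(label, check_delegation(zone, "yyrrll.net") or ["ok"])
```

Run as a script it reports "ok" for the first zone and the missing-glue finding for the second; point it at any other file with check_delegation(open(path).read(), "example.net").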
1. Paste /etc/bind/named.conf.options
2. Check that BIND is actually running and allowing connections on port 53. Because this is a public authoritative server, allow-query needs to be set to all.
# ps aux | grep bind
bind 3450 0.0 1.5 66240 7916 ? Ssl Feb20 0:00 /usr/sbin/named -u bind -t /var/bind9/chroot
bind 8353 0.0 1.6 66532 8176 ? Ssl 18:00 0:00 /usr/sbin/named -u bind -t /var/bind9/chroot
root 8373 0.0 0.1 3916 736 pts/2 S+ 18:10 0:00 grep bind
Not sure how to check for allowing connections on port 53, will post …options and research
// from wiki.debian.org/Bind9
options {
directory "/var/cache/bind";
// Exchange port between DNS servers
query-source address * port *;
// Transmit requests to 192.168.1.1 if
// this server doesn't know how to resolve them
forward only;
forwarders { 192.168.1.1; };
auth-nxdomain no; # conform to RFC1035
// Listen on local interfaces only(IPV4)
listen-on-v6 { none; };
listen-on { 127.0.0.1; 192.168.0.1; };
// Do not transfer the zone information to the secondary DNS
allow-transfer { none; };
// Accept requests for internal network only
allow-query { internals; };
// Allow recursive queries to the local hosts
allow-recursion { internals; };
// Do not make public version of BIND
version none;
};
Looking at this, the entries "Listen on local interfaces only" and "Accept requests for internal network only" seem a little strange.
root@cheshire:/etc/bind# nmap localhost
Starting Nmap 5.00 ( http://nmap.org ) at 2012-02-22 18:17 UTC
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
111/tcp open rpcbind
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
netstat -tunap
It looks like BIND isn't listening on the public address of your Linode, and so nothing works.
root@cheshire:~# netstat -tunap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:54094 0.0.0.0:* LISTEN 1365/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1353/portmap
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 8353/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1678/sshd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 8353/named
tcp 0 0 66.228.58.59:22 12.195.10.99:45510 ESTABLISHED 7733/1
tcp 0 0 66.228.58.59:22 12.195.10.99:36166 ESTABLISHED 7714/0
tcp 0 240 66.228.58.59:22 12.195.10.99:32690 ESTABLISHED 8448/2
tcp6 0 0 :::22 :::* LISTEN 1678/sshd
udp 0 0 127.0.0.1:53 0.0.0.0:* 8353/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 3450/named
udp 0 0 0.0.0.0:68 0.0.0.0:* 1647/dhclient
udp 0 0 0.0.0.0:111 0.0.0.0:* 1353/portmap
udp 0 0 66.228.58.59:123 0.0.0.0:* 1598/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 1598/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 1598/ntpd
udp 0 0 0.0.0.0:43167 0.0.0.0:* 1365/rpc.statd
udp 0 0 0.0.0.0:693 0.0.0.0:* 1365/rpc.statd
udp6 0 0 fe80::f03c:91ff:fed:123 :::* 1598/ntpd
udp6 0 0 2600:3c02::f03c:91f:123 :::* 1598/ntpd
udp6 0 0 ::1:123 :::* 1598/ntpd
udp6 0 0 :::123 :::* 1598/ntpd
root@cheshire:~#
acl slaves {
69.93.127.10;
65.19.178.10;
75.127.96.10;
207.192.70.10;
109.74.194.10;
localhost; // just in case
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
key "rndc-key" { // having the key here means you'll need to copy this block into /etc/bind/rndc.conf
algorithm hmac-md5;
secret "big shiny secret here";
};
include "/etc/bind/master.key";
options {
directory "/var/bind";
pid-file "/var/run/named/named.pid"; // Depending on Debian, this may or may not be needed
key-directory "keys";
provide-ixfr yes;
allow-query {
any;
};
allow-query-cache {
none;
};
allow-recursion {
none;
};
allow-transfer {
none;
};
listen-on-v6 {
any;
};
};
zone "hotellite.net." {
type master;
auto-dnssec maintain; // These domains have DNSSEC; this tells BIND to do the signing automatically, always
update-policy { grant "master." zonesub any ANY; };
allow-transfer {
slaves;
};
file "external/hotellite.net.zone";
};
zone "dnsseczombo.com." {
type master;
auto-dnssec maintain;
update-policy { grant "master." zonesub any ANY; };
allow-transfer {
slaves;
};
file "external/dnsseczombo.com.zone";
};
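The options block posted earlier (listen-on on loopback and a private address, allow-query limited to the internals acl, allow-transfer none) and the corrected layout in the reply above (allow-query any, recursion off, allow-transfer granted per zone to a slaves acl) differ in exactly the settings a public authoritative server gets wrong. The script below is an added example, not code from the thread or from ISC: it parses the named.conf subset used in this thread (nested `name { ... };` blocks, `key value;` statements, //, # and /* */ comments, quoted strings, acl definitions) and reports whether named would bind the public address, whether arbitrary Internet hosts can query, whether recursion is open to the world, and whether each listed secondary is allowed to transfer each master zone. The two sample configurations are constructed, condensed copies of the two posted above; the "arbitrary Internet host" address is a constructed RFC 5737 TEST-NET-2 value.

```python
"""Lint a named.conf for an Internet-facing authoritative nameserver.
Added example (not from the thread or from ISC BIND); parses the named.conf
subset used above and reports the settings that made the server unreachable."""
import ipaddress
import re

_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')
ANY_REMOTE = "198.51.100.1"   # constructed "arbitrary Internet host" (RFC 5737 TEST-NET-2)

def parse_conf(text):
    """Nested statements: each is a list of tokens (str) and blocks (list)."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)        # block comments
    toks = _TOKEN.findall(re.sub(r"(//|#).*", "", text))       # line comments
    pos = 0

    def block():
        nonlocal pos
        stmts = []
        while pos < len(toks) and toks[pos] != "}":
            stmt = []
            while pos < len(toks) and toks[pos] != ";":
                if toks[pos] == "{":
                    pos += 1
                    stmt.append(block())
                else:
                    stmt.append(toks[pos].strip('"'))
                pos += 1                      # past the token or the closing "}"
            pos += 1                          # past ";"
            if stmt:
                stmts.append(stmt)
        return stmts
    return block()

def _entries(stmt):
    """Members of an address-match list: allow-query { ... }; or acl x { ... };"""
    if not stmt or not isinstance(stmt[-1], list):
        return []
    return [" ".join(t for t in e if isinstance(t, str)) for e in stmt[-1]]

def _expand(entries, acls, seen=()):
    """Replace acl names with their members, recursively and loop-safe."""
    out = []
    for e in entries:
        out.extend(_expand(acls[e], acls, seen + (e,)) if e in acls and e not in seen else [e])
    return out

def _setting(block, key, acls, default):
    """Expanded match list for `key` inside a block, or BIND's default if absent."""
    return _expand(_entries(next((s for s in block if s[0] == key), None)), acls) or default

def _covers(entries, ip):
    """Does the list admit ip? 'none', 'localhost', negations and key matches
    are treated as non-matches, which is conservative for the questions asked."""
    addr = ipaddress.ip_address(ip)
    for e in entries:
        try:
            if e == "any" or addr in ipaddress.ip_network(e, strict=False):
                return True
        except ValueError:                    # not an address or prefix
            continue
    return False

def lint_authoritative(text, public_ip, secondaries):
    """Findings for a server that should answer everyone at public_ip and feed
    zone transfers to `secondaries`; an empty list means every check passed."""
    conf = parse_conf(text)
    acls = {s[1]: _entries(s) for s in conf if s[0] == "acl" and len(s) == 3}
    opts = next((s for s in conf if s[0] == "options"), None)
    body = opts[-1] if opts and isinstance(opts[-1], list) else []
    findings = []
    listen = _setting(body, "listen-on", acls, ["any"])    # default: every interface
    if not _covers(listen, public_ip):
        findings.append(f"listen-on {listen} does not bind {public_ip}; remote queries never reach named")
    if not _covers(_setting(body, "allow-query", acls, ["any"]), ANY_REMOTE):
        findings.append("allow-query refuses arbitrary Internet hosts; an authoritative server needs { any; }")
    if _covers(_setting(body, "allow-recursion", acls, ["localnets", "localhost"]), ANY_REMOTE):
        findings.append("allow-recursion admits arbitrary Internet hosts (open resolver)")
    global_xfer = _setting(body, "allow-transfer", acls, ["any"])   # BIND 9 default of the era
    for s in conf:
        if s[0] != "zone" or not isinstance(s[-1], list):
            continue
        zone, zbody = s[1], s[-1]
        if not any(st[:2] == ["type", "master"] for st in zbody):
            continue                                      # hint/slave zones not checked
        xfer = _setting(zbody, "allow-transfer", acls, global_xfer)   # zone overrides options
        if _covers(xfer, ANY_REMOTE):
            findings.append(f"zone {zone}: allow-transfer lets any host AXFR the zone")
        findings += [f"zone {zone}: secondary {sec} is not allowed to transfer {xfer}"
                     for sec in secondaries if not _covers(xfer, sec)]
    return findings

# Constructed samples, condensed from the options posted earlier (POSTED)
# and from the corrected layout in the reply above (CORRECTED).
POSTED = """
acl internals { 127.0.0.0/8; 192.168.0.0/24; };
options {
    listen-on { 127.0.0.1; 192.168.0.1; };   // local interfaces only
    allow-transfer { none; };
    allow-query { internals; };              // internal network only
    allow-recursion { internals; };
};
zone "yyrrll.net" { type master; file "/etc/bind/db.yyrrll.net"; };
"""
CORRECTED = """
acl slaves { 69.93.127.10; 65.19.178.10; localhost; };
options { allow-query { any; }; allow-recursion { none; }; allow-transfer { none; }; listen-on-v6 { any; }; };
zone "yyrrll.net." { type master; allow-transfer { slaves; }; file "external/yyrrll.net.zone"; };
"""
SECONDARIES = ["69.93.127.10", "65.19.178.10"]     # two of the addresses in the slaves acl

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name, lint_authoritative(conf, "66.228.58.59", SECONDARIES) or ["ok"])
```

For the posted configuration it reports four findings (listen-on, allow-query, and one per secondary that allow-transfer { none; } shuts out); for the corrected one it reports none. It only reads the file handed to it, so includes such as named.conf.options have to be concatenated first, and a running server still needs confirming with netstat or a query from outside.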
Big help, spared me a wild goose chase, thanks.
@dwfreed:
1. If you're going to use Linode's nameservers, you really should have all of them in the nameserver list set in your registrar.
Besides what dwfreed mentioned, it looks like you still have some work to do, as queries to ns{1-5}.linode.com are being refused for your domain. Make sure you have 'allow-transfer' set appropriately.
–
Travis