Trouble with DNS/Bind Install on Debian
I've noticed quite a bit of chatter regarding DNS/BIND in these forums, so my apologies if I'm beating a dead horse.
I'm attempting to run Bind 8.3.3-REL-NOESW on Linode's Debian distribution. My domain is registered with Network Solutions:
DNS1.SIMCIK.COM 64.5.53.240
DNS2.SIMCIK.COM 64.5.53.241
I installed Bind via Debian 'get-apt install' command, which apparently went smoothly.
I proceeded to configure Bind via O'Reilly's DNS and BIND book and the README included with the install. Here's my forward (db.simcik.com) and /etc/bind/named.conf files:
$TTL 3h
simcik.com. IN SOA dns1.simcik.com. support.simcik.com. (
1 ;Serial
3h ;Refresh after 3 hours
1h ;Retry after 1 hour
1w ;Expire after 1 week
1h ) ;Negative response caching TTL of 1 hour
;
;Name servers
;
simcik.com. IN NS dns1.simcik.com.
simcik.com. IN NS dns2.simcik.com.
;
;Host addresses
;
localhost.simcik.com. IN A 127.0.0.1
dns1.simcik.com. IN A 64.5.53.240
dns2.simcik.com. IN A 64.5.53.241
;
;Aliases
;
mail.simcik.com. IN CNAME dns1.simcik.com.
//------------------------------------------------------------------------------------
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind/README.Debian for information on the
// structure of BIND configuration files in Debian for BIND versions 8.2.1
// and later, BEFORE you customize this configuration file.
//
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
// query-source address * port 53;
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
};
// reduce log verbosity on issues outside our control
logging {
category lame-servers { null; };
category cname { null; };
};
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// add entries for other zones below here
zone "simcik.com" in {
type master;
file "/etc/bind/db.simcik.com";
};
I started the service initially by calling /etc/init.d/bind start; I also restarted/reloaded the server several times using the ndc command. I confirmed that the BIND daemon was running via netstat -an and via an Nmap scan of my server from another machine.
The ndc command does in fact work and doesn't appear to tell me anything that I do not already know. The only apparent oddity was that it reported I have 64 zones allocated, which seems a bit high.
I have also used the hostname command to rename the server to dns1.simcik.com. If this is not actually the way to make the hostname permanent please let me know!
I have previously tried installing DNS on RedHat but had nothing but problems there as well. While Debian is different and less popular, my recent experiences with it indicate that it's much less bloated than RedHat, with fewer application interdependencies as well.
I have a few ideas that may be food for thought for solving this, but haven't tried yet pending your advice:
- The "hints" file of domain roots is outdated
- The BIND daemon somehow does not have sufficient rights to run correctly. One of the links in the forum referenced a doc that used a "CHROOT Jail" for Bind.
- Something wacky is going on with my network configuration
The area that I haven't been able to dig ANY information out of is the Bind logs that are supposed to be under /var somewhere. The Debian docs didn't specify anything about logging, and looking at the LARGE section on logging in the DNS and Bind book I have, logging itself is a rather complex setup. If anyone has some quick pointers I'm all ears.
Thanks!
DTS
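The zone file above will not load as posted: the SOA record opens its multi-line RDATA with `{` where the master-file syntax requires `(`, so named sees a four-field SOA followed by five lines that are not resource records, and the zone is rejected before it is ever served. The checker below is an added example, not code from the thread or from the BIND distribution; it parses a zone file the way the book describes the format (owner, optional TTL, class, type, RDATA, with `( ... )` continuation lines) and reports the errors that most often keep a new authoritative server from loading: brace-for-parenthesis in the SOA, a wrong SOA field count or non-numeric serial, an in-zone nameserver that has no A/AAAA record, and a CNAME owner that also carries other record types. The sample zone is a constructed copy of the poster's file with the `{` typo; `FIXED_ZONE_TEXT` is the same file with `(`.

```python
"""Lint a BIND master (zone) file for the mistakes that most often stop a
new authoritative server from loading its zone.  Added example; it is not
part of the thread and is not BIND's own checker.  The sample zone below is
a constructed copy of the poster's db.simcik.com, including the '{' typo."""
import re

ZONE_TEXT = """\
$TTL 3h
simcik.com. IN SOA dns1.simcik.com. support.simcik.com. {
1 ;Serial
3h ;Refresh after 3 hours
1h ;Retry after 1 hour
1w ;Expire after 1 week
1h) ;Negative response caching TTL
simcik.com. IN NS dns1.simcik.com.
simcik.com. IN NS dns2.simcik.com.
localhost.simcik.com. IN A 127.0.0.1
dns1.simcik.com. IN A 64.5.53.240
dns2.simcik.com. IN A 64.5.53.241
mail.simcik.com. IN CNAME dns1.simcik.com.
"""
# The same zone with the SOA continuation wrapped in '(' ... ')' as required.
FIXED_ZONE_TEXT = ZONE_TEXT.replace("{", "(")

TTL_RE = re.compile(r"^\d+[smhdwSMHDW]?$")
KNOWN_TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "PTR", "TXT"}


def logical_lines(text):
    """Yield (lineno, has_owner, tokens): comments stripped, '(' ... ')'
    continuation lines joined into one logical record."""
    lines = [l.split(";", 1)[0].rstrip() for l in text.splitlines()]
    i = 0
    while i < len(lines):
        start, buf = i + 1, lines[i]
        has_owner = bool(buf) and not buf[0].isspace()  # blank owner = previous owner
        i += 1
        if "(" in buf and ")" not in buf:
            while i < len(lines):
                buf += " " + lines[i]
                i += 1
                if ")" in buf:
                    break
        tokens = buf.replace("(", " ").replace(")", " ").split()
        if tokens and not tokens[0].startswith("$"):  # skip $TTL / $ORIGIN directives
            yield start, has_owner, tokens


def parse_records(text):
    """Return (records, problems); each record is (lineno, owner, type, rdata)."""
    records, problems, owner = [], [], None
    for lineno, has_owner, tokens in logical_lines(text):
        fields = list(tokens)
        if has_owner:
            owner = fields.pop(0)
        while fields and (TTL_RE.match(fields[0]) or fields[0] == "IN"):
            fields.pop(0)  # optional TTL and class precede the type
        if not fields or fields[0] not in KNOWN_TYPES:
            problems.append(f"line {lineno}: not a resource record: {' '.join(tokens)!r}")
            continue
        records.append((lineno, owner, fields[0], fields[1:]))
    return records, problems


def check_zone(text):
    """Return a list of human-readable problems; an empty list means the
    checks passed."""
    records, problems = parse_records(text)
    soa = [r for r in records if r[2] == "SOA"]
    if len(soa) != 1:
        problems.append(f"expected exactly one SOA record, found {len(soa)}")
    for lineno, _, _, rdata in soa:
        if any("{" in f or "}" in f for f in rdata):
            problems.append(f"line {lineno}: SOA uses '{{' / '}}'; multi-line RDATA "
                            "must be wrapped in '(' and ')'")
        elif len(rdata) != 7:
            problems.append(f"line {lineno}: SOA needs 7 RDATA fields (mname rname "
                            f"serial refresh retry expire minimum), got {len(rdata)}")
        elif not rdata[2].isdigit():
            problems.append(f"line {lineno}: SOA serial {rdata[2]!r} is not an integer")
    origin = soa[0][1] if soa else None
    by_owner = {}
    for _, owner, rtype, _ in records:
        by_owner.setdefault(owner, set()).add(rtype)
    # Every nameserver named in an NS record that lives inside this zone needs
    # an address record, or resolvers have no way to reach it.
    for lineno, _, rtype, rdata in records:
        if rtype == "NS" and rdata and origin:
            target = rdata[0]
            in_zone = target == origin or target.endswith("." + origin)
            if in_zone and not by_owner.get(target, set()) & {"A", "AAAA"}:
                problems.append(f"line {lineno}: nameserver {target} is in-zone "
                                "but has no A/AAAA record")
    # A CNAME owner may carry no other record types (RFC 1034 section 3.6.2).
    for owner, types in by_owner.items():
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{owner}: CNAME coexists with {sorted(types - {'CNAME'})}")
    return problems


if __name__ == "__main__":
    for label, zone in (("as posted", ZONE_TEXT), ("with '(' fix", FIXED_ZONE_TEXT)):
        print(f"== {label} ==")
        for p in check_zone(zone) or ["no problems found"]:
            print("  " + p)
```

Run against the posted file it reports the SOA brace and five stray lines; against the corrected file it reports nothing, which is the state to reach before looking for the fault elsewhere (listening addresses, resolv.conf, registrar delegation).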
3 Replies
I noticed that you didn't say if you had set /etc/resolv.conf to 127.0.0.1. If you haven't, then you may not be testing your own server. You can try "dig @127.0.0.1
If you just changed the entry at the registrar, it's worth noting that it takes a while for it to become active.
Setting your own hostname is irrelevant to DNS.
Logging, you need to define a channel inside your logging stanza, like this:
logging {
channel chrootlog {
file "/logs/named.log" versions 3 size 10m;
print-time yes;
print-category yes;
print-severity yes;
severity info;
};
category lame-servers {null; };
category default {
chrootlog;
};
};
Adjust the "file" line to wherever you need. It's relative to the chroot(), which you may not be running.
Consider that just using zoneedit.com may be a much easier solution, if you are only interested in having DNS, rather than learning how to operate a DNS server.
Learning is really what it's all about. Otherwise, I could have just gotten a Windows-based Web host and been done with it by now.
I did change resolv.conf to use 127.0.0.1. Can anyone tell me how to properly configure my network interfaces (and resolv.conf) to NOT use DHCP, but to rely on a static configuration instead?
I tried to lookup simcik.com using dig; it told me that no servers could be reached.
Alas, my DNS server is still not working correctly.
Cheers,
David
@dts7209:
I did change resolv.conf to use 127.0.0.1. Can anyone tell me how to properly configure my network interfaces (and resolv.conf) to NOT use DHCP, but to rely on a static configuration instead?
I assume you are using Debian, as you mention using apt-get above. I don't know Debian as I have always used RedHat but this was pretty easy to find via a google search (it's from a Debian reference manual at
10.6.1 Configuring an interface with a static IP address
Suppose you want to configure an Ethernet interface such that it has a fixed IP address of 192.168.0.123. This address begins with 192.168.0 so it must be on a LAN. Suppose further that 192.168.0.1 is the address of the LAN's gateway to the Internet. Edit /etc/network/interfaces so that it includes a stanza like this:
iface eth0 inet static
address 192.168.0.123
netmask 255.255.255.0
gateway 192.168.0.1
If you have resolvconf installed then you can add lines that specify DNS information. For example:
iface eth0 inet static
address 192.168.0.123
netmask 255.255.255.0
gateway 192.168.0.1
dns-search nicedomain.org
dns-nameservers 195.238.2.21 195.238.2.22
After the interface is brought up, the arguments of the dns-search and dns-nameservers options are made available to resolvconf for inclusion in resolv.conf. The argument nicedomain.org of the dns-search option corresponds to the argument of a search option in resolv.conf(5). The arguments 195.238.2.21 and 195.238.2.22 of the dns-nameservers option correspond to the arguments of nameserver options in resolv.conf(5). Other recognized option words are dns-domain and dns-sortlist. See Managing nameserver information – resolvconf, Section 10.4.2.
10.6.2 Configuring an interface using DHCP
To configure an interface using DHCP edit /etc/network/interfaces so that it includes a stanza like this:
iface eth0 inet dhcp
In order for this to work you must have installed one of the DHCP clients mentioned in Configuring network interfaces using DHCP, Section 10.5.
@dts7209:
I tried to lookup simcik.com using dig; it told me that no servers could be reached.
I also tried to contact the name servers at 64.5.53.{240,241}, and was refused. It looks like bind is not running on your server, or not listening on your public interface if it is running. First question - do you really own two IP addresses? And if so, is bind configured to listen on both of them?
If you want to see what services are being listened for on what ports on your system, run "netstat -anp". Look for lines which end in LISTEN.
Finally, apart from the educational aspect of this, if you really want DNS then I would recommend going with one of the free providers. It's easier, more reliable, and safer (bind has been known to have many security flaws in the past, which is why configurations which put it in a chroot jail even exist). I use zoneedit.com, they are free and they rock.
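The reply above suggests `netstat -anp` and looking for LISTEN lines. One caveat matters for DNS specifically: UDP sockets never show a State column in netstat, so a name server bound only for UDP is invisible if you filter on LISTEN. The script below is an added example, not from the thread; it parses constructed `netstat -anp` output (a named bound to 127.0.0.1 only, which would produce exactly the "refused" result described in the reply) and reports, per protocol, which of the two registered addresses have no port-53 socket covering them, treating a wildcard bind on 0.0.0.0 as covering every address. The expected addresses are the ones from the poster's registrar records.

```python
"""Check whether a name server is bound to port 53 on every address it is
supposed to serve, from `netstat -anp` output.  Added example, not part of
the thread.  The netstat text below is constructed: named bound to the
loopback address only."""

NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      987/named
tcp        0      0 64.5.53.240:22          10.0.0.5:51022          ESTABLISHED 2201/sshd
udp        0      0 127.0.0.1:53            0.0.0.0:*                           987/named
udp        0      0 0.0.0.0:68              0.0.0.0:*                           301/dhclient
"""

# Addresses the registrar hands out for DNS1/DNS2.SIMCIK.COM in the original post.
EXPECTED_ADDRESSES = ["64.5.53.240", "64.5.53.241"]


def dns_sockets(netstat_text, port="53"):
    """Return {"tcp": set(ips), "udp": set(ips)} of local addresses bound to
    `port`.  TCP sockets must be in LISTEN state; UDP has no state column in
    netstat, so a UDP socket counts simply by being bound to the port."""
    bound = {"tcp": set(), "udp": set()}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in bound:
            continue  # headers, unix sockets, other protocols
        ip, sep, local_port = parts[3].rpartition(":")
        if not sep or local_port != port:
            continue
        if parts[0] == "udp" or "LISTEN" in parts[4:]:
            bound[parts[0]].add(ip)
    return bound


def missing_coverage(bound, expected):
    """Return [(proto, ip)] for expected addresses that no socket covers.
    A wildcard bind on 0.0.0.0 covers every local address."""
    missing = []
    for proto in ("udp", "tcp"):
        ips = bound.get(proto, set())
        if "0.0.0.0" in ips:
            continue
        missing.extend((proto, ip) for ip in expected if ip not in ips)
    return missing


def report(netstat_text, expected):
    """Convenience wrapper returning the missing (proto, ip) pairs."""
    return missing_coverage(dns_sockets(netstat_text), expected)


if __name__ == "__main__":
    for proto, ip in report(NETSTAT_OUTPUT, EXPECTED_ADDRESSES):
        print(f"no {proto} socket on {ip}:53")
```

In the constructed output named is reachable only on the loopback address, so all four (protocol, address) pairs are reported missing; replacing the `127.0.0.1:53` bindings with `0.0.0.0:53` clears the report. The same check answers the reply's second question, whether the daemon listens on both public addresses or only one.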