BIND setup log
cat /etc/named.conf
cat sr2.co.zone
Part 1 complete, issues:
Apparently parts of BIND require spaces to work properly (seriously?), "insecure" symbols enabled (like @), and some settings to enable the usage of subdomains with "_". Also added reverse IP so there are fewer complications.
7 Replies
@sednet:
Start comments in zone files with a semicolon ';' not double slash.
That was fixed a while ago; I ran an export from my old DNS server. But dig is not working when I explicitly try to query the DNS server.
```
dig @37.247.53.215 sr2.co
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> @37.247.53.215 sr2.co
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
```
Not sure what I did wrong. So I double-checked my iptables firewall?
```
iptables -vnL --line-numbers
Chain INPUT (policy ACCEPT 308 packets, 24802 bytes)
num pkts bytes target prot opt in out source destination
1 6115 399K fail2ban-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:53 dpts:1024:65535 state ESTABLISHED
3 1 474 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535 state ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 243 packets, 26061 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
2 9 461 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53 state NEW,ESTABLISHED
Chain fail2ban-SSH (1 references)
num pkts bytes target prot opt in out source destination
1 6115 399K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
```
Update 2: Yes, it's being blocked (remote test):
```
telnet 37.247.53.215 53
Connecting To 37.247.53.215…Could not open connection to the host, on port 53: Connect failed
```
I think my server is listening on the wrong port…
```
netstat -tulpn | grep :53
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 23714/named
tcp 0 0 ::1:53 :::* LISTEN 23714/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 23714/named
udp 0 0 ::1:53 :::* 23714/named
```
Fixed by changing the listening IPv4 address. It looks like it's working flawlessly locally, and remotely the port seems open. The next issue I'm running into is when I query DNS remotely, it gives an error.
```
dig @37.247.53.215 sr2.co
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> @37.247.53.215 sr2.co
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 62154
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;sr2.co. IN A
;; Query time: 167 msec
;; SERVER: 37.247.53.215#53(37.247.53.215)
;; WHEN: Sat Apr 6 01:10:58 2013
;; MSG SIZE rcvd: 24
```
Update 3: Added/modified the following in named.conf. (The server was set up to only accept queries from localhost for anything; changed it now to accept queries only for the domains managed by the name server.)
```
allow-recursion { localhost; };
allow-query { any; };
allow-query-cache { localhost; };
```
Seems to be working just fine. I did have to rewrite the name server whois entries.
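A checker for the settings this thread walks through, added here as an example and not code from the thread or from BIND: it pulls the ACL-style options out of a named.conf and maps each to the symptom seen above (loopback-only listen-on gives the timeout, localhost-only allow-query gives REFUSED) or to the exposure to avoid once allow-query is opened, namely an open resolver or unrestricted zone transfers. The sample config, the 192.0.2.53 slave address and the set of options inspected are assumptions.

```python
import re
# Real BIND option names; the check flags only explicit values it finds.
ACL_OPTIONS = ("listen-on", "allow-query", "allow-recursion",
               "allow-query-cache", "allow-transfer")

# Constructed sample: Update 3's settings plus listen-on for the public IPv4
# and allow-transfer limited to a placeholder slave address.
NAMED_CONF_FIXED = """
options {
    listen-on port 53 { 37.247.53.215; };
    allow-recursion { localhost; };
    allow-query { any; };
    allow-query-cache { localhost; };
    allow-transfer { 192.0.2.53; };   # placeholder for the slave's IP
};
"""

def parse_acls(conf):
    """Return {option: [entries]} for each ACL-style option present in conf.
    Matches 'listen-on port 53 { ... };' as well as 'allow-query { ... };'."""
    acls = {}
    for opt in ACL_OPTIONS:
        # the lookarounds stop allow-query from matching allow-query-cache
        pat = r"(?<![\w-])%s(?![\w-])[^{]*\{([^}]*)\}" % re.escape(opt)
        m = re.search(pat, conf)
        if m:
            acls[opt] = [e.strip() for e in m.group(1).split(";") if e.strip()]
    return acls

def check_named_conf(conf):
    """Map each setting to the symptom seen in the thread, or to the exposure
    to avoid once allow-query is opened to the world."""
    acls = parse_acls(conf)
    findings = []
    listen = acls.get("listen-on", [])
    if listen and all(e in ("127.0.0.1", "localhost") for e in listen):
        findings.append("listen-on: loopback only, remote dig times out")
    if acls.get("allow-query") == ["localhost"]:
        findings.append("allow-query: localhost only, remote queries get REFUSED")
    for opt in ("allow-recursion", "allow-query-cache"):
        if "any" in acls.get(opt, []):
            findings.append(opt + ": any, this is an open resolver")
    # BIND 9.8 allows zone transfers to any host unless allow-transfer says otherwise
    if "any" in acls.get("allow-transfer", ["any"]):
        findings.append("allow-transfer: unrestricted, limit it to the slave's address")
    return findings

if __name__ == "__main__":
    for line in check_named_conf(NAMED_CONF_FIXED) or ["no findings"]:
        print(line)
```

Run it against the real /etc/named.conf text; an empty list means none of the four problems is present.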
@hoopycat:
Seems like it is answering for me… but since you're posting here and thus obviously have a Linode, in addition to whatever 37.247.53.215 is, why not set it up as a slave? Having only one nameserver for a zone is not a valid configuration. You can also use Linode's DNS Manager instead/in addition to your own nameserver(s).
It looks like a virtual server from prometeus.net. They have some pretty good deals actually.
I did want to keep some of the info public in case anyone else has to go through the process of setting up their own name server with the latest version of BIND. I might use BlueVM for slave DNS servers. (They have a deal for 12 USD yearly for 128 MB of RAM VMs between three locations: Texas, Illinois, and California.)
@superfastcars:
You're correct, Prometeus doesn't offer name servers like Linode does. So I had to learn BIND (nsd, or that other one, I forget). I have several domains to transfer. But things seem to be transitioning just fine.
I've always run bind myself. I used to use everydns as a free slave before they got sold to dyn.
There are deals for $2.50 a month on bluevm's site but I don't see $12 a year. I'm not sure I'd trust anywhere that cheap, they can't be doing it right on that budget.
@sednet:
I've always run bind myself. I used to use everydns as a free slave before they got sold to dyn.
There are deals for $2.50 a month on BlueVM's site but I don't see $12 a year. I'm not sure I'd trust anywhere that cheap, they can't be doing it right on that budget. At $12 yearly you could scarcely complain if it didn't work properly. The deals are from a link on their BlueVM chat page:
The "catch" is that they refill it over time. (In this case you can't buy any of the plans right now because they are all used up.)