Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443
Rep:
How to make DNS master server?? Problems!!!
Hi,
I am a new member and this is my first time posting here so hello to everyone!
Ok now for my issue; Uptill yesterday I was using my Cisco router as a DNS server for my local network, however it put too much stress on the system as CPU usage went skye high and eventually the whole system started timing out. So I decided to create a DNS master from my main server.
I am running Debian Etch with Bind9 for this and so far passive DNS transferrs work fine, fast and smoothe.
Now I don't claim to be an expert at DNS but after Google'ing around a bit and the use of HowtoForge as refference I managed to create a local zone file.
I've checked the zone files using: named-checkzone and they all come out as ok.
However from the result of other tests my server keeps trying to use the domain servers from my domain provider and ofcourse my router doesn't let me access my internal domain that way. "Connection Refused" Error comes up.
rndc-confgen -a -c /etc/namedb/rndc.conf -k dnsadmin -b 256
However it is for BSD and not sure if linux is a bit different even though it did create the correct files. But now I get an error when trying to reload rndc:
rndc: connection to remote host closed
This may indicate that the remote server is using an older version of
the command protocol, this host is not authorized to connect,
or the key is invalid.
I am really stuck now as I have no idea what I am doing anymore!!!
I wonder if anyone can help me out at all, I would really apprieciate it. Thanks
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443
Original Poster
Rep:
I don't know if theres any additional information I can provide so that someone can help me with this issue?
Zone files, rndc.conf file?? I can provide it all as long as it helps!
In the mean time I configured my router back to master dns so now I have 2 masters on my network and my machines obviously are getting confused. (
Windows doesn't seem to care (typically) as long as router IP goes as primary DNS and server as secondary.
Linux systems are struggling though since they can either access the internet or the intranet but not both, and this is very bad news since I am running 3 servers.
Also my workstation now is using secondary DNS from the primary in the router and browsing is becoming painfull! Speed is rediculously slow.
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443
Original Poster
Rep:
Thanks MR C. for replying to start with!
ZONE FILES
File 192.168.1.rev
Code:
$TTL 1d ;
$ORIGIN 254.168.192.IN-ADDR.ARPA.
@ IN SOA ns1.optiplex-networks.com. info.optiplex-networks.com. (
2008092003
7200
120
2419200
604800
)
IN NS ns1.optiplex-networks.com.
IN NS ns2.optiplex-networks.com.
IN NS resolver1.systems.pipex.net.
IN NS resolver4.systems.pipex.net.
1 IN PTR ns1.optiplex-networks.com.
2 IN PTR ns2.optiplex-networks.com.
3 IN PTR resolver1.systems.pipex.net.
4 IN PTR resolver4.systems.pipex.net
File optiplex-networks.db
Code:
;
; BIND data file for example.com
;
$TTL 604800
@ IN SOA ns1.optiplex-networks.com. info.optiplex-networks.com. ( 2008092102 ; Serial
7200 ; Refresh
120 ; Retry
2419200 ; Expire
604800) ; Default TTL
;
@ IN NS ns1.optiplex-networks.com.
@ IN NS ns2.optiplex-networks.com.
@ IN NS resolver1.systems.pipex.net.
@ IN NS resolver4.systems.pipex.net.
optiplex-networks.com. IN MX 10 mail.optiplex-networks.com.
optiplex-networks.com. IN A 192.168.1.50
gx110.optiplex-networks.com. IN A 192.168.1.51
www.optiplex-networks.com IN A 192.168.1.50
mail IN A 192.168.1.50
ftp.optiplex-networks.com IN A 192.168.1.51
ferrari3200.optiplex-networks.com IN A 192.168.1.5
optiplex-networks.com. IN TXT "v=spf1 ip4:192.168.1.50 a mx ~all"
mail IN TXT "v=spf1 a -all"
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// zone "com" { type delegation-only; };
// zone "net" { type delegation-only; };
// From the release notes:
// Because many of our users are uncomfortable receiving undelegated answers
// from root or top level domains, other than a few for whom that behaviour
// has been trusted and expected for quite some length of time, we have now
// introduced the "root-delegations-only" feature which applies delegation-only// logic to all top level domains, and to the root domain. An exception list
// should be specified, including "MUSEUM" and "DE", and any other top level
// domains from whom undelegated responses are expected and trusted.
// root-delegation-only exclude { "DE"; "MUSEUM"; };
# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
algorithm hmac-md5;
secret "BijVPxU2yw3DUWDjgaQFPg==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "optiplex-networks.com" {
type master;
file "/var/named/optiplex-netowrks.db";
};
zone "1.168.192.IN-ADDR.ARPA" {
type master;
file "/var/named/192.168.1.rev";
};
Btw. dig indicating in the AUTHORITY SECTION that all the root servers are authoritative is a clue that your server does not think it is authoritative for a domain.
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443
Original Poster
Rep:
Quote:
Btw. dig indicating in the AUTHORITY SECTION that all the root servers are authoritative is a clue that your server does not think it is authoritative for a domain.
Yeah I figured but why I wonder? I am no expert with bind or DNS but it should be authoritive by default no?
Typo fixed and bind restarted:
Code:
Stopping domain name service...: bindrndc: connection to remote host closed
This may indicate that the remote server is using an older version of
the command protocol, this host is not authorized to connect,
or the key is invalid.
failed!
Starting domain name service...: bind.
If I am understanding your question... Querying the root server's will be the default until you setup your server to be authoritative for a domain. Then the root servers will not be queried, as bind knows which zones for which it is authoritative.
We'll assume your key is invalid. Until you get bind working, use stop/start and not restart, or start named manually. Then work on the key issues.
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443
Original Poster
Rep:
My question to put it in basic terms is that before I used my Cisco router as a DNS server so any local domain queries were done from there, still with the master DNS servers of my domain vendor providing DNS for WAN.
However I would like to use my main server for this as too much load is being put on the router and CPU usage going high to time the machine out.
With regards to the key I have no idea what or how to do as I've changed permissions to 777 even but still it's coming up with the same thing.
I tried removing the key and rndc complained that there was no key?? However before there was no key and rndc worked fine??????
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443
Original Poster
Rep:
Also if I try to stop bind by running /etc/init.d/bind9 stop
I get the same result:
Code:
Stopping domain name service...: bindrndc: connection to remote host closed
This may indicate that the remote server is using an older version of
the command protocol, this host is not authorized to connect,
or the key is invalid.
failed!
Again, one step at a time. You're drinking through a fire hose!
Until the name server is functioning properly, it cannot be used for queries. Forget about the Cisco box for now, and other systems using your new DNS.
Are you able to bring up named and run dig successfully, with dig both returning the correct results, and showing your server as authoritative?
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443
Original Poster
Rep:
Quote:
Again, one step at a time. You're drinking through a fire hose!
Until the name server is functioning properly, it cannot be used for queries. Forget about the Cisco box for now, and other systems using your new DNS.
Are you able to bring up named and run dig successfully, with dig both returning the correct results, and showing your server as authoritative?
Hehe sorry I guess I am a bit excited now that you're helping me!!!
Thanks for the link!!!
Right ok started DNS /etc/init.d/bind9 start and no problems at all
So far dig shows:
Code:
; <<>> DiG 9.3.4-P1.1 <<>> @localhost optiplex-networks.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6896
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;optiplex-networks.com. IN A
;; ANSWER SECTION:
optiplex-networks.com. 3600 IN A 81.178.2.118
;; AUTHORITY SECTION:
optiplex-networks.com. 10800 IN NS ns1.active-dns.com.
optiplex-networks.com. 10800 IN NS ns2.active-dns.com.
;; Query time: 473 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Sep 22 02:12:37 2008
;; MSG SIZE rcvd: 102
And that is correct active-dns.com is DNS for WAN side, no problems there.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.