BIND9 - dig server fail

Discussion in 'Linux Networking' started by alike, Jan 15, 2012.

  1. alike

    alike Guest

    I have finally completed the main bind configuration.
    Now when I run the gadmin tool I get status OK.
    The zones are reloaded OK, resolv works, but there is one problem.
    When I dig my registered address I get SERVFAIL.

    Google:
    SERVFAIL means that the domain does exist and the root name servers have
    information on this domain, but that the authoritative name servers are
    not answering queries for this domain.

    How do I solve this?
     
    alike, Jan 15, 2012
    #1

  2. Hello,

    alike wrote:
    What do you mean by your "registered address" ?
    Is it supposed to be served authoritatively by your server ?
     
    Pascal Hambourg, Jan 15, 2012
    #2

  3. Chris Davies

    Chris Davies Guest

    Provide some detail. For example, tell us what domain are you talking
    about, so we can try it from "out here".

    Chris
     
    Chris Davies, Jan 15, 2012
    #3
  4. alike

    alike Guest

    These are the main ones:

    Named.conf.local
    --------------------------------
    zone "aisnet.com.hr" {
    type master;
    file "/etc/bind/db.aisnet.com.hr";
    };
    controls {
    inet 127.0.0.1 {localhost;} keys {rndc_key;};
    };


    acl internals {
    127.0.0.0/8;
    10.0.0.0/24;
    };
    ---------------------------------
    db.aisnet.com.hr
    ---------------------------------
    ; aisnet.com.hr
    $TTL 604800
    $ORIGIN aisnet.com.hr
    @ IN SOA ns1.aisnet.com.hr. (
    2006020201 ; Serial
    604800 ; Refresh
    86400 ; Retry
    2419200 ; Expire
    604800); Negative Cache TTL
    ;
    @ IN NS ns1
    IN A 192.168.1.110
    ns1 IN A dns1.aisnet.com.hr
    www IN A 192.168.1.110
     
    alike, Jan 16, 2012
    #4
  5. Chris Davies

    Chris Davies Guest


    Firstly, there are two errors in this file.

    1. An "A" record cannot resolve to a name, so your ns1 record is
    invalid. Frankly, I'm amazed that bind9 will even run with this error.

    2. Your SOA label should be an email address in dotted notation,
    not what I assume is your NS hostname. So you might have @ IN SOA
    hostmaster.aisnet.com.hr (implying a valid email address hostmaster *at*
    aisnet.com.hr).

    While you're experimenting I'd suggest you reduce the negative cache
    ttl to something like 600 (10 minutes) and the retry down to 3600. Not
    essential but can be helpful while you're changing the domain entries
    around.

    Agreed. I can find that delegation, but there seems to be nothing
    listening on that address.

    * Have you allowed both UDP/53 and TCP/53 through your firewall?
    * Is bind *really* running?

    Chris
     
    Chris Davies, Jan 16, 2012
    #5
  6. alike

    alike Guest

     
    alike, Jan 16, 2012
    #6
  7. Chris Davies wrote:
    Actually an SOA record contains *both* a hostname and an e-mail address
    in dotted notation. Here the address is missing.

    3. The NS record(s) in the zone do not match the delegation in the
    parent zone.

    ;; AUTHORITY SECTION:
    aisnet.com.hr. 14400 IN NS dns2.aisnet.com.hr.
    aisnet.com.hr. 14400 IN NS dns1.aisnet.com.hr.

    ;; ADDITIONAL SECTION:
    dns1.aisnet.com.hr. 14400 IN A 85.114.42.51
    dns2.aisnet.com.hr. 14400 IN A 85.114.42.52

    4. A publicly accessible zone should not advertise private addresses
    (192.168.1.110).
     
    Pascal Hambourg, Jan 16, 2012
    #7
  8. Chris Davies

    Chris Davies Guest

    Thank you Pascal. Once again I've leaped too quickly and you've had to
    correct me. (I do know what I'm doing. Really!)

    Cheers
    Chris
     
    Chris Davies, Jan 16, 2012
    #8
  9. alike

    alike Guest

    ---------------------
    $TTL 604800
    $ORIGIN aisnet.com.hr
    @ IN SOA ns1.aisnet.com.hr. (
    2006020201 ; Serial
    604800 ; Refresh
    86400 ; Retry
    2419200 ; Expire
    604800); Negative Cache TTL
    ;

    aisnet.com.hr 14400 IN NS dns2.aisnet.com.hr
    aisnet.com.hr 14400 IN NS dns1.aisnet.com.hr

    dns2.aisnet.com.hr 14400 IN A 85.114.42.51
    dns1.aisnet.com.hr 14400 IN A 85.114.42.52
    ------------------
    Is this correct?

    When I restart bind it loads OK, but when I look at syslog I get this
    error:

    automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
    automatic empty zone: 0.1.1.0.0.2.IP6.ARPA
    command channel listening on 127.0.0.1#953
    command channel listening on ::1#953
    zone 0.in-addr.arpa/IN: loaded serial 1
    zone 127.in-addr.arpa/IN: loaded serial 1
    zone 255.in-addr.arpa/IN: loaded serial 1
    dns_rdata_fromtext: /etc/bind/db.aisnet.com.hr:8: near eol: unexpected
    end of input
    zone aisnet.com.hr/IN: loading from master file
    /etc/bind/db.aisnet.com.hr failed: unexpected end of input
    zone aisnet.com.hr/IN: not loaded due to errors.
    zone localhost/IN: loaded serial 2
    managed-keys-zone ./IN: loading from master file managed-keys.bind
    failed: file not found
    managed-keys-zone ./IN: loaded serial 0
    named[10130]: running
    ---------------------------------------
     
    alike, Jan 17, 2012
    #9
  10. alike wrote:
    Not yet, but almost.
    The SOA record is still incomplete, see my comment above. Also you need
    to add a final dot at the end of fully qualified domain names, otherwise
    the base domain (origin) is appended.

    dns2.aisnet.com.hr -> dns2.aisnet.com.hr.aisnet.com.hr.
    dns2.aisnet.com.hr. -> ok
     
    Pascal Hambourg, Jan 17, 2012
    #10
  11. alike

    alike Guest

    -----------------------------------------
    zone 0.in-addr.arpa/IN: loaded serial 1
    zone 127.in-addr.arpa/IN: loaded serial 1
    zone 255.in-addr.arpa/IN: loaded serial 1
    /etc/bind/db.aisnet.com.hr:3: SOA record not at top of zone
    (aisnet.com.hr.aisnet.com.hr)
    zone aisnet.com.hr/IN: loading from master file
    /etc/bind/db.aisnet.com.hr failed: not at top of zone

    zone aisnet.com.hr/IN: not loaded due to errors.
    zone localhost/IN: loaded serial 2
    managed-keys-zone ./IN: loading from master file managed-keys.bind
    failed: file not found
    managed-keys-zone ./IN: loaded serial 0
    named[10797]: running
    //---------------------------------------------
    $TTL 604800
    $ORIGIN aisnet.com.hr
    @ IN SOA ns1.aisnet.com.hr. hostmaster.aisnet.com.hr.(
    2006020201 ; Serial
    604800 ; Refresh
    86400 ; Retry
    2419200 ; Expire
    604800); Negative Cache TTL
    ;

    aisnet.com.hr 14400 IN NS dns2.aisnet.com.hr.
    aisnet.com.hr 14400 IN NS dns1.aisnet.com.hr.

    dns2.aisnet.com.hr 14400 IN A 85.114.42.51
    dns1.aisnet.com.hr 14400 IN A 85.114.42.52
    //--------------------------------------------------------------------------
    SOA not at top of zone - how is bind reading this part?
    The line where the SOA is defined should be OK. Do I need to add some
    additional part in the db.aisnet.com.hr file?
     
    alike, Jan 18, 2012
    #11
  12. alike

    alike Guest

    **************************************
    -----------------------------------------
    zone 0.in-addr.arpa/IN: loaded serial 1
    zone 127.in-addr.arpa/IN: loaded serial 1
    zone 255.in-addr.arpa/IN: loaded serial 1
    /etc/bind/db.aisnet.com.hr:3: SOA record not at top of zone
    (aisnet.com.hr.aisnet.com.hr)
    zone aisnet.com.hr/IN: loading from master file
    /etc/bind/db.aisnet.com.hr failed: not at top of zone

    zone aisnet.com.hr/IN: not loaded due to errors.
    zone localhost/IN: loaded serial 2
    managed-keys-zone ./IN: loading from master file managed-keys.bind
    failed: file not found
    managed-keys-zone ./IN: loaded serial 0
    named[10797]: running
    //---------------------------------------------
    $TTL 604800
    $ORIGIN aisnet.com.hr
    @ IN SOA ns1.aisnet.com.hr. hostmaster.aisnet.com.hr.(
    2006020201 ; Serial
    604800 ; Refresh
    86400 ; Retry
    2419200 ; Expire
    604800); Negative Cache TTL
    ;

    aisnet.com.hr 14400 IN NS dns2.aisnet.com.hr.
    aisnet.com.hr 14400 IN NS dns1.aisnet.com.hr.

    dns2.aisnet.com.hr 14400 IN A 85.114.42.51
    dns1.aisnet.com.hr 14400 IN A 85.114.42.52
    //--------------------------------------------------------------------------
    SOA not at top of zone - how is bind reading this part?
    The line where the SOA is defined should be OK. Do I need to add some
    additional part in the db.aisnet.com.hr file?

    Btw. when I run www.intodns.com/aisnet.com.hr I get errors that the
    nameservers did not respond. Can this be just because of the SOA record?
     
    alike, Jan 18, 2012
    #12
  13. alike

    alike Guest

    ---------------------
    server kernel: [599187.896924] type=1400 audit(1326782359.143:613):
    apparmor="DENIED" operation="mknod" parent=10006
    profile="/usr/sbin/named" name="/etc/bind/etc/named.run" pid=10008
    comm="named" requested_mask="c" denied_mask="c" fsuid=116 ouid=116
    Can this block the response from the nameservers?
     
    alike, Jan 18, 2012
    #13
  14. alike wrote:
    As I wrote, you must add a dot at the end of all instances of full domain
    names, including in the $ORIGIN primitive, SOA and NS records. In short,
    after all instances of aisnet.com.hr.
     
    Pascal Hambourg, Jan 18, 2012
    #14
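The checks the replies above apply by hand, written up as an added example (this is not code from the thread, from BIND, or from any poster). It applies the origin rule Pascal states in posts #10 and #14 the way named does: the initial origin is the zone name, so an un-dotted "$ORIGIN aisnet.com.hr" in the zone aisnet.com.hr becomes aisnet.com.hr.aisnet.com.hr. and the linter reproduces the "SOA record not at top of zone" message from post #11. It also covers the points from posts #5 and #7: the SOA must carry both MNAME and RNAME, A records must hold IPv4 addresses rather than hostnames, a public zone should not publish private addresses, and the apex NS set should match the parent delegation. The sample zone text and the DELEGATION tuple are constructed from the thread's posts; the function names, Record and ZONE_POST11 are assumptions of this example, and the parser accepts only the master-file syntax the posted files use.

```python
"""Minimal linter for the BIND master-file mistakes discussed in this thread
(added example, not code from the thread or from BIND). It handles only the
syntax the posted files use: $TTL, $ORIGIN, ';' comments, a parenthesised SOA, NS, A."""
import ipaddress
from collections import namedtuple

Record = namedtuple("Record", "owner rtype rdata origin")  # owner is absolute
DELEGATION = ("dns1.aisnet.com.hr.", "dns2.aisnet.com.hr.")  # dig's AUTHORITY section

# Constructed sample: the zone file from post #11, before trailing dots were added.
ZONE_POST11 = """\
$TTL 604800
$ORIGIN aisnet.com.hr
@ IN SOA ns1.aisnet.com.hr. hostmaster.aisnet.com.hr.(
    2006020201 ; Serial
    604800 ; Refresh
    86400 ; Retry
    2419200 ; Expire
    604800); Negative Cache TTL
aisnet.com.hr 14400 IN NS dns2.aisnet.com.hr.
aisnet.com.hr 14400 IN NS dns1.aisnet.com.hr.
dns2.aisnet.com.hr 14400 IN A 85.114.42.51
dns1.aisnet.com.hr 14400 IN A 85.114.42.52
"""

def qualify(name, origin):
    """RFC 1035 s5.1: '@' is the origin, a name ending in '.' is absolute,
    any other name gets the current origin appended."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def _logical_lines(text):
    """Drop ';' comments and blank lines; join lines until '(' and ')' balance."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield "\n".join(buf)
            buf, depth = [], 0
    if buf:  # what named reports when an SOA's ')' never comes
        raise ValueError("unexpected end of input")

def parse_zone(text, zone_name):
    """The initial origin is the zone name, as in named, so an un-dotted
    $ORIGIN is itself relative and gets the zone name appended."""
    origin = zone_name if zone_name.endswith(".") else zone_name + "."
    records, last_owner = [], origin
    for line in _logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = qualify(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            continue
        # A line starting with whitespace reuses the previous owner name.
        owner = last_owner if line[0].isspace() else qualify(tokens.pop(0), origin)
        for _ in range(2):  # optional TTL, optional class
            if tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
                tokens.pop(0)
        records.append(Record(owner, tokens.pop(0).upper(), tokens, origin))
        last_owner = owner
    return records

def lint_zone(text, zone_name, delegation=()):
    """Return findings as strings; `delegation` is the NS set the parent publishes."""
    apex = zone_name if zone_name.endswith(".") else zone_name + "."
    try:
        records = parse_zone(text, apex)
    except (ValueError, IndexError) as exc:
        return [f"parse error: {exc}"]
    findings = []
    if not records or records[0].rtype != "SOA":
        findings.append("first record must be the SOA")
    else:
        soa = records[0]
        if soa.owner != apex:  # the message named logged in the thread
            findings.append(f"SOA record not at top of zone ({soa.owner.rstrip('.')})")
        if len(soa.rdata) < 7:
            findings.append("SOA incomplete: need MNAME RNAME serial refresh retry expire minimum")
    apex_ns = set()
    for r in records:
        if r.rtype == "NS" and r.owner == apex and r.rdata:
            apex_ns.add(qualify(r.rdata[0], r.origin))
        elif r.rtype == "A":
            try:
                ip = ipaddress.IPv4Address(r.rdata[0])
            except (IndexError, ValueError):
                findings.append(f"{r.owner} A {' '.join(r.rdata)!r}: not an IPv4 address")
                continue
            if ip.is_private:
                findings.append(f"{r.owner} A {ip}: private address in a public zone")
    expected = {n if n.endswith(".") else n + "." for n in delegation}
    if expected and apex_ns != expected:
        findings.append(f"apex NS {sorted(apex_ns)} differ from delegation {sorted(expected)}")
    return findings
```

Calling lint_zone(ZONE_POST11, "aisnet.com.hr", DELEGATION) returns the "SOA record not at top of zone (aisnet.com.hr.aisnet.com.hr)" finding plus an empty apex NS set, because every un-dotted owner name has the doubled origin appended; the same file with a dot after each aisnet.com.hr returns no findings. This only inspects the file: it cannot tell whether the listed nameservers answer on the public addresses, which is the question that remains open later in the thread, and named-checkzone remains the authoritative syntax check.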
  15. alike

    alike Guest

    Sorry, I didn't know I had to put dots after all names.

    Ok, now it has passed this part and this is the log file:

    loading configuration from '/etc/bind/named.conf'
    reading built-in trusted keys from file '/etc/bind/bind.keys'
    using default UDP/IPv4 port range: [1024, 65535]
    using default UDP/IPv6 port range: [1024, 65535]
    listening on IPv6 interfaces, port 53
    listening on IPv4 interface lo, 127.0.0.1#53
    listening on IPv4 interface eth0, 192.168.1.110#53
    generating session key for dynamic DNS
    set up managed keys zone for view _default, file 'managed-keys.bind'
    automatic empty zone: 254.169.IN-ADDR.ARPA
    automatic empty zone: 2.0.192.IN-ADDR.ARPA
    automatic empty zone: 100.51.198.IN-ADDR.ARPA
    automatic empty zone: 113.0.203.IN-ADDR.ARPA
    automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
    automatic empty zone:
    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
    automatic empty zone:
    1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
    automatic empty zone: D.F.IP6.ARPA
    automatic empty zone: 8.E.F.IP6.ARPA
    automatic empty zone: 9.E.F.IP6.ARPA
    automatic empty zone: A.E.F.IP6.ARPA
    automatic empty zone: B.E.F.IP6.ARPA
    automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
    automatic empty zone: 0.1.1.0.0.2.IP6.ARPA
    command channel listening on 127.0.0.1#953
    command channel listening on ::1#953
    zone 0.in-addr.arpa/IN: loaded serial 1
    zone 127.in-addr.arpa/IN: loaded serial 1
    zone 255.in-addr.arpa/IN: loaded serial 1
    zone aisnet.com.hr/IN: loaded serial 2006020201
    zone localhost/IN: loaded serial 2
    managed-keys-zone ./IN: loading from master file managed-keys.bind
    failed: file not found
    managed-keys-zone ./IN: loaded serial 0
    zone aisnet.com.hr/IN: sending notifies (serial 2006020201)
    running
     
    alike, Jan 18, 2012
    #15
  16. alike wrote:
    The two declared nameserver addresses, 85.114.42.51 and 85.114.42.52,
    are unreachable. No reply to ICMP echo (ping), traceroute, DNS request.
    What are these addresses? From the above log your DNS server has
    a private address, 192.168.1.110. How are they related?
     
    Pascal Hambourg, Jan 18, 2012
    #16
  17. alike

    alike Guest

    ----------------------------------
    The main idea is to set up something like dyndns.com because this is
    exactly what I need. I must be able to offer a dynamic domain to my users.
    Something like user.aisnet.com.hr.

    Therefore I have registered the aisnet.com.hr domain and two nameservers:
    85.114.42.51 and 52. Those nameservers are registered by one domain
    provider.
    ---------------------------------
    192.168.1.110 is the local IP of my computer and
    this computer should act as DNS server.
    In my local network I have 5 computers and just one should act as DNS
    server.
    --------------------------------
    db.aisnet.com.hr
    ****************
    $TTL 604800
    $ORIGIN aisnet.com.hr.
    @ IN SOA ns1.aisnet.com.hr. hostmaster.aisnet.com.hr.(
    2006020201 ; Serial
    604800 ; Refresh
    86400 ; Retry
    2419200 ; Expire
    604800); Negative Cache TTL
    ;

    aisnet.com.hr. 14400 IN NS dns2.aisnet.com.hr.
    aisnet.com.hr. 14400 IN NS dns1.aisnet.com.hr.

    dns2.aisnet.com.hr. 14400 IN A 85.114.42.51
    dns1.aisnet.com.hr. 14400 IN A 85.114.42.52

    @ IN A 85.114.42.51 --> changed
    --------------------------------------------
    zone aisnet.com.hr/IN: loaded serial 2006020201
    zone localhost/IN: loaded serial 2
    managed-keys-zone ./IN: loading from master file managed-keys.bind
    failed: file not found
    managed-keys-zone ./IN: loaded serial 0
    zone aisnet.com.hr/IN: sending notifies (serial 2006020201)
    running
     
    alike, Jan 19, 2012
    #17
  18. alike wrote:
    What do you mean by "registered" ?
    Who is operating those two nameservers ?

    How is this nameserver related to the two others above ?
    Private addresses are unreachable from the public internet.
    Did you set up port forwarding from 85.114.42.51 or 85.114.42.52 to
    192.168.1.110 ? Or is 192.168.1.110 used as a master (primary)
    nameserver by 85.114.42.51 and 85.114.42.52 ?
     
    Pascal Hambourg, Jan 19, 2012
    #18
  19. alike

    alike Guest

    -------------------------------------------------------------
    My local network is in the range 1.90 - 1.110.
    192.168.1.110 is just the local IP of my computer.
    This computer should act as DNS server.

    85.114.42.51 and 52 are static IP addresses from my ISP and these
    addresses are registered as dns1.aisnet.com.hr, dns2.aisnet.com.hr

    The "carnet" has put these two IP addresses into their DNS server zones.
    Carnet is a research network: http://www.carnet.hr/en
    ------------------------------------------
     
    alike, Jan 20, 2012
    #19
  20. alike

    alike Guest

    I have contacted carnet and my registrar and they both think that
    there is a problem in the configuration. I got the answer that
    dns1.aisnet.com.hr is in the NS and that the aisnet.com.hr domain is active.

    So, it looks like something is blocking dns1.aisnet.com.hr or we have
    to change the configuration.

    As far as I understand... my computer (DNS server) is set to
    192.168.1.110. In the bind configuration we have set dns1.aisnet.com.hr
    and dns2.aisnet.com.hr as the two addresses of the name servers. So now we
    have to find a way to combine/process the local IP and the DNS IPs.
     
    alike, Jan 20, 2012
    #20