This is a discussion on Re: newbie struggles.... within the Bind Users forums, part of the DNS and Related Forums category.
Mark Page <mark@weballistics.com> wrote:

> Hi all,
> I've been trying to set up an authoritative server for my domain name
> using BIND 9.2.2.P3 on Fedora Core 1 with the help of the O'Reilly book,
> but with no joy.

OK, I'll answer "interleaved". But first, I'm not clear about your topology. Are the nameservers located outside your NAT device? Hiding IP addresses will interfere with understanding your problem, just like hiding your real domain. Another thing: you should implement "split DNS" so your RFC 1918 addresses are hidden from the Internet (while usable from inside).

> My network set-up is like this:
>
> Internet <--> firewall <--> DMZ (172.16/16)
>                 "      <--> LAN (192.168.4/24)
>
> I have a domain name which I've delegated the authority for via the
> domain name registry's web-site, e.g.
>
> MYDOMAIN.co.uk    xx.yy.182.113    ns0.MYDOMAIN.co.uk
>                   xx.yy.182.114    ns1.MYDOMAIN.co.uk
>
> I have named running on 172.16.0.20 with the hostname PROD1 and use NAT
> to map to the 'real' IP address of xx.yy.182.113.
>
> my resolv.conf:

On which machine? The DNS server or a client box?

> ----------------
> [root@prod1 named]# more /etc/resolv.conf
> domain MYDOMAIN.co.uk
> #nameserver 127.0.0.1
> nameserver 172.16.0.20
>
> my named.conf:
> ---------------
> options {
>     directory "/var/named";
>     // Uncommenting this might help if you have to go through a
>     // firewall and things are not working out. But you probably
>     // need to talk to your firewall admin.
>     query-source address * port 53;

The above is unneeded; remove it (unless your firewall is really stupid).

> };
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> };
> zone "." {
>     type hint;
>     file "db.cache";
> };
> zone "MYDOMAIN.co.uk" {
>     type master;
>     file "db.MYDOMAIN.co.uk";
> };
> zone "16.172.in-addr.arpa" {
>     type master;
>     file "db.172.16";
> };
> zone "4.168.192.in-addr.arpa" {
>     type master;
>     file "db.192.168.4";
> };
> zone "0.0.127.in-addr.arpa" {
>     type master;
>     file "db.127.0.0";
> };
> include "/etc/rndc.key";
>
> The reverse DNS for my static block is looked after by my ISP's
> nameservers and the forward addresses do match. The other in-addr.arpa
> zone files are left out but they look fine.

Yes, you need to resolve RFC 1918 addresses if your clients are not to suffer long delays.

> my db.MYDOMAIN.co.uk:
> -----------------------
> $TTL 3h
> MYDOMAIN.co.uk. IN SOA prod1.MYDOMAIN.co.uk. mark.MYDOMAIN.co.uk. (
>                 1       ; Serial
>                 3h      ; Refresh every 3 hours
>                 1h      ; Retry
>                 1w      ; Expires 1 week
>                 1h )    ; negative caching ttl
> ;nameservers
> MYDOMAIN.co.uk.         IN NS   ns0.MYDOMAIN.co.uk.
> MYDOMAIN.co.uk.         IN NS   ns1.MYDOMAIN.co.uk.
> ;hosts
> localhost.MYDOMAIN.co.uk.   IN A    127.0.0.1
> ;
> ; Internet hosts
> ;
> ns0.MYDOMAIN.co.uk.     IN A    xx.yy.182.113
> ns1.MYDOMAIN.co.uk.     IN A    xx.yy.182.114
> www.MYDOMAIN.co.uk.     IN A    xx.yy.182.115
> beta.MYDOMAIN.co.uk.    IN A    xx.yy.182.116
> router.MYDOMAIN.co.uk.  IN A    xx.yy.182.118
> gateway.MYDOMAIN.co.uk. IN A    xx.yy.182.117
> ;
> ; LAN hosts
> ;
> ;dev.MYDOMAIN.co.uk.    IN A    192.168.4.37
> ;windy.MYDOMAIN.co.uk.  IN A    192.168.4.10
> ;lan-fw.MYDOMAIN.co.uk. IN A    192.168.4.77
> ;
> ; DMZ hosts
> ;
> prod1.MYDOMAIN.co.uk.   IN A    172.16.0.20
> ;dmz-fw.MYDOMAIN.co.uk. IN A    172.16.0.10
>
> With this configuration I can only do lookups (forward and reverse) for
> ns0.MYDOMAIN.co.uk and ns1.MYDOMAIN.co.uk (and only using the FQDN), e.g.:

You probably only see delegation data.

> -------
> [root@prod1 named]# dig ns0.MYDOMAIN.co.uk
>
> ; <<>> DiG 9.2.2-P3 <<>> ns0.MYDOMAIN.co.uk
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1092
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;ns0.MYDOMAIN.co.uk.            IN      A
>
> ;; ANSWER SECTION:
> ns0.MYDOMAIN.co.uk.     172800  IN      A       xx.yy.182.113
>
> ;; AUTHORITY SECTION:
> MYDOMAIN.co.uk.         172800  IN      NS      ns0.MYDOMAIN.co.uk.
> MYDOMAIN.co.uk.         172800  IN      NS      ns1.MYDOMAIN.co.uk.
>
> ;; ADDITIONAL SECTION:
> ns1.MYDOMAIN.co.uk.     172800  IN      A       xx.yy.182.114
>
> ;; Query time: 2 msec
> ;; SERVER: 172.16.0.20#53(172.16.0.20)
> ;; WHEN: Wed Apr 7 13:57:22 2004
> ;; MSG SIZE  rcvd: 104
>
> All lookups for, say, www.MYDOMAIN.co.uk are NXDOMAIN. I can't even
> resolve localhost, or the nameserver's DMZ hostname PROD1, but I can
> resolve other Internet addresses fine.
>
> I've commented out my LAN and DMZ to keep everything as minimal as
> possible, but when prod1.MYDOMAIN.co.uk. is commented out the above dig
> will time out. I would appreciate any help given.
>
> Regards, -Mark.
>
> p.s. this is not how I expect my final config to be, i.e. no security
> etc. - I just want to get basic lookups for my domain working first so
> please don't hassle me too much. :)

One key issue is your interaction with the firewall/NAT device. Start by working on the DNS servers, and when they work OK, see that the other server(s) and clients do what's intended.

-- 
Peter Håkanson
IPSec Sverige (At Gothenburg Riverside)
Sorry about my e-mail address, but I'm trying to keep spam out; remove "icke-reklam" if you feel like mailing me. Thanx.
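An added check, not part of the thread, that reads dig's text output and tells whether the server answered from its own zone or, as Peter suspects, only from delegation data: an authoritative answer carries the `aa` flag, and the 172800-second TTL in Mark's output does not match his zone's `$TTL 3h` (10800 s, assumed here). The sample output is constructed from the post, with the same placeholder addresses.

```python
import re

# Constructed sample modelled on the dig output quoted in the thread.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1092
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;ns0.MYDOMAIN.co.uk.            IN      A
;; ANSWER SECTION:
ns0.MYDOMAIN.co.uk.     172800  IN      A       xx.yy.182.113
;; AUTHORITY SECTION:
MYDOMAIN.co.uk.         172800  IN      NS      ns0.MYDOMAIN.co.uk.
MYDOMAIN.co.uk.         172800  IN      NS      ns1.MYDOMAIN.co.uk.
"""

ZONE_TTL = 10800  # assumed: the $TTL 3h from Mark's zone file, in seconds


def parse_dig(text):
    """Return (status, header flags, TTLs of ANSWER-section records)."""
    status, flags, ttls, section = None, set(), [], None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else None
        m = re.match(r";; flags: ([a-z ]*);", line)
        if m:
            flags = set(m.group(1).split())
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line.split()[1]  # QUESTION, ANSWER, AUTHORITY, ...
            continue
        if section == "ANSWER" and line and not line.startswith(";"):
            ttls.append(int(line.split()[1]))  # owner TTL class type rdata
    return status, flags, ttls


def diagnose(text, zone_ttl=ZONE_TTL):
    """Classify a dig reply received from the server that should be master."""
    status, flags, ttls = parse_dig(text)
    if status != "NOERROR":
        return "no-answer:" + str(status)
    if "aa" in flags:
        return "authoritative"  # served from the loaded zone
    # No 'aa' from the supposed master: the zone is not being served, and a
    # TTL that is not the zone's own $TTL points at delegation/glue data
    # learned via the root hints rather than at the local zone file.
    if ttls and zone_ttl not in ttls:
        return "delegation-data"
    return "not-authoritative"
```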