newbie struggles....
phn at icke-reklam.ipsec.nu
Wed Apr 7 13:59:03 UTC 2004
Mark Page <mark at weballistics.com> wrote:
> Hi all,
> I've been trying to set up an authoritative server for my domain name
> using BIND 9.2.2.P3 on fedora core 1 with the help of the O'reilly book,
> but with no joy.
Ok, I'll answer "interleaved". But first I'm not clear about
your topology. Are the nameservers located outside your NAT device?
Hiding IP addresses will interfere with understanding your problem,
just like hiding your real domain.
Another thing, you should implement "split-dns" so your RFC 1918
addresses are hidden from the Internet (while usable from inside).
> My network set up is like this :-
> Internet <--> firewall <--> DMZ (172.16/16)
> " <--> LAN (192.168.4/24)
> I have a domain name which I've delegated the authority for via the
> domain name registry's web-site, e.g.
> MYDOMAIN.co.uk xx.yy.182.113 ns0.MYDOMAIN.co.uk
> xx.yy.182.114 ns1.MYDOMAIN.co.uk
> I have named running on 172.16.0.20 with the hostname PROD1 and use NAT
> to map to 'real' ip address of xx.yy.182.113.
> my resolv.conf:-
On which machine ? The dns server or a client box ?
> ----------------
> [root at prod1 named]# more /etc/resolv.conf
> domain MYDOMAIN.co.uk
> #nameserver 127.0.0.1
> nameserver 172.16.0.20
> my named.conf:-
> ---------------
> options {
> directory "/var/named";
> // Uncommenting this might help if you have to go through a
> // firewall and things are not working out. But you probably
> // need to talk to your firewall admin.
> query-source address * port 53;
The above is unneeded, remove (unless your firewall is really stupid).
> };
> controls {
> inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> };
> zone "." {
> type hint;
> file "db.cache";
> };
> zone "MYDOMAIN.co.uk" {
> type master;
> file "db.MYDOMAIN.co.uk";
> };
> zone "16.172.in-addr.arpa" {
> type master;
> file "db.172.16";
> };
> zone "4.168.192.in-addr.arpa" {
> type master;
> file "db.192.168.4";
> };
> zone "0.0.127.in-addr.arpa" {
> type master;
> file "db.127.0.0";
> };
> include "/etc/rndc.key";
> the reverse DNS for my static block is looked after by my ISPs
> nameservers and the forward addresses do match. The other in-addr.arpa.
> zone files are left out but they look fine.
Yes, you need to resolve RFC 1918 addresses if your clients are not to
suffer long delays.
> my db.MYDOMAIN.co.uk:-
> -----------------------
> $TTL 3h
> MYDOMAIN.co.uk. IN SOA prod1.MYDOMAIN.co.uk.
> mark.MYDOMAIN.co.uk. (
> 1 ; Serial
> 3h ; Refresh every 3 hours
> 1h ; Retry
> 1w ; Expires 1 week
> 1h ) ; negative caching ttl
> ;nameservers
> MYDOMAIN.co.uk. IN NS ns0.MYDOMAIN.co.uk.
> MYDOMAIN.co.uk. IN NS ns1.MYDOMAIN.co.uk.
> ;hosts
> localhost.MYDOMAIN.co.uk. IN A 127.0.0.1
> ;
> ; Internet hosts
> ;
> ns0.MYDOMAIN.co.uk. IN A xx.yy.182.113
> ns1.MYDOMAIN.co.uk. IN A xx.yy.182.114
> www.MYDOMAIN.co.uk. IN A xx.yy.182.115
> beta.MYDOMAIN.co.uk. IN A xx.yy.182.116
> router.MYDOMAIN.co.uk. IN A xx.yy.182.118
> gateway.MYDOMAIN.co.uk. IN A xx.yy.182.117
> ;
> ; LAN hosts
> ;
> ;dev.MYDOMAIN.co.uk. IN A 192.168.4.37
> ;windy.MYDOMAIN.co.uk. IN A 192.168.4.10
> ;lan-fw.MYDOMAIN.co.uk. IN A 192.16.4.77
> ;
> ; DMZ hosts
> ;
> prod1.MYDOMAIN.co.uk. IN A 172.16.0.20
> ;dmz-fw.MYDOMAIN.co.uk. IN A 172.16.0.10
> with this configuration I can only do lookups (forward and reverse) for
> ns0.MYDOMAIN.co.uk and ns1.MYDOMAIN.co.uk (and only using the FQDN). e.g. :-
You probably only see delegation data.
> -------
> [root at prod1 named]# dig ns0.MYDOMAIN.co.uk
> ; <<>> DiG 9.2.2-P3 <<>> ns0.MYDOMAIN.co.uk
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1092
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;ns0.MYDOMAIN.co.uk. IN A
> ;; ANSWER SECTION:
> ns0.MYDOMAIN.co.uk. 172800 IN A xx.yy.182.113
> ;; AUTHORITY SECTION:
> MYDOMAIN.co.uk. 172800 IN NS ns0.MYDOMAIN.co.uk.
> MYDOMAIN.co.uk. 172800 IN NS ns1.MYDOMAIN.co.uk.
> ;; ADDITIONAL SECTION:
> ns1.MYDOMAIN.co.uk. 172800 IN A xx.yy.182.114
> ;; Query time: 2 msec
> ;; SERVER: 172.16.0.20#53(172.16.0.20)
> ;; WHEN: Wed Apr 7 13:57:22 2004
> ;; MSG SIZE rcvd: 104
> All lookups for, say, www.MYDOMAIN.co.uk are NXDOMAIN. I can't even
> resolve localhost, or the nameserver's DMZ hostname PROD1, but I can
> resolve other internet addresses fine.
> I've commented out my LAN and DMZ to keep everything as minimal as
> possible, but when prod1.MYDOMAIN.co.uk. is commented out the above dig
> will time out. I would appreciate any help given.
> Regards, -Mark.
> p.s. this is not how I expect my final config to be, i.e. no security
> etc - I just want to get basic lookups for my domain working first so
> please don't hassle me too much. :)
One key issue is your interaction with firewall/nat device. Start
working on dns-servers and when they work ok, see that other server(s)
and clients do what's intended.
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
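Peter's remark that the dig output in the post probably shows only delegation data can be checked mechanically rather than by eye: an answer served from a loaded master zone carries the aa flag and the TTL the zone file sets ($TTL 3h, i.e. 10800), while the quoted answer has flags "qr rd ra" (no aa) and TTL 172800, which is not a value from db.MYDOMAIN.co.uk at all. The script below is an added example and not code from the thread. Its parsing functions work on captured dig text, so the response quoted in the post and a second, constructed "zone is loaded" response are embedded for offline use; only check_live, which actually runs dig, assumes a reachable server.

```shell
#!/bin/sh
# Added example, not from the thread: distinguish an answer served from a
# loaded master zone (aa flag, zone's own TTL) from delegation or cached
# data. The parsing functions take captured dig output as a string, so they
# run offline; only check_live assumes a reachable server and a dig binary.

# Flags word list of a dig response, e.g. "qr rd ra" or "qr aa rd ra".
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# Succeeds (exit 0) only if the response carries the aa flag.
is_authoritative() {
    case " $(dig_flags "$1") " in
        *" aa "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# TTL of the first record in the ANSWER section; prints nothing if none.
answer_ttl() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { inans = 1; next }
        /^;;/                 { inans = 0 }
        inans && NF >= 4      { print $2; exit }'
}

# Verdict for one response against the TTL the zone file sets ($TTL 3h = 10800).
# Prints authoritative | not-authoritative | ttl-mismatch; exit 0 only when authoritative.
diagnose() {
    resp=$1
    expected_ttl=$2
    if ! is_authoritative "$resp"; then
        echo not-authoritative      # no aa: delegation or cached data, zone not loaded
        return 1
    fi
    if [ "$(answer_ttl "$resp")" != "$expected_ttl" ]; then
        echo ttl-mismatch           # aa set, but not the TTL from this zone file
        return 1
    fi
    echo authoritative
    return 0
}

# Live query: check_live <server> <name> <expected_ttl>. +norecurse makes
# sure a recursive server cannot fill the answer from its cache.
check_live() {
    diagnose "$(dig +norecurse @"$1" "$2" A)" "$3"
}

# Sample 1: the response quoted in the post (no aa, TTL 172800).
SAMPLE_DELEGATION=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1092
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;ns0.MYDOMAIN.co.uk. IN A

;; ANSWER SECTION:
ns0.MYDOMAIN.co.uk. 172800 IN A xx.yy.182.113

;; AUTHORITY SECTION:
MYDOMAIN.co.uk. 172800 IN NS ns0.MYDOMAIN.co.uk.
MYDOMAIN.co.uk. 172800 IN NS ns1.MYDOMAIN.co.uk.'

# Sample 2: constructed, what the same server should say once db.MYDOMAIN.co.uk
# loads ($TTL 3h -> 10800, aa set). The id value is made up.
SAMPLE_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4821
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.MYDOMAIN.co.uk. IN A

;; ANSWER SECTION:
www.MYDOMAIN.co.uk. 10800 IN A xx.yy.182.115

;; AUTHORITY SECTION:
MYDOMAIN.co.uk. 10800 IN NS ns0.MYDOMAIN.co.uk.
MYDOMAIN.co.uk. 10800 IN NS ns1.MYDOMAIN.co.uk.'

if [ "${1:-}" = --demo ]; then
    diagnose "$SAMPLE_DELEGATION" 10800   # not-authoritative
    diagnose "$SAMPLE_AUTH" 10800         # authoritative
fi
```

Run it as `sh check.sh --demo` to see both verdicts, or call `check_live 172.16.0.20 www.MYDOMAIN.co.uk 10800` from the DMZ box. A "not-authoritative" verdict for a name you expect to serve means named never loaded the master zone and is answering from hints plus recursion; the next step is the named log (or `named-checkzone MYDOMAIN.co.uk db.MYDOMAIN.co.uk`), not more resolv.conf changes.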
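Peter's "split-dns" suggestion, written out for the topology in the post as an added example (this is not a config from the thread and has not been run against the poster's setup). With the single named.conf quoted above, one named serves everything to everyone: prod1's 172.16.0.20 address and the 16.172/4.168.192 reverse zones are visible from the Internet, and the server recurses for any client that can reach port 53. BIND 9 views fix both: an "internal" view that recurses and carries the RFC 1918 data, and an "external" view that is authoritative only. Assumptions in this example: the zone files are kept as two copies under /var/named/internal and /var/named/external, ns1 at xx.yy.182.114 is the only secondary, and the xx.yy.182.x placeholders stay as in the post (replace them with real addresses before named will parse the file).

```conf
// Added example, not from the thread: split-DNS named.conf (BIND 9 views)
// for Internet <--> firewall <--> DMZ (172.16/16) and LAN (192.168.4/24).
// Paths under internal/ and external/ are an assumption of this example.

acl "internal" {
    127.0.0.0/8;
    172.16.0.0/16;      // DMZ
    192.168.4.0/24;     // LAN
};

options {
    directory "/var/named";
    // No query-source line: let named choose ephemeral source ports.
    // Forcing port 53 only helps with firewalls that cannot track UDP state.
};

include "/etc/rndc.key";
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

// Once views are used, every zone (hints included) must live inside a view.

// Inside: recursion on, RFC 1918 names and reverse zones visible.
view "internal" {
    match-clients { internal; };
    recursion yes;

    zone "." { type hint; file "db.cache"; };

    zone "MYDOMAIN.co.uk" {
        type master;
        file "internal/db.MYDOMAIN.co.uk";   // prod1 -> 172.16.0.20, LAN hosts, etc.
    };
    zone "16.172.in-addr.arpa"    { type master; file "internal/db.172.16"; };
    zone "4.168.192.in-addr.arpa" { type master; file "internal/db.192.168.4"; };
    zone "0.0.127.in-addr.arpa"   { type master; file "internal/db.127.0.0"; };
};

// Outside: authoritative only. No recursion, no hints, no RFC 1918 data.
view "external" {
    match-clients { any; };
    recursion no;

    zone "MYDOMAIN.co.uk" {
        type master;
        file "external/db.MYDOMAIN.co.uk";   // only xx.yy.182.x addresses
        allow-transfer { xx.yy.182.114; };   // ns1 only; assumed sole secondary
    };
};
```

The two copies of db.MYDOMAIN.co.uk share the SOA, NS and public A records; only the internal copy lists prod1 as 172.16.0.20 and the LAN hosts. Bump the serial in both when either changes. Check with `named-checkconf` before reloading, then query the same name from a LAN host and from outside the firewall: the internal answer for prod1.MYDOMAIN.co.uk should be 172.16.0.20 and the external one NXDOMAIN, and an external query for an unrelated name should be refused rather than recursed.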