Two DNS Servers inside a firewall

Kevin Darcy kcd at chrysler.com
Thu Sep 4 23:09:48 UTC 2008


OK, so is the *real* problem here that your authoritative zones can't be 
resolved from anywhere except the authoritative servers themselves?

Turn on query logging to see if the queries are even getting to the 
correct servers, and, if so, what view is being matched.

You mentioned "translation" in an earlier message, so I'm thinking you 
might have some NAT and/or PAT going on, in which case you might also 
want to capture or trace packets "to or from UDP port 53". There might 
be some surprising discoveries to be made there.

-Kevin

P.S. wizart1.com resolves for me, by the way, although it took over 3 
seconds on the first attempt.

ListAcc wrote:
> Chris,
>
> I have added 127.0.0.1 to the recursion list on both servers; nothing.
> Also if you nslookup from remote client computers you cannot resolve
> the domains either; it says DNS timeout....
>
> Chris Buxton wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> In the header of the response to the second 'dig' command, note the 
>> 'flags' section. The 'ra' flag is not present.
>>
>> In your named.conf, in the 'options' statement block, check your 
>> 'allow-recursion' statement. This is most likely the culprit. Your 
>> query is coming from 127.0.0.1, and that address is probably not 
>> listed in the allow-recursion ACL.
>>
>> Chris Buxton
>> Professional Services
>> Men & Mice
>>
>> On Sep 4, 2008, at 2:16 PM, ListAcc wrote:
>>
>>> Hello,
>>>
>>> For the life of me I cannot find the details of the problem:  I have
>>> two servers in question, both are authoritative/cache servers.  One
>>> server is auth for a few zones and the other one for a few zones due to
>>> a split hosting environment.  Running Bind 9.3.5-P2 and Bind 9.3.4-P1 on
>>> CentOS.  For this example I will identify them as server 1 and server
>>> 2.  Also I have checked the logs; nothing.
>>>
>>> Server 1 cannot resolve domains at Server 2 and vice versa.  It worked
>>> before; I am not sure what happened.  I thought it was the root hints, so I
>>> updated them, but that was not the culprit. When I issue a dig, here is the output:
>>>
>>>
>>> [root at server2 ~]# dig company.com
>>>
>>> ; <<>> DiG 9.3.4-P1 <<>> company.com
>>> ;; global options:  printcmd
>>> ;; connection timed out; no servers could be reached
>>>
>>>
>>> [root at server1 ~]# dig company2.com
>>>
>>> ; <<>> DiG 9.3.5-P2 <<>> company2.com
>>> ;; global options:  printcmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6067
>>> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 2
>>>
>>> ;; QUESTION SECTION:
>>> ;wizart1.com.                   IN      A
>>>
>>> ;; AUTHORITY SECTION:
>>> com.                    140357  IN      NS      j.gtld-servers.net.
>>> com.                    140357  IN      NS      k.gtld-servers.net.
>>> com.                    140357  IN      NS      l.gtld-servers.net.
>>> com.                    140357  IN      NS      m.gtld-servers.net.
>>> com.                    140357  IN      NS      a.gtld-servers.net.
>>> com.                    140357  IN      NS      b.gtld-servers.net.
>>> com.                    140357  IN      NS      c.gtld-servers.net.
>>> com.                    140357  IN      NS      d.gtld-servers.net.
>>> com.                    140357  IN      NS      e.gtld-servers.net.
>>> com.                    140357  IN      NS      f.gtld-servers.net.
>>> com.                    140357  IN      NS      g.gtld-servers.net.
>>> com.                    140357  IN      NS      h.gtld-servers.net.
>>> com.                    140357  IN      NS      i.gtld-servers.net.
>>>
>>> ;; ADDITIONAL SECTION:
>>> h.gtld-servers.net.     52569   IN      A       192.54.112.30
>>> m.gtld-servers.net.     108692  IN      A       192.55.83.30
>>>
>>> ;; Query time: 1 msec
>>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>>> ;; WHEN: Thu Sep  4 14:39:35 2008
>>> ;; MSG SIZE  rcvd: 285
>>>
>>>
>>> The zones have public IP addresses so the translation should work and
>>> resolve if using either server as a resolver.  Both servers will resolve
>>> the domains they are auth for and any other domain not hosted on the server,
>>> except the ones on each other's server, if this makes sense.
>>>
>>> Thanks in advance.
>>>
>>> Otis
>>>
>>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.8 (Darwin)
>>
>> iEYEARECAAYFAkjAVkAACgkQ0p/8Jp6Boi38VACfacM3feAJN/x3cmsF3dgRowhi
>> V4gAoJv9sz723/ZK2Z7HSY6KC5jfZEY/
>> =DT5y
>> -----END PGP SIGNATURE-----
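An added example, not code from this thread or from BIND itself: a small Python script that does the two checks discussed above. It reads the header flags of a dig answer like the second one Otis quoted and reports whether the server offered recursion ('ra'), which is the check Chris Buxton describes, and it tallies BIND query-log lines by the view they matched, which is what the query logging Kevin suggests is for. The dig text is constructed from the output quoted in the thread; the log lines, client addresses and view names are constructed, and their layout assumes BIND 9's query-log line format (`client <ip>#<port>: view <name>: query: <qname> <class> <type> <+|->...`).

```python
"""Check a dig header for the 'ra' flag and tally BIND query-log lines by view.

Added example, not code from the bind-users thread or from BIND itself.
The dig text is constructed from the output quoted in the thread; the
query-log lines are constructed, and their layout assumes (not taken from
the thread) the BIND 9 query-log format:
  client <ip>#<port>: [view <name>: ]query: <qname> <class> <type> <+|-><S><E><T><D><C> [(<addr>)]
where '+' means the client asked for recursion (RD) and '-' means it did not.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed from the second dig output quoted in the thread (server1 asking 127.0.0.1).
DIG_OUTPUT = """\
; <<>> DiG 9.3.5-P2 <<>> company2.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6067
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 2
"""

# Constructed query-log lines: hypothetical view names, documentation-range addresses.
QUERY_LOG = """\
04-Sep-2008 14:39:35.101 client 127.0.0.1#45123: view internal: query: company2.com IN A + (127.0.0.1)
04-Sep-2008 14:39:36.202 client 203.0.113.7#53: view external: query: company.com IN A - (198.51.100.5)
04-Sep-2008 14:39:37.303 client 127.0.0.1#45124: query: wizart1.com IN A +
""".splitlines()

FLAGS_RE = re.compile(r"^;; flags:\s*([a-z ]*);", re.MULTILINE)

QUERY_LOG_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+):"
    r"(?: view (?P<view>[^:]+):)?"
    r" query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[-+][SETDC]*)"
)


def dig_flags(output: str) -> set:
    """Return the header flags (qr, aa, rd, ra, ...) from dig's ';; flags:' line."""
    match = FLAGS_RE.search(output)
    if match is None:
        raise ValueError("no ';; flags:' line in dig output")
    return set(match.group(1).split())


def diagnose_recursion(output: str) -> str:
    """Classify a dig answer by what the server's flags say about recursion.

    'rd' is set by the client (dig does so by default); 'ra' is set by the
    server only when it is willing to recurse for this client. 'rd' without
    'ra' is the symptom in the thread: the server answered but would not
    recurse, so allow-recursion (or the matched view) is the thing to check.
    """
    flags = dig_flags(output)
    if "ra" in flags:
        return "recursive-ok"
    if "aa" in flags:
        return "authoritative-only"   # answered from local zone data, no recursion offered
    if "rd" in flags:
        return "recursion-refused"    # referral or empty answer; server declined to recurse
    return "non-recursive-query"      # client did not ask for recursion at all


def parse_query_log(lines) -> list:
    """Parse BIND query-log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        match = QUERY_LOG_RE.search(line)
        if match is None:
            continue
        records.append({
            "client": match.group("client"),
            "view": match.group("view") or "(no view)",
            "qname": match.group("qname"),
            "qtype": match.group("qtype"),
            "rd": match.group("flags").startswith("+"),
        })
    return records


def queries_by_view(lines) -> dict:
    """Count queries per matched view, so a client landing in the wrong view stands out."""
    return dict(Counter(rec["view"] for rec in parse_query_log(lines)))


if __name__ == "__main__":
    print("dig flags:", sorted(dig_flags(DIG_OUTPUT)), "->", diagnose_recursion(DIG_OUTPUT))
    for rec in parse_query_log(QUERY_LOG):
        print(rec)
    print("queries per view:", queries_by_view(QUERY_LOG))
```

Run against the quoted dig output it reports `recursion-refused`: the server answered with a referral to the gTLD servers but never set `ra`, which is exactly the allow-recursion symptom. Against real query logs, feed `queries_by_view` the lines for one client address; if its queries show up in a view whose `allow-recursion` does not include it, or in no view at all, the match-clients ordering or the ACL is where to look next.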
