
Guys I am hoping I can find help here.

I am having trouble setting up Authoritative-Only DNS Servers.

One server is a Cloud Virtual Server XL (master server and web server - has Plesk) the other one is Cloud Virtual Server S (slave server).

Please note that the servers have different IPs and aren't in the same range, but they are something like this: the XL Virtual Server (8X.1XX.1XX.2XX) and the S Virtual Server (9X.9X.2XX.9X).

I am aware that there are more types of DNS, but with some light reading and googling I figured Authoritative-Only are best for my use.

The current problem I am having is that my domains aren't getting through to my nameservers. I'm getting "server not found" on all of them; the main domain, however, is pointed correctly and resolves to the main machine.

The guide I used: https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-an-authoritative-only-dns-server-on-ubuntu-14-04.

I followed it word for word; the only part I left out is Reverse Zones (in-addr.arpa), as I am not sure how to proceed on those. However, I did set my hostnames and Reverse DNS in their control panel (1and1 Control Panel) to vps1.xxx.space and vps2.xxx.space (hopefully my hunch was on point on this one and that should be solved? - again, I am probably wrong).

My db.xxx.space file looks like this:

root@vps1:~# sudo nano /etc/bind/zones/db.xxx.space

; BIND data file for xxx.space
;
$TTL    604800
@       IN      SOA     ns1.xxx.space. admin.xxx.space. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
; Name Servers
xxx.space.  IN      NS      ns1.xxx.space.
xxx.space.  IN      NS      ns2.xxx.space.

; A records for name servers (glue; these must be A records, not NS records)
ns1     IN      A       8X.1XX.1XX.2XX
ns2     IN      A       9X.9X.2XX.9X

; other A records
@       IN      A       8X.1XX.1XX.2XX
www     IN      A       8X.1XX.1XX.2XX
vps1.xxx.space.     IN      A       8X.1XX.1XX.2XX
vps2.xxx.space.     IN      A       9X.9X.2XX.9X
xxx.space.  IN      MX      10      mail.xxx.space.
mail.xxx.space.     IN      A       8X.1XX.1XX.2XX
; www already has an A record above; a "www.xxx.space. IN CNAME xxx.space."
; at the same name would be rejected by named-checkzone ("CNAME and other data")

My /etc/bind/named.conf.local file (master):

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "xxx.space" {
        type master;
        file "/etc/bind/zones/db.xxx.space";
        allow-transfer { 9X.9X.2XX.9X; };
};

My /etc/bind/named.conf.options file:

options {
        directory "/var/cache/bind";

        recursion no;
        allow-transfer { none; };

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

My /etc/bind/named.conf file:

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

My /etc/bind/named.conf.local (slave) file:

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "xxx.space" {
        type slave;
        file "slaves/db.xxx.space";
        masters { 8X.1XX.1XX.2XX; }; # ns1 (master) public IP
};

My advanced DNS settings for the main domain (xxx.space) that is supposed to have nameservers: [screenshot: Advanced DNS panel at namecheap.com]

Rest of the domains have their custom name servers option set and point to the ns1.xxx.space and ns2.xxx.space nameservers.

I registered the name servers with namecheap.com as well, through the advanced DNS panel!

My Plesk DNS configuration: [Plesk screenshot]

If you have any more questions feel free to ask.

Misc information:

  • All domains are hosted (except a few - not working as well) at namecheap.com
  • Servers are hosted at 1and1.com - Germany
  • Everything on the servers is up to date. (BIND etc.)
  • Servers are running Ubuntu 16.04

My questions:

  • What could be causing these issues for me?
  • Could there be an issue because I am using IPs that aren't in the same range?
  • How should I address Reverse Zones for two single IPs in the files?

I appreciate any help, suggestions or pointers!

steviss
    This is way too long. Please clearly and succinctly state your question, and put it in the title too. – Andrew Schulman Apr 03 '18 at 15:21
  • Thanks for the tip. Reduced the unnecessary information. Hopefully it's clearer now. – steviss Apr 03 '18 at 15:31
  • You show an image from NameCheap where you have configured various DNS RRs. Are you trying to use NameCheap to host your DNS, or are you trying to have your Ubuntu servers host the DNS? Also, you should post your `bind` configuration, like `named.conf`, `named.conf.options`, etc. – Andrew Apr 03 '18 at 15:38
  • Thanks for commenting, the configuration is the same as per the guide for named.conf and named.conf.options. But I will add them as soon as I am home. Only the main domain is hosted on namecheap and that's the picture I posted, the configuration for it. To clarify, I am trying to make my Ubuntu servers host everything, but as per my understanding of the guide the main domain should be hosted at namecheap? Or am I wrong? – steviss Apr 03 '18 at 15:44
  • I've added the files you mentioned. If some more are needed feel free to tell me, I'll add them. – steviss Apr 03 '18 at 16:28
  • Another DNS question that has omitted or obfuscated the domain name. How do you think we're going to help you? The problem COULD LITERALLY BE ANYTHING. Do yourself and us a favor and provide the domain name so that we can actually, you know, check DNS for ourselves. – joeqwerty Apr 03 '18 at 18:06
  • Please avoid useless obfuscation, and if you absolutely need to use it, do not obfuscate like you did but use data from RFC2606 and 5737/3849. But as @joeqwerty said, if you want relevant and quick help, you need to provide all data without obfuscation, specifically with a post as long as yours (I was unable to read it to its end because of the obfuscation). – Patrick Mevzek Apr 05 '18 at 02:50
  • Also you have online testing tools: https://zonemaster.net/ and https://dnsviz.net/ – Patrick Mevzek Apr 05 '18 at 02:53
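An added example, not from the question or the DigitalOcean guide it follows: a small zone-file linter in Python that catches the defects in the db file as originally posted (NS records whose data is an IP address, and a CNAME at a name that also carries other records, which named-checkzone rejects as "CNAME and other data"), plus a missing apex SOA and an in-zone NS name without an address record. The sample zone is a constructed copy of the posted file with the origin replaced by example.com and the obfuscated addresses by RFC 5737 documentation addresses; those substitutions are assumptions, not the poster's data.

```python
import ipaddress

# Constructed sample modelled on the zone file in the question; origin is
# replaced by example.com and the addresses by RFC 5737 documentation
# addresses (assumptions, not the poster's real data).
SAMPLE_ZONE = """\
$TTL    604800
@       IN      SOA     ns1.example.com. admin.example.com. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
; Name Servers
example.com.  IN      NS      ns1.example.com.
example.com.  IN      NS      ns2.example.com.
; "A records for name servers", but typed NS as in the question
ns1     IN      NS      192.0.2.10
ns2     IN      NS      198.51.100.20
; other records
@       IN      A       192.0.2.10
www     IN      A       192.0.2.10
ns1.example.com.    IN      A       192.0.2.10
ns2.example.com.    IN      A       198.51.100.20
www.example.com.    IN      CNAME   example.com.
"""

RRTYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "TXT", "PTR", "SRV"}


def _absolute(name, origin):
    """Qualify a relative owner name or target against the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal master-file parser: strips ';' comments, joins records that span
    lines inside ( ), honours $ORIGIN and relative names, and returns
    (owner, type, rdata_fields) tuples with every name fully qualified."""
    if not origin.endswith("."):
        origin += "."
    records, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:          # still inside a parenthesised record
            continue
        logical, buf = " ".join(buf), []
        fields = logical.replace("(", " ").replace(")", " ").split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            continue
        # An owner name is present only when the record starts in column 0;
        # otherwise it belongs to the previous owner.
        if logical[0].isspace():
            owner = records[-1][0] if records else origin
        else:
            owner = fields.pop(0)
        while fields and fields[0].upper() not in RRTYPES:   # skip TTL/class
            fields.pop(0)
        if not fields:
            raise ValueError(f"unparseable record: {logical!r}")
        rtype = fields.pop(0).upper()
        records.append((_absolute(owner, origin), rtype, fields))
    return records


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def lint_zone(records, origin):
    """Return the problems that stop BIND loading the zone or break delegation."""
    if not origin.endswith("."):
        origin += "."
    problems = []
    if not any(o == origin and t == "SOA" for o, t, _ in records):
        problems.append("missing SOA at zone apex")
    types_at = {}
    for owner, rtype, rdata in records:
        types_at.setdefault(owner, set()).add(rtype)
        if rtype == "NS" and _is_ip(rdata[0]):
            problems.append(f"{owner} NS rdata is an IP address ({rdata[0]}); "
                            "NS must name a host, use an A record here")
    for owner, types in types_at.items():
        if "CNAME" in types and len(types) > 1:
            others = ", ".join(sorted(types - {"CNAME"}))
            problems.append(f"{owner} has CNAME and other data ({others})")
    # Nameservers named inside the zone need an address record in it (glue).
    for owner, rtype, rdata in records:
        target = rdata[0]
        if rtype == "NS" and owner == origin and target.endswith("." + origin):
            if not any(o == target and t in ("A", "AAAA") for o, t, _ in records):
                problems.append(f"{target} is listed as NS but has no A/AAAA record")
    return problems
```

Run it against the real file with `lint_zone(parse_zone(open("/etc/bind/zones/db.xxx.space").read(), "xxx.space"), "xxx.space")`. It complements, and does not replace, `named-checkzone xxx.space /etc/bind/zones/db.xxx.space` and `named-checkconf`, both of which should be run before `rndc reload`.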

2 Answers


Troubleshoot the problem properly. Start at the bottom: for your NS servers to serve records for your domain, the domain in question needs to list them.

Perform a whois on example.com, what NS servers are listed? If they're correct, move to the next step.

Are your NS servers' hostnames at example.com as well (the domain you're trying to be authoritative for)? Then you need glue records. Are those working? Test them.

If it's a .com domain, for example

$ dig +short com. NS
a.gtld-servers.net.
i.gtld-servers.net.
m.gtld-servers.net.
k.gtld-servers.net.
l.gtld-servers.net.
g.gtld-servers.net.
e.gtld-servers.net.
h.gtld-servers.net.
j.gtld-servers.net.
c.gtld-servers.net.
d.gtld-servers.net.
f.gtld-servers.net.
b.gtld-servers.net.

$ dig +norec @h.gtld-servers.net. example.com NS
...
;; QUESTION SECTION:
;example.com.            IN  NS

;; AUTHORITY SECTION:
example.com.     172800  IN  NS  ns1.example.com.
example.com.     172800  IN  NS  ns2.example.com.

;; ADDITIONAL SECTION:
ns1.example.com. 172800  IN  A   10.10.10.1
ns2.example.com. 172800  IN  A   10.10.10.2

If the hostname of your NS servers is not on the same domain you're being authoritative for, then test those records and see that they resolve.

If your glue exists, or your NS hostnames resolve correctly, then can the outside world actually talk to your NS servers? Query them directly from an outside host you haven't made special accommodations for.

dig @ns1.example.net example.com

By this point I'm going to assume you've encountered a problem because judging by the content of your db file, unless you've left information out - it looks incorrect as it's missing an SOA.

Patrick Mevzek
brent
  • Thanks for your reply, man. The domain I'm using as the main domain is xxx.space, so it's a .space domain. The xxx.space is now finally directing towards the VPS. In regards to the test you mentioned using `dig +norec @h.gtld-servers.net. yourdomain.com NS`, I get this [response](https://pastebin.com/VM6uvFWx); as for the `dig @ns1.yourotherdomain.com yourdomain.com`, I get a `dig: couldn't get address for 'ns1.myotherdomain.com': failure`. Sorry, I did leave out the SOA accidentally. I've added it now, as well as some of the files @Andrew mentioned I should add. – steviss Apr 03 '18 at 16:38
  • Read the commands I wrote - you should be replacing information with ones relevant to yourself where applicable. I wouldn't recommend running a publicly accessible NS server yourself if you're having this kind of trouble. Badly configured nameservers are the bane of many service providers who have to suffer through DoS attacks originating from them. Play with things on private networks. – brent Apr 03 '18 at 17:34
  • I understand your concern. I did replace everything where it's applicable. Therefore I am not willing to post any of my information publicly, exactly because I am having this kind of trouble (hence I am removing most of it and placing dummy content instead of it). I am just telling you the results of the queries I am having, hoping that you can give me the right pointers in order to solve the problem. – steviss Apr 03 '18 at 17:52
  • whois is not a tool to test DNS issues, never start from there – Patrick Mevzek Apr 05 '18 at 02:49
  • Not all domain names use glue; in fact it is a minority. – Patrick Mevzek Apr 05 '18 at 02:53
  • @steviss If you did provide the domain name, people would be able to give you relevant information. **Of course** `dig +norec @h.gtld-servers.net.` will not work for your `.space` domain since these nameservers are authoritative for `.COM` and `.NET` TLD and **NOT** for `.SPACE`. `dig NS space.` will show you the ones authoritative for .SPACE. – Patrick Mevzek Apr 05 '18 at 02:55
  • "Therefore I am not willing to post any of my information publicly exactly because I am having this kind of trouble. (hance I am removing most of it and placing dummy content instead of it)." this is a bad idea and very selfish too. Bad idea for you since you will not get correct help and you obviously do not understand the basics of DNS so people can not help you in the blind. Selfish because this website is not there just to answer your problem but to build a Q&A database that can be useful in the future for other people having the same problem... – Patrick Mevzek Apr 05 '18 at 02:57
  • whois is a tool that gives you an easy way to determine a domain's nameservers. It's simpler than explaining how someone can query the root NS for a TLD, and simpler still than figuring out just who the registrar for a domain is and how to check the configuration in their management panel. I recommended it as the first step since it will immediately point to an issue (e.g., their domain still uses their registrar's NS), before going on to explain more involved troubleshooting steps. – brent Apr 05 '18 at 17:01
  • I thought I was clear as well about the situation when glue is involved - when the authoritative NS for a domain is on the same domain. e.g., example.com's authoritative NS is ns1.example.com. It's a loop, thus needs glue. – brent Apr 05 '18 at 17:02
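An added example, not part of brent's answer: a Python classifier for the output of the `dig +norec @<tld-server> <domain> NS` step. It reads the status and flags, the NS set in the AUTHORITY section (or, when one of the zone's own servers is queried and answers authoritatively, in the ANSWER section) and any glue in ADDITIONAL, then reports whether the delegation exists and whether in-bailiwick nameservers have the glue they need. The dig transcripts are constructed, not real captures: the delegated case mirrors the answer's, the REFUSED case is what a .com/.net server returns for a domain under a TLD it does not serve (the point made in Patrick Mevzek's comment about .space), and the addresses are RFC 5737.

```python
import re

# Constructed dig transcripts (not real captures); addresses are RFC 5737.
DELEGATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;example.com.            IN  NS

;; AUTHORITY SECTION:
example.com.     172800  IN  NS  ns1.example.com.
example.com.     172800  IN  NS  ns2.example.com.

;; ADDITIONAL SECTION:
ns1.example.com. 172800  IN  A   192.0.2.10
ns2.example.com. 172800  IN  A   198.51.100.20
"""

# Same delegation, but one in-bailiwick NS has no glue: resolvers cannot reach it.
MISSING_GLUE = DELEGATED.replace("ns2.example.com. 172800  IN  A   198.51.100.20\n", "")

# A TLD server asked about a name under a TLD it does not serve.
REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;example.space.           IN  NS
"""

# Nameservers outside the zone: no glue needed, their names resolve elsewhere.
OUT_OF_BAILIWICK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;example.com.            IN  NS

;; AUTHORITY SECTION:
example.com.     172800  IN  NS  ns1.example.net.
example.com.     172800  IN  NS  ns2.example.net.
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")


def parse_dig(text):
    """Split a dig transcript into (status, flags, {section: [(owner, type, rdata)]})."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = re.search(r"flags: ([^;]*);", text).group(1).split()
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current and not line.startswith(";"):
            rr = RR.match(line)
            if rr:
                owner, _ttl, rtype, rdata = rr.groups()
                sections[current].append((owner.lower(), rtype, rdata.lower()))
    return status, flags, sections


def check_delegation(text, domain):
    """Decide from a server's reply whether 'domain' is delegated and, for
    nameservers inside the domain, whether glue is present."""
    if not domain.endswith("."):
        domain += "."
    status, flags, sections = parse_dig(text)
    result = {"status": status, "delegated": False, "nameservers": [], "missing_glue": []}
    if status == "REFUSED":
        result["note"] = "server is not authoritative for this TLD; find the right ones with: dig NS <tld>."
        return result
    if status != "NOERROR":
        result["note"] = f"no delegation ({status}): check the NS set at the registrar"
        return result
    # A referral carries the NS set in AUTHORITY; an authoritative answer (aa) in ANSWER.
    ns_set = [rd for o, t, rd in sections.get("AUTHORITY", []) if o == domain and t == "NS"]
    if "aa" in flags and not ns_set:
        ns_set = [rd for o, t, rd in sections.get("ANSWER", []) if o == domain and t == "NS"]
    glue = {o for o, t, _ in sections.get("ADDITIONAL", []) if t in ("A", "AAAA")}
    result["nameservers"] = ns_set
    result["delegated"] = bool(ns_set)
    result["missing_glue"] = [ns for ns in ns_set if ns.endswith("." + domain) and ns not in glue]
    if not ns_set:
        result["note"] = "NOERROR but no NS records: the name exists at the registry but is not delegated"
    return result
```

Feed it the saved output of the dig command (`dig +norec @<tld-server> <domain> NS > referral.txt`, then `check_delegation(open("referral.txt").read(), "<domain>")`). A `REFUSED` result means the wrong TLD servers were asked; an empty `nameservers` list means the registrar has not published the delegation; a non-empty `missing_glue` list names the in-zone servers the registrar still needs addresses for.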

So, guys, I solved the problem myself (a couple of days after posting here).

1and1 started offering a hardware-based firewall with its cloud-based servers. My configurations were correct and everything was set up correctly server-side, but no ports were allowed through.

After allowing them manually the server started working flawlessly.

You can set this up by going into your 1and1 control panel, selecting your server (under "Contract and Product Overview"), then "Select Product", then "Servers & Cloud" and select the server you want to edit.

When the other panel opens up, select "Networking" and then "Firewall Policies"; there you can modify/create your firewall policies. When you enter the configurations you also have predefined values there as well, so you won't have to google ports etc.

This fixed all my server issues and the DNS issues.

Also, thank you for all the help, some of the comments helped a lot.

steviss
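An added example, not part of the answer above: a Python probe for the failure mode described there, a provider firewall in front of a correctly configured BIND. It builds a minimal DNS SOA query for the zone with the recursion-desired bit clear (what an authoritative-only server is expected to answer), sends it over UDP 53 and over TCP 53 with the two-byte length prefix, and decodes each response header. Both transports matter for this setup: ordinary lookups arrive over UDP, while the zone transfer from master to slave (AXFR) and any truncated answer use TCP, so the policy on the master must allow TCP 53 from the slave's address as well. The zone name and server address are placeholders (example.com, RFC 5737), and the two reply headers at the bottom are constructed, not captured.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=6, txid=0x1234):
    """12-byte header + one question. qtype 6 = SOA. Flags are 0, so RD is
    clear: an authoritative server must answer from its own data."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(resp):
    """Decode the header. A correct authoritative reply has qr=1, aa=1,
    rcode NOERROR and at least one answer record."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise OSError("connection closed before the full DNS message arrived")
        data += chunk
    return data


def probe(server, qname, timeout=3.0):
    """Query UDP 53 and TCP 53 separately. A port the firewall drops shows up
    as a timeout (UDP) or a connection error (TCP); a reachable server that is
    not configured for the zone answers REFUSED."""
    query = build_query(qname)
    results = {}
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            data, _ = s.recvfrom(4096)
            results["udp"] = parse_header(data)
    except OSError as e:
        results["udp"] = f"error: {e}"
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)   # TCP length prefix
            length = struct.unpack("!H", _recv_exact(s, 2))[0]
            results["tcp"] = parse_header(_recv_exact(s, length))
    except OSError as e:
        results["tcp"] = f"error: {e}"
    return results


# Constructed reply headers (not captured traffic):
# qr=1, aa=1, rcode=0, one answer: a reachable, correctly configured master.
SAMPLE_AUTH_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
# qr=1, aa=0, rcode=5: reachable, but the server does not serve the zone.
SAMPLE_REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)

if __name__ == "__main__":
    # Placeholder address (RFC 5737); use your master's public IP and run
    # from a host outside the provider's network.
    print(probe("192.0.2.10", "example.com"))
```

Run it once from outside against each nameserver's public address; a UDP timeout with a working TCP answer (or the reverse) points straight at the firewall policy, and the slave should additionally be checked the other way round, since it must be able to reach the master on TCP 53 for the transfer.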