Problems with nameservers

stefanfr (Verified User, joined Oct 6, 2017, 6 messages)
Hello,

I'm trying to set up 2 nameservers for DirectAdmin, but the second one is constantly refusing according to intodns:
https://intodns.com/aquariummanager.nl

I've set up my second DNS without DirectAdmin, and the transfer from DirectAdmin to the slave is working correctly.
Also, when I test the connection with "dig ns1.hostplus.nl aquariummanager.nl A" and "dig ns2.hostplus.nl aquariummanager.nl A" I get the same results, "NOERROR":
Code:
NS1 (Directadmin):

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> ns1.hostplus.nl aquariummanager.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8782
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.hostplus.nl.               IN      A

;; ANSWER SECTION:
ns1.hostplus.nl.        283     IN      A       37.97.142.3

;; Query time: 0 msec
;; SERVER: 2a01:7c8:a::c53#53(2a01:7c8:a::c53)
;; WHEN: Mon Oct 09 21:27:33 CEST 2017
;; MSG SIZE  rcvd: 60

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2044
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;aquariummanager.nl.            IN      A

;; ANSWER SECTION:
aquariummanager.nl.     285     IN      A       37.97.142.3

;; AUTHORITY SECTION:
aquariummanager.nl.     285     IN      NS      ns1.hostplus.nl.
aquariummanager.nl.     285     IN      NS      ns2.hostplus.nl.

;; Query time: 0 msec
;; SERVER: 2a01:7c8:a::c53#53(2a01:7c8:a::c53)
;; WHEN: Mon Oct 09 21:27:33 CEST 2017
;; MSG SIZE  rcvd: 108

NS2:
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> ns2.hostplus.nl aquariummanager.nl
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58039
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns2.hostplus.nl.               IN      A

;; ANSWER SECTION:
ns2.hostplus.nl.        300     IN      A       136.144.154.17

;; Query time: 1 msec
;; SERVER: 2a01:7c8:a::c53#53(2a01:7c8:a::c53)
;; WHEN: Mon Oct 09 21:28:21 CEST 2017
;; MSG SIZE  rcvd: 60

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54066
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;aquariummanager.nl.            IN      A

;; ANSWER SECTION:
aquariummanager.nl.     237     IN      A       37.97.142.3

;; AUTHORITY SECTION:
aquariummanager.nl.     237     IN      NS      ns1.hostplus.nl.
aquariummanager.nl.     237     IN      NS      ns2.hostplus.nl.

;; Query time: 0 msec
;; SERVER: 2a01:7c8:a::c53#53(2a01:7c8:a::c53)
;; WHEN: Mon Oct 09 21:28:21 CEST 2017
;; MSG SIZE  rcvd: 108


And because of the dig results I assume my named.conf is also correctly set up:
Code:
NS1 (Directadmin):

options {
        //listen-on port 53 { 127.0.0.1; };

        //listen-on-v6 port 53 { ::1; 2a01:7c8:fff7:3 };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursion no;

        //allow-query     { localhost; 37.97.142.0/24; };

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "aquariummanager.nl" { type master; file "/var/named/aquariummanager.nl.db"; };

NS2:
options {
        listen-on port 53 { 127.0.0.1; 136.144.154.17; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        //allow-query     { localhost; 37.97.142.3; };

        allow-recursion { 127.0.0.1; 37.97.142.3; 136.144.154.17; };
        //recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "aquariummanager.nl" { type slave; file "/var/named/slaves/aquariummanager.nl.db"; masters { 37.97.142.3; }; };

Is there something I missed, or is there some other problem?
And yes, my ports are open, 53 UDP and TCP.
 
Hello,

Also when I test the connection with "dig ns1.hostplus.nl aquariummanager.nl A" and "dig ns2.hostplus.nl aquariummanager.nl A" I get the same results "NOERROR":


When you're running dig you're not doing it correctly... you're missing the @ sign if you want to send your query to a specific NS.

The second NS does not respond:

Code:
$ dig SOA aquariummanager.nl @136.144.154.17

; <<>> DiG 9.11.0-P2 <<>> SOA aquariummanager.nl @136.144.154.17
;; global options: +cmd
;; connection timed out; no servers could be reached

telnet goes fine:

Code:
$ telnet ns2.hostplus.nl 53
Trying 136.144.154.17...
Connected to ns2.hostplus.nl.
Escape character is '^]'.

You should check the named logs, and make sure /var/named/slaves/aquariummanager.nl.db exists. And what about allow-transfer (http://www.zytrax.com/books/dns/ch7/xfer.html#allow-transfer)?
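As an added example (not code from the thread or from DirectAdmin), a stdlib-only Python probe that does what the reply above describes: it sends an SOA query for the zone straight to one server, over UDP or TCP, so a server that accepts the TCP handshake (as the telnet test shows) but never answers over UDP stands out, and ns2's serial can be compared with ns1's to confirm the slave has actually transferred the zone. The zone name and server addresses are the ones from the thread; the query id 0x1234 and the 3 second timeout are assumptions.

```python
import socket
import struct
QTYPE_SOA = 6

def build_query(zone, qid=0x1234):
    # Standard query for the zone's SOA with RD clear, like `dig +norecurse SOA zone @ns`.
    labels = b"".join(bytes([len(l)]) + l.encode() for l in zone.rstrip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", QTYPE_SOA, 1)

def skip_name(msg, off):
    while True:  # walk labels until the root byte or a two-byte compression pointer
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def parse_response(msg):
    # RCODE, AA flag and the SOA serial (None when there is no SOA answer) from a reply.
    _, flags, _, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    res = {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "serial": None}
    off = skip_name(msg, 12) + 4  # past the single echoed question (name, QTYPE, QCLASS)
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SOA:
            p = skip_name(msg, skip_name(msg, off))  # skip MNAME and RNAME
            res["serial"] = struct.unpack(">I", msg[p:p + 4])[0]
        off += rdlen
    return res

def probe(ns_ip, zone, tcp=False, timeout=3.0):
    # Ask one server directly; a UDP timeout beside a clean TCP answer points at UDP/53 being dropped.
    q = build_query(zone)
    try:
        if tcp:
            with socket.create_connection((ns_ip, 53), timeout=timeout) as s:
                s.sendall(struct.pack(">H", len(q)) + q)  # TCP prefixes each message with its length
                f = s.makefile("rb")
                data = f.read(struct.unpack(">H", f.read(2))[0])
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (ns_ip, 53))
                data = s.recv(4096)
        return parse_response(data)
    except OSError as e:
        return {"error": str(e)}
```

Run `probe("136.144.154.17", "aquariummanager.nl")` and again with `tcp=True`, then the same against 37.97.142.3: an `error` with a timeout on UDP next to an `aa: True` answer on TCP is the firewall symptom from this thread, and a serial on ns2 that differs from ns1's means the slave has not picked up the zone.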
 
Thanks for your reply.

That explains a lot about why I couldn't find out what the problem was.
The documentation is very helpful and I will look into it.

The file /var/named/slaves/aquariummanager.nl.db does exist with the correct values.

I'll try to fix my problem later today following the documentation.
Hopefully without any more problems.
 
Setting up master/slave is a lot of work and needs a good look into the configuration.

You might consider running Directslave on your non-DA server. Makes life lots easier, does not need the allow-transfer line because it can work with DA's own multiserver setup, just as if you had 2 DA servers. There is a thread on the forums here about it.
 
I've tried DirectSlave,
but had the same results.

Turns out that it isn't a settings problem...
It had something to do with my firewall.
Turned it off and it was working.
Disabled it, installed iptables and set the rules.
Now all is working.
I'm considering changing back to DirectSlave now.
Now I'm using an ssh method shown elsewhere on this forum.

Any suggestions which is better?
 
You should choose on your own depending on your knowledge, skills and free time. Both are fine. Both have their fans.
 
I see my last post isn't posted...

I tried to disable the firewall, and at that point everything was working properly.
I was using CentOS 7 with its standard firewall, but somehow it wouldn't let me open port 53, so I disabled it and am using iptables now instead.

Almost like plug and play just adding some rules and everything is working accordingly.

@Richard: I've tried setting up DirectSlave but it didn't work for me (stupid me, it was the firewall).

I'm now using an ssh method:
adding a rule on DirectAdmin -> handle with a custom script, ssh transport of the DNS file.

I'm not sure what the best method is for transferring DNS records.
DirectSlave uses http (API) to send the DNS records; is this a safe method?
Current method: my master has ssh root access to the second server.

Or is there another magical method to transfer DNS records that I'm currently not aware of?
 