DNS Oddity

l0rdphi1 (Verified User, joined Jun 22, 2003, 1,471 messages)
Since I've started using DirectAdmin a few months ago it has slowly come to my attention that there is a flaw of some kind in how DA sets up the named files. Simply put: DA needs to register A records for each nameserver on each domain.

The root servers cannot be trusted to return the correct IPs.

I've had over 10 people complain about getting dns timeout errors when trying to connect to my hosted sites, and I believe it to be from the above flaw.

Hopefully this will be the end of my troubles with timeouts. :)

Thanks,

Phi1.
 
I'm having the same issue. I've been working with it for the last day.

Any answers would be appreciated. :)

Aaron
 
l0rdphi1 said:
Here's an example of what I mean (I think): http://www.dnsstuff.com/tools/dnstime.ch?name=tokyolounge.com&type=A

Most likely first try that'll "Couldn't resolve DNS server name", but keep refreshing, and eventually a root server that knows it will reply correctly with 65.60.32.140, my IP.
The gtld servers should have records for your nameservers. The only way you'll get them is if you or your client registers them with the same registrar that registered the domain name.

That's the only way it can be done, and it cannot be automated by DA because every registrar does it differently.

If you've got more than one or two domains, it can be a lot of work.

Personally I think it's wrong in most circumstances for domains to have their own nameservers, i.e., for example.com to have ns1.example.com and ns2.example.com.

If example.com were hosted with us on our new DA system, we'd tell the client to use ns1.ns-one.net and ns2.ns-one.net (ns-one.net being the generic nameserver domain we set up a bit over four years ago to give some anonymity to our DNS hosting (we use my name and home address and home contact information in the whois record)).

(Over the next few days I'll be updating the telephone numbers since we no longer have the two phone numbers in the record, and I'll be pointing ns1 to our new DNS server in Texas, and ns2 to the new DA system.)

This works best because if and when you change DNS servers you only have to change two records with one registrar and in one zone file.

FWIW, anyway. :p .

Jeff
 
What I meant is that each DA hosted domain needs an A record for the server's nameservers.

For example, if I hosted the domain cheese.com, the records should look like:
cheese.com. A IN 7200 65.60.32.140

cheese.com. NS IN 7200 ns1.liquenox.net.
cheese.com. NS IN 7200 ns2.liquenox.net.

ns1.liquenox.net. A IN 7200 65.60.32.140
ns2.liquenox.net. A IN 7200 65.60.32.141

But unfortunately right now they look like the following.
cheese.com. A IN 14400 65.60.32.140

cheese.com. NS IN 14400 ns1.liquenox.net.
cheese.com. NS IN 14400 ns2.liquenox.net.

Thanks :)
 
l0rdphi1 said:
What I meant is that each DA hosted domain needs an A record for the server's nameservers.

For example, if I hosted the domain cheese.com, the records should look like:
cheese.com. A IN 7200 65.60.32.140

cheese.com. NS IN 7200 ns1.liquenox.net.
cheese.com. NS IN 7200 ns2.liquenox.net.

ns1.liquenox.net. A IN 7200 65.60.32.140
ns2.liquenox.net. A IN 7200 65.60.32.141

No, they shouldn't. The A records for ns1.liquenox.net and for ns2.liquenox.net only belong in the zone file for liquenox.net.

If you're putting them into the zone file for cheese.com, you may end up with problems loading the entire cheese.com zone file.

A records only belong in the proper zone file.

The NS records for cheese.com do belong in the cheese.com zone file, and the A records for ns1.liquenox.net and for ns2.liquenox.net belong in the zone file for liquenox.net. And only in that zone file.

Reference: "DNS for Dummies" (hey, it's as good as any :) ).

But unfortunately right now they look like the following.
cheese.com. A IN 14400 65.60.32.140

cheese.com. NS IN 14400 ns1.liquenox.net.
cheese.com. NS IN 14400 ns2.liquenox.net.
Which is correct.

But what about the A record for www.cheese.com? If that's missing you will have problems with timeouts and failures to connect.

Please show me real domain names you really host, so I can run some tests.

Thanks.

Jeff
 
When it's done like that you're trusting the root servers to return the correct IPs for your name servers, aren't you? If not, how do they know what your name server IPs are?

I gave an example of a domain I host up above, tokyolounge.com:
Here's an example of what I mean (I think): http://www.dnsstuff.com/tools/dnstime.ch?name=tokyolounge.com&type=A

Most likely first try that'll "Couldn't resolve DNS server name", but keep refreshing, and eventually a root server that knows it will reply correctly with 65.60.32.140, my IP.
liquefyr.com and liquenox.com are other domains hosted too. Another thing I noticed was that even when all our hosted domains don't work, the person can always access liquenox.net.
 
Since you used an obvious non-owned domain in one of your examples I didn't know if the others were really yours or not, though I guessed they were.

Actually right now you're not doing too bad according to:

http://www.dnsreport.com/tools/dnsreport.ch?domain=tokyolounge.com

Is it possible the server you're using for your tests is having connectivity problems?

It still shows timeout problems, but here's what my dig of your nameserver just returned:


[admin admin]$ dig @ns2.liquenox.net tokyolounge.com

; <<>> DiG 8.3 <<>> @ns2.liquenox.net tokyolounge.com
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUERY SECTION:
;; tokyolounge.com, type = A, class = IN

;; ANSWER SECTION:
tokyolounge.com. 4H IN A 65.60.32.140

;; AUTHORITY SECTION:
tokyolounge.com. 4H IN NS ns1.liquenox.net.
tokyolounge.com. 4H IN NS ns2.liquenox.net.

;; Total query time: 17 msec
;; FROM: joshua.nobaloney.net to SERVER: ns2.liquenox.net 65.60.32.141
;; WHEN: Thu Aug 14 19:30:31 2003
;; MSG SIZE sent: 33 rcvd: 97

[admin admin]$

I just ran the dig about 30 times; I got several total times of 3 ms, and one of 57 ms; the rest were all between 16 ms and 22 ms. Which is good.

You didn't answer my point about www.tokyolounge.com but yes, you do have records for it.

I don't think it can be an issue with DA; all DA does is create the records. And based on what you told me, the only real problem you have is incorrect A records (for nameservers from different top level domains) in your zone files.

So, again, if you really have A records for your nameserver domain (ns?.liquenox.net) in all your domain zone files, I believe you should take them out; they don't belong there and they can cause problems.

You can find some additional great tests at:

http://www.dnsstuff.com/

This is my favorite portal for DNS tests :) .

Jeff
 
My point was that DA is not creating the proper records to make domains resolve flawlessly. I am not, to my knowledge, having connectivity problems, as other people, including myself, have no trouble whatsoever accessing my hosted domains.

As far as I understand, and according to a friend of mine, under the "ADDITIONAL SECTION" of dig for every hosted domain there should be two A records for the server's nameservers. It appears cPanel works in this fashion too.

I'm just trying to fix the timeout problems, nothing more.
 
You're right; they're not there; I'm sorry I missed them previously, but I've got a lot on my plate today (still working 10:18 pm) and I just missed that :( .

Can you shell into your system and either show us the zone file here or send it to me in an email?

It should be at /etc/named/tokyolounge.com.

But...
the records, though returned by dig, are NOT in the zone file.

For example, here's the "dig" of my own domain:


[admin admin]$ dig @ns1.ns-one.net nobaloney.net

; <<>> DiG 8.3 <<>> @ns1.ns-one.net nobaloney.net
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;; nobaloney.net, type = A, class = IN

;; ANSWER SECTION:
nobaloney.net. 10M IN A 65.58.240.153

;; AUTHORITY SECTION:
nobaloney.net. 10M IN NS ns1.ns-one.net.
nobaloney.net. 10M IN NS ns2.ns-one.net.

;; ADDITIONAL SECTION:
ns1.ns-one.net. 10M IN A 65.58.240.153
ns2.ns-one.net. 10M IN A 63.246.10.128

;; Total query time: 8 msec
;; FROM: joshua.nobaloney.net to SERVER: ns1.ns-one.net 65.58.240.153
;; WHEN: Thu Aug 14 22:22:48 2003
;; MSG SIZE sent: 31 rcvd: 122

and here's a copy of the zone file (spaced incorrectly because the "list" vbCode command doesn't work for leading spaces :( ):


[admin joshua]$ cat db.nobaloney.net
; db.nobaloney.net
@ 600 IN SOA ns1.ns-one.net. hostmaster.ns-one.net. (
2003081101 10800 1800 172800 600 )
600 IN NS ns1.ns-one.net.
600 IN NS ns2.ns-one.net.

600 IN A 65.58.240.153
www 600 IN A 65.58.240.153
ftp 600 IN CNAME www

@ 600 IN MX 10 mail

(Note I removed some unnecessary lines to make it easy to read, but I didn't remove any A records for the nameservers.)

When I get your zone file I'll study it, and if necessary pass it on to the gurus who wrote bind (they manage a support list for it, frequented by none other than Cricket Liu; he's the co-author of the "DNS and Bind" book).

If I can't see the problem myself and have to pass it on, I'll need your permission, since they'll only help if we post real information.

But if you'd like, I'll be happy to study it for you and see what I can see.

Jeff
 
Here's the zone file for liquefyr.com (all the domains have this problem) as generated by DA:
[root@server1 named]# cat liquefyr.com.db

$TTL 0
@ IN SOA ns1.liquenox.net. root.ns1.liquenox.net. (
1060837504
7200
3600
1209600
86400 )

liquefyr.com. 14400 IN NS ns1.liquenox.net.
liquefyr.com. 14400 IN NS ns2.liquenox.net.

beta 14400 IN A 65.60.32.140
coranto 14400 IN A 65.60.32.140
dcleague 14400 IN A 65.60.32.140
dev 14400 IN A 65.60.32.140
dsd 14400 IN A 65.60.32.140
forums 14400 IN A 65.60.32.140
ftp 14400 IN A 65.60.32.140
ideal 14400 IN A 65.60.32.140
kelsplace 14400 IN A 65.60.32.140
liquefyr.com. 14400 IN A 65.60.32.140
localhost.liquefyr.com. 14400 IN A 127.0.0.1
mail 14400 IN A 65.60.32.140
thegoodies 14400 IN A 65.60.32.140
www 14400 IN A 65.60.32.140

liquefyr.com. 14400 IN MX 0 liquefyr.com.

I thought this would be a simple DA fix, but is it only for me that DA is not generating the A records?
 
Phil,

Which records do you feel are missing?

If you still feel you're missing A records for your nameservers in your domain zones, I urge you to read relevant RFCs, and to either get one of the DNS books or read the relevant chapters on line (I believe you can read "DNS and BIND" online).

A records for your DNS servers do NOT belong in your zone unless the nameserver names are in the same domain name space.

Here's a copy of example.com.db, as prepared by my test system, datest.nobaloney.net:


$TTL 0
@ IN SOA ns1.ns-one.net. root.ns1.ns-one.net. (
1058473741
43200
3600
3600000
86400 )

example.com. 14400 IN NS ns1.ns-one.net.
example.com. 14400 IN NS ns2.ns-one.net.

example.com. 14400 IN A 67.112.189.218
ftp 14400 IN A 67.112.189.218
localhost.example.com. 14400 IN A 127.0.0.1
mail 14400 IN A 67.112.189.218
www 14400 IN A 67.112.189.218

example.com. 14400 IN MX 0 example.com.

Note that there are no A records for the nameservers because the nameservers are NOT in the same domain.

Note also the zone-file I posted yesterday for nobaloney.net; that file has been in use for at least four years (with minor changes) and has always worked. We host DNS for thousands of domains, and none of our domains has ever had A records for the DNS servers unless the servers were in the same domain.

Which is as it should be; when I wrote the first zone file for nobaloney.net I used the "DNS and Bind" book as a reference.

As to why you're having the problem, I can't say. I highly suggest you join the bind-users list or the bind newsgroup, and ask questions there. The real experts, including as I mentioned, the gent who cowrote the book, all hang out there.

I could post your problem for you, but these days I'm too busy to keep up with it on an hourly (or even daily :( ) basis, so I could neither reply to their questions nor get back to you, in a timely manner :( .

Jeff
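The rule argued in the posts above (an A record for a nameserver belongs in a zone only when the nameserver's name is inside that zone, and then it is required as glue) written up as a checker over DirectAdmin-style zone files. This is an added example, not DirectAdmin's code or anything posted in the thread; the zone fragments are constructed stand-ins modelled on the files quoted above, and the parser only covers the minimal record syntax those files use.

```python
import re
# Constructed zone fragments modelled on the thread's files (not the real ones): liquenox.net as
# DirectAdmin left it (no A records for its own nameservers) and cheese.com as first proposed.
LIQUENOX_BEFORE = """$TTL 0
@ IN SOA ns1.liquenox.net. root.ns1.liquenox.net. (
1060837504 7200 3600 1209600 86400 )
liquenox.net. 14400 IN NS ns1.liquenox.net.
liquenox.net. 14400 IN NS ns2.liquenox.net.
liquenox.net. 14400 IN A 65.60.32.140
"""
CHEESE_PROPOSED = """cheese.com. 7200 IN NS ns1.liquenox.net.
cheese.com. 7200 IN NS ns2.liquenox.net.
cheese.com. 7200 IN A 65.60.32.140
ns1.liquenox.net. 7200 IN A 65.60.32.140
ns2.liquenox.net. 7200 IN A 65.60.32.141
"""

def qualify(name, origin):
    """Fully qualify a relative owner name under the zone origin."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Parse $TTL, a parenthesised SOA and 'owner [ttl] [IN] type rdata' lines into (owner, type, rdata)."""
    text = re.sub(r"\([^)]*\)", lambda m: m.group(0).replace("\n", " "), text)  # fold the SOA
    records, owner = [], "@"  # a line with no owner repeats the previous owner
    for line in text.splitlines():
        parts = line.split(";")[0].split()
        if not parts or parts[0].startswith("$"):
            continue
        if not (parts[0] == "IN" or parts[0].isdigit()):
            owner = parts.pop(0)
        if parts[0].isdigit():  # optional TTL
            parts.pop(0)
        if parts[0] == "IN":  # optional class
            parts.pop(0)
        records.append((qualify(owner, origin), parts[0], " ".join(parts[1:])))
    return records

def check_ns_glue(records, origin):
    """Thread's rule: in-zone nameservers need glue A records here; out-of-zone ones must not have them here."""
    a_owners = {o for o, t, _ in records if t == "A"}
    findings = []
    for ns in sorted({r for o, t, r in records if t == "NS" and o == origin}):
        inside = ns == origin or ns.endswith("." + origin)
        if inside and ns not in a_owners:
            findings.append(f"missing glue A record for {ns}")
        elif not inside and ns in a_owners:
            findings.append(f"misplaced A record for out-of-zone nameserver {ns}")
    return findings
```

Running it over LIQUENOX_BEFORE reports the two missing glue records that the thread's final fix adds, and over CHEESE_PROPOSED the two misplaced ones; a DA-generated zone such as liquefyr.com.db, with out-of-zone nameservers and no A records for them, passes clean.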
 
It's fixed!

DA never added the A records for my nameservers to the liquenox.net zone file, and I didn't know that by adding them there you'd get the A records in the "ADDITIONAL SECTION" of dig for all hosted domains.

Thanks a lot, you've been a wonderful help :)
 
Glad to hear things have been working.

I don't have my testbed running at the moment (I needed the machine for an emergency restore of a Plesk system :eek: ) so I can't check, but I don't see how DA would know you had nameservers at a specific domain; I'd think you'd have to put them in manually.

Sorry I didn't think of asking that directly.

Glad I could be of some small help, though.

Jeff
 