Is this named.conf correctly configured?

samuelmf (Verified User, joined Jul 30, 2021, 157 messages)
Hi guys, I'm trying to configure my own custom nameservers on my DA server but I don't know if I'm configuring it correctly.

Are the lines in the named.conf file OK?
[attachment: named.conf]

My server has CentOS 7.
Thanks in advance
 
Just to be sure: you do not configure custom nameservers by editing the named.conf file; DirectAdmin will do that for you. So I hope you did not edit the named.conf file yourself. If you did, restore the original one and use DirectAdmin to add your nameservers.

If you want to run your own nameservers, it's not working: the domain is still using Cloudflare's nameservers. If you want that, then that is fine.

Also:
Code:
"82.32.95.184.in-addr.arpa"
You don't use rDNS in DirectAdmin because that has no use at all. An rDNS record must be set in the datacenter or with the hoster you got the IP from.

The line:
allow-transfer {"none";};
is missing (security issue).

I just checked a bit more. If you want to use mail with this domain, the MX record is missing.
 
Hi friend, thanks for taking the time to review my named file.
I have fixed the things you mentioned:
"82.32.95.184.in-addr.arpa" removed
allow-transfer {"none";}; added

The main domain is pointing to Cloudflare because a friend told me to do that for troubleshooting, to find the cause of the custom ns1 and ns2 not working.

These are the steps I took:
My main domain is scefrapcore.net (currently pointing to Cloudflare nameservers)
and my hostname is core.scefrapcore.net.
I have set up this on my main domain zone:
scefrapcore.net. NS ns1.
scefrapcore.net. NS ns2.

ns1 3600 A 184.95.32.85
ns2 3600 A 184.95.32.86

And in my hostname zone I have these 2 records that I did not add:

core.scefrapcore.net. NS ns1.scefrapcore.net.
core.scefrapcore.net. NS ns2.scefrapcore.net.
Is this OK? When I try to delete them, they don't get deleted.

I forgot to say that I have already set up the glue records on GoDaddy.
 
Looks good to me. Your hostname zone should contain these records, so that is a good thing.
ns1 3600 A 184.95.32.85
ns2 3600 A 184.95.32.86
Did you just create those as A records yourself?

Because it's best to enter them at reseller level and add the nameservers there.
They might work like they are now, but if you add them via reseller level, they are set up via DA and they will also be used for new domains.

You should be able to remove them from Cloudflare so you can use your own nameservers now. It can take some hours for them to sync over the world.

Don't forget what I wrote about the MX record and rDNS for that.
 
I already asked my bare metal provider to add rDNS for the hostname and IP.
OK, I will set MX records at the end, when the NS are working well.
I don't know why, when I ping ns1.scefrapcore.net and ns2, they don't respond :(
 
I already asked my bare metal provider to add rDNS for the hostname and IP.
OK, I will set MX records at the end, when the NS are working well.
I don't know why, when I ping ns1.scefrapcore.net and ns2, they don't respond :(
Ping is not a good test, as some block pings.
 
Might indeed be an ICMP block. You also should have port 52 open for UDP, incoming and outgoing.
As long as one can connect to the IP, it's no problem that you can't ping it.
 
Well, definitely something is misconfigured on my bare metal; I'm not able to make my custom nameservers work.
 
If I ping the IP it responds; if I ping ns1/ns2.scefrapcore.net it does not respond.
 
Don't know, Cloudflare can't help, but this is related to what I found, and yes, your ns1 and ns2 are not found!

If using Cloudflare and GoDaddy, I think you have to ask there...

We found these machines for scefrapcore.net

www.scefrapcore.net 184.95.32.82

These machines are also used by scefrapcore.net. They seem to be managed by a third party:

kimora.ns.cloudflare.com 108.162.194.243
kimora.ns.cloudflare.com 162.159.38.243
kimora.ns.cloudflare.com 172.64.34.243
kimora.ns.cloudflare.com 2606:4700:50::a29f:26f3
kimora.ns.cloudflare.com 2803:f800:50::6ca2:c2f3
kimora.ns.cloudflare.com 2a06:98c1:50::ac40:22f3
yahir.ns.cloudflare.com 108.162.195.34
yahir.ns.cloudflare.com 162.159.44.34
yahir.ns.cloudflare.com 172.64.35.34
yahir.ns.cloudflare.com 2606:4700:58::a29f:2c22
yahir.ns.cloudflare.com 2803:f800:50::6ca2:c322
yahir.ns.cloudflare.com 2a06:98c1:50::ac40:2322
 
I have setup this on my main domain zone
scefrapcore.net. NS ns1.
scefrapcore.net. NS ns2.
I missed that in the last reply. You had better use the full name there.
So like this:
scefrapcore.net. NS ns1.scefrapcore.net.
scefrapcore.net. NS ns2.scefrapcore.net.
Mind the trailing dot; it is required.
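To make the trailing-dot rule concrete, here is an added Python example (not DirectAdmin's code and not from any of the posts above) that expands zone-file names the way BIND does: a name without a trailing dot is relative and gets $ORIGIN appended, a name with one is absolute, so `ns1.` is the top-level name `ns1` and not `ns1.scefrapcore.net.`. It then checks every NS record for two things: the target must lie inside the zone, and an in-zone nameserver must have an A record in the zone (the ns1/ns2 A records from the earlier post). The two zone snippets are constructed from the records quoted in this thread; the parser handles only the simple record shapes shown here.

```python
ORIGIN = "scefrapcore.net."

# Constructed sample: the NS records as first posted, with "ns1." and "ns2."
BAD_ZONE = """\
scefrapcore.net.  NS  ns1.
scefrapcore.net.  NS  ns2.
ns1  3600  A  184.95.32.85
ns2  3600  A  184.95.32.86
"""

# Constructed sample: the corrected records with fully qualified NS targets.
GOOD_ZONE = """\
scefrapcore.net.  NS  ns1.scefrapcore.net.
scefrapcore.net.  NS  ns2.scefrapcore.net.
ns1  3600  A  184.95.32.85
ns2  3600  A  184.95.32.86
"""


def fqdn(name, origin=ORIGIN):
    """BIND's rule: a name ending in '.' is absolute, '@' is the origin, and any
    other name is relative and gets $ORIGIN appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse(zone, origin=ORIGIN):
    """Return (owner, type, rdata) tuples; TTL and class fields are optional.
    Only the record shapes used above are handled (no $TTL, no multi-field rdata)."""
    records = []
    for line in zone.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        owner, rest = fqdn(fields[0], origin), fields[1:]
        if rest[0].isdigit():               # optional TTL
            rest = rest[1:]
        if rest[0].upper() == "IN":         # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), rest[1]
        if rtype in ("NS", "CNAME"):        # rdata is a domain name: qualify it too
            rdata = fqdn(rdata, origin)
        records.append((owner, rtype, rdata))
    return records


def check_ns(zone, origin=ORIGIN):
    """Flag NS targets outside the zone and in-zone targets without an A/AAAA record."""
    records = parse(zone, origin)
    addressed = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    problems = []
    for owner, rtype, target in records:
        if rtype != "NS":
            continue
        if not target.endswith("." + origin):
            problems.append(f"{owner} NS {target}: target lies outside {origin} "
                            "(the trailing dot makes it absolute)")
        elif target not in addressed:
            problems.append(f"{owner} NS {target}: no A record (glue) for this nameserver in the zone")
    return problems


if __name__ == "__main__":
    print("as posted:", check_ns(BAD_ZONE) or ["ok"])
    print("corrected:", check_ns(GOOD_ZONE) or ["ok"])
```

Running it reports both NS records of the first snippet as pointing outside the zone and accepts the second. The same check also catches the opposite mistake, a fully qualified NS target with no A record next to it, which is the in-zone counterpart of the glue records registered at the registrar.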
 
@Richard G thanks for the reply.
Like this?
[screenshot attached]
 
Hey guys, I have found the problem.
In the named.conf file I commented out this line: //listen-on port 53 { 127.0.0.1; };
and changed the line allow-query { localhost; };
to allow-query { any; };
And now I'm able to ping my IPs and my domain names.
 
In the named.conf file I commented out this line: //listen-on port 53 { 127.0.0.1; };
You mean you put # in front of it? You shouldn't do that indeed. :)

All my named.conf files look like this:
Code:
options {
        //listen-on port 53 { 127.0.0.1; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        //allow-query     { localhost; };
        allow-recursion { localnets; };
        allow-transfer {"none";};
        version "my version";
        minimal-responses yes;
        empty-zones-enable no;

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        //recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

So if anyone looks for how a default (and somewhat secured) named.conf should look, you can use this example.
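As an added example (not DirectAdmin's or BIND's own code, and not from any post in this thread), here is a small Python auditor that reads the `options { ... }` block of a named.conf and reports the settings discussed above: listen-on restricted to loopback, allow-query localhost, a missing allow-transfer, and recursion left reachable from anywhere. The three sample configurations are constructed: one modelled on the stock CentOS 7 options block that the thread's edits were made to (an assumption based on the lines quoted in the thread), one with only the two edits described earlier applied (listen-on commented out, allow-query set to any), and one with the relevant lines of the hardened file posted above. The parser is deliberately minimal (options block only, not every named.conf construct), and the BIND defaults it assumes when a statement is absent (allow-query any, allow-transfer any, recursion yes, allow-recursion falling back to allow-query and otherwise to localnets/localhost) are those of BIND 9.11 as shipped with CentOS 7.

```python
import re

# Constructed sample 1: modelled on the stock CentOS 7 /etc/named.conf options
# block, a loopback-only caching resolver (assumed starting point of the thread).
STOCK_CONF = """
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-query     { localhost; };
        recursion yes;
};
"""

# Constructed sample 2: only the two edits described in the thread applied
# (listen-on commented out, allow-query opened); recursion is still on.
POSTER_CONF = """
options {
        //listen-on port 53 { 127.0.0.1; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-query     { any; };
        recursion yes;
};
"""

# Constructed sample 3: the relevant lines of the hardened file posted above.
HARDENED_CONF = """
options {
        //listen-on port 53 { 127.0.0.1; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        //allow-query     { localhost; };
        allow-recursion { localnets; };
        allow-transfer {"none";};
        version "my version";
        //recursion yes;
};
"""

# named.conf accepts /* */, // and # comments; strip all three so that a
# commented-out statement counts as absent, exactly as BIND treats it.
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# keyword followed by either `{ list; }` (optionally prefixed, e.g. `port 53`)
# or a plain value, terminated by ';'. Simplified: good enough for the options block.
STATEMENT = re.compile(r"([a-z0-9-]+)\s+([^{;]*?\{[^}]*\}|[^;{]+?)\s*;", re.S)
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def options(conf):
    """Return {keyword: value} for the statements inside `options { ... };`."""
    body = re.search(r"options\s*\{(.*?)\n\};", COMMENT.sub("", conf), re.S)
    return dict(STATEMENT.findall(body.group(1))) if body else {}


def acl(value):
    """Address-match list of a value such as `port 53 { 127.0.0.1; }` -> ['127.0.0.1']."""
    inner = re.search(r"\{(.*)\}", value, re.S)
    if not inner:
        return []
    return [t.strip().strip('"') for t in inner.group(1).split(";") if t.strip()]


def audit(conf):
    """List the problems an authoritative server would have with this options block.
    Assumed BIND 9.11 defaults for absent statements: allow-query any,
    allow-transfer any, recursion yes, allow-recursion = allow-query if set,
    otherwise localnets/localhost."""
    opts = options(conf)
    findings = []
    for key in ("listen-on", "listen-on-v6"):
        bound = acl(opts.get(key, ""))
        if bound and set(bound) <= LOOPBACK:
            findings.append(f"{key}: bound to loopback only, no other host can reach it")
    query = acl(opts.get("allow-query", ""))
    if query == ["localhost"]:
        findings.append("allow-query: localhost only, the zones are invisible to the world")
    if "allow-transfer" not in opts:
        findings.append("allow-transfer: missing, so any host may AXFR the whole zone")
    elif acl(opts["allow-transfer"]) != ["none"]:
        findings.append("allow-transfer: not restricted to none")
    recursion = opts.get("recursion", "yes").strip()
    recursors = acl(opts.get("allow-recursion", "")) or query or ["localnets", "localhost"]
    if recursion == "yes" and "any" in recursors:
        findings.append("recursion: open resolver, usable for DNS amplification")
    return findings


if __name__ == "__main__":
    for name, conf in (("stock", STOCK_CONF), ("poster", POSTER_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

The middle sample is the instructive one: opening allow-query while leaving `recursion yes;` in place and adding no allow-recursion turns the box into an open resolver, which is exactly the amplification scenario the comment block inside the posted file warns about. The hardened file avoids it by limiting recursion to localnets and refusing zone transfers, and the auditor reports nothing for it.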
 
Thanks for the reply @Richard G, I'm using your named.conf on my server now.
Now I'm trying to install an SSL cert for the hostname and for a domain; I hope it's not difficult.

You mean you put # in front of it? You shouldn't do that indeed.
No, that file uses // for comments.

Edit: I'm following these steps https://help.directadmin.com/item.php?id=629 for the hostname
and these for the domain https://help.directadmin.com/item.php?id=646, but on steps 3 and 4 of this tutorial, when I execute the command

3.- To manually test things, create a file like this:
echo "test" >> /var/www/html/.well-known/acme-challenge/test.txt
I think the path /var/www/html is not correct.

and then test it via:

And if I check whether the .well-known folder exists in the user's home, it does not exist.
 
@samuelmf
Something to check to test Let's Encrypt:


 
and these for the domain https://help.directadmin.com/item.php?id=646, but on steps 3 and 4 of this tutorial, when I execute the command
For the hostname, you are good. But for the domain, I wouldn't use that old documentation anymore.
Just log in to the account and create the certificate from there. Makes life a lot easier.

No, that file uses // for comments.
As you could see from my named.conf, mine does too and they are still in there. ;)
 
Thank you all for the replies; now I will configure MX records to start using email.
By the way, any good tutorial on how to configure Apache + Nginx as a reverse proxy and load balancer?
Thanks in advance
 