Master/Slave DNS issues

EFW

Hi folks,

I have installed DA on my VPS. I set ns1/ns2 to the same IP when DA was installed. I have just got a second small VPS, where I intend to run the ns2/slave DNS server. I have installed CentOS on the ns2 server and installed bind. I have tried to set up the slave to copy from the master, but I'm not 100% sure it's working. When I check using intodns, I get a few errors. My domain is viperstorm.net.

What files/logs do you need to view to see if I have set things up right?

Thanks

Kevin
 
You should fix the one about the glue record. It means that the ns2 IP is not matching the glue record with what you have for your A record. You should go to your domain registrar and update the IP you have set up for ns2. What exactly isn't working, and do you have a copy of DirectAdmin running on your VPS? If not, how are you propagating the domain list? DNS errors will be in /var/log/messages unless you set up a special logging clause in named.conf.
 
Hi,

I've rechecked the A-records. They seem OK to me. I've pasted my named.conf files to see if there is anything wrong.

named.conf from my VPS running DA:

Code:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        //listen-on port 53 { 127.0.0.1; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        //allow-query     { localhost; };
        #recursion no;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        version none;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        notify explicit;
        also-notify { 198.23.245.222; };
        allow-notify { 198.23.245.222; };
        allow-transfer { 198.23.245.222/32; };

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type master;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

zone "equinox.viperstorm.net" { type master; file "/var/named/equinox.viperstorm.net.db"; };
zone "viperstorm.net" { type master; file "/var/named/viperstorm.net.db"; };

Zones from DA DNS

$TTL 14400
@ IN SOA ns1.viperstorm.net. hostmaster.viperstorm.net. (
2013022126
14400
3600
1209600
86400 )

viperstorm.net. 14400 IN NS ns1.viperstorm.net.
viperstorm.net. 14400 IN NS ns2.viperstorm.net.

ftp 14400 IN A 185.12.12.139
localhost 14400 IN A 127.0.0.1
mail 14400 IN A 185.12.12.139
ns1.viperstorm.net. 14400 IN A 185.12.12.139
ns2.viperstorm.net. 14400 IN A 198.23.245.222
pandora 14400 IN A 198.23.245.222
pop 14400 IN A 185.12.12.139
smtp 14400 IN A 185.12.12.139
viperstorm.net. 14400 IN A 185.12.12.139
www 14400 IN A 185.12.12.139

viperstorm.net. 14400 IN MX 10 mail



viperstorm.net. 14400 IN TXT "v=spf1 a mx ip4:185.12.12.139 ~all"

localhost 14400 IN AAAA ::1

$TTL 14400
@ IN SOA ns1.viperstorm.net. hostmaster.equinox.viperstorm.net. (
2013022104
14400
3600
1209600
86400 )

equinox.viperstorm.net. 14400 IN NS ns1.viperstorm.net.
equinox.viperstorm.net. 14400 IN NS ns2.viperstorm.net.

equinox.viperstorm.net. 14400 IN A 185.12.12.139
ftp 14400 IN A 185.12.12.139
localhost 14400 IN A 127.0.0.1
mail 14400 IN A 185.12.12.139
pandora 14400 IN A 198.23.245.222
pop 14400 IN A 185.12.12.139
smtp 14400 IN A 185.12.12.139
test 14400 IN A 185.12.12.139
www 14400 IN A 185.12.12.139

equinox.viperstorm.net. 14400 IN MX 10 mail



equinox.viperstorm.net. 14400 IN TXT "v=spf1 a mx ip4:185.12.12.139 ~all"

localhost 14400 IN AAAA ::1

named.conf from my DNS VPS:

Code:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

include "/etc/rndc.key";

options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        allow-transfer { 185.12.12.139/32; };

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc.key; };
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "viperstorm.net" IN {
        type slave;
        file "/var/named/viperstorm.net.db";
        // allow-update { none; };
        allow-transfer { 185.12.12.139/32; };
        masters { 185.12.12.139; };
};

zone "12.12.185.in-addr.arpa" IN {
        type slave;
        file "/var/named/12.12.185.rev";
        // allow-update { none; };
        allow-transfer { 185.12.12.139/32; };
        masters { 185.12.12.139; };
};

The error I get is this:

[root@pandora ~]# service named start
Starting named:
Error in named configuration:
/etc/named.conf:44: unknown key 'rndc.key'
[FAILED]
[root@pandora ~]#

Thanks

Kevin
 
Look in /etc/rndc.key and match the key name to what you have in this code block:

Code:
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc.key; };
};

My guess is the key name is different.

Here is my control key code block for example. I changed the secret line a little for security reasons:

Code:
key "rndc-key" {
       algorithm hmac-md5;
       secret "dadfadf234243avzzczv==";
};
 
controls {
  inet 127.0.0.1 port 953
  allow { 127.0.0.1; } keys { "rndc-key"; };
};
 
Perfect! Thank you. That fixed that error, but gave me a new one, lol.

[root@pandora ~]# service named start
Starting named:
Error in named configuration:
zone localhost/IN: loading from master file localhost.zone failed: file not found
zone localhost/IN: not loaded due to errors.
_default/localhost/IN: file not found
[FAILED]
[root@pandora ~]#


Any ideas?

Kevin
 
You can either remove the section for localhost in named.conf or create a file in /var/named called localhost.zone

In that file should be:
Code:
$TTL    86400
$ORIGIN localhost.
@                       1D IN SOA       @ root (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum

                        1D IN NS        @
                        1D IN A         127.0.0.1

If you want to remove it, just delete it from named.conf. I don't see how it's useful at all. It's just a default zone that ships with the OS.

Code:
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
 
Morning,

That worked great! named started. I checked the logs and saw one little error.

[root@pandora ~]# tail /var/log/messages
Feb 22 11:13:07 pandora named[1878]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Feb 22 11:13:07 pandora named[1878]: command channel listening on 127.0.0.1#953
Feb 22 11:13:07 pandora named[1878]: managed-keys-zone ./IN: loaded serial 3
Feb 22 11:13:07 pandora named[1878]: running
Feb 22 11:13:08 pandora named[1878]: zone 12.12.185.in-addr.arpa/IN: refresh: unexpected rcode (SERVFAIL) from master 185.12.12.139#53 (source 0.0.0.0#0)
Feb 22 11:13:08 pandora named[1878]: zone viperstorm.net/IN: Transfer started.
Feb 22 11:13:08 pandora named[1878]: transfer of 'viperstorm.net/IN' from 185.12.12.139#53: connected using 198.23.245.222#45412
Feb 22 11:13:09 pandora named[1878]: zone viperstorm.net/IN: transferred serial 2013022126
Feb 22 11:13:09 pandora named[1878]: transfer of 'viperstorm.net/IN' from 185.12.12.139#53: Transfer completed: 1 messages, 17 records, 442 bytes, 0.620 secs (712 bytes/sec)
Feb 22 11:13:09 pandora named[1878]: zone viperstorm.net/IN: sending notifies (serial 2013022126)
[root@pandora ~]#

On the master I checked the logs

[root@equinox pharox]# tail /var/log/messages
Feb 22 10:30:20 equinox named[23118]: managed-keys-zone ./IN: Failed to create fetch for DNSKEY update
Feb 22 10:50:50 equinox lfd[26721]: SYSLOG check [DiDT60lZMHwrMT70Db7yhDd6QD]
Feb 22 11:13:09 equinox named[23118]: client 198.23.245.222#45412: transfer of 'viperstorm.net/IN': AXFR started
Feb 22 11:13:09 equinox named[23118]: client 198.23.245.222#45412: transfer of 'viperstorm.net/IN': AXFR ended

Any ideas?

Thanks

Kevin
 
I had another look, and now getting this error from the slave

Code:
[root@pandora ~]# tail /var/log/messages
Feb 22 12:38:00 pandora named[3026]: command channel listening on 127.0.0.1#953
Feb 22 12:38:00 pandora named[3026]: zone viperstorm.net/IN: loaded serial 2013022126
Feb 22 12:38:00 pandora named[3026]: managed-keys-zone ./IN: loaded serial 6
Feb 22 12:38:00 pandora named[3026]: zone viperstorm.net/IN: sending notifies (serial 2013022126)
Feb 22 12:38:00 pandora named[3026]: running
Feb 22 12:38:01 pandora named[3026]: zone 12.12.185.in-addr.arpa/IN: refresh: unexpected rcode (REFUSED) from master 185.12.12.139#53 (source 0.0.0.0#0)
Feb 22 12:38:01 pandora named[3026]: zone 12.12.185.in-addr.arpa/IN: Transfer started.
Feb 22 12:38:01 pandora named[3026]: transfer of '12.12.185.in-addr.arpa/IN' from 185.12.12.139#53: connected using 198.23.245.222#44650
Feb 22 12:38:01 pandora named[3026]: transfer of '12.12.185.in-addr.arpa/IN' from 185.12.12.139#53: failed while receiving responses: NOTAUTH
Feb 22 12:38:01 pandora named[3026]: transfer of '12.12.185.in-addr.arpa/IN' from 185.12.12.139#53: Transfer completed: 0 messages, 0 records, 0 bytes, 0.221 secs (0 bytes/sec)
[root@pandora ~]#

I turned the firewall off on the master server, but still got that error.

Any ideas?

Kevin
 
It's not a firewall issue. Is the zone 12.12.185.in-addr.arpa on your master server as well, or is that something only on your slave server?

You might want to remove the following from your slave named.conf

Code:
zone "12.12.185.in-addr.arpa" IN {
type slave;
file "/var/named/12.12.185.rev";
// allow-update { none; };
allow-transfer { 185.12.12.139/32; };
masters { 185.12.12.139; };
};

If you do use it then you have to check your master named.conf and make sure you have a line for the reverse zone in there like your forward zones:

Code:
zone "12.12.185.in-addr.arpa" { type master; file "/var/named/REVERSE-ZONE-FILE"; };
 
Hi again,

Yes, I was looking at that. ns2 was trying to get/copy that zone, but ns1 did not have it, so it was not allowing it. Anyway, I think it's all working OK now.

From the master server, I get

Code:
[root@equinox pharox]# service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
[root@equinox pharox]# tail /var/log/messages
Feb 22 18:28:11 equinox named[10543]: zone equinox.viperstorm.net/IN: loaded serial 2013022104
Feb 22 18:28:11 equinox named[10543]: managed-keys-zone ./IN: loaded serial 207
Feb 22 18:28:11 equinox named[10543]: zone 0.in-addr.arpa/IN: sending notifies (serial 0)
Feb 22 18:28:11 equinox named[10543]: zone equinox.viperstorm.net/IN: sending notifies (serial 2013022104)
Feb 22 18:28:11 equinox named[10543]: zone 1.0.0.127.in-addr.arpa/IN: sending notifies (serial 0)
Feb 22 18:28:11 equinox named[10543]: zone viperstorm.net/IN: sending notifies (serial 2013022126)
Feb 22 18:28:11 equinox named[10543]: zone localhost/IN: sending notifies (serial 0)
Feb 22 18:28:11 equinox named[10543]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: sending notifies (serial 0)
Feb 22 18:28:11 equinox named[10543]: zone localhost.localdomain/IN: sending notifies (serial 0)
Feb 22 18:28:11 equinox named[10543]: running
[root@equinox pharox]#

From the slave server, I get

Code:
[root@pandora ~]# tail /var/log/messages
Feb 22 18:28:33 pandora named[19863]: automatic empty zone: A.E.F.IP6.ARPA
Feb 22 18:28:33 pandora named[19863]: automatic empty zone: B.E.F.IP6.ARPA
Feb 22 18:28:33 pandora named[19863]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Feb 22 18:28:33 pandora named[19863]: command channel listening on 127.0.0.1#953
Feb 22 18:28:33 pandora named[19863]: zone viperstorm.net/IN: loaded serial 2013022126
Feb 22 18:28:33 pandora named[19863]: zone equinox.viperstorm.net/IN: loaded serial 2013022104
Feb 22 18:28:33 pandora named[19863]: managed-keys-zone ./IN: loaded serial 12
Feb 22 18:28:33 pandora named[19863]: zone viperstorm.net/IN: sending notifies (serial 2013022126)
Feb 22 18:28:33 pandora named[19863]: zone equinox.viperstorm.net/IN: sending notifies (serial 2013022104)
Feb 22 18:28:33 pandora named[19863]: running
[root@pandora ~]#

When I use intodns to see if everything is working, I get "ns2 does not respond". From the tail of messages I get

Code:
[root@pandora ~]# tail /var/log/messages
Feb 22 18:28:33 pandora named[19863]: running
Feb 22 18:37:01 pandora named[19863]: client 93.113.174.225#24212: query 'viperstorm.net/NS/IN' denied
Feb 22 18:37:01 pandora named[19863]: client 93.113.174.225#10298: query 'viperstorm.net/MX/IN' denied
Feb 22 18:37:01 pandora named[19863]: client 93.113.174.225#58244: query 'viperstorm.net/SOA/IN' denied
Feb 22 18:37:01 pandora named[19863]: client 93.113.174.225#34219: query (cache) 'adobe.com/A/IN' denied
Feb 22 18:37:01 pandora named[19863]: client 74.125.17.216#64823: query 'www.viperstorm.net/A/IN' denied
Feb 22 18:37:05 pandora named[19863]: client 93.113.174.225#41745: query 'viperstorm.net/NS/IN' denied
Feb 22 18:37:05 pandora named[19863]: client 93.113.174.225#23258: query 'viperstorm.net/MX/IN' denied
Feb 22 18:37:05 pandora named[19863]: client 93.113.174.225#16986: query 'viperstorm.net/SOA/IN' denied
Feb 22 18:37:05 pandora named[19863]: client 93.113.174.225#34779: query (cache) 'adobe.com/A/IN' denied
[root@pandora ~]#

Something is wrong?

Regards
 
You have allow-query { localhost; }; meaning only localhost can look up hosts.

You should change it to allow-query { any; };
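As an added example (not code from this thread), a small Python triage script for the kind of named syslog lines posted above: it separates successful transfers from SERVFAIL/REFUSED/NOTAUTH answers out of the master, and splits "query denied" lines into refused recursion (harmless on an authoritative-only secondary) versus denied queries for the server's own zones, which is the allow-query { localhost; } symptom. The sample lines are constructed from the ones quoted in this thread.

```python
import re
from collections import defaultdict
# Constructed sample: syslog lines of the shapes the secondary ("pandora") logged in this thread.
SAMPLE_LOG = """\
Feb 22 11:13:08 pandora named[1878]: zone 12.12.185.in-addr.arpa/IN: refresh: unexpected rcode (SERVFAIL) from master 185.12.12.139#53 (source 0.0.0.0#0)
Feb 22 11:13:09 pandora named[1878]: zone viperstorm.net/IN: transferred serial 2013022126
Feb 22 12:38:01 pandora named[3026]: transfer of '12.12.185.in-addr.arpa/IN' from 185.12.12.139#53: failed while receiving responses: NOTAUTH
Feb 22 18:37:01 pandora named[19863]: client 93.113.174.225#24212: query 'viperstorm.net/NS/IN' denied
Feb 22 18:37:01 pandora named[19863]: client 93.113.174.225#34219: query (cache) 'adobe.com/A/IN' denied
Feb 22 18:37:01 pandora named[19863]: client 74.125.17.216#64823: query 'www.viperstorm.net/A/IN' denied
"""

RE_TRANSFERRED = re.compile(r"^zone (?P<zone>\S+)/IN: transferred serial (?P<serial>\d+)")
RE_REFRESH_FAIL = re.compile(r"^zone (?P<zone>\S+)/IN: refresh: unexpected rcode \((?P<rcode>\w+)\) from master (?P<master>[\d.]+)")
RE_XFER_FAIL = re.compile(r"^transfer of '(?P<zone>\S+)/IN' from (?P<master>[\d.]+)#\d+: failed while receiving responses: (?P<rcode>\w+)")
RE_DENIED = re.compile(r"^client (?P<client>[\d.]+)#\d+: query (?P<cache>\(cache\) )?'(?P<name>\S+)/(?P<rtype>\w+)/IN' denied")

def analyze(log_text, our_zones):
    # Bucket named log lines by what they say about zone transfers and query policy.
    report = {"transferred": {}, "transfer_failures": [],
              "denied_auth": defaultdict(int), "denied_recursive": defaultdict(int)}
    for line in log_text.splitlines():
        msg = line.partition("named[")[2].partition("]: ")[2]  # "" if not a named line
        if (t := RE_TRANSFERRED.match(msg)):
            report["transferred"][t["zone"]] = int(t["serial"])
        elif (f := RE_REFRESH_FAIL.match(msg) or RE_XFER_FAIL.match(msg)):
            # SERVFAIL/REFUSED/NOTAUTH from the master: it does not serve the zone or will not transfer it.
            report["transfer_failures"].append((f["zone"], f["master"], f["rcode"]))
        elif (d := RE_DENIED.match(msg)):
            name = d["name"].lower()
            is_ours = any(name == z or name.endswith("." + z) for z in our_zones)
            # "(cache)" or a foreign name = refused recursion (fine); our own zone denied = allow-query too tight
            bucket = "denied_recursive" if (d["cache"] or not is_ours) else "denied_auth"
            report[bucket][d["client"]] += 1
    return report

def findings(report, our_zones):
    # Turn the buckets into the checks a secondary's operator should act on.
    out = []
    for zone, master, rcode in report["transfer_failures"]:
        out.append(f"TRANSFER {zone}: master {master} answered {rcode}; check that the master "
                   "defines this zone and lists this host in allow-transfer")
    for zone in our_zones:
        if zone not in report["transferred"]:
            out.append(f"TRANSFER {zone}: no successful transfer seen")
    if report["denied_auth"]:
        out.append(f"ALLOW-QUERY: {sum(report['denied_auth'].values())} queries for our own zones "
                   "denied; a public authoritative server must answer them")
    if report["denied_recursive"]:
        out.append("RECURSION: recursive/cache lookups denied (expected on an authoritative-only server)")
    return out
```

Run it against `tail /var/log/messages` output from the secondary with the list of zones it is supposed to serve; a TRANSFER finding points at the master's zone list or allow-transfer, an ALLOW-QUERY finding at the secondary's options block.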
 
Hiya,

That's perfect! Everything seems to be working real good. Still getting the no response from ns2 on intodns, but that's OK, could be propagation or something. I really appreciate your help, it's been a great learning curve for me, as my goal is to set up something like 'Automated Secondary DNS' which is posted on the DA forums.

Thanks again

Kev
 
I'm not sure about allow-query (I don't have it in my configs at all), but right now you've got your 2nd nameserver allowing recursive queries, which means you can query it for all domains on the internet.

e.g. dig @198.23.245.222 google.com is giving response.

Be sure to have this

allow-recursion { 127.0.0.1; };

You can test it with that dig command, or intodns is reporting this as well.
 
Hi thanks,

Just added that to the named.conf and restarted. Hope that should fix that.

Thank you
 
I'm not sure about allow-query (I don't have it in my configs at all)
Correct, it's better not to use that option combined with "any" because you will give everyone access to your nameserver to do lookups.
We don't have that in our slave config (or any other server) either. In fact, you only need a couple of lines in the options section.
 
Correct, it's better not to use that option combined with "any" because you will give everyone access to your nameserver to do lookups.
We don't have that in our slave config (or any other server) either. In fact, you only need a couple of lines in the options section.

I looked it up as it was allow-recursion which was the issue:

allow-query — Specifies which hosts are allowed to query this nameserver. By default, all hosts are allowed to query. An access control list or collection of IP addresses or networks may be used here to only allow particular hosts to query the nameserver.

allow-recursion — Similar to allow-query, except it applies to recursive queries. By default, all hosts are allowed to perform recursive queries on the nameserver.

So default it's any I guess -- which is needed for it to work.
 
You're correct, I mixed them up too... it's allow-recursion. Query is "any". That's default indeed, so it doesn't need to be in named.conf.
 