I set up our custom DNS server in AWS, and it looks like doing an nslookup of a DNS name works fine in the forward direction, but if I do an nslookup in reverse, using its IP, it gives me the error below:
** server can't find x.x.x.x.in-addr.arpa: NXDOMAIN
I can nslookup any other public DNS name and IP back and forth, but can't nslookup an IP for some reason.
FYI, I used an internal IP to set this up.
Could you please give me any suggestions to resolve this?
Thanks,
The /etc/hosts file on my development server has an entry 10.xx.xx.162 server-dev.xxx-intra.net. Pinging server-dev.xxx-intra.net is successful. But when I try to access https://server-dev.xxx-intra.net from the browser, it throws "server-dev.xxx-intra.net's server IP address could not be found". I understand that it is not able to resolve that name to an IP, but shouldn't the /etc/hosts entry have taken care of this? Please let me know if I am missing something.
I've got a cheap OpenVZ Ubuntu VPS and I'm trying to run my own DNS server on it for learning purposes.
The DNS server works fine on localhost (on the VPS through SSH): I can query it using dig google.com @127.0.0.1 and I get the expected result (which is not the IP of google.com but a custom one).
When I try to query the DNS server from outside the VPS, using the same command, I do get a reply, but the IP is not what I expect (it's an actual google.com IP).
After further investigation I found out my DNS server is not receiving/sending packets when the query is done from outside the VPS. So the answer is sent by something else; it seems like inbound packets with destination port 53 are diverted and do not even reach my DNS server.
I tried to query my DNS server, still from outside, but this time while the VPS was SHUT DOWN. Magically I got a reply from god knows who.
Changing the port from 53 to 54, everything works perfectly.
The problem is I need it to use port 53.
I don't have iptables rules nor any other firewall doing anything related to port 53.
I also tried to query some other random VPSes, from different hosting providers; it seems like everyone has a DNS server running! Why does everyone reply?
Of course I asked technical support; this is what they said:
Hello,
Sorry but we don't do "software" technical support on VPS.
We deliver the hosting and the operating systems, customers that order VPS are their own admins, and have to know how to manage a linux server.
We don't block any port on our side.
Best regards,
Support
Maybe your DNS server is bound to the loopback interface only (so it's only listening on localhost). You can check the service ports currently in use (UDP for DNS) using netstat and filter (grep) for the UDP port:
netstat -an | grep ":53"
You can also test the same DNS query using the nslookup command and check, in the result output, the IP of the DNS server that answered your query:
nslookup google.com [dns_server_ip]
Also test it without dns_server_ip to check whether there is a default nameserver answering when the specified nameserver is not responding.
Problem solved: it's my ISP intercepting and replying to DNS queries.
I can do dig google.com @1.2.3.4 and I get a reply :D
For anyone who wants to know more about this:
ISP Intercepting DNS Lookups
I pointed my domain name that I registered through Route 53 here; the Route 53 test tool returned the following:
DNS request sent to Route 53: arcadeidea.com. IN A
EDNS0 client subnet IP: 24
DNS response code: NOERROR
Protocol: UDP
Response returned by Route 53: 34.214.33.108
And when I try going to the elastic IP (34.214.33.108) I get the hello world html page served by a sample
arcadeidea.com’s server DNS address could not be found.
DNS_PROBE_FINISHED_NXDOMAIN
I think it may be a problem with port forwarding, as I'm forwarding 80 to 8080, which is what the sample Node app was set up with as a default. Not sure how to debug that though... Any thoughts?
This DNS server is not answering for this domain. Check that you have inserted the correct AWS DNS hosts on your domain registrar.
% nslookup
> server NS-1316.AWSDNS-36.ORG
Default server: NS-1316.AWSDNS-36.ORG
Address: 205.251.197.36#53
> arcadeidea.com
Server: NS-1316.AWSDNS-36.ORG
Address: 205.251.197.36#53
** server can't find arcadeidea.com: REFUSED
So what worked for me was resetting my wireless router...my other computer that was directly plugged into the modem was able to load the site after associating the IP with the domain, but not the computer that was wired to my router. I was able to verify this when I used my phone to check the site, while connected to my wireless router's network...Network admins, I understand a little more of your pain now.
I have configured a set of DNS records at a new DNS provider. The configuration is complex, with load balancing, SSL, etc., so there are things that could go wrong.
I want to test this configuration before changing the namespace records at the registrar.
Is there any way to locally provide my machine with the new nameserver for the domain?
Are there any tools that might help with this?
Please note: I don't want to just update the A records (e.g. in /etc/hosts); I want to specifically check that the nameserver is returning the A and CNAME records.
If you're on a *nix system, you should be able to use either nslookup or dig. With both of those commands you can specify which server you would like to query. Simply use your new nameserver as the server. With dig, the query would look something like
dig @<your-nameserver> <hostname-to-look-up>
So, if you wanted to query Google's public DNS server and ask it about the address www.google.com, you'd use
dig @8.8.8.8 www.google.com
which, amongst other things, would tell you that www.google.com is an alias for www.l.google.com, and then would give you a bunch of IP addresses (A records) for that name.
For both Windows and my remote Linux (CentOS) servers I use the nslookup tool, which works on both platforms:
nslookup new-sub.domain.com 8.8.8.8
// and for more details:
nslookup -debug new-sub.domain.com 8.8.8.8
I installed Virtualmin GPL on CentOS 6.2. The hostname of the machine is srv01.[mydomain.tld] (where [mydomain.tld] is an actual registered domain). On the server I have only 1 IP, so I assigned it to both ns1.[mydomain.tld] and ns2.[mydomain.tld]. After this I updated the nameserver details for my domain at the domain registrar and pointed both ns1 and ns2 to the IP of the server.
The first issue I hit was a BIND-chroot issue; after searching on the net, I removed BIND from the chroot and BIND started. At this stage I was sure that everything would work normally, so I created a virtual server for [mydomain.tld]. At this point, I was sure that I could now access my site using the domain name.
So I opened network-tools.com and tried to perform a tracert for [mydomain.tld], but it failed to resolve the domain name; following are the details from the page:
Retrieving DNS records for [mydomain.tld]...
DNS servers
ns1.[mydomain.tld] [1.2.3.4]
Query for DNS records for [mydomain.tld] failed: Timed out
Whois query for [mydomain.tld]...
I tried to ping srv01.[mydomain.tld] and it failed. Then I tried to ping ns1.[mydomain.tld] and it worked. My first guess was that maybe the NS on my server isn't working, so I SSHed in and performed nslookup google.com:
$ nslookup google.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: google.com
Address: 173.194.33.39
I think that the NS is working properly on my server. After this, I performed:
$ nslookup [mydomain.tld]
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: [mydomain.tld]
Address: IP
It looks like the server is resolving the name properly locally, but it is not working on the Internet. I also checked all the zone records for [mydomain.tld]; it contains the following records:
[mydomain.tld]. -- NS -- ns1.[mydomain.tld].
[mydomain.tld]. -- NS -- ns2.[mydomain.tld].
[mydomain.tld]. -- A -- IP
www.[mydomain.tld]. -- A -- IP
ns1.[mydomain.tld]. -- A -- IP
ns2.[mydomain.tld]. -- A -- IP
plus A records for subdomains ftp.[mydomain.tld], m.[mydomain.tld], localhost.[mydomain.tld], webmail.[mydomain.tld], admin.[mydomain.tld] and mail.[mydomain.tld] pointing to the server’s IP, plus MX and SPF records.
To troubleshoot it from the beginning to the end, do the following:
Find the addresses of your TLD nameservers: dig TLD NS
Find how your domain's authoritative nameservers are configured in the TLD: dig @[one-of-tld-nameservers] [mydomain.tld] NS. You expect to get your authoritative servers, ns1.[mydomain.tld] and ns2.[mydomain.tld], and their IP addresses (which both point to your single IP). If this is NOT what you get, your problem is that you did not register your authoritative servers with your registrar.
Query your server: dig @[your IP] www.[mydomain.tld]. If your request times out, port 53 on your server is unreachable for some reason. Since it IS reachable locally, it could be a firewall or NAT issue.
Now to various specifics of your question:
I tried to ping srv01.[mydomain.tld] and failed...
In the zone records in your post I don't see a record for srv01. Ping will not be able to resolve srv01 without an appropriate DNS record.
Timed out Whois query for [mydomain.tld]...
Whois has nothing to do with DNS resolution; I presume it's DNS and not Whois. It seems that the nameserver defined as authoritative for mydomain.tld is not accessible.
I tried to ping ns1.[mydomain.tld] and voilà, it worked
I'm not sure, but possibly your DNS resolver knows the address of ns1.[mydomain.tld] from the TLD nameservers, and NOT from the authoritative nameserver (also I'm not sure whether that's correct behavior or not).
Conclusion: my best guess is that port 53 of your server is not accessible from the internet.
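As an added example (my own code, not from any answer on this page), here is a minimal raw-UDP DNS client in Python that does what the dig @server and nslookup name server commands in the answers above do, so you can send one query straight to a chosen nameserver (the loopback/ISP-interception answer, the "test the new nameserver's A and CNAME records before switching" answer, and the three dig steps just above) and see the rcode, the records and which address actually replied; ptr_name builds the in-addr.arpa name behind the reverse-lookup NXDOMAIN in the first question. All function names are mine, and example.com and 192.0.2.x in the checks are constructed sample values.

```python
import random, socket, struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
def ptr_name(ip):  # reverse-lookup name: 10.0.0.5 -> 5.0.0.10.in-addr.arpa.
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
def build_query(name, qtype, txid):  # header (RD set, one question) + QNAME + QTYPE, class IN
    hdr = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return hdr + qname + b"\x00" + struct.pack(">HH", QTYPES[qtype], 1)
def read_name(msg, off):  # decode a possibly compressed name -> (name, offset after it)
    labels, end = [], None
    for _ in range(256):  # bounded so a pointer loop in a hostile reply cannot hang us
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, resume after the first one
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0: break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)
def parse_response(msg):  # -> id, rcode and every RR as (name, type, value)
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, records = 12, []
    for _ in range(qd):  # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        value = (".".join(map(str, msg[off:off + rdlen])) if rtype == 1 else  # A: dotted quad
                 read_name(msg, off)[0] if rtype in (2, 5, 12) else msg[off:off + rdlen].hex())
        records.append((name, rtype, value))
        off += rdlen
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "records": records}
def query(server, name, qtype="A", port=53, timeout=3.0):  # one UDP query straight to `server`
    txid = random.randrange(1, 65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, port))
        try:
            data, (addr, _) = s.recvfrom(4096)
        except socket.timeout:  # port 53 unreachable: firewall/NAT, or nothing listening there
            return {"rcode": "TIMEOUT", "records": [], "answered_by": None}
    resp = parse_response(data)
    resp.update(answered_by=addr, id_matches=resp["id"] == txid)  # who actually replied
    return resp
```

Against your own server, query("203.0.113.53", "www.mydomain.tld") (placeholder IP) returning "TIMEOUT" is the step-3 case above, an rcode of "REFUSED" is the Route 53 case earlier on the page, and a reply from an address where nothing listens, as in the dig @1.2.3.4 test, shows something on the path is answering for it.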