I have two mirrored forwarding DNS servers (for simplicity, named f1 and f2) which forward some domain requests to my authoritative DNS servers (named a1 and a2). I added a new domain to my authoritative DNS servers, but when I nslookup the new domain from f1 or f2, I get a Non-existent domain error like the following. If I nslookup from a1 or a2, it works.
C:\Users\Liu.D.H>nslookup www.yqsbfiles.ynu.edu.cn
Server: ynu-public-dns-a.ynu.edu.cn
Address: 113.55.13.51
*** ynu-public-dns-a.ynu.edu.cn can't find www.yqsbfiles.ynu.edu.cn: Non-existent domain
C:\Users\Liu.D.H>
I also used dig to get more debug info.
C:\Users\Liu.D.H>dig www.yqsbfiles.ynu.edu.cn @113.55.13.52
; <<>> DiG 9.10.6 <<>> www.yqsbfiles.ynu.edu.cn @113.55.13.52
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 28130
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yqsbfiles.ynu.edu.cn. IN A
;; AUTHORITY SECTION:
ynu.edu.cn. 9936 IN SOA pridns.ynu.edu.cn. root.pridns.ynu.edu.cn. 2016062301 10800 3600 604800 86400
;; Query time: 0 msec
;; SERVER: 113.55.13.52#53(113.55.13.52)
;; WHEN: Fri Jun 08 10:44:35 China Standard Time 2018
;; MSG SIZE rcvd: 101
C:\Users\Liu.D.H>
But the strange thing was that if I ran rndc flush on one of f1 or f2, then I could query it successfully.
C:\Users\Liu.D.H>dig www.yqsbfiles.ynu.edu.cn @113.55.13.51
; <<>> DiG 9.10.6 <<>> www.yqsbfiles.ynu.edu.cn @113.55.13.51
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4168
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yqsbfiles.ynu.edu.cn. IN A
;; ANSWER SECTION:
www.yqsbfiles.ynu.edu.cn. 86400 IN CNAME lb-http.ynu.edu.cn.
lb-http.ynu.edu.cn. 86393 IN A 202.203.208.41
;; AUTHORITY SECTION:
ynu.edu.cn. 86391 IN NS secdns.ynu.edu.cn.
ynu.edu.cn. 86391 IN NS pridns.ynu.edu.cn.
;; ADDITIONAL SECTION:
pridns.ynu.edu.cn. 86396 IN A 202.203.208.33
pridns.ynu.edu.cn. 86396 IN AAAA 2001:250:2800:2::33
secdns.ynu.edu.cn. 86391 IN A 202.203.208.34
secdns.ynu.edu.cn. 86391 IN AAAA 2001:250:2800:2::34
;; Query time: 2 msec
;; SERVER: 113.55.13.51#53(113.55.13.51)
;; WHEN: Fri Jun 08 10:43:02 China Standard Time 2018
;; MSG SIZE rcvd: 221
C:\Users\Liu.D.H>
I noticed that these two dig outputs differ in the AUTHORITY SECTION.
Any help would be appreciated. Thanks in advance.
You need to register the Authoritative Domain name server with the domain registrar for your new domain pointing to a1 and a2. After that it will work fine.
Related
I'm trying to parse a DIG request and I'm not quite sure what all the sections mean. My guess is that 151.101.53.164 is the authoritative name server's IP.
User-Desktop:Desktop user$ dig www.nytimes.com
; <<>> DiG 9.8.3-P1 <<>> www.nytimes.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1148
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 4
;; QUESTION SECTION:
;www.nytimes.com. IN A
;; ANSWER SECTION:
www.nytimes.com. 63 IN CNAME nytimes.map.fastly.net.
nytimes.map.fastly.net. 24 IN A 151.101.53.164
;; AUTHORITY SECTION:
fastly.net. 2204 IN NS ns3.fastly.net.
fastly.net. 2204 IN NS ns1.fastly.net.
fastly.net. 2204 IN NS ns2.fastly.net.
fastly.net. 2204 IN NS ns4.fastly.net.
;; ADDITIONAL SECTION:
ns1.fastly.net. 2344 IN A 23.235.32.32
ns2.fastly.net. 2344 IN A 104.156.80.32
ns3.fastly.net. 171545 IN A 23.235.36.32
ns4.fastly.net. 2345 IN A 104.156.84.32
;; Query time: 48 msec
;; SERVER: 131.252.120.128#53(131.252.120.128)
;; WHEN: Tue May 9 12:41:15 2017
;; MSG SIZE rcvd: 221
I want to point my subdomain (w.example.com) to (ns1.w.example.com)
NS w.example.com directs to ns1.w.example.com.
A ns1.w.example.com directs to 192.0.2.139
>> dig w.example.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> w.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20571
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;w.example.com. IN A
;; Query time: 195 msec
;; SERVER: 67.207.67.3#53(67.207.67.3)
;; WHEN: Thu Feb 14 12:10:13 UTC 2019
;; MSG SIZE rcvd: 43
Why is it breaking DNS resolution? Please let me know the proper way to point my subdomain (w.example.com) to (ns1.w.example.com).
And what is the proper way to do this?
In the zone of domain.com you need the delegation AND a glue record: respectively, the second-to-last and last records here:
$ORIGIN example.com.
@ NS auth.dns.example
@ NS auth.dns.example
@ NS auth.dns.example
...
w NS ns1.w
ns1.w A 192.0.2.139
The glue record is "out-of-zone" data, needed to pre-indicate the address of that nameserver - as without that info a resolver can't guess it.
At the zone of w.example.com you need to have
$ORIGIN w.example.com.
@ NS ns1
ns1 A 192.0.2.139
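A check for the parent-zone requirement described in the answer above, as an added example that is not part of the original answer: it reports every delegated subzone whose nameserver lives inside that subzone but has no address (glue) record in the parent. The function names and the two sample zones are constructed for illustration, and the parser handles only the `$ORIGIN` / `owner TYPE rdata` subset shown on this page.

```python
def fqdn(name, origin):
    """Expand a zone-file name: '@' is the origin, no trailing dot means relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Parse '$ORIGIN' plus 'owner TYPE rdata' lines (no TTL or class fields)."""
    origin, records = None, []
    for line in text.splitlines():
        fields = line.split(";")[0].split()   # drop zone-file comments
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1].lower()
        else:
            owner, rtype, rdata = fields[:3]
            if rtype in ("NS", "CNAME"):
                rdata = fqdn(rdata.lower(), origin)
            records.append((fqdn(owner.lower(), origin), rtype, rdata))
    return origin, records

def missing_glue(text):
    """Return (subzone, nameserver) pairs that need glue in the parent but have none."""
    origin, records = parse_zone(text)
    have_addr = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    missing = []
    for owner, rtype, target in records:
        delegated = rtype == "NS" and owner != origin       # NS below the apex
        in_bailiwick = target == owner or target.endswith("." + owner)
        if delegated and in_bailiwick and target not in have_addr:
            missing.append((owner, target))
    return missing

# Constructed sample zones modelled on the records in the answer above.
PARENT_OK = """\
$ORIGIN example.com.
@     NS auth.dns.example.
w     NS ns1.w
ns1.w A  192.0.2.139
"""
PARENT_NO_GLUE = PARENT_OK.replace("ns1.w A  192.0.2.139\n", "")
```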
After upgrading from bind 9.11 to 9.12, Windows (but not Linux) clients on the network started barfing "server not found" error messages for some sites. After a thorough investigation, the problem seems to be that bind 9.12 doesn't send additional data in DNS replies for out-of-zone CNAMEs and Windows just doesn't do the recursion.
reply from 9.12:
; <<>> DiG 9.12.0 <<>> imap.asterix.cz @europa.podgorny.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23207
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d5fa7daebf3a1ffe1805060a5a9d352ffebb15250033a69e (good)
;; QUESTION SECTION:
;imap.asterix.cz. IN A
;; ANSWER SECTION:
imap.asterix.cz. 2463 IN CNAME admiral.podgorny.cz.
;; Query time: 2 msec
;; SERVER: 2002:2e24:2741:9900::1#53(2002:2e24:2741:9900::1)
;; WHEN: Mon Mar 05 13:16:47 CET 2018
;; MSG SIZE rcvd: 105
reply from 9.11:
; <<>> DiG 9.12.0 <<>> imap.asterix.cz @taurus.asterix.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50822
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 618a6ee9520f91081b7089bf5a9d356ab7eca595939a467c (good)
;; QUESTION SECTION:
;imap.asterix.cz. IN A
;; ANSWER SECTION:
imap.asterix.cz. 3600 IN CNAME admiral.podgorny.cz.
admiral.podgorny.cz. 3235 IN A 46.36.39.65
;; AUTHORITY SECTION:
podgorny.cz. 1256 IN NS ns3.podgorny.cz.
podgorny.cz. 1256 IN NS ns2.podgorny.cz.
podgorny.cz. 1256 IN NS ns1.podgorny.cz.
;; Query time: 52 msec
;; SERVER: 2002:2e24:2741:8800::1#53(2002:2e24:2741:8800::1)
;; WHEN: Mon Mar 05 13:17:46 CET 2018
;; MSG SIZE rcvd: 173
So, it seems like there are more questions to ask:
How do I make bind 9.12 return full replies? (it seems they removed the additional-from-cache and additional-from-auth configuration settings)
How do I make Windows resolver do the recursion?
What is the "correct" way of solving this? is it Windows' fault? or is bind's default setting bad? is there a rfc for this?
This is a bug in 9.12.0 that is now fixed in 9.12.1.
https://kb.isc.org/article/AA-01598/0/BIND-9.12.1-Release-Notes.html
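Added example, not part of any post on this page: a small parser for dig's text output that splits a reply into the header fields and the ANSWER/AUTHORITY/ADDITIONAL sections asked about in the www.nytimes.com question, then follows the CNAME chain to tell a complete reply from the one BIND 9.12.0 returned above. The two sample replies are abridged from the imap.asterix.cz output quoted above; the function names are my own.

```python
import re
# Abridged from the two dig replies for imap.asterix.cz quoted on this page.
REPLY_912 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23207
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;imap.asterix.cz. IN A
;; ANSWER SECTION:
imap.asterix.cz. 2463 IN CNAME admiral.podgorny.cz.
"""
REPLY_911 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50822
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; QUESTION SECTION:
;imap.asterix.cz. IN A
;; ANSWER SECTION:
imap.asterix.cz. 3600 IN CNAME admiral.podgorny.cz.
admiral.podgorny.cz. 3235 IN A 46.36.39.65
;; AUTHORITY SECTION:
podgorny.cz. 1256 IN NS ns1.podgorny.cz.
"""

def parse_dig(text):
    """Return status, flags, question name and the records of each section."""
    out = {"status": None, "flags": [], "qname": None, "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for line in map(str.strip, text.splitlines()):
        if m := re.search(r"status: (\w+)", line):
            out["status"] = m.group(1)
        elif m := re.match(r";; flags: ([a-z ]+);", line):
            out["flags"] = m.group(1).split()       # 'aa' = authoritative answer
        elif m := re.match(r";; (\w+) SECTION:", line):
            section = m.group(1)
        elif section == "QUESTION" and (m := re.match(r";([^;\s]\S*)\s", line)):
            out["qname"] = m.group(1).lower()
        elif section in out and line and not line.startswith(";"):
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            out[section].append((name.lower(), int(ttl), rtype, rdata))
    return out

def resolve_chain(reply):
    """Follow CNAMEs in the ANSWER section; return (final name, its addresses)."""
    cname = {r[0]: r[3].lower() for r in reply["ANSWER"] if r[2] == "CNAME"}
    name, seen = reply["qname"], set()
    while name in cname and name not in seen:       # 'seen' guards against loops
        seen.add(name)
        name = cname[name]
    addrs = [r[3] for r in reply["ANSWER"] if r[0] == name and r[2] in ("A", "AAAA")]
    return name, addrs
```

An empty address list with a final name different from the question name means the client must issue a second query for the CNAME target itself.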
I have the domain icebuddha.com that I am trying to associate with a static Github Page (https://github.com/0xdabbad00/icebuddha). When I ping or dig this address I get no IP see here. I've configured this domain in Route53 as follows:
Name servers match NS record. I don't know what the SOA record is.
Other name server view:
dig records (normal, notice it has no A records):
$ dig icebuddha.com
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> icebuddha.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50957
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;icebuddha.com. IN A
;; Query time: 273 msec
;; SERVER: 192.168.106.2#53(192.168.106.2)
;; WHEN: Sat Jun 18 13:11:26 2016
;; MSG SIZE rcvd: 31
dig records when I specify the name server to use (notice it does have A records, which is good):
$ dig icebuddha.com @ns-10.awsdns-01.com
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> icebuddha.com @ns-10.awsdns-01.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18793
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;icebuddha.com. IN A
;; ANSWER SECTION:
icebuddha.com. 300 IN A 192.30.252.154
icebuddha.com. 300 IN A 192.30.252.153
;; AUTHORITY SECTION:
icebuddha.com. 172800 IN NS ns-10.awsdns-01.com.
icebuddha.com. 172800 IN NS ns-1447.awsdns-52.org.
icebuddha.com. 172800 IN NS ns-1607.awsdns-08.co.uk.
icebuddha.com. 172800 IN NS ns-737.awsdns-28.net.
;; Query time: 69 msec
;; SERVER: 205.251.192.10#53(205.251.192.10)
;; WHEN: Sat Jun 18 13:11:43 2016
;; MSG SIZE rcvd: 199
The solution was to ensure all three mentions of Name Servers and NS records are the same. By using that last image as the authoritative answer, and setting the middle image to those values, this worked.
Background: I've set up a site on Squarespace, got a domain on domain.com, and used domain.com's DNS manager to create a CNAME for Squarespace (like they recommend).
I changed the nameservers yesterday to slicehost (a failed experiment) and back to domain.com's tonight. Now when I run a dig, I get the following:
; <<>> DiG 9.6.0-APPLE-P2 <<>> veganhopeworkshop.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54930
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;veganhopeworkshop.com. IN A
;; Query time: 300 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Jun 15 23:23:02 2010
;; MSG SIZE rcvd: 39
Does the "status: SERVFAIL" indicate anything wrong about my configuration?
At the time of writing (09:30 GMT on 16th June) none of the three name servers at domain.com (ns1, ns2 and ns3.domain.com) are correctly serving your zone.
% dig +norec @ns3.domain.com. veganhopeworkshop.com ns
; <<>> DiG 9.6.0-APPLE-P2 <<>> +norec @ns3.domain.com. veganhopeworkshop.com ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52861
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
;; QUESTION SECTION:
;veganhopeworkshop.com. IN NS
...
So, in the first instance, you need to talk to them to find out why not.