Debian DNS Jessie - Subdomain to secondary server - linux

Ok, so here I have one box:
Windows host (Debian Linux 8 VM - Oracle) - set up. A live working machine: DNS, Apache, PHP... etc.
IP is **A.A.A.A**
Second machine, fresh install, second VM, PHP and Apache all running. DNS is not.
IP is **A.A.A.B**
The external IPv4 (ISP router).
IP is **X.X.X.X**
So the goal is simple:
On thisdomain.com it has a local IP of **A.A.A.A**
but on the second server it has the IP **A.A.A.B**
IP A.A.A.A serves the domain and the website for www.thisdomain.com and thisdomain.com.
I wish to have ls.thisdomain.com serve IP **A.A.A.B**
The DNS records are like so:
$TTL 38400
thisdomain.com. IN SOA ls.thisdomain.com. webmaster.thisdomain.com. (
5 ; Serial
1d ; Refresh
60m ; Retry
7d ; Expire
6h ) ; Negative Cache TTL
; ### this is the forward zone of IP 2 A.A.A.B (ls.thisdomain.com)
thisdomain.com. IN A X.X.X.X
thisdomain.com. IN NS ls.thisdomain.com.
ls.thisdomain.com. IN A X.X.X.X
ls.thisdomain.com. IN A A.A.A.B
;
www IN CNAME thisdomain.com.
;
On the main server that serves the domain, IP 2 = **A.A.A.A**:
$TTL 38400
thisdomain.com. IN SOA ns1.thisdomain.com. webmaster.thisdomain.com. (
5 ; Serial
1d ; Refresh
60m ; Retry
7d ; Expire
6h ) ; Negative Cache TTL
;
thisdomain.com. IN A X.X.X.X
ns1.thisdomain.com. IN A X.X.X.X
ns2.thisdomain.com. IN A X.X.X.X
ls.thisdomain.com. IN A X.X.X.X
thisdomain.com. IN NS ls.thisdomain.com.
ls.thisdomain.com. IN A A.A.A.B
thisdomain.com. IN NS ns1.thisdomain.com.
thisdomain.com. IN NS ns2.thisdomain.com.
;
www IN CNAME thisdomain.com.
;
And what's the issue? Well, it seems that even though I think they're good to go, the ls. subdomain still only shows the first server's Apache website (**A.A.A.A**) instead of the second server's Apache website (**A.A.A.B**).
What I want is for it to be like this:
ls.thisdomain.com hits public IP X.X.X.X, then searches NS1 on IP A.A.A.A, then sends the user to the webpage on server LS, which is A.A.A.B.
How would one achieve this so that it does happen?

Well, there are several apparent errors above. First, the whole idea of having two different zones for the same name is meaningless because it requires an unnecessary level of DNS recursion - you should serve a single consolidated DNS zone, and if you need two servers for redundancy, then make one of them master and the other one slave (a verbatim copy of the master).
Second, the second zone adds two additional NS records compared to the first zone, but all of those in turn point to the same IP address. This is also meaningless.
Third, the name ls.thisdomain.com is defined as a round-robin DNS entry, meaning 50% of the clients will resolve it to X.X.X.X, while another 50% will resolve it to A.A.A.B. Each of those clients will then cache that result for 38400 seconds and then repeat the query, after which point they again have a 50:50 chance of getting either result.
It's unclear from the question whether A.A.A.* is perhaps a private IP network. If the intent is to allow external users to access A.A.A.B which is in a private network, then DNS is simply not the solution. DNS is a Layer 7 protocol which doesn't care which kind of IPs its results will contain, but the external users can't route via Layer 3 to external private networks. HTTP traffic can only arrive at the public X.X.X.X IP, typically at port 80, and then the router can pass it on (NAT it) to an HTTP server. This HTTP server in turn can pass the results on to two separate virtual hosts or even two separate machines (proxying).

Related

DNS reduce A record lookup time before try to other A record

I am working on a backup server (failover) for my websites.
example.com is my domain, hosted on IP 1.1.1.1
A copy of example.com is hosted on IP 2.2.2.2
I want to use IP 2 as backup only when IP 1 is down,
so I set both IPs in my DNS A record.
As per the rule of DNS: if I set 2 IPs in an A record, then it will work like round robin.
First visitor redirected to IP 1.1.1.1
Second visitor redirected to IP 2.2.2.2
But I set "A record" priority in DNS, so it always redirects all users to IP 1.1.1.1, and no users are redirected to the IP 2 hosting.
Now, when IP 1.1.1.1 is down, then by its browser or DNS nature it will try the other A record if IP 2 is available. (It's working perfectly, and I want this.)
The problem is that
DNS keeps trying IP 1 for 30-60 seconds; after it fails, then DNS tries IP 2.
I want to reduce that DNS lookup time to 5 seconds. I have a CentOS VPS with WHM.
Round-robin DNS does not work like you appear to think it works.
Most DNS nameservers will indeed rotate a list of multiple A RRs for a given name with each response, but remember the requestor will be an intermediate recursive resolver, often shared by many end clients, and those intermediate resolvers will cache each record for a minimum of 300 seconds or the maximum of the TTL given in the record. The intermediate resolver may or may not rotate the A RRs in the responses it sends to its individual clients. However ultimately the choice of address to try first between multiple A RRs for the same name is up to the client and some clients work differently.
The timeout for trying another address when multiple A RRs are given is mandated by the client through its TCP connection attempt, not by anything supplied in a DNS response.
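The answer's point, that the wait before the second address is tried lives in the client's TCP connect attempt rather than in DNS, shown as an added example that is not code from the question or the answer: a small Python client walks every address a name resolves to with a bounded connect timeout per address. The 192.0.2.1 "dead primary" (TEST-NET-1, which never answers), the local stub listener standing in for the backup host, and all function names are assumptions of the example.

```python
"""Client-side fallback across a name's A records (an added example, not code
from the question or the answer). The answer above says the 30-60 second wait
the question sees is the client's TCP connect attempt timing out, not a DNS
setting, so the knob to turn is the per-address connect timeout in the
client. The 192.0.2.1 address (TEST-NET-1, never answers) standing in for the
dead primary, the local stub listener standing in for the backup, and all
function names are assumptions of this example."""
import socket
import threading
import time


def resolve_all(hostname, port):
    """Every IPv4 address the resolver returns for hostname, in resolver order.
    With two A records the client sees both; which it tries first and how long
    it waits are decided in the client, which is the answer's point."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    addrs = []
    for *_, sockaddr in infos:
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def connect_with_fallback(addresses, port, per_address_timeout):
    """Try each address in turn with a bounded connect timeout.
    Returns (address, attempts): the first address that accepted a TCP
    connection (None if all failed) and a log of (address, seconds, outcome)."""
    attempts = []
    for addr in addresses:
        started = time.monotonic()
        try:
            sock = socket.create_connection((addr, port), timeout=per_address_timeout)
        except OSError as exc:                       # timeout, refused, unreachable...
            attempts.append((addr, round(time.monotonic() - started, 2), type(exc).__name__))
            continue
        sock.close()
        attempts.append((addr, round(time.monotonic() - started, 2), "ok"))
        return addr, attempts
    return None, attempts


def start_stub_server():
    """Constructed stand-in for the healthy backup host: accept and close."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                       # ephemeral port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                          # server socket shut down
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo(timeout=2.0):
    """Dead primary first, healthy backup second, as in the question."""
    srv, port = start_stub_server()
    try:
        return connect_with_fallback(["192.0.2.1", "127.0.0.1"], port, timeout)
    finally:
        try:
            srv.shutdown(socket.SHUT_RDWR)           # wakes the accept() loop
        except OSError:
            pass
        srv.close()


if __name__ == "__main__":
    chosen, attempts = demo()
    for addr, seconds, outcome in attempts:
        print(f"{addr}: {outcome} after {seconds}s")
    print("connected to", chosen)
```

Run it and the attempt on 192.0.2.1 either times out after `timeout` seconds or fails at once with an unreachable error, depending on how the host routes TEST-NET-1; either way the connection lands on the stub within that bound. That bound, set in whatever client or health checker fronts the site, is the "5 seconds" the question is after; nothing in the A records or their TTL controls it.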

How to get the IP address of DNS Nameserver

When I do an nslookup on the net. zone, I get the following output:
nslookup -type=soa net 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
net
origin = a.gtld-servers.net
mail addr = nstld.verisign-grs.com
serial = 1542217316
refresh = 1800
retry = 900
expire = 604800
minimum = 86400
Authoritative answers can be found from:
This means that in order to get DNS records for the net. zone, one should query the DNS Server a.gtld-servers.net. However, the IP Address of a.gtld-servers.net is not given. This results in a catch-22, because in order to get the IP address of any subzone in the net. zone, one should query a.gtld-servers.net.
So my question is, how to get out of this catch-22? How can I get the IP address of a.gtld-servers.net without having to do another DNS request?
The root server addresses can be found in a file downloaded from IANA.
"This means that in order to get DNS records for the net. zone, one should query the DNS Server a.gtld-servers.net"
You could, and at least initially probably would, but the root servers don't move around frequently, so once you got the IP address for the .net server, for example, you would use the cached value.

DNS using BIND with Subdomains - Multiple Servers and Hosting Accounts

Hopefully someone can help clarify this.
I have a domain, i.e. example.com, registered with Go Daddy. I host the website with TSOHost, so in my domain configuration I have set the following NS records.
Nameserver 1: ns1.tsohost.co.uk
Nameserver 2: ns2.tsohost.co.uk
I am now able to serve the website both www and non www from this hosting package. I simply have an A record for example.com and a CNAME for www.example.com to point to example.com (this is being configured in the cpanel Advanced DNS Zone Editor). So now we have the website showing as expected and required.
I would also like to setup a kind of DDNS service using a different server entirely, (this will hold DNS records that I will create on the fly using a Radius database).
So I want to use the subdomain ddns.example.com for this DDNS service, i.e. bob.ddns.example.com for Bob (so that when I ping bob.ddns.example.com, I can alter the IP to 8.8.8. say). In cPanel I have an A record for ddns.example.com and an A record for *.ddns.example.com to point to my server that will manage this, for example 85.214.214.214.
I have installed BIND on the server (currently using a Digital Ocean server for this, to which I have added ddns.example.com as an A record to the droplet and *.ddns.example.com also). I have created a zone for ddns.example.com, and within this I have set the NS record as the Digital Ocean details.
I have then added the following to my file /var/named/ddns.example.com.hosts
$ttl 38400
ddns.example.com. IN SOA ns1.digitalocean.com. jon.example.com. ( ; RNAME: the '@' of the mailbox is written as '.'
1414575123
10800
3600
604800
38400 )
ddns.example.com. IN NS ns1.digitalocean.com.
bob.ddns.example.com. IN A 8.8.8.8
When I ping bob.ddns.example.com on the server with BIND installed I get 8.8.8.8, but when pinging from anywhere else I get the BIND server IP.
Can I ask if what I am doing is possible, i.e. going from GoDaddy to TSO to another server, and if so what NS records should I specify for BIND? Or is there something in the named config I need to change? I have set the following options in named.conf in an attempt to solve this issue.
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
allow-query { any; };
recursion yes;
I am aware that recursion may leave me open to DoS attacks and I intend to turn this to no eventually, but for the moment during testing I have left this at yes.
Any help or information would be greatly appreciated. I have been trying different variations of zone files etc. without success, though I am really unsure as to whether I am going in the right direction.
Hopefully I have made sense, but any further info I can provide, please let me know.
My first question would be - Are you sure you've updated the Registrar with this server as the DNS nameserver for this domain?
Use nslookup to find out:
# nslookup
> set querytype=NS
> server 4.2.2.1 (a DNS server on the Internet)
> ddns.example.com. (a closing dot helps avoid lookups using preferred search domains.)
and confirm that the Internet knows who to communicate with, and that your NS host is authoritative for the domain.
Next would be - Do you have any other nameservers up to "answer" for that subdomain, causing other problems?
BTW - glad to hear you fixed this issue!

Issues with DNS lookup on BIND wildcard subdomain

There are tutorials galore out there, but I'm having a hard time getting BIND to provide local network DNS lookup.
Aims:
Requests can be made from anywhere on the local network. (I haven't included any listen-on statements, so this should be covered - I think!)
*.demo requests should go to 192.168.0.64
Anything else should be forwarded to Google's 8.8.8.8 and 8.8.4.4
Here's my config:
# /etc/named.conf
options {
directory "/var/named";
# Hide version string for security
version "not currently available";
# Forward all unknown DNS queries to the Google Public DNS. (Does it?)
forwarders { 8.8.8.8; 8.8.4.4; };
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
zone "demo." IN {
type master;
file "zone.demo";
};
And the zone file:
; /var/named/zone.demo
$ORIGIN demo.
$TTL 1D
@ IN SOA demo. hostmaster (
201312041 ; serial
8H ; refresh
4H ; retry
4W ; expire
1D ) ; minimum
*. IN A 192.168.0.64
I then run named-checkconf (no output) and named -f (which blocks - all looks well!)
To check that the server is doing what I expect, I run dig:
$ dig @127.0.0.1 A test.demo
; <<>> DiG 9.8.3-P1 <<>> @127.0.0.1 test.demo
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
Any ideas as to what I'm doing wrong here?
First thing you'll need is an NS record:
@ IN NS ns.demo.
This needs an associated A record as it is essentially a CNAME which in this case would be in your zone. So you'll need:
ns.demo. IN A <Your DNS server IP here>
Then, as your wildcard has a dot at the end you are specifying one 'level' of DNS record (e.g. com, net, or demo) and not including your zone's origin. You need to either ditch the dot:
* IN A 192.168.0.64
or do:
*.demo. IN A 192.168.0.64
This is because the final dot in a bind zone file denotes the end of the field. If you don't put the dot on the end of the field then bind will add the origin. This does not apply to IP addresses.
As for the forwarding, that should work, but you'll probably want to have multiple nameservers set up on your clients, in case this one is down for any reason, etc. In this case you won't need the forwarding.
If you want to secure the server to only respond to clients on the local network you can use the allow-query statement to limit it to certain IP ranges. But if your server is not accessible on the internet you should be fine. One thing to check is that the server isn't listening on the loopback interface, meaning that you will only be able to reach it from the machine named is running on and not other machines on your network.
Hope this helps. Let me know if anything isn't clear.
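A lint for the zone-file mistakes raised in this answer and in the first thread on this page, as an added example that is not code from any of the posts: it parses the small BIND master-file subset these zones use and reports the missing apex NS record and the "*." wildcard that escapes the origin (this thread's demo. zone), an in-zone NS target that has no A record, and a name with two different A records (the first answer's point that ls.thisdomain.com becomes a 50:50 round-robin). The sample zones, the 192.168.0.2 address for ns.demo., and all function names are constructed for the example.

```python
"""Zone-file lint for the mistakes discussed in the threads above (an added
example, not code from any of the posts). It parses the small BIND master-file
subset these zones use ($ORIGIN, $TTL, "@", a parenthesised SOA, relative vs.
absolute names, a blank owner meaning "same as the previous record") and
reports the missing apex NS and the "*." wildcard outside the origin (the demo.
zone), an in-zone NS target with no A record, and a name with two different A
records, which the first answer notes makes ls.thisdomain.com a 50:50
round-robin. The sample zones are constructed from the posts."""
import re


def parse_zone(text, origin):
    """Return (origin, [(owner, rtype, rdata)]) with every owner absolute."""
    origin = origin if origin.endswith(".") else origin + "."
    logical, buf = [], ""
    for ln in text.splitlines():
        ln = re.sub(r";.*", "", ln)                 # strip ';' comments
        buf = buf + " " + ln if buf else ln         # glue "( ... )" records
        if buf.count("(") > buf.count(")"):
            continue
        logical.append(buf)
        buf = ""
    records, prev_owner = [], origin
    for ln in logical:
        if not ln.strip():
            continue
        if ln.startswith("$ORIGIN"):
            origin = ln.split()[1]
        if ln.startswith("$"):                      # $TTL plays no part below
            continue
        toks = ln.replace("(", " ").replace(")", " ").split()
        # Leading whitespace means "same owner as the previous record".
        owner = prev_owner if ln[0].isspace() else toks.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):               # relative: append origin
            owner = owner + "." + origin
        if toks and re.fullmatch(r"\d+[smhdwSMHDW]?", toks[0]):
            toks.pop(0)                             # optional per-record TTL
        if toks and toks[0].upper() == "IN":
            toks.pop(0)
        if toks:
            records.append((owner, toks[0].upper(), toks[1:]))
            prev_owner = owner
    return origin, records


def lint_zone(text, origin):
    """Return a list of human-readable problems; an empty list means clean."""
    origin, records = parse_zone(text, origin)
    a_records = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            a_records.setdefault(owner, []).append(rdata[0])
    problems = []
    if not any(o == origin and t == "NS" for o, t, _ in records):
        problems.append(f"no NS record at the zone apex {origin}")
    for owner, rtype, rdata in records:
        if rtype == "NS":
            ns = rdata[0] if rdata[0].endswith(".") else rdata[0] + "." + origin
            if (ns == origin or ns.endswith("." + origin)) and ns not in a_records:
                problems.append(f"NS target {ns} has no A record in the zone")
        if owner.startswith("*") and not owner.endswith("." + origin):
            problems.append(f"wildcard {owner} lies outside the origin {origin}")
    for owner, addrs in a_records.items():
        if len(set(addrs)) > 1:
            problems.append(f"{owner} has A records {addrs}: round-robin, not failover")
    return problems


# The demo. zone as posted (with the '@' the page extraction had turned into '#').
DEMO_ZONE = """\
$ORIGIN demo.
$TTL 1D
@ IN SOA demo. hostmaster (
        201312041 ; serial
        8H 4H 4W 1D )
*. IN A 192.168.0.64
"""

# The same zone with the answer's fixes applied; 192.168.0.2 is a constructed address.
FIXED_DEMO_ZONE = """\
$ORIGIN demo.
$TTL 1D
@ IN SOA demo. hostmaster ( 201312041 8H 4H 4W 1D )
@ IN NS ns.demo.
ns IN A 192.168.0.2
* IN A 192.168.0.64
"""

# The first thread's ls record: two A records for one name (placeholders kept).
LS_ZONE = """\
$TTL 38400
@ IN SOA ns1.thisdomain.com. webmaster.thisdomain.com. ( 5 1d 60m 7d 6h )
@ IN NS ns1.thisdomain.com.
ns1 IN A X.X.X.X
ls IN A X.X.X.X
ls IN A A.A.A.B
"""


def demo():
    """Run the three constructed zones through the lint."""
    return {"demo. as posted": lint_zone(DEMO_ZONE, "demo"),
            "demo. with the fixes": lint_zone(FIXED_DEMO_ZONE, "demo"),
            "thisdomain.com": lint_zone(LS_ZONE, "thisdomain.com")}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name + ":", "clean" if not problems else "")
        for p in problems:
            print("  -", p)
```

The parser is deliberately narrow (no $INCLUDE, no $GENERATE, no class other than IN), which is enough for zones like the ones on this page; for anything real, run named-checkzone as well, since it catches syntax the lint ignores. The round-robin check is the one to keep in mind from the first thread: two A records for ls.thisdomain.com do not mean "prefer one, fall back to the other", they mean half of the resolvers get each.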

Redirect domain names from linux dns server

So, the IT department decided to change a bunch of domain names and it broke a bunch of stuff in my lab network. I have a SUSE Linux DNS server (which I didn't set up and don't know much about). I was wondering if there was a way I could make it manually resolve IP addresses for the old domain names.
Simply modifying the software in my lab to point to the new domain names won't work (because there are other labs at other sites that will still be using the old domain names).
Here are some relevant quotes from this tutorial:
Examples Corporation has been assigned the network 192.0.2.0/24 and internally we are using 10.0.0.0/24.
Let's start serving the external names and IPs. We edit /etc/bind/named.conf.local and add:
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
};
and then we create /etc/bind/db.example.com with the following contents:
; example.com
$TTL 604800
@ IN SOA ns1.example.com. root.example.com. (
2006020201 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1
IN MX 10 mail
IN A 192.0.2.1
ns1 IN A 192.0.2.1
mail IN A 192.0.2.128 ; We have our mail server somewhere else.
www IN A 192.0.2.1
client1 IN A 192.0.2.201 ; We connect to client1 very often.
So what you want to do is replace "example.com" with whatever domain your programs access, replace "192.0.2.whatever" with your destination IP, and remove the "ns1", "mail", "www", "client1" lines and replace them with
*.yourdomain.com. IN A your.ip.address.255
