There are tutorials galore out there, but I'm having a hard time getting BIND to provide local network DNS lookup.
Aims:
Requests can be made from anywhere on the local network. (I haven't included any listen on statements, so this should be covered - I think!)
*.demo requests should go to 192.168.0.64
Anything else should be forwarded to google's 8.8.8.8 and 8.8.4.4
Here's my config:
# /etc/named.conf
options {
directory "/var/named";
# Hide version string for security
version "not currently available";
# Forward all unknown DNS queries to the Google Public DNS. (Does it?)
forwarders { 8.8.8.8; 8.8.4.4; };
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
zone "demo." IN {
type master;
file "zone.demo";
};
And the zone file:
; /var/named/zone.demo
$ORIGIN demo.
$TTL 1D
@ IN SOA demo. hostmaster (
        201312041 ; serial
        8H ; refresh
        4H ; retry
        4W ; expire
        1D ) ; minimum
*. IN A 192.168.0.64
I then run named-checkconf (no output) and named -f (which blocks - all looks well!)
To check that the server is doing what I expect, I run dig:
$ dig @127.0.0.1 A test.demo
; <<>> DiG 9.8.3-P1 <<>> @127.0.0.1 test.demo
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
Any ideas as to what I'm doing wrong here?
First thing you'll need is an NS record:
@ IN NS ns.demo.
This needs an associated A record as it is essentially a CNAME which in this case would be in your zone. So you'll need:
ns.demo. IN A <Your DNS server IP here>
Then, as your wildcard has a dot at the end, you are specifying one 'level' of DNS record (e.g. com, net, or demo) and not including your zone's origin. You need to either ditch the dot:
* IN A 192.168.0.64
or do:
*.demo. IN A 192.168.0.64
This is because the final dot in a bind zone file denotes the end of the field. If you don't put the dot on the end of the field then bind will add the origin. This does not apply to IP addresses.
As for the forwarding, that should work, but you'll probably want to have multiple nameservers set up on your clients, in case this one is down for any reason, etc. In this case you won't need the forwarding.
If you want to secure the server to only respond to clients on the local network you can use the allow-query statement to limit it to certain IP ranges. But if your server is not accessible on the internet you should be fine. One thing to check is that the server isn't listening on the loopback interface, meaning that you will only be able to reach it from the machine named is running on and not other machines on your network.
Hope this helps. Let me know if anything isn't clear.
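The two rules this answer relies on (a trailing dot makes a name absolute, otherwise the origin is appended; an authoritative zone needs an NS record at its apex with a matching A record) as a small zone-file checker. This is an added example, not code from either post; the sample zones are constructed to mirror the question, and 192.168.0.1 for ns.demo is an assumption.

```python
def absolutize(name, origin):
    """'@' is the origin, a trailing dot means absolute, anything else gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, default_origin):
    """Parse zone text into (owner, type, rdata) tuples with absolute owner names."""
    origin = default_origin.rstrip(".") + "."
    merged, buf = [], ""
    for ln in text.splitlines():
        ln = ln.split(";", 1)[0].rstrip()              # drop ';' comments
        buf = f"{buf} {ln}" if buf else ln
        if buf.count("(") > buf.count(")"):            # still inside a ( ... ) record
            continue
        merged.append(buf.replace("(", " ").replace(")", " "))
        buf = ""
    records, last_owner = [], None
    for ln in merged:
        toks = ln.split()
        if not toks or toks[0] == "$TTL":
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        # leading whitespace means "same owner as the previous record"
        owner = last_owner if ln[0].isspace() else absolutize(toks.pop(0), origin)
        last_owner = owner
        while toks and (toks[0].isdigit() or toks[0].upper() == "IN"):
            toks.pop(0)                                # skip optional TTL / class
        if toks:
            records.append((owner, toks[0].upper(), toks[1:]))
    return origin, records

def check_zone(text, default_origin):
    """Return the problems the answer describes; an empty list means none found."""
    origin, records = parse_zone(text, default_origin)
    in_zone = lambda n: n == origin or n.endswith("." + origin)
    problems = [f"{o} {t}: owner lies outside {origin} (unintended trailing dot?)"
                for o, t, _ in records if not in_zone(o)]
    ns = [absolutize(r[0], origin) for o, t, r in records if o == origin and t == "NS"]
    if not ns:
        problems.append(f"no NS record at apex {origin}")
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    problems += [f"in-zone NS {n} has no A/AAAA record" for n in ns
                 if in_zone(n) and n not in has_addr]
    return problems

# Constructed to mirror the question's zone: wildcard written as '*.' and no NS record.
BROKEN = """$ORIGIN demo.
@ IN SOA demo. hostmaster (
        201312041 ; serial
        1D )      ; minimum
*. IN A 192.168.0.64
"""
# The same zone with the answer's fixes applied; 192.168.0.1 for ns.demo is an assumption.
FIXED = """$ORIGIN demo.
@   IN SOA demo. hostmaster ( 201312041 8H 4H 4W 1D )
    IN NS ns
ns  IN A 192.168.0.1
*   IN A 192.168.0.64
"""
```

`check_zone(BROKEN, "demo")` reports the out-of-zone `*.` owner and the missing apex NS; `check_zone(FIXED, "demo")` returns an empty list. Running `named-checkzone demo. zone.demo` on the real file is the authoritative check; named-checkconf alone does not read zone files.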
Related
I am trying to set up a basic public DNS server in Azure using Ubuntu and Bind9.
I want it to be accessible over the internet and forward all requests to Cloudflare or Google except one custom zone.
I have two problems currently:
I can get it to work on the local network: setting up a client on the same subnet and doing nslookup to public sites, the forwarding works perfectly, but when pointing an internet client at the DNS server it times out.
The custom zones don't work, even on the local network. I try to set up a non-existent domain to point to an IP and set up a separate zone file, but nothing happens. Even on the DNS server itself I can't get it to work.
I don't think issue 1 is a firewall issue; for testing I have allowed all ports and IPs to be open and also opened port 53 on the DNS server firewall.
I think both issues are related to the Bind9 configuration and I have little understanding of it. Perhaps you guys can help out.
Here's the config files:
/etc/bind/named.conf.local:
zone "fakehostname.com" {
type master;
file "/etc/bind/zone.fakehostname.com";
};
/etc/bind/named.conf.options:
options {
directory "/var/cache/bind";
forwarders {
1.1.1.1; // Cloudflare
8.8.8.8; // Google
};
allow-query { any; };
dnssec-validation auto;
auth-nxdomain no;
listen-on-v6 { any; };
recursion yes;
querylog yes;
version "not available";
};
/etc/bind/zone.fakehostname.com:
$TTL 604800
@ IN SOA fakehostname.com. admin.fakehostname.com. (
        2 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
@ IN NS localhost.
@ IN A 10.10.10.10
mail IN A 10.10.10.10
@ IN MX 10 mail.fakehostname.com.
@ IN TXT "hello"
Sorry this was a mistake, the config was correct and issue was in Azure NSG firewall config. I thought I had allowed all ports for testing but UDP 53 was not open. After opening it everything works.
Ok, so here I have one box:
Windows host (Debian Linux 8 VM - Oracle) - set up. A live working machine: DNS, Apache, PHP... etc.
IP is **A.A.A.A**
Second machine, fresh install, second VM, PHP and Apache all running. DNS is not.
IP is **A.A.A.B**
The external IPv4 (ISP router).
IP is **X.X.X.X**
So the goal is simple:
On thisdomain.com it has a local IP of **A.A.A.A**
but on the second server it has the IP **A.A.A.B**
IP A.A.A.A serves the domain and the website for www.thisdomain.com and thisdomain.com.
I wish to have ls.thisdomain.com serve IP **A.A.A.B**
The DNS records are like so:
$TTL 38400
thisdomain.com. IN SOA ls.thisdomain.com. webmaster.thisdomain.com. (
5 ; Serial
1d ; Refresh
60m ; Retry
7d ; Expire
6h ) ; Negative Cache TTL
; ### this is the forward zone of IP 2 A.A.A.B (ls.thisdomain.com)
thisdomain.com. IN A X.X.X.X
thisdomain.com. IN NS ls.thisdomain.com.
ls.thisdomain.com. IN A X.X.X.X
ls.thisdomain.com. IN A A.A.A.B
;
www IN CNAME thisdomain.com.
;
on the main server that serves domain IP 2 = **A.A.A.A**:
$TTL 38400
thisdomain.com. IN SOA ns1.thisdomain.com. webmaster.thisdomain.com. (
5 ; Serial
1d ; Refresh
60m ; Retry
7d ; Expire
6h ) ; Negative Cache TTL
;
thisdomain.com. IN A X.X.X.X
ns1.thisdomain.com. IN A X.X.X.X
ns2.thisdomain.com. IN A X.X.X.X
ls.thisdomain.com. IN A X.X.X.X
thisdomain.com. IN NS ls.thisdomain.com.
ls.thisdomain.com. IN A A.A.A.B
thisdomain.com. IN NS ns1.thisdomain.com.
thisdomain.com. IN NS ns2.thisdomain.com.
;
www IN CNAME thisdomain.com.
;
And what's the issue? Well, it seems that even though I think they're good to go, the ls. subdomain still only shows the first server's Apache website (**A.A.A.A**) instead of the second server's Apache website (**A.A.A.B**).
What I want is for it to be like this: ls.thisdomain.com hits public IP X.X.X.X, then searches NS1 on IP A.A.A.A, then sends the user to the webpage on server LS, which is A.A.A.B.
How would one achieve this so that it does happen?
Well, there are several apparent errors above. First, the whole idea of having two different zones for the same name is meaningless because it requires an unnecessary level of DNS recursion - you should serve a single consolidated DNS zone, and if you need two servers for redundancy, then make one of them master and the other one slave (a verbatim copy of the master).
Second, the second zone adds two additional NS records compared to the first zone, but all of those in turn point to the same IP address. This is also meaningless.
Third, the name ls.thisdomain.com is defined as a round-robin DNS entry, meaning 50% of the clients will resolve it to X.X.X.X, while another 50% will resolve it to A.A.A.B. Each of those clients will then cache that result for 38400 seconds and then repeat the query, after which point they again have a 50:50 chance of getting either result.
It's unclear from the question whether A.A.A.* is perhaps a private IP network. If the intent is to allow external users to access A.A.A.B which is in a private network, then DNS is simply not the solution. DNS is a Layer 7 protocol which doesn't care which kind of IPs its results will contain, but the external users can't route via Layer 3 to external private networks. HTTP traffic can only arrive at the public X.X.X.X IP, typically at port 80, and then the router can pass it on (NAT it) to an HTTP server. This HTTP server in turn can pass the results on to two separate virtual hosts or even two separate machines (proxying).
Hopefully someone can help clarify this.
I have a domain, i.e. example.com, registered with GoDaddy. I host the website with TSOHost, so in my domain configuration I have set the following NS records.
Nameserver 1: ns1.tsohost.co.uk
Nameserver 2: ns2.tsohost.co.uk
I am now able to serve the website, both www and non-www, from this hosting package. I simply have an A record for example.com and a CNAME for www.example.com to point to example.com (this is being configured in the cPanel Advanced DNS Zone Editor). So now we have the website showing as expected and required.
I would also like to set up a kind of DDNS service using a different server entirely (this will hold DNS records that I will create on the fly using a RADIUS database).
So I want to use the subdomain ddns.example.com for this DDNS service, i.e. bob.ddns.example.com for Bob (so that when I ping bob.ddns.example.com, I can alter the IP to 8.8.8.8, say). In cPanel I have an A record for ddns.example.com and an A record for *.ddns.example.com to point to my server that will manage this, for example 85.214.214.214.
I have installed BIND on the server (currently using a DigitalOcean server for this, to which I have added ddns.example.com as an A record to the droplet and *.ddns.example.com also). I have created a zone for ddns.example.com; within this I have set the NS record as the DigitalOcean details.
I have then added the following to my file /var/named/ddns.example.com.hosts
$ttl 38400
; SOA RNAME is a mailbox with the '@' written as a dot: jon@example.com becomes jon.example.com.
ddns.example.com. IN SOA ns1.digitalocean.com. jon.example.com. (
        1414575123 ; serial
        10800      ; refresh
        3600       ; retry
        604800     ; expire
        38400 )    ; negative cache TTL
ddns.example.com. IN NS ns1.digitalocean.com.
bob.ddns.example.com. IN A 8.8.8.8
When I ping bob.ddns.example.com on the server with bind installed I get 8.8.8.8, but when pinging for anywhere else I get the bind server IP.
Can I ask if what I am doing is possible, i.e. going from GoDaddy to TSO to another server, and if so, what NS records should I specify for BIND? Or is there something in the named config I need to change? I have set the following options in named.conf in an attempt to solve this issue.
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
allow-query { any; };
recursion yes;
I am aware that recursion may leave me open to DoS attacks and I intend to turn this to no eventually, but for the moment during testing I have left it at yes.
Any help or information would be greatly appreciated, I have been trying different variations of zone files etc without success, I am really though unsure as to if I am going in the right direction.
Hopefully I have made sense, but any further info I can provide, please let me know.
My first question would be - Are you sure you've updated the Registrar with this server as the DNS nameserver for this domain?
Use nslookup to find out:
# nslookup
> set querytype=NS
> server 4.2.2.1 (a DNS server on the Internet)
> ddns.example.com. (a closing dot helps avoid lookups using preferred search domains.)
and confirm that the Internet knows who to communicate with, and that your NS host is authoritative for the domain.
Next would be - Do you have any other nameservers up to "answer" for that subdomain, causing other problems?
BTW - glad to hear you fixed this issue!
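To tie together the earlier answer's advice on allow-query and the open-recursion concern this asker raises: a named.conf fragment, added here and not taken from any post, that answers queries for the hosted zone from anywhere but recurses and forwards only for the local network. The 192.168.0.0/24 range, the zone name and the file paths are assumptions.

```conf
// Added example; addresses, zone name and paths are assumptions.
acl "lan" { 127.0.0.0/8; 192.168.0.0/24; };

options {
    directory "/var/named";
    listen-on { any; };          // bind to all interfaces, not only loopback
    listen-on-v6 { any; };

    // Weak setting (as in the posts above): any Internet host may use this
    // server as a recursive resolver.
    //   allow-query { any; };
    //   recursion yes;

    // Corrected: authoritative answers for everyone, recursion for the LAN only.
    allow-query { any; };
    recursion yes;
    allow-recursion { lan; };
    allow-query-cache { lan; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    dnssec-validation auto;
};

zone "demo." IN {
    type master;
    file "zone.demo";
    allow-transfer { none; };    // no zone transfers to arbitrary clients
};
```

Queries from outside the acl for names not in "demo." are refused rather than resolved, which is what removes the amplification exposure while keeping the zone reachable.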
So I've delved into the world of running a server without a control panel for the first time, doing everything through the terminal and occasionally logging into the desktop gui if I need to.
I've got nearly everything working as far as I can tell, the firewall was a hassle but I think i've got it now.
The last thing I can't quite work out is how to get the domain name I purchased pointing correctly to my server (I've always done this through a control panel before which automated most of it).
These are the steps I've taken so far (These may be wrong, I've been googling the thing like mad but everywhere tells me to do something different, so please let me know if something is wrong).
Purchased a domain name, for sake of example "mydomain.com"
Have server running Ubuntu 64 bit. IP address for sake of example "1.2.3.4"
The host has provided me with 3 "DNS Resolvers", for sake of example: "1.1.1.1", "1.1.1.2", "1.1.1.3"
I've set the hostname on my server
Running "hostname" in the terminal outputs: mydomain
Checking /etc/hostname outputs: mydomain.com
I've added those 3 DNS resolvers to my /etc/resolv.conf file like so:
domain mydomain.com
search mydomain.com
nameserver 1.1.1.1
nameserver 1.1.1.2
nameserver 1.1.1.3
I've set the virtual host up in my httpd.conf file:
<VirtualHost 1.2.3.4:80>
ServerName mydomain.com
ServerAlias mydomain
DocumentRoot /var/www/mysite
</VirtualHost>
Now from here on I've just been playing around with different things. At the moment I've gone into my domain registrar panel and set three nameservers as "ns1.mydomain.com", "ns2.mydomain.com", "ns3.mydomain.com".
I've installed webmin to try and set the DNS zone records and this is what I've got at the moment on the output of various commands:
(where 1.1.1.1, 1.1.1.2, 1.1.1.3 are those DNS resolvers)
nslookup -sil localhost
conn@duckfusion:~$ nslookup -sil localhost
;; Got SERVFAIL reply from 1.1.1.2, trying next server
;; Got SERVFAIL reply from 1.1.1.3, trying next server
;; connection timed out; no servers could be reached
nslookup -sil mydomain.com
conn@duckfusion:~$ nslookup -sil mydomain.com
;; Got SERVFAIL reply from 1.1.1.2, trying next server
;; Got SERVFAIL reply from 1.1.1.3, trying next server
;; connection timed out; no servers could be reached
Here is my "named.conf" file:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
1.1.1.1; 1.1.1.2; 1.1.1.3; 208.67.222.222; 208.67.220.220;
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
allow-query {
any;
};
listen-on port 53 {
any;
};
};
named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "mydomain.com" {
type master;
file "/var/lib/bind/mydomain.com.hosts";
};
/var/lib/bind/mydomain.com.hosts (Where 1.2.3.4 is my server's IP)
$ttl 38400
mydomain.com. IN SOA mydomain.com. me.myemail.com. (
1366054515
10800
3600
604800
38400 )
mydomain.com. IN NS mydomain.com.
mydomain.com. IN A 1.2.3.4
www.mydomain.com. IN A 1.2.3.4
mail.mydomain.com. IN A 1.2.3.4
ftp.mydomain.com. IN A 1.2.3.4
ns1.mydomain.com. IN A 1.2.3.4
ns2.mydomain.com. IN A 1.2.3.4
ns3.mydomain.com. IN A 1.2.3.4
mydomain.com. IN NS ns1.mydomain.com.
mydomain.com. IN NS ns2.mydomain.com.
mydomain.com. IN NS ns3.mydomain.com.
mydomain.com. IN MX 10 mail.mydomain.com.
That's as far as I've got.
I can obviously get to the server via IP address as URL, but as of yet not by domain name.
Could anyone let me know:
A) Where I've gone wrong
B) What I need to do to achieve this?
Thank you very much.
Running your own named is overkill and not needed. Here's what a valid setup looks like:
Your web server hosting provider (where your website lives) gave you some DNS resolvers. These are intended to provide DNS resolution to your web server, so it can find OTHER hosts on the Internet. These resolvers have nothing to do with hosting YOUR domain, and you cannot make changes to their domain definitions.
Your DNS Hosting Provider has their own DNS servers, which are used by default to host your DNS "A" record. If you truly reconfigured your DNS hosting account to use the web provider's DNS servers, this is an error. You cannot add your DNS record to those servers.
On your DNS Hosting Provider's control panel, first set it back to using their DNS servers; then create an "A" record for your domain, pointing to the IP of your web server host.
In summary:
DNS Hosting Provider
DNS Server(s) contain:
www.yourserver.com A 1.2.3.4
alias.yourserver.com CNAME www.yourserver.com (maybe)
yourserver.com MX where.you.receive.mail (maybe)
Web Hosting Provider
Your web server at 1.2.3.4
/etc/resolv.conf
nameserver 1.1.1.1
nameserver 1.1.1.2
nameserver 1.1.1.3
That's all you need to do for other people to be able to find your server.
The only reason to run your own DNS would be to host an entire network consisting of multiple machines, behind a firewall, or hosting an entire Class C or greater set of IP addresses. To do this you'd need peering and routing agreements with other providers, which I don't think you have.
EDIT
$ dig duckfusion.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> duckfusion.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32080
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 17
;; QUESTION SECTION:
;duckfusion.com. IN A
;; ANSWER SECTION:
duckfusion.com. 1800 IN A 87.117.219.53
duckfusion.com. 1800 IN A 192.31.186.140
;; AUTHORITY SECTION:
duckfusion.com. 172800 IN NS dns4.registrar-servers.com.
duckfusion.com. 172800 IN NS dns5.registrar-servers.com.
duckfusion.com. 172800 IN NS dns3.registrar-servers.com.
duckfusion.com. 172800 IN NS dns1.registrar-servers.com.
duckfusion.com. 172800 IN NS dns2.registrar-servers.com.
So, the IT department decided to change a bunch of domain names and it broke a bunch of stuff in my lab network. I have a suse linux dns server (which I didn't setup and don't know much about). I was wondering if there was a way I could make it manually resolve ip addresses to the old domain names.
Simply modifying the software in my lab to point to the new domain names wont work (because there are other labs at other sites that will still be using the old domain names).
here are some relevant quotes from this tutorial:
Examples Corporation has been assigned the network 192.0.2.0/24 and internally we are using 10.0.0.0/24.
Let's start serving the external names and IPs, we edit /etc/bind/named.conf.local and add:
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
};
and then we create /etc/bind/db.example.com with the following contents:
; example.com
$TTL 604800
@       IN SOA ns1.example.com. root.example.com. (
        2006020201 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
;
@       IN NS ns1
        IN MX 10 mail
        IN A 192.0.2.1
ns1     IN A 192.0.2.1
mail    IN A 192.0.2.128 ; We have our mail server somewhere else.
www     IN A 192.0.2.1
client1 IN A 192.0.2.201 ; We connect to client1 very often.
So what you want to do is replace "example.com" with whatever domain your programs access, replace "192.0.2.whatever" with your destination IP, and remove the "ns1", "mail", "www", "client1" lines and replace them with
*.yourdomain.com. IN A your.ip.address.255