DaemonForums > Miscellaneous > General software and network

#1
Old 2nd December 2009
sniper007

Problems with my new DNS server

Hi guys!

I have some problems with my new DNS server.

A few years ago I bought the domain sniper-unix.org and by default used the ISP's nameserver for this domain. Now I have configured my own nameserver, ns.sniper-unix.org, and changed the nameserver for my domain, but the domain doesn't work.

I contacted the ISP and asked them what is wrong, and they said that the top-level domain server doesn't serve any information about my DNS.

What can I do?
__________________
If anything can go wrong, it will. If it can't, it will anyway
#2
Old 2nd December 2009
J65nko (Administrator)

The whois information lists your nameserver:
Code:
$ whois sniper-unix.org 
Domain ID:D148812964-LROR
Domain Name:SNIPER-UNIX.ORG
Created On:07-Aug-2007 10:39:02 UTC
Last Updated On:29-Nov-2009 23:13:42 UTC
Expiration Date:07-Aug-2010 10:39:02 UTC
Sponsoring Registrar:Tucows Inc. (R11-LROR)
Status:INACTIVE
Registrant ID:tuc06mFuMT9ASVvO
[snip]
Tech ID:tu0KHV6WwUe3LiyT
Tech Name:Technical support Technical support
Tech Organization:Telekom Slovenije, d.d.
Tech Street1:Cigaletova 15
Tech Street2:
Tech Street3:
Tech City:Ljubljana
Tech State/Province:
Tech Postal Code:1000
Tech Country:SI
[snip]
Name Server:NS.SNIPER-UNIX.ORG
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
But it also says the registration is INACTIVE.
You should contact your registrar, Tucows.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#3
Old 2nd December 2009
jggimi

-You- do not have the authority to manage the domain name. Making up your own server name is not enough. The root servers must be configured to point to your nameserver. At the moment, your DNS is managed by afilias-nst.info / afilias-nst.org:

http://network-tools.com/default.asp...niper-unix.org

Do a little Googling for how DNS works. After you understand how the DNS root servers work in relation to downstream DNS servers ... contact your ISP once more, and find a technician who understands what needs to be done via whatever company afilias-nst uses; they are not on the list of .org registrars:

http://www.pir.org/index.php?db=cont...gistrants&id=2

Right now, there are two ignorant people on the phone with each other: you, and the clerk at the ISP. -One- of you needs to know what they are talking about.
#4
Old 2nd December 2009
sniper007

Thanks to both of you for the quick reply. So if I understand correctly: the registrar for my domain should ensure that the root servers point to my nameserver?
#5
Old 2nd December 2009
J65nko

Yes, but they usually insist that there is also a second nameserver in another netblock.

You can easily check with dig whether your nameserver has been adopted into the domain name system:
Code:
$ dig +norecurse -t ns SNIPER-UNIX.ORG @a.root-servers.net

; <<>> DiG 9.3.4 <<>> +norecurse -t ns SNIPER-UNIX.ORG @a.root-servers.net
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52839
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 12

;; QUESTION SECTION:
;SNIPER-UNIX.ORG.               IN      NS

;; AUTHORITY SECTION:
ORG.                    172800  IN      NS      A0.ORG.AFILIAS-NST.INFO.
ORG.                    172800  IN      NS      D0.ORG.AFILIAS-NST.ORG.
ORG.                    172800  IN      NS      B2.ORG.AFILIAS-NST.ORG.
ORG.                    172800  IN      NS      C0.ORG.AFILIAS-NST.INFO.
ORG.                    172800  IN      NS      B0.ORG.AFILIAS-NST.ORG.
ORG.                    172800  IN      NS      A2.ORG.AFILIAS-NST.INFO.

;; ADDITIONAL SECTION:
A0.ORG.AFILIAS-NST.INFO. 172800 IN      A       199.19.56.1
A0.ORG.AFILIAS-NST.INFO. 172800 IN      AAAA    2001:500:e::1
A2.ORG.AFILIAS-NST.INFO. 172800 IN      A       199.249.112.1
A2.ORG.AFILIAS-NST.INFO. 172800 IN      AAAA    2001:500:40::1
B0.ORG.AFILIAS-NST.ORG. 172800  IN      A       199.19.54.1
B0.ORG.AFILIAS-NST.ORG. 172800  IN      AAAA    2001:500:c::1
B2.ORG.AFILIAS-NST.ORG. 172800  IN      A       199.249.120.1
B2.ORG.AFILIAS-NST.ORG. 172800  IN      AAAA    2001:500:48::1
C0.ORG.AFILIAS-NST.INFO. 172800 IN      A       199.19.53.1
C0.ORG.AFILIAS-NST.INFO. 172800 IN      AAAA    2001:500:b::1
D0.ORG.AFILIAS-NST.ORG. 172800  IN      A       199.19.57.1
D0.ORG.AFILIAS-NST.ORG. 172800  IN      AAAA    2001:500:f::1

;; Query time: 174 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Thu Dec  3 01:09:00 2009
;; MSG SIZE  rcvd: 435
Here we do a non-recursive query at a.root-servers.net for the nameserver of your domain.
The answer is a referral, or "I don't have that info, but the following nameservers can help you further".
Then you ask one of those they referred you to, 199.19.56.1:
Code:
$ dig  +norecurse -t ns SNIPER-UNIX.ORG @199.19.56.1        

; <<>> DiG 9.3.4 <<>> +norecurse -t ns SNIPER-UNIX.ORG @199.19.56.1
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20045
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;SNIPER-UNIX.ORG.               IN      NS

;; AUTHORITY SECTION:
ORG.                    900     IN      SOA     a0.org.afilias-nst.info. noc.afilias-nst.info. 2008922739 1800 900 604800 86400

;; Query time: 139 msec
;; SERVER: 199.19.56.1#53(199.19.56.1)
;; WHEN: Thu Dec  3 01:13:24 2009
;; MSG SIZE  rcvd: 96
This returns a SOA record instead of a proper answer.
You can repeat this for the others.

Last edited by J65nko; 3rd December 2009 at 12:17 AM. Reason: Added example how to use dig to check the nameserver
#6
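The manual walk above (root, then the .org servers) can be automated once you can tell a referral from a "no such delegation" reply. The following is an added example, not code from the thread: it parses the text that `dig +norecurse -t ns <zone> @<server>` prints, classifies the reply, and extracts the glue addresses for the next hop. The two sample replies are copied from the thread (trimmed); the "healthy" reply is constructed for example.org with RFC 5737 addresses and is an assumption.

```python
"""Classify dig +norecurse replies while walking a delegation (root -> TLD -> zone).
Added example, not code from the thread."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

RR = Tuple[str, str, str]  # (owner name, record type, rdata)

FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")
SECTION_RE = re.compile(r"^;; (QUESTION|ANSWER|AUTHORITY|ADDITIONAL) SECTION:")
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+?)\s*$")


@dataclass
class DigReply:
    flags: Set[str] = field(default_factory=set)
    sections: Dict[str, List[RR]] = field(
        default_factory=lambda: {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []})


def parse_dig(text: str) -> DigReply:
    """Pull the header flags and the resource records out of dig's text output."""
    reply, current = DigReply(), None
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            reply.flags = set(m.group(1).split())
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if not line.strip():
            current = None                      # a blank line closes a section
            continue
        if line.startswith(";") or current not in reply.sections:
            continue                            # comments and the QUESTION section
        m = RR_RE.match(line)
        if m:
            owner, rtype, rdata = m.groups()
            reply.sections[current].append((owner.lower(), rtype, rdata))
    return reply


def _is_parent(owner: str, qname: str) -> bool:
    return owner == "." or (owner != qname and qname.endswith("." + owner))


def classify(reply: DigReply, qname: str) -> str:
    """What a non-recursive reply says about qname's place in the delegation tree."""
    q = qname.lower().rstrip(".") + "."
    answer, authority = reply.sections["ANSWER"], reply.sections["AUTHORITY"]
    if any(o == q and t == "NS" for o, t, _ in answer):
        return "answer"          # this server is authoritative for the zone itself
    if any(o == q and t == "NS" for o, t, _ in authority):
        return "delegation"      # the parent hands qname to its nameservers: healthy
    if any(t == "NS" and _is_parent(o, q) for o, t, _ in authority):
        return "referral"        # "ask these servers instead", e.g. root -> ORG.
    if any(t == "SOA" for _, t, _ in authority):
        return "not delegated"   # parent is authoritative but holds no NS for qname
    return "unknown"


def next_hop(reply: DigReply) -> List[str]:
    """Glue addresses for the NS targets, i.e. where to send the next query."""
    targets = {r.lower() for _, t, r in reply.sections["AUTHORITY"] if t == "NS"}
    return [r for o, t, r in reply.sections["ADDITIONAL"]
            if t in ("A", "AAAA") and o in targets]


# Sample replies: the first two are copied (trimmed) from the thread.
ROOT_REPLY = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 12

;; QUESTION SECTION:
;SNIPER-UNIX.ORG.               IN      NS

;; AUTHORITY SECTION:
ORG.                    172800  IN      NS      A0.ORG.AFILIAS-NST.INFO.
ORG.                    172800  IN      NS      D0.ORG.AFILIAS-NST.ORG.

;; ADDITIONAL SECTION:
A0.ORG.AFILIAS-NST.INFO. 172800 IN      A       199.19.56.1
A0.ORG.AFILIAS-NST.INFO. 172800 IN      AAAA    2001:500:e::1
D0.ORG.AFILIAS-NST.ORG. 172800  IN      A       199.19.57.1
"""
TLD_REPLY = """\
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
ORG.                    900     IN      SOA     a0.org.afilias-nst.info. noc.afilias-nst.info. 2008922739 1800 900 604800 86400
"""
# Constructed (assumption): what a working delegation from the .org servers looks like.
HEALTHY_REPLY = """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; AUTHORITY SECTION:
example.org.            86400   IN      NS      ns1.example.org.
example.org.            86400   IN      NS      ns2.example.org.

;; ADDITIONAL SECTION:
ns1.example.org.        86400   IN      A       192.0.2.53
ns2.example.org.        86400   IN      A       198.51.100.53
"""

if __name__ == "__main__":
    for label, text, q in (("root", ROOT_REPLY, "sniper-unix.org"),
                           (".org", TLD_REPLY, "sniper-unix.org"),
                           (".org healthy", HEALTHY_REPLY, "example.org")):
        r = parse_dig(text)
        print(f"{label:13} {classify(r, q):14} next: {', '.join(next_hop(r)) or '-'}")
```

A "not delegated" verdict from a TLD server that sets the `aa` flag is the definitive symptom here: the registry simply holds no NS records for the zone, so nothing further down (glue, the zone's own records) can matter until the registrar fixes that.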
Old 3rd December 2009
DutchDaemon

What you need are so-called 'glue records' (http://faq.domainmonster.com/dns/glue_record/ gives a childish, but illustrative explanation), which the registrar of your domain uses to point to the IP addresses of your nameservers (yes, preferably two).

Now there's no one able to tell anyone where
NS.SNIPER-UNIX.ORG can be found ..

I'm sure TUCOWS (or the affiliate registrar that you appear to work with) has a web interface for managing domain records? In that case you can make the glue record(s) yourself.

The domain is probably marked 'inactive' because no DNS records are available right now -- so it fails basic sanity checks that most registrars have in place, like 'lame resolver' or 'lame delegation' errors.

Have the glue record(s) added by your registrar (or do it yourself if you have direct access via a GUI), make sure your own nameserver dishes out the correct records (esp. the NS records), and it'll come back to life.

If your registrar has no idea what you're on about, move your domain to a registrar who does, and who enables you to maintain your own glue records (like Tucows itself, or networksolutions, or godaddy ... etc.)

Last edited by DutchDaemon; 3rd December 2009 at 12:39 AM.
#7
Old 3rd December 2009
sniper007

Quote:
Originally Posted by DutchDaemon (post #6 above)

Hi!

Via my registrar (web page) I did what you are talking about (I hope so).

If you try a forward DNS lookup for ns.sniper-unix.org, it resolves to my correct IP address...

http://www.kloth.net/services/nslookup.php

Quote:
... here is the nslookup result for ns.sniper-unix.org from server localhost, querytype=A :

DNS server handling your query: localhost
DNS server's address: 127.0.0.1#53

Non-authoritative answer:
Name: ns.sniper-unix.org
Address: 86.61.66.23
#8
Old 3rd December 2009
jggimi

You now have an A record and an RRSIG record for ns.sniper-unix.org.

It is -not- part of the Internet's DNS infrastructure. sniper-unix.org's DNS is still managed by your ISP.
#9
Old 3rd December 2009
DutchDaemon

So you may have to click around a bit more on your registrar's web interface. With e.g. NetSol you can just choose the option to manage your own DNS server. If you don't (or can't) do something like that, your registrar will simply keep answering those queries authoritatively without handing out the glue records to pass queries on to your own DNS server. Though I seem to see no one answering any queries for you now, because I see no hand-off from the .org root servers to any other DNS server, so the resolver chain is broken. Your INACTIVE listing may be the cause of that (it may also be caused by non-payment ..).

Code:
# dnscheck -cuvz SNIPER-UNIX.ORG
[   ] /usr/bin/dig +norecurse ns "sniper-unix.org" "@a.root-servers.net"
[org] /usr/bin/dig +norecurse ns "sniper-unix.org" "@a0.org.afilias-nst.info"
[org] /usr/bin/dig +norecurse ns "sniper-unix.org" "@b2.org.afilias-nst.org"
[org] /usr/bin/dig +norecurse ns "sniper-unix.org" "@d0.org.afilias-nst.org"
[org] /usr/bin/dig +norecurse ns "sniper-unix.org" "@b0.org.afilias-nst.org"
[org] /usr/bin/dig +norecurse ns "sniper-unix.org" "@a2.org.afilias-nst.info"
[org] /usr/bin/dig +norecurse ns "sniper-unix.org" "@c0.org.afilias-nst.info"
[   ] /usr/bin/dig ns "sniper-unix.org"
sniper-unix.org (serial 0)
A healthy resolver chain looks like this:

Code:
# dnscheck -cuviz un.org   
[   ] /usr/bin/dig +norecurse ns "un.org" "@a.root-servers.net"
[org] /usr/bin/dig +norecurse ns "un.org" "@d0.org.afilias-nst.org"
      + un.org. IN NS auth00.ns.uu.net. (serial 2009111801)
      + un.org. IN NS dcens01.un.org. (serial 2009111801)
      + un.org. IN NS secens01.un.org. (serial 2009111801)

[   ] /usr/bin/dig ns "un.org"
      + un.org. IN NS auth00.ns.uu.net. (serial 2009111801)
      + un.org. IN NS secens01.un.org. (serial 2009111801)
      + un.org. IN NS dcens01.un.org. (serial 2009111801)
Old 3rd December 2009
sniper007

I think i'll transfer my domain to networksolutions.com.
Old 3rd December 2009
Carpetsmoker

Maybe an image is more illustrative.

http://www.rwxrwxrwx.net/domain.png

As you can see in the image, I can opt to choose the Bluehost DNS servers or my own. I chose to use my own. The UI will of course be different for you, but at least this should explain more or less how it should look, in case it wasn't already clear.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Old 4th December 2009
DutchDaemon

Yep, it's almost exactly the same at NetSol.

http://tinypic.com/r/ok27tc/6
http://tinypic.com/r/dyqek2/6

Last edited by DutchDaemon; 4th December 2009 at 12:35 AM.
Old 6th December 2009
sniper007

Thanks guys for the help. I transferred my domain to NetSol and am now waiting for it to complete...

I also want to know if it is possible and correct to have one zone inside my network (behind NAT), something like sniper.local for my hosts with local IPs (192.168...), and of course the one existing zone, sniper-unix.org?
Old 6th December 2009
J65nko

Yes, you can have a 'private' zone in your local network. I use 'utp.xnet' for my private domain:
Code:
$ dig -t ns utp.xnet @192.168.222.11

; <<>> DiG 9.3.4 <<>> -t ns utp.xnet @192.168.222.11
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54374
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;utp.xnet.                      IN      NS

;; ANSWER SECTION:
utp.xnet.               259200  IN      NS      ns1.utp.xnet.

;; ADDITIONAL SECTION:
ns1.utp.xnet.           259200  IN      A       192.168.222.11

;; Query time: 2 msec
;; SERVER: 192.168.222.11#53(192.168.222.11)
;; WHEN: Sun Dec  6 12:20:20 2009
;; MSG SIZE  rcvd: 60
So I can refer to hosts by name:
Code:
$ ping -c2 hercules.utp.xnet
PING hercules.utp.xnet (192.168.222.20): 56 data bytes
64 bytes from 192.168.222.20: icmp_seq=0 ttl=255 time=0.024 ms
64 bytes from 192.168.222.20: icmp_seq=1 ttl=255 time=0.016 ms
--- hercules.utp.xnet ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.016/0.020/0.024/0.004 ms
A reverse lookup:
Code:
$ dig -x 192.168.222.88 

; <<>> DiG 9.3.4 <<>> -x 192.168.222.88
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33621
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;88.222.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
88.222.168.192.in-addr.arpa. 604800 IN  PTR     xenophanes.utp.xnet.

;; Query time: 3 msec
;; SERVER: 192.168.222.10#53(192.168.222.10)
;; WHEN: Sun Dec  6 12:23:15 2009
;; MSG SIZE  rcvd: 78
Old 6th December 2009
sniper007

OK, good.

I figured out that people on different networks (who aren't on my local network) couldn't resolve through my DNS. So if they configure their resolver to the IP where my DNS listens, it doesn't work. Is this behaviour a default BIND security setting?

Last edited by sniper007; 6th December 2009 at 10:14 PM.
Old 6th December 2009
DutchDaemon

I don't understand exactly what you mean, so I'll address two points off-hand.

1. BIND as a local network resolving server

BIND denies recursive DNS queries by default (as it should); if you have a network for which BIND should act as the central DNS server, you'll have to set up an access list (acl) and allow that acl to query your DNS recursively.

2. BIND as the authoritative nameserver for your domains

BIND will only allow external queries to your master zones (the domains you host) if allow-query for those master zones is set (usually to 'all').

These are answers to two very different issues, so be more precise in describing your problem.
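The two roles DutchDaemon separates (recursive resolver for your own network, authoritative server for the zones you host) are expressed in BIND 9 with access lists. The following named.conf fragment is an added example, not configuration from the thread; the acl name, the 192.168.0.0/24 LAN range, the zone file name and the secondary's address 192.0.2.2 are assumptions.

```conf
// Added example, not from the thread. Assumed names and addresses throughout.
acl "lan" { 127.0.0.0/8; 192.168.0.0/24; };

options {
    directory "/var/named";

    // Resolver role: recursion is offered to the LAN only. Leaving it open to
    // the world makes the box an open resolver, usable as a reflector for DNS
    // amplification and a target for cache-poisoning attempts.
    recursion yes;
    allow-recursion { lan; };
    allow-query-cache { lan; };

    // Default for any zone that does not set its own allow-query.
    allow-query { lan; };
};

// Authoritative role: the public zone must be answerable from anywhere,
// otherwise other people's resolvers (and the registrar's lame-delegation
// checks) get no answer from ns.sniper-unix.org.
zone "sniper-unix.org" {
    type master;
    file "sniper-unix.org.zone";
    allow-query { any; };
    // Only the secondary nameserver (assumed address) may pull the full zone.
    allow-transfer { 192.0.2.2; };
};

// The private zone from the previous posts stays LAN-only: it holds
// RFC 1918 addresses that mean nothing outside the NAT.
zone "sniper.local" {
    type master;
    file "sniper.local.zone";
    allow-query { lan; };
};
```

With this in place, a query for www.sniper-unix.org from the Internet is answered from the zone, while a query for, say, www.google.com from the same outside address is refused: exactly the behaviour sniper007 observed, and the intended one. Run `named-checkconf` after editing and re-test both cases with `dig @<your-ip>` from an outside host.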
Old 7th December 2009
sniper007

No, this is not a problem. I was just asking if it is normal that people on a different network can't use my DNS server (e.g. for internet browsing) instead of their ISP's DNS...
Old 7th December 2009
jggimi

I don't think you read DutchDaemon's answer, above:
Quote:
BIND will only allow external queries to your master zones (the domains you host) if allow-query for those master zones is set (usually to 'all').
I think it is time you opened a BIND manual.

I started with this "how to": http://www.langfeldt.net/DNS-HOWTO/BIND-9/

The BIND administrator's guide should be available on your FreeBSD system. (On my OpenBSD system, it begins at /usr/share/doc/html/bind/Bv9ARM.html )
Old 7th December 2009
sniper007

Yes, of course, I read it and now all is clear.

I also successfully transferred the domain to Network Solutions, but the status is still INACTIVE.

Status:CLIENT TRANSFER PROHIBITED
Status:INACTIVE
Status:TRANSFER PROHIBITED
Status:TRANSFERPERIOD
Status:RENEWPERIOD

Note: I just bought DNS and BIND by Cricket Liu, Paul Albitz
Old 7th December 2009
J65nko

See my recent post for how to set up BIND as an authoritative name server.

If you really want to know DNS, and not how a particular popular nameserver, BIND, implements DNS, you should spend some time on djbdns. Install it on an old PC and play with it.