The whois information lists your nameserver:
Code:
$ whois sniper-unix.org
Domain ID:D148812964-LROR
Domain Name:SNIPER-UNIX.ORG
Created On:07-Aug-2007 10:39:02 UTC
Last Updated On:29-Nov-2009 23:13:42 UTC
Expiration Date:07-Aug-2010 10:39:02 UTC
Sponsoring Registrar:Tucows Inc. (R11-LROR)
Status:INACTIVE
Registrant ID:tuc06mFuMT9ASVvO
[snip]
Tech ID:tu0KHV6WwUe3LiyT
Tech Name:Technical support Technical support
Tech Organization:Telekom Slovenije, d.d.
Tech Street1:Cigaletova 15
Tech Street2:
Tech Street3:
Tech City:Ljubljana
Tech State/Province:
Tech Postal Code:1000
Tech Country:SI
[snip]
Name Server:NS.SNIPER-UNIX.ORG
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
You should contact your registrar Tucows.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
-You- do not have the authority to manage the domain name. Making up your own server name is not enough. The root servers must be configured to point to your nameserver. At the moment, your DNS is managed by afilias-nst.info / afilias-nst.org:
http://network-tools.com/default.asp...niper-unix.org
Do a little Googling for how DNS works. After you understand how the DNS root-servers work, in relation to downstream DNS servers ... contact your ISP once more, and find a technician who understands what needs to be done via whatever company afilias-nst uses; they are not on the list of .org registrars: http://www.pir.org/index.php?db=cont...gistrants&id=2
Right now, there are two ignorant people on the phone with each other: you, and the clerk at the ISP. -One- of you needs to know what they are talking about.
Yes, but they usually insist that there is also a second nameserver in another netblock.
You can easily check with dig whether your nameserver has been adopted into the domain name system:
Code:
$ dig +norecurse -t ns SNIPER-UNIX.ORG @a.root-servers.net

; <<>> DiG 9.3.4 <<>> +norecurse -t ns SNIPER-UNIX.ORG @a.root-servers.net
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52839
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 12

;; QUESTION SECTION:
;SNIPER-UNIX.ORG.               IN      NS

;; AUTHORITY SECTION:
ORG.                    172800  IN      NS      A0.ORG.AFILIAS-NST.INFO.
ORG.                    172800  IN      NS      D0.ORG.AFILIAS-NST.ORG.
ORG.                    172800  IN      NS      B2.ORG.AFILIAS-NST.ORG.
ORG.                    172800  IN      NS      C0.ORG.AFILIAS-NST.INFO.
ORG.                    172800  IN      NS      B0.ORG.AFILIAS-NST.ORG.
ORG.                    172800  IN      NS      A2.ORG.AFILIAS-NST.INFO.

;; ADDITIONAL SECTION:
A0.ORG.AFILIAS-NST.INFO. 172800 IN      A       199.19.56.1
A0.ORG.AFILIAS-NST.INFO. 172800 IN      AAAA    2001:500:e::1
A2.ORG.AFILIAS-NST.INFO. 172800 IN      A       199.249.112.1
A2.ORG.AFILIAS-NST.INFO. 172800 IN      AAAA    2001:500:40::1
B0.ORG.AFILIAS-NST.ORG. 172800  IN      A       199.19.54.1
B0.ORG.AFILIAS-NST.ORG. 172800  IN      AAAA    2001:500:c::1
B2.ORG.AFILIAS-NST.ORG. 172800  IN      A       199.249.120.1
B2.ORG.AFILIAS-NST.ORG. 172800  IN      AAAA    2001:500:48::1
C0.ORG.AFILIAS-NST.INFO. 172800 IN      A       199.19.53.1
C0.ORG.AFILIAS-NST.INFO. 172800 IN      AAAA    2001:500:b::1
D0.ORG.AFILIAS-NST.ORG. 172800  IN      A       199.19.57.1
D0.ORG.AFILIAS-NST.ORG. 172800  IN      AAAA    2001:500:f::1

;; Query time: 174 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Thu Dec  3 01:09:00 2009
;; MSG SIZE  rcvd: 435
The answer is a referral, or "I don't have that info, but the following nameservers can help you further". Then you ask one of those they referred: 199.19.56.1
Code:
$ dig +norecurse -t ns SNIPER-UNIX.ORG @199.19.56.1

; <<>> DiG 9.3.4 <<>> +norecurse -t ns SNIPER-UNIX.ORG @199.19.56.1
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20045
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;SNIPER-UNIX.ORG.               IN      NS

;; AUTHORITY SECTION:
ORG.                    900     IN      SOA     a0.org.afilias-nst.info. noc.afilias-nst.info. 2008922739 1800 900 604800 86400

;; Query time: 139 msec
;; SERVER: 199.19.56.1#53(199.19.56.1)
;; WHEN: Thu Dec  3 01:13:24 2009
;; MSG SIZE  rcvd: 96
You can repeat this for the others.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Last edited by J65nko; 3rd December 2009 at 12:17 AM. Reason: Added example how to use dig to check the nameserver
What you need are so-called 'glue records' (http://faq.domainmonster.com/dns/glue_record/ gives a childish, but illustrative explanation), which the registrar of your domain uses to point to the IP addresses of your nameservers (yes, preferably two).
Now there's no one able to tell anyone where NS.SNIPER-UNIX.ORG can be found .. I'm sure TUCOWS (or the affiliate registrar that you appear to work with) has a web interface for managing domain records? In that case you can make the glue record(s) yourself. The domain is probably marked 'inactive' because no DNS records are available right now -- so it fails basic sanity checks that most registrars have in place, like 'lame resolver' or 'lame delegation' errors. Have the glue record(s) added by your registrar (or do it yourself if you have direct access via a GUI), make sure your own nameserver dishes out the correct records (esp. the NS records), and it'll come back to life. If your registrar has no idea what you're on about, move your domain to a registrar who does, and who enables you to maintain your own glue records (like Tucows itself, or networksolutions, or godaddy ... etc.)
Last edited by DutchDaemon; 3rd December 2009 at 12:39 AM.
Quote:
Hi! Via my registrar (web page) I did what you are talking about (I hope so). If you try a forward DNS lookup for ns.sniper-unix.org it resolves to my correct IP address... http://www.kloth.net/services/nslookup.php
Quote:
__________________
If anything can go wrong, it will. If it can't, it will anyway
So you may have to click around a bit more on your registrar's web interface. With e.g. NetSol you can just choose the option to manage your own DNS server. If you don't (or can't) do something like that, your registrar will simply keep answering those queries authoritatively without handing out the glue records to pass queries on to your own DNS server. Though I seem to see no one answering any queries for you now, because I see no hand-off from the org's root servers to any other DNS server, so the resolver chain is broken. Your INACTIVE listing may be the cause of that (it may also be caused by non-payment ..).
Code:
# dnscheck -cuvz SNIPER-UNIX.ORG
[   ] /usr/bin/dig +norecurse ns "sniper-unix.org" "@a.root-servers.net"
[org] /usr/bin/dig +norecurse ns "sniper-unix.org" "@a0.org.afilias-nst.info"
[org] /usr/bin/dig +norecurse ns "sniper-unix.org" "@b2.org.afilias-nst.org"
[org] /usr/bin/dig +norecurse ns "sniper-unix.org" "@d0.org.afilias-nst.org"
[org] /usr/bin/dig +norecurse ns "sniper-unix.org" "@b0.org.afilias-nst.org"
[org] /usr/bin/dig +norecurse ns "sniper-unix.org" "@a2.org.afilias-nst.info"
[org] /usr/bin/dig +norecurse ns "sniper-unix.org" "@c0.org.afilias-nst.info"
[   ] /usr/bin/dig ns "sniper-unix.org"
sniper-unix.org (serial 0)
Code:
# dnscheck -cuviz un.org
[   ] /usr/bin/dig +norecurse ns "un.org" "@a.root-servers.net"
[org] /usr/bin/dig +norecurse ns "un.org" "@d0.org.afilias-nst.org"
  + un.org. IN NS auth00.ns.uu.net. (serial 2009111801)
  + un.org. IN NS dcens01.un.org. (serial 2009111801)
  + un.org. IN NS secens01.un.org. (serial 2009111801)
[   ] /usr/bin/dig ns "un.org"
  + un.org. IN NS auth00.ns.uu.net. (serial 2009111801)
  + un.org. IN NS secens01.un.org. (serial 2009111801)
  + un.org. IN NS dcens01.un.org. (serial 2009111801)
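As an added example (not code from this thread or from dnscheck), the following Python reads the text of one "dig +norecurse -t ns" reply, like the ones J65nko and DutchDaemon posted above, and says whether it is a referral further down the tree, a working delegation (the un.org case), or the authoritative SOA-only reply that shows nothing in .org points at the domain's nameserver. The sample replies are constructed, abbreviated from the dig output quoted earlier in the thread.

```python
import re

# Constructed samples, abbreviated from the dig replies quoted in this thread.
ROOT_REPLY = """;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 12
;; AUTHORITY SECTION:
ORG. 172800 IN NS A0.ORG.AFILIAS-NST.INFO.
ORG. 172800 IN NS D0.ORG.AFILIAS-NST.ORG.
;; ADDITIONAL SECTION:
A0.ORG.AFILIAS-NST.INFO. 172800 IN A 199.19.56.1
D0.ORG.AFILIAS-NST.ORG. 172800 IN A 199.19.57.1"""
TLD_REPLY = """;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
ORG. 900 IN SOA a0.org.afilias-nst.info. noc.afilias-nst.info. 2008922739 1800 900 604800 86400"""
GOOD_REPLY = """;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; AUTHORITY SECTION:
un.org. 86400 IN NS auth00.ns.uu.net.
un.org. 86400 IN NS dcens01.un.org."""

def parse_dig(text):
    """Return (flags, {section: [(owner, type, rdata)]}) from dig's text output."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r';; flags: ([^;]*);', line)
        if m:
            flags = set(m.group(1).split())
        elif line.startswith(';; ') and line.endswith(' SECTION:'):
            current = line[3:-9]
            sections[current] = []
        elif line and not line.startswith(';') and current:
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            sections[current].append((owner.lower(), rtype, rdata.lower()))
    return flags, sections

def classify(text, qname):
    """Say what one 'dig +norecurse -t ns' reply means for qname's delegation."""
    q = qname.lower().rstrip('.') + '.'
    flags, sec = parse_dig(text)
    auth, extra = sec.get('AUTHORITY', []), sec.get('ADDITIONAL', [])
    own = [rd for o, t, rd in sec.get('ANSWER', []) + auth if t == 'NS' and o == q]
    if own:  # the server hands out qname's own NS records: delegation exists
        return {'kind': 'delegated', 'next': own}
    parent_ns = [rd for o, t, rd in auth if t == 'NS' and q.endswith('.' + o)]
    if parent_ns and 'aa' not in flags:  # referral one zone down; prefer glue
        glue = [rd for o, t, rd in extra if t in ('A', 'AAAA') and o in parent_ns]
        return {'kind': 'referral', 'next': glue or parent_ns}
    if 'aa' in flags and any(t == 'SOA' for _, t, _ in auth):
        # parent is authoritative but has no NS for qname: nothing points at it
        return {'kind': 'undelegated', 'next': []}
    return {'kind': 'unknown', 'next': []}
```

Feed each hop's reply in turn: a 'referral' gives the addresses to ask next, 'delegated' means the registrar's NS records are in place, and 'undelegated' is the state this thread is about.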
Maybe an image is more illustrative.
http://www.rwxrwxrwx.net/domain.png
As you can see in the image, I can opt to choose the bluehost DNS servers or my own. I chose to use my own. The UI will of course be different for you, but at least this should explain what it should more or less look like in case it wasn't already clear.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Yep, it's almost exactly the same at NetSol.
http://tinypic.com/r/ok27tc/6
http://tinypic.com/r/dyqek2/6
Last edited by DutchDaemon; 4th December 2009 at 12:35 AM.
Thanks guys for the help, I transferred my domain to netsol and am now waiting for it to complete...
I also want to know if it is possible and correct to have one zone inside my network (behind NAT), something like sniper.local for my hosts with local IPs (192.168...), and of course the one existing zone sniper-unix.org?
__________________
If anything can go wrong, it will. If it can't, it will anyway
Yes, you can have a 'private' zone in your local network. I use 'utp.xnet' for my private domain.
Code:
$ dig -t ns utp.xnet @192.168.222.11

; <<>> DiG 9.3.4 <<>> -t ns utp.xnet @192.168.222.11
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54374
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;utp.xnet.                      IN      NS

;; ANSWER SECTION:
utp.xnet.               259200  IN      NS      ns1.utp.xnet.

;; ADDITIONAL SECTION:
ns1.utp.xnet.           259200  IN      A       192.168.222.11

;; Query time: 2 msec
;; SERVER: 192.168.222.11#53(192.168.222.11)
;; WHEN: Sun Dec  6 12:20:20 2009
;; MSG SIZE  rcvd: 60
Code:
$ ping -c2 hercules.utp.xnet
PING hercules.utp.xnet (192.168.222.20): 56 data bytes
64 bytes from 192.168.222.20: icmp_seq=0 ttl=255 time=0.024 ms
64 bytes from 192.168.222.20: icmp_seq=1 ttl=255 time=0.016 ms

--- hercules.utp.xnet ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.016/0.020/0.024/0.004 ms
Code:
$ dig -x 192.168.222.88

; <<>> DiG 9.3.4 <<>> -x 192.168.222.88
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33621
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;88.222.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
88.222.168.192.in-addr.arpa. 604800 IN  PTR     xenophanes.utp.xnet.

;; Query time: 3 msec
;; SERVER: 192.168.222.10#53(192.168.222.10)
;; WHEN: Sun Dec  6 12:23:15 2009
;; MSG SIZE  rcvd: 78
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
OK good.
I figured out that people from different networks (who aren't on my local network) couldn't resolve through my DNS. So if they configure their resolver to the IP where my DNS listens, it doesn't work. Is this behaviour the default BIND security setting?
__________________
If anything can go wrong, it will. If it can't, it will anyway
Last edited by sniper007; 6th December 2009 at 10:14 PM.
I don't understand exactly what you mean, so I'll address two points off-hand.
1. BIND as a local network resolving server
BIND denies recursive DNS queries by default (as it should); if you have a network for which BIND should act as the central DNS server, you'll have to set up an access list (acl) and allow that acl to query your DNS recursively.
2. BIND as the authoritative nameserver for your domains
BIND will only allow external queries to your master zones (the domains you host) if allow-query for those master zones is set (usually to 'all').
These are answers to two very different issues, so be more precise in describing your problem.
No, this is not a problem, I am just asking if it is normal that people from a different network couldn't use my DNS server (e.g. for internet browsing) instead of their ISP's DNS...
__________________
If anything can go wrong, it will. If it can't, it will anyway
I don't think you read DutchDaemon's answer, above:
Quote:
I started with this "how to": http://www.langfeldt.net/DNS-HOWTO/BIND-9/
The BIND administrator's guide should be available on your FreeBSD system. (On my OpenBSD system, it begins at /usr/share/doc/html/bind/Bv9ARM.html )
Yes of course, I read it and now all is clear.
I also successfully transferred the domain to networksolution but the status is still INACTIVE.
Code:
Status:CLIENT TRANSFER PROHIBITED
Status:INACTIVE
Status:TRANSFER PROHIBITED
Status:TRANSFERPERIOD
Status:RENEWPERIOD
Note: I just bought DNS and BIND by Cricket Liu, Paul Albitz
__________________
If anything can go wrong, it will. If it can't, it will anyway
See my recent post for how to set up BIND as an authoritative name server.
If you really want to know DNS, and not how a particular popular nameserver, BIND, implements DNS, you should spend some time on djbdns. Install it on an old PC and play with it.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump