BIND and DNS Stuff

Hi,

blah blah!

I'm sure this question has been asked a million times and over, however whiles browsing topics I thought would answer my questions I'm not getting any joy :)

Problem

I have configured two name servers in two different data centers ns1.example.com and ns2.example.com and also configured reverse mapping. However my registrar complains that when it tries a reverse lookup it ends up finding members.linode.com …

am I perhaps doing something wrong? this is my first.

More info

Server 1 is setup as master for example.com, also in named.conf I have defined reverse mapping along with PTR resource records in zone file.

Server 2 is setup as slave for example.com I have defined reverse mapping along with PTR resource records in zone file.

For my configuration I opted to use BIND view configuration to separate internal and external operations, named-checkconfig returns no errors on both servers.

Regards

15 Replies

Blah, blah, blah, are we supposed to just post random guesses about what you did or didn't do, or eventually will provide real details so that we can help?

Do you mean reverse mapping for your Linode's public IP address? You can't control that yourself in your own nameservers, because the IP address comes from a Linode block, so it's their DNS servers that will be used for any PTR requests.

Instead, from within the Linode Manager, on the Remote Access tab for each Linode, under Public IPs there is a "Reverse DNS" link where you can configure the reverse DNS name Linode's servers will answer with for a given Linode.

The process will require that the name you give has a forward resolution back to your IP address already established, as verification.

– David

@vonskippy:

Blah, blah, blah, are we supposed to just post random guesses about what you did or didn't do, or eventually will provide real details so that we can help?

I didn't want to provide too much information, as a security measure from my end. However @db3l understands what I meant.

@db3l:

Do you mean reverse mapping for your Linode's public IP address? You can't control that yourself in your own nameservers, because the IP address comes from a Linode block, so it's their DNS servers that will be used for any PTR requests.

Instead, from within the Linode Manager, on the Remote Access tab for each Linode, under Public IPs there is a "Reverse DNS" link where you can configure the reverse DNS name Linode's servers will answer with for a given Linode.

The process will require that the name you give has a forward resolution back to your IP address already established, as verification.

– David

Thank you , I will try this.

To configure a forward resolution, would I then place the following configuration in my reverse mapping zone definition in named.conf

on master/ ns1

zone "master-ip-reversed.IN-APPR…." IN{

forwarders { master_ip;};

};

on slave/ns2

zone "slave-ip-reversed.IN-APPR…." IN{

forwarders { salve_ip; };

};

Please advice

The forward resolution is just a normal DNS lookup (probably an A record, but could be a CNAME to an A) for the name.

You need to configure this wherever your current DNS for your domain is hosted. Since your issue is switching your registrar to your new servers, that is most likely with your prior DNS hosting, e.g., wherever your current zone points. So no, I don't expect it's something you would do in your new DNS setup, and certainly not in your reverse zone. (Though you of course will likely want the A record in your new DNS server once cut over) Note also that while it's been a while since I configured bind, the "forwarders" entry should, I think, just configure where to pass along requests to another server, but is unrelated to the forward lookup (e.g., name to address) I was referring to.

In other words, if you're trying to change your reverse DNS name for your Linode to node.example.com, you need to add an A record for node.example.com (wherever example.com's DNS is currently being served from) to return your Linode's address. "dig node.example.com" should return your Linode's address.

To your comment about security - DNS information is in general publicly available anyway - that's sort of the point - so you're not really helping anyone help you by being obscure. You're just making it more likely people won't bother to answer.

For example, in this case, if you had included your domain name somewhere along the line I could have done a whois lookup, identified your current registrar and DNS hosts and told you exactly where to change the records in either case. Instead, this response has to be overly generic (which also takes more effort to produce).

– David

@db3l:

The forward resolution is just a normal DNS lookup (probably an A record, but could be a CNAME to an A) for the name.

You need to configure this wherever your current DNS for your domain is hosted. Since your issue is switching your registrar to your new servers, that is most likely with your prior DNS hosting, e.g., wherever your current zone points. So no, I don't expect it's something you would do in your new DNS setup, and certainly not in your reverse zone. (Though you of course will likely want the A record in your new DNS server once cut over) Note also that while it's been a while since I configured bind, the "forwarders" entry should, I think, just configure where to pass along requests to another server, but is unrelated to the forward lookup (e.g., name to address) I was referring to.

In other words, if you're trying to change your reverse DNS name for your Linode to node.example.com, you need to add an A record for node.example.com (wherever example.com's DNS is currently being served from) to return your Linode's address. "dig node.example.com" should return your Linode's address.

To your comment about security - DNS information is in general publicly available anyway - that's sort of the point - so you're not really helping anyone help you by being obscure. You're just making it more likely people won't bother to answer.

For example, in this case, if you had included your domain name somewhere along the line I could have done a whois lookup, identified your current registrar and DNS hosts and told you exactly where to change the records in either case. Instead, this response has to be overly generic (which also takes more effort to produce).

– David

You are correct in both saying the the forwarders has nothing to do with the forwarding you are talking about and also in regards to the security thing.

The domain in question is 4things-cloud.co.za, it is not registered yet, so I believe a dig would return nothing. My registrar requires that I have a reverse mapping setup in-order to register the domain. However I wish not to use linodes ns records ns1-ns5, hence I installed bind.

If I understand you correctly, I would first have to register domain using linode ns records before I can provide vanity ns records?

@4things-cloud:

If I understand you correctly, I would first have to register domain using linode ns records before I can provide vanity ns records?
In general, it'll depend on the restrictions and capabilities of the registrar, but yes, given the requirements you are subject to in this case that's probably the path of least resistance. Requiring the reverse lookup seems a little excessive (I have a server where that isn't true since "ns1" is the same as my "www" host and the latter is the reverse lookup) but have not used that many registrars so am not sure how common such a restriction may be. Although maybe the registrar is really complaining about the domain mismatch (e.g., "members.linode.com" versus your "4things-cloud.ca.za") and not the exact name; though even that might be too constraining.

I suppose alternatively you could just register initially with your "members" hostname for the nameserver Linodes to pass the registrar check and then update that later. But just using Linode's DNS setup will get you a working DNS setup quickly, buying time to work on your own local setup.

For what it's worth, I find it convenient to use Linode's servers, even though I do operate my primary master on my Linode, so you might also consider that as you go forward. If you configure a domain in Linode as a slave to your server, you get all the benefits of Linode's distributed servers for redundancy, so you really only need to operate one master yourself. If you use notifies, you also aren't subject to the 15min refresh time for zone updates that you get when making changes through the manager.

– David

I think I'm pretty close to resolving this issue, however a little assistance would help a great deal.

I have been able to setup BIND on two linode servers A as master B as slave to zones servers are in different locations.

However despite all my efforts to provide vanity ns records having set linode as salve too, my registrar still gets linode.members as reverse address even though I have edited /etc/resolv.conf on both server A and B to use bind running on both servers still no joy

/etc/resolv.conf

4things-cloud.co.za
search 4things-cloud.co.za
nameserver 97.107.133.4
nameserver 178.79.165.76

Server A /etc/named.conf

set server b as slave along with 5 linode servers ns 1 - ns 5

I read somewhere that is I create A records pointing vanity ns records to linodes ns ips this might solve the issue, not so sure about that though…

Any suggestions?

@4things-cloud:

However despite all my efforts to provide vanity ns records having set linode as salve too, my registrar still gets linode.members as reverse address even though I have edited /etc/resolv.conf on both server A and B to use bind running on both servers still no joy
Have you adjusted your reverse DNS in the Linode manager as per earlier in this topic? If your registrar is still getting a members.linode.com as a reverse lookup for your Linode addresses I'm guessing not.

You can't control the reverse DNS from your own servers (and it's unrelated to resolv.conf) - it has to change in the Linode servers that answer the query, which is what the manager option does.

– David

@db3l:

Have you adjusted your reverse DNS in the Linode manager as per earlier in this topic? If your registrar is still getting a members.linode.com as a reverse lookup for your Linode addresses I'm guessing not.

When I try to adjust the reverse lookup on linode manager, I get the following message

No match was found for 'ns1.4things-cloud.co.za'. Reverse DNS must have a matching forward entry that points to one of your IPs.

not sure is this is because the domain is not registered yet? I already have A record pointing to one of my IPs

@4things-cloud:

not sure is this is because the domain is not registered yet? I already have A record pointing to one of my IPs
Yep, but earlier weren't you just going to host your domain on the Linode servers first to take care of that? (Or I think I suggested initially using the members.linode.com name for your registrar as another alternative).

– David

@db3l:

Yep, but earlier weren't you just going to host your domain on the Linode servers first to take care of that? (Or I think I suggested initially using the members.linode.com name for your registrar as another alternative).

the registrar for co.za domain is extremely strict, they refuse to process applications because the number of name-servers provided must match the number of nameservers actually configured, if I use ns1 and ns2 4things-cloud.co.za and then provide linodes nameservers 1 through 5, it rejects my application. I'm not sure why they seem stricter then other registrars so I believe it would be beside to register my domain as .com then provide vanity nameservers to .co.za

Registrar messages:

ERROR: Form had 5[b] Nameservers - but 'dig' counted 7![/b]
!  The Number of NameServer records must be the same as on the application form.
!                
NS1-2 FQDN: ns1.linode.com.
NS1-2 IPV6: 2600:3c00::a
NS1-2 ORIGIN: ns1.4things-cloud.co.za.
NS1-2 E-MAIL: [email protected]
NS1-2 SER-NO: 2011110900
NS1-2 NS RECORD1: ns1.4things-cloud.co.za.
NS1-2 NS RECORD2: ns1.linode.com.
NS1-2 NS RECORD3: ns2.4things-cloud.co.za.
NS1-2 NS RECORD4: ns2.linode.com.
NS1-2 NS RECORD5: ns3.linode.com.
NS1-2 NS RECORD6: ns4.linode.com.
NS1-2 NS RECORD7: ns5.linode.com.

@4things-cloud:

the registrar for co.za domain is extremely strict, they refuse to process applications because the number of name-servers provided must match the number of nameservers actually configured, if I use ns1 and ns2 4things-cloud.co.za and then provide linodes nameservers 1 through 5, it rejects my application. I'm not sure why they seem stricter then other registrars so I believe it would be beside to register my domain as .com then provide vanity nameservers to .co.za
Well, if there's a mismatch between what you tell your registrar and what your zone itself has, then you did that yourself, right, since both sets of information are something you configured? That seems like something in your control (and not necessarily an unreasonable thing for a registrar to check, though if the registrar data is a subset of the zone data it should still be safe technically).

My suggestion - give up on the vanity stuff initially. Clearly it's complicating your setup and interfering with your ability to configure all parts of the system simultaneously to be happy. Instead, set up your domain with the Linode DNS manager, and register it with your registrar using the ns#.linode.com nameservers (and only those). That should be pretty straight forward, and doesn't involve anything on your Linodes themselves (so don't worry about bind configurations, forwarders, /etc/resolv.conf, etc..).

At that point you'll have a working DNS setup for your domain, albeit hosted and managed through Linode. You can then use that DNS setup as a base from which you can work on a vanity configuration. Set up appropriate A records (in the Linode DNS manager) for your Linodes you want to use as nameservers, and then establish reverse mappings through the Linode Manager. You can then move on to your local Linode DNS/bind setup and configure your zones as desired (including matching the intended NS information) and finally update your registrar to point to them instead - now that you'll have satisfied its requirement for a reverse DNS match. Once done (and all DNS has propagated) you can remove the zones from Linode and/or set its DNS manager up to slave from yours for additional redundancy (which would also imply adding them as additional servers with your registrar).

Beyond that though I'm not sure what to suggest. I think at this point you've got all the details you need to make this work, or otherwise need to take it up with your registrar (or find another registrar) as it's mostly their requirements - not all of which are unreasonable - that you're having a hard time complying with. But I suspect that it's just trying to do too many things at once that may be creating the confusion.

– David

I was able to resolve this issue, was pretty straight forward actually now that I thing about it… But as always when your new to something it is always difficult:

Resolution Steps

  • Use Linode DNS manager and create slave zone

  • Configure your domain zone file to use all five linode ns records

  • Create a forwarding address with one of your IPs

  • Register domain at registrar with linode NS records

  • After propagation

** Configure vanity ns records in your domain zone file

** change reverse lookup to your vanity ns records, (you must have a forwarding address pointing to one of your IPs)

** Wait 24Hours

** Update domain at registrar with your vanity ns records

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct