Primary Name Server doesn't recognize own Domain Name


rioguia
10-18-2003, 03:10 PM
My Primary Name Server on my home network doesn't recognize the Domain Name for which it is master. I am running Red Hat 9.0, my domain is substantis.com, and my server is ns1.substantis.com, which also serves as mail and www (IP 66.92.149.1960). It is located behind my Linux firewall/router on a DMZ. My secondary server is run by my ISP, who is also handling the reverse lookup (no reverse delegation for my IP). I can't understand how to troubleshoot the responses I get from DIG to solve my problem. By the way, when I ssh to an external PC and do a dig on NS1.substantis.com, it doesn't recognize substantis.com but it will resolve its IP address and any valid domain.
[root@ns1 root]# dig substantis.com

; <<>> DiG 9.2.1 <<>> substantis.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34989
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;substantis.com. IN A

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 16 06:51:56 2003
;; MSG SIZE rcvd: 32

[root@ns1 root]# dig 66.92.149.196

; <<>> DiG 9.2.1 <<>> 66.92.149.196
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46337
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0

;; QUESTION SECTION:
;66.92.149.196. IN A

;; ANSWER SECTION:
66.92.149.196. 604800 IN A 66.92.149.196

;; AUTHORITY SECTION:
. 518379 IN NS K.ROOT-SERVERS.NET.
. etc.

;; Query time: 68 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 16 06:52:07 2003
;; MSG SIZE rcvd: 258

Here are my files:

NAMED.CONF
// generated by named-bootconf.pl
options {
directory "/var/named" ;
forwarders {
66.92.159.2;
216.231.41.2;
};
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 uses an unprivileged
// port by default.

query-source address * port 53;

};
zone "." {
type hint;
file "named.ca";
};
zone "named.local" {
type master;
file "named.local";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" {
type master;
file "named.local.rev";
allow-update { none; };
};

// our primary information
zone "substantis.com" {
type master;
file "named.substantis.com";
allow-update {none;};
};
zone "149.92.66.in-addr.arpa" {
type master;
file "named.rev";
};
"/etc/named.conf" 41L, 1004C

NAMED.LOCAL
$TTL 86400
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS localhost.

1 IN PTR localhost.

NAMED.LOCAL.REV
$TTL 172800
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
3h ; Refresh
15 ; Retry
1w ; Expire
3h ) ; Minimum
IN NS localhost.
1 IN PTR localhost.

named.substantis.com
$TTL 86400
@ IN SOA substantis.com. maworden.hotmail.com. (
2003101709 ;serial number
1800 ;temporary refresh every 10800 for 3 hours
1800 ;retry every 30 minutes
1209600 ;expire in 2 weeks
604800 ) ;minimum 1 week
IN NS ns1.substantis.com.
IN NS ns2.speakeasy.net.
IN NS ns1.speakeasy.net.
IN A 66.92.149.196 ; suggested by poster
IN MX 10 ns1.substantis.com.
localhost IN A 127.0.0.1 ; resolve localhost
smoothwall IN A 10.1.1.1 ; internet gateway
ns1 IN A 66.92.149.196 ; name server
mail IN A 66.92.149.196 ; mail to name server
www IN A 66.92.149.196 ; apache to name server
www IN CNAME ns1 ; apache alias

149.92.66.IN-ADDR.ARPA
$TTL 604800
@ IN SOA 149.92.66.in-addr.arpa. maworden.hotmail.com. (
2003101810
10800 ;refresh every 10800 for 3 hours
1800 ;retry every 30 minutes
1209600 ;expire in 2 weeks
604800 ) ;minimum 1 week
IN NS ns1.substantis.com.
IN NS ns2.speakeasy.net.
IN NS ns1.speakeasy.net.
196 IN PTR smoothwall.substantis.com.
196 IN PTR mail.substantis.com.
196 IN PTR www.substantis.com.
196 IN PTR ns1.substantis.com.

fredg
10-18-2003, 04:00 PM
Try adding this line directly below the $TTL 86400 line in named.substantis.com

$ORIGIN substantis.com.

rioguia
10-18-2003, 05:24 PM
Status is still SERVFAIL. That means that the domain does exist and the root name servers have information on this domain, but that the authoritative name servers are not answering queries for this domain.


When I ask for all of the resource records for a given domain, I get the following result:

% dig @66.92.149.198 substantis.com axfr
;; Connection to 66.92.149.198#53(66.92.149.198) for substantis.com failed: connection refused.

fredg
10-18-2003, 05:51 PM
Your domain records show

ns1.speakeasy.net
ns2.speakeasy.net

as also being authoritative, but neither of these answers records for your domain. These name servers don't seem to be working at all.

To allow zone transfers, you need to enable those in the named.conf file

Read the BIND docs about "allow-transfer" statements.

You'll also want to read up on "allow-query" statements.

And make sure you have UDP port 53 open on the firewall for queries. You'll need TCP port 53 open for zone transfers.

rioguia
10-18-2003, 10:41 PM
Thanks.

Added to named.conf this entry:
options {

allow-query { 10.1.1.0/16; 10.1.10.0/16; 216.231.41.19; 216.254.0.9 };

allow-transfer { 216.231.41.19; 216.254.0.9 };
};


Is there a good way to test the effect on the secondary servers or a way to force them to update (or predict when they will update)?
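The allow-query and allow-transfer lists above are BIND address_match_lists, and fredg's next-but-one reply points at syntax problems in them. The following checker is an added example of my own, not code from BIND or from either poster: it parses a match list the way named reads it (every element terminated by a semicolon, prefixes with no host bits set, "!" negation, first match wins) and answers whether a given client address would be permitted. The sample lists are constructed from the entries posted in this thread.

```python
"""Added example: validate a BIND address_match_list and evaluate it for a client.

This is a simplified re-implementation for teaching, not BIND's own parser:
it understands IP addresses, CIDR prefixes, "any", "none" and "!" negation,
but not named ACLs or TSIG key names.
"""
import ipaddress
import re


class AclError(ValueError):
    """Raised for a list that named would refuse to load."""


def parse_match_list(text):
    """Parse '{ elem; elem; ... };' into a list of (negated, element) tuples."""
    m = re.fullmatch(r"\s*\{(.*)\}\s*;?\s*", text, re.S)
    if not m:
        raise AclError("list must be enclosed in { }")
    body = m.group(1).strip()
    # Every element, including the last one, needs its own ';' terminator.
    if body and not body.endswith(";"):
        last = body.split(";")[-1].strip()
        raise AclError(f"missing ';' after last element: {last!r}")
    elems = []
    for raw in body.split(";"):
        tok = raw.strip()
        if not tok:
            continue
        negated = tok.startswith("!")
        tok = tok.lstrip("!").strip()
        if tok in ("any", "none"):
            elems.append((negated, tok))
            continue
        try:
            # strict=True rejects prefixes such as 10.1.1.0/16, whose host bits
            # are set; that usually means the mask was not what the author meant.
            net = ipaddress.ip_network(tok, strict=True)
        except ValueError as exc:
            raise AclError(f"bad address element {tok!r}: {exc}") from None
        elems.append((negated, net))
    return elems


def acl_allows(elems, client):
    """First matching element decides (a negated match denies); no match denies."""
    addr = ipaddress.ip_address(client)
    for negated, elem in elems:
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        else:
            hit = addr in elem
        if hit:
            return not negated
    return False


def lint_match_list(text):
    """Return a list of problems found in the list text (empty when it is clean)."""
    try:
        parse_match_list(text)
        return []
    except AclError as exc:
        return [str(exc)]


# Constructed samples based on the entries posted in this thread.
POSTED_ALLOW_QUERY = "{ 10.1.1.0/16; 10.1.10.0/16; 216.231.41.19; 216.254.0.9 };"
POSTED_ALLOW_TRANSFER = "{ 216.231.41.19; 216.254.0.9; };"
ISP_SECONDARY = "216.231.41.19"      # one of the listed ISP secondaries
FORWARDER = "66.92.159.2"            # a forwarder from the first named.conf

if __name__ == "__main__":
    print("allow-query problems:", lint_match_list(POSTED_ALLOW_QUERY))
    acl = parse_match_list(POSTED_ALLOW_TRANSFER)
    for host in (ISP_SECONDARY, FORWARDER):
        print(f"transfer from {host}: {'allowed' if acl_allows(acl, host) else 'denied'}")
```

Run it and the posted allow-query list is rejected before any address is looked at, because the last element has no terminating semicolon; with that fixed, the 10.1.1.0/16 prefix is rejected next, since /16 would cover 10.1.0.0 through 10.1.255.255 and the host bits are set. The transfer list allows the two ISP secondaries and denies everything else, which is the least-privilege shape you want for allow-transfer.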

fredg
10-18-2003, 10:53 PM
Originally posted by rioguia
Is there a good way to test the effect on the secondary servers or a way to force them to update (or predict when they will update)?

Add a notify statement. That will force an update to slaves if you make changes in the master.

rioguia
10-19-2003, 08:29 AM
fredg thanks for your help.
i think we need to get back to basics.

I have yet to get this DNS server up and running. To simplify things, at least until I get better at this, I have eliminated the router and NAT as an issue.

Specifically, I have taken the dns out from behind a hardware router / firewall and made the DNS server the firewall. I have edited my files to reflect this change and still no resolution for substantis.com. I am reposting my edited files. MY ONE QUESTION IS THIS: WHY CAN'T MY DNS SERVER FIND ITSELF WITH THE HOST COMMAND?

[root@ns1 root]# host ns1.substantis.com
Host ns1.substantis.com not found: 2(SERVFAIL)


NAMED.CONF
// generated by named-bootconf.pl
options {
directory "/var/named" ;
version "[I don't respond to version queries]";
query-source address * port 53;

};
zone "." {
type hint;
file "named.ca";
};
zone "named.local" {
type master;
file "named.local";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" {
type master;
file "named.local.rev";
allow-update { none; };
};

// our primary information
zone "substantis.com" {
type master;
file "named.substantis.com";
allow-update {none;};
notify yes;
};
zone "149.92.66.in-addr.arpa" {
type master;
file "named.rev";

NAMED.SUBSTANTIS.COM
$TTL 86400
substantis.com. IN SOA ns1.substantis.com. maworden.hotmail.com. (
2003101918 ;serial number in year,month,day## format
1800 ;temporary refresh every 10800 for 3 hours
1800 ;retry every 30 minutes
1209600 ;expire in 2 weeks
604800 ) ;minimum 1 week
substantis.com IN NS ns1.substantis.com.
substantis.com. IN NS ns2.speakeasy.net.
substantis.com. IN NS ns1.speakeasy.net.

localhost.substantis.com. IN A 127.0.0.1 ; resolve localhost
ns1.substantis.com. IN A 66.92.149.196 ; name server
www.substantis.com. IN CNAME ns1.substantis.com. ;CNAME for ns1.substantis.com
mail.substantis.com. IN CNAME ns1.substantis.com. ;CNAME for ns1.substantis.com
IN MX 10 ns1.substantis.com.

NAMED.REV
$TTL 604800
149.92.66.in-addr.arpa. IN SOA ns1.substantis.com. maworden.hotmail.com. (
2003101814 ;Serial, todays date + todays serial
10800 ;refresh every 10800 for 3 hours
1800 ;retry every 30 minutes
1209600 ;expire in 2 weeks
604800 ) ;minimum 1 week
;
; Name servers
;
NS ns1.substantis.com.

NAMED.LOCAL
$TTL 86400
@ IN SOA localhost. root.localhost. (
1997022703 ; Serial
28800 ; Refresh 8 hours
14400 ; Retry four hours
3600000 ; Expire 6 weeks
86400 ) ; Minimum 1 day

IN NS localhost.
IN PTR localhost.

NAMED.LOCAL.REV
$TTL 172800
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
3h ; Refresh
15 ; Retry
1w ; Expire
3h ) ; Minimum
IN NS localhost.
1 IN PTR localhost.

fredg
10-19-2003, 09:07 AM
You'll want to look in /var/log/messages and see if named is actually starting or is failing for some reason. I still see some syntax errors, unless you just aren't pasting all the stuff in here - missing @, missing }; type things.

Your allow-query entry should be changed to any for now.

Also look in /etc/resolv.conf and make sure you have appropriate entries there.

rioguia
10-20-2003, 01:14 AM
Thanks for your feedback. I have reviewed and modified the files per your instructions. Unfortunately, I still have the SERVFAIL response for dig substantis.com. Is it possible that the issue relates to my ISP maintaining the reverse IP authority (rather than delegating it to me)? Do I need to make any special adjustments due to the reverse lookup?

Regardless, here are my results below:

[root@ns1 root]# ps -u named
PID TTY TIME CMD
15522 ? 00:00:00 named

/etc/named.resolv
search substantis.com
nameserver 127.0.0.1

/etc/host.conf
#Lookup names via DNS first then fall back to /etc/hosts.
order bind,hosts
# We have machines with multiple IP addresses.
multi on

/etc/nsswitch.conf
bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files

netgroup: files

publickey: nisplus

automount: files
aliases: files nisplus


[root@ns1 root]# tail /var/log/messages [ OK ]
Oct 19 16:08:58 ns1 named[15522]: listening on IPv4 interface lo, 127.0.0.1#53
Oct 19 16:08:58 ns1 named[15522]: listening on IPv4 interface eth0, 66.92.149.196#53
Oct 19 16:08:58 ns1 named[15522]: listening on IPv4 interface eth1, 192.168.0.1#53
Oct 19 16:08:58 ns1 named[15522]: command channel listening on 127.0.0.1#953
Oct 19 16:08:58 ns1 named[15522]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Oct 19 16:08:58 ns1 named[15522]: zone 149.92.66.in-addr.arpa/IN: loaded serial 2003101814
Oct 19 16:08:58 ns1 named[15522]: dns_master_load: named.substantis.com:18: mail.substantis.com: CNAME and other data
Oct 19 16:08:58 ns1 named[15522]: zone substantis.com/IN: loading master file named.substantis.com: CNAME and other data
Oct 19 16:08:58 ns1 named[15522]: running

FILES

named.conf
// generated by named-bootconf.pl
options {
directory "/var/named" ;
version "[I don't respond to version queries]";
query-source address * port 53;
allow-query { any; };
allow-transfer { 216.231.41.19; 216.254.0.9; };
};
zone "." {
type hint;
file "named.ca";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "named.local";
};
// our primary information
zone "substantis.com" {
type master;
file "named.substantis.com";
allow-update {none;};
notify yes;
};
zone "149.92.66.in-addr.arpa" {
type master;
file "named.rev";
allow-update {none;};
notify yes;
};

named.local
$TTL 86400
@ IN SOA ns1.substantis.com. maworden@hotmail.com (
2003101904 ; Serial
28800 ; Refresh 8 hours
14400 ; Retry four hours
3600000 ; Expire 6 weeks
86400 ) ; Minimum 1 day

NS localhost.
1 PTR localhost.

named.substantis.com
$TTL 86400
@ IN SOA ns1.substantis.com. maworden.hotmail.com. (
2003101920 ;serial number in year,month,day## format
1800 ;temporary refresh every 10800 for 3 hours
1800 ;retry every 30 minutes
1209600 ;expire in 2 weeks
604800 ) ;minimum 1 week
TXT "Simple dns setup"
IN A 66.92.149.196;
NS ns1.substantis.com.
NS ns2.speakeasy.net.
NS ns1.speakeasy.net.

localhost IN A 127.0.0.1 ; resolve localhost
ns1 IN A 66.92.149.196 ; name server
www IN CNAME ns1 ;CNAME for ns1.substantis.com
mail IN CNAME ns1 ;CNAME for ns1.substantis.com
IN MX 10 mail ;CNAME for ns1.substantis.com

named.local
$TTL 604800
@ IN SOA ns1.substantis.com. maworden@hotmail.com. (
2003101815 ;Serial, todays date + todays serial
10800 ;refresh every 10800 for 3 hours
1800 ;retry every 30 minutes
1209600 ;expire in 2 weeks
604800 ) ;minimum 1 week
;
; Name servers
;
NS ns1.substantis.com.
PTR ns1.substantis.com.
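The log line "named.substantis.com:18: mail.substantis.com: CNAME and other data" is the reason the zone never loads, and the cause is in the posted zone file: after "mail IN CNAME ns1", the next line "IN MX 10 mail" has a blank owner, so it is attached to the previous owner, mail, not to the zone apex. A name that owns a CNAME may own nothing else (RFC 1034 section 3.6.2), so named refuses the file, and with no zone loaded every query for substantis.com gets SERVFAIL. The checker below is an added example of my own (not BIND's code and not either poster's): it expands @ and relative names against $ORIGIN, as fredg's earlier $ORIGIN suggestion does, applies the blank-owner rule, and reports both the CNAME conflict and MX/NS records that point at a CNAME (RFC 2181 section 10.3). The two zone texts are constructed from the file posted above, once as posted and once with plain A records.

```python
"""Added example: a small master-file checker that mimics the load-time rules
named applies. Simplified for teaching: handles $TTL, $ORIGIN, @, relative
names, blank owners, ( ) continuations and ';' comments, not every directive.
"""
import re
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"\d+[smhdwSMHDW]?")
NAME_TARGET_TYPES = {"NS", "CNAME", "PTR", "MX"}   # rdata ends with a domain name


def strip_comment(line):
    """Drop a ';' comment unless the ';' sits inside a quoted TXT string."""
    out, in_quotes = [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            break
        out.append(ch)
    return "".join(out)


def logical_lines(text):
    """Yield records with '( ... )' continuation lines joined into one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = strip_comment(raw)
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0
    if buf:
        yield " ".join(buf)


def fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return {owner_fqdn: [(rtype, rdata), ...]} with every name made absolute."""
    origin = origin if origin.endswith(".") else origin + "."
    records, prev_owner = defaultdict(list), None
    for line in logical_lines(text):
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        tokens = line.split()
        if line[0].isspace():
            # Blank owner: the record belongs to the previous owner, which is
            # how '   IN MX 10 mail' lands on mail, not on the apex.
            if prev_owner is None:
                raise ValueError("blank owner with no previous owner")
            owner = prev_owner
        else:
            owner = fqdn(tokens.pop(0), origin)
        while tokens and (TTL_RE.fullmatch(tokens[0]) or tokens[0].upper() in CLASSES):
            tokens.pop(0)                      # optional TTL and class
        rtype = tokens.pop(0).upper()
        if rtype in NAME_TARGET_TYPES:
            tokens[-1] = fqdn(tokens[-1], origin)
        records[owner].append((rtype, " ".join(tokens)))
        prev_owner = owner
    return dict(records)


def cname_conflicts(records):
    """Owners that hold a CNAME together with any other record type."""
    return [(owner, sorted({t for t, _ in rrs})) for owner, rrs in records.items()
            if any(t == "CNAME" for t, _ in rrs) and len({t for t, _ in rrs}) > 1]


def targets_that_are_cnames(records):
    """MX/NS records whose target name is itself a CNAME."""
    cnames = {o for o, rrs in records.items() if any(t == "CNAME" for t, _ in rrs)}
    return [(owner, t, rdata.split()[-1]) for owner, rrs in records.items()
            for t, rdata in rrs if t in ("MX", "NS") and rdata.split()[-1] in cnames]


# Constructed sample: the shape of the named.substantis.com posted above.
BROKEN_ZONE = """\
$TTL 86400
@ IN SOA ns1.substantis.com. maworden.hotmail.com. (
        2003101920 ; serial
        1800 1800 1209600 604800 )
        TXT "Simple dns setup"
        IN A 66.92.149.196;
        NS ns1.substantis.com.
        NS ns2.speakeasy.net.
        NS ns1.speakeasy.net.
localhost IN A 127.0.0.1
ns1 IN A 66.92.149.196
www IN CNAME ns1
mail IN CNAME ns1
        IN MX 10 mail
"""

# Constructed sample: the same zone with plain A records and the MX on the apex.
FIXED_ZONE = """\
$TTL 86400
$ORIGIN substantis.com.
@       IN SOA ns1.substantis.com. maworden.hotmail.com. (
        2003101921 ; serial
        1800 1800 1209600 604800 )
@       IN NS ns1.substantis.com.
@       IN NS ns2.speakeasy.net.
@       IN NS ns1.speakeasy.net.
@       IN A 66.92.149.196
@       IN MX 10 mail
ns1     IN A 66.92.149.196
www     IN A 66.92.149.196
mail    IN A 66.92.149.196
"""

if __name__ == "__main__":
    for label, zone in (("posted", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        recs = parse_zone(zone, "substantis.com")
        print(label, "CNAME conflicts:", cname_conflicts(recs))
        print(label, "MX/NS -> CNAME:", targets_that_are_cnames(recs))
```

On the posted text the checker reports mail.substantis.com. owning both CNAME and MX, and the apex MX pointing at a CNAME; on the fixed text it reports nothing. The same "absolutes everywhere, no CNAMEs" shape is what fredg hands back at the end of the thread, and named-checkzone from the BIND distribution is the tool to run before every reload so a bad serial edit never takes the zone down.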

fredg
10-20-2003, 09:04 AM
I'd make these changes.

/etc/named.resolv
search substantis.com
nameserver 127.0.0.1
nameserver 66.92.149.196
nameserver 192.168.0.1

/etc/host.conf
#Lookup names via /etc/hosts first then fall back to DNS.
order hosts, bind
# We have machines with multiple IP addresses.
multi on


Send me your email address via instant message and I will rewrite your zone files for you and return them to you via email.

I would not bother at all with the 149.92.66.in-addr.arpa reverse zone, you don't have authority for it anyway.

rioguia
10-21-2003, 10:52 AM
You da' Man! Thank you Fred for your patience and kind assistance. It looks like everything is up and running fine. Now for the Mail and Web server!

fredg
10-21-2003, 11:47 AM
You're welcome. I gave you a master zone file with "absolutes" everywhere. I find those clearer, no CNAMEs, and easier to maintain.