Bind behind Cisco 675 router
Brad Knowles
brad.knowles at skynet.be
Sat Sep 22 23:18:42 UTC 2001
At 12:49 PM -0600 9/22/01, Deon Garrett wrote:
> The actual ip address is 66.7.185.147.
> It should be the authoritative server for the domain deong.org.
Well, at least the answers I'm seeing are plausible:
% dig @66.7.185.147 deong.org. any
; <<>> DiG 9.2.0rc3 <<>> @66.7.185.147 deong.org. any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39533
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;deong.org. IN ANY
;; ANSWER SECTION:
deong.org. 86400 IN SOA ns.deong.org. root.deong.org. 2001091902 14400 7200 604800 86400
deong.org. 86400 IN NS ns.deong.org.
deong.org. 86400 IN MX 10 deong.org.
deong.org. 86400 IN A 66.7.185.147
;; AUTHORITY SECTION:
deong.org. 86400 IN NS ns.deong.org.
;; ADDITIONAL SECTION:
ns.deong.org. 86400 IN A 66.7.185.147
deong.org. 86400 IN A 66.7.185.147
;; Query time: 111 msec
;; SERVER: 66.7.185.147#53(66.7.185.147)
;; WHEN: Sat Sep 22 19:10:41 2001
;; MSG SIZE rcvd: 163
Of course, this doesn't match the data currently registered with
the gTLD nameservers for .org:
% dig @a.gtld-servers.net. deong.org. any
; <<>> DiG 9.2.0rc3 <<>> @a.gtld-servers.net. deong.org. any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29308
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;deong.org. IN ANY
;; ANSWER SECTION:
deong.org. 172800 IN NS NS49.WORLDNIC.COM.
deong.org. 172800 IN NS NS50.WORLDNIC.COM.
;; AUTHORITY SECTION:
deong.org. 172800 IN NS NS49.WORLDNIC.COM.
deong.org. 172800 IN NS NS50.WORLDNIC.COM.
;; ADDITIONAL SECTION:
NS49.WORLDNIC.COM. 172800 IN A 216.168.225.179
NS50.WORLDNIC.COM. 172800 IN A 216.168.225.190
;; Query time: 7 msec
;; SERVER: 192.5.6.30#53(a.gtld-servers.net.)
;; WHEN: Sat Sep 22 19:11:47 2001
;; MSG SIZE rcvd: 137
% dig @NS49.WORLDNIC.COM. deong.org. any
; <<>> DiG 9.2.0rc3 <<>> @NS49.WORLDNIC.COM. deong.org. any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11409
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;deong.org. IN ANY
;; ANSWER SECTION:
deong.org. 86400 IN SOA NS49.WORLDNIC.COM. namehost.WORLDNIC.COM. 2001091800 3600 3600 432000 86400
deong.org. 86400 IN NS NS49.WORLDNIC.COM.
deong.org. 86400 IN NS NS50.WORLDNIC.COM.
deong.org. 86400 IN A 64.225.154.175
;; AUTHORITY SECTION:
deong.org. 86400 IN NS NS49.WORLDNIC.COM.
deong.org. 86400 IN NS NS50.WORLDNIC.COM.
;; Query time: 72 msec
;; SERVER: 216.168.225.179#53(NS49.WORLDNIC.COM.)
;; WHEN: Sat Sep 22 19:12:03 2001
;; MSG SIZE rcvd: 166
But I suspect that this is exactly what you're trying to get set
up to change, right? Checking out the current version of this domain
with DNS Expert Professional 1.6, I see three things to be concerned
about:
DNS Expert
Detailed Report for deong.org.
9/23/01, 1:13 AM, using the analysis setting "Everything"
======================================================================
Information
----------------------------------------------------------------------
Serial number: 2001091800
Primary name server: ns49.worldnic.com.
Primary mail server: N/A
Number of records: N/A
Errors
----------------------------------------------------------------------
o There are no MX records for the zone
The zone contains no MX records for the zone itself. This will
cause delivery problems for mail sent to any account of the form
user at zone. Every zone for which mail delivery is desired should
contain at least one MX record.
Warnings
----------------------------------------------------------------------
o The name server "ns49.worldnic.com." does not permit zone transfers
The name server "ns49.worldnic.com." has been configured to
reject unauthorized zone transfers and the application will not
be able to use data from this server while analyzing the zone.
o The name server "ns50.worldnic.com." does not permit zone transfers
The name server "ns50.worldnic.com." has been configured to
reject unauthorized zone transfers and the application will not
be able to use data from this server while analyzing the zone.
o Zone transfer from authoritative servers not possible
It was not possible to perform a zone transfer from any of the
authoritative name servers for the zone. This will limit the
range of tests performed for the zone.
o The refresh value in the SOA record is too close to the retry value
The value of the Refresh field in the SOA record (currently 3600)
should be at least three times bigger than the value of the Retry
field (currently 3600).
o All name servers for the zone are on the same subnet.
All name servers for the zone are on the same subnet
(216.168.225.*). If the connection to the network breaks, your
domain will become inaccessible.
----------------------------------------------------------------------
end of report
Specifically, the refresh and retry values should be further
apart (allowing more retries per refresh interval), there should
probably be a mail server registered, and you should be concerned
that both of the registered nameservers are on the same subnet. Now,
using the same tool to check out your private version of the zone, I
see:
DNS Expert
Detailed Report for deong.org.
9/23/01, 1:16 AM, using the analysis setting "Everything"
======================================================================
Information
----------------------------------------------------------------------
Serial number: 2001091902
Primary name server: ns.deong.org.
Primary mail server: deong.org.
Number of records: N/A
Errors
----------------------------------------------------------------------
No errors
Warnings
----------------------------------------------------------------------
o The name server "ns.deong.org." does not permit zone transfers
The name server "ns.deong.org." has been configured to reject
unauthorized zone transfers and the application will not be able
to use data from this server while analyzing the zone.
o Zone transfer from authoritative servers not possible
It was not possible to perform a zone transfer from any of the
authoritative name servers for the zone. This will limit the
range of tests performed for the zone.
o The refresh value in the SOA record is too close to the retry value
The value of the Refresh field in the SOA record (currently
14400) should be at least three times bigger than the value of
the Retry field (currently 7200).
o The zone contains more than one A record with the address
66.7.185.147
There is more than one A record in the zone with the IP address
66.7.185.147.
o There is only one NS record in the zone
The zone contains only one NS record. Every zone should contain
two or more NS records, and the NS records in the zone should
match the delegation data for the domain.
o There is only one MX record in the zone
The zone contains only one MX record. This will cause mail
delivery problems if the primary mail server becomes unavailable.
For safety purposes, there should be two or more mail servers
for every zone, the extra mail servers being used as backup
(secondary) servers for the primary server.
----------------------------------------------------------------------
end of report
Again, the ratio between the refresh and retry intervals should
be modified so as to allow more retries per refresh, and you should
have at least two nameservers registered (worldnic.com could
presumably provide your secondary/slave service, or you could
potentially sign up for free secondary/slave service with
secondary.com), and you should have a backup MX registered (you'd
probably have to talk to your provider about this).
--
Brad Knowles, <brad.knowles at skynet.be>
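The checks that the two DNS Expert reports above flag (refresh/retry ratio, NS count and subnet diversity, MX presence and backup, duplicate A records, and whether the zone's NS set matches the parent's delegation) can be re-implemented offline in a few lines. This is an added example, not code from the original post or from DNS Expert; the record tuples are constructed from the dig output above, and treating a /24 as "the same subnet" is an assumption.

```python
import ipaddress
from collections import Counter
# Records constructed from the dig output above: (owner, type, rdata).
# SOA rdata is (mname, serial, refresh, retry, expire, minimum).
REGISTERED_ZONE = [
    ("deong.org.", "SOA", ("NS49.WORLDNIC.COM.", 2001091800, 3600, 3600, 432000, 86400)),
    ("deong.org.", "NS", "NS49.WORLDNIC.COM."),
    ("deong.org.", "NS", "NS50.WORLDNIC.COM."),
    ("deong.org.", "A", "64.225.154.175"),
]
REGISTERED_GLUE = {"NS49.WORLDNIC.COM.": "216.168.225.179",
                   "NS50.WORLDNIC.COM.": "216.168.225.190"}
PRIVATE_ZONE = [
    ("deong.org.", "SOA", ("ns.deong.org.", 2001091902, 14400, 7200, 604800, 86400)),
    ("deong.org.", "NS", "ns.deong.org."),
    ("deong.org.", "MX", (10, "deong.org.")),
    ("deong.org.", "A", "66.7.185.147"),
    ("ns.deong.org.", "A", "66.7.185.147"),
]
PRIVATE_GLUE = {"ns.deong.org.": "66.7.185.147"}
# NS set published by the .org gTLD servers in the second dig above.
DELEGATION = ["NS49.WORLDNIC.COM.", "NS50.WORLDNIC.COM."]

def check_zone(apex, records, ns_addrs, delegation_ns=None):
    """Return a list of warning strings for one version of the zone."""
    warnings = []
    def of(rtype, owner=apex):
        return [rd for o, t, rd in records if o == owner and t == rtype]
    _, _, refresh, retry, _, _ = of("SOA")[0]
    if refresh < 3 * retry:  # the "too close" rule from the report
        warnings.append(f"SOA refresh {refresh} should be at least 3x retry {retry}")
    ns = of("NS")
    if len(ns) < 2:
        warnings.append("only one NS record in the zone")
    subnets = {ipaddress.ip_network(f"{ns_addrs[n]}/24", strict=False)
               for n in ns if n in ns_addrs}
    if len(ns) > 1 and len(subnets) == 1:  # assumption: /24 means "same subnet"
        warnings.append(f"all name servers on the same subnet {subnets.pop()}")
    mx = of("MX")
    if not mx:
        warnings.append("no MX records for the zone")
    elif len(mx) == 1:
        warnings.append("only one MX record in the zone (no backup mail server)")
    for addr, n in Counter(rd for _, t, rd in records if t == "A").items():
        if n > 1:
            warnings.append(f"more than one A record with the address {addr}")
    if delegation_ns is not None and {n.lower() for n in ns} != {n.lower() for n in delegation_ns}:
        warnings.append("zone NS records do not match the delegation at the parent")
    return warnings
```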