Problem: no ANSWER section in external queries only
Benton Roberts
bentonr at orad-ny.com
Fri Jul 2 21:51:21 UTC 2004
Hello, BIND experts.
I am having a configuration problem with named which is preventing my
nameserver from responding correctly to external queries. I am new to
setting up DNS, so please forgive me if I do not provide the correct
information for debugging this problem...
I have a server which is currently listening to several public IP
addresses. One of these addresses is already serving a named domain, but
my machine is not currently acting as this particular domain's
nameserver -- the company I registered the domain with provides a web
page for updating their own DNS server's address records, so I simply
pointed the name of my domain to the desired IP address.
Now, I have recently agreed to use another of the public IP addresses to
host a different domain, which someone else has registered with a
different company. This person gave me the authentication info for
administering this new domain (hereafter called "newdomain.net"),
through a similar web interface provided by the company with whom he has
registered it. However, this interface does not allow me to update the
registrar's DNS records -- instead, I'm provided only with a
"delegation" form for entering nameserver addresses, not a form for
adding actual DNS "A-records". So it seems that I have to set up named
and configure it to be authoritative for newdomain.net....
So, like a good Linux user, I started with the instructions in the DNS
HowTo <http://www.tldp.org/HOWTO/DNS-HOWTO.html>, and it seems I have
everything configured correctly for newdomain.net, except that I'm
getting different responses when I query the server externally than when
I query it from its own command-line. Specifically, I get no ANSWER or
AUTHORITY sections when querying the server from a remote system.
In the config files and output samples that follow, I've substituted
"mydomain.net" for the name of the actual domain I'm trying to get
working, and "<MY.PUB.IP.ADDR>" for the IP address I'd like to assign
this domain to. So here's the result of trying to resolve
www.newdomain.net from a command-prompt on the server itself:
===========================================
root at www:/var/named> dig www.newdomain.net
; <<>> DiG 9.2.1 <<>> www.newdomain.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26099
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.newdomain.net. IN A
;; ANSWER SECTION:
www.newdomain.net. 259200 IN A <MY.PUB.IP.ADDR>
;; AUTHORITY SECTION:
newdomain.net. 259200 IN NS ns.newdomain.net.
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 28 18:35:31 2004
;; MSG SIZE rcvd: 69
===========================================
Looks fine. I can perform the same query from the same host, only using
the IP address that I want the nameserver to listen on...
===========================================
root at www:/var/named> dig @<MY.PUB.IP.ADDR> www.newdomain.net
; <<>> DiG 9.2.1 <<>> @<MY.PUB.IP.ADDR> www.newdomain.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59824
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.newdomain.net. IN A
;; ANSWER SECTION:
www.newdomain.net. 259200 IN A <MY.PUB.IP.ADDR>
;; AUTHORITY SECTION:
newdomain.net. 259200 IN NS ns.newdomain.net.
;; Query time: 2 msec
;; SERVER: <MY.PUB.IP.ADDR>#53(<MY.PUB.IP.ADDR>)
;; WHEN: Mon Jun 28 18:40:37 2004
;; MSG SIZE rcvd: 69
==========================================
OK, that works fine too. But here's the response I get when running the
same command from another system:
===========================================
root at other_host:~> dig @<MY.PUB.IP.ADDR> www.newdomain.net
; <<>> DiG 9.2.2 <<>> @<MY.PUB.IP.ADDR> www.newdomain.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26930
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.newdomain.net. IN A
;; Query time: 165 msec
;; SERVER: <MY.PUB.IP.ADDR>#53(<MY.PUB.IP.ADDR>)
;; WHEN: Mon Jun 28 18:46:10 2004
;; MSG SIZE rcvd: 36
===========================================
A perfectly legitimate server response, but with no answer section! This
confuses me. It's not a networking problem, because the server is
responding just fine (I can even telnet to port 53). It doesn't appear
to be an access restrictions problem, because no permissions error is
reported in the log file (just as a test, I briefly enabled access
control and verified the expected behavior: a lookup failure on the
client and a "query denied" error message in the server log). So what
could be causing this behavior?
Here are the two config files I believe are relevant...
Contents of /var/named/newdomain.net:
===========================================
;
; Zone file for newdomain.net
;
$TTL 3D
@       IN SOA  www.newdomain.net. admin.newdomain.net. (
                199802151   ; serial, today's date + today's serial #
                8H          ; refresh, seconds
                2H          ; retry, seconds
                4W          ; expire, seconds
                1D )        ; minimum, seconds
;
        TXT     "newdomain.net"
        NS      ns          ; Inet Address of name server
        MX      10 mail     ; Primary Mail Exchanger
localhost A     127.0.0.1
www     A       <MY.PUB.IP.ADDR>
        MX      10 mail
ns      CNAME   www
mail    CNAME   www
ftp     CNAME   www
gw      CNAME   www
===========================================
Contents of /etc/named.conf:
===========================================
options {
        directory "/var/named";
};
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};
// my new domain
zone "newdomain.net" {
        type master;
        notify no;
        file "newdomain.net";
};
// Reverse DNS lookups
zone "<ADDR.IP.PUB>.in-addr.arpa" {
        type master;
        notify no;
        file "<ADDR.IP.PUB>";
};
include "/etc/rndc.key";
===========================================
Any ideas about how to attack this problem will be gratefully accepted.
For example, how can I get some more useful debugging information about
the processing of the non-working requests?
Thanks in advance,
-benton
-------------
Benton Roberts
Application / Support Engineer, Orad
tel:917.861.7462
mailto:bentonr at orad-ny.com
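Separately from the SERVFAIL question, the zone file in the post points its NS and MX records at names (ns, mail) that are CNAMEs, which RFC 2181 section 10.3 forbids. The following is an added example, not code from the post or from BIND: a small zone-file parser in the posted layout (comments, parenthesised SOA, inherited owner names, relative names) with a check that reports NS or MX targets that are aliases. The embedded zone is a constructed copy of the posted one with 192.0.2.10 standing in for <MY.PUB.IP.ADDR>.

```python
# Added example (not from the post): lint a zone for NS/MX targets that are CNAMEs (RFC 2181 s10.3).
import re
from collections import defaultdict

# Constructed copy of the posted zone; 192.0.2.10 (RFC 5737 range) replaces <MY.PUB.IP.ADDR>.
SAMPLE_ZONE = """\
$TTL 3D
@   IN SOA www.newdomain.net. admin.newdomain.net. (
        199802151 8H 2H 4W 1D ) ; serial refresh retry expire minimum
    TXT "newdomain.net"
    NS  ns
    MX  10 mail
www A 192.0.2.10
    MX 10 mail
ns   CNAME www
mail CNAME www
ftp  CNAME www
"""

def fqdn(name, origin):
    """Absolute form of a zone-file name ('@' is the origin, no trailing dot is relative)."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return {owner: {rrtype: [rdata tokens]}}; handles comments, ( ) continuations, inherited owners, TTL/class."""
    records = defaultdict(lambda: defaultdict(list))
    owner, buf, has_owner = origin, "", False
    for raw in text.splitlines():
        body = raw.split(";", 1)[0]           # drop the comment (quoted ';' not supported)
        if not buf:                           # first physical line of a record: owner present?
            has_owner = bool(body) and body[0] not in " \t"
        buf += " " + body
        if buf.count("(") != buf.count(")"):
            continue                          # still inside a parenthesised record
        tokens, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        if not tokens or tokens[0].startswith("$"):
            continue                          # blank line or $TTL/$ORIGIN directive
        if has_owner:
            owner = fqdn(tokens.pop(0), origin)
        while tokens and (tokens[0].upper() == "IN" or re.fullmatch(r"\d+[smhdw]?", tokens[0], re.I)):
            tokens.pop(0)                     # optional class and TTL fields
        records[owner][tokens[0].upper()].append(tokens[1:])
    return records

def find_alias_targets(records, origin):
    """(owner, rrtype, target) for every NS or MX whose target owns a CNAME."""
    problems = []
    for owner, rrsets in records.items():
        for rrtype, idx in (("NS", 0), ("MX", 1)):    # MX rdata is: preference, host
            for rdata in rrsets.get(rrtype, []):
                target = fqdn(rdata[idx], origin)
                if "CNAME" in records.get(target, {}):
                    problems.append((owner, rrtype, target))
    return sorted(problems)
```

Running `find_alias_targets(parse_zone(SAMPLE_ZONE, "newdomain.net."), "newdomain.net.")` reports the zone apex NS and both MX records; giving ns and mail their own A records instead of CNAMEs clears the report.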