Problem: no ANSWER section in external queries only

Benton Roberts bentonr at orad-ny.com
Fri Jul 2 21:51:21 UTC 2004 

Hello, BIND experts.

I am having a configuration problem with named which is preventing my 
nameserver from responding correctly to external queries. I am new to 
setting up DNS, so please forgive me if I do not provide the correct 
information for debugging this problem...

I have a server which is currently listening to several public IP 
addresses. One of these addresses is already serving a named domain, but 
my machine is not currently acting as the this paricular domain's 
nameserver -- the company I registered the domain with provides a web 
page for updating their own DNS server's address records, so I simply 
pointed the name of my domain to the desired IP address.

Now, I have recently agreed to use another of the public IP addresses to 
host a different domain, which someone else has registered with a 
different company. This person gave me the authentication info for 
administering this new domain (hereafter called "newdomain.net"), 
through a similar web interface provided by the company with whom he has 
registered it. However, this interface does not allow me to update the 
registrar's DNS records -- instead, I'm provided only with a 
"delegation" form for entering nameserver addresses, not a form for 
adding actual DNS "A-records". So it seems that I have to setup named 
and configure it to be authoritative for newdomain.net....

So, like a good Linux user, I started with the instructions in the DNS 
HowTo <http://www.tldp.org/HOWTO/DNS-HOWTO.html>, and it seems I have 
everything configured correctly for newdomain.net, except that I'm 
getting different responses when I query the server externally than when 
I query it from its own command-line. Specifically, I get no ANSWER or 
AUTHORITY sections when querying the server from a remote system.

In the config files and output samples that follow, I've subsituted 
"mydomain.net" for the name of the actual domain I'm trying to get 
working, and "<MY.PUB.IP.ADDR>" for the IP address I'd like to assign 
this domain to. So here's the result of trying to resolve 
www.newdomain.net from a command-prompt on the server itself:
===========================================
root at www:/var/named> dig www.newdomain.net

; <<>> DiG 9.2.1 <<>> www.newdomain.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26099
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.newdomain.net.            IN      A

;; ANSWER SECTION:
www.newdomain.net.     259200  IN      A       <MY.PUB.IP.ADDR>

;; AUTHORITY SECTION:
newdomain.net.         259200  IN      NS      ns.newdomain.net.

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 28 18:35:31 2004
;; MSG SIZE  rcvd: 69
===========================================


Looks fine. I can perform the same query from the same host, only using 
the IP address that I want the nameserver to listen on...
===========================================
root at www:/var/named> dig @<MY.PUB.IP.ADDR> www.newdomain.net

; <<>> DiG 9.2.1 <<>> @<MY.PUB.IP.ADDR> www.newdomain.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59824
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.newdomain.net.            IN      A

;; ANSWER SECTION:
www.newdomain.net.     259200  IN      A       <MY.PUB.IP.ADDR>

;; AUTHORITY SECTION:
newdomain.net.         259200  IN      NS      ns.newdomain.net.

;; Query time: 2 msec
;; SERVER: <MY.PUB.IP.ADDR>#53(<MY.PUB.IP.ADDR>)
;; WHEN: Mon Jun 28 18:40:37 2004
;; MSG SIZE  rcvd: 69
==========================================


OK, that works fine too. But here's the response I get when running the 
same command from another system:
===========================================
root at other_host:~> dig @<MY.PUB.IP.ADDR> www.newdomain.net

; <<>> DiG 9.2.2 <<>> @<MY.PUB.IP.ADDR> www.newdomain.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26930
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.newdomain.net.            IN      A

;; Query time: 165 msec
;; SERVER: <MY.PUB.IP.ADDR>#53(<MY.PUB.IP.ADDR>)
;; WHEN: Mon Jun 28 18:46:10 2004
;; MSG SIZE  rcvd: 36
===========================================

A perfectly legitimate server response, but with no answer section! This 
confuses me. It's not a networking problem, because the server is 
responding just fine (I can even telnet to port 53). It doesn't appear 
to be an access restrictions problem, because no permissions error is 
reported in the log file (just as a test, I briefly enabled access 
control and verified the expected behavior: a lookup failure on the 
client and a "query denied" error message in the server log). So what 
could be causing this behavior?

Here's the two config files I believe are relevant...
Contents of /var/named/newdomain.net:
===========================================
;
; Zone file for newdomain.net
;
$TTL 3D
@       IN      SOA     www.newdomain.net. admin.newdomain.net. (
                         199802151       ; serial, todays date + todays 
serial #
                         8H              ; refresh, seconds
                         2H              ; retry, seconds
                         4W              ; expire, seconds
                         1D )            ; minimum, seconds
;
                 TXT     "newdomain.net"
                 NS      ns              ; Inet Address of name server
                 MX      10 mail         ; Primary Mail Exchanger


localhost       A       127.0.0.1


www             A       <MY.PUB.IP.ADDR>
                 MX      10 mail


ns              CNAME   www
mail            CNAME   www
ftp             CNAME   www
gw              CNAME   www
===========================================



Contents of /etc/named.conf:
===========================================
options {
         directory "/var/named";
};

controls {
         inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
         type hint;
         file "named.ca";
};

zone "localhost" IN {
         type master;
         file "localhost.zone";
         allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
         type master;
         file "named.local";
         allow-update { none; };
};

//      my new domain
zone "newdomain.net" {
        type master;
         notify no;
         file "newdomain.net";
};

// Reverse DNS lookups
zone "<ADDR.IP.PUB>.in-addr.arpa" {
         type master;
         notify no;
         file "<ADDR.IP.PUB">;
};

include "/etc/rndc.key";
===========================================

Any ideas about how to attack this problem will be gratefully accepted. 
For example, how can I get some more useful debugging information about 
the processing of the non-working requests?

Thanks in advance,
-benton
-------------
Benton Roberts
Application / Support Engineer, Orad
tel:917.861.7462
mailto:bentonr at orad-ny.com

More information about the bind-users mailing list