Domain Not Resolving

G.W. Haywood bind at jubileegroup.co.uk
Tue Nov 21 13:42:12 UTC 2017


Hi there,

On Tue, 21 Nov 2017, Ron Wingfield wrote:

> ... our registered domain, archaxis.net, is not resolving ...

As has been mentioned, you don't have a nameserver listening on IP
162.202.233.81.  At a guess, you need to restart it.

> We run BIND version 9.10.2 ...

Upgrade.  See for example

http://www.cvedetails.com/cve/CVE-2016-2776/

> ... This has worked for past months until 3 NOV 2017 ...

It depends on your definition of 'worked'.  I'd say that it has never
worked, it's just sort of limped along in spite of all your mistakes.

> Again, I emphasize that this configuration has been working since modified
> Thr Aug 6 2015 following conversion to AT&T U-verse, and has not changed
> since Jan 12 2017 when added an SPF TXT RR for archaxis.net.
> [...]
> Can any of you list members see any thing wrong with the previously
> included zone file?

Your configuration has probably never been correct.  At some stage,
something you wanted to happen might have happened, but that was just
blind luck.  Your zone file is a mess.  Most importantly the four
names ns1, ns2, alpha and bravo all have the same IP address which is
ridiculous in this context.  There are two SPF TXT records when only
one is allowed by the RFCs, and I suspect that neither of them will do
what's required.  The simplest thing you can do with those is delete
them.  The address for localhost (127.0.0.1) should be in /etc/hosts,
not in your zone file, and very probably it already is.

When you've got the rest of your DNS mess sorted out, and when you've
ensured your site is secure (upgrade BIND - and keep it up to date;
did you know that you have servers listening to the entire Internet on
ports 22, 110, 8080 and 60443?; are *they* patched up to date? this
includes firmware updates for your Linksys router ...) then you might
drop by the SPF users' mailing list for advice on your SPF TXT record.

> After reporting this continuing unsatisfactory fail to AT&T, they have yet
> again responded "As was stated, it shows that we are correctly delegating
> the records.  The issue still persists that your nameservers A records are
> not resolving.  That is wholly outside our control or access.  PTR requests
> will continue to fail as the ns1.archaxis.net and ns2.archaxis.net are not
> responding to requests."

AT&T is correct.  You have told them that you are running your own
name servers, which is a lie - you've only ever had one, and that's
not acceptable.  Your name service is not running on the one server
which you do have.

> Who is to blame?

You are.

> I am at my wit's end.  This was working - why did it just stop?

I don't know why it stopped.  You *might* have suffered from the DOS
attack mentioned in the above CVE, but I think it's much more likely
that you broke something.  It might be that that something was your
nameserver configuration, or perhaps you've broken the server's boot
scripts, or perhaps you've changed your router or its configuration
and it isn't forwarding DNS requests to your internal server.  These
are all your responsibilities.

There are many free DNS services available.  I suggest you pick one of
them, and many of your problems will be, er, resolved.  The services
from he.net have always been very good for my purposes, and extend to
areas beyond simple IPv4 DNS.  They will keep their servers patched.
They offer educational material too.

As a general observation, not knowing what you're doing is dangerous
on the Internet.  Please take some time out of your undoubtedly busy
life to try to ensure that you aren't a menace to the rest of us.  A
good start might be to read the famous "DNS and BIND".

-- 

73,
Ged.
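The zone-file mistakes Ged lists (several NS names sharing one address, two SPF TXT records at the apex, a localhost A record) can be caught mechanically before a zone is loaded. The linter below is an added example and not code from the post or from BIND; the zone it checks is a constructed sample under the documentation range 192.0.2.0/24 with origin example.net, not the poster's real file.

```python
"""Lint a BIND-style zone file for the mistakes discussed in the thread."""
import re
from collections import defaultdict

# Constructed sample zone (assumed, not the poster's file); 192.0.2.0/24 is documentation space.
SAMPLE_ZONE = """\
$TTL 86400
@       IN  SOA ns1.example.net. hostmaster.example.net. (2017110301 3600 900 604800 86400)
@       IN  NS  ns1.example.net.
@       IN  NS  ns2.example.net.
@       IN  TXT "v=spf1 mx -all"
@       IN  TXT "v=spf1 a mx ~all"
ns1     IN  A   192.0.2.10
ns2     IN  A   192.0.2.10
alpha   IN  A   192.0.2.10
bravo   IN  A   192.0.2.10
localhost IN A  127.0.0.1
"""

# owner [ttl] [IN] type rdata  (single-line records only; enough for this sample)
RECORD_RE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(A|NS|TXT|SOA|MX|CNAME)\s+(.*)$')

def parse_zone(text):
    """Return (owner, type, rdata) tuples; comments and $directives are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(';', 1)[0].rstrip()
        if not line or line.startswith('$'):
            continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1), m.group(2), m.group(3).strip()))
    return records

def lint_zone(text, origin):
    """Return a list of findings for the three problems called out in the reply."""
    recs = parse_zone(text)
    findings = []
    # 1. RFC 7208 allows exactly one SPF record at a name; two makes SPF fail outright.
    spf = [r for o, t, r in recs if o == '@' and t == 'TXT' and r.strip('"').startswith('v=spf1')]
    if len(spf) > 1:
        findings.append(f'{len(spf)} SPF TXT records at apex; RFC 7208 permits one')
    # 2. localhost belongs in /etc/hosts, not in a published zone.
    if any(o == 'localhost' and t == 'A' for o, t, _ in recs):
        findings.append('localhost A record in zone; keep it in /etc/hosts instead')
    # 3. NS names that all resolve to one address give no redundancy at all.
    a_of = defaultdict(set)
    for o, t, r in recs:
        if t == 'A':
            a_of[r].add(o)
    ns_names = {r.rstrip('.').replace('.' + origin, '') for _, t, r in recs if t == 'NS'}
    for ip, owners in a_of.items():
        shared = owners & ns_names
        if len(shared) > 1:
            findings.append(f'NS names {sorted(shared)} all resolve to {ip}; no redundancy')
    return findings
```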

