I am running CentOS 7 with CWP on a DigitalOcean droplet. The server is currently hosting two domains, and I added a third domain on 26th April. I did it with the normal steps, like:
- point the domain to my server's NS records, `ns1.example.com` and `ns2.example.com`
- add the new domain on CWP from the New Account menu with the SSL option enabled
After a few hours the domain was working fine, and I uploaded my web and went live. After that I tried to enable SSL, but I noticed it wasn't installed for that domain. I went ahead and tried again to install SSL for the domain from the user account. It throws the error `DNS of your domain doesn't point to this server or you have htaccess restrictions`.
I decided to try it from the WHM, which resulted in the same error. I googled and found several articles on the CentOS Web Panel Forum, and I tried several solutions, including:
- change the hostname (save it again without any modification)
- edit the nameserver IPs (save it again without any modification)
- delete the account in a particular way, and then add it again
I tried all of them, but none worked for me. Then I decided to manually compare the DNS config file of the problematic domain with a working domain. I noticed some records in the problematic domain were starting with the domain name instead of the `@` symbol. I matched all lines with the working domain's configuration, but still no luck.
While searching I found that maybe something is wrong with the DNS server, so I ran the `service named status` command to check its status and found a couple of `network unreachable resolving` errors. The complete output can be seen below:
```
[root@server log]# service named status
Redirecting to /bin/systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2020-04-28 16:56:51 PKT; 46min ago
Process: 9965 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 9912 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Process: 10792 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 10790 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 10794 (named)
CGroup: /system.slice/named.service
└─10794 /usr/sbin/named -u named -c /etc/named.conf
Apr 28 16:56:51 serv.xyz.com named[10794]: network unreachable resolving './NS/IN': 2001:dc3::35#53
Apr 28 16:56:51 serv.xyz.com named[10794]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Apr 28 16:56:51 serv.xyz.com named[10794]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
Apr 28 16:56:51 serv.xyz.com named[10794]: network unreachable resolving './DNSKEY/IN': 2001:500:200::b#53
Apr 28 16:56:51 serv.xyz.com named[10794]: network unreachable resolving './NS/IN': 2001:500:200::b#53
Apr 28 16:56:51 serv.xyz.com named[10794]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
Apr 28 16:56:51 serv.xyz.com named[10794]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
Apr 28 16:56:51 serv.xyz.com named[10794]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: k...usted
Apr 28 16:56:51 serv.xyz.com named[10794]: resolver priming query complete
Apr 28 17:24:15 serv.xyz.com named[10794]: client @0x7f9dac0c6f10 193.29.15.169#52139 (5hz.org): query (cache) ...enied
Hint: Some lines were ellipsized, use -l to show in full.
[root@server log]#
```
Now, I searched for a DNS solution and found that disabling IPv6 is the solution. I tried to disable it by adding `OPTIONS="-4"`, and even tried to comment out the IPv6 line, but still no luck.
I am wondering: if there's something wrong with the DNS server, then how are the other two sites still working? I performed an NS lookup, which shows correct DNS information. However, when I do an NS lookup for the problematic domain, it shows the `ns` records but there's no IP linked to them.
I performed a lookup on leafdns and this is the error: `None of your nameserver names contain glue or A records. This error is fatal. Your domain is not resolveable`. Even though there's an error, I can still access my domain.
Edit: Here is the content of my DNS config file:
```
; Generated by CWP
; Zone file for DOMAIN_IN_QUESTION.com
$TTL 14400
@ 86400 IN SOA ns1.SERVER_DOMAIN.com. webmaster.DOMAIN_IN_QUESTION.com. (
        2020042832 ; serial, todays date+todays
        3600       ; refresh, seconds
        7200       ; retry, seconds
        1209600    ; expire, seconds
        86400 )    ; minimum, seconds
@ 86400 IN NS ns1.SERVER_DOMAIN.com.
@ 86400 IN NS ns2.SERVER_DOMAIN.com.
@ IN A XXX.XXX.XXX.XXX
localhost.DOMAIN_IN_QUESTION.com. IN A 127.0.0.1
@ IN MX 0 DOMAIN_IN_QUESTION.com.
mail 14400 IN CNAME DOMAIN_IN_QUESTION.com.
smtp 14400 IN CNAME DOMAIN_IN_QUESTION.com.
pop 14400 IN CNAME DOMAIN_IN_QUESTION.com.
pop3 14400 IN CNAME DOMAIN_IN_QUESTION.com.
imap 14400 IN CNAME DOMAIN_IN_QUESTION.com.
webmail 14400 IN A XXX.XXX.XXX.XXX
cpanel 14400 IN A XXX.XXX.XXX.XXX
cwp 14400 IN A XXX.XXX.XXX.XXX
www 14400 IN CNAME DOMAIN_IN_QUESTION.com.
ftp 14400 IN CNAME DOMAIN_IN_QUESTION.com.
_dmarc 14400 IN TXT "v=DMARC1; p=none"
@ 14400 IN TXT "v=spf1 +a +mx +ip4:XXX.XXX.XXX.XXX ~all"
default._domainkey 14400 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCi4acT6Vt0/7FVab8FzfLqJ8LU4rciFbo2t4yFmVoX1Uxi4QQsEJqTBZBfnWerkw6zzdY6+WYd4nn/sZSVCXDWC4/bmGylAkewthvOkAK1xsa8mXeOHrhX3CtqlVu3Ti+U4NpmmfgHehqq0NUKF9ma6NaJNMK3zFojToEdqNGQfwIDAQAB"
```
Note: I made these replacements in the config file:
- IP replaced with `XXX.XXX.XXX.XXX`
- server address replaced with `SERVER_DOMAIN`
- affected domain replaced with `DOMAIN_IN_QUESTION`
I don't have any clue; can someone please help me with this? It's been 2+ days and I am very upset. :(
If there are `NS` records but no corresponding `A` records, you could be missing Glue Records from the parent zone. The error message `None of your nameserver names contain glue or A records. This error is fatal. Your domain is not resolveable` is consistent with that.

If this domain is `example.com` and the name servers are its subdomains `ns1.example.com` and `ns2.example.com`, it's not enough that you have the `A` records on the zone itself, as it would cause an infinite loop: `.com`, what are the nameservers for `example.com`? `ns1.example.com` and `ns2.example.com`. `example.com` [...] `example.com`?

Therefore, `com` is required to have and give this information directly, as the Glue Records. You can't set these records on your own DNS server, but at the registrar.

The `network unreachable resolving './NS/IN': 2001:dc3::35#53` errors are probably not related to your current problem. These are DNS requests from your DNS server and related to its recursive functionality, i.e. when it's trying to resolve domains it doesn't know by itself, authoritatively. Keep in mind that recursive and authoritative DNS servers should be separated, i.e. by the IANA Technical requirements for authoritative name servers.

If your DNS server does need to have recursive functionality, you should of course fix these errors, too. You should also limit the network ranges that are allowed to use the server recursively, in BIND with `allow-recursion { 198.51.100.0/24; };`.
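The answer above recommends `allow-recursion` to keep a BIND server that must recurse from becoming an open resolver. As an added example (not code from the question or either answer), the Python script below audits the `options` block of a `named.conf` for exactly that condition: `recursion yes` without a restricting `allow-recursion`. The three configurations embedded in it are constructed, not taken from the poster's server; the fallback chain it applies when `allow-recursion` is absent (`allow-query-cache`, then `allow-query`, then `localnets; localhost;`) is BIND 9's documented default, and named `acl` references are expanded one level deep.

```python
"""Added example: detect BIND 'options' blocks that expose recursion to
everyone (an open resolver), versus restricted or authoritative-only setups."""
import re

# Constructed named.conf fragments (not the poster's configuration).
OPEN_RESOLVER_CONF = """\
options {
    listen-on port 53 { any; };
    directory "/var/named";
    recursion yes;          // no allow-recursion: falls back to allow-query
    allow-query { any; };
};
"""

RESTRICTED_CONF = """\
acl "trusted" { 198.51.100.0/24; 127.0.0.1; };
options {
    listen-on port 53 { any; };
    directory "/var/named";
    recursion yes;
    allow-query { any; };          # anyone may ask authoritative questions
    allow-recursion { trusted; };  # only our own networks may recurse
};
"""

AUTHORITATIVE_ONLY_CONF = """\
options {
    directory "/var/named";
    recursion no;   /* authoritative-only server, as IANA recommends */
    allow-query { any; };
};
"""


def strip_comments(conf):
    """Drop /* */, // and # comments (BIND accepts all three styles)."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def block_body(conf, head_pattern):
    """Text between the braces that follow head_pattern, honouring nested
    braces such as 'listen-on { ... };' inside options."""
    m = re.search(head_pattern + r"\s*\{", conf)
    if m is None:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[start:i]
    return None


def split_members(text):
    """'a; b;' -> ['a', 'b']."""
    return [x.strip() for x in text.split(";") if x.strip()]


def list_members(body, stmt):
    """Members of 'stmt { ... };' inside body, or None if stmt is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(stmt), body)
    return None if m is None else split_members(m.group(1))


def expand_acls(conf, members):
    """Replace named acl references with their definitions (one level)."""
    out = []
    for member in members:
        body = block_body(conf, r'\bacl\s+"?%s"?' % re.escape(member))
        out.extend(split_members(body) if body is not None else [member])
    return out


def audit_recursion(conf):
    """Return (verdict, effective allow-recursion members)."""
    conf = strip_comments(conf)
    opts = block_body(conf, r"\boptions") or ""
    m = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    if m and m.group(1) == "no":
        return ("AUTHORITATIVE_ONLY", [])
    # BIND 9 default chain when allow-recursion is not set explicitly.
    allowed = None
    for stmt in ("allow-recursion", "allow-query-cache", "allow-query"):
        allowed = list_members(opts, stmt)
        if allowed is not None:
            break
    if allowed is None:
        allowed = ["localnets", "localhost"]
    allowed = expand_acls(conf, allowed)
    if "any" in allowed or "0.0.0.0/0" in allowed or "::/0" in allowed:
        return ("OPEN_RESOLVER", allowed)
    return ("RESTRICTED", allowed)


if __name__ == "__main__":
    for label, conf in (("open", OPEN_RESOLVER_CONF),
                        ("restricted", RESTRICTED_CONF),
                        ("authoritative-only", AUTHORITATIVE_ONLY_CONF)):
        verdict, allowed = audit_recursion(conf)
        print(f"{label:20} {verdict:19} allow-recursion = {allowed}")
```

The first configuration is the one to watch for: `allow-query { any; }` on its own looks harmless, but with `recursion yes` and no `allow-recursion` it is what BIND uses to decide who may recurse.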
Did you register ns1.SERVER_DOMAIN.com and ns2.SERVER_DOMAIN.com as nameservers at your registrar? Changing only the nameservers of your domain cannot redirect DNS queries to your server. First you should register the two nameservers, then you should change your NS records to your registered nameservers.
To verify the configuration:
`whois SERVER_DOMAIN.com | grep -i "name server:"`
`dig -t ns SERVER_DOMAIN.com`
The first query should show ns1.SERVER_DOMAIN.com and ns2.SERVER_DOMAIN.com. In the second query, the answer section should contain an answer.
Then the query will be forwarded to your servers. To verify it, open tcpdump on port 53 on your server, and from another location (not from your servers) perform an SOA DNS query like `dig -t soa SERVER_DOMAIN.com`. The answer section should contain the line from your zone file. If not, look at your tcpdump output: if there is no output, a firewall is blocking the DNS port; if there is output, then the DNS configuration has errors. Do a config test with:
`named-checkconf /etc/named.conf`
`named-checkzone SERVER_DOMAIN.com /var/named/[ZONEFILE]`
Probably at least one of them will fail. Fix the errors and re-run the SOA DNS query.
Then debug DOMAIN_IN_QUESTION.com.
First check the TLD records, the same as for SERVER_DOMAIN.com. Same steps:
`whois DOMAIN_IN_QUESTION.com | grep -i "name server:"`
`dig -t ns DOMAIN_IN_QUESTION.com`
All of these steps should return `(ns1|ns2).SERVER_DOMAIN.com.` If not, the configuration at the registrar has problems. Contact them.
Check the conf and zone conf:
`named-checkconf /etc/named.conf`
`named-checkzone DOMAIN_IN_QUESTION.com /var/named/[ZONEFILE]`
If there are errors, fix them.
Do an SOA record query. This query should be answered by your DNS server. Open tcpdump and check the DNS traffic packets as well.
The SOA answer should match your SOA line in the zone config file.
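Both answers turn on the same question: where do the names in a zone's `NS` records live, and who has to publish their addresses? The first answer explains that a nameserver inside its own zone (`ns1.example.com` serving `example.com`) needs glue at the parent; the second points out that the poster's zone delegates to `ns1.SERVER_DOMAIN.com`, so the registration that matters is the one for SERVER_DOMAIN.com. The Python script below is an added example, not code from the question or the answers: it parses a BIND-style zone file and reports, for each apex `NS` record, whether the target is in-bailiwick (glue must be registered at the registrar, and the zone should also carry its `A`/`AAAA`) or out-of-bailiwick (the delegation depends on another zone resolving). The first zone is an abridged copy of the one posted, placeholders included; the second is constructed to show the in-bailiwick case and also writes one owner as the full domain name instead of `@`, the variation the question noticed, to show both mean the apex. `$ORIGIN` directives are not handled; the zone is assumed to use the origin passed in.

```python
"""Added example: classify apex NS targets of a zone as needing glue at the
parent (in-bailiwick) or depending on another zone (out-of-bailiwick)."""

STATUS_OUT = "OUT_OF_BAILIWICK"
STATUS_GLUE = "NEEDS_GLUE"
STATUS_GLUE_NO_ADDR = "NEEDS_GLUE_NO_ADDRESS"

# Constructed input, abridged from the zone posted in the question; the
# placeholders XXX.XXX.XXX.XXX, SERVER_DOMAIN and DOMAIN_IN_QUESTION are kept.
ZONE_POSTED = """\
$TTL 14400
@ 86400 IN SOA ns1.SERVER_DOMAIN.com. webmaster.DOMAIN_IN_QUESTION.com. (
        2020042832 ; serial
        3600       ; refresh
        7200       ; retry
        1209600    ; expire
        86400 )    ; minimum
@ 86400 IN NS ns1.SERVER_DOMAIN.com.
@ 86400 IN NS ns2.SERVER_DOMAIN.com.
@ IN A XXX.XXX.XXX.XXX
localhost.DOMAIN_IN_QUESTION.com. IN A 127.0.0.1
@ IN MX 0 DOMAIN_IN_QUESTION.com.
www 14400 IN CNAME DOMAIN_IN_QUESTION.com.
@ 14400 IN TXT "v=spf1 +a +mx +ip4:XXX.XXX.XXX.XXX ~all"
"""

# Constructed zone whose nameservers live inside the zone itself.  The second
# NS record uses the full owner name instead of "@"; both denote the apex.
ZONE_SELF_HOSTED = """\
$TTL 3600
@ IN SOA ns1.example.com. hostmaster.example.com. ( 1 3600 900 604800 3600 )
@ IN NS ns1.example.com.
example.com. IN NS ns2.example.com.
ns1 IN A 192.0.2.53
www IN A 192.0.2.80
"""


def normalize_origin(origin):
    """Canonical zone name: lower-case with a single trailing dot."""
    return origin.rstrip(".").lower() + "."


def strip_comment(line):
    """Remove a ';' comment, ignoring ';' inside double quotes (TXT data)."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            break
        out.append(ch)
    return "".join(out)


def logical_lines(text):
    """Yield records with '( ... )' continuation lines joined into one."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = strip_comment(raw)
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0
            if joined.strip():
                yield joined


def qualify(name, origin):
    """Make an owner or target name absolute relative to origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Return (owner, type, rdata_tokens) triples with absolute owner names."""
    origin = normalize_origin(origin)
    records, last_owner = [], origin
    for line in logical_lines(text):
        if line.lstrip().startswith("$"):
            continue  # $TTL etc. do not matter here; $ORIGIN is not handled
        tokens = line.split()
        owner = last_owner if line[0].isspace() else qualify(tokens.pop(0), origin)
        last_owner = owner
        if tokens and tokens[0].isdigit():          # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):  # optional class
            tokens.pop(0)
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records


def in_bailiwick(name, origin):
    """True if name is at or below the zone apex (parent must carry glue)."""
    return name == origin or name.endswith("." + origin)


def check_delegation(records, origin):
    """Map each apex NS target to its glue status."""
    origin = normalize_origin(origin)
    address_owners = {o for o, t, _ in records if t in ("A", "AAAA")}
    report = {}
    for owner, rtype, rdata in records:
        if owner != origin or rtype != "NS":
            continue
        ns = qualify(rdata[0], origin)
        if not in_bailiwick(ns, origin):
            report[ns] = STATUS_OUT
        elif ns in address_owners:
            report[ns] = STATUS_GLUE
        else:
            report[ns] = STATUS_GLUE_NO_ADDR
    return report


if __name__ == "__main__":
    for label, text, origin in (("posted zone", ZONE_POSTED, "DOMAIN_IN_QUESTION.com"),
                                ("self-hosted NS", ZONE_SELF_HOSTED, "example.com")):
        print(label)
        for ns, status in check_delegation(parse_zone(text, origin), origin).items():
            print(f"  {ns:30} {status}")
```

For the posted zone both targets come out `OUT_OF_BAILIWICK`: nothing in DOMAIN_IN_QUESTION.com's own file can fix that delegation, which is why the second answer starts with `whois` and `dig -t ns` against SERVER_DOMAIN.com. For the constructed zone, `ns1` is `NEEDS_GLUE` (the `A` is there, but the registrar still has to publish it) and `ns2` is `NEEDS_GLUE_NO_ADDRESS`.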