Ping a Specific Port

Question

estol

Asked: 2011-03-25 16:44:31 +0800 CST2011-03-25 16:44:31 +0800 CST 2011-03-25 16:44:31 +0800 CST

BIND returns serverfail when querying for its authoriative domain

772

Hi there Serverfault folks!

First of all: sorry about the title, I had some problem coming up with the proper title.

I have a little home server set up, for internet sharing, samba, basic http, dlna mediaserver and what not, and I happend to have a domain at hand, so I thought why not direct it to this computer?

I have a BIND 9.8.0 installed, and - afaik - configured it properly.

For a few days, the public view did not worked, and I really did not cared, since the local view worked. But now suddenly, even the local view fails.

If I try to query the nameserver for anything in my domain, it returns the following error:

$ nslookup andromeda.dafaces.com
;; Got SERVFAIL reply from ::1, trying next server
;; Got SERVFAIL reply from ::1, trying next server
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find andromeda.dafaces.com.dafaces.com: SERVFAIL

Also, the public view points to the old ip address of the domain, probably because of the same error.

Some information about the system:

$ uname -a
Linux tressis 2.6.37-ARCH #1 SMP PREEMPT Tue Mar 15 09:21:17 CET 2011 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 5000+ AuthenticAMD GNU/Linux

$ named -v
BIND 9.8.0

And the named.conf file:

# cat /etc/named.conf
//
// /etc/named.conf
//

include "/etc/rndc.key";

#controls {
#       inet 127.0.0.1 allow {localhost; } keys { "dnskulcs"; };
#};

options {
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        auth-nxdomain yes;
        datasize default;
// Uncomment these to enable IPv6 connections support
// IPv4 will still work:
        listen-on-v6 { any; };
        listen-on { any; };
// Add this for no IPv4:
//      listen-on { none; };

// Default security settings.
//      allow-recursion { 127.0.0.1; ::1; 192.168.1.0/24; };
//      allow-recursion { any; };
        allow-query { any; };
        allow-transfer { 127.0.0.1; ::1; 92.243.14.172; 87.98.164.164; 88.191.64.64; };
        allow-update { key "dnskulcs"; };
        version none;
        hostname none;
        server-id none;
        zone-statistics yes;

        forwarders { 213.46.246.53; 213.26.246.54; 8.8.8.8; 8.8.4.4; 192.188.242.65; 193.227.196.3; 2001:470:20::2; };
};

view "local" {

        match-clients { 192.168.1.0/24; 127.0.0.1; ::1; fec0:0:0:ffff::/64; };
        recursion yes;

        zone "localhost" IN {
                type master;
                file "localhost.zone";
                allow-transfer { any; };
        };

        zone "0.0.127.in-addr.arpa" IN {
                type master;
                file "127.0.0.zone";
                allow-transfer { any; };
        };

        zone "." IN {
                type hint;
                file "root.hint";
        };

        zone "dafaces.com" IN {
                type master;
                file "internal/dafaces.com.fw";
                allow-update { key "dnskulcs"; };
        };

        zone "1.168.192.in-addr.arpa" IN {
                type master;
                file "internal/dafaces.com.rev";
                allow-update { key "dnskulcs"; };
        };
};

view "public" {
        match-clients { any;};
        recursion no;

        zone "dafaces.com" IN {
                type master;
                file "external/dafaces.com.fw";
                allow-transfer {
                        87.98.164.164; 195.234.42.1; 88.191.64.64;
                };
        };
};

//zone "example.org" IN {
//      type slave;
//      file "example.zone";
//      masters {
//              192.168.1.100;
//      };
//      allow-query { any; };
//      allow-transfer { any; };
//};

logging {
        channel xfer-log {
                file "/var/log/named.log";
                print-category yes;
                print-severity yes;
                print-time yes;
                severity info;
        };
        category xfer-in { xfer-log; };
        category xfer-out { xfer-log; };
        category notify { xfer-log; };
};

All help would be highly appreciated!

EDIT: Zone files:

# cat /var/named/internal/dafaces.com.fw
$ORIGIN .
$TTL 3600       ; 1 hour
dafaces.com             IN SOA  tressis.dafaces.com. postmaster.dafaces.com. (
                                2011032201 ; serial
                                28800      ; refresh (8 hours)
                                7200       ; retry (2 hours)
                                2419200    ; expire (4 weeks)
                                3600       ; minimum (1 hour)
                                )
                        NS      tressis.dafaces.com.
                        A       192.168.1.1
                        MX      10 mail.dafaces.com.
$ORIGIN _tcp.dafaces.com.
_http                   SRV     0 5 80 www.dafaces.com.
_ssh                    SRV     0 5 22 tressis.dafaces.com.
$ORIGIN dafaces.com.
acrisius                A       192.168.1.230
andromeda               A       192.168.1.7
andromeda-win7          CNAME   andromeda
aspasia                 A       192.168.1.233
athena                  A       192.168.1.232
callisto                A       192.168.1.102
db                      A       192.168.1.1
management              A       192.168.1.1 ; web management for the router functions
haley                   A       192.168.1.5
hoth                    A       192.168.1.101
mail                    A       192.168.1.1
satelite                A       192.168.1.20
sony-player             A       192.168.1.103
                        TXT     "310f16de2d2712dfc4ae6e5c54f60f828e"
torrent                 A       192.168.1.1
tracker                 A       192.168.1.1
tressis                 A       192.168.1.1
www                     A       192.168.1.1
zeus                    A       192.168.1.231

and

# cat /var/named/external/dafaces.com.fw
$ORIGIN .
$TTL 3600
dafaces.com             IN SOA  ns.dafaces.com. postmaster.dafaces.com. (
                                        2011032405; serial
                                        28800; refresh
                                        7200; retry
                                        2419200; expire
                                        3600; minimum
                                        )

                        NS      ns.dafaces.com.
                        NS      ns0.xname.org.
                        NS      ns1.xname.org.
                        NS      ns2.xname.org.

                        A       89.135.129.37
                        MX      10 mail.dafaces.com.

$ORIGIN dafaces.com.
;Szolgaltatasok
_ssh._tcp               SRV     0 5 22 tressis
_http._tcp              SRV     0 5 80 www

ns                      A       89.135.129.37
hoth                    A       89.135.129.37
www                     A       89.135.129.37
mail                    A       89.135.129.37
db                      A       89.135.129.37

torrent                 A       89.135.129.37
tracker                 A       89.135.129.37

Edit:

Ohh, hell I almost forgot. Since the node is connected to the internet via a residential connection, there is a possibility, that the public ipv4 address will change(but thank god, it is a very rare case), so I daily update the external IP address in the zone file with a shellscript:

# cat /etc/cron.daily/dnsupdate
#!/bin/sh

FILE="/var/named/external/dafaces.com.fw"
SERIAL=$(date +%Y%m%d05)
PUBLIC_IP=$(ifconfig internet |sed -n "/inet addr:.*255.255.255.255/{s/.*inet addr://; s/ .*//; p}")

cat $FILE | sed --posix 's/^.* serial$/\t\t\t\t\t'$SERIAL'; serial/' | sed --posix 's/[0-9]*\.[0-9]*\.[0-9]*\.[0-9]*/'$PUBLIC_IP'/'  > /tmp/ujzona
mv /tmp/ujzona $FILE
/etc/rc.d/named reload

2 Answers

Voted

laurent · Answer 1 · 2011-03-26T03:48:48+08:00

laurent

2011-03-26T03:48:48+08:002011-03-26T03:48:48+08:00

Try changing the lines:

dafaces.com             IN SOA  tressis.dafaces.com. postmaster.dafaces.com. (

To

dafaces.com. IN SOA tressis.dafaces.com. postmaster.dafaces.com. (

1

Chuck Kollars · Answer 2 · 2013-01-30T18:01:14+08:00

The usual mantra: "what's changed?" By any chance have you fiddled with /etc/resolv.conf, maybe trying to tighten down the timeout a little? (Or is it possible the machine that's running BIND is quite a bit more heavily loaded and significantly slower than it was at first?)

Only a network trace (wireshark?) would tell for sure, but it looks to me like the first request for foo.bar.baz isn't being returned fast enough, so the resolver is timing out and then trying foo.bar.baz.bar.baz (append "domain" to whatever ...even if it's a silly duplication). That second query probably never did work right even before (possibly because of the missing trailing dot mentioned in another response), but it didn't matter during your initial testing because the query never got sent anyway.

Now the query is being sent, and tickling the incorrect behavior that was latent in your BIND configuration all along. Try turning the option timeout:N in /etc/resolv.conf way up and see if it stops happening. (Or turn the option way down so it tickles the problem all the time, then fix the root problem, then turn the option back up to a reasonable value.)

BIND returns serverfail when querying for its authoriative domain

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?