
I am running CentOS7 with CWP on a Digital Ocean droplet. The server is currently hosting two domains, and I added a third domain on 26th April. I did it with the normal steps, like:

  1. pointed the domain to my server's NS records, ns1.example.com and ns2.example.com
  2. added the new domain in CWP from the New Account menu with the SSL option enabled

After a few hours, the domain was working fine and I uploaded my web and went live. After that, I tried to enable SSL but I noticed it wasn't installed for that domain. I went ahead and tried again to install SSL for the domain from the user account. It throws an error: DNS of your domain doesn't point to this server or you have htaccess restrictions

I decided to try it from the WHM, which resulted in the same error. I googled and found several articles on the CentOS Web Panel Forum, and I tried several solutions, including:

  1. change the hostname (save it again without any modification)
  2. edit the nameserver IPs (save them again without any modification)
  3. deleting the account in a particular way, and then adding it again

I tried all of them, but none worked for me. Then I decided to manually compare the DNS config file of the problematic domain with a working domain. I noticed some records on the problematic domain were starting with the domain instead of the @ symbol. I matched all lines with the working domain's configuration, but still no luck.

While searching I found that maybe something is wrong with the DNS server. I ran the service named status command to check its status and found a couple of network unreachable resolving errors; the complete output can be seen below:

    [root@server log]# service named status
    Redirecting to /bin/systemctl status named.service
    ● named.service - Berkeley Internet Name Domain (DNS)
       Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
       Active: active (running) since Tue 2020-04-28 16:56:51 PKT; 46min ago
      Process: 9965 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
      Process: 9912 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
      Process: 10792 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
      Process: 10790 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
     Main PID: 10794 (named)
       CGroup: /system.slice/named.service
               └─10794 /usr/sbin/named -u named -c /etc/named.conf

    Apr 28 16:56:51 serv.xyz.com named[10794]: network unreachable resolving './NS/IN': 2001:dc3::35#53
    Apr 28 16:56:51 serv.xyz.com named[10794]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
    Apr 28 16:56:51 serv.xyz.com named[10794]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
    Apr 28 16:56:51 serv.xyz.com named[10794]: network unreachable resolving './DNSKEY/IN': 2001:500:200::b#53
    Apr 28 16:56:51 serv.xyz.com named[10794]: network unreachable resolving './NS/IN': 2001:500:200::b#53
    Apr 28 16:56:51 serv.xyz.com named[10794]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
    Apr 28 16:56:51 serv.xyz.com named[10794]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
    Apr 28 16:56:51 serv.xyz.com named[10794]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: k...usted
    Apr 28 16:56:51 serv.xyz.com named[10794]: resolver priming query complete
    Apr 28 17:24:15 serv.xyz.com named[10794]: client @0x7f9dac0c6f10 193.29.15.169#52139 (5hz.org): query (cache) ...enied
    Hint: Some lines were ellipsized, use -l to show in full.
    [root@server log]#

Now, I searched for a DNS solution and found that disabling IPv6 is the solution. I tried to disable it by adding OPTIONS="-4", and even tried to comment out the IPv6 line, but still no luck.

I am wondering, if there's something wrong with the DNS server, then how are the other two sites still working? I performed an ns lookup, which shows the correct DNS information. However, when I do an ns lookup for the problematic domain, it shows NS records but there's no IP linked to them.

I performed a lookup on leafdns and this is the error: None of your nameserver names contain glue or A records. This error is fatal. Your domain is not resolveable. Even though there's an error, I can still access my domain.

Edit: Here is the content of my DNS config file

    ; Generated by CWP
    ; Zone file for DOMAIN_IN_QUESTION.com
    $TTL 14400
    @    86400        IN      SOA     ns1.SERVER_DOMAIN.com. webmaster.DOMAIN_IN_QUESTION.com. (
                    2020042832 ; serial, todays date+todays
                    3600            ; refresh, seconds
                    7200            ; retry, seconds
                    1209600         ; expire, seconds
                    86400 )         ; minimum, seconds
    @   86400   IN  NS      ns1.SERVER_DOMAIN.com.
    @   86400   IN  NS      ns2.SERVER_DOMAIN.com.
    @ IN A XXX.XXX.XXX.XXX
    localhost.DOMAIN_IN_QUESTION.com. IN A 127.0.0.1
    @ IN MX 0 DOMAIN_IN_QUESTION.com.
    mail 14400 IN CNAME DOMAIN_IN_QUESTION.com.
    smtp 14400 IN CNAME DOMAIN_IN_QUESTION.com.
    pop  14400 IN CNAME DOMAIN_IN_QUESTION.com.
    pop3 14400 IN CNAME DOMAIN_IN_QUESTION.com.
    imap 14400 IN CNAME DOMAIN_IN_QUESTION.com.
    webmail 14400 IN A XXX.XXX.XXX.XXX
    cpanel 14400 IN A XXX.XXX.XXX.XXX
    cwp 14400 IN A XXX.XXX.XXX.XXX
    www 14400 IN CNAME DOMAIN_IN_QUESTION.com.
    ftp 14400 IN CNAME DOMAIN_IN_QUESTION.com.
    _dmarc  14400   IN  TXT "v=DMARC1; p=none"
    @   14400   IN  TXT "v=spf1 +a +mx +ip4:XXX.XXX.XXX.XXX ~all"
    default._domainkey 14400 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCi4acT6Vt0/7FVab8FzfLqJ8LU4rciFbo2t4yFmVoX1Uxi4QQsEJqTBZBfnWerkw6zzdY6+WYd4nn/sZSVCXDWC4/bmGylAkewthvOkAK1xsa8mXeOHrhX3CtqlVu3Ti+U4NpmmfgHehqq0NUKF9ma6NaJNMK3zFojToEdqNGQfwIDAQAB"

Note: I made these replacements in the config file:

  1. IP replaced with XXX.XXX.XXX.XXX
  2. Server address replaced with SERVER_DOMAIN
  3. Affected domain replaced with DOMAIN_IN_QUESTION

I don't have any clue; can someone please help me with this? It's been 2+ days and I am very upset. :(

Alena
  • Please check your site at [intodns](https://intodns.com/) and tell me what errors it shows. – Atlas_Gondal May 02 '20 at 06:41
  • @Atlas_Gondal There are some errors; here's the error for the A record: `ERROR: Some of your DNS servers do not have A records at all. I could not find any A records.`. And this error is for the DNS server: `ERROR: One or more of your nameservers did not respond`. And for the SOA record: `No valid SOA record came back!`. Where is the problem and what could be wrong? – Alena May 02 '20 at 16:47

2 Answers


If there are NS records but no corresponding A records, you could be missing Glue Records from the parent zone. The error message None of your nameserver names contain glue or A records. This error is fatal. Your domain is not resolveable is consistent with that.

If this domain is example.com and the name servers are its subdomains ns1.example.com and ns2.example.com, it's not enough that you have the A records in the zone itself, as it would cause an infinite loop:

  1. Hello .com, what are the nameservers for example.com?
  2. They are ns1.example.com and ns2.example.com.
  3. Ok. What are their IP addresses?
  4. I don't know. You should ask the name servers of example.com.
  5. Ok. What are the nameservers for example.com?

Therefore, the com zone is required to have and give this information directly, as the Glue Records. You can't set these records on your own DNS server, but at the registrar.

The network unreachable resolving './NS/IN': 2001:dc3::35#53 errors are probably not related to your current problem. These are DNS requests from your DNS server, related to its recursive functionality, i.e. when it's trying to resolve domains it doesn't know by itself authoritatively.

Keep in mind that recursive and authoritative DNS servers should be separated, i.e. by the IANA Technical requirements for authoritative name servers:

No open recursive name service

The authoritative name servers must not provide recursive name service. This requirement is tested by sending a query outside the jurisdiction of the authority with the “RD”-bit set.

If your DNS server does need to have recursive functionality, you should of course fix these errors, too. You should also limit the network ranges that are allowed to use the server recursively, in BIND with allow-recursion { 198.51.100.0/24; };.

Esa Jokinen
  • The problematic domain is different from the domain which is running the DNS server. So I think there isn't any issue related to glue records. And I also have the `A` record in place. By the way, the server is running on a `.com` domain, and I'm trying to connect a `.cc` domain. I was able to connect another `.com` domain with the normal setup, but I tried this domain about 3 different times and it did not work. Maybe there's something different for `.cc` domains... – Alena May 02 '20 at 16:43
  • I have posted the content of my config file, please take a look... – Alena May 04 '20 at 02:16
  • This is clearly a missing glue record issue, but as you haven't disclosed the actual domains, no one can investigate this any further. – Esa Jokinen May 04 '20 at 03:42
  • Where do I add the glue record? (domain registrar or on the server) And can you please share an example record? – Alena May 06 '20 at 06:29
  • What part of `You can't set these records on your own DNS server, but at the registrar.` was unclear? Example? `dig google.com NS @j.gtld-servers.net`: the A/AAAA records on the ADDITIONAL SECTION are glue records, on `dig google.com NS @ns1.google.com` they are not. Both are authoritative, and the contents are and SHOULD be the same. **It's just where they are located: at the parent zone instead of the zone itself.** – Esa Jokinen May 06 '20 at 09:41
  • Thanks for re-explaining. Just want to clarify: my SERVER_DOMAIN is different from this PROBLEMATIC domain, and I have a valid glue record for SERVER_DOMAIN. Do I still need to add a glue record for the PROBLEMATIC domain? After your first response, I reached out to my registrar "NameCheap" and asked them to add a glue record. They said, "everything is fine and nothing needs to be done on our end. Please check your server side." Today, I reached out again with the same matter, and the reply was also the same: "The Glue record is registered fine. Please contact the hosting provider to get it resolved." – Alena May 08 '20 at 11:37
  • No, you don't need to have glue records at all for the domain if another domain is handling its name services. But probably you have either configured your name servers wrong, or it's currently missing glue at the parent. We can't tell without knowing the actual domain in question. – Esa Jokinen May 08 '20 at 12:07
  • Is there any way I can share the domain privately? I remember there was an option to move to chat on Stack Overflow when we type a lengthy message; it warns something like "long messages should be avoided in comments, instead move to chat". I don't see any option here... – Alena May 09 '20 at 06:44
  • @Alena "Is there any way I can share the domain privately?" DNS is public; you should put the real names in your question, as this helps everyone give you better replies. Obfuscation is almost always bad, and bad obfuscation (like not using `example.com` and the `192.0.2.0/24` block) is bad and not being a good netizen, or worse (e.g. `DOMAIN_IN_QUESTION.com` is not even a valid domain name, as a valid one cannot have underscores...) – Patrick Mevzek Jun 05 '20 at 22:41
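The referral loop from the numbered dialogue in this answer, plus the point made in the comments that a domain whose name servers live in another zone needs no glue of its own, as an added worked example; this is not code from the answer or from BIND. It is a toy iterative resolver over constructed zone data: `ns1.example.com`, `ns1.hoster.com`, `example.cc` and the 192.0.2.0/24 addresses are assumed placeholders, and `resolve()` returns the answer together with a trace of which server was asked for what.

```python
"""Toy iterative resolver over constructed zone data. It shows why a name server
that lives inside the zone it serves (ns1.example.com for example.com) needs glue
at the parent, and why a server in another zone (ns1.hoster.com for example.cc)
does not. Added example: every name and address is constructed (RFC 5737 ranges);
nothing here is the question's real infrastructure."""

ROOT_IP = "192.0.2.1"  # constructed root server; every lookup starts here
MAX_DEPTH = 10         # referral chasing stops here; reaching it means a loop


def build_servers(with_glue):
    """Server IP -> zones it is authoritative for and the records it holds.
    Records are keyed (owner, type) -> list of rdata; names carry no trailing dot."""
    com = {
        ("ns.com", "A"): ["192.0.2.3"],
        ("example.com", "NS"): ["ns1.example.com"],  # delegation to an in-zone server
        ("hoster.com", "NS"): ["ns1.hoster.com"],
        ("ns1.hoster.com", "A"): ["192.0.2.20"],     # glue for hoster.com
    }
    if with_glue:
        com[("ns1.example.com", "A")] = ["192.0.2.10"]  # glue for example.com
    return {
        ROOT_IP: {"zones": {""}, "records": {
            ("com", "NS"): ["ns.com"], ("ns.com", "A"): ["192.0.2.3"],
            ("cc", "NS"): ["ns.cc"], ("ns.cc", "A"): ["192.0.2.2"]}},
        "192.0.2.3": {"zones": {"com"}, "records": com},
        "192.0.2.2": {"zones": {"cc"}, "records": {
            ("ns.cc", "A"): ["192.0.2.2"],
            ("example.cc", "NS"): ["ns1.hoster.com"]}},  # out of bailiwick: no glue
        "192.0.2.10": {"zones": {"example.com"}, "records": {
            ("example.com", "NS"): ["ns1.example.com"],
            ("ns1.example.com", "A"): ["192.0.2.10"],  # the A record inside the zone
            ("example.com", "A"): ["192.0.2.10"]}},
        "192.0.2.20": {"zones": {"hoster.com", "example.cc"}, "records": {
            ("hoster.com", "NS"): ["ns1.hoster.com"],
            ("ns1.hoster.com", "A"): ["192.0.2.20"],
            ("example.cc", "NS"): ["ns1.hoster.com"],
            ("example.cc", "A"): ["192.0.2.30"]}},
    }


def enclosing_zones(name):
    """'www.example.com' -> ['www.example.com', 'example.com', 'com', '']"""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))] + [""]


def query(servers, ip, qname, qtype, depth, trace):
    """Ask one server; follow its referral, chasing unglued NS names from the root."""
    pad = "  " * depth
    if depth > MAX_DEPTH:
        trace.append(f"{pad}gave up on {qname}/{qtype}: referral loop (no glue at parent)")
        return None
    srv = servers[ip]
    trace.append(f"{pad}ask {ip} for {qname} {qtype}")
    if (qname, qtype) in srv["records"]:
        return srv["records"][(qname, qtype)]
    for zone in enclosing_zones(qname):
        if zone in srv["zones"]:
            trace.append(f"{pad}{ip} is authoritative for {zone!r}: no such record")
            return None
        ns_names = srv["records"].get((zone, "NS"))
        if not ns_names:
            continue
        for ns in ns_names:  # referral into a child zone
            addrs = srv["records"].get((ns, "A"))
            if addrs is None:
                trace.append(f"{pad}referral to {ns} has no glue; resolving it from the root")
                addrs = query(servers, ROOT_IP, ns, "A", depth + 1, trace)
            if addrs:
                answer = query(servers, addrs[0], qname, qtype, depth + 1, trace)
                if answer:
                    return answer
        return None  # delegation exists but no listed server could be reached
    return None


def resolve(qname, qtype="A", with_glue=True):
    """Resolve from the root; returns (rdata or None, trace of the servers asked)."""
    trace = []
    return query(build_servers(with_glue), ROOT_IP, qname, qtype, 0, trace), trace


if __name__ == "__main__":
    for name, glue in (("example.com", True), ("example.com", False), ("example.cc", False)):
        answer, trace = resolve(name, "A", glue)
        print(f"\n{name} with glue at parent={glue}: {answer}")
        print("\n".join(trace))
```

Running it prints three traces: `example.com` resolves when the `.com` server carries the A record of `ns1.example.com` as glue; without it every referral sends the resolver back to the root for the same name until the depth limit stops it, even though `ns1.example.com` has its own A record inside the `example.com` zone; and `example.cc` resolves with no glue at all, because `ns1.hoster.com` is found through the `hoster.com` delegation in `.com`, which is the layout the comments discuss.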

Did you register ns1.SERVER_DOMAIN.com and ns2.SERVER_DOMAIN.com as nameservers at your registrar? Changing only the nameserver of your domain cannot redirect DNS queries to your server. First you should register the two nameservers, then you should change your NS records to your registered nameservers.

To verify the configuration:

  1. Do a whois query to get the NS: `whois SERVER_DOMAIN.com | grep -i "name server:"`
  2. Do an NS record query: `dig -t ns SERVER_DOMAIN.com`

The first query should show ns1.SERVER_DOMAIN.com and ns2.SERVER_DOMAIN.com. In the second query, the answer section should contain an answer.

Then the query will be forwarded to your servers. To verify it, open tcpdump on port 53 on your server, and from another location (not from your servers) perform an SOA DNS query like `dig -t soa SERVER_DOMAIN.com`. The answer section should contain the line from your zone file. If not, look at your tcpdump output: if there is no output, there is a firewall blocking the DNS port; if there is output, then the DNS configuration has errors. Do a config test with:

    named-checkconf /etc/named.conf
    named-checkzone SERVER_DOMAIN.com /var/named/[ZONEFILE]

Probably at least one of them will fail. Fix the errors and re-perform the SOA DNS query.

Then debug DOMAIN_IN_QUESTION.com.

First check the TLD records, the same as for SERVER_DOMAIN.com. Same steps:

  1. Do a whois query to get the NS: `whois DOMAIN_IN_QUESTION.com | grep -i "name server:"`
  2. Do an NS record query: `dig -t ns DOMAIN_IN_QUESTION.com`

All of these steps should return (ns1|ns2).SERVER_DOMAIN.com. If not, the configuration at the registrar has problems. Contact them.

Check the conf and the zone conf:

    named-checkconf /etc/named.conf
    named-checkzone DOMAIN_IN_QUESTION.com /var/named/[ZONEFILE]

If there are errors, fix them.

Do an SOA record query. This query should be answered by your DNS server. Open a tcpdump and also check the DNS traffic packets.

The SOA answer should match your SOA line in the zone config file.

  • Thanks for your answer, but it looks like you did not understand the question properly. The server domain itself is working properly, and it is running two sites without any issue. The name servers (ns1 and ns2) are also working fine for those sites. The problem is with a particular domain; it is not resolving to an IP for some reason. – Alena May 09 '20 at 06:51
  • Sorry for my misunderstanding; I also added similar steps for DOMAIN_IN_QUESTION.com, and converted the links to *nix commands. For a quick solution I need to see the named logs under /var/named/data/named.run. You don't need to share them, however look for the loaded serials for your domains. Is the loaded serial number matching the zone config file? – Kazim SARIKAYA May 10 '20 at 07:40
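The registrar/NS/SOA comparison this answer walks through by hand, as an added example that is not the answer's own code and not part of CWP or BIND: it parses a zone file in the layout the question posted and checks it against the output of `whois` and `dig -t soa`. Everything in it is constructed: the zone is a shortened copy of the posted one with `example.cc` for DOMAIN_IN_QUESTION, `hoster.com` for SERVER_DOMAIN and RFC 5737 addresses, and `WHOIS_OK` and `DIG_SOA_OK` stand in for the real command output you would paste in.

```python
"""Check a CWP-style BIND zone file against the registrar's name servers and a live
SOA answer. Added example with constructed data: example.cc stands for the posted
DOMAIN_IN_QUESTION, hoster.com for SERVER_DOMAIN; addresses are RFC 5737 ranges."""
import re
import shlex

ORIGIN = "example.cc"

ZONE_FILE = """\
; Generated by CWP (constructed, shortened copy of the posted zone)
$TTL 14400
@    86400        IN      SOA     ns1.hoster.com. webmaster.example.cc. (
                2020042832 ; serial, todays date+todays
                3600            ; refresh, seconds
                7200            ; retry, seconds
                1209600         ; expire, seconds
                86400 )         ; minimum, seconds
@   86400   IN  NS      ns1.hoster.com.
@   86400   IN  NS      ns2.hoster.com.
@ IN A 192.0.2.10
localhost.example.cc. IN A 127.0.0.1
_dmarc  14400   IN  TXT "v=DMARC1; p=none"
@   14400   IN  TXT "v=spf1 +a +mx +ip4:192.0.2.10 ~all"
"""
# Constructed stand-ins for `whois example.cc` and the ANSWER line of `dig -t soa example.cc`.
WHOIS_OK = "Domain Name: EXAMPLE.CC\nName Server: NS1.HOSTER.COM\nName Server: NS2.HOSTER.COM\n"
DIG_SOA_OK = "example.cc.\t86400\tIN\tSOA\tns1.hoster.com. webmaster.example.cc. 2020042832 3600 7200 1209600 86400"


def strip_comment(line):
    """Drop a ';' comment but keep semicolons inside quoted TXT data (DMARC, DKIM)."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def absolute(name, origin):
    """'@' -> origin, 'www' -> 'www.<origin>', 'a.b.' -> 'a.b' (trailing dot removed)."""
    if name == "@":
        return origin
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata) triples. Handles $TTL, '@', parenthesised SOA
    continuation lines and the rule that an indented line inherits the last owner."""
    records, buf, depth, last_owner = [], "", 0, origin
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line.strip():
            continue
        buf += line + " "
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue  # still inside the SOA parentheses
        indented = buf[0] in " \t"
        tokens = [t for t in shlex.split(buf) if t not in ("(", ")")]
        buf, depth = "", 0
        if tokens[0].startswith("$"):
            continue  # $TTL sets only the default TTL, not needed for these checks
        owner = last_owner if indented else absolute(tokens.pop(0), origin)
        last_owner = owner
        if tokens[0].isdigit():
            tokens.pop(0)  # explicit TTL
        if tokens[0].upper() == "IN":
            tokens.pop(0)  # class
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records


def summarize(records, origin):
    """Pull out the apex SOA, the apex NS set and every A record by owner."""
    soa = next(r for o, t, r in records if t == "SOA" and o == origin)
    return {
        "soa": {"mname": soa[0].rstrip(".").lower(), "serial": int(soa[2])},
        "ns": sorted(r[0].rstrip(".").lower() for o, t, r in records if t == "NS" and o == origin),
        "a": {o: r[0] for o, t, r in records if t == "A"},
    }


def registrar_nameservers(whois_text):
    return sorted({m.lower() for m in re.findall(r"(?im)^\s*name server:\s*(\S+)", whois_text)})


def check_delegation(zone, origin, registrar_ns):
    """Findings that stop the domain resolving; an empty list means consistent."""
    findings = []
    if zone["ns"] != registrar_ns:
        findings.append(f"NS mismatch: zone file {zone['ns']} vs registrar {registrar_ns}")
    for ns in zone["ns"]:
        # Only a name server inside the zone needs an A record here (and glue at the
        # parent); ns1.hoster.com serving example.cc is found via hoster.com instead.
        if (ns == origin or ns.endswith("." + origin)) and ns not in zone["a"]:
            findings.append(f"{ns} lies inside {origin} but has no A record (glue needed)")
    return findings


def soa_matches(zone, dig_answer_line):
    """Compare a `dig -t soa` ANSWER line with the zone file's MNAME and serial."""
    fields = dig_answer_line.split()
    i = fields.index("SOA")
    return (fields[i + 1].rstrip(".").lower() == zone["soa"]["mname"]
            and int(fields[i + 3]) == zone["soa"]["serial"])


if __name__ == "__main__":
    z = summarize(parse_zone(ZONE_FILE, ORIGIN), ORIGIN)
    print("zone NS:", z["ns"], "serial:", z["soa"]["serial"])
    print("findings:", check_delegation(z, ORIGIN, registrar_nameservers(WHOIS_OK)))
    print("live SOA matches zone file:", soa_matches(z, DIG_SOA_OK))
```

`check_delegation()` reports a zone/registrar NS disagreement and any in-zone name server that lacks an A record; `soa_matches()` is the serial comparison the last comment asks for, and a live answer carrying an older serial than the file means the running named has not loaded the zone you are editing.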