
I have been trying to make bind work on Fedora 21, and haven't succeeded in doing it.

I read a few tutorials which basically instructed me to create a zone for my domain and an inverse mapper, then found a tool called system-config-bind from Red Hat, which generated the following files:

named.conf

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "STATIC_IP.IN-ADDR.ARPA." IN {
        type master;
        file "STATIC_IP.db";
};
zone "transportelasnieves.com.ve." IN {
        type master;
        file "transportelasnieves.com.ve.db";
};
zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

transportelasnieves.com.ve.db

$TTL 1D
@       1D      SOA     @       root.transportelasnieves.com.ve. (      2
                                                3H
                                                1H
                                                1W
                                                1D )
        IN      1D      A       STATIC_IP.161
        NS      @

STATIC_IP.db

$TTL 1H
@       SOA     transportelasnieves.com.ve.     root.transportelasnieves.com.ve. (      2
                                                3H
                                                1H
                                                1W
                                                1H )
        NS      transportelasnieves.com.ve.
161     PTR     transportelasnieves.com.ve.

but it's still not working.

I know that because I can't ping the domain, and intoDNS also gives me these errors:

  • Mismatched NS records
  • DNS servers responded

    ERROR: One or more of your nameservers did not respond: 
           The ones that did not respond are: STATIC_IP.161
    
  • Multiple Nameservers

  • Missing nameservers reported by your nameservers
  • SOA record (No valid SOA record).

and some others.

I am sure that port 53 is accessible from outside, because I can telnet to it if I give the server's IP, i.e. STATIC_IP.161.

iharob
1 Answer


This isn't really about BIND. It's about DNS in general. You're breaking a few basic rules of DNS administration.

  • Multiple Nameservers: You should have at least two NS records defined in your zone for redundancy. Right now you don't. Both servers should be located in physically separate locations in order to prevent DNS outages.
  • One or more of your nameservers did not respond: No replies are coming back from your nameserver when external clients communicate with it. We can't really answer why: you'll need to perform some basic network troubleshooting. Make sure that the request packets are arriving, and that replies are being sent back along the correct network route.

By themselves, these problems are fatal. You need to address these before tackling the remaining errors being reported as they may be related.

It would be a good idea to read Should we host our own nameservers?. There is a minimum barrier to entry on knowledge when it comes to hosting your own DNS servers. You do not want to be responsible for company wide outages of your internet facing domains. Do not let your manager force you into this position if you are not trained for it.

If you're determined to proceed with running your own DNS server, at the bare minimum you need to spend a weekend with a book on the topic. A mentor of some sort and a lab you can play around in without impacting production are both highly recommended.

Andrew B
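The first point in the answer (a zone that lists a single nameserver) can be caught before the zone is ever published. The script below is an added example, not code from the question, the answer or ISC BIND: it parses the simplified zone syntax the questioner posted (no $ORIGIN, $INCLUDE or multi-line records other than the parenthesised SOA), lists the apex NS records, and reports the redundancy and glue problems intoDNS complained about. The zone text is a constructed copy of the posted file with STATIC_IP replaced by RFC 5737 documentation addresses so it runs offline; the "fixed" zone and its ns1/ns2 hostnames are assumptions chosen to show what a passing zone looks like.

```python
"""Audit a BIND zone file for delegation problems: too few NS records,
in-zone nameservers without address records, nameservers all on one network.
Added example; it is not the questioner's tooling or part of BIND."""
import ipaddress
import re

ORIGIN = "transportelasnieves.com.ve."

# Constructed copy of the questioner's forward zone (STATIC_IP -> 192.0.2).
ZONE_TEXT = """\
$TTL 1D
@       1D      SOA     @       root.transportelasnieves.com.ve. (      2
                                                3H
                                                1H
                                                1W
                                                1D )
        IN      1D      A       192.0.2.161
        NS      @
"""

# Assumed corrected zone: two nameservers with glue, on different networks.
ZONE_TEXT_FIXED = """\
$TTL 1D
@       1D      SOA     ns1     root.transportelasnieves.com.ve. (      3
                                                3H
                                                1H
                                                1W
                                                1D )
        IN      1D      A       192.0.2.161
        NS      ns1
        NS      ns2
ns1     A       192.0.2.161
ns2     A       198.51.100.53
"""

TTL_RE = re.compile(r"^\d+[smhdwSMHDW]?$")
CLASSES = {"IN", "CH", "HS"}


def _logical_lines(text):
    """Yield records with ';' comments removed and '( ... )' continuations joined.
    The first physical line keeps its leading whitespace: that is how the zone
    format signals 'same owner as the previous record'."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            joined = buf[0] + " " + " ".join(p.strip() for p in buf[1:])
            yield joined.replace("(", " ").replace(")", " ").rstrip()
            buf, depth = [], 0


def _fqdn(name, origin):
    """Expand '@' and relative names against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return a list of (owner, type, rdata_tokens) tuples."""
    origin = origin if origin.endswith(".") else origin + "."
    records, owner = [], origin
    for line in _logical_lines(text):
        if line.startswith("$"):          # $TTL etc. do not affect this audit
            continue
        if line[0].isspace():
            toks = line.split()           # owner omitted: reuse the last one
        else:
            owner_tok, *rest = line.split(None, 1)
            owner = _fqdn(owner_tok, origin)
            toks = rest[0].split() if rest else []
        while toks and (TTL_RE.match(toks[0]) or toks[0].upper() in CLASSES):
            toks.pop(0)                   # TTL and class are optional, any order
        if toks:
            records.append((owner, toks[0].upper(), toks[1:]))
    return records


def audit_delegation(records, origin):
    """Return human-readable findings; an empty list means the checks passed."""
    origin = origin if origin.endswith(".") else origin + "."
    findings = []
    ns_targets = [_fqdn(r[2][0], origin) for r in records
                  if r[0] == origin and r[1] == "NS"]
    addresses = {r[0] for r in records if r[1] in ("A", "AAAA")}
    if not any(r[0] == origin and r[1] == "SOA" for r in records):
        findings.append("no SOA record at the zone apex")
    if len(ns_targets) < 2:
        findings.append(f"only {len(ns_targets)} NS record(s) at the apex; "
                        "at least two nameservers on separate networks are needed")
    nets = set()
    for ns in ns_targets:
        in_zone = ns == origin or ns.endswith("." + origin)
        if in_zone and ns not in addresses:
            findings.append(f"in-zone nameserver {ns} has no A/AAAA record, "
                            "so no glue can be published")
        for r in records:                 # collect each nameserver's IPv4 /24
            if r[0] == ns and r[1] == "A":
                nets.add(ipaddress.ip_network(f"{r[2][0]}/24", strict=False))
    if len(ns_targets) >= 2 and len(nets) == 1:
        findings.append("all nameservers sit in one /24 (heuristic); "
                        "put them on separate networks or sites")
    return findings


if __name__ == "__main__":
    for label, text in (("posted zone", ZONE_TEXT), ("fixed zone", ZONE_TEXT_FIXED)):
        print(label, audit_delegation(parse_zone(text, ORIGIN), ORIGIN) or ["ok"])
```

Run it as a pre-publish check alongside named-checkzone; the posted zone yields the single-nameserver finding, the corrected one passes.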
  • I understand. Can you give me a hint on how to test if the nameserver is responding, even a link or some guideline names of the tools that might be needed? I am a C programmer, but have never managed a server in my life. – iharob Jan 28 '15 at 20:56
  • If you aren't operating this server as a system administrator by trade, this technically isn't on-topic for Serverfault. :) The best hint I can give you is that you will always need a remote server for troubleshooting your internet facing DNS issues. You need a reply to come back when you execute `dig @STATIC_IP.161 transportelasnieves.com.ve`. Until you've solved that problem, the DNS server is basically dead to the world. – Andrew B Jan 28 '15 at 21:00
  • Sorry for asking you something else, and yes, I am the system administrator too. `dig @IP transportelasnieves.com.ve` worked; it responded with the correct answer as far as I can understand, but `dig transportelasnieves.com.ve` fails. What does that mean? – iharob Jan 28 '15 at 21:08
  • The latter not working is related: your ISP's nameservers can't communicate with that IP address. Make sure that the firewall (or similar device) is allowing unrecognized IP addresses to reach the DNS server. *And turn off recursion.* You should not provide recursion on an internet facing DNS server. It's a security risk. – Andrew B Jan 28 '15 at 21:32
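The last comment's point about recursion can be checked mechanically in the posted named.conf. The script below is an added example, not code from the thread or from ISC: it extracts the statements of the options block and reports when `recursion yes` is combined with an ACL that lets the whole internet recurse, which is what makes an authoritative server usable as an open resolver. It follows the BIND 9 ARM's rule that an unset `allow-recursion` falls back to `allow-query-cache`, then `allow-query`, then `{ localnets; localhost; }`, so the questioner's `allow-query { any; }` is what turns the config into an open resolver. The configuration text is a constructed copy of the questioner's options block (include, view and acl statements are not handled); the "fixed" variant is an assumption showing the authoritative-only setting.

```python
"""Flag an open recursive resolver in a named.conf options block.
Added example; not part of BIND and not a substitute for named-checkconf."""
import re

# Constructed copy of the questioner's options block.
NAMED_CONF = """\
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        allow-query     { any; };

        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
};
"""

# Assumed authoritative-only variant: the server answers for its own zones
# and refuses to recurse for anyone.
NAMED_CONF_FIXED = NAMED_CONF.replace("recursion yes;", "recursion no;")

# One `name value;` statement, where value may carry a single-level `{ ... }` ACL.
STMT_RE = re.compile(r"([\w-]+)\s*([^;{}]*(?:\{[^}]*\})?)\s*;")
OPEN_TO_ALL = {"any", "0.0.0.0/0", "::/0"}


def _block_body(text, keyword):
    """Return the text between the matching braces of `keyword { ... };`."""
    m = re.search(rf"\b{keyword}\s*\{{", text)
    if not m:
        return None
    depth, start = 0, m.end() - 1
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    return None


def parse_options(text):
    """Map each option name in the options block to its raw value string."""
    body = _block_body(text, "options")
    if body is None:
        return {}
    body = re.sub(r"//.*|#.*", "", body)        # strip line comments
    return {name: value.strip() for name, value in STMT_RE.findall(body)}


def _acl(value):
    """Turn '{ a; b; }' into ['a', 'b']."""
    m = re.search(r"\{(.*)\}", value, re.S)
    return [x.strip() for x in m.group(1).split(";") if x.strip()] if m else []


def audit_recursion(opts):
    """Return findings; empty means recursion is off or properly restricted."""
    findings = []
    if opts.get("recursion", "yes").lower() != "yes":   # BIND 9 default is yes
        return findings
    # Fallback chain for an unset allow-recursion, per the BIND 9 ARM.
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:
            source, allowed = key, _acl(opts[key])
            break
    else:
        source, allowed = "built-in default", ["localnets", "localhost"]
    if OPEN_TO_ALL & {a.lower() for a in allowed}:
        findings.append("open recursive resolver: 'recursion yes' and clients "
                        f"matching {allowed} may recurse (taken from {source}); "
                        "set 'recursion no' on an internet-facing authoritative server")
    return findings


if __name__ == "__main__":
    print("posted:", audit_recursion(parse_options(NAMED_CONF)) or ["ok"])
    print("fixed: ", audit_recursion(parse_options(NAMED_CONF_FIXED)) or ["ok"])
```

An open resolver is also detectable from outside: a recursive query for a name the server is not authoritative for should come back with the RA flag clear and REFUSED status once `recursion no` is in place.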