
I have two name servers set up with BIND. The website, example.com, pings and displays fine, so I know the DNS record for it is OK. But browsing to mail.example.com and pinging mail.example.com fails 90% of the time.

The funny thing is that sometimes a ping test does find mail.example.com and I can check my webmail just fine by browsing to mail.example.com, but that only lasts for about 30 minutes; then any ping test after that is back to not being able to resolve mail.example.com and I am not able to navigate to mail.example.com.

By the way, if I ping the mail server just by its public IP and not by the host name mail.example.com, everything is fine and resolves 100% of the time. I can also navigate to my mail server IP in the browser 100% of the time to check my mail and everything is fine. I know this is not a server issue; it's got to be DNS.

I don't have something right with my DNS server.

Please have a look at my information below and see if you can tell me what I am doing wrong.

When mail.example.com does load in the browser, I run a ping test and this is what I get.

Pinging mail.phrixis.com [52.27.16.178] with 32 bytes of data:
Request timed out.

It's actually showing the IP of my mail server.

When I browse to mail.example.com and it doesn't load, I do a ping test and this is what I get.

ping mail.phrixis.com
ping: unknown host mail.phrixis.com

It's not picking up the mail server IP at all this time, so that is why it's not loading in the browser.

It's as if my DNS server half the time is saying, "Yeah, I know where mail.example.com is located," and the other half of the time it's saying, "Nope, I forgot where mail.example.com is."

When logged into ns1.example.com, I dig for mail.example.com and this is what I get.

[root@ns1 ~]# dig @localhost mail.phrixis.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.1 <<>> @localhost mail.phrixis.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8581
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mail.phrixis.com.              IN      A

;; ANSWER SECTION:
mail.phrixis.com.       86400   IN      A       52.27.16.178

;; AUTHORITY SECTION:
phrixis.com.            86400   IN      NS      ns1.phrixis.com.
phrixis.com.            86400   IN      NS      ns2.phrixis.com.

;; ADDITIONAL SECTION:
ns1.phrixis.com.        86400   IN      A       107.170.58.69
ns2.phrixis.com.        86400   IN      A       138.197.212.168

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon May  8 20:00:02 2017
;; MSG SIZE  rcvd: 118

[root@ns1 ~]#

When logged into ns1.example.com, I dig example.com and this is what I get.

[root@ns1 ~]# dig @localhost phrixis.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.1 <<>> @localhost phrixis.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31758
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;phrixis.com.                   IN      A

;; ANSWER SECTION:
phrixis.com.            86400   IN      A       162.243.60.215

;; AUTHORITY SECTION:
phrixis.com.            86400   IN      NS      ns1.phrixis.com.
phrixis.com.            86400   IN      NS      ns2.phrixis.com.

;; ADDITIONAL SECTION:
ns1.phrixis.com.        86400   IN      A       107.170.58.69
ns2.phrixis.com.        86400   IN      A       138.197.212.168

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon May  8 20:03:58 2017
;; MSG SIZE  rcvd: 113

[root@ns1 ~]#

Here is my named.conf file

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        #listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-transfer  { localhost; 138.197.212.168; };
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "phrixis.com" IN {
        type master;
        file "phrixis.com.zone";
        allow-update { none; };
};

Here is my example.com.zone file

$TTL 86400
@  IN   SOA     ns1.phrixis.com. root.phrixis.com. (
        2013042201      ;Serial
        3600            ;Refresh
        1800            ;Retry
        604800          ;Expire
        86400           ;Minimum TTL
)
; Specify our two nameservers
                IN      NS              ns1.phrixis.com.
                IN      NS              ns2.phrixis.com.
; Resolve nameserver hostnames to IP, replace with your two droplet IP addresses.
ns1             IN      A               107.170.58.69
ns2             IN      A               138.197.212.168

; Define hostname -> IP pairs which you wish to resolve.
@               IN      A               162.243.60.215
WWW             IN      A               162.243.60.215
mail            IN      A               52.27.16.178
; MX for the zone apex. The owner must be given explicitly: a blank owner
; inherits the previous record's owner, which would make this mail.phrixis.com's MX.
@               IN      MX      10      mail.phrixis.com.

Any response is greatly appreciated, as I am new to running DNS servers.

Michael
  • You included two digs to ns1. None to ns2. ns2 doesn't know about the mail hostname. –  May 08 '17 at 23:05

1 Answer

It is obvious why the DNS resolution sometimes works and sometimes doesn't. You have advertised two authoritative name servers, ns1.phrixis.com. and ns2.phrixis.com.. One of them, ns2.phrixis.com., is not resolving the DNS entry:

$ dig @ns1.phrixis.com mail.phrixis.com +short
52.27.16.178
$ dig @ns2.phrixis.com mail.phrixis.com +short
$

Solution: make sure that ns2 has the right record as well. I can see that you have the allow-transfer block for ns2, allow-transfer { localhost; 138.197.212.168; };, but you need to validate that the zone records are being replicated to ns2.

If ns2 is a secondary dns server, make sure it has the right configuration and that the zone transfer from ns1 to ns2 is working.

Also make sure that ns2 doesn't have any firewall blocking port 53 udp/tcp.

Reference for setting up a slave DNS server: http://www.microhowto.info/howto/configure_bind_as_a_slave_dns_server.html

Daniel t.
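An added example (not code from the original question or answer) that performs the check the answer recommends: send a non-recursive A query directly to each advertised authoritative server and compare the replies, flagging a server that answers NODATA or NXDOMAIN, a non-authoritative answer, or servers that disagree. It uses only the Python standard library. The wire-format helpers handle A records over UDP/IPv4 only; `build_response` and the ns1/ns2 replies in `demo()` are constructed fixtures modelled on the behaviour described above, not real server output; `query_server` is assumed to be given IPv4 server addresses.

```python
"""Added example (not from the original post): query each advertised
authoritative server for one name and compare the answers. Stdlib only."""
import random
import socket
import struct
import sys

QTYPE_A, QCLASS_IN = 1, 1

def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid=None, rd=False):
    """Build a DNS A query. rd=False: we want the server's own data, not recursion."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def build_response(qid, name, ips, rcode=0):
    """Constructed authoritative reply (test fixture only; QR=1, AA=1)."""
    hdr = struct.pack("!HHHHHH", qid, 0x8400 | rcode, 1, len(ips), 0, 0)
    msg = hdr + _encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    for ip in ips:  # owner name = compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 86400, 4) + socket.inet_aton(ip)
    return msg

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def parse_response(msg):
    """Return transaction id, rcode, AA flag and the A records in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # skip qtype + qclass
    answers = []
    for _ in range(an):
        owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((owner, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400), "answers": answers}

def query_server(server_ip, name, timeout=3.0):
    """Send one non-recursive A query over UDP straight to an authoritative server (IPv4)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        data, _ = s.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError(f"{server_ip}: transaction ID mismatch")
    return reply

def diagnose(name, replies):
    """replies: {server_label: parsed reply}. Returns problem strings; empty list = consistent."""
    problems, seen = [], {}
    for server, r in replies.items():
        ips = tuple(sorted(ip for _, ip in r["answers"]))
        if r["rcode"] == 3:
            problems.append(f"{server}: NXDOMAIN for {name}")
        elif not ips:
            problems.append(f"{server}: NOERROR but no A record for {name} (NODATA; zone out of date?)")
        elif not r["aa"]:
            problems.append(f"{server}: answer for {name} is not authoritative (AA flag clear)")
        seen[server] = ips
    if len(set(seen.values())) > 1:
        problems.append("servers disagree: " + ", ".join(f"{s}={list(v)}" for s, v in seen.items()))
    return problems

def demo():
    """Constructed replies modelled on the page: ns1 has the record, ns2 answers NODATA."""
    name = "mail.phrixis.com"
    replies = {
        "ns1": parse_response(build_response(1, name, ["52.27.16.178"])),
        "ns2": parse_response(build_response(2, name, [])),  # authoritative, but empty
    }
    return diagnose(name, replies)

if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("\n".join(demo()) or "consistent")
    else:
        qname, servers = sys.argv[1], sys.argv[2:]
        issues = diagnose(qname, {ip: query_server(ip, qname) for ip in servers})
        print("\n".join(issues) or f"all {len(servers)} servers agree on {qname}")
```

Run against the page's two servers with `python3 dnscheck.py mail.phrixis.com 107.170.58.69 138.197.212.168`; with no arguments it runs the constructed demo. A server that answers NOERROR with no records while claiming authority (AA set) is exactly the stale-secondary symptom: it holds the zone, but an old copy. If that is what ns2 shows, confirm the transfer path next with `dig @138.197.212.168 phrixis.com AXFR` from ns1 and check that the serial in ns2's SOA matches ns1's; a secondary only pulls a new copy when the primary's serial is higher than its own.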