DNS stuff (bind cfg and theory)


Ovidiu
8th November 2005, 15:06
hi guys,

I registered a domain name ending with .ro - during registration I was asked to enter DNS, I entered my IP for both primary and secondary.
now I got this email confirming that my request is being processed:

At the end of each month, a periodic zone check is performed for all the
domains to collect errors, hostcount and other domain statistics. You are very
kindly asked to allow zone transfer for the machines ftp.rnc.ro (192.162.16.79),
server.rotld.ro (192.162.16.225) and s2.rnc.ro (192.162.16.6). These three machines
run software for the validation of the nameservers delegated to the .ro domains.
Also RIPE hostcount statistics depend on this data.

now what needs to be done with ispconfig? I guess I need to add a new site pointing to webspace, with the name newdomain.ro and tick DNS so dns records will be set up.

is that all? I do not really know much about DNS, is there a link to a good site explaining DNS theory? I only know the "basics" about DNS and mx records, that's it. I mean I know you can't summarize it all in a few sentences but I just need a general overview, maybe an explanation of the terms used like zones, zone transfer, etc.

falko
8th November 2005, 16:29
It's not necessary that you create a new web site, but you should create DNS records for that domain under DNS Manager. That's all you have to do.

Ovidiu
8th November 2005, 23:36
kind of ;-)
if I start creating a new DNS record it asks me a lot of questions, if I create a new site (which I also will need as I said I registered this new domain) it will not ask me anything except the domain details I have to fill in anyway.
Besides was this right : I entered my IP for both primary and secondary ?

falko
8th November 2005, 23:54
Quote:
Besides was this right : I entered my IP for both primary and secondary ?

Where did you enter it?

Ovidiu
8th November 2005, 23:57
I registered a domain name ending with .ro - during registration I was asked to enter DNS, I entered my IP for both primary and secondary.

I can guess where you are aiming from your tone alone...

I entered my IP as 1. + 2. DNS during registrations, now I had a look at the DNS entry on my server and there are the 2 nameservers of my provider entered as DNS so I guess it's all fine.

If I understood this right: all computers asking for my domain will get my IP as DNS => when they arrive at my domain they will be "connected" to the net using the NS of my provider ? So I am acting like a cache ? Is this right? if not really could you maybe sum it up in 1-2 sentences?

Ovidiu
21st November 2005, 11:45
now I recently tried to register another .ru domain and during registration they asked about nameserver names and IPs and sent me an email explaining that they need the nameservers of my server - which I did not understand, I mean if I give them the nameservers of my host, he will know nothing about my new domain, I guess again I have to give them my IP for 1st. and 2nd NS but what about the NS names which they want???

how do you guys handle this stuff?

P.S. this would be quite urgent, so please somebody give me some hints.

falko
21st November 2005, 12:21
I guess you have to create the proper DNS records first before you register the domains, and when you register the domain, you tell them those name servers where you created the records (e.g. ns1.example.com and ns2.example.com).

Ovidiu
21st November 2005, 13:06
Quote:
I guess you have to create the proper DNS records first before you register the domains, and when you register the domain, you tell them those name servers where you created the records (e.g. ns1.example.com and ns2.example.com).

when you say I should create the dns records, do you mean I should make a new site in my ispcfg panel, say create dns and that's it? I guess I can look up the created information in the DNS manager of ispcfg, right? But what about the ns ? I mean I can only give my servername or IP?

what about this ns1.example.com and ns2.example.com stuff where should that info come from?

falko
21st November 2005, 14:25
http://www.howtoforge.com/forums/showthread.php?t=1207

Ovidiu
21st November 2005, 14:39
thank you ;-)

that link pretty much explained exactly what I was asking for. BUT I asked on the 8th and the other guy, two days later so I did not do a search on the topic again.
The last thing I am unsure about is this: let's say I do not use a dedicated NS instead I just let my webserver be a NS too, can I just use the servername like hxxxx.serverkompetenz.net (which resolves to my IP) instead of the usual naming convention aka ns.myserver.com ?

falko
21st November 2005, 15:58
Quote:
The last thing I am unsure about is this: let's say I do not use a dedicated NS instead I just let my webserver be a NS too, can I just use the servername like hxxxx.serverkompetenz.net (which resolves to my IP) instead of the usual naming convention aka ns.myserver.com ?

Yes, should be ok.

Ovidiu
25th November 2005, 12:37
I tried to test the DNS records of one of the domains I am offering NS for locally on my server at: http://www.dnsreport.com/
and it reported this error:

ERROR: One or more of the NS records that your nameservers report are invalid:
81.169.163.106. is not a valid host name (it must be a host name, not an IP address)
81.169.163.104. is not a valid host name (it must be a host name, not an IP address)

when registering the domain I gave my hostname and IP as NS, which is ok so far, the above IPs are the nameservers I have set in the /etc/resolve.conf (I think this is the file where the nameservers for my server are listed...) should I enter their names there instead of the IPs?

falko
25th November 2005, 13:13
81.169.163.106 and 81.169.163.104 are Strato name servers! When you register the domain, you have to set your own name servers as authoritative name servers for the domain!

Ovidiu
25th November 2005, 13:21
I did that.
I set up hxxxx.serverkompetenz.net (my servername) as the authoritative NS for my domain. Still when doing the test I get the above error, the domain I am talking about is zice.ro (test it here: http://www.dnsreport.com/tools/dnsreport.ch?domain=zice.ro )

falko
25th November 2005, 13:34
I did a dig zice.ro.
This doesn't look ok:
;; AUTHORITY SECTION:
zice.ro. 10800 IN NS zice.ro.
It's the hen <-> egg problem.

Please post your zone file. Under Debian it must be something like /etc/bind/pri.zice.ro.

Ovidiu
25th November 2005, 14:06
$TTL 86400
@       IN      SOA     81.169.163.104. admin.zice.ro. (
                        2005112301      ; serial, todays date + todays serial #
                        28800           ; refresh, seconds
                        7200            ; retry, seconds
                        604800          ; expire, seconds
                        86400 )         ; minimum, seconds
;
                NS      81.169.163.104. ; Inet Address of name server 1
                NS      81.169.163.106. ; Inet Address of name server 2
;

                MX      10 mail.

zice.ro.        A       81.169.176.18
www             A       81.169.176.18
mail            A       81.169.176.18

;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;

falko
25th November 2005, 18:58
Quote:
$TTL 86400
@       IN      SOA     81.169.163.104. admin.zice.ro. (
                        2005112301      ; serial, todays date + todays serial #
                        28800           ; refresh, seconds
                        7200            ; retry, seconds
                        604800          ; expire, seconds
                        86400 )         ; minimum, seconds
;
                NS      81.169.163.104. ; Inet Address of name server 1
                NS      81.169.163.106. ; Inet Address of name server 2
;

                MX      10 mail.

zice.ro.        A       81.169.176.18
www             A       81.169.176.18
mail            A       81.169.176.18

;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;

You have put the Strato name servers into that file instead of your hxxx.serverkompetenz.net server. Try to change that.

Ovidiu
25th November 2005, 20:26
sorry I don't understand that. I have the Strato NS inside, it's the ...104 and ...106 IPs, my hxxxx.serverkompetenz.net is nowhere inside this file as you can see.

except here, but it's ok here as I have understood:
zice.ro. A 81.169.176.18
www A 81.169.176.18
mail A 81.169.176.18

You just left me with a big questionmark on my face???

falko
26th November 2005, 18:03
Your file should look like this:

$TTL 86400
@       IN      SOA     hxxx.serverkompetenz.net. admin.zice.ro. (
                        2005112301      ; serial, todays date + todays serial #
                        28800           ; refresh, seconds
                        7200            ; retry, seconds
                        604800          ; expire, seconds
                        86400 )         ; minimum, seconds
;
                NS      hxxx.serverkompetenz.net. ; Inet Address of name server 1
                NS      hxxx.serverkompetenz.net. ; Inet Address of name server 2
;

                MX      10 mail.

zice.ro.        A       81.169.176.18
www             A       81.169.176.18
mail            A       81.169.176.18

;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;

So somewhere in your ISPConfig settings you have entered the IP addresses of Strato's name servers instead of hxxx.serverkompetenz.net.

Ovidiu
26th November 2005, 23:36
*doh*
I was stupid ;-) got it working now, thx

Ovidiu
27th November 2005, 01:51
:mad: still some more questions and errors:

question:

MX 10 mail.

zice.ro. A 81.169.176.18
www A 81.169.176.18
mail A 81.169.176.18

Does that look right? Or should it be like this:

MX 10 mail.zice.ro

zice.ro. A 81.169.176.18
www.zice.ro A 81.169.176.18
mail.zice.ro A 81.169.176.18

errors:

have a look at the recent changes of the report here: http://www.dnsreport.com/tools/dnsreport.ch?domain=zice.ro

###edit###

I found out this is right:
MX 10 mail

zice.ro. A 81.169.176.18
www A 81.169.176.18
mail A 81.169.176.18
* A 81.169.176.18


but now I stumbled upon the SPF records, found a wizard here: http://www.openspf.org/wizard.html?mydomain=zice.ro&a=yes&mx=yes&ptr=no&a_colon=&mx_colon=&ip4_colon=&include=&all=yes&record_so_far=%22v%3Dspf1+a+mx+%7Eall%22&use_built_from_args=1

but the results differ from the results of ispcfg.

The wizards results:
Paste this into your zone file:

zice.ro. IN TXT "v=spf1 a mx ~all"
So this should also appear in DNS. You may or may not be in charge of the DNS for these entries; if you are, add them.

h5810.serverkompetenz.net. IN TXT "v=spf1 a -all"
mail.zice.ro. IN TXT "v=spf1 a -all"


while ispcfg comes up only with this:

mail.zice.ro. IN TXT "v=spf1 a mx ~all"


Sorry for all these, maybe dumb, questions but once I stumble upon a thing I can't rest until it's (perfectly) finished ;-)

Btw. does anyone here use a DNS provider he can recommend?

falko
27th November 2005, 16:50
It can be

MX 10 mail.zice.ro.

zice.ro. A 81.169.176.18
www.zice.ro. A 81.169.176.18
mail.zice.ro. A 81.169.176.18

(note the dot at the end of each FQDN!!!)

or

MX 10 mail

zice.ro. A 81.169.176.18
www A 81.169.176.18
mail A 81.169.176.18

if you want to use relative host names. Please have a look here:
http://langfeldt.net/DNS-HOWTO/BIND-9/


Quote:
The wizards results:

Paste this into your zone file:

zice.ro. IN TXT "v=spf1 a mx ~all"
So this should also appear in DNS. You may or may not be in charge of the DNS for these entries; if you are, add them.

h5810.serverkompetenz.net. IN TXT "v=spf1 a -all"
mail.zice.ro. IN TXT "v=spf1 a -all"

while ispcfg comes up only with this:

mail.zice.ro. IN TXT "v=spf1 a mx ~all"

Why don't you create three SPF records in ISPConfig, like the ones the wizard proposes?

Quote:
Btw. does anyone here use a DNS provider he can recommend?

For my technical domain I'm using DirectI's ( http://www.directi.com/ ) DNS manager.
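
The two mistakes this thread works through (an IP address where SOA, NS or MX needs a host name, and names with a missing or stray trailing dot) can be caught before BIND is reloaded. The following is an added example, not code from the thread or from ISPConfig; `check_name`, `lint_zone` and the sample zone are constructed for illustration and handle only simple one-record-per-line zones.

```python
import ipaddress

def check_name(name, origin):
    """Return a problem string for a host-name field, or None if it looks fine."""
    try:
        ipaddress.ip_address(name.rstrip("."))
        return f"{name} is an IP address; a host name is required here"
    except ValueError:
        pass
    if name.endswith("."):  # absolute name: "mail." is "mail" in the root zone
        return f"{name} is an absolute single-label name" if name.count(".") == 1 else None
    if "." in name:  # relative name containing dots: the origin is appended
        return f"{name} lacks the trailing dot and expands to {name}.{origin}"

def lint_zone(text, origin):
    """Lint a simple zone file; origin is the zone name with its trailing dot."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split(";", 1)[0].replace("(", " ").replace(")", " ").split()
        if not tokens or tokens[0].startswith("$"):
            continue
        owner = None if raw[0].isspace() else tokens.pop(0)  # indented: no owner field
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)  # skip optional TTL and class
        if not tokens:
            continue  # SOA timer continuation lines end up here
        rtype, rdata = tokens[0].upper(), tokens[1:]
        names = [] if owner in (None, "@", "*") else [owner]
        idx = {"SOA": 0, "NS": 0, "CNAME": 0, "MX": 1}.get(rtype)  # host-name field
        if idx is not None and len(rdata) > idx:
            names.append(rdata[idx])
        findings += [(no, rtype, p) for p in (check_name(n, origin) for n in names) if p]
    return findings

# Constructed sample that combines the mistakes discussed in the thread.
SAMPLE = """\
$TTL 86400
@ IN SOA 81.169.163.104. admin.zice.ro. (
        2005112301 28800 7200 604800 86400 )
        NS 81.169.163.104.
        NS hxxx.serverkompetenz.net.
        MX 10 mail.
zice.ro.     A 81.169.176.18
www.zice.ro  A 81.169.176.18
"""

if __name__ == "__main__":
    for no, rtype, problem in lint_zone(SAMPLE, "zice.ro."):
        print(f"line {no} [{rtype}]: {problem}")
```

BIND ships `named-checkzone` for full syntax validation; this sketch only illustrates the naming rules from the thread.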

Ovidiu
27th November 2005, 18:57
thx for the tips,

I partly managed to fix it but it was tricky to do, if one does not really know what is to be filled in in the ispcfg... the fields have different names than used in other tools / other how-to s

I figured out how to create this

zice.ro. IN TXT "v=spf1 a mx ~all"
this: mail.zice.ro. IN TXT "v=spf1 a mx ~all" I already had, but I have no clue how to create the last one:
h5810.serverkompetenz.net. IN TXT "v=spf1 a -all"

AND there seems to be some error somewhere (doesn't have to be ispcfg)... all of a sudden, that online-dns test did not work anymore, I had a look in the control panel and all looked normal, but when having a look into the pri.zice.ro file I saw there was a "." after MX 10 mail => MX 10 mail. which did not work. I manually deleted it and hopefully it will stay away ;)

Still I have no clue as to what stealth ns are, I am going to read your link to the how-to now, thx

Ovidiu
3rd March 2006, 13:31
sorry, probs again after reinstalling server with my NS records. could anyone post a working pri.xxxxx file here? including mx records and SPF records? you can take out IP addresses or hostnames,

thx

and on the other hand a dns report on zice.ro gives me this:

ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it. This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:

Server 81.169.176.18 reports that it will do recursive lookups.
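
A name server advertises that it will recurse by setting the recursion-available (RA) flag in its reply header. As an added example (not from the thread or from dnsreport; the function names and sample packets are constructed), this builds a recursive query and classifies the reply, so the setting can be verified on your own server:

```python
import socket
import struct

QR, RD, RA = 0x8000, 0x0100, 0x0080  # header flag bits (RFC 1035)
REFUSED = 5

def build_query(qname, txid=0x1234):
    """Build an A-record query with the recursion-desired (RD) bit set."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(packet):
    """Classify the reply to a recursive query for a name the server does not host."""
    if len(packet) < 12:
        return "malformed"
    _txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not (flags & QR):
        return "malformed"  # not a response
    if (flags & 0x000F) == REFUSED:
        return "refused"
    return "recursion-offered" if flags & RA else "no-recursion"

def probe(server_ip, qname="example.com", timeout=3.0):
    """Send one recursive query to your own name server and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname), (server_ip, 53))
        return classify_response(sock.recv(512))

# Constructed reply headers (12 bytes each): only the flags word and counts differ.
SAMPLES = {
    "open resolver": struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0),
    "recursion disabled": struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 13, 0),
    "query refused": struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0),
}

if __name__ == "__main__":
    for label, packet in SAMPLES.items():
        print(f"{label}: {classify_response(packet)}")
```

In BIND, recursion is controlled in the `options` block of named.conf with the `recursion` and `allow-recursion` statements.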

falko
3rd March 2006, 17:59
Quote:
sorry, probs again after reinstalling server with my NS records. could anyone post a working pri.xxxxx file here? including mx records and SPF records? you can take out IP addresses or hostnames,

thx

Here you go:

$TTL 86400
@       IN      SOA     ns5.example.com. hostmaster.example.com. (
                        2004122103      ; serial, todays date + todays serial #
                        28800           ; refresh, seconds
                        7200            ; retry, seconds
                        604800          ; expire, seconds
                        86400 )         ; minimum, seconds
;
                NS      ns5.example.com. ; Inet Address of name server 1
                NS      ns6.example.com. ; Inet Address of name server 2
;

                MX      10 mail.test.de.

test.de.        A       1.2.3.4
www             A       1.2.3.4
mail            A       1.2.3.4

test.de.        IN TXT  "v=spf1 a mx ~all"

;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;

Ovidiu
5th March 2006, 19:48
ok thx. but how would it look like with 2 nameservers? I tried to put hxxxx.serverkompetenz.net and mail.zice.ro as nameservers, does not work, I do not really know how to input this into ispconfig panel...

here's my pri.zice.ro

$TTL 86400
@       IN      SOA     h5810.serverkompetenz.net. admin.zice.ro. (
                        2006030506      ; serial, todays date + todays serial #
                        28800           ; refresh, seconds
                        7200            ; retry, seconds
                        604800          ; expire, seconds
                        86400 )         ; minimum, seconds
;
                NS      h5810.serverkompetenz.net. ; Inet Address of name server 1
                NS      h5810.serverkompetenz.net. ; Inet Address of name server 2
;

                MX      10 h5810.serverkompetenz.net.

zice.ro.        A       81.169.176.18
www             A       81.169.176.18
mail            A       81.169.176.18

mail.zice.ro.   TXT     "v=spf1 a mx ~all"

;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;


besides that do you have any clue why the test above said I have an open dns server? I did all according to the debian perfect setup...


and have a look at your example: test.de. IN TXT "v=spf1 a mx ~all" my record does not have the IN ? why would that be missing?

falko
5th March 2006, 20:42
Quote:
ok thx. but how would it look like with 2 nameservers? I tried to put hxxxx.serverkompetenz.net and mail.zice.ro as nameservers, does not work, I do not really know how to input this into ispconfig panel...

You must enter your two name servers under Management -> Server -> Settings -> DNS.

Quote:
besides that do you have any clue why the test above said I have an open dns server? I did all according to the debian perfect setup...

That's ok. It means that everyone can use your nameserver to resolve domain names, like you can use nameservers of different providers for your computers.

Quote:
and have a look at your example: my record does not have the IN ? why would that be missing?

Bind understands both formats (with and without IN).

Ovidiu
6th March 2006, 01:26
I am sorry I have confused you, what I meant was not 2 DNS servers but 2 MX servers. I tried entering values manually as well as using the cfp panel but I am not sure what is expected if I want to add mail.zice.ro as mailserver - what to enter into hostname and what into mailserver... its a bit confusing to me, sorry.

till
6th March 2006, 08:57
If you want to add MX records in ISPConfig DNS-Manager, leave the hostname field blank and enter the domain of your mailserver in the mailserver field.