DNS Failure


eal1619
17th October 2007, 07:55
Issues:
Hi, I'm experiencing an inconsistent report from the ISPConfig control panel, which indicates that all services are up and running without issues. The problem is that the command-line tool "dig" and the DOS command-line "ping" both indicate that the name server responsible for mydomain.tld is unreachable, stating: 'connection timed out; no servers could be reached'. The system was reconfigured a week ago, handing name server responsibility to BIND9 under ISPConfig on the advice of GoDaddy; I used a How-To posted here to set up two name servers, a master and a slave running on two separate machines, ns1.mydomain.tld and ns2.mydomain.tld respectively. Yet web pages, email, administration and FTP services are only accessible using the static IP address.
The new configuration has been running for a week (before then, GoDaddy and Qwest managed my DNS needs), but since yesterday I have lost the ability to resolve DNS queries, yet ISPConfig reports that my name server is up and running. I contacted GoDaddy; they told me it was Qwest's fault (my ISP); Qwest says it's my fault. I've been fooling around with name server issues for two months now, and every time I think I'm out of the woods, the system works a few days and fails and I'm back to square one. I figure if the experiment doesn't kill me I should in the end become a master of all things DNS.
So, does anyone know what I should do? Thank you in advance.

till
17th October 2007, 10:24
Please run the command on your server:

dig @localhost yourdomain.com

Do you get an answer from the nameserver? If not, post the output of:

netstat -tap
iptables -L

eal1619
18th October 2007, 00:07
Hi, these are the printouts you've requested; Thank you.

mydomain:~ # dig @localhost mydomain.tld ; printout reads

; <<>> DiG 9.3.2 <<>> @localhost mydomain.tld
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22372
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mydomain.tld. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct 17 14:32:11 2007
;; MSG SIZE rcvd: 29


mydomain:~ # netstat -tap ; printout reads

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:imaps *:* LISTEN 4693/couriertcpd
tcp 0 0 *:pop3s *:* LISTEN 4702/couriertcpd
tcp 0 0 *:mysql *:* LISTEN 2297/mysqld
tcp 0 0 *:netbios-ssn *:* LISTEN 4777/smbd
tcp 0 0 *:pop3 *:* LISTEN 4667/couriertcpd
tcp 0 0 *:imap *:* LISTEN 4681/couriertcpd
tcp 0 0 *:sunrpc *:* LISTEN 4377/portmap
tcp 0 0 localhost:novell-zen *:* LISTEN 4641/zmd
tcp 0 0 *:www-http *:* LISTEN 3290/httpd2-prefork
tcp 0 0 *:hosts2-ns *:* LISTEN 3020/ispconfig_http
tcp 0 0 localhost:820 *:* LISTEN 4884/famd
tcp 0 0 *:ftp *:* LISTEN 18025/proftpd: (acc
tcp 0 0 67.42.41.26:domain *:* LISTEN 7664/named
tcp 0 0 LynnBoxS0.datace:domain *:* LISTEN 7664/named
tcp 0 0 localhost:domain *:* LISTEN 7664/named
tcp 0 0 *:ssh *:* LISTEN 4631/sshd
tcp 0 0 localhost:ipp *:* LISTEN 4639/cupsd
tcp 0 0 *:smtp *:* LISTEN 17949/master
tcp 0 0 localhost:953 *:* LISTEN 7664/named
tcp 0 0 *:https *:* LISTEN 3290/httpd2-prefork
tcp 0 0 *:microsoft-ds *:* LISTEN 4777/smbd
tcp 0 0 67.42.41.26:ssh 67.42.41.29:aas ESTABLISHED 12068/3
tcp 0 0 67.42.41.26:ssh 67.42.41.2:sun-as-iiops ESTABLISHED 13088/4


mydomain:~ # iptables -L ; printout reads

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:imaps *:* LISTEN 4693/couriertcpd
tcp 0 0 *:pop3s *:* LISTEN 4702/couriertcpd
tcp 0 0 *:mysql *:* LISTEN 2297/mysqld
tcp 0 0 *:netbios-ssn *:* LISTEN 4777/smbd
tcp 0 0 *:pop3 *:* LISTEN 4667/couriertcpd
tcp 0 0 *:imap *:* LISTEN 4681/couriertcpd
tcp 0 0 *:sunrpc *:* LISTEN 4377/portmap
tcp 0 0 localhost:novell-zen *:* LISTEN 4641/zmd
tcp 0 0 *:www-http *:* LISTEN 3290/httpd2-prefork
tcp 0 0 *:hosts2-ns *:* LISTEN 3020/ispconfig_http
tcp 0 0 localhost:820 *:* LISTEN 4884/famd
tcp 0 0 *:ftp *:* LISTEN 18025/proftpd: (acc
tcp 0 0 67.42.41.26:domain *:* LISTEN 7664/named
tcp 0 0 LynnBoxS0.datace:domain *:* LISTEN 7664/named
tcp 0 0 localhost:domain *:* LISTEN 7664/named
tcp 0 0 *:ssh *:* LISTEN 4631/sshd
tcp 0 0 localhost:ipp *:* LISTEN 4639/cupsd
tcp 0 0 *:smtp *:* LISTEN 17949/master
tcp 0 0 localhost:953 *:* LISTEN 7664/named
tcp 0 0 *:https *:* LISTEN 3290/httpd2-prefork
tcp 0 0 *:microsoft-ds *:* LISTEN 4777/smbd
tcp 0 0 67.42.41.26:ssh 67.42.41.29:aas ESTABLISHED 12068/3
tcp 0 0 67.42.41.26:ssh 67.42.41.2:sun-as-iiops ESTABLISHED 13088/4

falko
18th October 2007, 16:12
> mydomain:~ # dig @localhost mydomain.tld
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22372
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; SERVER: 127.0.0.1#53(127.0.0.1)

At least you got an answer (instead of connection refused or something like that), so BIND is running.

Can you try this from another host again? E.g. dig @servers.ip.add.ress mydomain.tld

Also, can you post the output of iptables -L again? In your last post you posted the netstat output twice.
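The two readings Falko takes from the transcript above (a reply came back at all, so named is listening; no ANSWER section and no `aa` flag, so the server does not hold the zone) can be written down as a small triage routine. This is an added example, not code from the thread, from ISPConfig or from BIND. The sample transcripts are the header portions of the dig output quoted in this thread plus one healthy authoritative answer constructed here for contrast; no such healthy answer appears in the thread. One point it adds that the thread does not spell out: the `ra` flag in the SERVFAIL reply means the server is offering recursion to whoever asked, which an authoritative-only server should not advertise.

```python
import re

# Constructed samples: the header portion of the two kinds of dig transcript
# quoted in this thread (SERVFAIL from the server itself, and a timeout), plus
# one healthy authoritative answer made up here for contrast; no such healthy
# answer appears in the thread.
DIG_SERVFAIL = """\
; <<>> DiG 9.3.2 <<>> @localhost mydomain.tld
; (1 server found)
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22372
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

DIG_TIMEOUT = """\
; <<>> DiG 9.3.4 <<>> @67.42.41.25 mydomain.tld
;; global options: printcmd
;; connection timed out; no servers could be reached
"""

DIG_HEALTHY = """\
; <<>> DiG 9.3.2 <<>> @67.42.41.25 mydomain.tld
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; SERVER: 67.42.41.25#53(67.42.41.25)
"""

HEADER_RE = re.compile(r"status: (?P<status>[A-Z]+), id: \d+")
FLAGS_RE = re.compile(
    r";; flags: (?P<flags>[a-z ]*);\s*QUERY: \d+, ANSWER: (?P<ans>\d+), "
    r"AUTHORITY: (?P<auth>\d+), ADDITIONAL: \d+"
)


def parse_dig(text):
    """Reduce a dig transcript to the fields the triage needs."""
    if "no servers could be reached" in text:
        return {"reachable": False}
    header, flags = HEADER_RE.search(text), FLAGS_RE.search(text)
    if not header or not flags:
        raise ValueError("not a dig transcript")
    return {
        "reachable": True,
        "status": header["status"],
        "flags": set(flags["flags"].split()),
        "answer": int(flags["ans"]),
        "authority": int(flags["auth"]),
    }


def triage(text):
    """Classify the answer of a server that is supposed to be authoritative."""
    d = parse_dig(text)
    findings = []
    if not d["reachable"]:
        findings.append("no reply at all: named is not listening on that address, "
                        "or 53/udp is dropped on the way (check netstat -tap and iptables -L)")
        return {"verdict": "unreachable", "findings": findings}
    if "ra" in d["flags"]:
        # An authoritative-only server should answer 'qr aa' and never advertise 'ra'.
        findings.append("'ra' set: the server offers recursion to this client; "
                        "restrict allow-recursion on an authoritative server")
    if "aa" not in d["flags"]:
        findings.append("'aa' missing: the server does not hold the zone, so it was "
                        "never loaded, failed to load, or is named differently in "
                        "named.conf (named-checkconf, named-checkzone and the named log say why)")
        verdict = "not_authoritative"
    elif d["status"] == "NXDOMAIN":
        findings.append("zone is loaded, but the queried name is not in it")
        verdict = "nxdomain"
    elif d["status"] == "NOERROR" and d["answer"] > 0:
        verdict = "ok"
    else:
        findings.append("authoritative, but %s with an empty answer" % d["status"])
        verdict = "empty"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for name, sample in (("servfail", DIG_SERVFAIL), ("timeout", DIG_TIMEOUT),
                         ("healthy", DIG_HEALTHY)):
        result = triage(sample)
        print(name, "->", result["verdict"])
        for f in result["findings"]:
            print("   -", f)
```

Run against a real server, paste the transcript of `dig @<server-ip> <zone>` into `triage()`; the verdict `not_authoritative` is exactly the SERVFAIL-without-`aa` pattern every transcript in this thread shows, and it points at the zone load rather than at the firewall.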

eal1619
18th October 2007, 18:41
mydomain:~# iptables -L ; printout on local machine,

Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere loopback/8
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere
DROP 0 -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN 0 -- anywhere anywhere
PUB_IN 0 -- anywhere anywhere
PUB_IN 0 -- anywhere anywhere
PUB_IN 0 -- anywhere anywhere
DROP 0 -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
DROP 0 -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT 0 -- anywhere anywhere
PUB_OUT 0 -- anywhere anywhere
PUB_OUT 0 -- anywhere anywhere
PUB_OUT 0 -- anywhere anywhere

Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP 0 -- anywhere anywhere

Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere

Chain PAROLE (9 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere

Chain PUB_IN (4 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:http
PAROLE tcp -- anywhere anywhere tcp dpt:hosts2-ns
PAROLE tcp -- anywhere anywhere tcp dpt:pop3
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:imap
ACCEPT udp -- anywhere anywhere udp dpt:domain
DROP icmp -- anywhere anywhere
DROP 0 -- anywhere anywhere

Chain PUB_OUT (4 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere

mydomainS0:~ # dig @server.ip.add.ress datacell.us ; printout,

dig: couldn't get address for 'servers.ip.add.ress': not found

I do get messages such as "connection timed out" when I perform the "dig" command from another terminal, but on the local machine (the server in question) I get a printout of 'not found'. But all along the ISPConfig control panel reports that BIND9 is online; if you ping the IP address of the server, the machine replies without issues. You can use the IP address to access the FTP site and web pages with no problems; BIND9 is supposed to be the SOA, which it was for a week before something failed.

falko
19th October 2007, 12:54
> mydomain:~# iptables -L ; printout on local machine,
> Chain PUB_IN (4 references)
> PAROLE tcp -- anywhere anywhere tcp dpt:domain
> ACCEPT udp -- anywhere anywhere udp dpt:domain

Looks good. :)

> mydomainS0:~ # dig @server.ip.add.ress datacell.us ; printout,
> dig: couldn't get address for 'servers.ip.add.ress': not found

Did you replace servers.ip.add.ress with your server's IP address?

eal1619
20th October 2007, 01:30
Yes, its printout is:

hostname1: ~# dig "IP ADDRESS" mydomain.tld

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2256
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;"IP ADDRESS". IN A

;; AUTHORITY SECTION:
. 900 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2007101900 1000 900 604800 86400

;; Query time: 229 msec
;; SERVER: 68.6.16.30#53(68.6.16.30)
;; WHEN: Fri Oct 19 16:04:14 2007
;; MSG SIZE rcvd: 184


; <<>> DiG 9.3.4 <<>> "IP ADDRESS" mydomain.tld
;; global options: printcmd
;; connection timed out; no servers could be reached
hostname:~#

falko
21st October 2007, 00:26
You must put an @ in front of the IP address, like this:
dig @1.2.3.4 mydomain.tld

eal1619
21st October 2007, 05:58
I apologize,

hostname1:~# dig @"IP ADDRESS" mydomain.tld

; <<>> DiG 9.3.2 <<>> @"IP ADDRESS" mydomain.tld
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31019
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;datacell.us. IN A

;; Query time: 4 msec
;; SERVER: "IP ADDRESS"#53("IP ADDRESS")
;; WHEN: Sat Oct 20 20:46:22 2007
;; MSG SIZE rcvd: 29

hostname1:~#

Thank you.

falko
22nd October 2007, 13:46
There's no ANSWER section, which means your DNS server doesn't know mydomain.tld. Are you sure you added a zone for mydomain.tld in ISPConfig's DNS Manager?

eal1619
22nd October 2007, 20:09
I think so; the BIND daemon was originally configured by ISPConfig. When this problem began, any changes I attempted to make to the named.conf script resulted in server failure upon restart (concerning setting up a secondary name server, where a zone transfer directive was needed and added), so I was forced to return to the original script that was configured by proxy by ISPConfig when the mydomain.tld "master" DNS entry was set up in ISPConfig's DNS Manager. The primary name server worked for a week before failing, as it were. This is a copy of my /etc/named.conf:

options {
        pid-file "/var/lib/named/var/run/named/named.pid";
        directory "/var/lib/named";
        auth-nxdomain no;
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};

//
// a caching only nameserver config
//
zone "." {
        type hint;
        file "root.hint";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "127.0.0.zone";
};

zone "41.42.67.in-addr.arpa" {
        type master;
        file "pri.41.42.67.in-addr.arpa";
};

zone "mydomain.tld" {
        type master;
        file "pri.mydomain.tld";
};



//// MAKE MANUAL ENTRIES BELOW THIS LINE! ////


This is a copy of /var/lib/named/pri.41.42.67.in-addr.arpa:

$TTL 86400
@       IN SOA  NS1.mydomain.tld. hostmaster.mydomain.tld. (
                2007100802 ; serial, todays date + todays serial #
                28800      ; Refresh
                7200       ; Retry
                604800     ; Expire
                86400 )    ; Minimum TTL
        NS      NS1.MYDOMAIN.TLD.
        NS      NS2.MYDOMAIN.TLD.
25      PTR     mydomain.tld.
25      PTR     www.mydomain.tld.
25      PTR     mail.mydomain.tld.
25      PTR     LynnBoxS0.mydomain.tld.
25      PTR     ns1.mydomain.tld.
25      PTR     ftp.mydomain.tld.

;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;


This is a copy of my /var/lib/named/pri.mydomain.tld:

$TTL 86400
@       IN SOA  NS1.MYDOMAIN.TLD. admin.mydomain.tld. (
                2007101602 ; serial, todays date + todays serial #
                28800      ; refresh, seconds
                7200       ; retry, seconds
                604800     ; expire, seconds
                86400 )    ; minimum, seconds
;
        NS      NS1.MYDOMAIN.TLD. ; Inet Address of name server 1
        NS      NS2.MYDOMAIN.TLD. ; Inet Address of name server 2
;

        MX 10   mail.mydomain.tld.
        MX 20   LynnBoxS0.mydomain.tld.

mydomain.tld.   A   67.42.41.25
www             A   67.42.41.25
mail            A   67.42.41.25
LynnBoxS0       A   67.42.41.25
ftp             A   67.42.41.25

datacell.us.    TXT "v=spf1 ip4:67.42.41.24 ip4:67.42.41.25 ip4:67.42.41.26 ip4:67.42.41.27 ip4:67.42.41.28 ip4:67.42.41.29 ip4:67.42.41.30 ip4:67.42.41.31 a mx ptr a:lynnboxs0.mydomain.tld a:mail.mydomain.tld a:www.mydomain.tld a:mydomain.tld mx:mydomain.tld mx:lynnboxs0.mydomain.tld mx:mail.mydomain.tld mx:www.mydomain.tld include:a ~all"

;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;

Thank you.

falko
23rd October 2007, 19:17
> when this problem began any changes I attempted to make to the named.conf script resulted in server failure upon restart

What was the exact error message? Any errors in your logs?

eal1619
23rd October 2007, 20:41
There appears to be nothing in my logs concerning the BIND9 failure; as of right now ISPConfig indicates that BIND9 is up and running and everything is fine (though this is not true: '#dig @"ip address" mydomain.tld' on the command line prints SERVFAIL as the status of the supposed SOA name server, which is 'ns1.datacell.us'). Last week when I attempted to adjust the named.conf script to allow a zone transfer to a slave secondary name server, BIND9 went offline; when I removed the zone transfer section from the named.conf script and restarted the application, the BIND9 server returned to an online state according to ISPConfig. There appears to be no log specifically for BIND9; the log file is empty. For admin purposes I have the ISPConfig email client send messages concerning settings, monitoring and status to an outside email account at yahoo.com so I can access this information remotely even if I experience name server, mail directory, SMTP, or POP/IMAP failure. Such messages are basic, and simply inform you that a service using a specific port is offline.

Though I'm completely in the dark as to why this system isn't working, as far as I can tell it should (and it once did); I can't spend much more time on it. Should / could I just reinstall BIND9 and reconfigure it, or even reinstall the control panel and operating system?

falko
24th October 2007, 21:13
What's the output of netstat -tap? Do you get any errors when you restart BIND?

eal1619
24th October 2007, 21:49
Hi, here it is,

LynnBoxS0:~ # netstat -tap

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:imaps *:* LISTEN 4693/couriertcpd
tcp 0 0 *:pop3s *:* LISTEN 4702/couriertcpd
tcp 0 0 *:mysql *:* LISTEN 2297/mysqld
tcp 0 0 *:netbios-ssn *:* LISTEN 4777/smbd
tcp 0 0 *:pop3 *:* LISTEN 4667/couriertcpd
tcp 0 0 *:imap *:* LISTEN 4681/couriertcpd
tcp 0 0 *:sunrpc *:* LISTEN 4377/portmap
tcp 0 0 localhost:novell-zen *:* LISTEN 4641/zmd
tcp 0 0 *:www-http *:* LISTEN 3290/httpd2-prefork
tcp 0 0 *:hosts2-ns *:* LISTEN 3020/ispconfig_http
tcp 0 0 localhost:820 *:* LISTEN 4884/famd
tcp 0 0 ns2.datacell.us:domain *:* LISTEN 24340/named
tcp 0 0 LynnBoxS0.datace:domain *:* LISTEN 24340/named
tcp 0 0 localhost:domain *:* LISTEN 24340/named
tcp 0 0 *:ftp *:* LISTEN 12709/proftpd: (acc
tcp 0 0 *:ssh *:* LISTEN 4631/sshd
tcp 0 0 localhost:ipp *:* LISTEN 4639/cupsd
tcp 0 0 localhost:953 *:* LISTEN 24340/named
tcp 0 0 *:smtp *:* LISTEN 12656/master
tcp 0 0 *:https *:* LISTEN 3290/httpd2-prefork
tcp 0 0 *:microsoft-ds *:* LISTEN 4777/smbd
tcp 0 0 LynnBoxS0.datacel:53307 m1.2mdn.net:www-http ESTABLISHED 13552/firefox-bin
tcp 0 0 LynnBoxS0.datacell.:ssh 67.42.41.29:pacerforum ESTABLISHED 24200/3
LynnBoxS0:~ # /etc/init.d/named restart
Shutting down name server BIND done
Starting name server BIND done
LynnBoxS0:~ #

eal1619
24th October 2007, 21:58
Oh, this is the dig command-line code return on localhost:

LynnBoxS0:~ # dig @datacell.us
dig: couldn't get address for 'datacell.us': not found
LynnBoxS0:~ # dig @67.42.41.25 datacell.us

; <<>> DiG 9.3.2 <<>> @67.42.41.25 datacell.us
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24897
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;datacell.us. IN A

;; Query time: 1 msec
;; SERVER: 67.42.41.25#53(67.42.41.25)
;; WHEN: Wed Oct 24 12:50:01 2007
;; MSG SIZE rcvd: 29

LynnBoxS0:~ #

eal1619
24th October 2007, 22:10
Using a How-To found here, I've configured GoDaddy to point incoming DNS requests at NS1.DATACELL.US and NS2.DATACELL.US at IP addresses 67.42.41.25 and 67.42.41.26 respectively. My ISP Qwest Communications' Reverse DNS Configuration page has been configured to point toward NS1/NS2.DATACELL.US and the respective IP addresses. How do I get BIND9 to behave as an authoritative name server for the domain names concerned?

falko
25th October 2007, 17:14
> Using a How-To found here, I've configured GoDaddy to point incoming DNS requests at NS1.DATACELL.US and NS2.DATACELL.US at IP addresses 67.42.41.25 and 67.42.41.26 respectively.

Are you sure? Because I don't get an answer when I try to look up these hosts:

server2:~# dig NS1.DATACELL.US

; <<>> DiG 9.3.4 <<>> NS1.DATACELL.US
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51430
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 8

;; QUESTION SECTION:
;NS1.DATACELL.US. IN A

;; AUTHORITY SECTION:
us. 143101 IN NS I.GTLD.BIZ.
us. 143101 IN NS J.GTLD.BIZ.
us. 143101 IN NS K.GTLD.BIZ.
us. 143101 IN NS A.GTLD.BIZ.
us. 143101 IN NS B.GTLD.BIZ.
us. 143101 IN NS C.GTLD.BIZ.

;; ADDITIONAL SECTION:
I.GTLD.BIZ. 143101 IN AAAA 2001:503:d1ae:ffff:ffff:ffff:ffff:ff7e
I.GTLD.BIZ. 143101 IN A 156.154.96.126
J.GTLD.BIZ. 143101 IN AAAA 2001:503:a124:ffff:ffff:ffff:ffff:ff7e
K.GTLD.BIZ. 143101 IN AAAA 2001:503:e239::3:1
K.GTLD.BIZ. 143101 IN A 156.154.72.65
A.GTLD.BIZ. 128014 IN A 209.173.53.162
B.GTLD.BIZ. 128014 IN A 209.173.57.162
C.GTLD.BIZ. 128014 IN A 209.173.60.65

;; Query time: 354 msec
;; SERVER: 193.174.32.18#53(193.174.32.18)
;; WHEN: Thu Oct 25 18:56:35 2007
;; MSG SIZE rcvd: 303

server2:~# dig NS2.DATACELL.US

; <<>> DiG 9.3.4 <<>> NS2.DATACELL.US
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20004
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 8

;; QUESTION SECTION:
;NS2.DATACELL.US. IN A

;; AUTHORITY SECTION:
us. 143083 IN NS I.GTLD.BIZ.
us. 143083 IN NS J.GTLD.BIZ.
us. 143083 IN NS K.GTLD.BIZ.
us. 143083 IN NS A.GTLD.BIZ.
us. 143083 IN NS B.GTLD.BIZ.
us. 143083 IN NS C.GTLD.BIZ.

;; ADDITIONAL SECTION:
I.GTLD.BIZ. 143083 IN AAAA 2001:503:d1ae:ffff:ffff:ffff:ffff:ff7e
I.GTLD.BIZ. 143083 IN A 156.154.96.126
J.GTLD.BIZ. 143083 IN AAAA 2001:503:a124:ffff:ffff:ffff:ffff:ff7e
K.GTLD.BIZ. 143083 IN AAAA 2001:503:e239::3:1
K.GTLD.BIZ. 143083 IN A 156.154.72.65
A.GTLD.BIZ. 127996 IN A 209.173.53.162
B.GTLD.BIZ. 127996 IN A 209.173.57.162
C.GTLD.BIZ. 127996 IN A 209.173.60.65

;; Query time: 98 msec
;; SERVER: 193.174.32.18#53(193.174.32.18)
;; WHEN: Thu Oct 25 18:56:53 2007
;; MSG SIZE rcvd: 303

server2:~#

eal1619
29th October 2007, 19:35
I went back and reviewed the "HowTo" at http://www.howtoforge.com/ispconfig_dns_godaddy and the mistakes I made. I adjusted ISPConfig server #1 and made the step-wise adjustments to my GoDaddy "Domain Control Mngt.", and set up and configured an ISPConfig server #2 to the exact specification stated in the mentioned "HowTo"; now I'm back where I started from. I'm tempted to hand DNS / name server functions over to GoDaddy, but in the long run this won't do.
On page one of the "HowTo" they instruct you to create DNS records for both ns1.datacell.us and ns2.datacell.us that point at ISPConfig servers 1 and 2 respectively, and to take datacell.us out of parked status, in turn using their name servers. After these changes have propagated over the net, I can proceed to page 2 of the "HowTo".
The dig cmd printout in (b) shows the messages acquired after the page one changes were made: the dig @mydomain.tld cmd yielded "connection timed out; no servers could be reached", but dig mydomain.tld and dig any mydomain.tld supported the configuration changes made on page 1 of the "HowTo".
Now that I've turned over SOA to ns1.datacell.us and ns2.datacell.us after following the configuration plan on pages 2 and 3 of this "HowTo", I get the dig cmd printout in (a), shown below.


(a) These results were obtained after authority was handed over to ns1.datacell.us and ns2.datacell.us

DNSWatch -> DNS Lookup for datacell.us

Searching for datacell.us. A record at G.ROOT-SERVERS.NET. [192.112.36.4] ...took 127 ms
Searching for datacell.us. A record at I.GTLD.BIZ. [156.154.96.126] ...took 93 ms
Searching for datacell.us. A record at NS2.datacell.us. [67.42.41.29] ...took 210 ms
SERVFAIL
Searching for datacell.us. A record at NS1.datacell.us. [67.42.41.25] ...took 212 ms
SERVFAIL
Searching for datacell.us. A record at NS2.datacell.us. [67.42.41.29] ...took 209 ms
SERVFAIL
Searching for datacell.us. A record at NS1.datacell.us. [67.42.41.25] ...took 210 ms
SERVFAIL
None of the nameservers responded correctly.

Total elapsed query time: 1,061 ms

LynnBoxS1:~# dig datacell.us

; <<>> DiG 9.3.2 <<>> datacell.us
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53943
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;datacell.us. IN A

;; Query time: 414 msec
;; SERVER: 68.6.16.30#53(68.6.16.30)
;; WHEN: Mon Oct 29 10:50:40 2007
;; MSG SIZE rcvd: 29

LynnBoxS0:~# dig any datacell.us

; <<>> DiG 9.3.2 <<>> datacell.us
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53943
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;datacell.us. IN A

;; Query time: 414 msec
;; SERVER: 68.6.16.30#53(68.6.16.30)
;; WHEN: Mon Oct 29 10:50:40 2007
;; MSG SIZE rcvd: 29


DiG cmd any of ns1.datacell.us and ns2.datacell.us generates the same results, as well as DiG cmd w/o ‘any’ of ns1.datacell.us and ns2.datacell.us.

(b) These results were acquired when GoDaddy's name servers possessed authority, following the instructions on page one of the "HowTo"

LynnBoxS1:~# dig ns1.datacell.us any datacell.us
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30706
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;ns1.datacell.us IN ANY

;; ANSWER SECTION:
ns1.datacell.us 3600 IN A 67.42.41.25

;; AUTHORITY SECTION:
datacell.us 3537 IN NS ns43.domaincontrol.com
datacell.us 3537 IN NS ns44.domaincontrol.com

;; ADDITIONAL SECTION:
ns43.domaincontrol.com. 2592 IN A 208.109.78.180

;; Query time: 118 msec
;; SERVER: 68.6.16.30#53(68.6.16.30)
;; WHEN: Sun Oct 28 23:12:35 2007
;; MSG SIZE rcvd: 120


; <<>> DiG 9.3.4 <<>> ns1.datacell.us any datacell.us
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19591
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;datacell.us IN A

;; ANSWER SECTION:
datacell.us. 10000 IN A 67.42.41.25

;; Query time: 12 msec
;; SERVER: 67.42.41.30#53(67.42.41.30)
;; WHEN: Sun Oct 28 23:12:35 2007
;; MSG SIZE rcvd: 45

LynnBoxS1:~# dig any datacell.us

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6445
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;datacell.us IN ANY

;; ANSWER SECTION:
datacell.us 3454 IN NS ns44.domaincontrol.com
datacell.us 3454 IN NS ns43.domaincontrol.com
datacell.us 81119 IN SOA ns43.domaincontrol.com. dns.jomax.net. 2007102500 28800 7200 604800 86400

;; AUTHORITY SECTION:
datacell.us 3454 IN NS ns43.domaincontrol.com
datacell.us 3454 IN NS ns44.domaincontrol.com

;; ADDITIONAL SECTION:
ns43.domaincontrol.com. 1946 IN A 208.109.78.180

;; Query time: 84 msec
;; SERVER: 68.6.16.30#53(68.6.16.30)
;; WHEN: Sun Oct 28 23:14:12 2007
;; MSG SIZE rcvd: 177


LynnBoxS1:~# dig any ns2.datacell.us

;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56915
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ns2.datacell.us IN ANY

;; ANSWER SECTION:
ns2.datacell.us 3600 IN A 67.42.41.29

;; AUTHORITY SECTION:
datacell.us 3600 IN NS ns43.domaincontrol.com
datacell.us 3600 IN NS ns44.domaincontrol.com

;; ADDITIONAL SECTION:
ns43.domaincontrol.com. 711 IN A 208.109.78.180
ns44.domaincontrol.com 1195 IN A 208.109.80.75

;; Query time: 138 msec
;; SERVER: 68.6.16.30#53(68.6.16.30)
;; WHEN: Sun Oct 28 23:16:10 2007
;; MSG SIZE rcvd: 136

All along ISPConfig reports that BIND9 on both servers are working fine.
What should I do?

eal1619
29th October 2007, 21:17
67.42.41.29 is from United States(US) in region North America

TraceRoute to 67.42.41.29 [ns2.datacell.us]
Hop (ms) (ms) (ms) IP Address Host name
1 1 1 1 66.98.244.1 gphou-66-98-244-1.ev1servers.net
2 0 0 0 66.98.241.16 gphou-66-98-241-16.ev1servers.net
3 0 0 0 66.98.240.6 gphou-66-98-240-6.ev1servers.net
4 1 1 4 129.250.10.229 ge-1-13.r04.hstntx01.us.bb.gin.ntt.net
5 2 1 2 129.250.4.233 xe-1-3-0.r20.hstntx01.us.bb.gin.ntt.net
6 9 6 6 129.250.3.129 as-0.r20.dllstx09.us.bb.gin.ntt.net
7 8 11 8 129.250.4.38 po-2.r03.dllstx09.us.bb.gin.ntt.net
8 11 9 13 129.250.8.186 ge-0.qwest.dllstx09.us.bb.gin.ntt.net
9 9 9 7 205.171.225.6 dal-core-02.inet.qwest.net
10 Timed out Timed out Timed out -
11 46 46 46 205.171.129.74 phnx-agw2.inet.qwest.net
12 45 45 45 216.160.199.142 phnx-dsl-gw18-142.phnx.qwest.net
13 Timed out Timed out Timed out -
14 89 88 88 67.42.41.29 ns2.datacell.us

Trace complete


67.42.41.25 is from United States(US) in region North America

TraceRoute to 67.42.41.25 [ns1.datacell.us]
Hop (ms) (ms) (ms) IP Address Host name
1 0 0 1 66.98.244.1 gphou-66-98-244-1.ev1servers.net
2 0 0 0 66.98.241.16 gphou-66-98-241-16.ev1servers.net
3 0 0 0 66.98.240.6 gphou-66-98-240-6.ev1servers.net
4 3 2 4 129.250.10.229 ge-1-13.r04.hstntx01.us.bb.gin.ntt.net
5 1 1 1 129.250.4.233 xe-1-3-0.r20.hstntx01.us.bb.gin.ntt.net
6 9 6 41 129.250.3.129 as-0.r20.dllstx09.us.bb.gin.ntt.net
7 191 13 219 129.250.4.38 po-2.r03.dllstx09.us.bb.gin.ntt.net
8 8 11 11 129.250.8.190 ge-1.qwest.dllstx09.us.bb.gin.ntt.net
9 7 6 6 205.171.225.6 dal-core-02.inet.qwest.net
10 Timed out Timed out Timed out -
11 44 48 46 205.171.129.74 phnx-agw2.inet.qwest.net
12 45 47 45 216.160.199.142 phnx-dsl-gw18-142.phnx.qwest.net
13 Timed out Timed out Timed out -
14 91 85 87 67.42.41.25 ns1.datacell.us

Trace complete

I hope this provides more info on the subject; the columns are supposed to represent 'hop', 'ms', 'ms', 'ms', 'IP address' and 'hostname'. I'm wondering if my ISP has something to do with this, since it is timing out on their systems.

eal1619
8th November 2007, 00:18
Just a follow-up concerning my attempt to establish a secondary name server using two ISPConfig-equipped servers in conjunction with the "HowTo" at http://www.howtoforge.com/ispconfig_dns_godaddy; my failure was attempting to custom-fit this HowTo without fully understanding the mechanics of DNS. My first mistake was to set up a standalone name server (using BIND9) as a secondary name server, because the primary name server on ISPConfig doesn't allow manual changes to its local BIND9 named.conf file, which are necessary for the allow-transfer addition needed for zone transfer to the secondary name server. My second mistake was a chicken-or-the-egg faux pas, where I attempted to use datacell.us as both the SOA and the PTR for NS1 / NS2 .datacell.us simultaneously. My third mistake was my failure to officially transfer authority from GoDaddy's name servers to my own, though under the circumstances that would have been impossible.
So, I needed to follow the "HowTo" verbatim, no deviation, even down to the folders the DNS records exist in in the ISPConfig control panel DNS Manager tab. Also, only two A records can exist during the "HowTo" setup: www and mail respectively.

The prerequisites:
a.) 2 IP addresses
b.) 2 unique domain names
c.) 2 ISPConfig servers
d.) In my experience, it must be a clean install, in so far that the DNS Manager: DNS Entry must be stripped to 2 A records, 'www' and 'mail', with only one MX record for mail.mydomain.tld. Also, no preexisting CNAME or SPF records, or the transfer of authority will fail (they must be removed).