Bind 9 et Dns config

Discussion in 'Installation/Configuration' started by albertf, Sep 21, 2019.

  1. albertf

    albertf Member HowtoForge Supporter

    Hello,
    Just done a fresh install and totally confused due to my poor level with the command line!
    I don't understand why my DNS is not working.
    1- First of all I imported one dedicated failover IP to use it for one domain name, so I have one IP for the VPS and one IP for the domain name
    2- Created client account
    3- Set up website
    4- Set up DNS
    Then I checked whether it's working with Bind
    Code:
    sudo rndc status
    version: BIND 9.11.5-P4-5.1-Debian (Extended Support Version) <id:998753c>
    running on vps730322: Linux x86_64 4.19.0-5-cloud-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08)
    boot time: Sat, 21 Sep 2019 02:33:04 GMT
    last configured: Sat, 21 Sep 2019 05:20:01 GMT
    configuration file: /etc/bind/named.conf
    CPUs found: 1
    worker threads: 1
    UDP listeners per interface: 1
    number of zones: 103 (97 automatic)
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is OFF
    recursive clients: 0/900/1000
    tcp clients: 3/150
    server is up and running
    Bind OK
    after
    Code:
    dig @localhost clear-optical.com
    
    ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> @localhost clear-optical.com
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1392
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: dc8820ad2a86bdfc08a06aff5d85c26d751484220ce5090d (good)
    ;; QUESTION SECTION:
    ;clear-optical.com.             IN      A
    
    ;; ANSWER SECTION:
    clear-optical.com.      3600    IN      A       87.98.149.60
    
    ;; AUTHORITY SECTION:
    clear-optical.com.      3600    IN      NS      ns2.clear-optical.com.
    clear-optical.com.      3600    IN      NS      ns1.clear-optical.com.
    
    ;; ADDITIONAL SECTION:
    ns1.clear-optical.com.  3600    IN      A       87.98.149.60
    ns2.clear-optical.com.  3600    IN      A       87.98.149.60
    
    ;; Query time: 0 msec
    ;; SERVER: ::1#53(::1)
    ;; WHEN: Sat Sep 21 08:25:49 CEST 2019
    ;; MSG SIZE  rcvd: 158
    
    Apparently everything looks OK, but the website is not browsable.
    Do you see any errors in my DNS?
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. albertf

    albertf Member HowtoForge Supporter

    Yes, I followed your tutorial Set up DNS with ISPConfig
    and after that I came here ;-)
    Do you see any error above? And what can I test to check it further?
     
  4. albertf

    albertf Member HowtoForge Supporter

    One thing is very strange!
    If I can see my DNS zone in ISPConfig, normally I can see it as well in /etc/bind/, right?
    But in /etc/bind/ I have only this file "pri.clear-optical.com.err" concerning this domain name!
    Why do I not get more files in /etc/bind/ concerning this domain name???
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You may have used my Tutorial, but you have not read it. Read the part about
    named-checkzone, perhaps search for string
    named-checkzone
    Have you properly registered your domain and its name servers?
    Code:
    whois clear-optical.com | egrep -i "(name server|nserver)"
       Name Server: NS1.CLEAR-OPTICAL.COM
       Name Server: NS2.CLEAR-OPTICAL.COM
    Name Server: ns1.clear-optical.com
    Name Server: ns2.clear-optical.com
    
    Are those two name servers the hosts you have set up with ISPConfig?
     
  6. albertf

    albertf Member HowtoForge Supporter

    Code:
    Have you properly registered your domain and its name servers? 
    This domain name was working perfectly with Plesk on another VPS. I didn't change anything on this domain name, even the IP is still the same; I just moved my failover IP to this new VPS with ISPConfig (Debian 10).

    Code:
    Are those two name servers the hosts you have set up with ISPConfig? 
    I am sorry, I do not understand your question because the answer was in my first post. What do you mean?
     
  7. albertf

    albertf Member HowtoForge Supporter

    Of course I am ready to restart the whole process of setting up the DNS with ISPConfig, but first I would like to get some answers to my questions just above, so that I don't restart and get the same result afterwards.
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If you have a .err file in the bind directory, that means the zone has some error that causes bind not to load it. What that error is I do not know, but you can find it out by using the named-checkzone command.
    I went to the trouble of writing that DNS Tutorial after noticing threads in this forum on name service setup were basically going nowhere. I had high hopes that after that tutorial we would at least be in the same ballpark and get name service issues fixed faster. Of course, now I see my plan has a flaw: the tutorial does not help at all when persons setting up name service do not read it. Back to the old drawing board.
     
  9. albertf

    albertf Member HowtoForge Supporter

    Anyway, thanks for your help....
    Maybe you can help me step by step?
    If I'm using:
    Code:
    named-checkzone clear-optical.com /etc/bind/pri.clear-optical.com.err
    I get this result
    Code:
    # named-checkzone clear-optical.com /etc/bind/pri.clear-optical.com.err
    zone clear-optical.com/IN: NS 'ns1.clear-optical.com' has no address records (A or AAAA)
    zone clear-optical.com/IN: not loaded due to errors.
    
    But how can this be possible? Because in ISPConfig I already have one A record.
    Which A record is expected?


    Here is the file : /etc/bind/pri.clear-optical.com
    Code:
    $TTL        3600
    @       IN      SOA     ns1.clear-optical.com. vps730322.gestion-des-domaines.com. (
                            2019092107       ; serial, todays date + todays serial #
                            7200              ; refresh, seconds
                            540              ; retry, seconds
                            604800              ; expire, seconds
                            3600 )            ; minimum, seconds
    ;
    
    clear-optical.com. 3600 A        87.98.149.60
    ns1.clear-optical.com 3600 A        87.98.149.60
    ns2.clear-optical.com. 3600 A        87.98.149.60
    clear-optical.com. 3600      NS        ns1.clear-optical.com.
    clear-optical.com. 3600      NS        ns2.clear-optical.com.
    ns1.clear-optical.com. 3600      NS        clear-optical.com.
    ns2.clear-optical.com. 3600      NS        clear-optical.com.
    
    
    
    $INCLUDE Kclear-optical.com.+007+19806.key
    
    $INCLUDE Kclear-optical.com.+007+46400.key
    Here is the file : /etc/bind/pri.clear-optical.com.err
    Code:
    $TTL        3600
    @       IN      SOA     ns1.clear-optical.com. vps730322.gestion-des-domaines.com. (
                            2019092115       ; serial, todays date + todays serial #
                            7200              ; refresh, seconds
                            540              ; retry, seconds
                            604800              ; expire, seconds
                            3600 )            ; minimum, seconds
    ;
    
    clear-optical.com. 3600 A        87.98.149.60
    ns1.clear-optical.com 3600 A        87.98.149.60
    ns2.clear-optical.com. 3600 A        87.98.149.60
    www.clear-optical.com. 3600      CNAME        clear-optical.com.
    clear-optical.com. 3600      NS        ns1.clear-optical.com.
    clear-optical.com. 3600      NS        ns2.clear-optical.com.
    
    If I'm using this command
    Code:
    named-checkzone clear-optical.com /etc/bind/pri.clear-optical.com without .err at the end
    Code:
    # named-checkzone clear-optical.com /etc/bind/pri.clear-optical.com
    dns_master_load: /etc/bind/pri.clear-optical.com:20: Kclear-optical.com.+007+19806.key: file not found
    dns_master_load: /etc/bind/pri.clear-optical.com:22: Kclear-optical.com.+007+46400.key: file not found
    zone clear-optical.com/IN: loading from master file /etc/bind/pri.clear-optical.com failed: file not found
    zone clear-optical.com/IN: not loaded due to errors.
    
    I get more confused because it answers that there is no file named pri.clear-optical.com, BUT I can see this file with SFTP!
    and
    Code:
    # host clear-optical.com 87.98.149.60
    ;; connection timed out; no servers could be reached
    
    That's crazy!!!
    I really don't understand....
     
    Last edited: Sep 21, 2019
  10. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Code:
    ns1.clear-optical.com 3600 A        87.98.149.60
    ns2.clear-optical.com. 3600 A        87.98.149.60
    Compare the two lines carefully. The first does not have a dot character at the end of the name.
     
  11. albertf

    albertf Member HowtoForge Supporter

    Yes, now the file /etc/bind/pri.clear-optical.com.err has disappeared
    but
    Code:
    named-checkzone clear-optical.com /etc/bind/pri.clear-optical.com without .err at the end
    Still gives me this error
    Code:
    # named-checkzone clear-optical.com /etc/bind/pri.clear-optical.com
    dns_master_load: /etc/bind/pri.clear-optical.com:20: Kclear-optical.com.+007+19806.key: file not found
    dns_master_load: /etc/bind/pri.clear-optical.com:22: Kclear-optical.com.+007+46400.key: file not found
    zone clear-optical.com/IN: loading from master file /etc/bind/pri.clear-optical.com failed: file not found
    zone clear-optical.com/IN: not loaded due to errors.
    
    Even though these files already exist!
    What can this problem be? It's not normal to get this difference between PuTTY and WinSCP!
     
  12. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You have to put the included files in a directory bind loads files from, or instead of relative path give full pathname for the files.
    Instead of
    Code:
    $INCLUDE Kclear-optical.com.+007+19806.key
    write
    Code:
    $INCLUDE /etc/bind/Kclear-optical.com.+007+19806.key
    if you put those files in that directory.
    If you want to use the relative filename, put the $INCLUDEd files in the same directory where you have the zone files.
    By the way, what are these included files and where did they come from?
     
  13. albertf

    albertf Member HowtoForge Supporter

    I don't know :) this was done by ISPConfig, not by me; adding /etc/bind/ manually is not the right way...
    Done already but I still get this
    Code:
    named-checkzone clear-optical.com /var/named/clear-optical.com
    zone clear-optical.com/IN: loading from master file /var/named/clear-optical.com failed: file not found
    zone clear-optical.com/IN: not loaded due to errors.
    
    There is no folder /named/!
    Arf, what's wrong!
     
    Last edited: Sep 21, 2019
  14. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Do you have that file? What does
    Code:
    ls -lh /var/named/ 
    show?
     
  15. albertf

    albertf Member HowtoForge Supporter

    As in my screenshot above, there is no folder /var/named
    Code:
    # ls -lh /var/named/
    ls: cannot access '/var/named/': No such file or directory
    
    This is a fresh install with Debian 10
    And This is working
    Code:
    dig @localhost clear-optical.com
    
    ; <<>> DiG 9.11.5-P4-5.1-Debian <<>> @localhost clear-optical.com
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6849
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 6575a18cb2d35605e28bf4595d8628acabb9ee9ee1ff4ca1 (good)
    ;; QUESTION SECTION:
    ;clear-optical.com.             IN      A
    
    ;; ANSWER SECTION:
    clear-optical.com.      3600    IN      A       87.98.149.60
    
    ;; AUTHORITY SECTION:
    clear-optical.com.      3600    IN      NS      ns2.clear-optical.com.
    clear-optical.com.      3600    IN      NS      ns1.clear-optical.com.
    
    ;; ADDITIONAL SECTION:
    ns1.clear-optical.com.  3600    IN      A       87.98.149.60
    ns2.clear-optical.com.  3600    IN      A       87.98.149.60
    
    ;; Query time: 1 msec
    ;; SERVER: ::1#53(::1)
    ;; WHEN: Sat Sep 21 15:42:04 CEST 2019
    ;; MSG SIZE  rcvd: 158
    
    But Not
    Code:
    host clear-optical.com 87.98.149.60
    ;; connection timed out; no servers could be reached
    
    I have a headache :eek:
     
    Last edited: Sep 21, 2019
  16. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Forget that bogus named-checkzone command, you do not have /var/named directory on that host so
    /var/named/clear-optical.com really does not exist so the error message is correct. Why care about /var/named/clear-optical.com when it does not exist? On my Debian name server using bind /var/named does not exist either.
    I assume you have now followed the instructions in that DNS Tutorial on how to test that name service is working?
    Now show results of this command:
    Code:
    ip a
    or if that fails then
    Code:
    ifconfig -a
    Then show output of this:
    Code:
    grep -i listen-on /etc/bind/*
     
  17. albertf

    albertf Member HowtoForge Supporter

    Code:
    ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether fa:16:3e:78:f1:0e brd ff:ff:ff:ff:ff:ff
        inet 51.77.159.133/32 brd 51.77.159.133 scope global dynamic eth0
           valid_lft 81563sec preferred_lft 81563sec
        inet6 fe80::f816:3eff:fe78:f10e/64 scope link
           valid_lft forever preferred_lft forever
    Code:
    ifconfig -a
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 51.77.159.133  netmask 255.255.255.255  broadcast 51.77.159.133
            inet6 fe80::f816:3eff:fe78:f10e  prefixlen 64  scopeid 0x20<link>
            ether fa:16:3e:78:f1:0e  txqueuelen 1000  (Ethernet)
            RX packets 277612  bytes 28638043 (27.3 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 106837  bytes 42746027 (40.7 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    
    lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
            inet 127.0.0.1  netmask 255.0.0.0
            inet6 ::1  prefixlen 128  scopeid 0x10<host>
            loop  txqueuelen 1000  (Local Loopback)
            RX packets 14725  bytes 4396762 (4.1 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
            TX packets 14725  bytes 4396762 (4.1 MiB)
            TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
    Code:
    grep -i listen-on /etc/bind/*
    /etc/bind/named.conf.options:   listen-on-v6 { any; };
    grep: /etc/bind/slave: Is a directory
    
    In any case I have done my best, I'm a beginner.
    My VPS is hosted by OVH. The IP for this VPS is automatically set up with my VPS name https://vps730322.ovh.net:8080/ that I am using to connect to ISPConfig. For this reason I didn't use your config with in-addr.arpa; on some other VPS that I used I never did this and it was working well..
    The failover IPs for the domain name are automatically stuck to this VPS by the architecture of OVH servers.
    ns1.domain.com and ns2.domain.com are managed by OVH in the interface of my domain name.
    My case looks too far from your tutorial for using a multiserver setup; for a beginner it's almost impossible to sort out what I need to keep or not in this tutorial. This tutorial is too advanced for a beginner.
     
    Last edited: Sep 22, 2019
  18. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Try command
    Code:
    host clear-optical.com 51.77.159.133
    This should work, since 51.77.159.133 is the IP-address of your host. At least it is the IP-number of the host on which you run the ip a -command.
    Is your setup a single server? I have so far assumed it is, but now that I read this thread from the beginning I note there has not been a mention of that.
    Anyway, with the correct IP number, check how the name service works now.
     
  19. albertf

    albertf Member HowtoForge Supporter

    Code:
    # host clear-optical.com 51.77.159.133
    Using domain server:
    Name: 51.77.159.133
    Address: 51.77.159.133#53
    Aliases:
    
    clear-optical.com has address 87.98.149.60
    
    But the IP address of clear-optical.com is 87.98.149.60 and not 51.77.159.133 (IP address of the VPS),
    and I get a wrong result
    Code:
    # host clear-optical.com 87.98.149.60
    ;; connection timed out; no servers could be reached
    
    Maybe something is wrong with the PTR reverse of 87.98.149.60?
     
  20. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    There are two different IP-addresses here, or two different concepts.
    The IP-address your host has and which it uses is 51.77.159.133. You can verify this is so using the ip a -command.
    The IP-address entered in DNS Name service for clear-optical.com in your name server is 87.98.149.60, as can be seen by querying it with command host from your name server.
    The ip-addresses you have entered for ns1 and ns2 are:
    Code:
    $ host ns1.clear-optical.com 51.77.159.133
    Using domain server:
    Name: 51.77.159.133
    Address: 51.77.159.133#53
    Aliases:
    
    ns1.clear-optical.com has address 87.98.149.60
    
    $ host ns2.clear-optical.com 51.77.159.133
    Using domain server:
    Name: 51.77.159.133
    Address: 51.77.159.133#53
    Aliases:
    
    ns2.clear-optical.com has address 87.98.149.60
    
    If you fix the entries for ns1 and ns2 to be 51.77.159.133, that would be one step forward.
     
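A zone-file lint, added here as an example and not part of this thread, of ISPConfig or of BIND, that catches in one pass the three problems worked out above: a relative $INCLUDE that does not resolve against the zone directory (post 12), a name missing its trailing dot that BIND silently expands to name.origin so the NS target ends up with no A record (post 10), and NS glue that is not an address actually configured on the host (post 20). ZONE_TEXT is a constructed copy of the thread's zone file with the SOA collapsed onto one line; the zone directory and the host's address set are assumptions passed in as parameters.

```python
import os
# Constructed copy of the zone file posted in this thread, SOA collapsed onto
# one line: ns1 lacks its trailing dot and $INCLUDE uses a relative path.
ZONE_TEXT = """$TTL 3600
@ IN SOA ns1.clear-optical.com. vps730322.gestion-des-domaines.com. ( 2019092107 7200 540 604800 3600 )
clear-optical.com. 3600 A 87.98.149.60
ns1.clear-optical.com 3600 A 87.98.149.60
ns2.clear-optical.com. 3600 A 87.98.149.60
clear-optical.com. 3600 NS ns1.clear-optical.com.
clear-optical.com. 3600 NS ns2.clear-optical.com.
$INCLUDE Kclear-optical.com.+007+19806.key
"""

def fqdn(name, origin):
    """BIND's rule: a name without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def lint_zone(text, origin, zone_dir, host_addrs):
    """Return (kind, detail) tuples for: an unresolvable relative $INCLUDE, a name
    missing its trailing dot, an NS target with no A/AAAA record, and NS glue that
    is not an address of this host."""
    origin = origin.rstrip(".") + "."
    addrs, ns_targets, problems = {}, [], []
    for line in text.splitlines():
        toks = line.split(";")[0].split()  # drop comments, tokenize
        if not toks or toks[0] == "$TTL" or "SOA" in toks:
            continue
        if toks[0] == "$INCLUDE":
            path = toks[1] if os.path.isabs(toks[1]) else os.path.join(zone_dir, toks[1])
            if not os.path.exists(path):
                problems.append(("include", f"{toks[1]}: file not found (tried {path})"))
            continue
        name, full = toks[0], fqdn(toks[0], origin)
        if name != "@" and not name.endswith(".") and origin[:-1] in name:
            problems.append(("trailing-dot", f"'{name}' expands to '{full}'"))
        rtype = next((t for t in toks[1:] if t in ("A", "AAAA", "NS")), None)
        if rtype is None:
            continue  # CNAME, TXT, ... are not needed for these checks
        rdata = toks[toks.index(rtype, 1) + 1]
        if rtype == "NS":
            ns_targets.append(fqdn(rdata, origin))
        else:
            addrs[full] = rdata
    for ns in ns_targets:
        if ns not in addrs:
            problems.append(("no-address", f"NS '{ns}' has no address records (A or AAAA)"))
        elif addrs[ns] not in host_addrs:
            problems.append(("glue-mismatch", f"NS '{ns}' -> {addrs[ns]}, host has {sorted(host_addrs)}"))
    return problems

if __name__ == "__main__":  # zone directory and host address are assumptions
    for kind, detail in lint_zone(ZONE_TEXT, "clear-optical.com", "/etc/bind", {"51.77.159.133"}):
        print(f"{kind}: {detail}")
```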