DNS Error, only for Com-Domains!

Discussion in 'General' started by spr, Aug 1, 2010.

  1. spr

    spr New Member

    Hi

    We've widened our server structure and outsourced our DNS and mail server onto two new machines. Both are in different datacenters.

    Server 1 is the master DNS and mail server
    Server 2 is a complete mirror of Server 1

    Now we have the problem that Google Mail (and some other small providers) can't send mail to our servers!!
    Only the .com domains aren't working...

    Here is what dig says:

    Dig via Google Public DNS:

    dig @8.8.8.8 ns datengarten.com

    ; <<>> DiG 9.7.0-P1 <<>> @8.8.8.8 ns datengarten.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50702
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;datengarten.com. IN NS

    ;; Query time: 2449 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Sun Aug 1 11:19:26 2010
    ;; MSG SIZE rcvd: 33

    Dig via T-Online DNS:

    dig ns datengarten.com

    ; <<>> DiG 9.7.0-P1 <<>> ns datengarten.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9721
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;datengarten.com. IN NS

    ;; ANSWER SECTION:
    datengarten.com. 11872 IN NS ns1.datengarten.net.
    datengarten.com. 11872 IN NS ns2.datengarten.net.

    ;; ADDITIONAL SECTION:
    ns1.datengarten.net. 11872 IN A 78.46.233.41

    ;; Query time: 3 msec
    ;; SERVER: 192.168.1.254#53(192.168.1.254)
    ;; WHEN: Sun Aug 1 11:19:51 2010
    ;; MSG SIZE rcvd: 100

    Again, this is only on .com domains.
    Look here at a .de domain, also via Google Public DNS:

    dig @8.8.8.8 ns datengarten.de

    ; <<>> DiG 9.7.0-P1 <<>> @8.8.8.8 ns datengarten.de
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29605
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;datengarten.de. IN NS

    ;; ANSWER SECTION:
    datengarten.de. 83999 IN NS ns1.datengarten.net.
    datengarten.de. 83999 IN NS ns2.datengarten.net.

    ;; Query time: 48 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Sun Aug 1 11:20:45 2010
    ;; MSG SIZE rcvd: 83

    ----

    I'm absolutely helpless!
    Please, somebody tell me what's wrong there.

    regards
    spr

    P.S. I've installed all servers following "Perfect Server How To for Lenny (on Lenny)" and all other features are working fine!
     
  2. till

    till Super Moderator

    To get nearer to the problem, first test if it is a problem with the servers by running:

    dig @localhost ALL datengarten.com

    on the shell of both servers and post the output.

    Additionally, post the output of:

    iptables -L

    from both servers.
     
  3. spr

    spr New Member

    Hi,

    output of Server 1:

    dig @localhost ALL datengarten.com

    ; <<>> DiG 9.6-ESV-R1 <<>> @localhost ALL datengarten.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 25338
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;ALL. IN A

    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Aug 1 19:07:02 2010
    ;; MSG SIZE rcvd: 21

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19402
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;datengarten.com. IN A

    ;; ANSWER SECTION:
    datengarten.com. 86400 IN A 88.198.55.45

    ;; AUTHORITY SECTION:
    datengarten.com. 86400 IN NS ns1.datengarten.net.
    datengarten.com. 86400 IN NS ns2.datengarten.net.

    ;; ADDITIONAL SECTION:
    ns1.datengarten.net. 86400 IN A 78.46.233.41

    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Aug 1 19:07:02 2010
    ;; MSG SIZE rcvd: 116


    iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
    DROP tcp -- anywhere loopback/8
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere

    Chain INT_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain INT_OUT (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    Chain PAROLE (18 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain PUB_IN (4 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp-data
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp
    PAROLE tcp -- anywhere anywhere tcp dpt:ssh
    PAROLE tcp -- anywhere anywhere tcp dpt:smtp
    PAROLE tcp -- anywhere anywhere tcp dpt:domain
    PAROLE tcp -- anywhere anywhere tcp dpt:tacacs-ds
    PAROLE tcp -- anywhere anywhere tcp dpt:www
    PAROLE tcp -- anywhere anywhere tcp dpt:pop3
    PAROLE tcp -- anywhere anywhere tcp dpt:imap2
    PAROLE tcp -- anywhere anywhere tcp dpt:https
    PAROLE tcp -- anywhere anywhere tcp dpt:ssmtp
    PAROLE tcp -- anywhere anywhere tcp dpt:imaps
    PAROLE tcp -- anywhere anywhere tcp dpt:mysql
    PAROLE tcp -- anywhere anywhere tcp dpt:munin
    PAROLE tcp -- anywhere anywhere tcp dpt:6999
    PAROLE tcp -- anywhere anywhere tcp dpt:http-alt
    PAROLE tcp -- anywhere anywhere tcp dpt:9367
    PAROLE tcp -- anywhere anywhere tcp dpt:webmin
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT udp -- anywhere anywhere udp dpt:tacacs-ds
    ACCEPT udp -- anywhere anywhere udp dpt:mysql
    DROP icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain PUB_OUT (4 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain fail2ban-ssh (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere


    Output of Server 2:

    dig @localhost ALL datengarten.com

    ; <<>> DiG 9.6-ESV-R1 <<>> @localhost ALL datengarten.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 45876
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;ALL. IN A

    ;; Query time: 23 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Aug 1 17:17:04 2010
    ;; MSG SIZE rcvd: 21

    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58057
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;datengarten.com. IN A

    ;; ANSWER SECTION:
    datengarten.com. 86400 IN A 88.198.55.45

    ;; AUTHORITY SECTION:
    datengarten.com. 86400 IN NS ns1.datengarten.net.
    datengarten.com. 86400 IN NS ns2.datengarten.net.

    ;; ADDITIONAL SECTION:
    ns1.datengarten.net. 86400 IN A 78.46.233.41

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Aug 1 17:17:04 2010
    ;; MSG SIZE rcvd: 116


    iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP tcp -- anywhere loopback/8
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere

    Chain INT_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain INT_OUT (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    Chain PAROLE (17 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain PUB_IN (4 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp-data
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp
    PAROLE tcp -- anywhere anywhere tcp dpt:ssh
    PAROLE tcp -- anywhere anywhere tcp dpt:smtp
    PAROLE tcp -- anywhere anywhere tcp dpt:domain
    PAROLE tcp -- anywhere anywhere tcp dpt:www
    PAROLE tcp -- anywhere anywhere tcp dpt:pop3
    PAROLE tcp -- anywhere anywhere tcp dpt:imap2
    PAROLE tcp -- anywhere anywhere tcp dpt:https
    PAROLE tcp -- anywhere anywhere tcp dpt:ssmtp
    PAROLE tcp -- anywhere anywhere tcp dpt:imaps
    PAROLE tcp -- anywhere anywhere tcp dpt:mysql
    PAROLE tcp -- anywhere anywhere tcp dpt:munin
    PAROLE tcp -- anywhere anywhere tcp dpt:6999
    PAROLE tcp -- anywhere anywhere tcp dpt:http-alt
    PAROLE tcp -- anywhere anywhere tcp dpt:9742
    PAROLE tcp -- anywhere anywhere tcp dpt:webmin
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT udp -- anywhere anywhere udp dpt:mysql
    ACCEPT udp -- anywhere anywhere udp dpt:3307
    DROP icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain PUB_OUT (4 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain fail2ban-ssh (0 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere


    I hope you can help me solving this.

    thanks till.

    spr
     
  4. matty

    matty New Member

    It looks like you haven't redelegated datengarten.com onto your new nameservers, as whois lists the nameservers as dns[1-3].nsdns.info. Having said that, ns1 & ns2.datengarten.net both respond for me with .com records.

    Edit: You have something funky with the records for your nameservers. It looks like you are using a wildcard record in datengarten.net. Put proper A records in for each of ns1 and ns2.datengarten.net. Currently both come up as 78.46.233.41, where ns2 should be 85.114.140.111 according to your delegation records.
     
    Last edited: Aug 2, 2010
  5. spr

    spr New Member

    Hi

    I've switched it to our "Domain/DNS provider" yesterday evening to get our mail server reliably connected!
    But if you now dig for daten-garten.com you can still see what's happening (or not)!!

    spr
     
  6. matty

    matty New Member

    Everything in daten-garten.com resolves to 88.198.55.45, but it otherwise appears to be working fine.

    In my other post, I recommended you add an A record for ns2.datengarten.net in the datengarten.net zone. I think I've figured out what's actually happening. The zone for your nameservers, datengarten.net, is actually delegated to ns[1-3].domaindiscount24.net. In there, you have records for ns1 & ns2.datengarten.net which point at your nameservers. Your nameservers also have a zone configured for datengarten.net, but in there you don't have a record for ns2.datengarten.net.

    Also, the MX records for daten-garten.com & datengarten.com include mta1 & mta2.datengarten.net (datengarten.de doesn't) which have different answers from your servers and the domaindiscount ones. I'd really suggest you either remove the datengarten.net zone from your nameservers, or redelegate the zone to them (and add the ns2 record).

    When I query records against your nameservers, I see the following error which I believe is because of the above.
     
    Last edited: Aug 3, 2010
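The two inconsistencies matty points out in posts 4 and 6 (the registrar delegating datengarten.com to different nameservers than the zone itself lists, and a wildcard in datengarten.net standing in for the missing ns2 A record) are exactly the checks an operator should run after moving DNS to new machines. The following is an added example, not code from this thread or from ISPConfig: it models the delegation and glue checks offline on record data constructed from the values quoted in the posts, and the probe label and helper names are assumptions.

```python
"""Offline consistency check for a DNS delegation and its nameserver glue.

Added example, not code from this thread or from ISPConfig. The record
sets below are constructed from the values quoted in the posts; anything
not quoted there (the probe label, the helper names) is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed label that must not exist in a healthy zone; if it resolves,
# the zone is serving a wildcard record.
PROBE_LABEL = "wildcard-probe-7f3a"


@dataclass
class Zone:
    """A zone as served by one side: explicit A records plus an optional wildcard."""
    name: str
    a: Dict[str, str] = field(default_factory=dict)   # owner name -> IPv4
    wildcard: Optional[str] = None                     # IPv4 served for any unknown owner

    def lookup_a(self, owner: str) -> Tuple[Optional[str], bool]:
        """Return (address, came_from_wildcard) for an owner name in this zone."""
        if owner in self.a:
            return self.a[owner], False
        if self.wildcard is not None and owner.endswith("." + self.name):
            return self.wildcard, True
        return None, False


def check_delegation(domain: str, parent_ns: Set[str], zone_ns: Set[str]) -> List[str]:
    """The NS set the parent (registrar / TLD) delegates to must equal the NS set the zone serves."""
    findings = []
    only_parent = parent_ns - zone_ns
    only_zone = zone_ns - parent_ns
    if only_parent:
        findings.append(f"{domain}: parent delegates to {sorted(only_parent)} but the zone does not list them")
    if only_zone:
        findings.append(f"{domain}: zone lists {sorted(only_zone)} but the parent does not delegate to them")
    return findings


def check_glue(nameservers: Set[str], glue: Dict[str, str], ns_zone: Zone) -> List[str]:
    """Every nameserver host needs an explicit A record in its own zone that agrees with the parent's glue."""
    findings = []
    for host in sorted(nameservers):
        parent_ip = glue.get(host)
        zone_ip, from_wildcard = ns_zone.lookup_a(host)
        if from_wildcard:
            findings.append(f"{host}: no explicit A record, {zone_ip} comes from a wildcard in {ns_zone.name}")
        if parent_ip is None and zone_ip is None:
            findings.append(f"{host}: no address known at parent or in {ns_zone.name}")
        elif parent_ip is not None and zone_ip is not None and parent_ip != zone_ip:
            findings.append(f"{host}: glue {parent_ip} at parent, but {ns_zone.name} answers {zone_ip}")
    return findings


def detect_wildcard(zone: Zone) -> Optional[str]:
    """Probe a label that should not exist; a non-empty answer means a wildcard record."""
    ip, _ = zone.lookup_a(f"{PROBE_LABEL}.{zone.name}")
    return ip


def audit_thread_case() -> List[str]:
    """Reproduce the state described in the thread from constructed record data."""
    # datengarten.com: what whois showed at the registrar vs. the NS records the zone serves.
    parent_ns = {"dns1.nsdns.info", "dns2.nsdns.info", "dns3.nsdns.info"}
    zone_ns = {"ns1.datengarten.net", "ns2.datengarten.net"}
    findings = check_delegation("datengarten.com", parent_ns, zone_ns)

    # datengarten.net on the poster's own servers: ns1 has an A record,
    # ns2 is answered by the wildcard and so inherits ns1's address.
    ns_zone = Zone("datengarten.net", a={"ns1.datengarten.net": "78.46.233.41"}, wildcard="78.46.233.41")
    glue = {"ns1.datengarten.net": "78.46.233.41", "ns2.datengarten.net": "85.114.140.111"}
    findings += check_glue(zone_ns, glue, ns_zone)

    wildcard_ip = detect_wildcard(ns_zone)
    if wildcard_ip:
        findings.append(f"{ns_zone.name}: wildcard record present, unknown names resolve to {wildcard_ip}")
    return findings


if __name__ == "__main__":
    for line in audit_thread_case():
        print(line)
```

Against live DNS the same three checks are done by querying the parent's nameservers (for the NS set and glue) and the zone's own nameservers separately, then comparing; the offline model above keeps the comparison logic identical while the record data is supplied by hand.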
