DNS Doesn't Seem to Work on NAT

Discussion in 'Installation/Configuration' started by Wisdown, Sep 7, 2012.

  1. Wisdown

    Wisdown Member

    Hi guys,

    Today I was setting some things up when I discovered my local DNS servers running ISPConfig don't have control of my domains...
    I did some records, and waited at least 6 hours, and didn't see the results....

    So, looking at the registrar, I checked that my domain was on networksolutions with an * (wildcard), because the settings I had already done seemed to be done, but the wildcard was behind this...

    I clicked to point to my DNS server, and now nothing is working...

    My setup is:

    1 Webserver
    1 Mailserver
    1 Databaseserver
    2 DNS Servers

    My networking:

    1 modem from ISP in bridge mode with PPPoE
    1 PC as server with 2 NICs
    1 VMware VM running pfSense as firewall / router on the server PC, bridging those 2 NICs

    All other servers are on the same server PC; before pointing the DNS to my local DNS server it was working fine.

    Some data from my dns server:





    Note: I set all IPs to my static public IP

    With nslookup domain1.com I get this error:

    ** server can`t find domain.com: SERVFAIL

    Where am I going wrong?
    Last edited: Sep 7, 2012
  2. till

    till Super Moderator Staff Member ISPConfig Developer


    dig @localhost domain1.com
    dig @localhost domain2.com
    dig @localhost domain3.com

    on the shell of your server (the one that runs the BIND DNS server) and post the output. If you get a failure, check /var/log/syslog for named errors and post them.

    Common mistakes are that the A records for the NS records are missing. E.g. if

    domain1.com uses ns1.domain1.com. as NS record, then there must exist an A record for ns1.domain1.com. as well, otherwise the NS record can not be resolved.
  3. Wisdown

    Wisdown Member

    I added the ns1 record like you said, not sure if it is correct. I did:

    ns1.domain1.com for domain1.com
    ns1.domain2.com for domain2.com
    ns1.domain3.com for domain3.com

    The answer:

    Same msg for all 3 domains, changing only the WHEN and id of the query
    Running the same command for the domain without @localhost, now I see the internal IP of the DNS server

    Do I need to add another A record now for each server using the internal IP?

    Using nslookup domain1.com, what I get is my pfSense working as firewall / gateway; I added a DNS forwarder alias on it to be able to use:


    Inside of my LAN.

    Before running the dig I did:

    cat /dev/null > /var/log/syslog

    After running dig I checked the logs and there are only msgs from ISPConfig cron jobs
    Last edited: Sep 7, 2012
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    According to your posting above, you use ns1.domain1.com as primary DNS server for all domains (at least for domain 2), so you just have to add ns1.domain1.com as an A-Record to domain1.com; nothing has to be added in domain2 and domain3.

    The @localhost is required to get a proper result from the local DNS server. The nslookup output is not relevant, and neither is the output from dig without the @localhost, as it queried the wrong server. Please just post the output of the dig command I asked you for; the only thing to be replaced is the domain name, and don't remove the @localhost.

    Please take a look at the syslog file in /var/log and post the named errors like I suggested above; you will find the relevant error messages there.
  5. Wisdown

    Wisdown Member

    The output from dig is the same as in the previous post:

    I removed the extra ns1 A records from domain 2 and 3, and then some errors came up in /var/log/syslog; the dig command wasn't sending errors to syslog

  6. Wisdown

    Wisdown Member

    I don't know what this means:

    I have removed all other things from ISPConfig:

    DKIM key
    v=spf1 a mx ptr -all

    Leaving only the default ones created by the wizard.
    Gonna look for an example DNS file to check the difference.

    Seems I need to do a BIND course.
    I lost control of my server, didn't run anything (of course I know BIND is running, but isn't it only for answering queries?), I see this message in the log now:

    Looking for info about this message now.
    Did I get hacked?
    Last edited: Sep 7, 2012
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Please send me the file /etc/bind/pri.domain1.com by PM without changing anything in the file so I can take a look at it.
  8. Wisdown

    Wisdown Member


    Thanks for the help!!!

    Let me know please if I got hacked.
    I see this message now in syslog:

    But I haven't done anything, I was looking on Google for DNS templates
    I have a snapshot of the servers to restore just in case of any problem.
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    That's fine, not related to any hacking attempts. This is the spam filtering system that uses antispam RBLs.
  10. Wisdown

    Wisdown Member

    I found a command to check the zone files:

    named-checkzone domain1.com /etc/bind/pri.domain1.com

    then I went to the file and removed line 14

    Check running OK

    Gonna try to add more things, and check for errors
  11. Wisdown

    Wisdown Member

    After testing many combinations, I have isolated the problems.

    Errors occur when I enable on ISPConfig:

    mail XXX.XXX.XXX.XXX
    RP admin.domain1.com.

    Without enabling those the named-checkzone says:

    Looking on Google to check if there is a specific template for the RP and mail fields
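    The two zone-file mistakes this thread turns on (an in-zone NS name that has no A record, and an RP record lacking its second field, which RFC 1183 requires: mailbox name plus TXT domain) can be caught before reloading BIND. This is an added example, not ISPConfig's or the poster's code; the zone text is constructed, and the small parser assumes single-line records whose relative names are qualified against the origin passed in.

```python
# Zone-file lint for the two problems in this thread: an in-zone NS target
# with no A/AAAA record (missing glue) and an RP record missing its second
# field (RFC 1183: mailbox + TXT domain). Added example, not ISPConfig code.
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}

def fqdn(name, origin):
    """Qualify a relative owner or rdata name against the zone origin."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return {(owner, rtype): [rdata fields]}; single-line records only
    (no '( ... )' continuations), ';' comments and $-directives skipped."""
    records, prev_owner = defaultdict(list), origin
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if not fields or fields[0].startswith("$"):
            continue
        owner = prev_owner if raw[0] in " \t" else fqdn(fields.pop(0), origin)
        prev_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)                      # optional TTL / class
        records[(owner.lower(), fields[0].upper())].append(fields[1:])
    return records

def lint_zone(text, origin):
    """Return findings as strings; an empty list means both checks pass."""
    origin = origin.rstrip(".") + "."
    records = parse_zone(text, origin)
    has_addr = {o for (o, t) in records if t in ("A", "AAAA")}
    findings = []
    for (owner, rtype), rdatas in records.items():
        for rdata in rdatas:
            if rtype == "NS":
                ns = fqdn(rdata[0], origin).lower()
                if ns.endswith("." + origin) and ns not in has_addr:
                    findings.append(f"NS {ns} for {owner} has no A/AAAA record")
            elif rtype == "RP" and len(rdata) != 2:
                findings.append(f"RP at {owner} needs 2 fields, got {len(rdata)}")
    return findings

# Constructed zone reproducing both mistakes (203.0.113.0/24 is documentation space).
BROKEN_ZONE = """\
@    IN SOA ns1.domain1.com. admin.domain1.com. 2012090701 7200 540 604800 3600
@    IN NS  ns1.domain1.com.   ; no A record for ns1 below -> NS unresolvable
@    IN NS  ns2
ns2  IN A   203.0.113.11
@    IN RP  admin.domain1.com. ; second field (TXT domain) missing
"""
```

    Adding `ns1 IN A 203.0.113.10` and a second RP field such as `@` (pointing the TXT lookup at the zone apex) makes `lint_zone(..., "domain1.com")` return an empty list.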
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Please read the PM that I sent you some time ago; I explained that to you there, including links to the RFC.
