DNS servfail

Discussion in 'Installation/Configuration' started by wcsing, Dec 25, 2011.

  1. wcsing

    wcsing New Member

    Hi everyone,

    Just installed Debian 6 with desktop and the perfect server setup, set up a client in ISP (3.0.4.1) and a zone with the DNS wizard. But when I check the DNS with nslookup it shows SERVFAIL:

    =====================================================
    root@ci1:/home/terry# nslookup
    > server 10.0.1.150
    Default server: 10.0.1.150
    Address: 10.0.1.150#53
    > tadj.com
    Server: 10.0.1.150
    Address: 10.0.1.150#53

    ** server can't find tadj.com.tadj.com: SERVFAIL
    ======================================================
    I checked the following files and they seem OK; can someone tell me what I should try?

    IN /etc/bind/named.conf
    ...........
    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
    ............


    IN /etc/bind/named.conf.options
    ....................................
    // forwarders {
    // 0.0.0.0;
    // };

    auth-nxdomain no; # conform to RFC1035

    listen-on-v6 { any; };
    ......................................


    IN /etc/bind/named.conf.local
    ..................
    zone "tadj.com" {
    type master;
    allow-transfer {none;};
    file "/etc/bind/pri.tadj.com";
    };
    ...................


    in /etc/bind/named.conf.default-zones
    ..............................................
    // prime the server with knowledge of the root servers
    zone "." {
    type hint;
    file "/etc/bind/db.root";
    };

    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912

    zone "localhost" {
    type master;
    file "/etc/bind/db.local";
    };

    zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
    };

    zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
    };

    zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
    };
    ..................................................


    and here are the full records in /etc/bind/pri.tadj.com
    ................................
    $TTL 3600
    @ IN SOA ci1.tadj.com. terry.computerinstruments.com.au. (
    2011122501 ; serial, todays date + todays serial #
    7200 ; refresh, seconds
    540 ; retry, seconds
    604800 ; expire, seconds
    86400 ) ; minimum, seconds
    ;

    mail 3600 A 123.243.65.181
    tadj.com. 3600 A 123.243.65.181
    tadj.com. 3600 MX 10 mail.tadj.com.
    tadj.com. 3600 NS ci1.tadj.com.
    tadj.com. 3600 NS ns1.telstra.net.
    www 3600 A 123.243.65.181
    ...................................

    also netstat:

    root@ci1:/home/terry# netstat -tap
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 localhost.localdo:10024 *:* LISTEN 1487/amavisd (maste
    tcp 0 0 localhost.localdo:10025 *:* LISTEN 2705/master
    tcp 0 0 *:mysql *:* LISTEN 2248/mysqld
    tcp 0 0 *:pop3 *:* LISTEN 2720/dovecot
    tcp 0 0 *:imap2 *:* LISTEN 2720/dovecot
    tcp 0 0 *:sunrpc *:* LISTEN 788/portmap
    tcp 0 0 *:ftp *:* LISTEN 2652/pure-ftpd (SER
    tcp 0 0 ci1.tadj.com:domain *:* LISTEN 1326/named
    tcp 0 0 localhost.locald:domain *:* LISTEN 1326/named
    tcp 0 0 *:ssh *:* LISTEN 2251/sshd
    tcp 0 0 localhost.localdoma:ipp *:* LISTEN 1871/cupsd
    tcp 0 0 *:smtp *:* LISTEN 2705/master
    tcp 0 0 localhost.localdoma:953 *:* LISTEN 1326/named
    tcp 0 0 *:imaps *:* LISTEN 2720/dovecot
    tcp 0 0 *:35553 *:* LISTEN 800/rpc.statd
    tcp 0 0 *:pop3s *:* LISTEN 2720/dovecot
    tcp6 0 0 [::]:http-alt [::]:* LISTEN 1500/apache2
    tcp6 0 0 [::]:www [::]:* LISTEN 1500/apache2
    tcp6 0 0 [::]:tproxy [::]:* LISTEN 1500/apache2
    tcp6 0 0 [::]:ftp [::]:* LISTEN 2652/pure-ftpd (SER
    tcp6 0 0 [::]:domain [::]:* LISTEN 1326/named
    tcp6 0 0 [::]:ssh [::]:* LISTEN 2251/sshd
    tcp6 0 0 ip6-localhost:ipp [::]:* LISTEN 1871/cupsd
    tcp6 0 0 ip6-localhost:953 [::]:* LISTEN 1326/named
    tcp6 0 0 [::]:https [::]:* LISTEN 1500/apache2
    root@ci1:/home/terry#

    Thanks.
     
  2. falko

    falko Super Moderator

    What's in /etc/bind/named.conf.local?

    What's the output of
    Code:
    dig @localhost tadj.com
    ?
     
  3. wcsing

    wcsing New Member

    in /etc/bind/named.conf.local:
    ..................................................
    zone "tadj.com" {
    type master;
    allow-transfer {none;};
    file "/etc/bind/pri.tadj.com";
    };

    -------------------------------------------------------------
    root@ci1:/home/terry# dig @localhost tadj.com

    ; <<>> DiG 9.7.3 <<>> @localhost tadj.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36391
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;tadj.com. IN A

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Dec 27 10:09:26 2011
    ;; MSG SIZE rcvd: 26

    root@ci1:/home/terry#

    Thanks
     
  4. falko

    falko Super Moderator

    What are the outputs of
    Code:
    netstat -uap
    and
    Code:
    iptables -L
    ?
     
  5. wcsing

    wcsing New Member

    root@ci1:/home/terry# netstat -uap

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    udp 0 0 ci1.tadj.com:46127 uneeda.telstra.n:domain ESTABLISHED 19856/firefox-bin
    udp 0 0 ci1.tadj.com:49199 uneeda.telstra.n:domain ESTABLISHED 19856/firefox-bin
    udp 0 0 ci1.tadj.com:domain *:* 1313/named
    udp 0 0 localhost.locald:domain *:* 1313/named
    udp 0 0 *:965 *:* 789/rpc.statd
    udp 0 0 *:mdns *:* 1261/avahi-daemon:
    udp 0 0 *:39149 *:* 1261/avahi-daemon:
    udp 0 0 *:sunrpc *:* 774/portmap
    udp 0 0 *:ipp *:* 1920/cupsd
    udp 0 0 ci1.tadj.com:ntp *:* 2514/ntpd
    udp 0 0 localhost.localdoma:ntp *:* 2514/ntpd
    udp 0 0 *:ntp *:* 2514/ntpd
    udp 0 0 *:48395 *:* 789/rpc.statd
    udp 0 0 ci1.tadj.com:56482 uneeda.telstra.n:domain ESTABLISHED 19856/firefox-bin
    udp6 0 0 [::]:domain [::]:* 1313/named
    udp6 0 0 [::]:48713 [::]:* 1261/avahi-daemon:
    udp6 0 0 [::]:mdns [::]:* 1261/avahi-daemon:
    udp6 0 0 fe80::213:72ff:feb4:ntp [::]:* 2514/ntpd
    udp6 0 0 ip6-localhost:ntp [::]:* 2514/ntpd
    udp6 0 0 [::]:ntp [::]:* 2514/ntpd


    root@ci1:/home/terry# iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps
    fail2ban-pureftpd tcp -- anywhere anywhere multiport dports ftp
    fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
    DROP tcp -- anywhere loopback/8
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    DROP all -- base-address.mcast.net/4 anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere

    Chain INT_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain INT_OUT (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    Chain PAROLE (15 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain PUB_IN (4 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp-data
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp
    PAROLE tcp -- anywhere anywhere tcp dpt:ssh
    PAROLE tcp -- anywhere anywhere tcp dpt:smtp
    PAROLE tcp -- anywhere anywhere tcp dpt:domain
    PAROLE tcp -- anywhere anywhere tcp dpt:www
    PAROLE tcp -- anywhere anywhere tcp dpt:pop3
    PAROLE tcp -- anywhere anywhere tcp dpt:imap2
    PAROLE tcp -- anywhere anywhere tcp dpt:https
    PAROLE tcp -- anywhere anywhere tcp dpt:imaps
    PAROLE tcp -- anywhere anywhere tcp dpt:pop3s
    PAROLE tcp -- anywhere anywhere tcp dpt:mysql
    PAROLE tcp -- anywhere anywhere tcp dpt:http-alt
    PAROLE tcp -- anywhere anywhere tcp dpt:tproxy
    PAROLE tcp -- anywhere anywhere tcp dpt:webmin
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT udp -- anywhere anywhere udp dpt:mysql
    DROP icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain PUB_OUT (4 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain fail2ban-dovecot-pop3imap (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-pureftpd (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-ssh (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere
    root@ci1:/home/terry#

    Thanks
     
  6. falko

    falko Super Moderator

    Looks ok. Can you post your FULL /etc/bind/named.conf here (not sure if what you posted in your first post was the full file)?
     
  7. wcsing

    wcsing New Member

    Sure, here is my /etc/bind/named.local:

    // This is the primary configuration file for the BIND DNS server named.
    //
    // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
    // structure of BIND configuration files in Debian, *BEFORE* you customize
    // this configuration file.
    //
    // If you are just adding zones, please do that in /etc/bind/named.conf.local

    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
    "/etc/bind/named.conf" 11L, 463C 1,1 All
     
  8. falko

    falko Super Moderator

    I see you didn't create an A record for ci1.tadj.com - maybe that is the problem.
     
  9. wcsing

    wcsing New Member

    Added an A record and rebooted the server, but same error.

    IN /etc/bind/pri.tadj.com:

    $TTL 3600
    @ IN SOA ci1.tadj.com. terry.computerinstruments.com.au. (
    2011123101 ; serial, todays date + todays serial #
    7200 ; refresh, seconds
    540 ; retry, seconds
    604800 ; expire, seconds
    86400 ) ; minimum, seconds
    ;

    ci1.tadj.com 86400 A 123.243.65.181
    mail 3600 A 123.243.65.181
    tadj.com. 3600 A 123.243.65.181
    tadj.com. 3600 MX 10 mail.tadj.com.
    tadj.com. 3600 NS ci1.tadj.com.
    tadj.com. 3600 NS ns1.telstra.net.
    www 3600 A 123.243.65.181

    "/etc/bind/pri.tadj.com" 17L, 705C 1,1 All

    root@ci1:/home/terry# dig @localhost tadj.com

    ; <<>> DiG 9.7.3 <<>> @localhost tadj.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44142
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;tadj.com. IN A

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sat Dec 31 10:05:05 2011
    ;; MSG SIZE rcvd: 26

    Will it help if we reinstall ISP3 ?

    Falko; Happy New Year to you and your family. (many thanks for all the help). Terry Dec/2011.
     
  10. falko

    falko Super Moderator

    You forgot the dot. It must either be
    Code:
    ci1.tadj.com. 86400 A 123.243.65.181
    or
    Code:
    ci1 86400 A 123.243.65.181
    Thanks a lot, I wish the same to you and your family. :)
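The reason the missing dot breaks the whole zone, shown as an added example that is not code from the thread, from ISPConfig or from BIND: in a zone file an owner name without a trailing dot is relative to $ORIGIN, so `ci1.tadj.com` silently becomes `ci1.tadj.com.tadj.com.`, the NS record that points at `ci1.tadj.com.` is left without any A/AAAA record in the zone, and named refuses to load the zone at all, which is why every query for it returns SERVFAIL rather than a partial answer. The small checker below parses the zone file format used in the thread ($TTL, $ORIGIN, a parenthesised SOA, an explicit owner on every record) and applies that same load-time rule to the file as posted and to the corrected file; the function names and the check for a doubled origin are this example's own. The real tool for this job is `named-checkzone tadj.com /etc/bind/pri.tadj.com`, which is worth running before every reload.

```python
# Added example: minimal "missing trailing dot" check for a BIND zone file.
# Not the thread's, ISPConfig's or BIND's code; function names are this example's own.

def normalize(name, origin):
    """Absolute, lower-cased form of an owner or target name ('@' = origin)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()      # relative name: $ORIGIN is appended


def _logical_lines(text):
    """Strip ';' comments and join lines that sit inside ( ... ), e.g. the SOA."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def parse_zone(text, origin):
    """Return (owner, type, rdata tokens) triples with absolute owner names.

    Subset of the master-file syntax: every record carries an explicit owner.
    """
    origin = origin.lower() if origin.endswith(".") else origin.lower() + "."
    records = []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = normalize(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            continue                          # default TTL does not affect names
        owner, rest = normalize(tokens[0], origin), tokens[1:]
        if rest and rest[0].isdigit():        # optional per-record TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype in ("NS", "CNAME", "PTR"):   # rdata of these types is a name too
            rdata = [normalize(rdata[0], origin)]
        records.append((owner, rtype, rdata))
    return records


def check_zone(text, origin):
    """Problems that make named reject the zone (and answer SERVFAIL for all of it)."""
    origin = origin.lower() if origin.endswith(".") else origin.lower() + "."
    records = parse_zone(text, origin)
    types_by_owner = {}
    for owner, rtype, _ in records:
        types_by_owner.setdefault(owner, set()).add(rtype)

    def in_zone(name):
        return name == origin or name.endswith("." + origin)

    problems = []
    for owner, rtype, rdata in records:      # rule named applies at load time
        if rtype == "NS" and in_zone(rdata[0]):
            if not types_by_owner.get(rdata[0], set()) & {"A", "AAAA"}:
                problems.append(f"NS '{rdata[0]}' has no address records (A or AAAA)")
    for owner in types_by_owner:             # tell-tale symptom: origin appears twice
        stem = owner[: -len(origin) - 1]
        if in_zone(owner) and owner != origin and stem.endswith("." + origin[:-1]):
            problems.append(f"owner '{owner}' has the origin twice (missing trailing dot?)")
    return problems


# Zone file as posted in the thread (no trailing dot on the ci1 owner name).
BROKEN_ZONE = """$TTL 3600
@ IN SOA ci1.tadj.com. terry.computerinstruments.com.au. (
2011123101 ; serial
7200 ; refresh
540 ; retry
604800 ; expire
86400 ) ; minimum
ci1.tadj.com 86400 A 123.243.65.181
mail 3600 A 123.243.65.181
tadj.com. 3600 A 123.243.65.181
tadj.com. 3600 MX 10 mail.tadj.com.
tadj.com. 3600 NS ci1.tadj.com.
tadj.com. 3600 NS ns1.telstra.net.
www 3600 A 123.243.65.181
"""
# Same file with the fix from the thread: absolute owner name for ci1.
FIXED_ZONE = BROKEN_ZONE.replace("ci1.tadj.com 86400", "ci1.tadj.com. 86400")

if __name__ == "__main__":
    for label, zone in (("as posted", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, check_zone(zone, "tadj.com") or ["zone loads cleanly"])
```

Running it prints the two load-time problems for the posted file and "zone loads cleanly" for the corrected one; `named-checkzone` reports the first of them in the same words.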
     
  11. wcsing

    wcsing New Member

    YES, YES, IT WORKS (after putting in the dot).

    Thank you for this New Year gift.
     
