Problem regarding setting up own name service

Discussion in 'Installation/Configuration' started by asgare, Oct 21, 2020.

  1. asgare

    asgare Member

    Hi
    I'm writing after many googling upon forum and guides through. Sorry if you may seem it repetitive.
    I have ISPConfig 2 working well but can't handle the new version. BTW, since my problem not solved I upgraded to 3.2.

    my server information:
    Code:
    Public IP: 89.165.65.225
    Server IP: 192.168.1.191
    
    Host Name: ns1
    domain name: x37.ir

    Server test results:
    1:
    Code:
    [email protected]:/# host ns1.x37.ir 89.165.65.225
    ;; reply from unexpected source: 192.168.1.1#53, expected 89.165.65.225#53
    ;; reply from unexpected source: 192.168.1.1#53, expected 89.165.65.225#53
    ;; connection timed out; no servers could be reached
    
    2:
    Code:
    [email protected]:/# host ns1.x37.ir 192.168.1.191
    ;; connection timed out; no servers could be reached
    
    3: systemctl status bind9.service
    Code:
    bind9.service - BIND Domain Name Server
       Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
       Active: active (running) since Wed 2020-10-21 04:21:01 EDT; 32min ago
         Docs: man:named(8)
      Process: 19674 ExecStart=/usr/sbin/named $OPTIONS (code=exited, status=0/SUCCESS)
      Process: 20744 ExecReload=/usr/sbin/rndc reload (code=exited, status=0/SUCCESS)
     Main PID: 19675 (named)
        Tasks: 27 (limit: 4915)
       Memory: 82.0M
       CGroup: /system.slice/bind9.service
               └─19675 /usr/sbin/named -u bind
    
    Oct 21 04:53:21 ns1 named[19675]: client @0x7fc9c8426070 209.252.188.79#2188 (mail.x37.ir): query (cache) 'mail.x37.ir/A/IN' denied
    Oct 21 04:53:21 ns1 named[19675]: client @0x7fc9c8426070 192.221.134.137#58565 (mail.x37.ir): query (cache) 'mail.x37.ir/A/IN' denied
    Oct 21 04:53:21 ns1 named[19675]: client @0x7fc9c848b560 193.111.144.161#34333 (mail.x37.ir): query (cache) 'mail.x37.ir/A/IN' denied
    Oct 21 04:53:21 ns1 named[19675]: client @0x7fc9c848b560 192.221.134.143#4859 (mail.x37.ir): query (cache) 'mail.x37.ir/A/IN' denied
    Oct 21 04:53:22 ns1 named[19675]: client @0x7fc9c8409150 192.221.134.133#53694 (mail.x37.ir): query (cache) 'mail.x37.ir/A/IN' denied
    Oct 21 04:53:22 ns1 named[19675]: client @0x7fc9c83785b0 207.177.83.1#60600 (mail.x37.ir): query (cache) 'mail.x37.ir/A/IN' denied
    Oct 21 04:53:22 ns1 named[19675]: client @0x7fc9c83785b0 192.221.134.138#28831 (ns1.x37.ir): query (cache) 'ns1.x37.ir/A/IN' denied
    
    another test:
    Code:
    [email protected]:/# host 89.165.65.225 89.165.65.225
    ;; reply from unexpected source: 192.168.1.1#53, expected 89.165.65.225#53
    ;; reply from unexpected source: 192.168.1.1#53, expected 89.165.65.225#53
    ;; connection timed out; no servers could be reached
    
    grep named /var/log/syslog
    due to threat size, I shorten the log message

    Code:
    /query.c:7144
    Oct 21 02:29:14 ns1 named[758]: client @0x7fc57047cc50 172.253.219.10#49428 (ns1.x37.ir): query: ns1.x37.ir IN A -E(0) (192.168.1.191)
    Oct 21 02:29:14 ns1 named[758]: client @0x7fc57047cc50 172.253.219.10#49428 (ns1.x37.ir): query (cache) 'ns1.x37.ir/A/IN' denied
    Oct 21 02:29:14 ns1 named[758]: client @0x7fc57047cc50 172.253.219.10#49428 (ns1.x37.ir): query failed (REFUSED) for ns1.x37.ir/IN/A at 
    Oct 21 02:29:18 ns1 named[758]: client @0x7fc570ea9be0 200.40.53.11#19131 (ns1.x37.ir): query: ns1.x37.ir IN AAAA -E(0)DC (101773930dot12dot10211431dot89dot165dot65dot225q1w2e3rty.nus.edu.sg): query: ery.c:7144
    Oct 21 02:31:26 ns1 named[758]: client @0x7fc570ea9be0 111.200.195.67#30053 (101773930dot12dot10211431dot89dot165dot65dot225q1w2e3rty.upd.edu.ph): query: 101773930dot12dot10211431dot89dot165dot65dot225q1w2e3rty.upd.edu.ph IN A + (192.168.1.191)
    Oct 21 02:31:26 ns1 named[758]: client @0x7fc570ea9be0 111.200.195.67#30053 (101773930dot12dot10211431dot89dot165dot65dot225q1w2e3rty.upd.edu.ph): query (cache) '101773930dot12dot10211431dot89dot165dot65dot225q1w2e3rty.upd.edu.ph/A/IN' denied
    Oct 21 02:31:26 ns1 named[758]: client @0x7fc570ea9be0 111.200.195.67#30053 (101773930dot12dot10211431dot89dot165dot65dot225q1w2e3rty.upd.edu.ph): query failed (REFUSED) for 101773930dot12dot10211431dot89dot165dot65dot225q1w2e3rty.upd.edu.ph/IN/A at ../../../bin/named/query.c:7144
    Oct 21 02:32:52 ns1 named[758]: client @0x7fc57045fd30 14.18.16.157#33151 (vpn.sontan.net): query: vpn.sontan.net IN A - (192.168.1.191)
    Oct 21 02:32:52 ns1 named[758]: client @0x7fc57045fd30 14.18.16.157#33151 (vpn.sontan.net): query (cache) 'vpn.sontan.net/A/IN' denied
    Oct 21 02:32:52 ns1 named[758]: client @0x7fc57045fd30 14.18.16.157#33151 (vpn.sontan.net): query failed (REFUSED) for vpn.sontan.net/IN/A at ../../../bin/named/query.c:7144
    Oct 21 04:21:01 ns1 named[19675]: starting BIND 9.11.5-P4-5.1+deb10u2-Debian (Extended Support Version) <id:998753c>
    Oct 21 04:21:01 ns1 named[19675]: running on Linux x86_64 4.19.0-11-amd64 #1 SMP Debian 4.19.146-1 (2020-09-17)
    Oct 21 04:21:01 ns1 named[19675]: built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-libjson=/usr' '--with-lmdb=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--enable-native-pkcs11' '--with-pkcs11=/usr/lib/softhsm/libsofthsm2.so' '--with-randomdev=/dev/urandom' '--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-pbRECD/bind9-9.11.5.P4+dfsg=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
    
    Oct 21 04:28:46 ns1 named[19675]: client @0x7fc9c8451720 172.253.14.1#55214 (ns1.x37.ir): query (cache) 'ns1.x37.ir/A/IN' denied
    Oct 21 04:28:51 ns1 named[19675]: client @0x7fc9c847cdd0 172.253.14.5#65385 (ns1.x37.ir): query (cache) 'ns1.x37.ir/A/IN' denied
    Oct 21 04:28:51 ns1 named[19675]: client @0x7fc9c847cdd0 172.253.11.5#37245 (ns1.x37.ir): query (cache) 'ns1.x37.ir/A/IN' denied
    Oct 21 04:31:01 ns1 named[19675]: received control channel command 'reload'
    Oct 21 04:31:01 ns1 named[19675]: loading configuration from '/etc/bind/named.conf'
    Oct 21 04:31:01 ns1 named[19675]: /etc/bind/named.conf.options:23: dnssec-lookaside 'auto' is no longer supported
    Oct 21 04:31:01 ns1 named[19675]: reading built-in trust anchors from file '/etc/bind/bind.keys'
    Oct 21 04:31:01 ns1 named[19675]: initializing GeoIP Country (IPv4) (type 1) DB
    Oct 21 04:31:01 ns1 named[19675]: GEO-106FREE 20181108 Build
    Oct 21 04:31:01 ns1 named[19675]: initializing GeoIP Country (IPv6) (type 12) DB
    Oct 21 04:31:01 ns1 named[19675]: GEO-106FREE 20181108 Build
    
    Oct 21 04:31:02 ns1 named[19675]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
    Oct 21 04:31:02 ns1 named[19675]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
    Oct 21 04:31:02 ns1 named[19675]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
    Oct 21 04:31:02 ns1 named[19675]: automatic empty zone: D.F.IP6.ARPA
    Oct 21 04:32:36 ns1 named[19675]: client @0x7fc9c83b23f0 192.221.146.128#21670 (ns1.x37.ir): query (cache) 'ns1.x37.ir/A/IN' denied
    Oct 21 04:32:36 ns1 named[19675]: client @0x7fc9c83b23f0 172.253.14.5#54792 (ns1.x37.ir): query (cache) 'ns1.x37.ir/A/IN' denied
    Oct 21 04:32:36 ns1 named[19675]: client @0x7fc9c83ec230 192.221.146.138#28303 (ns1.x37.ir): query (cache) 'ns1.x37.ir/A/IN' denied
    Oct 21 04:32:36 ns1 named[19675]: client @0x7fc9c83ec230 172.253.14.3#54204 (ns1.x37.ir): query (cache) 'ns1.x37.ir/A/IN' denied
    Oct 21 04:32:36 ns1 named[19675]: client @0x7fc9c83b23f0 192.221.146.140#26461 (ns1.x37.ir): query (cache) 'ns1.x37.ir/A/IN' denied
    

    upload_2020-10-21_12-43-14.png

    upload_2020-10-21_12-44-9.png


    Please help me to figure out this issue.
    Thanks and appreciate in advance.
     
  2. ahrasis

    ahrasis Well-Known Member

    @Taleman wrote a tutorial on this, which is in his signature, so do refer to it. So far that I know, ISPConfig 3.1 and 3.2 should be fine for dns server.
     
  3. nhybgtvfr

    nhybgtvfr Active Member

    all those records in your dns, the ones ending in x37.ir in the name and data columns, add a trailing . to them
    should be eg: web.x37.ir. ns1.x37.ir. mail.x37.ir.

    otherwise they'll be resolving as eg web.x37.ir.x37.ir
     
    Th0m likes this.
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I have moved your thread to the ISPConfig 3 board.
     
  5. asgare

    asgare Member

    would you please give me a link
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I think you misunderstood. You posted in the Linux board. If you scroll a little further, we have a separate board for ISPConfig 3 threads.
     
  7. asgare

    asgare Member

    I changed as you provided to me but not solved my problem.
    upload_2020-10-21_14-47-5.png
     
  8. asgare

    asgare Member

    is there a way to change it to the ISPConfig category?
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I told you I moved it ;)
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You have to add a . (dot) after the hostname x37.ir aswell. Then wait for it to propagate which can take some.
     
  11. nhybgtvfr

    nhybgtvfr Active Member

    also, another point not mentioned yet, since you're using nameservers that are part of the same domain zone they are serving, you need to provide glue records for them with your domain registration provider.
     
    Th0m likes this.
  12. asgare

    asgare Member

    gladiator friends
    Thanks a ton
    it solved. I put dots after the domain name and it solved my issue.
    :)
     
    ahrasis likes this.
  13. asgare

    asgare Member

    how ?
    can you make an example!
     
  14. nhybgtvfr

    nhybgtvfr Active Member

    can't really give an example. depends on the domain registrars control panel, location and format are different for each one.
    put simply, they need to be told the ip addresses for each nameserver for that domain.
    wouldn't worry about it now though, if dns resolution is working ok, which it appears to be, then the glue records should already be setup.

    also, based on those screen shots, and nslookup results, you still need to create an A record for your mailserver ( mail or mail.x37.ir. )
     
  15. asgare

    asgare Member

    I did for "mail.x37.ir." once again thanks.
    One more question, whatsoever I build A record until here, I made for both IPs. I mean server local IP and server public IP. Is it okey?
     
  16. nhybgtvfr

    nhybgtvfr Active Member

    no. private ip's are not internet routable. they should not be included in a public dns scope.
    you can have split dns, and have the private ip's in a different scope so they can be used only from the local lan. probably best to avoid the extra complication until you're very familiar with dns/bind configuration and management.

    if you have both like this, when dns queries are made, they'll use one or the other of those ip's for the subsequent service connection, and any attempt to use the private ip from the internet will fail. should be on a round-robin basis, but you'll get a failure on roughly 50% of connection attempts.

    if you want servers to find each other on a local lan, without dns lookups, or when dns is broken, or to avoid traversing the firewall out and back in again, then put the private ip's into the local hosts file on each server.
     
  17. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Looks like @asgare did not read my DNS tutorial?
     
    ahrasis likes this.
  18. asgare

    asgare Member

    Hi Taleman
    How are you, buddy! Thanks for everything, really.
    You mean this link? https://www.howtoforge.com/tutorial/setting-up-your-own-name-service-with-ispconfig/

    I almost read it 10 times. I didn't notice "dots" at the end of DNS's and moreover, I didn't understand this built for those who have public IP or not. But, this article has done many things for me only few mistakes remained and resolved it by friends.
    You knew sometimes some points need to be told in some way to be understood.
     
    Th0m likes this.
  19. asgare

    asgare Member

    Thanks, I removed private IP's and test out, and now is fine.
     

Share This Page