Hello,
I am running BIND 9 on CentOS 5.1. I have a DNS server that:
- DNS server to hosts in lab.company.com - 192.168.17.x
- forwards queries to company.com - 10.100.x.x.
Problem:
1. FQDN and by-IP-address ping and nslookup are successful.
2. ping/nslookup by host name only, from any 192.168.17.x host to any 10.100.x.x host, fails, and vice versa.
I have set up the DNS of lab.company.com to forward queries to the DNS server of the 10.100.x.x hosts through /etc/named.conf:
options {
    listen-on port 53 { 127.0.0.1; 10.100.1.5; };
    forwarders { 10.100.1.5 port 53; };
};
What tools/logs can I check to troubleshoot this? Should I be configuring this as a forwarder, or should I configure my DNS as a subdomain of the company.com DNS?
Please advise.
On Tue, Apr 1, 2008 at 3:37 PM, vincenzo romero new2xen@gmail.com wrote:
I am running BIND 9 on CentOS 5.1. I have a DNS server that:
- DNS server to hosts in lab.company.com - 192.168.17.x
- forwards queries to company.com - 10.100.x.x.
What is the IP address of your DNS server? What is the IP address of the DNS server for company.com? What are the contents of the resolv.conf file on the machine you're testing?
Basically on your server (the one for lab.company.com) you should have a forwarders entry pointing to the IP of the DNS server for company.com.
In the other DNS server, the one that handles company.com, you should have in the company.com zone an NS entry for the "lab" name pointing to the IP of your DNS server, the one for lab.company.com.
HTH, Filipe
Filipe,
Thank you for your response. Let me clarify further:
On Tue, Apr 1, 2008 at 1:41 PM, Filipe Brandenburger filbranden@gmail.com wrote:
What is the IP address of your DNS server? What is the IP address of the DNS server for company.com? What are the contents of the resolv.conf file on the machine you're testing?
DNS server (myhost.lab.company.com) - 192.168.17.2
DNS server (ns.company.com) - 10.100.1.24
1. ping/nslookup from myhost.lab.company.com - /etc/resolv.conf -->
search lab.company.com
nameserver 127.0.0.1
ping ns
ping: unknown host ns
[root@myhost named]# ping ns.company.com
PING ns.company.com (10.100.1.24) 56(84) bytes of data.
64 bytes from 10.100.1.24: icmp_seq=1 ttl=127 time=0.123 ms
64 bytes from 10.100.1.24: icmp_seq=2 ttl=127 time=0.136 ms
2. ping/nslookup from workstation in company.com - /etc/resolv.conf -->
search company.com
nameserver 10.100.1.24
ping myhost
ping: unknown host myhost
png myhost.lab.company.com
PING myhost.lab.company.com (192.168.17.2) 56(84) bytes of data.
64 bytes from 10.100.1.24: icmp_seq=1 ttl=127 time=0.123 ms
64 bytes from 10.100.1.24: icmp_seq=2 ttl=127 time=0.136 ms
Basically on your server (the one for lab.company.com) you should have a forwarders entry pointing to the IP of the DNS server for company.com.
I have created a FORWARD zone for "mycompany.com"; snippet of /etc/named.conf:
zone "mycompany.com." IN {
    type forward;
    forwarders { 10.100.1.24 port 53; };
};
In the other DNS server, the one that handles company.com, you should have in the company.com zone an NS entry for the "lab" name pointing to the IP of your DNS server, the one for lab.company.com.
The corporate system administrator has added a zone for lab.company.com and even a reverse zone. After I reviewed all my configuration based on your note, I retried the ping/nslookup, and the following is the error I noticed in my /var/log/messages:
NetworkManager: <WARNING> add_ip4_config_to_named (): Could not set forwarders for zone '.'. Error: 'Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.'.
Could this mean that the "company.com" DNS server is not configured properly?
Thanks in advance!
HTH, Filipe
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
vincenzo romero wrote:
- ping/nslookup from myhost.lab.company.com
- /etc/resolv.conf -->
search lab.company.com
nameserver 127.0.0.1
ping ns
ping: unknown host ns
[root@myhost named]# ping ns.company.com
But your resolv.conf says to look for ns.lab.company.com.
- ping/nslookup from workstation in company.com
- /etc/resolv.conf -->
search company.com nameserver 10.100.1.24
ping myhost
ping: unknown host myhost
png myhost.lab.company.com
PING myhost.lab.company.com (192.168.17.2) 56(84) bytes of data.
And this is the other way around: resolv.conf says to add company.com but you are adding lab.company.com.
I have created a FORWARD zone for "mycompany.com"; snippet of /etc/named.conf:
zone "mycompany.com." IN {
    type forward;
    forwarders { 10.100.1.24 port 53; };
};
Is this supposed to have something to do with either company.com or lab.company.com? It doesn't. And is there some reason you only want the forwarder to handle one zone?
Thanks for the response!
On Tue, Apr 1, 2008 at 3:09 PM, Les Mikesell lesmikesell@gmail.com wrote:
Is this supposed to have something to do with either company.com or lab.company.com? It doesn't. And is there some reason you only want the forwarder to handle one zone?
My bad, a typo. It is:
zone "company.com." IN {
    type forward;
    forwarders { 10.100.1.24 port 53; };
};
...
I want any other queries that lab.company.com is not authoritative for, to go to the Name Server of company.com.
...
I have now tried editing a test machine so that its resolv.conf file shows:
search lab.company.com company.com
nameserver 192.168.17.2
nameserver 10.100.1.24
1. I can ping, and do host <hostname> and IP address.
2. nslookup <hostname> resolves.
3. But nslookup IPaddress returns with a listing of ROOT servers:
nslookup 10.100.1.24
Server:         192.168.17.2
Address:        192.168.17.2#53

Non-authoritative answer:
24.1.100.10.in-addr.arpa        name = ns.company.com.

Authoritative answers can be found from:
.       nameserver = l.root-servers.net.
.       nameserver = m.root-servers.net.
.       nameserver = a.root-servers.net.
.       nameserver = b.root-servers.net.
.       nameserver = c.root-servers.net.
.       nameserver = d.root-servers.net.
.       nameserver = e.root-servers.net.
.       nameserver = f.root-servers.net.
.       nameserver = g.root-servers.net.
.       nameserver = h.root-servers.net.
.       nameserver = i.root-servers.net.
.       nameserver = j.root-servers.net.
.       nameserver = k.root-servers.net.
I think I'm almost there.
Thanks again in advance.
--
Les Mikesell lesmikesell@gmail.com
On Tue, Apr 1, 2008 at 6:22 PM, vincenzo romero new2xen@gmail.com wrote:
zone "company.com." IN {
    type forward;
    forwarders { 10.100.1.24 port 53; };
};
In myhost.lab.company.com you probably want to do a forward of all requests to ns.company.com, that would be the "canonical" way of cascading name servers.
I want any other queries that lab.company.com is not authoritative for, to go to the Name Server of company.com.
Exactly, you need a global "forwarders" section in your named.conf (have a look at the man pages).
I did try now to edit a test machine so that its resolv.conf file shows:
search lab.company.com company.com
nameserver 192.168.17.2
nameserver 10.100.1.24
You probably don't want both nameservers in resolv.conf: for the machines in "lab.company.com" you'll want only 192.168.17.2, and for the ones in "company.com" you don't want them querying your nameserver too. Maybe for backup, but then you'd better have two on the 192.168.17 network and two or more on the 10.100.1 network.
- I can ping, and do host <hostname> and ip address
- nslookup <hostname> resolves ..
- but nslookup IPaddress returns with a listing of ROOT servers:
You need to create authoritative zones for the reverse, like 17.168.192.in-addr.arpa.
Your questions are starting to go too much into DNS and BIND specifics. In this case, I would suggest you either: 1) read the DNS and BIND book, which is excellent!!! 2) look for a mailing list/forum specific to DNS and BIND.
If you're going to run name servers, you should try to improve your knowledge of DNS. It's not a very simple protocol, and reading a book such as DNS and BIND will bring you valuable knowledge that will serve you if you'll ever need to troubleshoot your server.
HTH, Filipe
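As an added example of the "canonical" cascade Filipe describes (this is not the thread's own configuration): a global forwarders section so every query myhost.lab.company.com is not authoritative for goes to ns.company.com, authoritative forward and reverse zones for the lab network, and a forward-only zone for the corporate private range so those reverse lookups never leave the company. Addresses are the ones given in the thread; the file names and the allow-recursion list are assumptions.

```conf
// /etc/named.conf on myhost.lab.company.com (192.168.17.2) -- added example
options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 192.168.17.2; };
    // Everything this server is not authoritative for goes to ns.company.com.
    // "forward only" means named never falls back to iterating from the root
    // servers itself, so private names and reverse lookups stay internal.
    forwarders { 10.100.1.24; };
    forward only;
    // Answer recursive queries for lab clients only, not for anyone who can
    // reach port 53 (assumed client range).
    allow-recursion { 127.0.0.1; 192.168.17.0/24; };
};

// Root hints are only used if "forward only" is ever dropped.
zone "." IN {
    type hint;
    file "named.ca";
};

// Authoritative for the lab's forward zone ...
zone "lab.company.com" IN {
    type master;
    file "lab.company.com.zone";
    allow-update { none; };
};

// ... and for its reverse zone, so "nslookup 192.168.17.1" is answered here
// instead of being referred to the root servers.
zone "17.168.192.in-addr.arpa" IN {
    type master;
    file "17.168.192.in-addr.arpa.zone";
    allow-update { none; };
};

// The corporate 10.100.x.x reverse range is served by ns.company.com; send it
// straight there. No "type forward" zone for company.com itself is needed,
// the global forwarders already cover it.
zone "100.10.in-addr.arpa" IN {
    type forward;
    forward only;
    forwarders { 10.100.1.24; };
};
```

Run named-checkconf after editing; a missing closing "};" like the ones in the snippets earlier in the thread is reported there before named fails to start.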
vincenzo romero wrote:
thanks for the response!
On Tue, Apr 1, 2008 at 3:09 PM, Les Mikesell lesmikesell@gmail.com wrote:
Is this supposed to have something to do with either company.com or lab.company.com? It doesn't. And is there some reason you only want the forwarder to handle one zone?
My bad, a typo. It is:
zone "company.com." IN {
    type forward;
    forwarders { 10.100.1.24 port 53; };
};
...
I want any other queries that lab.company.com is not authoritative for, to go to the Name Server of company.com.
That happens anyway if the forwarder is not authoritative - that is, the forwarder will act as a caching proxy.
...
I have now tried editing a test machine so that its resolv.conf file shows:
search lab.company.com company.com
nameserver 192.168.17.2
nameserver 10.100.1.24
- I can ping, and do host <hostname> and IP address.
- nslookup <hostname> resolves.
- But nslookup IPaddress returns with a listing of ROOT servers:
nslookup 10.100.1.24
Server:         192.168.17.2
Address:        192.168.17.2#53

Non-authoritative answer:
24.1.100.10.in-addr.arpa        name = ns.company.com.
Does this zone file have an NS record for the server that answers?
Authoritative answers can be found from:
.       nameserver = l.root-servers.net.
.       nameserver = m.root-servers.net.
.       nameserver = a.root-servers.net.
.       nameserver = b.root-servers.net.
.       nameserver = c.root-servers.net.
.       nameserver = d.root-servers.net.
.       nameserver = e.root-servers.net.
.       nameserver = f.root-servers.net.
.       nameserver = g.root-servers.net.
.       nameserver = h.root-servers.net.
.       nameserver = i.root-servers.net.
.       nameserver = j.root-servers.net.
.       nameserver = k.root-servers.net.
It's not really polite to send private IP reverse lookups to the public root servers, but I suppose millions of places do...
Thank you again; more clarification, if anyone can please shed light:
That happens anyway if the forwarder is not authoritative - that is, the forwarder will act as a caching proxy.
OK, so my lab.company.com is authoritative, so it should keep a copy of company.com's information then and be able to respond to queries even within the domain of company.com?
It's not really polite to send private IP reverse lookups to the public root servers, but I suppose millions of places do...
I'm sorry, but how do I configure (or any pointer, please?) so that I do not point to the public root servers? I just followed templates; whereas the company.com DNS, I was not the one who configured it.
I think the issues I have encountered are fewer now. My questions:
1. From my lab.company.com DNS server - do I need to update my /etc/resolv.conf file so that it shows:
search lab.company.com company.com
nameserver 192.168.17.2
nameserver 10.100.1.24
2. With the above /etc/resolv.conf I can ping hosts forwards and backwards, except that reverse lookup of a host within company.com's domain still shows the root servers. :(
3. Strangest and most confusing is performing nslookup FROM lab.company.com's DNS server:
a. It responds to nslookup for company.com:
nslookup 192.168.17.1
Server:         127.0.0.1
Address:        127.0.0.1#53

1.17.168.192.in-addr.arpa       name = qatest1.lab.maxiscale.com.
[root@myhost named]# nslookup maxiscale.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   company.com
Address: 10.100.1.24
BUT it can't find an answer for ITS OWN domain:
nslookup lab.company.com
Server:         127.0.0.1
Address:        127.0.0.1#53

*** Can't find lab.company.com: No answer
I must be missing something in my /var/named configuration files? Please advise.
Thanks in advance,
--
Les Mikesell lesmikesell@gmail.com
vincenzo romero wrote:
thank you again, more clarification, if anyone can pls shed light ...
That happens anyway if the forwarder is not authoritative - that is, the forwarder will act as a caching proxy.
ok - so my lab.company.com is authoritative, so it should keep a copy of company.com's information then and be able to respond to queries even within the domain of company.com?
Yes, if a server is configured as primary or secondary for a zone it will reply directly without asking anyone else.
It's not really polite to send private IP reverse lookups to the public root servers, but I suppose millions of places do...
i'm sorry, but how do i configure (or any pointer pls?) so that I do not point to the public root servers? i just followed templates; whereas, the company.com DNS, I was not the one who configured it.
Configure your servers as primary or secondary for the reverse zones of all the private ranges you use (nn.nn.nn.IN-ADDR.ARPA).
I think the issues I have encountered are fewer now. My questions:
- From my lab.company.com DNS server - do I need to update my
/etc/resolv.conf file so that it shows:
search lab.company.com company.com
nameserver 192.168.17.2
nameserver 10.100.1.24
The 'search' applies to lookups from clients on that particular machine where a bare host name is requested.
- With the above /etc/resolv.conf I can ping hosts forwards and backwards,
except that reverse lookup of a host within company.com's domain still shows the root servers. :(
If you aren't primary/secondary, it walks down following referrals from the root servers. For private ranges you won't get the right answer because they aren't delegated.
- Strangest and most confusing is performing nslookup FROM
lab.company.com's DNS server:
a. It responds to nslookup for company.com:
nslookup 192.168.17.1
Server:         127.0.0.1
Address:        127.0.0.1#53

1.17.168.192.in-addr.arpa       name = qatest1.lab.maxiscale.com.
[root@myhost named]# nslookup maxiscale.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   company.com
Address: 10.100.1.24
BUT it can't find an answer for ITS OWN domain:
nslookup lab.company.com
Server:         127.0.0.1
Address:        127.0.0.1#53

*** Can't find lab.company.com: No answer
Usually the origin of the zone has A and NS records in the parent zone.
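As an added example (not the thread's own zone data) of what Les and Filipe are pointing at: the lab zone with NS and A records at its apex, so "nslookup lab.company.com" gets an answer instead of "No answer"; the matching reverse zone, so private reverse lookups are answered locally rather than referred to the root servers; and the NS plus glue A record in the parent company.com zone that delegates "lab". Serial numbers, TTLs and the hostmaster mailbox are assumptions; the hosts and addresses are the ones in the thread.

```conf
; --- /var/named/lab.company.com.zone on myhost (192.168.17.2) -- added example
$TTL 86400
$ORIGIN lab.company.com.
@       IN  SOA   myhost.lab.company.com. hostmaster.lab.company.com. (
                  2008040101 ; serial (YYYYMMDDnn, assumed)
                  3600       ; refresh
                  900        ; retry
                  604800     ; expire
                  3600 )     ; negative-cache TTL
; NS and an A record at the apex: the zone loads without the A record, but
; then a query for the bare name lab.company.com returns NOERROR/no answer.
@       IN  NS    myhost.lab.company.com.
@       IN  A     192.168.17.2
myhost  IN  A     192.168.17.2
qatest1 IN  A     192.168.17.1

; --- /var/named/17.168.192.in-addr.arpa.zone on myhost -- added example
; Being primary for the private reverse range means 192.168.17.x lookups are
; answered here and never reach the public root servers.
$TTL 86400
$ORIGIN 17.168.192.in-addr.arpa.
@       IN  SOA   myhost.lab.company.com. hostmaster.lab.company.com. (
                  2008040101 3600 900 604800 3600 )
@       IN  NS    myhost.lab.company.com.
1       IN  PTR   qatest1.lab.company.com.
2       IN  PTR   myhost.lab.company.com.

; --- fragment of the company.com zone on ns.company.com (10.100.1.24) ---
; Delegation of "lab": the NS record hands the subdomain to the lab server,
; and the glue A record tells resolvers where that server lives. Without
; this, a workstation using 10.100.1.24 cannot find myhost.lab.company.com.
$ORIGIN company.com.
lab                      IN  NS  myhost.lab.company.com.
myhost.lab.company.com.  IN  A   192.168.17.2
```

Check each file with named-checkzone (for example "named-checkzone lab.company.com /var/named/lab.company.com.zone") and bump the serial whenever a record changes so secondaries pick it up.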