My DNS (bind 8.2.3) works fine if I make a query like
"nslookup asterix.idefix"
How can I configure my DNS so that I can make
"nslookup asterix" as well as "nslookup asterix.idefix.de"?
Additional: if I am connected to the Internet, how can I configure the
system so that my local DNS server answers the queries of my local system?
Thanks,
Matthias
####################
# /etc/resolv.conf
domain idefix.de de
search idefix.de de
nameserver 192.168.17.42
####################
#/etc/named.conf
options {
directory "/var/named";
forwarders { 151.189.0.65; }; # External DNS Server for Internet queries
};
zone "idefix" in {
type master;
notify no;
file "idefix.zone";
};
####################
# /var/named/idefix.zone
$TTL 2D
idefix.de. IN SOA asterix.idefix.de. root.localhost (
1999092901 ; serial (d. adams)
1D ; refresh
2H ; retry
1W ; expiry
2D ) ; minimum
IN NS asterix.idefix.de.
asterix IN A 192.168.17.42
####################
To make "nslookup asterix.idefix.de" work, there would have to be an
"asterix" entry in the "idefix.de" zone, and your server would need to
somehow be able to resolve names in that zone, or
"asterix.idefix.de" would need to be a zone by itself, which your server
can resolve. If everything is strictly internal, then it's all quite
trivial: just create an "idefix.de" zone and add "asterix" to it. But,
if you want the name to resolve on the Internet, or only internally,
while still allowing your internal clients to resolve other names in
"idefix.de", then this calls for more complicated configuration and
possibly multiple nameserver instances.
- Kevin
I have configured a BIND 8.1.2 and when I execute or restart the daemon
named the console of the server just sends a message that it is ready to resolve
names, but I have some problems because it doesn't resolve some domains that
belong to another ISP.
What do you recommend ???
Regards
Rafa
Recommendation #2: Unless all you're looking for is wild speculation about
what the problem _might_ be, please provide a lot more detail about how your
nameserver is configured and what domains in particular aren't resolving.
- Kevin
I have 3 domain names in my server, fastline.bidbid.com, mishi.bidbid.com
and www.sam.com, where www.sam.com is a virtual host. fastline.bidbid.com
is pointing at 192.168.1.1, mishi.bidbid.com is pointing at
172.16.1.1, and www.sam.com also pointing at 172.16.1.1, thus:
fastline.bidbid.com -> 192.168.1.1
mishi.bidbid.com -> 172.16.1.1
www.sam.com -> 172.16.1.1
When I do nslookup on www.sam.com (the virtual name), it shows:
swun@fastline ~ > nslookup www.sam.com
Server: fastline.bidbid.com
Address: 192.168.1.1
Name: www.sam.com
Address: 172.16.1.1
But the following may not be right?
swun@fastline ~ > nslookup 172.16.1.1
Server: fastline.bidbid.com
Address: 192.168.1.1
Name: mishi.bidbid.com
Address: 172.16.1.1
I would expect nslookup 172.16.1.1 should show me the Name www.sam.com as
well?
What may be wrong with my setting then?
Here is my db.sam zone file:
swun@fastline /etc/namedb > cat db.sam
$TTL 432000
@ IN SOA sam.sam.com. root.sam.sam.com. ( 2000090700 10800 3600 604800
86400 )
IN NS sam.sam.com.
localhost IN A 127.0.0.1
sam IN A 172.16.1.1
sam IN MX 10 sam.sam.com.
www.sam.com. IN A 172.16.1.1
And my db.172.16.1.1 file:
swun@fastline /etc/namedb > cat db.172.16.1
$TTL 432000
@ IN SOA fastline.bidbid.com. root.fastline.bidbid.com. ( 2000090700 10800
3600 604800 86400 )
IN NS fastline.bidbid.com.
IN NS mishi.bidbid.com.
1.1.16.172.IN-ADDR.ARPA. IN PTR mishi.bidbid.com.
200.1.16.172.IN-ADDR.ARPA. IN PTR db.bidbid.com.
1.1.16.172.IN-ADDR.ARPA. IN PTR www.sam.com.
1.1.16.172.IN-ADDR.ARPA. IN PTR www.rolandx.com.
1.1.16.172.IN-ADDR.ARPA. IN PTR www.fineworkx.com.
Thanks
Sam
BIND 8 uses a random UDP port for its queries unless told
otherwise via query-source.
Mark
>
> oooppppssss..... where can I check it ???
>
> I just have configured this ...
>
> #####################################################################
> options {
> directory "/var/named";
> pid-file "/var/named/named.pid";
> named-xfer "/usr/sbin/named-xfer";
>
> transfers-in 10;
> forward only;
> fake-iquery yes;
> pollfd-chunk-size 20;
>
> //#ident "@(#)cmd-inet:var/named/named.boot 1.2"
> //
> //boot file for name server
> //
> //type domain source file or host
> //
>
> };
>
>
> zone "cetro-crece.org.mx" in {
> type master;
> file "/var/named/named.db";
> };
>
> zone "0.0.127.in-addr.arpa" in {
> type master;
> file "/var/named/named.local";
> };
>
> zone "147.38.200.in-addr.arpa" in {
> type master;
> file "/var/named/200.38.147.rev";
> };
>
> zone "." in {
> type hint;
> file "/var/named/named.ca";
> };
>
> ############################################################
>
> And the named.ca file I got this
>
> ##########################################################33
>
> ;
> ; This file holds the information on root name servers needed to
> ; initialize cache of Internet domain name servers
> ; e.g. reference this file in the cache file
> ; configuration file of BIND domain name servers.
> ;
> ; This file is made available by InterNIC registration services
> ; under anonymous FTP as
> ; file /domain/named.root
> ; on server FTP.RS.INTERNIC.NET
> ; -OR- under Gopher at RS.INTERNIC.NET
> ; under menu InterNIC Registration Services NSI
> ; submenu InterNIC Registration Archives
> ; file named.root
> ;
> ; last update: Nov 8, 1995
> ; related version of root zone: 1995110800
> ;
> ;
> ; formerly NS.INTERNIC.NET
> ;
> . 3600000 IN NS A.ROOT-SERVERS.NET.
> A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
> ;
> ; formerly NS1.ISI.EDU
> ;
> . 3600000 NS B.ROOT-SERVERS.NET.
> B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
> ;
> ; formerly C.PSI.NET
> ;
> . 3600000 NS C.ROOT-SERVERS.NET.
> C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
> ;
> ; formerly TERP.UMD.EDU
> ;
> . 3600000 NS D.ROOT-SERVERS.NET.
> D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
> ;
> ; formerly NS.NASA.GOV
> ;
> . 3600000 NS E.ROOT-SERVERS.NET.
> E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
> ;
> ; formerly NS.ISC.ORG
> ;
> . 3600000 NS F.ROOT-SERVERS.NET.
> F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
> ;
> ; formerly NS.NIC.DDN.MIL
> ;
> . 3600000 NS G.ROOT-SERVERS.NET.
> G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
> ;
> ; formerly AOS.ARL.ARMY.MIL
> ;
> . 3600000 NS H.ROOT-SERVERS.NET.
> H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
> ;
> ; formerly NIC.NORDU.NET
> ;
> . 3600000 NS I.ROOT-SERVERS.NET.
> I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
> ; End of File
>
> ######################################################
>
> Thanks for your help !!!!!
>
> Kevin, sorry for not sending a copy of this previously
>
>
>
> Joseph S D Yao wrote:
>
> > On Tue, Sep 12, 2000 at 04:30:16PM -0500, Rafael Cruz M. wrote:
> > > I have configured a BIND 8.1.2 and when I execute or restart the daemon
> > > named the console of the server just sends a message that it is ready to resolve
> > > names, but I have some problems because it doesn't resolve some domains that
> > > belong to another ISP.
> > >
> > > What do you recommend ???
> >
> > Do you have the root servers configured into a "hints" zone?
> >
> > --
> > Joe Yao js...@cospo.osis.gov - Joseph S. D. Yao
> > COSPO/OSIS Computer Support EMT-B
> > -----------------------------------------------------------------------
> > This message is not an official statement of COSPO policies.
>
>
>
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.A...@nominum.com
How can I resolve it, Mark ???
Is there any way to force it not to be random ???
On Thu, Sep 14, 2000 at 07:42:57AM +1100, Mark.A...@nominum.com wrote:
...
> > I just have configured this ...
> >
> > #####################################################################
> > options {
> > directory "/var/named";
> > pid-file "/var/named/named.pid";
> > named-xfer "/usr/sbin/named-xfer";
> >
> > transfers-in 10;
> > forward only;
> > fake-iquery yes;
> > pollfd-chunk-size 20;
> >
> > //#ident "@(#)cmd-inet:var/named/named.boot 1.2"
> > //
> > //boot file for name server
> > //
> > //type domain source file or host
> > //
> >
> > };
It says "forward only;". But no "forwarders {...};" statement.
If you are behind a firewall, please enter a "forwarders { X; };"
statement, where "X" is the IP address of your firewall [from the
inside].
If you are NOT in fact behind a firewall, take out the "forward only;"
line.
--
Joe Yao js...@cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
PLEASE ... send or Cc: all "COSPO/OSIS Computer Support"
mail to sys...@cospo.osis.gov
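The two checks raised in the thread, a "forward only;" line with no "forwarders" list and whether "query-source" fixes the outgoing port so that a firewall rule can match it, can be run against a named.conf automatically. The following is an added example, not part of any message in the thread; the function names and the 192.0.2.1 forwarder address are assumptions made for illustration.

```python
import re

# options block as posted in the thread (shortened)
POSTED = """
options {
    directory "/var/named";
    forward only;
    fake-iquery yes;
    //#ident "@(#)cmd-inet:var/named/named.boot 1.2"
};
zone "." in { type hint; file "/var/named/named.ca"; };
"""

# Constructed variant: 192.0.2.1 is a documentation placeholder address.
REVISED = """
options {
    directory "/var/named";
    forward only;
    forwarders { 192.0.2.1; };
    query-source address * port 53;
};
"""

_SKIP = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)


def strip_comments(text):
    """Drop //, # and /* */ comments but keep quoted strings intact."""
    return _SKIP.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)


def options_body(conf):
    """Return the text between the braces of the options statement."""
    start = re.search(r"\boptions\s*\{", conf)
    if not start:
        return ""
    depth, pos = 1, start.end()
    while pos < len(conf) and depth:  # walk to the matching closing brace
        depth += {"{": 1, "}": -1}.get(conf[pos], 0)
        pos += 1
    return conf[start.end():pos - 1]


def check_forwarding(named_conf):
    """Report forward mode, forwarder list and any fixed query-source port."""
    body = options_body(strip_comments(named_conf))
    mode = re.search(r"\bforward\s+(only|first)\s*;", body)
    fwd = re.search(r"\bforwarders\s*\{([^}]*)\}", body)
    port = re.search(r"\bquery-source\b[^;]*\bport\s+(\d+)", body)
    forwarders = fwd.group(1).replace(";", " ").split() if fwd else []
    return {
        "forward": mode.group(1) if mode else None,
        "forwarders": forwarders,
        "query_source_port": int(port.group(1)) if port else None,
        "forward_only_without_forwarders": bool(mode) and mode.group(1) == "only" and not forwarders,
    }
```

For the posted options block the check reports "forward only" with an empty forwarder list and no fixed query-source port.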
Is there any problem with this case for DNS ???
Joseph S D Yao wrote:
> On Tue, Sep 12, 2000 at 04:42:13PM -0400, Kevin Darcy wrote:
> >
> > To make "nslookup asterix" work, you'd need to configure your resolver
> > with a default domain, which would be the name of a domain containing an
> > "asterix" entry. E.g. you could put "domain idefix" or "domain
> > idefix.de" in /etc/resolv.conf.
> ...
> > > ####################
> > > # /etc/resolv.conf
> > > domain idefix.de de
> > > search idefix.de de
> > > nameserver 192.168.17.42
> > > ####################
>
> More specifically, "domain" does not take two arguments - make it
> domain idefix.de
> I have heard it said that "search" is deprecated; but I find it
> sometimes useful, and so may you.
"search" is probably the biggest source of wasted nameserver resources behind
TTL=0 and, of course, moronic users. It's evil.
My opinion, of course...
> OBTW - "Asterix" is a cute little cartoon barbarian. "Asterisk" is
> '*'. ;-)
I think it was intentional, though. Remember that all of the characters had
"-ix" names -- Obelix, Getafix, Picanmix, etc. The name of the domain is
"idefix", so it all seems properly "theme"d...
- Kevin
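To make the "domain" and "search" discussion concrete, the sketch below lists the names a stub resolver would try for each of the lookups in the original question, using the resolv.conf that was posted. It is an added example, not part of any message in the thread, and it is a simplified model of the rules in resolv.conf(5): the last "domain" or "search" line wins, "domain" uses one name, and ndots defaults to 1; the function names are assumptions.

```python
# Added example: candidate names a stub resolver derives from resolv.conf.
# Simplified model of resolv.conf(5): the last "domain"/"search" line wins,
# "domain" uses one name only, and ndots defaults to 1.

POSTED = """\
domain idefix.de de
search idefix.de de
nameserver 192.168.17.42
"""  # resolv.conf as posted in the thread


def parse_resolv_conf(text):
    """Return (search_list, ndots, warnings)."""
    search, ndots, warnings = [], 1, []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":
            continue  # blank line or comment
        keyword, args = fields[0], fields[1:]
        if keyword == "domain" and args:
            if len(args) > 1:
                warnings.append("domain takes one name; ignoring %s" % args[1:])
            search = [args[0]]
        elif keyword == "search" and args:
            search = args  # replaces any earlier domain/search line
        elif keyword == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return search, ndots, warnings


def candidates(name, search, ndots=1):
    """Ordered list of fully qualified names the resolver would query."""
    if name.endswith("."):
        return [name]  # already absolute: no search list applied
    expanded = ["%s.%s." % (name, d.rstrip(".")) for d in search]
    as_is = [name + "."]
    # Names with at least ndots dots are tried as-is first.
    return as_is + expanded if name.count(".") >= ndots else expanded + as_is


if __name__ == "__main__":
    search, ndots, warnings = parse_resolv_conf(POSTED)
    print(warnings)
    for query in ("asterix", "asterix.idefix", "asterix.idefix.de"):
        print(query, "->", candidates(query, search, ndots))
```

With the named.conf posted at the top of the thread (authoritative only for "idefix", with a forwarder configured), neither "asterix.idefix.de." nor "asterix.de." can be answered locally, so both candidates for "asterix" are passed to the external forwarder before the bare name is tried.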
I don't understand.
Try using simple sentences.
I got this:
The configuration contains "forward only".
There is an Internet server - no idea what it is serving.
The Internet server has a public Internet IP address.
This public Internet IP address is part of a subnet assigned
you by your ISP.
This same public Internet subnet belongs to something.
"Something" has to do with NAT, IP, and a router that has not
previously been mentioned.
> Is there any problem with this case for DNS ???
The problem I was pointing out in your BIND configuration. If you
forward, you MUST tell 'named' the IP address of the server to which
you are forwarding! E.g., the firewall between your internal network
and the outside, or your ISP's name server.
--
Joe Yao js...@cospo.osis.gov - Joseph S. D. Yao
COSPO/OSIS Computer Support EMT-B
-----------------------------------------------------------------------
Why do people only read the first half of an answer? The
answer to your question is already in my original answer.
Mark
>
>
> Mark.A...@nominum.com wrote:
>
> > The other common problem is that there is a firewall between
> > the server and the internet as a whole and it isn't allowing
> > the DNS traffic through.
> >
> > BIND 8 uses a random UDP port for its queries unless told
> > otherwise via query-source.
> >
> > Mark
>
More specifically, "domain" does not take two arguments - make it
domain idefix.de
I have heard it said that "search" is deprecated; but I find it
sometimes useful, and so may you.
OBTW - "Asterix" is a cute little cartoon barbarian. "Asterisk" is
'*'. ;-)
--
Do you have the root servers configured into a "hints" zone?
--
I just have configured this ...
#####################################################################
options {
directory "/var/named";
pid-file "/var/named/named.pid";
named-xfer "/usr/sbin/named-xfer";
transfers-in 10;
forward only;
fake-iquery yes;
pollfd-chunk-size 20;
//#ident "@(#)cmd-inet:var/named/named.boot 1.2"
//
//boot file for name server
//
//type domain source file or host
//
};
############################################################
I send you some domains that don't resolve
internet# nslookup
Default Server: localhost
Address: 127.0.0.1
> www.infocentro.com.mx
Server: localhost
Address: 127.0.0.1
*** localhost can't find www.infocentro.com.mx: Non-existent host/domain
> www.secofi.gob.mx
Server: localhost
Address: 127.0.0.1
*** localhost can't find www.secofi.gob.mx: Non-existent host/domain
> www.ccic.gov
Server: localhost
Address: 127.0.0.1
*** localhost can't find www.ccic.gov: Non-existent host/domain
Regards !!!
Looks fine to me. I don't think the named.conf file will complain
about the spaces before the word "zone". ;-)
>Joseph S D Yao wrote:
>
>> OBTW - "Asterix" is a cute little cartoon barbarian. "Asterisk" is
>> '*'. ;-)
>
>I think it was intentional, though. Remember that all of the characters had
>"-ix" names -- Obelix, Getafix, Picanmix, etc. The name of the domain is
>"idefix", so it all seems properly "theme"d...
Vitalstatistix etc. Idéfix (idée fixe) is the original French name of the
one we know as Dogmatix. <http://www.asterix.tm.fr/english/index.htm> then
select "Characters" and D for Dogmatix. Unfortunately the French name in
the English panel is wrong - it looks like it's wrong for all of them -
Getafix the Druid is Panoramix in French. If you look up Idéfix in the
French version it tells you his English name is Dogmatix.
--
Sam Wilson
Network Services Division, Computing Services
The University of Edinburgh
Edinburgh, Scotland, UK
I really saw your answer, but I just tried to check up if there is any way to
resolve the problem; all apologies if this disturbs you.
Regards
Do you know where I can find a BIND 8.2.2 p5 ???
I need one for Solaris 2.7
Regards
Joseph S D Yao wrote:
> On Wed, Sep 13, 2000 at 09:14:05AM -0500, Rafael Cruz M. wrote:
> > I send you some domains that don't resolve
> >
> > > www.infocentro.com.mx
>
> Name: www.infocentro.com.mx
> Address: 204.153.24.111
>
> infocentro.com.mx
> origin = ns.rtn.net.mx
> mail addr = dns.rtn.net.mx
> serial = 98081903
> refresh = 7600 (2 hours 6 mins 40 secs)
> retry = 3600 (1 hour)
> expire = 604800 (7 days)
> minimum ttl = 86400 (1 day)
>
> infocentro.com.mx nameserver = ns3.rtn.net.mx
> infocentro.com.mx nameserver = ns.rtn.net.mx
> infocentro.com.mx nameserver = ns2.rtn.net.mx
>
> ns3.rtn.net.mx internet address = 200.34.68.1
> ns.rtn.net.mx internet address = 204.153.24.1
> ns2.rtn.net.mx internet address = 148.207.38.1
>
> > > www.secofi.gob.mx
>
> Name: www.secofi.gob.mx
> Address: 207.248.164.4
>
> secofi.gob.mx
> origin = ns.rtn.net.mx
> mail addr = ns.rtn.net.mx
> serial = 20000218
> refresh = 7200 (2 hours)
> retry = 3600 (1 hour)
> expire = 604800 (7 days)
> minimum ttl = 86400 (1 day)
>
> secofi.gob.mx nameserver = ns2.rtn.net.mx
> secofi.gob.mx nameserver = ns.rtn.net.mx
>
> ns2.rtn.net.mx internet address = 148.207.38.1
> ns.rtn.net.mx internet address = 204.153.24.1
>
> > > www.ccic.gov
>
> Name: ccicpublic1.ccic.gov
> Address: 128.150.4.51
> Aliases: www.ccic.gov
>
> www.ccic.gov canonical name = ccicpublic1.ccic.gov
>
> ccic.gov
> origin = temper.nsf.gov
> mail addr = postm...@nsf.gov
> serial = 2000081101
> refresh = 28800 (8 hours)
> retry = 600 (10 mins)
> expire = 604800 (7 days)
> minimum ttl = 86400 (1 day)
>
> ccic.gov nameserver = rs0.netsol.com
> ccic.gov nameserver = sec1.dns.psi.net
> ccic.gov nameserver = sec2.dns.psi.net
> ccic.gov nameserver = temper.nsf.gov
>
> rs0.netsol.com internet address = 216.168.224.206
> sec1.dns.psi.net internet address = 38.8.92.2
> sec2.dns.psi.net internet address = 38.8.93.2
> temper.nsf.gov internet address = 206.235.18.5
>
> The first two have name servers from rtn.net.mx. The third one does
> not. I don't really see any other commonalities that might block them
> from you, and not other Internet addresses. Do you?
http://www.isc.org/products/BIND/ for source
or http://www.sunfreeware.com for the Solaris binary version
Right where you find any others. www.isc.org. If you need to get a C
compiler to compile it, you can get gcc from the sunfreesoftware site,
or from any sunsite.
There is,
options {
query-source address * port 53;
};
which is why I said to re-read my answer, "unless told otherwise