Setting up nameserver

#1 Sat, 03/26/2011 - 04:27
firestar

Setting up nameserver

Guys. I have searched far and wide for the answers, and have made changes to the server templates and the BIND nameserver configuration, and ns1 shows up in the etc/config file. I have made host name changes at the registrar also. I still get the following error:

Referral ns1.domain.com

Asking ns1.domain.com (IP address) for rchobby-shop.com (type NS)

Error: ns1.domain.com (IP address): Returned REFUSED error for domain.com. (NS).

And the same for ns2.

Any idea what is wrong? Is it because I have IPs from the group? Do I need to make a slave server?

Thanks :(

I am using CentOS 5.4 and Virtualmin 3.83.

Sat, 03/26/2011 - 05:42
Locutus

Unfortunately I can't follow all of what you reported there... So before I make a lot of guesses about what might be wrong and what your setup might be, you could check out this DNS verification site:

http://www.intodns.com/rchobby-shop.com

To me, there does not seem to be anything wrong with your domain. Maybe the output of that site can give you a hint for misconfigurations.

Additionally, what you should tell us here is a) from where and when do you get this error you reported? and b) what are the exact domain names and IPs you queried and reported?

Trying to obfuscate them by replacing them with "domain" and "IP" does not help to solve problems in this case. ;) Hostnames and IP addresses of nameservers are no secret anyway. You want Internet users to be able to reach them, so there's no need to obfuscate them here.

Sat, 03/26/2011 - 06:18
firestar

Hi again.

Thanks for the comments. I just changed the nameserver at the registrar, so hopefully intodns would come up with something, and it has, and I am clueless as to what to do.

The IP is 173.0.58.59 for ns1 and 173.0.58.60 for ns2. Do I have to set up a different server for the nameserver?

I was getting that error from http://www.squish.net.

Thanks.

Sat, 03/26/2011 - 10:11
Locutus

IntoDNS and my dig test indicate that your nameservers 173.0.58.59/.60 are not responding to DNS queries (while they reply to ping/traceroute, so they seem to be basically operational).

Is BIND running on those servers? Is it configured to listen on the external interface? Are firewalls/routers configured to allow UDP packets to port 53?
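The three questions above (is named up, is it listening, is port 53 reachable) can be answered from the outside with one UDP query, and the reply header also tells you whether the server considers itself authoritative for the zone. The following is an added example written for this thread, not code posted by anyone in it: it builds a minimal DNS query with only the Python standard library and decodes the reply's RCODE and AA bit, so that "REFUSED" can be seen for what it is on the wire (RCODE 5, AA clear). The server addresses and zone are the ones quoted in the thread; the query id is an arbitrary constructed value.

```python
"""Query a nameserver for a zone and report how it answered (RCODE, AA bit).

Added example for this thread, not code posted in it. Standard library only.
"""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "SOA": 6, "TXT": 16, "AAAA": 28}
FLAG_QR, FLAG_AA, FLAG_RD = 0x8000, 0x0400, 0x0100
QUERY_ID = 0x1234  # constructed; a real client would randomise this


def encode_name(name):
    """'ns1.example.com' -> length-prefixed labels ending in a zero byte."""
    out = b"".join(struct.pack("B", len(lbl)) + lbl.encode("ascii")
                   for lbl in name.strip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype="NS", txid=QUERY_ID):
    """12-byte header (QDCOUNT=1, RD cleared so only the server's own data is
    asked for) followed by one question: name, type, class IN."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPES[qtype], 1)


def parse_header(resp):
    """Return (txid, aa, rcode_name, answer_count) from a raw DNS reply."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if not flags & FLAG_QR:
        raise ValueError("packet is a query, not a response")
    rcode = flags & 0x000F
    return txid, bool(flags & FLAG_AA), RCODE_NAMES.get(rcode, str(rcode)), an


def interpret(aa, rcode, answer_count):
    """Turn the header bits into the diagnosis an operator wants to read."""
    if rcode == "REFUSED":
        return ("REFUSED: the server is up but will not answer for this name; "
                "it is not serving the zone (not loaded, or not in named.conf), "
                "so the query fell through to recursion and was denied")
    if rcode != "NOERROR":
        return rcode + ": server error or name does not exist"
    if aa:
        return "authoritative answer with %d record(s): zone is served here" % answer_count
    return "non-authoritative answer: data came from cache, not from a loaded zone"


def probe(server_ip, name, qtype="NS", timeout=3.0):
    """Send one UDP query to port 53 and interpret the reply (needs network).
    A timeout here means port 53 is closed, filtered, or named is not running."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        resp, _ = sock.recvfrom(512)
    txid, aa, rcode, an = parse_header(resp)
    if txid != QUERY_ID:
        raise ValueError("reply id does not match query id")
    return interpret(aa, rcode, an)


if __name__ == "__main__":
    # The two nameserver addresses quoted in the thread; one line per server.
    for ip in ("173.0.58.59", "173.0.58.60"):
        try:
            print(ip, "->", probe(ip, "rchobby-shop.com"))
        except (socket.timeout, OSError) as exc:
            print(ip, "->", "no reply (%s): port 53 closed, filtered or named down" % exc)
```

Run it from a host outside the server's own network; a timeout answers the firewall/listening question, a REFUSED answers the zone question, and only an AA answer means the zone is actually being served.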

Sat, 03/26/2011 - 11:50
firestar

Hi again.

I am a complete noob.. so I have set up one server.. (should there be a slave server also?). How do I configure it to listen on an external interface? I don't think there is a firewall or router.. how do I allow UDP packets to port 53?

Thanks.

Sat, 03/26/2011 - 12:26
Locutus

Well, I'm using Ubuntu 10.04 myself, and configuration/related commands differ from system to system. For me, the commands would be:

ps aux | grep named to see if BIND is running

netstat -aun | grep :53 to see if it's listening on port 53 and all interfaces

iptables -v -L to see if there are any filtering rules in place.

Then, you should know if the system you're using is behind some external firewall/router. If not, ask your hoster.

Otherwise, maybe someone who's using CentOS like you and is reading along can take over the help from here. :)

Sun, 03/27/2011 - 06:42
firestar

Locutus.

Thanks for the help. The same commands seem to work for me too. The following is what I got:

[root@rchobby-shop ~]# ps aux | grep named
named    12056  0.0  0.1 111808  3948 ?      Ssl  Mar26   0:00 /usr/sbin/named -u named
root     24315  0.0  0.0   3004   628 pts/0  D+   15:39   0:00 grep named
[root@rchobby-shop ~]# netstat -aun | grep :53
udp        0      0 173.0.58.60:53      0.0.0.0:*
udp        0      0 173.0.58.7:53       0.0.0.0:*
udp        0      0 173.0.58.59:53      0.0.0.0:*
udp        0      0 127.0.0.1:53        0.0.0.0:*
[root@rchobby-shop ~]# iptables -v -L
Chain INPUT (policy ACCEPT 182K packets, 98M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ftp-data
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:ftp
 5197  375K ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:domain
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:dnp
 2888  356K ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ndmp
   47  5141 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:https
19867 1900K ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:imaps
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:imap
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:pop3s
 7603  406K ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:pop3
   54  7873 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp-data
43926 2519K ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp
 1342 81592 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:domain
 5773  468K ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:smtp
 120K   12M ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 404K packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination

Sun, 03/27/2011 - 08:28
Locutus

What did you change since last time I checked? IntoDNS now reports that ns53/54.domaincontrol.com are the responsible nameservers again for your domain.

Your IPs now react to DNS queries, but give me a "refused" when querying your domain. I suppose the zone files are not loaded / are not correct.

Check the logfiles in /var/log for BIND errors which might indicate what's wrong with the zone. You can also use Webmin's BIND module to verify BIND's config and zone files.

Sun, 03/27/2011 - 08:39
firestar

Hi again.

Apologies, I thought that the above results from the commands would suffice and changed back to the nameserver at the registrar.

Reverted back to the nameserver details at my VPS. Let me know if I need to put up the log files from the BIND module.

Thanks.

Sun, 03/27/2011 - 08:45
Locutus

Well, as I said, you should check the logfiles and Webmin's BIND module to see if they show any errors with your zone.

Sun, 03/27/2011 - 09:00
firestar

Hi again. Thanks for the help. The following are the errors in the log file:

Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#23556: query (cache) 'rchobby-shop.com/TXT/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#46771: query (cache) 'rchobby-shop.com/TXT/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#28640: query (cache) 'ns1.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#65058: query (cache) 'rchobby-shop.com/TXT/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#22016: query (cache) 'ns1.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#43036: query (cache) 'rchobby-shop.com/TXT/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#18979: query (cache) 'ns1.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#63716: query (cache) 'ns2.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#49836: query (cache) 'ns1.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#44990: query (cache) 'ns2.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#11370: query (cache) 'ns2.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#3887: query (cache) 'ns2.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:31 rchobby-shop named[12056]: client 173.244.206.26#21486: query (cache) 'rchobby-shop.com/SOA/IN' denied

Sun, 03/27/2011 - 10:44
Locutus

Can you please enclose the message text block in   tags? They'll be much better readable then (with linebreaks and monospaced font).

Sun, 03/27/2011 - 11:15
firestar

Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#23556: query (cache) 'rchobby-shop.com/TXT/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#46771: query (cache) 'rchobby-shop.com/TXT/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#28640: query (cache) 'ns1.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#65058: query (cache) 'rchobby-shop.com/TXT/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#22016: query (cache) 'ns1.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#43036: query (cache) 'rchobby-shop.com/TXT/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#18979: query (cache) 'ns1.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#63716: query (cache) 'ns2.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#49836: query (cache) 'ns1.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#44990: query (cache) 'ns2.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#11370: query (cache) 'ns2.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#3887: query (cache) 'ns2.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:31 rchobby-shop named[12056]: client 173.244.206.26#21486: query (cache) 'rchobby-shop.com/SOA/IN' denied
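The tell in these lines is the word "(cache)": named handled each query for rchobby-shop.com as a lookup in its resolver cache, i.e. as a recursive query from an outside client, which allow-recursion / allow-query-cache then denied. A server that had the zone loaded would have answered from the zone instead, and would not have logged this at all. The following is an added example written for this thread, not code posted in it: it parses log lines of this format, counts refused queries per zone the server is supposed to serve, and turns the result into a finding. SAMPLE_LOG is constructed from the format shown above (a few of the thread's own lines, one for an unrelated zone, and one ordinary "loaded serial" line); the zone list is the thread's domain.

```python
"""Classify BIND "query (cache) ... denied" lines per zone the server should serve.

Added example for this thread, not code posted in it. Standard library only.
"""
import re
from collections import Counter

# BIND 9 format: client ADDR#PORT: query (cache) 'name/type/class' denied
DENIED_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: client (?P<client>[^#\s]+)#(?P<port>\d+): "
    r"query \((?P<kind>\w+)\) '(?P<qname>[^/']+)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied"
)

# Constructed sample: four lines in the thread's format, one unrelated zone,
# one non-matching informational line.
SAMPLE_LOG = """\
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#23556: query (cache) 'rchobby-shop.com/TXT/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#28640: query (cache) 'ns1.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:29 rchobby-shop named[12056]: client 64.12.139.84#63716: query (cache) 'ns2.rchobby-shop.com/AAAA/IN' denied
Mar 27 17:51:31 rchobby-shop named[12056]: client 173.244.206.26#21486: query (cache) 'rchobby-shop.com/SOA/IN' denied
Mar 27 17:52:02 rchobby-shop named[12056]: client 198.51.100.7#40001: query (cache) 'www.example.net/A/IN' denied
Mar 27 17:53:10 rchobby-shop named[12056]: zone other.example/IN: loaded serial 2011032701
"""


def in_zone(qname, zone):
    """True if qname is the zone apex or a name below it."""
    qname, zone = qname.rstrip(".").lower(), zone.rstrip(".").lower()
    return qname == zone or qname.endswith("." + zone)


def parse_denied(text):
    """Yield one dict per 'query ... denied' line; other lines are ignored."""
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            yield m.groupdict()


def summarize(text, my_zones):
    """Per zone we claim to serve: how many queries for it were refused as
    cache lookups, broken down by record type and by client. Queries for
    names outside every listed zone are counted under 'other'."""
    def empty():
        return {"denied": 0, "by_type": Counter(), "clients": Counter()}
    report = {z: empty() for z in my_zones}
    report["other"] = empty()
    for rec in parse_denied(text):
        key = next((z for z in my_zones if in_zone(rec["qname"], z)), "other")
        entry = report[key]
        entry["denied"] += 1
        entry["by_type"][rec["qtype"]] += 1
        entry["clients"][rec["client"]] += 1
    return report


def diagnose(report):
    """One finding per zone the server should answer for but refused, plus a
    note on refused recursion for foreign names (normal for a closed resolver)."""
    findings = []
    for zone, entry in report.items():
        if zone == "other" or entry["denied"] == 0:
            continue
        findings.append(
            "%s: %d queries (%s) refused as cache lookups; named is not "
            "authoritative for this zone here, so check that the zone is "
            "declared in named.conf and that it loaded without errors"
            % (zone, entry["denied"], ", ".join(sorted(entry["by_type"])))
        )
    if report["other"]["denied"]:
        findings.append("%d refused recursive queries for zones not served here; "
                        "that is expected for a closed resolver" % report["other"]["denied"])
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_LOG, ["rchobby-shop.com"])):
        print(finding)
```

Point it at /var/log/messages (or wherever named logs on the box) with the zones the server is meant to host, and it separates the finding that matters (your own zone being refused) from the background noise of refused recursion from strangers, which you want to keep refusing.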

Sun, 03/27/2011 - 11:37
Locutus

Okay, once again, please use the Webmin BIND module to verify BIND's config and zone files. Also watch the logs for possible error messages when BIND starts.

(And this time, please do BOTH things that I ask you to do. :P )

Mon, 03/28/2011 - 03:49
firestar

Thanks for the help so far.. you make it sound so easy ;) As if I knew how to verify BIND's config and zone files..

I restarted BIND and I'm getting the same errors as posted before in the var/log files. Btw - the queries I did on udp etc., does that tell us anything?

Mon, 03/28/2011 - 04:57
Locutus

Well, actually it IS rather easy: You fire up your browser, load Virtualmin, and as I said, use the Webmin BIND module. :) Click Webmin -> Servers -> BIND -> Check BIND Config.

The error messages in the log tell us that the zone probably isn't loaded correctly, hence BIND refuses the queries. That's why I'd like you to check the config files.

To make things easier, I have a suggestion and a consideration. The latter first: Given your "level of expertise", are you sure that operating a web hosting server of your own is the right thing for you, at this time? You do need a certain level of knowledge to keep things running and secure and working, and interpreting logs and checking BIND config is surely one of those. :) You might want to invest a little time to read up on the subjects using web tutorials, browsing through forums, querying the Wikipedia and stuff. And you definitely need to be willing to learn and experiment and try stuff out, preferably on a virtual machine for testing.

Then, if you feel confident you wish to continue, my suggestion and offer would be that I take a look myself at your server. That's probably faster than throwing messages back and forth here. :) I'd need SSH and Virtualmin access to your site to do that. Please let me know if you wish to do that.

Mon, 03/28/2011 - 04:59
firestar

Thanks for the quick reply again :) Actually I had checked the area you mention - and there are no errors.

I had read quite a bit and it still isn't working, hence the comment about it not being so easy any more. Another thought - I had named the domain server1.rchobby-shop.com; is that correct? Should it be rchobby-shop.com only?

How would you like to proceed with the SSH and virtualmin access? Do I email/skype the details?

Mon, 03/28/2011 - 05:05
Locutus

I don't know exactly what you're setting up, but a domain would be "rchobby-shop.com", and "server1.rchobby-shop.com" would be a hostname in that domain.

And yep, you can contact me on Skype (messages only) or other IMs, in decreasing order of preference:

Jabber, Trillian Astra, ICQ, MSN, Yahoo, AIM, IRC, Skype.

Take your pick, then I'll tell you my username. ;)

Mon, 03/28/2011 - 05:07
firestar

Hi..again.. I feel bad looking at the order of preferences.. can we go for skype please? :)

Mon, 03/28/2011 - 05:09
Locutus

:D Yep we can. Username "Loc2262".

Skype has the lowest rank in preference there because it is closed-source and proprietary software and protocol, and requires my Trillian to additionally load the Skype client, which I don't really trust and only start when necessary.

Mon, 03/28/2011 - 05:12
firestar

Sent a request.. thanks :)

Mon, 03/28/2011 - 06:57
firestar

After trying for around a month - with major conceptual and technical issues - this has been patiently resolved by Locutus.

Thanks a lot for the help!

Mon, 03/28/2011 - 07:48
Locutus

You're welcome! :)
