HELP, domains not resolving

#1 Sat, 03/17/2012 - 11:43

HELP, domains not resolving

Hello, I have installed Webmin and Virtualmin, I have created virtual servers, and the BIND server is up and running without errors. I have the following DNS records:

    $ttl 38400
    @ IN SOA ( 1332001831 10800 3600 604800 38400 )
    @ IN NS
    IN NS
    IN A
    IN A
    IN A
    IN A
    IN A
    IN A
    IN A
    IN A
    IN A
    IN TXT "v=spf1 a mx ip4: ?all"

but the domain is not resolving. I don't know what I am missing.

Any help will be GREATLY appreciated

Sat, 03/17/2012 - 14:17


It looks like the nameservers for your domain are pointed to your registrar.

That's okay, but that means you would need to manually set up your DNS records at your registrar.

If you'd like to use your own server as a nameserver, there are some details on that here in the section named "How do I setup nameservers for my server":

Sat, 03/17/2012 - 17:16

Hello and thank you for your comment, however the current setup is what I switched to after failing to use my own server as a nameserver. I did follow those steps, assigned IPs to the NS records, as you can see from the data I originally pasted above, edited the template as per attachment (well, it seems attaching a file keeps timing out on me, so no attachment), but still it would not resolve, so I am wondering what I could possibly have done wrong?


Sat, 03/17/2012 - 18:42

Well, it's difficult to say why your previous setup didn't work; and if you wanted to point your nameservers back to your Virtualmin server, we can certainly run some diagnostics and see if we can figure out what's awry.

However, what I can offer is that, with the setup you have now -- your domain's nameservers are pointing to your registrar, and your DNS records aren't set up there.

So if you wish to use your registrar as your nameserver, no problem, but you'd need to set up your records there.

If instead you wish to use your Virtualmin server, you're welcome to change your nameservers to point there, and we can do some troubleshooting to try and figure out why it's not working for you.


Sat, 03/17/2012 - 19:29

In addition to what Eric correctly said:

The authoritative nameservers for indeed are configured to be thru dns5.... For me though, the domain (and subdomain www.) correctly resolves to the IP address you mentioned, as returned by all 5 authoritative servers.

Maybe a recently performed zone change needed time to propagate.

Sun, 03/18/2012 - 04:52

Thanks all for your help

The point is that the NS may appear to resolve and point correctly, however when I create a new virtual server and try to use those NS records, the new domain won't resolve. Propagation should not be an issue as those domains have been using the very same DNS and very same IP on the very same machine for about 2 years, except I now decided to switch from cPanel to Virtualmin/Webmin and all of a sudden I am facing all those problems.

@andreychek, I have no problem in switching back the NS servers and have them point to the Virtualmin server to test, just let me know when would be a good time for you, so as to reduce downtime.

If acceptable I can even PM you the credentials?


Sun, 03/18/2012 - 06:52

Check for example it is correctly showing and as the assigned NS, it is showing the below in Virtualmin Server Configuration->DNS Records

    $ttl  Default Cache Time  38400
    SOA - Start Of Domain  1332066455 10800 3 ...
    NS - Name Server
    NS - Name Server
    A - IPv4 Address
    www  A - IPv4 Address
    ftp  A - IPv4 Address
    m  A - IPv4 Address
    localhost  A - IPv4 Address
    webmail  A - IPv4 Address
    admin  A - IPv4 Address
    SPF - Sender Permitted From  v=spf1 a mx ip4: ?all

I ran the validate virtual servers tool for BIND DNS domain on Virtualmin and no errors were returned

I am really at a loss here, I am sure it is something silly but it seems the only option I have is to uninstall and start from scratch?

Sun, 03/18/2012 - 08:40
ronald's picture

Why uninstall and restart from scratch? This is not how Linux works. On Windows machines that would likely be applicable, but not with Linux.
Linux is great because you can change some settings and then it will do as you expect.

If you have no A records for your nameservers then you will have problems. So start with adding those.
If you do have A records, it might happen that your nameservers can't respond due to a setting in the BIND module.
You will have to overlook those settings and correct them until your nameservers will respond to outside queries.

Sun, 03/18/2012 - 08:44

Thanks ronald, however I DO have glue records created for both and (I have had them since early 2010 and nothing changed since then..) and I have assigned an IP address to each one of them (same as the glue record of course ;) ), but it seems they are not responding, so I think that, as you say, there is some setting in the BIND module, but that is exactly where my problem lies... WHAT exactly should I look for?

Sun, 03/18/2012 - 09:16
ronald's picture

So in webmin-servers-bind dns server look into "Miscellaneous Options" and set "Do full recursive lookups for clients?" to Yes. Also set "Fetch glue records?" to default or to yes.
Then under "Addresses and Topology" set "Allow recursive queries from" to listed and then list in the box below: localhost and must be listed as a nameserver in the Webmin - networking - Network configuration - Hostname and DNS Client
Then restart BIND

After restarting BIND:
If this is by any chance CentOS 6, look inside the /etc/named.conf and see to it that it looks like below.
Important is the recursion yes and fetch-glue to yes under the options section..

options {
    listen-on port 53 {
    listen-on-v6 port 53 {
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    fetch-glue yes;

Sun, 03/18/2012 - 09:24

Ok, I have done that and yes I have CentOS 6 and the only difference with the lines you posted seems to be the following:

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    fetch-glue yes;
    allow-recursion { localhost;; };

Does it make any difference?

Thanks again for all your help!

Sun, 03/18/2012 - 09:45
ronald's picture

That seems right. CentOS 6 is doing things a little bit differently than previous editions.
Your nameservers still do not respond at this moment. I remember I had the same troubles when I started with CentOS 6.

In the /etc/named.conf have your IPs listed

options {
   listen-on port 53 {;;;

Look in the webmin-networking-network configuration- host addresses and that you have entries there, ns2, ns1

Sun, 03/18/2012 - 10:02

All right, I have edited the /etc/named.conf as per your suggestion, however I am not sure how to create the entries you suggested in webmin-networking-network configuration- host addresses?

I enter in the IP address box, then in the hostnames I type , ns1 on one line but get an error message ',' is not a valid hostname


Sun, 03/18/2012 - 10:04

Figured the part about adding hostnames, let's see what happens now, still not resolving

Sun, 03/18/2012 - 10:39
ronald's picture

Here is a thread that I contributed to. centos 6 and bind

Perhaps it mentions some steps that you will need to do still..

Sun, 03/18/2012 - 10:54

Thanks, I actually already have the situation suggested in post 15 in that thread: I had previously changed the Chroot directory to run BIND under from whatever it was there to / , however I have now modified it to 'None' as per your suggestion and edited the location of named.conf, although from what I can see it was already the right file /etc/named.conf that was being used and edited

Now let's see what happens..

ronald, maybe I could create an admin login for you if you would be so kind? Possibly it is something incredibly easy and silly for somebody who knows where to look?

Thx a million again

Sun, 03/18/2012 - 11:30

I just ran this check and it seems there is definitively something wrong with the NS setup? NS not responding?

Sun, 03/18/2012 - 13:55 (Reply to #17)
ronald's picture

this afternoon the error was: query timed out
this is no longer the case
now it gives the refused code which is 1 step forwards

50.0% of queries will end in failure at ( - returned REFUSED code
50.0% of queries will end in failure at ( - returned REFUSED code

It means there is one little step to take but I don't know this setting by heart.

Sun, 03/18/2012 - 11:59

Well, I have been trying all possible combinations, reading forums, searching Google and then more, yet my domains are not resolving. It looks like after all I may be better off spending money on cPanel. I just wasted 2 days trying to fix something that is a basic essential function, so I am worried about what would happen with more sophisticated needs/requests.

Thanks ronald for all your help, but it looks like I am not the right person for Virtualmin. I am looking for something that would 'work', not force me to spend 2 days 'researching' it

Sun, 03/18/2012 - 13:38
ronald's picture

I don't think this is a Virtualmin issue.
CentOS 6 has some differences to previous editions that made me also dive into it deeper than I wanted.

If you want I can have a look and compare it to my CentOS 6 installation. Once it's running you will be glad you switched from cPanel to Virtualmin.

Some stuff could be as easy as a firewall blocking port 53
anyway you can email me if you want at helpdesk @ stichtingizi . nl

I can probably look at it tomorrow evening as I am in transit at the moment and flying home tomorrow afternoon

Mon, 03/19/2012 - 16:01

I want to publicly thank ronald for being so patient and helpful with me, despite my bad attitude about Virtualmin he contacted me personally and got my install up and running 100%!!

Thanks Ronald


Mon, 03/19/2012 - 18:40
ronald's picture

No problem Marco.

After resolving the "query time out" issue, there was a small "refuse" issue left.
The issue was that the allow-query (in named.conf) was set to localhost; this needed to change to either "any" or delete the entry altogether.
After that the domains resolved immediately.

Tue, 03/20/2012 - 05:31

Well the plot thickens now..

I have added 2 more domains using the template, all the data seems correct, the DNS has propagated and appears to show correctly however I get the following when running for example

WARNING: One or more of your nameservers did not return any of your NS records.

What could be causing them? The domain has the exact same setup as which is working and resolving, as you can see at

Tue, 03/20/2012 - 08:35
ronald's picture

[''] [TTL=172800]
[''] [TTL=172800]

these are non existing nameservers, that is a problem at the registrar.

Also some sites have been created on different IPs which were not allowed in the /etc/named.conf
You can add all the IPs you are using or change it to 'any' like so

options {
    listen-on port 53 {

Tue, 03/20/2012 - 09:02

Those 2 nameservers are actually existing at namecheap, they have been created and are actually resolving to the right IP

Ok, so named.conf has to be edited manually? I thought it would be enough to add the additional IPs from the Network Interfaces section of Network Configuration Module?

thanks for your help

Wed, 03/21/2012 - 03:22

It seems that there is some fundamental bug/issue that is most definitively beyond my very limited ability. Even with the help of Ronald, we can get a domain up and to resolve fine, then the next one that gets added again has the same issue. Just added and again I have the issue of the 'refused' error. The issue seemed to be named.conf, so we added all individual IPs to listen to on port 53; that appeared to be the problem, but the next domain added got the same trouble again..

I am really at a loss here

Wed, 03/21/2012 - 10:00

Any suggestions anybody?

Wed, 03/21/2012 - 10:23

Without reading thru this lengthy thread (and retrace what you did, for which I lack the time at the moment), a hint: If existing domains work and new ones don't, there must be an issue with the config/zone of newly created domains. In the server template, section BIND DNS Domain, near the bottom you can add named.conf directives that are to be added for new domains, maybe that helps if you need to allow something specific for each domain.

If that does not help, I can try to help if you can summarize the problem and the solutions you implemented so far.

Wed, 03/21/2012 - 10:31

Thanks, essentially it was ronald who fixed (we thought) the issue for me, as the named.conf did not have all IPs on port 53, so he did the following edit as pasted below:

options {
    listen-on port 53 {;;;;;;;;;;

We went ahead and created a new domain and it seemed to work. Then nothing was changed in the template or anywhere else, I proceeded to create an additional domain, same template, same IP, and it's getting the refused error (if you would like to check, the domain is ). So, while the same setup works on , it is getting the following for

Error: ( Returned REFUSED error for (A).
Error: ( Returned REFUSED error for (A).

Wed, 03/21/2012 - 10:45

When I try to resolve those two domains at your ns1 and ns2, I get a SERVFAIL and not REFUSED. You might want to check your syslog (or wherever your BIND logs to) for details about what went wrong.

As for the IP addresses: It's probably not the best way, if you use private IP addresses for so many of your vservers, to add them all manually. Did you try the syntax listen-on { any; }; instead? That should cause BIND to listen on all addresses, and default port 53.

Actually, I don't have ANY listen-on directive in my config, and BIND works with any IP. That's because the default is, according to BIND manual:

If no listen-on is specified, the server will listen on port 53 on all interfaces.

Wed, 03/21/2012 - 11:12

well, works fine and resolves fine according to all the tools I tried, ( I am using as per suggestion from ronald and you may also see

Please understand I am by no means a sysadmin so it is possible I am doing something wrong, however ronald helped me and was able to get the to resolve after the initial virtual server creation was giving and told me he had found some errors and misconfigs that were now solved, like the named.conf not listening

I have now removed the listen-on directive from named.conf and the ones that were working are still working ok, however the is still giving the refused error...

Wed, 03/21/2012 - 14:25

If anybody can help I am more than happy to provide access to my Virtualmin install, I would like to get this sorted please

Wed, 03/21/2012 - 16:16

Or if you could tell me what are the files /configs that could be causing this, I will post them here


Wed, 03/21/2012 - 16:28

I could take a look around on your system, sure. Are you using an instant messenger?

(I'm also getting a REFUSED now for blog-dating. The logs should contain information why the query was refused.)

Wed, 03/21/2012 - 16:32

skype marcolavanna ICQ 7314031 Thanks!

Wed, 03/21/2012 - 17:34

A little summary from me after a debugging session:

Reason for the REFUSED was that Virtualmin failed to restart/reload BIND to apply the newly created zone. After a manual restart, the zone resolved correctly.

We then changed the command Webmin uses to apply BIND changes from "Stop and restart" to "Command: rndc reload", after setting up RNDC. With that change, Virtualmin then succeeded in applying BIND changes.

We also tried to find out why applying changes failed with the old setting, but unfortunately I could not find in the Webmin debug log which commands Webmin executes to apply changes. Virtualmin staff will probably need to take a look at this.
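
Added example, not code from any poster in this thread: a Python check that sends one non-recursive SOA query to a nameserver and maps the result to the stages the thread went through (timeout, REFUSED, SERVFAIL, authoritative answer). It also flags a reply with the RA bit set, since recursion was meant to be limited to localhost in the settings discussed above. The function names and the constructed sample replies are assumptions of the example.

```python
import socket
import struct

def build_query(name, qtype=6, qid=0x1234):
    """Build a non-recursive (RD=0) query; qtype 6 is SOA, class 1 is IN."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def query(server, name, timeout=3.0):
    """Send the query over UDP port 53; return the raw reply, or None if nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            return s.recvfrom(4096)[0]
        except OSError:  # socket.timeout is a subclass of OSError
            return None

def diagnose(reply):
    """Map a raw reply (or None) to the failure stages seen in the thread."""
    if reply is None:
        return "TIMEOUT: no answer on port 53; check listen-on addresses and the firewall"
    if len(reply) < 12:
        return "MALFORMED: reply shorter than a DNS header"
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    rcode, aa, ra = flags & 0x000F, bool(flags & 0x0400), bool(flags & 0x0080)
    if rcode == 5:
        verdict = "REFUSED: check allow-query, and that named was reloaded after the zone was added"
    elif rcode == 2:
        verdict = "SERVFAIL: typically the zone is configured but did not load; read named's log"
    elif rcode == 0 and aa and ancount:
        verdict = "OK: authoritative answer"
    elif rcode == 0:
        verdict = "NOT AUTHORITATIVE: reply lacks the AA flag or an answer"
    else:
        verdict = "RCODE %d: unexpected for an SOA query on your own zone" % rcode
    if ra:  # RA set means this client is being offered recursion
        verdict += "; WARNING: recursion is offered to this client, restrict allow-recursion"
    return verdict

def sample_reply(flags, ancount=0):
    """Constructed 12-byte reply header for offline use (not captured traffic)."""
    return struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)

if __name__ == "__main__":
    for flags, an in [(0x8005, 0), (0x8002, 0), (0x8400, 1), (0x8480, 1)]:  # constructed
        print(hex(flags), diagnose(sample_reply(flags, an)))
    print(diagnose(None))
```

To test a live server, call `diagnose(query(server_ip, zone_name))` from a host outside the server's own network, so that localhost-only ACLs are actually exercised.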

Wed, 03/21/2012 - 18:01

And a big thank you from me to Locutus who solved my troubles!

Wed, 03/21/2012 - 18:16

There is a bug report filed for this here:
