Ishtumba

Member
Jul 11, 2007
6
0
51
I'm just about at the end of my rope.. I tried everything I have the knowledge to try, but I just can't seem to get name servers to work.

Here is the scenario:

Fedora Core 6 + cPanel 11

My server has 2 IP addresses. One is being used for all my vhosts and name server 1, and the other one is used for name server only. I have both ns1.ishlive.com and ns2.ishlive.com routing to the correct IP addresses (the A records resolve). I then went into Basic cPanel/WHM Setup and entered ns1.ishlive.com and ns2.ishlive.com in their respective fields. I assigned my first IP address to ns1.ishlive.com and then added an A entry for that name server. I did the same for ns2.ishlive.com with the other IP. No errors. I saved the configuration.

Next, I went to Nameserver Setup under Service Configuration. I clicked "Proceed >>". Here is the output:

Code:
Name Server Activated
Ensuring caching-nameserver is installed
Loading "installonlyn" plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Excluding Packages in global exclude list
Finished
Parsing package install arguments
Nothing to do
Activating name server monitoring (chkservd)
Setting up rndc configuration
Checking in /etc/named.conf to rcs system
Restarting Bind
Starting named: [  OK  ]
Restarting Nameserver
Starting named: [  OK  ]
Restarting chkservd
Stopping chkservd: [  OK  ]
Starting chkservd: [  OK  ]
After that, I checked the /etc/wwwacct.conf file and it had the information correct for both name servers. Just to be sure, I restarted named again via SSH.. success.

Now, I have a domain "bollingerweb.com" with name servers ns1.ishlive.com and ns2.ishlive.com.

This is the output I get from dnsstuff:

Code:
ns2.ishlive.com [64.251.21.23]	 [Broken DNS server: Reports that it refuses to respond!]	44ms
ns1.ishlive.com [64.251.15.207]	[Broken DNS server: Reports that it refuses to respond!]	46ms
So, I'm obviously missing something here.. can anybody help? Or tell me where I could go read up?

Thanks a bunch,
Marc
 

Stefaans

Well-Known Member
Mar 5, 2002
461
4
318
Vancouver, Canada
When I dig your name servers they are responding. So Bind is running, and it is not a firewall blocking port 53. But from this point further, things are pretty vague for me...

I tried digging bollingerweb.com, ns1.ishlive.com and ns2.ishlive.com, and they all come up "empty". It is as if there are no DNS zones for these domains on your server. Things to check:
  • The contents of /etc/named.conf. Does it list the zones for all the domains your name servers are authoritative for?
  • The listing of /var/named. Is there a .db file for each DNS zone?

If the problem persists, it may help if you paste the top part of your /etc/named.conf here. Especially the options directive.

I hope the above helps you in some way ;)
 

inalto

Member
Mar 27, 2004
22
0
151
Hello,

it seems that your dns server is up and running, also the proper firewall ports are open.
named just refuses everything.

if you try to dig:

dig bollingerweb.com @64.251.21.23

you get a status REFUSED.

but also if you dig a common, external site you get status refused.

dig google.com @64.251.21.23

(REFUSED)

so, everything up and running, but everything is refused.

I think there is a problem with your ACLs in the /etc/named.conf
maybe you can post the options, acl (if you have it) and controls parts of your named.conf
 

lehels

Well-Known Member
Jul 10, 2006
91
0
156
nslookup bollingerweb.com @ns1.ishlive.com
nslookup: couldn't get address for '@ns1.ishlive.com': failure

nslookup bollingerweb.com @ns2.ishlive.com
nslookup: couldn't get address for '@ns2.ishlive.com': failure

---

Your NS records at the parent servers are:

ns1.ishlive.com. [64.251.15.207] [TTL=172800] [US]
ns2.ishlive.com. [64.251.21.23] [TTL=172800] [US]
[These were obtained from j.gtld-servers.net]

---

Your NS records at your nameservers are:

[None of your nameservers returned your NS records; they could be down or unreachable, or could all be lame nameservers]

---

Check again your DNS zone,
Try to synchronize.. and watch the Logs,
 

Ishtumba

Member
Jul 11, 2007
6
0
51
Hey, thanks for the responses! Instead of trying to guess where my problem might be, here is my named.conf:

Code:
include "/etc/rndc.key";

controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};


options
{
    /* make named use port 53 for the source of all queries, to allow
         * firewalls to block all ports except 53:
         */
    query-source    port 53;

    // Put files that named is allowed to write in the data/ directory:
    directory "/var/named"; // the default
    dump-file             "data/cache_dump.db";
    statistics-file     "data/named_stats.txt";
    memstatistics-file     "data/named_mem_stats.txt";
};

logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
    channel default_debug {
            file "data/named.run";
            severity dynamic;
    };
};


// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.

view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
    match-clients         { localhost; };
    match-destinations    { localhost; };
    recursion yes;

    zone "." IN {
        type hint;
        file "/var/named/named.ca";
    };

    /* these are zones that contain definitions for all the localhost
     * names and addresses, as recommended in RFC1912 - these names should
     * ONLY be served to localhost clients:
     */
    include "/var/named/named.rfc1912.zones";
};

view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
   that connect via your directly attached LAN interfaces - "localnets" .
 */
    match-clients        { localnets; };
    match-destinations    { localnets; };
    recursion yes;

    zone "." IN {
        type hint;
        file "/var/named/named.ca";
    };

    // include "/var/named/named.rfc1912.zones";
    // you should not serve your rfc1912 names to non-localhost clients.

    // These are your "authoritative" internal zones, and would probably
    // also be included in the "localhost_resolver" view above :
};

view    "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not on your directly attached LAN interface subnets:
 */
    match-clients        { !localnets; !localhost; };
    match-destinations    { !localnets; !localhost; };

    recursion no;
    // you'd probably want to deny recursion to external clients, so you don't
    // end up providing free DNS service to all takers

    // all views must contain the root hints zone:
    zone "." IN {
        type hint;
        file "/var/named/named.ca";
    };

    // These are your "authoritative" external zones, and would probably
    // contain entries for just your web and mail servers:

    // BEGIN external zone entries

        zone "ishlive.com" {
                type master;
                file "/var/named/ishlive.com.db";
        };

        zone "bollingerweb.com" {
                type master;
                file "/var/named/bollingerweb.com.db";
        };
};
And here is bollingerweb.com.db

Code:
; cPanel 11.6.0-BETA_15014
; Zone file for bollingerweb.com
$TTL 14400
@      86400    IN      SOA     ns1.ishlive.com. ishtumba.yahoo.com. (
                2007072101      ; serial, todays date+todays
                86400           ; refresh, seconds
                7200            ; retry, seconds
                3600000         ; expire, seconds
                86400 )         ; minimum, seconds

bollingerweb.com. 86400 IN NS ns1.ishlive.com.
bollingerweb.com. 86400 IN NS ns2.ishlive.com.


bollingerweb.com. IN A 64.251.15.207

localhost.bollingerweb.com. IN A 127.0.0.1

bollingerweb.com. IN MX 0 bollingerweb.com.

mail IN CNAME bollingerweb.com.
www IN CNAME bollingerweb.com.
ftp IN CNAME bollingerweb.com.
 

inalto

Member
Mar 27, 2004
22
0
151
hello,

mhhh, seems the problem is not here. I have tried your named.conf on a fc7 I have and it is working!

do you have selinux enabled? (more /etc/selinux/config )

what is the result of

dig bollingerweb.com @127.0.0.1

also refused?

also check the permissions and ownership of the /var/named directory, should be 755 -> root:named
 

Ishtumba

Member
Jul 11, 2007
6
0
51
selinux is disabled

Code:
# dig bollingerweb.com @127.0.0.1

; <<>> DiG 9.3.4 <<>> bollingerweb.com @127.0.0.1
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23458
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;bollingerweb.com.              IN      A

;; Query time: 222 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul 21 17:40:06 2007
;; MSG SIZE  rcvd: 34
So I don't get refused on that one.. just SERVFAIL

hmmmm

Ownership of /var/named is named:named and 755. I changed it to root:named, but didn't seem to change anything (after restarting service)
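The dig headers pasted in this thread carry the whole diagnosis in two lines (the status and the flags), so here is a small parser for them, added as an example and not code from the thread or from BIND. It maps REFUSED, SERVFAIL and an answer with or without the `aa` (authoritative answer) flag to the causes the posters above worked out by hand. The SERVFAIL sample is copied from the dig output above; the other two samples are constructed.

```python
"""Parser for the header of `dig` output, added as an example (not code from
the thread). It extracts the status and flags and turns them into the
diagnosis the posters above reached by hand: REFUSED points at an ACL or view
that does not admit the client, SERVFAIL at a server that matched the client
but could not produce an answer, and a NOERROR answer without the aa flag
means the server answered from recursion rather than from its own zone."""
import re

HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(
    r";; flags: ([a-z ]*); QUERY: (\d+), ANSWER: (\d+), AUTHORITY: (\d+), ADDITIONAL: (\d+)")


def parse_dig(text):
    """Return {'status', 'flags', 'answer', 'authority'} or None if no header."""
    header = HEADER_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not header or not flags:
        return None
    return {
        "status": header.group(2),
        "flags": set(flags.group(1).split()),
        "answer": int(flags.group(3)),
        "authority": int(flags.group(4)),
    }


def diagnose(text):
    """Map a dig reply to the likely cause, in the terms used in this thread."""
    reply = parse_dig(text)
    if reply is None:
        return "no reply header: server unreachable or not listening on port 53"
    status, flags = reply["status"], reply["flags"]
    if status == "REFUSED":
        return "REFUSED: no view/ACL admits this client (check match-clients, allow-query)"
    if status == "SERVFAIL":
        return "SERVFAIL: client matched a view that lacks the zone, or recursion failed"
    if status == "NOERROR" and "aa" in flags:
        return "authoritative answer: zone is loaded and served to this client"
    if status == "NOERROR":
        return "non-authoritative answer: served from cache/recursion (lame for this zone)"
    return f"{status}: unexpected rcode"


# Sample replies. The SERVFAIL one is copied from the thread; the other two are
# constructed to show the remaining cases (ids and counts are illustrative).
SERVFAIL_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23458
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
REFUSED_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 1001
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""
AUTHORITATIVE_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
"""

if __name__ == "__main__":
    for sample in (SERVFAIL_REPLY, REFUSED_REPLY, AUTHORITATIVE_REPLY):
        print(diagnose(sample))
```

Feed it the output of `dig <name> @<server>` for each of your nameservers, from the server itself and from an outside host; the difference between the two results (SERVFAIL locally, REFUSED remotely, as in this thread) is what distinguishes a view-selection problem from a missing zone.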
 

inalto

Member
Mar 27, 2004
22
0
151
ok, seems that there is a servfail.
this is a problem, seems that on localhost it does not properly respond (servfail)

what is the result of

/etc/rc.d/init.d/named status

(maybe the path could change)

and do a

ps -A | grep named

you should have only one named process running.

i will try the config on a fc6
 

inalto

Member
Mar 27, 2004
22
0
151
ok, I definitely checked the config on a fc6.
the servfail problem seems due to the "views" part of the named.conf
Seems that the caching nameserver has the priority over the local zones, so it responds with a servfail because it is looking outside.

i have made another named.conf (make a backup and try this)

Code:
include "/etc/rndc.key";

controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};

acl "trusted" {
        127.0.0.1;
64.251.15.207;
64.251.21.23;

//put here your trusted ip's.
};


//
// named.conf for Red Hat caching-nameserver
//

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        version "n/a";

        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };

        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         // query-source address * port 53;
};

//
// a caching only nameserver config
//

zone "." IN {
        type hint;
        file "/var/named/named.ca";
};

zone "localdomain" IN {
        type master;
        file "/var/named/localdomain.zone";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "/var/named/localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "/var/named/named.local";
        allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN
 {
        type master;
        file "/var/named/named.ip6.local";
        allow-update { none; };
};

zone "255.in-addr.arpa" IN {
        type master;
        file "/var/named/named.broadcast";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "/var/named/named.zero";
        allow-update { none; };
};


//
//  Your zones.
//

zone "bollingerweb.com" {
        type master;
        file "/var/named/bollingerweb.com.db";
};

zone "ishlive.com" {
                type master;
                file "/var/named/ishlive.com.db";
};
/etc/rc.d/init.d/named restart

take also a look at the "rndc-key" in your named.conf (controls section), i have changed to "rndckey" in this config to make it work on my fc6. Look in the /etc/rndc.key to see what is the proper key name for you, should be the same as in the first line after key ("rndc-key" or "rndckey").

hope it helps.
 

Ishtumba

Member
Jul 11, 2007
6
0
51
OH! You da man!

Your new named.conf did the trick.. everything is suddenly working now. I can't tell you how much I appreciate your time on this.

I hope this thread will also help others who are experiencing similar problems.

Thanks again,
Marc
 

Genbushi

Registered
Dec 5, 2006
1
0
151
USA
Just as a FYI, I had a similar issue yesterday with a new cPanel 11 / CentOS 5 server. I had googled and found a similar solution.

Seems the cPanel 11 named.conf file is not very good.
 

innsites

Well-Known Member
Nov 30, 2005
57
0
156
Excellent fix (named.conf) Thanks!

All sites on one of our cpanel servers using cpanel specific nameservers would not browse this morning after last night's automated cpanel/whm updates. This new named.conf fix worked. Thanks for the excellent details.
 

aisagtr

Guest
The issue is probably with the named/bind using port 953 instead of the default 53 setup with cpanel 11?

If you take a look at /etc/rndc.conf, you will see that its using 953.


# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "ZwaHqB9TmW+1rIl6QYeJvw==";
};

options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "ZwaHqB9TmW+1rIl6QYeJvw==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

Wonder if that's the cause?
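Two posts above mention the rndc side of this setup: inalto had to rename the key to match what /etc/rndc.key declares, and the rndc.conf just quoted uses port 953 (which is the default rndc control port, so by itself it is not a fault). The check below, added as an example and not code from the thread or from BIND, compares the key name and port that rndc will use against the controls clause in named.conf, which is where the mismatch in this thread lived. The file contents are constructed samples and the secret is a placeholder.

```python
"""Consistency check between rndc's key file and the controls clause in
named.conf, added as an example (not code from the thread or from BIND).
A key name that differs between the two, or a control port that differs
from rndc's default-port, makes `rndc` fail even though named itself runs.
The key material below is a constructed placeholder."""
import re

KEY_NAME_RE = re.compile(r'key\s+"([^"]+)"\s*\{')
DEFAULT_PORT_RE = re.compile(r'default-port\s+(\d+)\s*;')
PORT_RE = re.compile(r'\bport\s+(\d+)')
KEYS_RE = re.compile(r'keys\s*\{([^}]*)\}')

RNDC_DEFAULT_PORT = 953  # rndc's documented default control-channel port


def block_body(text, keyword):
    """Return the text inside the braces of the first `keyword { ... }` block."""
    start = re.search(r'\b' + keyword + r'\s*\{', text)
    if not start:
        return None
    depth, begin = 1, start.end()
    for i in range(begin, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[begin:i]
    return None  # unbalanced braces: treat as no usable block


def rndc_settings(rndc_conf_text):
    """Key names declared in rndc.key/rndc.conf and the port rndc will use."""
    port = DEFAULT_PORT_RE.search(rndc_conf_text)
    return {"keys": KEY_NAME_RE.findall(rndc_conf_text),
            "port": int(port.group(1)) if port else RNDC_DEFAULT_PORT}


def controls_settings(named_conf_text):
    """Key names and port accepted by the controls clause of named.conf."""
    body = block_body(named_conf_text, "controls")
    if body is None:
        return None
    port = PORT_RE.search(body)
    keys = KEYS_RE.search(body)
    names = re.findall(r'"([^"]+)"', keys.group(1)) if keys else []
    return {"keys": names, "port": int(port.group(1)) if port else RNDC_DEFAULT_PORT}


def check_rndc(rndc_conf_text, named_conf_text):
    """Return a list of problems; an empty list means rndc and named agree."""
    rndc = rndc_settings(rndc_conf_text)
    ctl = controls_settings(named_conf_text)
    if ctl is None:
        return ["named.conf has no controls clause; rndc cannot connect"]
    problems = []
    missing = [k for k in ctl["keys"] if k not in rndc["keys"]]
    if missing:
        problems.append(f"controls references key(s) {missing} not defined for rndc "
                        f"(rndc knows {rndc['keys']})")
    if rndc["port"] != ctl["port"]:
        problems.append(f"rndc uses port {rndc['port']} but controls listens on {ctl['port']}")
    return problems


# Constructed samples: the key-name mismatch discussed in the thread
# ("rndc-key" in /etc/rndc.key versus "rndckey" in named.conf).
RNDC_KEY_FILE = '''key "rndc-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-NOT-A-REAL-SECRET==";
};
options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
'''
NAMED_CONF_MISMATCH = '''include "/etc/rndc.key";
controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndckey"; };
};
'''
NAMED_CONF_OK = NAMED_CONF_MISMATCH.replace('"rndckey"', '"rndc-key"')

if __name__ == "__main__":
    print(check_rndc(RNDC_KEY_FILE, NAMED_CONF_MISMATCH))
    print(check_rndc(RNDC_KEY_FILE, NAMED_CONF_OK))
```

Run it with the real contents of /etc/rndc.key (or /etc/rndc.conf) and /etc/named.conf; an empty list means the control channel is consistent and any remaining failure is in the zones or views, not in rndc.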
 

nicnicy

Member
Apr 19, 2005
12
0
151
helped me, thank you

(On 28 October 2007) helped me after a new install from CentOS 4.5 to 5 with cpanel11

had no connection to website with my browser, via dnsstuff.com I found that the DNS was refusing the connection while I found my ns1. and ns2.

problem solved with this explanation!
thank you:)


Code:
I have come across an issue with DNS in cpanel 11.x , where named.conf is badly configured by cpanel ,

Here is how a DNS report from dnsstuff.com would look because of this :

FAILS for SOA record
Fails for lame nameservers .

Here's how to fix it ,

SSH to server ,

Backup your named.conf file by

cp /etc/named.conf named.conf.back

then
pico /etc/named.conf

Replace

Code:

include "/etc/rndc.key";

controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

options
{
/* make named use port 53 for the source of all queries, to allow
* firewalls to block all ports except 53:
*/
query-source port 53; 

// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
};

logging 
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
}; 
};

// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the 
// "default" view, which matches all clients.
// 
// If named.conf contains any "view" clause, then all zones MUST be in a view; 
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.

view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
* If all you want is a caching-only nameserver, then you need only define this view:
*/
match-clients { localhost; };
match-destinations { localhost; };
recursion yes;

zone "." IN {
type hint;
file "/var/named/named.ca";
};

/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* ONLY be served to localhost clients:
*/
include "/var/named/named.rfc1912.zones";
};

view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
that connect via your directly attached LAN interfaces - "localnets" .
*/
match-clients { localnets; };
match-destinations { localnets; };
recursion yes;

zone "." IN {
type hint;
file "/var/named/named.ca";
};

// include "/var/named/named.rfc1912.zones";
// you should not serve your rfc1912 names to non-localhost clients.

// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :
};

view "external"
{
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not on your directly attached LAN interface subnets:
*/
match-clients { !localnets; !localhost; };
match-destinations { !localnets; !localhost; };

recursion no;
// you'd probably want to deny recursion to external clients, so you don't
// end up providing free DNS service to all takers

// all views must contain the root hints zone:
zone "." IN {
type hint;
file "/var/named/named.ca";
};

// These are your "authoritative" external zones, and would probably
// contain entries for just your web and mail servers:

// BEGIN external zone entries

With

Code:

include "/etc/rndc.key";

controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

And then goto bottom of the file and remove

}; at the bottom .

Save file and exit

then test config
service named configtest
if you have done this correctly , it should display something like this:

zone blue.xxx.com/IN: loaded serial 2007070901
zone xxx.com/IN: loaded serial 2007070906
zone ns1.xxx.com/IN: loaded serial 2007070901
zone server.xxx.com/IN: loaded serial 2007071001
zone xxx.net/IN: loaded serial 2007071001

Then restart named by

service named restart

That's it! Your DNS should be working now .

This fix was provided by Tech4server.com


 

robb3369

Well-Known Member
Mar 1, 2008
122
1
66
cPanel Access Level
Root Administrator
Another possible solution...

My specific issue was NOT with rndc, it was with the named refusing to answer ANY requests for DNS data. The error message was typically "Query refused" when testing from a windows workstation (remote of course) using nslookup specifically targeting the DNS server or from a DNS testing website like www.intodns.com or www.checkdns.net...

What I did was edit the /etc/named.conf file, specifically the view "external" section from this:
Code:
view "external" {
        // This view will contain zones you want to serve only to "external" clients
        // that have addresses that are not on your directly attached LAN interface subnets:
        match-clients           { !localnets; !localhost; };
        match-destinations      { !localnets; !localhost; };
        recursion no;
        zone "." IN {
                type hint;
                file "/var/named/named.ca";
        };
        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
        // BEGIN external zone entries
To this:
Code:
view "external" {
        // This view will contain zones you want to serve only to "external" clients
        // that have addresses that are not on your directly attached LAN interface subnets:
        match-clients           { "any"; };
        recursion no;
        // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
        // BEGIN external zone entries
Then from within WHM, go to "Service Configuration" > "Nameserver Setup" and click on the "Proceed" button...

Worked for me! Your mileage may vary...
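Both fixes in this thread (inalto's named.conf with no view clauses, and the `match-clients { "any"; }` edit just above) come down to how BIND chooses a view for a client. The model below, added as an example and not code from the thread, cPanel or BIND, applies BIND's documented address-match-list rules to the three views from the cPanel-generated named.conf posted earlier: a list is tested in order, the first matching element decides, a matching negated element makes the list not match, and a list in which nothing matches does not match either. The original external view's `{ !localnets; !localhost; }` therefore has no element that can ever match positively, so outside clients fall through every view (REFUSED), while localhost lands in a caching-only view that holds no zone. The server's interface addresses and the /24 prefixes that "localhost" and "localnets" expand to are constructed assumptions, the remote client address is from the TEST-NET-2 documentation range, and match-destinations and allow-query are not modelled.

```python
"""Model of BIND 9 view selection, added as an illustration of the thread's
REFUSED/SERVFAIL symptoms. This is not code from the thread, cPanel or BIND.
It applies BIND's documented address-match-list rules: elements are tested in
order and the first matching element decides; a matching negated element
("!localnets") makes the list NOT match; if nothing matches, the list does
not match either. match-destinations and allow-query are not modelled."""
import ipaddress

# Constructed assumptions about the server in the thread: its interface
# addresses (what BIND's built-in "localhost" ACL expands to) and the
# directly attached subnets (what "localnets" expands to). The /24 prefixes
# are guesses for the illustration, not values from the page.
SERVER_ADDRS = ["127.0.0.1", "64.251.15.207", "64.251.21.23"]
SERVER_NETS = ["127.0.0.0/8", "64.251.15.0/24", "64.251.21.0/24"]

BUILTIN_ACLS = {
    "any": ["0.0.0.0/0"],
    "none": [],
    "localhost": SERVER_ADDRS,
    "localnets": SERVER_NETS,
}


def element_matches(element, client, acls):
    """True if one non-negated element (ACL name or address/prefix) matches."""
    if element in acls:  # a named ACL is itself an address-match-list
        return match_list(acls[element], client, acls) is True
    return client in ipaddress.ip_network(element, strict=False)


def match_list(elements, client, acls=BUILTIN_ACLS):
    """Evaluate an address-match-list for one client address.

    Returns True for a positive match, False when a negated element matched
    (explicit deny) and None when no element matched at all; BIND treats the
    last two the same way: the list does not match."""
    if isinstance(client, str):
        client = ipaddress.ip_address(client)
    for element in elements:
        negated = element.startswith("!")
        if element_matches(element.lstrip("!"), client, acls):
            return not negated
    return None


def select_view(views, client_ip):
    """Name of the first view whose match-clients matches client_ip, or None.

    `views` is an ordered list of (name, match_clients, authoritative_zones)."""
    for name, match_clients, _zones in views:
        if match_list(match_clients, client_ip) is True:
            return name
    return None


def explain(views, client_ip, qname):
    """Describe how the server would handle a query for qname from client_ip."""
    view = select_view(views, client_ip)
    if view is None:
        return "no view matches this client -> query REFUSED"
    zones = {name: z for name, _m, z in views}[view]
    if qname in zones:
        return f"view {view!r} answers {qname!r} authoritatively"
    return f"view {view!r} has no zone for {qname!r}; it must recurse or fail"


# The three views from the cPanel-generated named.conf posted in the thread.
# Only the "external" view carries the real zones, and its match-clients list
# has no positive element, so it can never match anyone.
ORIGINAL_VIEWS = [
    ("localhost_resolver", ["localhost"], []),
    ("internal", ["localnets"], []),
    ("external", ["!localnets", "!localhost"], ["bollingerweb.com", "ishlive.com"]),
]

# The external view as rewritten above (match-clients { "any"; }).
ANY_EXTERNAL_VIEWS = [
    ("localhost_resolver", ["localhost"], []),
    ("internal", ["localnets"], []),
    ("external", ["any"], ["bollingerweb.com", "ishlive.com"]),
]

# A named.conf with no view clauses (inalto's fix) behaves like one view that
# matches every client and holds every zone.
NO_VIEWS = [("default", ["any"], ["bollingerweb.com", "ishlive.com"])]

# A remote resolver address constructed from the TEST-NET-2 documentation range.
REMOTE_CLIENT = "198.51.100.10"

if __name__ == "__main__":
    for label, views in [("original", ORIGINAL_VIEWS),
                         ("match-clients any", ANY_EXTERNAL_VIEWS),
                         ("no views", NO_VIEWS)]:
        for client in (REMOTE_CLIENT, "127.0.0.1"):
            print(f"{label:18} {client:15} {explain(views, client, 'bollingerweb.com')}")
```

The model also shows why `match-clients { "any"; }` alone still leaves localhost in the caching-only view: a query from the server itself matches `localhost_resolver` first, which holds none of the real zones, so local dig tests keep failing until the zones are present in every view that can match (or the views are removed, as in the working named.conf above).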
 

Humbrol

Member
Mar 16, 2008
10
0
51
Stuck

still no server response when I tried this named.conf file

server name is thegeekhosting.com

checkdns says the dns servers are offline, but I restarted named and bind to no avail

IPs assigned to the nameservers are 74.87.119.188 and 189
Code:
include "/etc/rndc.key";

controls {
        inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

acl "trusted" {
        127.0.0.1;
64.251.15.207;
64.251.21.23;

//put here your trusted ip's.
};

//
// named.conf for Red Hat caching-nameserver
//

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        version "n/a";

        allow-recursion { trusted; };
        allow-notify { trusted; };
        allow-transfer { trusted; };

        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         // query-source address * port 53;
};

//
// a caching only nameserver config
//

zone "." IN {
        type hint;
        file "/var/named/named.ca";
};

zone "localdomain" IN {
        type master;
        file "/var/named/localdomain.zone";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "/var/named/localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "/var/named/named.local";
        allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN
 {
        type master;
        file "/var/named/named.ip6.local";
        allow-update { none; };
};

zone "255.in-addr.arpa" IN {
        type master;
        file "/var/named/named.broadcast";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "/var/named/named.zero";
        allow-update { none; };
};

//
//  Your zones.
//

zone "thegeekhosting.com" {
        type master;
        file "/var/named/thegeekhosting.com.db";
};
now that I've changed it, it's still pulling the old conf file somehow =(
 