Nameserver (Again)

#1 Sun, 10/02/2016 - 11:57
Miker1029


Sorry to bring this up again, but I did some reading here: http://www.tldp.org/HOWTO/DNS-HOWTO-3.html and did the tests mentioned on the page, that resulted in this:

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x 127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46671
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;1.0.0.127.in-addr.arpa.                IN      PTR
 
;; ANSWER SECTION:
1.0.0.127.in-addr.arpa. 86400   IN      PTR     localhost.
 
;; AUTHORITY SECTION:
127.in-addr.arpa.       86400   IN      NS      localhost.
 
;; ADDITIONAL SECTION:
localhost.              604800  IN      A       127.0.0.1
localhost.              604800  IN      AAAA    ::1
 
;; Query time: 0 msec
;; SERVER: 116.93.119.119#53(116.93.119.119)
;; WHEN: Sun Oct 02 11:38:46 CDT 2016
;; MSG SIZE  rcvd: 132

And this ";; SERVER: 116.93.119.119#53(116.93.119.119)" is my Public IP not used (I thought) according to Virtualmin...

[root@ns1 ~]# dig pat.uio.no
 
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> pat.uio.no
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26462
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pat.uio.no.                    IN      A
 
;; ANSWER SECTION:
pat.uio.no.             21599   IN      A       129.240.6.150
 
;; AUTHORITY SECTION:
.                       207     IN      NS      j.root-servers.net.
.                       207     IN      NS      l.root-servers.net.
.                       207     IN      NS      k.root-servers.net.
.                       207     IN      NS      i.root-servers.net.
.                       207     IN      NS      a.root-servers.net.
.                       207     IN      NS      f.root-servers.net.
.                       207     IN      NS      c.root-servers.net.
.                       207     IN      NS      h.root-servers.net.
.                       207     IN      NS      e.root-servers.net.
.                       207     IN      NS      b.root-servers.net.
.                       207     IN      NS      g.root-servers.net.
.                       207     IN      NS      m.root-servers.net.
.                       207     IN      NS      d.root-servers.net.
 
;; Query time: 375 msec
;; SERVER: 116.93.119.119#53(116.93.119.119)
;; WHEN: Sun Oct 02 11:39:49 CDT 2016
;; MSG SIZE  rcvd: 266

Now that site says If I get the above responses it's working as a Nameserver....

And Out of curiosity I did my IP for my server (Forum) and got this:

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x 116.93.120.121
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2944
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 7, ADDITIONAL: 8
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;121.120.93.116.in-addr.arpa.   IN      PTR
 
;; ANSWER SECTION:
121.120.93.116.in-addr.arpa. 2285 IN    PTR     ns1.android-x86.net.
 
;; AUTHORITY SECTION:
116.in-addr.arpa.       48360   IN      NS      tinnie.arin.net.
116.in-addr.arpa.       48360   IN      NS      apnic1.dnsnode.net.
116.in-addr.arpa.       48360   IN      NS      ns3.apnic.net.
116.in-addr.arpa.       48360   IN      NS      ns1.apnic.net.
116.in-addr.arpa.       48360   IN      NS      apnic.authdns.ripe.net.
116.in-addr.arpa.       48360   IN      NS      ns4.apnic.net.
116.in-addr.arpa.       48360   IN      NS      ns2.lacnic.net.
 
;; ADDITIONAL SECTION:
ns1.apnic.net.          519     IN      A       202.12.29.25
ns2.lacnic.net.         1135    IN      A       200.3.13.11
ns3.apnic.net.          106     IN      A       202.12.28.131
ns4.apnic.net.          695     IN      A       202.12.31.140
apnic.authdns.ripe.net. 367     IN      A       193.0.9.9
apnic1.dnsnode.net.     1480    IN      A       194.146.106.106
tinnie.arin.net.        37209   IN      A       199.212.0.53
 
;; Query time: 0 msec
;; SERVER: 116.93.119.119#53(116.93.119.119)
;; WHEN: Sun Oct 02 11:45:08 CDT 2016
;; MSG SIZE  rcvd: 374

Now my question is, Is this the correct (current) way to test the Nameserver, and if not can someone tell me the commands I can use on the server to test it?

The reason I'm asking, and I've been thinking this since I started trying to get the Nameserver working, Is I believe my registrar is "BSing" me telling me it's not working, and need to know before I get on them about it...

Thanks, Mike

Sun, 10/02/2016 - 15:32
Miker1029

Ok I have an Update to this, I found 2 Really useful websites, I set up DNSSEC, and all is well there, here are the 2 Sites for anyone else:

http://network-tools.com/ http://dnsviz.net/

NOW, According to Network-Tools my Forum "android-x86.net" IS Authoritative!!!! And "ns1.android-x86.net" isn't, I'm assuming this means that my actual forum address is the "Nameserver"?!??!

[116.93.120.121] returned an authoritative response in 234 ms:
 
 
Header
 
rcode:  Success
id: 0   opcode: Standard query
is a response:  True    authoritative:  True
recursion desired:  False   recursion avail:    False
truncated:  True
questions:  1   answers:    3
authority recs: 0   additional recs:    0

SO if it is, how do I switch it to NS1?? I feel like I'm getting close to getting this working, finally!!

Mike
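The letters dig prints on its "flags:" line and the "authoritative: True / truncated: True" table from network-tools are the same bits of the 12-byte DNS header. The Python below is an added example, not code from the thread or from Virtualmin: it packs and parses that header and reproduces the flag and count lines of the three outputs quoted above (the record sections are not rebuilt). Note that the `aa` in the first output belongs to the built-in 127.in-addr.arpa zone, as its AUTHORITY SECTION shows, so it says nothing about the public domain; the pat.uio.no answer carries `qr rd ra` without `aa`, which is what a lookup through a recursive cache looks like.

```python
import struct

HEADER_FMT = "!HHHHHH"   # id, flags, qdcount, ancount, nscount, arcount
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_header(msg_id, *, qr, aa, rd, ra, tc=0, rcode=0, qd=1, an=0, ns=0, ar=0, opcode=0):
    """Pack the 12-byte DNS header of RFC 1035 section 4.1.1."""
    flags = (qr << 15) | (opcode << 11) | (aa << 10) | (tc << 9) | (rd << 8) | (ra << 7) | rcode
    return struct.pack(HEADER_FMT, msg_id, flags, qd, an, ns, ar)


def parse_header(data):
    """Unpack the header fields; the rest of the message is ignored."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack(HEADER_FMT, data[:12])
    return {
        "id": msg_id,
        "is_response": bool(flags & 0x8000),         # qr
        "opcode": (flags >> 11) & 0xF,
        "authoritative": bool(flags & 0x0400),       # aa
        "truncated": bool(flags & 0x0200),           # tc
        "recursion_desired": bool(flags & 0x0100),   # rd
        "recursion_available": bool(flags & 0x0080), # ra
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "questions": qd, "answers": an, "authority": ns, "additional": ar,
    }


def dig_flags(header):
    """Render the flags the way dig prints them, e.g. 'qr aa rd ra'."""
    order = [("is_response", "qr"), ("authoritative", "aa"), ("truncated", "tc"),
             ("recursion_desired", "rd"), ("recursion_available", "ra")]
    return " ".join(short for key, short in order if header[key])


def classify(header):
    """What the flag combination says about where the answer came from."""
    if not header["is_response"]:
        return "query"
    if header["authoritative"]:
        return "authoritative: answered from the server's own zone data"
    if header["recursion_available"]:
        return "recursive: resolved or cached by a recursive server, not authoritative"
    return "non-authoritative answer from a server that does not offer recursion"


# Constructed headers reproducing the flag and count lines of the outputs
# quoted above; the record sections are not rebuilt.
LOCALHOST_PTR = build_header(46671, qr=1, aa=1, rd=1, ra=1, an=1, ns=1, ar=3)
PAT_UIO_NO = build_header(26462, qr=1, aa=0, rd=1, ra=1, an=1, ns=13, ar=1)
NETWORK_TOOLS = build_header(0, qr=1, aa=1, rd=0, ra=0, tc=1, an=3)

if __name__ == "__main__":
    for name, raw in [("dig -x 127.0.0.1", LOCALHOST_PTR), ("dig pat.uio.no", PAT_UIO_NO),
                      ("network-tools", NETWORK_TOOLS)]:
        h = parse_header(raw)
        print(f"{name}: flags '{dig_flags(h)}', {h['rcode']}, {classify(h)}")
```

The useful test of "is my server authoritative for my domain" is therefore a query for the domain itself sent directly to the server (dig @server domain), looking for `aa` in the flags; a reverse lookup of 127.0.0.1 only proves the stock localhost zones are loaded.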

Wed, 01/04/2017 - 10:56
Miker1029

New Question On This.

My Domain Name Is Coming up for Renewal Next month, For One I plan On switching to NameCheap as I've heard good things...

My Question is Now, Should I change my domain Name to "NS1.DOMAINNAME.NET" or should I leave it as "DOMAINNAME.NET"

The reason I'm asking is, from what I've read, I "SHOULD" be able to use an "A" Record for My NS "NS1." but it's not working that way in CentOS 7, It resolves to my forum "NS1.Domainname.net", and when I had Ubuntu 16.X Installed it actually resolved to the Apache "It Works Page" Not the Forum Directly...

So What I want to know, Does anyone know what the Simplest way for me to get this working would be??

I've Read, Do the "NS1" at the Registrar, Then Have my DNS records in Virtualmin Point to the Actual Forum, I.E. "www.domainname.net"

Would this information be correct?? Right Now I'm just looking for the Simplest way to get this done...

Thanks For any info.

Mike

Wed, 01/04/2017 - 12:26
Diabolico

To be honest I have a hard time understanding your post. Can you post the content of your "/etc/named.conf" and "/var/named/domain.zone" (or "domain.hosts") files? If you want, edit your domain and IP, but I would like to see these files as I suspect there is some misconfiguration in your Bind.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Wed, 01/04/2017 - 13:35
Miker1029

Ok Here you go, Thanks for the fast response!!

The **** Are either Edited for public viewing, or a comment, as I'm in the middle of getting DNSSEC Up and running....

NAMED.CONF

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
 
options {
    listen-on port 53 {
        any;
        };
    listen-on-v6 port 53 {
        any;
        };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
 
    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion yes;
 
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;   // ******** ADDED, WORKING ON DNSSEC *******
 
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
 
    managed-keys-directory "/var/named/dynamic";
 
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    dnssec-lookaside . trust-anchor dlv.isc.org.;
};
 
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
 
zone "." IN {
    type hint;
    file "named.ca";
};
 
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
 
zone "android-x86.net" {
    type master;
    file "/var/named/android-x86.net.hosts.signed";   // ****** ADDED ".signed", WORKING ON DNSSEC
    allow-transfer {
        127.0.0.1;
        localnets;
        };
    };
trusted-keys {
    dlv.isc.org. 257 3 5 "*****************************";
    };

ANDROID-X86.NET.HOSTS

$ttl 38400
@   IN  SOA ns1.android-x86.net. root.ns1.android-x86.net. (
            1481465495
            10800
            3600
            604800
            38400 )
@   IN  NS  ns1.android-x86.net.
android-x86.net.    IN  A   1.2.3.4
www.android-x86.net.    IN  A   1.2.3.4
ftp.android-x86.net.    IN  A   1.2.3.4
m.android-x86.net.  IN  A   1.2.3.4
ns1.android-x86.net.    IN  A   1.2.3.4
localhost.android-x86.net.  IN  A   127.0.0.1
ns1.android-x86.net.    IN  A   1.2.3.4
webmail.android-x86.net.    IN  A   1.2.3.4
admin.android-x86.net.  IN  A   1.2.3.4
mail.android-x86.net.   IN  A   1.2.3.4
android-x86.net.    IN  MX  5 mail.android-x86.net.
android-x86.net     IN  PTR 4.3.2.1.in-addr.arpa.
ns1.andriod-x86.net IN  PTR 4.3.2.1.in-addr.arpa.
android-x86.net.    IN  TXT "v=spf1 a mx a:android-x86.net a:www.android-x86.net a:ns1.android-x86.net ip4:1.2.3.4 ip6:******************** -all"
_dmarc.android-x86.net. IN  TXT "v=DMARC1; pct=100; ruf=mailto:miker1029@android-x86.net; rua=mailto:miker1029@android-x86.net; p=reject; sp=none; rf=afrf; ri=86400"
2017._domainkey.android-x86.net.    IN  TXT ( "v=DKIM1; k=rsa; t=s; p="*************" )
$INCLUDE Kandroid-x86.net.+***+****.key   ; ***** DNSSEC WIP ****
$INCLUDE Kandroid-x86.net.+***.****.key   ; ***** DNSSEC WIP ****

I haven't changed these files since the clean install of CentOS 7 Server (minimal), and Clean Install of Virtualmin, about a month ago, The **** Are from today working on getting DNSSEC Up and Running....

Thanks,

Mike
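Before arguing with a registrar, a few things in a zone file like the one above can be checked mechanically. The Python below is an added example, not the poster's or Virtualmin's code. It lints a constructed zone modelled on the listing (1.2.3.4 is the post's own placeholder; an ns2 NS line is added to show the missing-glue case) and flags: owner names written without the trailing dot, which BIND expands relative to the origin; PTR records in a forward zone, which belong in the in-addr.arpa zone delegated to whoever holds the IP block; an in-zone NS target without an A/AAAA record; and duplicate records. It only sees the zone's own data, so the glue at the parent still has to be checked separately.

```python
from dataclasses import dataclass

ORIGIN = "android-x86.net."
# Constructed zone modelled on the listing above (1.2.3.4 is the post's own
# placeholder); the ns2 NS line is added to show the missing-glue case.
SAMPLE_ZONE = """\
$ttl 38400
@   IN  SOA ns1.android-x86.net. root.ns1.android-x86.net. (
            1481465495
            10800
            3600
            604800
            38400 )
@   IN  NS  ns1.android-x86.net.
@   IN  NS  ns2.android-x86.net.
android-x86.net.    IN  A   1.2.3.4
www.android-x86.net.    IN  A   1.2.3.4
ns1.android-x86.net.    IN  A   1.2.3.4
ns1.android-x86.net.    IN  A   1.2.3.4
mail.android-x86.net.   IN  A   1.2.3.4
android-x86.net.    IN  MX  5 mail.android-x86.net.
android-x86.net     IN  PTR 4.3.2.1.in-addr.arpa.
ns1.andriod-x86.net IN  PTR 4.3.2.1.in-addr.arpa.
"""


@dataclass
class Record:
    owner: str       # fully qualified, lower-case, trailing dot
    owner_raw: str   # owner exactly as written in the file
    rtype: str
    rdata: tuple


def _logical_lines(text):
    """Drop ';' comments and join parenthesised multi-line records (SOA)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw if '"' in raw else raw.split(";", 1)[0]
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0
    if buf:
        yield " ".join(buf)


def parse_zone(text, origin):
    """Minimal master-file parser: owner [ttl] [class] type rdata."""
    origin = origin.lower().rstrip(".") + "."
    records, last_owner = [], "@"
    for line in _logical_lines(text):
        if line.lstrip().startswith("$"):
            continue   # $TTL/$INCLUDE skipped; $ORIGIN changes are not modelled
        tokens = line.replace("(", " ").replace(")", " ").split()
        owner_raw, i = (last_owner, 0) if line[0].isspace() else (tokens[0], 1)
        if i < len(tokens) and tokens[i].isdigit():
            i += 1                       # optional TTL
        if i < len(tokens) and tokens[i].upper() in ("IN", "CH", "HS"):
            i += 1                       # optional class
        if i >= len(tokens):
            continue
        if owner_raw == "@":
            owner = origin
        elif owner_raw.endswith("."):
            owner = owner_raw.lower()
        else:
            owner = owner_raw.lower() + "." + origin   # relative name
        records.append(Record(owner, owner_raw, tokens[i].upper(), tuple(tokens[i + 1:])))
        last_owner = owner_raw
    return records


def lint_zone(text, origin):
    """Findings for the mistakes discussed in the thread."""
    origin = origin.lower().rstrip(".") + "."
    records = parse_zone(text, origin)
    has_address = {r.owner for r in records if r.rtype in ("A", "AAAA")}
    findings, seen = [], set()
    for r in records:
        if r.owner_raw != "@" and "." in r.owner_raw and not r.owner_raw.endswith("."):
            findings.append(f"owner '{r.owner_raw}' has no trailing dot and expands to '{r.owner}'")
        if r.rtype == "PTR" and not origin.endswith(".arpa."):
            findings.append(f"PTR for '{r.owner}' in a forward zone; it belongs in the in-addr.arpa zone")
        if r.rtype == "NS":
            target = r.rdata[0].lower()
            if (target == origin or target.endswith("." + origin)) and target not in has_address:
                findings.append(f"NS target '{target}' is in-zone but has no A/AAAA record (glue)")
        key = (r.owner, r.rtype, r.rdata)
        if key in seen:
            findings.append(f"duplicate record: {r.owner} {r.rtype} {' '.join(r.rdata)}")
        seen.add(key)
    return findings
```

Calling lint_zone(SAMPLE_ZONE, ORIGIN) reports six findings for the constructed zone: the two PTR owners written without a trailing dot (each also flagged as a PTR in a forward zone), the ns2 name server without an address record, and the repeated ns1 A record.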

Wed, 01/04/2017 - 16:20
Miker1029

And to Clarify a Little.....

My OS (Server?) Is named NS1.ANDROID-X86.NET, My Domain (In The Registrar) is "android-x86.net", I have Virtualmin Set for NS1.ANDROID_X86.NET as the HOST, and the Virtual Server is "android-x86.net"

Dunno If that is confusing, but, really, everything I've read says, the Server (Operating System) should be NS1.DOMAINNAME.NET and virtualmin installs fine as that being a FQDN....

Not trying to act as if you don't know, trying to clarify my own stupidity.... LOL

Mike

Wed, 01/04/2017 - 19:23
Diabolico

Is this a mistake "www.android-x86.net"?

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Wed, 01/04/2017 - 19:24
Diabolico

Is this a mistake "www.android-x86.net" or did you use this to mask your domain?

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Sun, 01/08/2017 - 12:28 (Reply to #8)
Miker1029

No, it's actually "android-x86.net" as it seems everywhere I've tried to append the "www" it gets omitted, even at the registrar, I have the "CNAME" set for "www".

Really not sure, It just is that way....Even a ways back, google analytics suggested moving away from the "www", So not sure, In everything I do related to associating the Domain with things I do both....

Now in my Registrar I have:

ns1.android-x86.net pointed to the new IP, Which in Virtualmin I added "ns1.android-x86.net" and the NEW IP to Bind...And My HOSTS and HOSTNAME Files (Minimally), I didn't go Nuts with edits...

Now I was reading yesterday, Would I possibly need to make a "Master" server "ns1.android-x86.net" and make my Domain a Slave (It's set to Master Now, By Virtualmin Install)??

From what I read that would be for an NS1 - Master and NS2 for the slave....

Really I just want to be able to ADD NS1 to the nameserver at the registrar and it accept it, Really not sure WHY it's not, I've checked internally, And short of Doing everything Advised in the 3rd link above, I'm not sure what else to do inside virtualmin, From reading the DOCS on it, It seems it should be a simple process for Virtualmin...

Mike

Sat, 01/07/2017 - 09:14
Miker1029

Are those the correct files you needed??

If you need anymore info let me know.... I just really need to know what I need to point to from the Registrar to have Virtualmin Handle MY OWN DNS Requests....

The server is Called ns1.android-x86.net....

The Served Pages are at http://android-x86.net/

So the simple question is, do I register ns1.android-x86.net at the registrar, then have the DNS records forward to the actual pages to be served???

The problem seems to be, that Virtualmin IS NOT handling ANY DNS tasks, As When I try to add it to the Nameservers list at my Registrar it says it doesn't exist...

I believe I have Virtualmin setup correctly, I've done what has been advised, and I've read across many different sites looking for an answer...

I will say, A LOT of them are "Setups" from the Beginning, I.E. Installing the files and configuring them, Which I'm really wary of as, I want to keep Virtualmin in control of things, and I really don't want to break anything...

Thanks,

Mike

Sun, 01/08/2017 - 17:18
Miker1029

I have an Update to this.

With All the time spread over months of trying to get this to work, I believe I was confusing setting up a single IP DNS Nameserver.

I now have one IP for the HOST (NS1.ANDROID-X86.NET) and one IP for the Virtual Server (HTTP://ANDROID-X86.NET)

The IP for NS1.ANDROID-X86.NET Resolves through the "A" Record at My Registrar, My Registrar STILL Says that NS1.ANDROID-X86.NET IS NOT A NAMESERVER... When I enter the Address (OR IP) in the Address Bar I get:

Index of /

[ICO] Name Last modified Size Description

This Is My HOSTS FIle

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
NEW.IP.0.0  ns1.anddroid-x86.net ns1

This Is Local HOSTSNAME:

ns1

changed from NS1.ANDROID-X86.NET

This is my RESOLV.CONF

# Generated by NetworkManager
search android-x86.net
nameserver NEW.IP.0.0
nameserver 162.213.38.38   # Virtualmin Did this on install, Dunno where they come from
nameserver 178.22.66.167   # Virtualmin Did this on install, Dunno where they come from
nameserver 127.0.01

I added the ENS4 - New IP, In Network Config. I added the IP's In Bind

Not sure what else to do, I checked with INTERNIC and It's not resolving, But I assume as long as my Registrar Isn't allowing me to add it to nameserver that it won't resolve....

I used these 2 Links and read a lot on the last Link, But it killed my connection on server reboot....

https://www.virtualmin.com/node/18463 https://www.virtualmin.com/documentation/dns/faq

https://www.unixmen.com/setting-dns-server-centos-7/

Is there a way to just check the proper settings locally, Like not through "dig" as that reports the same dnsowl, which is my registrar nameservers....

Hope this clarifies a little the problems I'm having...

Mike

Edited:Copy/Paste Mangled in the display

Sun, 01/08/2017 - 14:15 (Reply to #11)
Joe

Hey Mike,

I'm only dropping in on this, and haven't had a chance to read through this whole thing, but I wrote up the steps for spinning up a domain from nothing a while back on our blog here: http://inthebox.webmin.com/dns-for-web-hosting-glue-records

It sounds like the glue records are the remaining problem, maybe?

Edit: Also note that most of those steps are automated by Virtualmin; you wouldn't need to do most of the local BIND stuff, but the stuff at the registrar has to happen for your domains to work.

--

Check out the forum guidelines!

Sun, 01/08/2017 - 16:43 (Reply to #12)
Miker1029

Hey, Okay I went through the BLOG, and Everything on the Local End Reports Correct:

[root@ns1 named]# host android-x86.net
android-x86.net has address {CORRECT IP}
android-x86.net mail is handled by 5 mail.android-x86.net.
 
[root@ns1 named]# nslookup android-x86.net
Server:        {CORRECT NS1 IP}
Address:        {CORRECT NS1 IP}#53
 
Name:   android-x86.net
Address: {CORRECT DOMAIN IP}
 
[root@ns1 named]# host android-x86.net localhost
Using domain server:
Name: localhost
Address: 127.0.0.1#53
Aliases:
 
android-x86.net has address {CORRECT DOMAIN IP)
android-x86.net mail is handled by 5 mail.android-x86.net.

And the Results:

There was a problem with the NameServers you entered for the following domains:
android-x86.net
This is likely caused by the entered NameServers not being created yet. Please check the spelling of the NameServers you
entered as well as checking to make sure they have been created at the applicable registry.

And I will say that NameSilo (Registrar) DOESN'T allow an IP for the Nameserver, I have to use "ns1.android-x86.net".... Also They say support just adding the nameserver, I just noticed the "applicable registry" in the error statement...

Which I thought WAS the "A" Record I was supposed to add for ns1.android-x86.net IN A {NS1 IP ADDRESS} in my Registrar DNS Records..(NameSilo), BUT when I add the "A" record, Typing "ns1.android-x86.net" in the Address bar, Gives me the "Index" of the site (Blank, But says Index, File, File Type) and I still get the Nameserver error from them...

REALLY Started to think it's them, not me.... I contacted my Server provider today to TRIPLE Check TCP/UDP 53 was open and it is.

And thanks everyone for taking the time to help me out with this!!!

Mike

Sun, 01/08/2017 - 16:55
Miker1029

Sorry to Re-Post I'm being moderated and can't edit, lol, But I forgot the last 2 checks on the list....

[root@ns1 ~]# host -t ns android-x86.net
android-x86.net name server ns1.android-x86.net.

[root@ns1 ~]# host android-x86.net ns1.android-x86.net
Using domain server:
Name: ns1.android-x86.net
Address: {CORRECT NS1 IP}#53
Aliases:

android-x86.net has address {CORRECT DOMAIN IP}
android-x86.net mail is handled by 5 mail.android-x86.net.
[root@ns1 ~]#

All As it seems it should be....

Mike

Sun, 01/08/2017 - 17:23
Miker1029

Also Anything posted before Wed, 01/04/2017 - 10:56 on this thread is Dead info.... I just came back here as I didn't want to clutter the forums.....

mIKE

Sun, 01/08/2017 - 17:49
Miker1029

Ok all, I got it.....

It's bad when you have a not so savvy linux user as myself, and worse when the services you pay for don't know what they're doing......TILL

You hit the right REP! I registered the name server, and added it to the NameServer List, Replaced the NS1.DNSOWL.COM, With NS1.ANDROID-X86.NET, And it worked with the Registrar, Told them I was going to be leaving, Still Might after a year of fighting with this, and multiple emails to them...

I'm NOT gonna say solved right now, as I went in and Removed hosts "::1" as I think that was IP6 and my server doesn't support it, and one of the test commands came back with that as the IP, So I removed it and The IP went to localhost, I also changed the RESOLV.CONF to My NS1 IP, and Not localhost as it was set for...

I have a snap shot of the server and can restore no problem, BUT now that it's registered and done, I'll Play Around more, Unless ADVISED OTHERWISE HERE!!! LoL!!!!

But it says 1-48 Hours to Propagate, And as long as the forum keeps running I'll let it go.... And do the tests....

Thanks everyone I'll report back on this!

Mike

Sun, 01/08/2017 - 17:57
Miker1029

Well Good Start....

Los Angeles CA, United States

ns1.android-x86.net

Dallas TX, United States

ns1.android-x86.net

Mountain View CA, United States

ns1.dnsowl.com ns2.dnsowl.com ns3.dnsowl.com

Sun, 01/08/2017 - 18:27
Miker1029

InterNIC

Domain Name: ANDROID-X86.NET
Registrar: ********, LLC
Sponsoring Registrar IANA ID: *****
Whois Server: whois.********.com
Referral URL: http://www.*********.com
Name Server: NS1.ANDROID-X86.NET
Name Server: NS2.DNSOWL.COM
*** Guess I Already Posted this......
Name Server: NS3.DNSOWL.COM
Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Updated Date: 08-jan-2017
Creation Date: 27-feb-2015
Expiration Date: 27-feb-2017

Guess Gonna have to Invest in a 3rd IP, To get rid of DNSOWL (Registrar) totally, but Gonna leave as a BackUp....

Any Advice Now that I have it working, I'm Only serving my One Domain..... But if I can Get Away from Anything to do with the "Registrar" I'd like to.

Mike

Sun, 01/08/2017 - 21:38 (Reply to #18)
Joe

You only need two IP addresses for DNS service redundancy (ideally they'd be on two different servers on two different networks, but if all of your services are on one system, anyway, having redundancy is not so important).

Registrars are a necessary evil; you'll have to get comfortable dealing with glue records, if you want to manage DNS records (or if you want to let Virtualmin do it for you). If you want to handle DNS through the registrar (most allow you to host your DNS records on their name servers for free), that won't require glue records. But, good registrars make it pretty easy...I just poked around the namecheap interface today and see they have changed it a bunch...so my old blog post doesn't really match their UI, anymore, though the principles will always be the same. But, if it makes you feel any better about it, once you understand how DNS works, it becomes pretty easy to get the basics going. Even though I only do it every six months or so and forget all the specifics in the meantime, I am usually able to do it in a few minutes.

Also, there's a truism about problems with any networked service (web, mail, whatever): It's always DNS. Even if you think it isn't DNS, it's probably DNS. (Not because DNS is unreliable, but because it is complex and people often get it wrong.)

--

Check out the forum guidelines!

Mon, 01/09/2017 - 08:11
Miker1029

Lol, Ya I agree! Basically the reason I want to manage them is, well, one for the learning experience, and two, The service really doesn't provide everything needed for today's settings, I mean, Ya, you can get by just fine with them, But Coming from "A FREE HOST", What I started with in the VERY Beginning, To where I Am Today, I've learned, that, If "I" have the control "I" can fix it when needed, NOT, A Trouble Ticket, Not a REP who knows less than me, and that's REAL BAD!! LOL

And Ya I'm sure If I paid more, I'd get what I want, But as it stands, I'm hoping to upgrade to the Virtualmin Pro, Not that I need PRO, But, The Creators of this piece of programming well deserve more than my $6 a Month, After I've learned the interface a little, and got over the "SHELL SHOCK" of C-Panel and a Paid host, I love it!!

And learning the proper use of back-ups, and when to do it, and all that, Example: I STILL haven't rebooted the server, LOL, And I've found that's the END all BE ALL of a working system, I know I don't need to, But that's my test on a working server, I still have the Snapshot before I started all this.. AND I might restore it, just to see if I needed to make the changes I did....

So as It stands now, the Propagation Is Bouncing ALL OVER THE PLACE, yesterday before bed My Nameserver Propagated to about 7 of 20 Checks, now it's on 2 of 20, Just gonna leave it be for a couple days, see how it settles out and report back here...

Then On to DNSSEC, And a couple other things...

Question tho, Would it be Better (Although I'd assume Pretty Useless in the long run) to have a second NS (NS2) that basically just points to the same IP, I'd much rather have NS1/NS2 For my Name servers, and say the registrars NS3 as A Fallback...

And as I said, as of right now the propagation is jumping around, so I've got a couple days to sit back and wait on it before doing anything else....

And again let me thank all of you for your input, I wouldn't have gotten this done without the help/links, That finally got my head wrapped around what I needed to get done!!!

Mike

Mon, 01/09/2017 - 13:59
Miker1029

OK one last Update and One Last Question (For Now 8-) )

Ok, I did the server reboot, all went fine, and actually pages coming up faster than before....

I used a Global Propagation Checker for the NS (Multiple Location Check), and Internic has it exactly as I want it, So I'm just going to leave that be, As It seems correct...

Can one of you check this, My RESOLV.CONF and Verify I'm not on any other NS than my own, I mean, Not on the Global Internet, To serve other Sites....

This Part:

If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface

I only want to serve my forum pages..... I Believe it's right, I just want to verify.. Thanks

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
 
options {
    listen-on port 53 {
        any;
        };
    listen-on-v6 port 53 {
        any;
        };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
 
    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion yes;
 
    dnssec-enable yes;
    dnssec-validation yes;
 
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
 
    managed-keys-directory "/var/named/dynamic";
 
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
 
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
 
zone "." IN {
    type hint;
    file "named.ca";
};
 
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
 
zone "android-x86.net" {
    type master;
    file "/var/named/android-x86.net.hosts";
    also-notify {
        ***.**.***.***;   // **** NS1 IP CORRECT
    };
    allow-transfer {
        ***.**.***.***;   // **** NS1 IP CORRECT
    };
    notify yes;
};

Thanks, I think, That'd handle this for now, I'll check back later (Couple Days) to put in a final word on this but as of now it all looks good....

Mike

Mon, 01/09/2017 - 14:07 (Reply to #21)
Joe

You need to be more specific about allowing recursion.

Something like:

acl "trustednets" {
        localhost;
        127.0.0.1;
        192.168.1.0/24;
};

options {
    allow-recursion { trustednets; };
    recursion yes;
    ...other options here...
};

--

Check out the forum guidelines!

Mon, 01/09/2017 - 14:23 (Reply to #22)
Miker1029

Ok on the 192.168.1.0/24, I actually know what the 0/24 Means Blocking IPs In HTACCESS, But should I use that for my Single Name Server IP?? I'm Guessing here, it's just to span the IP?? Or should I use it as you posted, and Put my NS server IP In?? Sorry, I AM Learning LOL

And I Get the Allow-recursion , Makes Sense!

Mike

And actually isn't:

1.1.1.0/8 1.1.0.0/016 1.0.0.0/32 1.1.1.1.0//64

N/M I forgot the span for the IP's, Oldtimers sucks guys, I'll get back in the morning, Seems Clearer with a good cup of coffee.. 8-)

Or am I wrong again?? Really don't like to Expound my stupidness,
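Joe's ACL above and the /24 question in the last reply can be checked with a little code. The Python below is an added example, not Virtualmin's or the thread's: it parses a constructed options block modelled on the snippets posted (203.0.113.10 is a TEST-NET placeholder for the server's own address), expands named and built-in ACLs, and reports which client networks would get recursive service. It also models the fallback the BIND documentation gives for a missing allow-recursion: allow-query-cache, then allow-query, then the built-in default { localnets; localhost; } (BIND 9.4 and later). The describe_prefix helper shows why 192.168.1.0/24 is a whole private range of 256 addresses while a single server address needs /32.

```python
import ipaddress
import re

# Constructed named.conf fragments modelled on the thread's snippets, not the
# poster's files. 203.0.113.10 is a TEST-NET placeholder for the server's IP.
UNRESTRICTED_CONF = "options { listen-on port 53 { any; }; recursion yes; };"
RESTRICTED_CONF = """
acl "trustednets" {
        localhost;
        127.0.0.1;
        192.168.1.0/24;     // a whole private /24
        203.0.113.10/32;    // one host: /32, not /24
};
options {
    allow-recursion { trustednets; };
    recursion yes;
};
"""
# BIND derives localhost/localnets from the interfaces; fixed approximations here.
BUILTIN_ACLS = {
    "localhost": ["127.0.0.0/8", "::1/128"],
    "localnets": ["127.0.0.0/8", "::1/128"],
    "any": ["0.0.0.0/0", "::/0"],
}


def _closing_brace(text, open_idx):
    """Index of the '}' matching the '{' at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced braces")


def _braced_block(text, keyword):
    """Text inside the braces following `keyword`, or None if absent."""
    m = re.search(r"\b" + re.escape(keyword) + r"\s*\{", text)
    if not m:
        return None
    return text[m.end():_closing_brace(text, m.end() - 1)]


def _entries(body):
    body = re.sub(r"(//|#)[^\n]*", "", body)   # strip comments
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_acls(text):
    acls = {}
    for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{', text):
        acls[m.group(1)] = _entries(text[m.end():_closing_brace(text, m.end() - 1)])
    return acls


def expand_acl(entries, acls):
    """Resolve named and built-in ACLs to ip_network objects ('!' negation not modelled)."""
    nets = []
    for e in entries:
        if e in acls:
            nets += expand_acl(acls[e], acls)
        elif e in BUILTIN_ACLS:
            nets += [ipaddress.ip_network(n) for n in BUILTIN_ACLS[e]]
        else:
            nets.append(ipaddress.ip_network(e, strict=False))   # bare IP -> /32
    return nets


def audit_recursion(conf_text):
    """Report which client networks this options block serves recursively."""
    acls = parse_acls(conf_text)
    options = _braced_block(conf_text, "options") or ""
    m = re.search(r"\brecursion\s+(yes|no)\s*;", options)
    recursion = bool(m and m.group(1) == "yes")
    # BIND 9.4+ fallback when allow-recursion is absent: allow-query-cache,
    # then allow-query, then the built-in default { localnets; localhost; }.
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        body = _braced_block(options, key)
        if body is not None:
            source, entries = key, _entries(body)
            break
    else:
        source, entries = "default", ["localnets", "localhost"]
    nets = expand_acl(entries, acls) if recursion else []
    return {"recursion": recursion, "acl_source": source,
            "networks": [str(n) for n in nets],
            "open_to_internet": any(n.prefixlen == 0 for n in nets)}


def recursion_served_to(conf_text, client_ip):
    """Would this client address get a recursive answer under the config?"""
    ip = ipaddress.ip_address(client_ip)
    report = audit_recursion(conf_text)
    return report["recursion"] and any(ip in ipaddress.ip_network(n) for n in report["networks"])


def describe_prefix(cidr):
    """What a CIDR entry covers; a bare address is a single host (/32)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {"network": str(net), "addresses": net.num_addresses, "private": net.is_private}
```

This reads the configuration text only; the localhost/localnets expansion is a fixed stand-in for what BIND computes from the host's interfaces at startup, so confirm the result against the running server (for example, a recursive query from an outside address should be refused).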

Wed, 01/11/2017 - 08:38
Miker1029

Ok, I messed up, I thought I had purchased the IP, But apparently not, As The Server Reboot Changed the IP, I've fixed that, But since I had to Redo Everything, I decided to go Back to the Pre-Nameserver Settings Image and redo everything with the New IP, And Less Edits...

Would "allow-query" work the same as your post?? Or both or just what you said above??

Thanks, Mike

UPDATE:

Ok Done again, and propagating, With A LOT less edits to the files, just what was advised on your blog, Feel better about it that way...

I didn't add the above "acl" stuff, as I was thinking the:

allow-query { localhost; 116.NS1 IP ADDRESS; };
type master;
file "/var/named/android-x86.net.hosts";
also-notify { 116.NS1 IP ADDRESS; };
allow-transfer { 127.0.0.1; localnets; };
notify yes;
};

If you still advise adding it I will, I didn't realize that that IP range you have is local....

Mike
