linux-admin.vger.kernel.org archive mirror
* setting up bind
@ 2004-07-02 14:12 joy
  2004-07-02 22:23 ` Glynn Clements
  0 siblings, 1 reply; 6+ messages in thread
From: joy @ 2004-07-02 14:12 UTC (permalink / raw)
  To: linux-admin

Hi everyone,

Sorry for the long post, but I don't think I could've done it in less.....
I'm trying to set up a name server using BIND 9 and have run into a
peculiar problem:

The computers on my LAN have hostnames like xxx.pcm.com and this
nameserver is an internal one to serve these machines.
So I wrote a zone for "pcm.com" and made my server the master for the zone.
The records look something like this:
xxx.pcm.com   IN   A   192.xx.xx.xx  (is this right?)

To test it, I ran dig for one of the hostnames and it appears that
there is already a master for pcm.com somewhere else
which (obviously) does not have a record for my machine.
To make my machine not query other nameservers, I made my nameserver the
only one in resolv.conf,
and made it a slave for queries on zone "com" with the main NS outside
as the master.
However, this causes dig to give a timed out error.

Am I missing something here?

What I feel is that dig first tries to resolve "." (the root zone) and is
not able to because my NS does not hold any info on it.
Am I right in thinking so?

My NS had a different hostname before and dig could return a valid
IP. However, my employer insists
that the hostnames end with pcm.com (for some administrative reasons).

So, my question is,
how do I make dig search for xxx.pcm.com on my NS before forwarding it
to the outside?

Also,
do I need to write the PTR records for every A record I add?

Thanx (a lot ) in advance,
Joy.M.M

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: setting up bind
  2004-07-02 14:12 joy
@ 2004-07-02 22:23 ` Glynn Clements
  2004-07-07  7:00   ` Ahsan Ali
  0 siblings, 1 reply; 6+ messages in thread
From: Glynn Clements @ 2004-07-02 22:23 UTC (permalink / raw)
  To: gracecott; +Cc: linux-admin


joy wrote:

> The computers on my LAN have hostnames like xxx.pcm.com and this 
> nameserver is an internal one to serve these machines.
> So I wrote a zone for "pcm.com" and made my server the master for the zone.
> The records look something like this:
> xxx.pcm.com   IN   A   192.xx.xx.xx  (is this right?)

No. Fully-qualified domains must end in a dot, otherwise they will be
treated as relative to the root of the zone. E.g. if the above line
occurred in a zone file for pcm.com, it would correspond to
xxx.pcm.com.pcm.com.

Usually, you use relative names, so the line should look like:

	xxx   IN   A   192.xx.xx.xx

> To test it, I ran dig for one of the hostnames and it appears that 
> there is already a master for pcm.com somewhere else
> which (obviously) does not have a record for my machine.
> To make my machine not query other nameservers, I made my nameserver the 
> only one in resolv.conf,
> and made it a slave for queries on zone "com" with the main NS outside 
> as the master.
> However, this causes dig to give a timed out error.
> 
> Am I missing something here?

Probably.

> What I feel is that dig first tries to resolve "." (the root zone) and is 
> not able to because my NS does not hold any info on it.
> Am I right in thinking so?

Probably.

If named has been configured to allow recursive queries, it should
attempt to forward queries for other domains (ones which don't have an
entry in named.conf) to other DNS servers.

However, such queries (or, more likely, the replies) may be blocked if
your server is behind a firewall. In that situation, you would need to
forward such queries to a DNS server from which you can receive
replies (e.g. the one which was previously listed in resolv.conf).

> My NS had a different hostname before and dig could return a valid  
> IP. However, my employer insists
> that the hostnames end with pcm.com (for some administrative reasons).

Are these names supposed to be resolvable from outside of the LAN?

If so, the only solution is to update the authoritative nameserver
(the one to which the ".com" domain has delegated authority over the
"pcm.com" domain) with the additional hosts.

If not, you need to configure the local nameserver(s) (the one(s) to
which hosts on your LAN send DNS queries) to answer queries for the
pcm.com zone. These nameservers will already be configured to answer
general DNS queries.

However:

1. If you aren't running your own local nameserver(s) (e.g. you're
just pointing the hosts at your ISP's DNS servers), you will have to
do so; your ISP certainly isn't going to add the pcm.com zone to their
recursive nameservers. You should be doing this anyhow.

2. The local pcm.com zone file will need to include any public DNS
records for that zone (e.g. www.pcm.com) as well as any local ones
(e.g. xxx.pcm.com).

> Do I need to write the PTR records for every A record I add?

Probably not.

Most programs don't care whether PTR records exist or if they are
accurate; i.e. they either don't bother to look them up, or if they do
look them up, don't care whether the query succeeds.

The main exception is for access control. If you are accessing a
service which is restricted to specific hosts, access may be denied if
the PTR records can't be found or if they don't contain the expected
values.

-- 
Glynn Clements <glynn.clements@virgin.net>


* Re: setting up bind
  2004-07-02 22:23 ` Glynn Clements
@ 2004-07-07  7:00   ` Ahsan Ali
  0 siblings, 0 replies; 6+ messages in thread
From: Ahsan Ali @ 2004-07-07  7:00 UTC (permalink / raw)
  To: linux-admin

Glynn pretty much covered everything. 

There is one thing though - you are saying you added pcm.com to your
named.conf as a slave zone. This is wrong - because if you create a
slave zone, you then need to define a master where it will transfer
the zone across from and place it on your system in the zone file you
specify. You can't directly edit zones on a slave because by definition
the slave zone is a copy of the zone from the master.

You need to create a master zone and copy across any records such as
www etc. you need from it into your local zone file (which for your
server is a master because it's the only one that matters to your
organization) and then you need to add all your local machines to it.

If you have a $ORIGIN defined as pcm.com (default is the name of the
zone/domain) then any hostname that does not end with a . will have
this appended to it. You should avoid using the . as it will make your
file less cluttered and easier to rename the zone if you ever need to.

Once that is done and you have the forward lookup file ready, you can
use a script to generate the reverse zones if you like. I prefer using
proper reverse zones whenever possible as many applications do a
hostname lookup on an IP when accepting connections and in a scenario
where DNS is improperly configured the application can seem to "hang"
for a while as the DNS query times out.

You can use the mkrdns script [http://freshmeat.net/projects/mkrdns/]
to do this automatically. It seems to do a pretty decent job.

Hope this helped!

-Ahsan



* Re:setting up bind
@ 2004-07-08  7:21 gracecott
  2004-07-08  7:34 ` setting " Ahsan Ali
  0 siblings, 1 reply; 6+ messages in thread
From: gracecott @ 2004-07-08  7:21 UTC (permalink / raw)
  To: gracecott, linux-admin



Hi, now I found out that my named isn't even starting up...

even if I manually run /etc/init.d/bind9 start
it says starting named
but ps ax|grep named tells me otherwise.....
Any suggestions based on my configs? If you need anything else other than my root password, feel free to ask :-)

Thanx in advance,
Joy.M.M


* Re: setting up bind
  2004-07-08  7:21 Re:setting up bind gracecott
@ 2004-07-08  7:34 ` Ahsan Ali
  0 siblings, 0 replies; 6+ messages in thread
From: Ahsan Ali @ 2004-07-08  7:34 UTC (permalink / raw)
  To: gracecott@sancharnet.in; +Cc: linux-admin

Your named isn't starting because of errors in your named.conf. You can
look in /var/log/messages for more information on what's going wrong.

I am pasting my previous reply to you here on the list.

==========================================================
In /etc/named.conf

zone "com" {type delegation-only;};

Should look something like this:
=======================
zone "pcm.com" IN {
       type master;
       file "/var/named/pcm.com.zone";
};

zone "10.in-addr.arpa" IN {
       type master;
       file "/var/named/10.in-addr.arpa.zone";
};
=======================

In your file /var/named/pcm.com.zone you should have:

==================================================
$TTL    86400
$ORIGIN pcm.com.
@                     1D IN SOA ns.pcm.com.        root (
                                       2004070703              ; serial
                                       3H              ; refresh
                                       15M             ; retry
                                       1W              ; expiry
                                       1D )            ; minimum

                       1D IN NS        ns.pcm.com.     ; NS data must be a host name, never an address
nms                     1D IN A         10.0.1.25
ns                      1D IN A         10.0.1.2
(and so on for each host)
==================================================

In your /var/named/10.in-addr.arpa.zone
==================================================
$TTL    86400                                           ; default TTL for records without one
@                       IN SOA ns.pcm.com.   root.pcm.com. (
                                       2004070702              ; serial
                                       3H              ; refresh
                                       15M             ; retry
                                       1W              ; expiry
                                       1D )            ; minimum

@                       NS              ns.pcm.com.
                       NS              nms.pcm.com.
$ORIGIN 1.0.10.in-addr.arpa.                            ; labels below are relative to 10.0.1.x
2       PTR     ns.pcm.com.
25       PTR     nms.pcm.com.
(and so on for each host)
==================================================
I hope this helped.

Sorry I don't have time right now to go through all your zone files as
I am in a bit of a rush at the moment. I think you can customize the
above examples to suit your needs. I tend to keep my zone files in
/var/named whereas from your config it looks like you keep them in
/etc/bind. Please adjust to suit your needs.

Regards,

Ahsan Ali
State Bank of Pakistan
======================================================
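The trailing-dot rule from Glynn's reply, the $ORIGIN behaviour Ahsan describes, and his suggestion of scripting the reverse zone from the forward file can all be seen in a small parser. The following is an added example written for this thread; it is not code from the list, from BIND or from mkrdns. It assumes a constructed forward zone in the layout of the pcm.com excerpt above (host names and the 192.0.2.10 address are invented for illustration), and the helpers `qualify`, `parse_zone`, `lint` and `reverse_zone` are names chosen here:

```python
"""Zone-file helper written as an added example for this thread; it is not
code from the list or from BIND. It applies the $ORIGIN / trailing-dot rule
from the replies above, flags the mistakes the thread discusses, and
generates the reverse (PTR) zone the way Ahsan suggests scripting it."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout of the pcm.com zone posted in the thread.
# Two records are deliberate mistakes so the linter has something to find.
FORWARD_ZONE = """\
$TTL    86400
$ORIGIN pcm.com.
@       1D IN SOA ns.pcm.com. root.pcm.com. (
                2004070703      ; serial
                3H 15M 1W 1D )  ; refresh retry expiry minimum
        1D IN NS    ns
        1D IN NS    10.0.1.2    ; mistake: NS data must be a host name
ns      1D IN A     10.0.1.2
nms     1D IN A     10.0.1.25
xxx.pcm.com  1D IN A 10.0.1.30  ; mistake: no trailing dot, so origin is appended
www     1D IN A     192.0.2.10
"""

TTL_OR_CLASS = re.compile(r"^(IN|CH|HS|\d+[smhdwSMHDW]?)$")


def qualify(name, origin):
    """Master-file name rule: '@' is the origin, a name ending in '.' is
    absolute, and anything else has the current $ORIGIN appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def looks_like_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_zone(text, zone_name):
    """Return (records, ttl); records are (owner_fqdn, type, rdata_tokens).
    Handles ';' comments, multi-line '( ... )' records, $TTL, $ORIGIN and
    blank-owner lines that inherit the previous owner."""
    origin = zone_name.rstrip(".") + "."
    ttl, owner, buf, records = None, None, "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comment, keep indent
        if not line.strip():
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue                              # still inside a parenthesised record
        logical, buf = buf.replace("(", " ").replace(")", " "), ""
        fields = logical.split()
        if fields[0] == "$TTL":
            ttl = fields[1]
            continue
        if fields[0] == "$ORIGIN":
            origin = qualify(fields[1], origin)
            continue
        if not logical[0].isspace():              # owner present on this line
            owner = qualify(fields.pop(0), origin)
        elif owner is None:
            raise ValueError("record with blank owner before any owner")
        while fields and TTL_OR_CLASS.match(fields[0]):
            fields.pop(0)                         # optional TTL and class
        records.append((owner, fields[0].upper(), fields[1:]))
    return records, ttl


def lint(records, ttl, zone_name):
    """Flag the problems discussed in the thread."""
    origin = zone_name.rstrip(".") + "."
    doubled = f".{zone_name.rstrip('.')}.{origin}"   # e.g. ".pcm.com.pcm.com."
    problems = []
    if ttl is None:
        problems.append("no $TTL directive; named falls back to the SOA minimum")
    for owner, rtype, rdata in records:
        if owner.endswith(doubled):
            problems.append(f"{owner}: origin appended twice, use a relative name or a trailing dot")
        if rtype in ("NS", "CNAME", "MX", "PTR") and looks_like_ipv4(rdata[-1]):
            problems.append(f"{rtype} for {owner} points at address {rdata[-1]}; must be a host name")
        if rtype == "A" and not looks_like_ipv4(rdata[0]):
            problems.append(f"A record for {owner} has bad address {rdata[0]!r}")
    return problems


def reverse_zone(records):
    """Emit PTR records grouped by /24 under the matching in-addr.arpa
    $ORIGIN, in the layout of the 10.in-addr.arpa file from the thread."""
    by_net = defaultdict(list)
    for owner, rtype, rdata in records:
        if rtype == "A":
            ip = ipaddress.IPv4Address(rdata[0])
            by_net[ipaddress.IPv4Network(f"{ip}/24", strict=False)].append((ip, owner))
    lines = []
    for net in sorted(by_net):
        # reverse_pointer of 10.0.1.0 is '0.1.0.10.in-addr.arpa'; drop the host label
        lines.append(f"$ORIGIN {net.network_address.reverse_pointer.split('.', 1)[1]}.")
        for ip, owner in sorted(by_net[net]):
            lines.append(f"{ip.reverse_pointer.split('.')[0]:<8}PTR     {owner}")
    return lines


if __name__ == "__main__":
    recs, ttl = parse_zone(FORWARD_ZONE, "pcm.com")
    for p in lint(recs, ttl, "pcm.com"):
        print("PROBLEM:", p)
    print("\n".join(reverse_zone(recs)))
```

Running it reports the two planted problems and prints a reverse zone whose $ORIGIN 1.0.10.in-addr.arpa. section matches the one Ahsan posted. The parser only understands the subset of master-file syntax used in the excerpts above (no $INCLUDE, $GENERATE or quoted strings). On a real server the same class of mistake is caught before named is started by named-checkconf and named-checkzone, which ship with BIND 9 and print the parse errors that otherwise only show up in /var/log/messages.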


* Re: setting up bind
  2004-07-09  3:57 ` Glynn Clements
@ 2004-07-10  7:02   ` joy
  0 siblings, 0 replies; 6+ messages in thread
From: joy @ 2004-07-10  7:02 UTC (permalink / raw)
  Cc: linux-admin


Thanks a lot for all the help and advice.

I did whatever you guys told me to, stopping short only of copying
whatever Ahsan had sent.

However, bind STILL refuses to start.
Got my 4th Sem. exams in three days and cannot spend any time on this
right now.
When I return to work, however, I will try to solve it myself, else run
to you guys for help.
So,

I'll be back.

Thanx a lot,

Joy.M.M

