# Help with BIND9

## iExcel

Hello, I followed the HOWTO at http://www.tldp.org/HOWTO/DNS-HOWTO.html to play with the BIND9 I just emerged.

Here go the conf files.

```
/etc/bind/named.conf

options {
        directory "/var/bind";

        // uncomment the following lines to turn on DNS forwarding,
        // and change the forwarding ip address(es) :
        //forward first;
        //forwarders {
        //      123.123.123.123;
        //      123.123.123.123;
        //};

        listen-on-v6 { none; };
        listen-on { 127.0.0.1; };

        // to allow only specific hosts to use the DNS server:
        //allow-query {
        //      127.0.0.1;
        //};

        // if you have problems and are behind a firewall:
        //query-source address * port 53;

        pid-file "/var/run/named/named.pid";
};

zone "." IN {
        type hint;
        file "root.hints";
};

zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        allow-update { none; };
        notify no;
};

zone "127.in-addr.arpa" IN {
        type master;
        file "pri/127.zone";
        allow-update { none; };
        notify no;
};

zone "mydomain.ca" IN {
        type master;
        notify no;
        file "pri/mydomain.ca";
};
```

```
/var/bind/pri/mydomain.ca

;
; Zone file for mydomain.ca
;
; The full zone file
;
$TTL 3D
@       IN      SOA     ns1.mydomain.ca. root.mydomain.ca. (
                        199802151       ; serial, todays date + todays serial #
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds
;
                NS      ns1.mydomain.ca.
                NS      ns2.mydomain.ca.
                MX      10 mydomain.ca.     ; Primary Mail Exchanger
;
localhost       A       127.0.0.1
mydomain.ca.    A       a.b.c.d
ns1             A       a.b.c.d
ns2             CNAME   ns1
mail            CNAME   mydomain.ca.
ftp             CNAME   mydomain.ca.
www             CNAME   mydomain.ca.
```

The problem is that BIND does not resolve the name at all.

```
# dig @ns1.mydomain.ca ftp.mydomain.ca
```

would report a timeout.

```
; <<>> DiG 9.2.2 <<>> @ns1.mydomain.ca ftp.mydomain.ca
;; global options:  printcmd
;; connection timed out; no servers could be reached
```

Can anyone shed some light on this problem? I must have missed something. Thanks in advance!!

----------

## M104

Check the line:

```
listen-on { 127.0.0.1; };
```

I think you probably want to listen on your other IP addresses too.

----------

## adaptr

Hmm.. okay, here we go:

*iExcel wrote:*

> ```
> /etc/bind/named.conf
> ...
> ```

Don't you think it would be a good idea to use the nameservers of your ISP?

It will prevent you having to look up EVERY address yourself...

*iExcel wrote:*

> ```
>         listen-on-v6 { none; };
> ...
> ```

... and this does not give you a clue ?

Only the server machine itself will be able to query this nameserver, which makes it... less than useful.

*iExcel wrote:*

> ```
> /var/bind/pri/mydomain.ca
> ...
> ```

This is set in the /localhost.zone, leave it alone.

*iExcel wrote:*

> ```
> mydomain.ca.         A       a.b.c.d
> ...
> ```

You insist on making it difficult, don't you ?

Give the machine a hostname - don't use the domainname!

F'rinstance:

```
gentoo     IN     A     a.b.c.d
```

Then you can alias all you like, and leave the domain out of it.

*iExcel wrote:*

> ```
> ns1             A        a.b.c.d
> ...
> ```

That is useless - you only have one nameserver.

*iExcel wrote:*

> ```
> mail            CNAME   mydomain.ca.
> ...
> ```

This name will never be used, since it is not the canonical MX name.

What is in your /etc/resolv.conf ?

For a nameserver, make sure ONLY the local machine is in it - else all nameservers will be used in turn, and no other nameserver in the world will give you the right info.

/etc/resolv.conf:

```
domain mydomain.ca
nameserver a.b.c.d
```

No more, no less.

As a minimal start, you could try this:

```
mail    IN  A       a.b.c.d
gentoo      CNAME   mail
ns          CNAME   mail
www         CNAME   mail
ftp         CNAME   mail
@       IN  MX 10   mail    ; apex records need the "@" owner; MX needs a preference value
@       IN  NS      ns
```

There is only one hard rule: an MX record MAY NOT be an alias.

So it would make sense to make mail your "real" hostname (I did), and just alias the rest off that.

If you want you can use the IP for the ns too, but only the MX really needs it.

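As an added illustration for this thread (not code from any poster or from BIND), the script below turns the two points raised in the replies into checks a practitioner could run against a config before restarting named: a `listen-on` that names only loopback, which is exactly why the `dig @ns1.mydomain.ca` in the first post timed out from any other host, and NS or MX records whose target is a CNAME. "An MX record MAY NOT be an alias" is the MX half of RFC 2181 section 10.3; the same rule applies to NS, and the posted zone trips it because `ns2` is a CNAME. The named.conf and zone strings are constructed copies of the posted files, with 192.0.2.10 (a documentation address) standing in for the redacted a.b.c.d; the parser is a deliberately small one written for this example, not BIND's.

```python
"""Sanity checks for the BIND 9 setup posted at the top of this thread.

Added example written for this page, not code from the thread or from BIND.
It parses constructed copies of the poster's named.conf and zone file and
flags (1) a listen-on that names only loopback and (2) NS/MX records whose
target is a CNAME (forbidden by RFC 2181 section 10.3).
"""
import re

# Constructed copy of the relevant named.conf options (a // comment is kept
# on purpose so the parser has to ignore it).
NAMED_CONF = """
options {
        directory "/var/bind";
        // listen-on { any; };    <- commented out, must be ignored
        listen-on-v6 { none; };
        listen-on { 127.0.0.1; };
        pid-file "/var/run/named/named.pid";
};
"""

# Constructed copy of the posted zone; 192.0.2.10 is a placeholder address.
ZONE = """
$TTL 3D
@       IN      SOA     ns1.mydomain.ca. root.mydomain.ca. (
                        199802151       ; serial
                        8H 2H 4W 1D )   ; refresh retry expire minimum
                NS      ns1.mydomain.ca.
                NS      ns2.mydomain.ca.
                MX      10 mydomain.ca.     ; Primary Mail Exchanger
localhost       A       127.0.0.1
mydomain.ca.    A       192.0.2.10
ns1             A       192.0.2.10
ns2             CNAME   ns1
mail            CNAME   mydomain.ca.
www             CNAME   mydomain.ca.
"""


def listen_on_addresses(conf):
    """Addresses in the IPv4 listen-on statement ('any' is BIND's default)."""
    conf = re.sub(r"//[^\n]*", "", conf)                       # drop // comments
    m = re.search(r"\blisten-on(?:\s+port\s+\d+)?\s*\{([^}]*)\}", conf)
    if not m:
        return ["any"]
    return [a.strip() for a in m.group(1).split(";") if a.strip()]


def loopback_only(addrs):
    """True when nothing off-box can query: every entry is loopback or none."""
    return all(a in ("none", "localhost") or a.startswith("127.") for a in addrs)


def fqdn(name, origin):
    """Qualify a zone-file name against the origin (origin ends with '.')."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal master-file parser: returns (owner, type, rdata-tokens) tuples.

    Handles ';' comments, '( ... )' continuation lines, owner names inherited
    from the previous record, and optional TTL/class fields.
    """
    records, owner, pending, depth = [], None, [], 0
    for raw in text.splitlines():
        code = raw.split(";", 1)[0].rstrip()
        if not code.strip():
            continue
        if not pending:                        # first line of a record
            new_owner = not code[0].isspace()  # owner present only at column 0
        pending.append(code)
        depth += code.count("(") - code.count(")")
        if depth > 0:                          # still inside ( ... )
            continue
        tokens = " ".join(pending).replace("(", " ").replace(")", " ").split()
        pending = []
        if tokens[0].startswith("$"):          # $TTL / $ORIGIN directives
            continue
        if new_owner:
            owner = tokens.pop(0)
        while tokens and (tokens[0].upper() == "IN"
                          or re.fullmatch(r"\d+[smhdw]?", tokens[0], re.I)):
            tokens.pop(0)                      # optional TTL and class
        rtype = tokens.pop(0).upper()
        records.append((fqdn(owner, origin), rtype, tokens))
    return records


def aliases_used_as_ns_or_mx(records, origin):
    """(owner, type, target) for every NS/MX whose target is a CNAME owner."""
    cnames = {owner for owner, rtype, _ in records if rtype == "CNAME"}
    return [(owner, rtype, fqdn(rdata[-1], origin))
            for owner, rtype, rdata in records
            if rtype in ("NS", "MX") and fqdn(rdata[-1], origin) in cnames]


def audit(conf, zone, origin):
    """Human-readable findings for a named.conf / zone pair."""
    findings = []
    addrs = listen_on_addresses(conf)
    if loopback_only(addrs):
        findings.append(f"listen-on {{ {'; '.join(addrs)}; }}: only this host can "
                        f"query the server; add its routable address as well")
    for owner, rtype, target in aliases_used_as_ns_or_mx(parse_zone(zone, origin), origin):
        findings.append(f"{owner} {rtype} -> {target}: target is a CNAME "
                        f"(RFC 2181 section 10.3); give it an A record of its own")
    return findings


if __name__ == "__main__":
    for finding in audit(NAMED_CONF, ZONE, "mydomain.ca."):
        print("-", finding)
```

Run it and both findings print; fix the zone by giving `ns2` its own A record (pointing at the same address is fine for the registrar's two-nameserver rule, as the poster later notes) and widen `listen-on` to the routable address, then re-run until `audit` returns an empty list. `named-checkzone` would catch syntax errors but not the CNAME-target rule, which is why a check like this is worth keeping next to the zone files.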
----------

## M104

Actually, I mean add more listen-on{...} lines.

Also, you do have real ip addresses in place of those a.b.c.d's, right?

----------

## iExcel

I added more IP addresses to the listen-on line and it seems to be working!!

I have a real IP address and want to map my own domain to that IP. Since I want to control everything, I decided to set up my own DNS service so that I don't have to rely on my ISP's.

My domain was hosted by djbdns, which has been working great. For bind, I just want to give it a try. 

Thanks again to all the responses!!

----------

## adaptr

*iExcel wrote:*

> I have real IP address and want to map my own domain to that IP.

You can't. You can map your IP to that domain name, but that will only work for you internally - to really control it you must have 2 nameservers running on 2 different networks - this is a requirement, not a recommendation.

*iExcel wrote:*

> Since I want to control everything, I decided to set up my own DNS service so that I don't have to rely on my ISP's.

Because... you have more expertise in these matters ?

They are worthless and don't have decent nameservice ?

So far I haven't heard a single reason not to use their nameservers as much as possible.

----------

## UberLord

You can control everything and still forward to your ISP's nameservers.

I override myhost.demon.co.uk internally so that all requests go to my internal server. This makes sense as externally they end up at the same box anyway.

anotherhost.demon.co.uk is handled by Demon's DNS servers.

adaptr is right - let the ISPs do the job.

However, if your ISP is BT then by all means handle it yourself - as their name servers are crap. My work's ADSL is through BT and their nameservers are up and down like bloody yo-yos.

----------

## fleed

Was he trying to do reverse resolution? Sounds like he just wants domain -> ip resolution from his post... 

IIRC only netsol insisted on 2 ns but I could be mistaken.

Oh, I'd also rather control my own nameservers rather than my ISP. With them I have to email cust support to have it done. Most cases that is too much of a pain. Even if I don't know as much as they might, I will probably still get better service out of myself.

----------

## iExcel

*adaptr wrote:*

> *iExcel wrote:*
>
> > I have real IP address and want to map my own domain to that IP.
>
> You can't. You can map your IP to that domain name, but that will only work for you internally - to really control it you must have 2 nameservers running on 2 different networks - this is a requirement, not a recommendation.

Yes, I can. And I have been doing such for months. Yesterday, I wanted to replace djbdns with bind9. You may not have 2 name servers on 2 different networks. To 'cheat' your registrar, you just fill in 2 different hosts that could point to 1 identical IP address. That's why I have ns1.mydomain.ca and ns2.mydomain.ca point to the same IP address.

*adaptr wrote:*

> *iExcel wrote:*
>
> > Since I want to control everything, I decided to set up my own DNS service so that I don't have to rely on my ISP's.
>
> Because... you have more expertise in these matters ?
> ...

No, I don't have more expertise in these matters and that is the very reason I want to give all the options a try. Isn't it a part of the Linux spirit? Correct me if I am wrong.

----------

## iExcel

*fleed wrote:*

> Was he trying to do reverse resolution? Sounds like he just wants domain -> ip resolution from his post...
>
> IIRC only netsol insisted on 2 ns but I could be mistaken.
>
> Oh, I'd also rather control my own nameservers rather than my ISP. With them I have to email cust support to have it done. Most cases that is too much of a pain. Even if I don't know as much as they might, I will probably still get better service out of myself

I'll try to configure the reverse resolution today or tomorrow with bind9.

A .ca registration requires 2 ns but you can work around it.

----------

## fleed

If you're trying to do reverse resolution then, as UberLord pointed out, it will only work for your internal network unless you are delegated the resolution of your ip block by your isp.

----------

## adaptr

*iExcel wrote:*

> Yes, I can.

No. you. can't.

I think you do not understand the issue, so let me clarify:

- you have an account with an ISP

- the ISP gives you an IP address

- the ISP defines by what name that address is known in their network.

DNS consists of two mutually cooperating databases: the forward database, used to resolve name->address translations, and the reverse database, to translate addresses into names.

You can, by running your own nameserver, substitute your own data for anything related to the name->address mapping, but not the reverse.

If you want to know what the real name of your machine is, try:

```
#dig -x @<ISP's nameserver> your.ip.add.ress
```

You can not change this, since the address is always the more important piece of data, and your ISP controls all the addresses.

In short, yes, you can arbitrarily change the host and domainnames that your system will respond to, but if you don't control the netblocks you use, there is no way you can make real dns work in reverse for you.

*iExcel wrote:*

> No, I don't have more expertise in these matters and that is the very reason I want to give all the options a try. Isn't it a part of the Linux spirit? Correct me if I am wrong.

Yes, that is the Linux spirit - in a way.

You're being a bit stubborn - I try to explain the theory behind the DNS mechanism, and you say: bollocks, I did it this way and I'm right.

That's fine, but it won't change anything about how DNS works...

If you want to run a "real" world-wide approachable nameserver you have to have control of 3 items (and a 4th corollary):

1. control the netblocks you use

2. control the nameservers for your domain

3. own a domain, and for that you have to

4. control at least 2 nameservers

Note that 4 has nothing to do with 2 - I run a nameserver and have a domain, but my registrar just forwards everything to my IP address - cheap and simple.

The nameserver is for me, internally.

In your case, you have registered a domain, had the dns delegated to your "2" nameservers, and you run your own nameserver.

I understood all that, and so far, you're right.

But you do not have your own network connected to an NSP, as your ISP has.

No matter how many addresses you have, their primary names will all be assigned by the ISP.

The only way to remedy that is to ask/pay the ISP to delegate your netblock to you - which they won't do, or ask/pay them to manage the domain, in which case they can and will correct the reverse mappings, but you will have to pay them and you lose direct control over the nameserver issue.

phew </too long>

oh, and finally:

The single most important piece of this puzzle is this:

what does the NS record for your domain point to in the global .ca database?

That alone controls who manages your domain - who it is delegated to.

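To make the forward/reverse split in the post above concrete, here is an added example (not adaptr's code, nor anything from BIND). The forward zone `mydomain.ca` is yours once the registrar delegates it; the PTR for an address lives under `in-addr.arpa`, which follows the netblock, so it is controlled by whoever the ISP delegates that block to. The helpers derive the reverse zone name for a block and decide whether a given PTR falls inside any zone delegated to you. They go beyond the single-address case in the thread by also handling the RFC 2317 classless form an ISP uses when it hands a customer less than a /24. Addresses are from the 192.0.2.0/24 documentation range, chosen as placeholders; the poster's real address is redacted on the page.

```python
"""Which in-addr.arpa zone would have to be delegated to you.

Added example for this thread, not adaptr's code or anything from BIND.
Blocks and addresses below are constructed placeholders from 192.0.2.0/24.
"""
import ipaddress


def reverse_zone(cidr):
    """in-addr.arpa zone name covering an IPv4 block, with a trailing dot.

    Octet-aligned prefixes (/8, /16, /24) give the plain reversed name; blocks
    smaller than a /24 use the RFC 2317 classless convention, e.g. the ISP
    keeps 2.0.192.in-addr.arpa and delegates 64/26.2.0.192.in-addr.arpa.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only; IPv6 reverse mapping lives under ip6.arpa")
    octets = str(net.network_address).split(".")
    if net.prefixlen in (8, 16, 24):
        kept = octets[: net.prefixlen // 8]
        return ".".join(reversed(kept)) + ".in-addr.arpa."
    if net.prefixlen > 24:
        parent = ".".join(reversed(octets[:3]))
        return f"{octets[3]}/{net.prefixlen}.{parent}.in-addr.arpa."
    raise ValueError("prefixes between /8 and /24 span several octet-aligned zones")


def zone_to_network(zone):
    """Inverse of reverse_zone: the IPv4 block a reverse zone name covers."""
    labels = zone.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an in-addr.arpa zone: {zone}")
    labels = labels[:-2]
    if "/" in labels[0]:                              # RFC 2317 classless zone
        first, plen = labels[0].split("/")
        octets = list(reversed(labels[1:])) + [first]
        return ipaddress.ip_network(f"{'.'.join(octets)}/{plen}")
    octets = list(reversed(labels)) + ["0"] * (4 - len(labels))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{8 * len(labels)}")


def ptr_owner(ip):
    """Owner name of the PTR for one address: what `dig -x` asks for."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def controls_reverse(ip, delegated_zones):
    """True only if a zone delegated to you contains the PTR for `ip`.

    With no delegation (the poster's case) this is False no matter what the
    local named serves: other resolvers never ask that server for PTRs.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in zone_to_network(z) for z in delegated_zones)


if __name__ == "__main__":
    print(ptr_owner("192.0.2.10"))                      # what the ISP's server answers for
    print(reverse_zone("192.0.2.0/24"))                 # zone the ISP would have to delegate
    print(controls_reverse("192.0.2.10", []))           # no delegation: False
    print(controls_reverse("192.0.2.10", ["2.0.192.in-addr.arpa."]))
```

`controls_reverse` is the test to run before spending time on a reverse zone: unless it returns True for a zone the ISP has actually delegated (verify with `dig NS` against the parent, not against your own server), a `127.in-addr.arpa`-style zone for your public block is visible only to resolvers that are pointed at your named, which is what the poster confirms at the end of the thread.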
----------

## iExcel

You're right, dude.

I tried to configure the reverse resolution but, as you said, it is only valid within my network.

Anyway, my goal is realized that mydomain.ca can be mapped to the IP address I have.

Thanks again for the long explanation that benefits me a great deal!

----------

