# bind as NS on a root server

## Armageddon

Hi all,

I have a rootserver running on Gentoo.

Now I want to use this rootserver as a nameserver, because at my domain provider I can only insert one IP for a domain, but now I need to manage the subdomains of that domain.

I read on various pages from Google that bind can solve my problems.

But how do I set up bind so that bind forwards the subdomains to other servers?

I will be very pleased if someone can help me.

best regards

Armageddon

----------

## adaptr

 *Armageddon wrote:*   

> Hi all,
> 
> I have a rootserver running on Gentoo.

 

I have no idea what you mean by this.

 *Armageddon wrote:*   

> Now I want to use this rootserver as a nameserver, because at my domain provider I can only insert one IP for a domain, but now I need to manage the subdomains of that domain.

 

Slightly better, but one fact stands out: you only have 1 IP for the domain.

 *Armageddon wrote:*   

> I read on various pages from Google that bind can solve my problems.

 

I don't know about "solving your problems"; BIND is not a problem solver, it's a nameserver...  :Wink: 

 *Armageddon wrote:*   

> But how do I set up bind so that bind forwards the subdomains to other servers?

 

This is only possible if you are authoritative for the domain in the first place.

If your setup is such that the ISP runs the nameserver but forwards the domain to your IP then there is nothing - positively nothing - you can do to influence any of this.

The use of this is limited anyway since you say you only have one IP for the domain.

What would you have the subdomains point to if not that IP ?

----------

## Armageddon

OK, sorry, my English isn't very good.

The question was:

I have a domain

In the web interface of my provider I can insert an IP. My rootserver.

From that server I want to point a subdomain of my domain to another server.

For that I want to use bind and want to know if that is possible.

Sorry for mistakes.

----------

## d_m

Yes, you can use BIND as a world-accessible nameserver and have it pointed to by your ISP as the authoritative server for your domain-name. In general, you will probably need another server (a friend or something) since DNS usually requires a back-up nameserver for each domain.

BIND comes with some examples which help you get set up with it. If you have specific problems with it you should ask about those.

----------

## adaptr

 *Armageddon wrote:*   

> OK, sorry, my English isn't very good.

 

Not a problem.

 *Armageddon wrote:*   

> The question was:
> 
> I have a domain
> 
> In the web interface of my provider I can insert an IP. My rootserver.

 

Still no idea what a "rootserver" is.

 *Armageddon wrote:*   

> From that server I want to point a subdomain of my domain to another server.

 

That is possible - if you are authoritative for that domain, i.e. you run the nameserver for it.

At this point you do not, and it is not always a given that your ISP even supports or allows this.

Like d_m said, if they allow you to do so then you will need at least one other nameserver that holds the same data.

 *Armageddon wrote:*   

> For that I want to use bind and want to know if that is possible.

 

Of course - BIND is a nameserver; that is what a nameserver does.

----------

## Armageddon

OK, thank you all for your answers.

I didn't know that the word rootserver doesn't belong to the English language.

Rootserver means that you have a server somewhere in a computer center and have root access to that server.

OK

I've got the first problems.

I emerged bind and I read that bind listens on port 53, but my port 53 doesn't listen to anything?

----------

## adaptr

You have to start the server:

```
rc-update add named default

/etc/init.d/named start
```

But you really should configure it first.

----------

## Armageddon

It runs and I have configured it, I thought so.

Here are my configs:

/etc/bind/named.conf

```
options {
        directory "/var/bind";

        // uncomment the following lines to turn on DNS forwarding,
        // and change the forwarding ip address(es) :
        //forward first;
        //forwarders {
        //      123.123.123.123;
        //      123.123.123.123;
        //};

        listen-on-v6 { none; };
        listen-on { 127.0.0.1; };
        query-source address * port 53;

        // to allow only specific hosts to use the DNS server:
        //allow-query {
        //      127.0.0.1;
        //};

        // if you have problems and are behind a firewall:
        //query-source address * port 53;

        pid-file "/var/run/named/named.pid";
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        allow-update { none; };
        notify no;
};

zone "127.in-addr.arpa" IN {
        type master;
        file "pri/127.zone";
        allow-update { none; };
        notify no;
};
```

But when I do a port scan, port 53 is closed...

How must a zone look if I want to forward this zone?

----------

## adaptr

```
listen-on { 127.0.0.1; }; 
```

is pretty self-explanatory.

It only listens on the localhost interface, not on the network.

The forward zone type can be used to forward queries for a particular zone to another server.

Read the bind manual for more details on this.

----------

## d_m

If a port scan shows it closed, run this command on the server:

```
netstat -an | grep LISTEN | grep 53
```

It could be your ISP is blocking that port.

Also, no worries about the "rootserver" confusion. In English, it sounded like you meant "root nameserver". There are a very small number of those and they run the entire DNS system for the internet. The idea that someone who "had" one of those would be asking about BIND on the Gentoo forum was sort of strange ;)

Good luck.

----------

## adaptr

 *d_m wrote:*   

> Also, no worries about the "rootserver" confusion. In English, it sounded like you meant "root nameserver". There are a very small number of those and they run the entire DNS system for the internet. The idea that someone who "had" one of those would be asking about BIND on the Gentoo forum was sort of strange 

 

My first thought was of a Windows root DC.

Your explanation probably makes more sense in the context, but was rejected by me as insane  :Wink: 

----------

## Armageddon

OK

It seems like my name server is listening:

```
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
```

But I specified 2 other IPs in named.conf in

```
listen-on { 127.0.0.1; 83.246.***.***; 83.246.***.***; };
```

But netstat doesn't show me that the daemon is really listening on those IPs too?

Big thanks for your help! Thanks a lot

----------
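The check d_m suggested (`netstat -an | grep LISTEN | grep 53`) and the mismatch Armageddon then saw between `listen-on` and what is actually bound can be automated. The script below is an added example, not code from the thread: it pulls the IPv4 `listen-on` addresses out of a named.conf text, parses netstat output, and reports every configured address that has nothing bound on the DNS port. The named.conf fragment, the netstat lines and the 192.0.2.x addresses are constructed samples, chosen to reproduce the thread's symptom (named bound to loopback only).

```python
import re

# Constructed sample named.conf fragment (not the poster's config; the two public
# addresses use the 192.0.2.0/24 documentation range as placeholders).
NAMED_CONF = """\
options {
        directory "/var/bind";
        listen-on-v6 { none; };
        listen-on { 127.0.0.1; 192.0.2.10; 192.0.2.11; };
        pid-file "/var/run/named/named.pid";
};
"""

# Constructed sample of `netstat -an | grep LISTEN`, mirroring the thread's
# symptom: named is bound to loopback only, plus its rndc control channel on 953.
NETSTAT_OUT = """\
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

# Matches the IPv4 listen-on statement (not listen-on-v6), with an optional port.
LISTEN_ON_RE = re.compile(r"\blisten-on(?!-v6)\s*(?:port\s+(\d+))?\s*\{([^}]*)\}")


def configured_listeners(conf):
    """Return (port, addresses) that named was told to listen on.

    Without a listen-on statement BIND listens on every interface, which is
    represented here as {"any"}. ACL names inside the braces are not expanded.
    """
    m = LISTEN_ON_RE.search(conf)
    if not m:
        return 53, {"any"}
    port = int(m.group(1) or 53)
    addrs = {a.strip() for a in m.group(2).split(";") if a.strip()}
    return port, addrs


def bound_tcp_listeners(netstat):
    """Parse netstat -an output into a set of (address, port) in LISTEN state."""
    found = set()
    for line in netstat.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6") or parts[-1] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")   # "127.0.0.1:53" -> ("127.0.0.1", "53")
        found.add((addr, int(port)))
    return found


def missing_listeners(conf, netstat):
    """Addresses named in listen-on that nothing is bound to on the configured port."""
    port, want = configured_listeners(conf)
    have = bound_tcp_listeners(netstat)
    if ("0.0.0.0", port) in have:
        return set()            # a wildcard socket covers every address
    if "any" in want:
        return {"any"}          # expected a wildcard socket, found none
    return {a for a in want if (a, port) not in have}


if __name__ == "__main__":
    gap = missing_listeners(NAMED_CONF, NETSTAT_OUT)
    if gap:
        # In the thread the cause was a second named.conf inside the chroot: if a
        # configured address is not bound, the running named did not read this file.
        print("configured but not bound:", ", ".join(sorted(gap)))
    else:
        print("all configured listen-on addresses are bound")
```

On a real host, replace the two constants with the contents of the named.conf the init script actually points at (in a chroot setup that is the copy under the chroot, as the thread later found) and the output of `netstat -an`. Only TCP sockets are checked; netstat does not print a LISTEN state for UDP, and named always opens both, so a TCP listener on an address is a good proxy for the UDP one.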

## d_m

I'd try restarting BIND (/etc/init.d/named restart) and then check /var/log/messages. You may get some error or something. BIND is really picky about the configuration file it uses.

Also, try commenting out that line. I think that by default BIND listens on all interfaces.

Good luck.

----------

## Armageddon

If I comment it out, it starts, saying:

```
Feb 14 20:08:50  named[5011]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 14 20:08:50  named[5011]: command channel listening on 127.0.0.1#953
```

Uncommented: the same.

----------

## d_m

I assume your other interfaces are working, i.e. that "ifconfig -a" returns eth0, eth1, etc. and that they have the IP addresses that you are configuring?

Just for reference, here is the first part of my named.conf file. This was originally on a NetBSD server, and I hand-made the config, so ignore unimportant differences:

```
acl scams { 0.0.0.0/8; 192.168.0.0/16; 10.0.0.0/8; 172.16.0.0/12; };
acl servers { 66.X.Y.A; 66.X.Y.B; };
acl self { 66.X.Y.A; 127.0.0.1; };
acl slaves { 66.X.Y.B; };

options {
   directory "/var/bind";
   listen-on-v6 { none; };
   listen-on port 53 { self; };
   allow-query { self; servers; };
   allow-transfer { slaves; servers; };
   allow-recursion { self; servers; };

   // if you have problems and are behind a firewall:
   //query-source address * port 53;

   pid-file "/var/run/named/named.pid";
};

controls { };
```

NOTE: I am using allow-query there to limit restrictions... in the various zone declarations I allow queries from the outside world. You should not use that directive unless you override it with "allow-query { any };" in the specific zones you are the authority for. This server is only used for serving my domains... so it does not do recursive lookups (i.e. www.google.com) for other hosts.

Anyway, I hope this helps. Your problem is strange. I think it is important to determine if BIND is even using your config file or not.

Good luck.

----------

## Armageddon

I solved the listening problem...

I started it in a chroot and the config wasn't in the chroot dir, so I copied it all and it seems to work; it also listens now on the interfaces I wanted it to listen on!

Big sorry for that great mistake!

But I've got another problem.

At my provider for domains I can insert one IP; this IP is now on my server, but I wanted to forward the subdomains to another IP

and I don't understand how that zone has to look, and the man page doesn't really help me, or I am not a capable reader  :Sad: 

On the other server bind is also running.

----------

## Armageddon

OK, I found something that works

but it works very strangely

because

I can ping the subdomain and it goes to the other server.

Why on earth is the surf result not the same as the ping result?

----------

## d_m

OK, I'm not entirely sure I understand what you're asking. So here is my understanding of DNS, and you can fill-in what you need:

1. When you register a domain (like example.com) there is a company called a registrar that you do this with.

2. When you get an internet connection (with one or more static IP addresses) it is provided by a company called an ISP (internet service provider).

3. Your registrar can provide many different services, like matching "example.com" to an IP address (using their own DNS servers), providing email forwarding (translating me@example.com into me@real-address.com), or other services.

4. Many registrars will also allow you to specify your own DNS servers to use for your domain (example.com) instead of using theirs (which are used by default). You are required to have at least 2 such servers and could have as many as 6-7. You would need to specify IP addresses for these.

5. If you set up your own DNS servers and get the registrar to point your domain to your servers (as in 4) then you can specify as many subdomains, hosts, or other things as you want, as per BIND configuration. This would allow you to specify mailhosts, etc. and also forward subdomains (like sub.example.com) to another DNS server to deal with.

6. In 5, you can map names (www.example.com) to numbers (1.2.3.4). However, you can't do the other yourself. If you want 1.2.3.4 to reverse-lookup to www.example.com, you need to contact your ISP and have them do that (since they "own" the IP address and are licensing it to you, their DNS server controls how the rest of the world sees your IP).

7. Once you have told your registrar to use your DNS servers (by giving them IP addresses for 2 or more servers) and you have gotten your ISP to put in the proper hostnames for your IP addresses that you are using, then all you have to do is set up BIND to do everything you want.

Whew.

So what I am confused about, is that you want to be doing (4), but when you say "at my provider for domains i can insert one ip" I think you are actually talking about something like (3). Also, I'm not sure if you are talking about your registrar (1) or your ISP (2), or if these two things are the same and you have registered your domain through your ISP (which is not unheard-of but is strange).

Anyway, I hope this helps clarify things.

----------

## Armageddon

OK

Completely new:

I have a domain called example.com

That domain is registered and points to my server

1-3 in your answer

and I want to have a subdomain pointing to another server

I think this is 5 in your answer

How must my zonefile look for the subdomain I wanted to forward?

because when I say:

```
zone "subdomain.example.com" IN {
        type forward;
        // the directive is spelled "forwarders": the server(s) queries for this zone are sent to
        forwarders { xxx.yyy.aaa.bbb; };
};
```

I don't get a message that this zone is loaded; the other zones were loaded

and I think I can use bind to forward my subdomain to another server

----------

## d_m

 *Armageddon wrote:*   

> ok
> 
> Completely new:
> 
> i have a domain called example.com
> ...

 

Without 4 you can't do 5 yourself (with your own server). Your registrar might allow you to create subdomains which would be stored on *its* DNS servers, but your DNS server(s) won't be used unless you do 4. Also, if you do 4 and your own server is not working (or setup properly), your current server (example.com) will not be found until you get it set up right.

You need to go to your registrar's website and look for a "nameservers" section or something like that. There should be spaces for you to input two or more IP addresses.

If you can't find a place to do 4 on your registrar's site, I think you should try to contact them and talk with them about this. I don't want to lead you astray, and once you do 4, then you will *have* to get BIND working or else nothing (not even example.com) will work.

----------

## Armageddon

OK, I think I understood what you wanted to say to me.

I thought I could do:

```
zone "subdomain.example.com" IN {
        type forward;
        // the directive is spelled "forwarders": the server(s) queries for this zone are sent to
        forwarders { xxx.yyy.aaa.bbb; };
};
```

I don't get a message that this zone is loaded; the other zones were loaded

because the registrar of my domain, with his nameservers, said to me

that I can handle my subdomains as I want and that it is possible that I forward them.

Is there maybe another way how I can forward subdomains?

----------

## d_m

OK, well, if the registrar is letting you handle sub-domains, then I guess it will work (that would be 4 then).

In BIND, the "forwarder" option is used to pass control off to another DNS server (in most cases so you can use your ISP's servers to do lookups but provide DNS for your own domains). I don't think you want that.

If you could email me your IP addresses and domain names then I could do some checking and figure out what your set up is. Otherwise, I fear this will take a lot longer. My email is d_m <AT> plastic-idolatry.com.

----------
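The thread ends without showing the zone layout. What d_m's point 5 describes (handing sub.example.com to the other server's BIND) is a delegation: NS records for the subdomain in the parent zone plus a glue A record, not a `type forward` zone, which only relays lookups to another resolver. The following is an added example, not configuration from the thread or from either poster; example.com, ns1/ns2, ns.sub and every 192.0.2.x / 198.51.100.x address are placeholders. It keeps d_m's ACL pattern: anyone may query the zone this server is authoritative for, but recursion and zone transfers are limited to known addresses, so the server does not become an open resolver for the rest of the internet.

```conf
// ---- named.conf on the server the registrar's NS entries point at (example) ----
acl self      { 127.0.0.1; 192.0.2.10; };     // this host
acl secondary { 192.0.2.20; };                // the backup nameserver (ns2)

options {
        directory "/var/bind";
        listen-on-v6 { none; };
        listen-on { 127.0.0.1; 192.0.2.10; };   // public address, not only loopback
        allow-query { any; };                   // the world may ask about our zones ...
        allow-recursion { self; };              // ... but only we may use it as a resolver
        allow-transfer { secondary; };          // full zone copies only to ns2
        pid-file "/var/run/named/named.pid";
};

zone "example.com" IN {
        type master;
        file "pri/example.com.zone";
        allow-update { none; };
        notify yes;                             // tell ns2 when the serial changes
};

// ---- /var/bind/pri/example.com.zone on the same server (example) ----
//
// $TTL 3600
// @       IN SOA  ns1.example.com. hostmaster.example.com. (
//                 1          ; serial, increase on every change
//                 3600       ; refresh
//                 900        ; retry
//                 604800     ; expire
//                 3600 )     ; negative-answer TTL
//         IN NS   ns1.example.com.
//         IN NS   ns2.example.com.
//         IN A    192.0.2.10
// ns1     IN A    192.0.2.10
// ns2     IN A    192.0.2.20
// www     IN A    192.0.2.10
//
// ; delegation: sub.example.com is answered by the other server's BIND.
// ; ns.sub lives inside the delegated name, so the glue A record is required.
// sub     IN NS   ns.sub.example.com.
// ns.sub  IN A    198.51.100.5

// ---- named.conf on the other server (198.51.100.5), which owns the subdomain ----
zone "sub.example.com" IN {
        type master;
        file "pri/sub.example.com.zone";
        allow-update { none; };
};

// ---- /var/bind/pri/sub.example.com.zone on the other server (example) ----
//
// $TTL 3600
// @       IN SOA  ns.sub.example.com. hostmaster.example.com. ( 1 3600 900 604800 3600 )
//         IN NS   ns.sub.example.com.
//         IN A    198.51.100.5
// ns      IN A    198.51.100.5
// www     IN A    198.51.100.5
```

The zone files are shown commented inside the one block only to keep both syntaxes together; strip the leading `// ` when saving them. If the registrar keeps example.com on its own servers (d_m's case 3) instead of pointing NS at this machine (case 4), the same two records, `sub IN NS ns.sub.example.com.` and `ns.sub IN A 198.51.100.5`, are what goes into its web interface, and this server's `zone "example.com"` stanza is not needed at all. ns2 needs a matching `type slave` stanza with `masters { 192.0.2.10; };`. Run `named-checkconf` and `named-checkzone example.com /var/bind/pri/example.com.zone` before restarting named; a delegation whose glue address is wrong makes every name under sub.example.com unresolvable while the parent keeps answering, which is the "works for ping but not in the browser" kind of symptom worth ruling out first.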

## Armageddon

OK, mail sent.

I hope it will be received, because I have problems with my rDNS at the moment, so often my mails end up in a spam folder.

Big thanks for your help

----------

## d_m

Got your mail--reply sent!

If you don't get it, I can post it here (or send it somewhere else).

Good luck.

----------

