[ale] DNS/BIND/domain HELP!

Michael H. Warfield mhw at WittsEnd.com
Sun Jan 17 23:12:19 EST 2010


On Sun, 2010-01-17 at 19:22 -0500, Paul Cartwright wrote: 
> ok, so I dropped my domain host, and setup my Debian server to host my own 
> domain. No email... I have my domain registrar setup, but I need DNS/BIND 
> setup ( I think??)

> my debian box is behind my router, which now has a static IP 208.65.88.107

No good.  Cannot ping that IP address.  No traceroute to it.  If that's
by intent, that's your first mistake(s).  Fix it/them.  ICMP must not be
blocked for reasonable administrative functions.  Traceroute probably
shouldn't be dumped either, but that's not nearly as fatal.  Dropping ICMP
echo is actually a security problem (you become a "black hole address"
which can be abused to attack others).

> I have BIND now up and running, but it has been 15 years since I've worked 
> with DNS..
> here is what I have: dig pcartwright.com:
> ;; QUESTION SECTION:
> ;pcartwright.com.		IN	A
> 
> ;; ANSWER SECTION:
> pcartwright.com.	604800	IN	A	208.65.88.107

> ;; AUTHORITY SECTION:
> pcartwright.com.	604800	IN	NS	ns1.example.com.
> pcartwright.com.	604800	IN	NS	ns2.example.com.

Seriously?!?!

   Domain servers in listed order:

   NS1.PCARTWRIGHT.COM          208.65.88.107
   NS2.PCARTWRIGHT.COM          208.65.88.107

That's a disaster looking for a place to happen.  We WANT people to have
DNS servers on different networks.  We DON'T like it when both (or more)
are on the same network / subnet (just ask MicroSoft).  In essence
you're fudging by providing two DNS server names mapped to the same IP
address (which used to be prohibited).  Seriously, that's very VERY bad
even for personal sites.

> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Sun Jan 17 19:11:32 2010
> ;; MSG SIZE  rcvd: 93
> 
> here is my current config files:
> /etc/bind/named.conf.local
> zone "pcartwright.com" {
>        type master;
>        file "/etc/bind/pcartwright.com.db";
> };
> zone "107.88.65.208.IN-ADDR.ARPA" {
>        type master;
>        file "/etc/bind/208.65.88.107.rev";
> };

And, seriously...

AtlanticNexus has delegated the reverse lookup of a single IP address
back to you?  I don't think so.  And you're trying to define an entire
zone for the single reverse address, 107.88.65.208.IN-ADDR.ARPA, and you
think they've installed NS records to delegate that reverse to you?
Holy polluted namespaces, batman...  I don't see any delegations out of
them under their /22 toward you at all.

Yeah, that's not happening:

[root at mtking ~]# dig -type soa -x 208.65.88.107
;; Warning, ignoring invalid type ype

; <<>> DiG 9.6.1-P2-RedHat-9.6.1-13.P2.fc12 <<>> -type soa -x
208.65.88.107
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59985
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;soa. IN A

;; AUTHORITY SECTION:
. 10800 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2010011701
1800 900 604800 86400

;; Query time: 100 msec
;; SERVER: 130.205.38.61#53(130.205.38.61)
;; WHEN: Sun Jan 17 23:04:53 2010
;; MSG SIZE  rcvd: 96

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23192
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;107.88.65.208.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
88.65.208.in-addr.arpa. 2681 IN SOA atnex01.atlanticnexus.net.
admin.atlanticnexus.net. 110 900 600 86400 3600

;; Query time: 2 msec
;; SERVER: 130.205.38.61#53(130.205.38.61)
;; WHEN: Sun Jan 17 23:04:53 2010
;; MSG SIZE  rcvd: 111


> any hints/tips/corrections/suggestions?

1) You should have tested this long before cutting over.  You can spin
up a DNS server on an IP and test it from another before you make it
authoritative and cut your registrations over.  Epic fail.

2) Get a decent secondary.  There are several services out there like
no-ip and dyndns who will host secondaries for you for CHEAP if you
can't manage it with your own resources.  If you don't have the
facilities to provide yourself with decent DNS service, it's hard to
justify the effort to diagnose why your duct tape and chewing gum
solution doesn't work.  Then test against that secondary and verify that
they ARE working and they ARE getting your zone transfers.

> I thought atnex was giving me a ptr file for 
> mail.pcartwright.com ->pcartwright.com but I'm not sure it is still there..

A what?  A PTR file?  There are several things wrong with that
statement, if you know DNS...

1) It's not a file, it's a record, and PTR records map addresses back to
names.  You're not indicating an address to a name and that would have
no impact on this.

2) Redirecting a name to a name would be a CNAME or an MX (the case of
mail).  You need to have your terminology straight.

3) How in blue blazes would atnex be able to do anything when neither of
YOUR "nameservers" (all "one" of them) is reachable from the net?

4) How would atnex give you anything when you've taken authoritative
control of the name registration and pointed it at your non-reachable
nameserver?

5) The address you provided has NO PTR record at all (not that it's
relevant for these purposes)!

host 208.65.88.107
Host 107.88.65.208.in-addr.arpa. not found: 3(NXDOMAIN)

You dug a hole and climbed into it with no ladder and tested no escape
route before pulling the dirt in over your head.  Time to start
evaluating first principles was before you did this.  Time to start over
again.


Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
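The two defects Mike points at above (both NS names glued to a single address on one network, and a reverse zone declared in named.conf below a parent zone that never delegated it) as a pre-cutover check. This is an added example, not code from the thread; the second nameserver address 198.51.100.10, the `min_servers`/`prefixlen` thresholds, and the trimmed dig excerpt are constructed here.

```python
"""Pre-cutover checks for a self-hosted zone (added example, not from the thread)."""
import ipaddress
import re

# Constructed from the registrar glue quoted in the thread: two NS names, one address.
NS_GLUE = {"ns1.pcartwright.com": "208.65.88.107",
           "ns2.pcartwright.com": "208.65.88.107"}

# Constructed excerpt of the `dig -x` answer quoted in the thread (the ISP's SOA).
DIG_PTR_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23192
;; QUESTION SECTION:
;107.88.65.208.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
88.65.208.in-addr.arpa. 2681 IN SOA atnex01.atlanticnexus.net. admin.atlanticnexus.net. 110 900 600 86400 3600
"""

def nameserver_issues(glue, min_servers=2, prefixlen=24):
    """Flag an NS set with too few distinct addresses, or with every address in one network."""
    issues = []
    addrs = {ipaddress.ip_address(ip) for ip in glue.values()}
    if len(addrs) < min_servers:
        issues.append(f"{len(glue)} NS names but only {len(addrs)} distinct address(es)")
    nets = {ipaddress.ip_network(f"{a}/{prefixlen}", strict=False) for a in addrs}
    if len(nets) < 2:
        issues.append(f"all nameservers sit inside one /{prefixlen}")
    return issues

def reverse_zone(ip, prefixlen):
    """in-addr.arpa zone covering ip at an octet-aligned prefix length (/8, /16, /24, /32)."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    return ".".join(reversed(octets[: prefixlen // 8])) + ".in-addr.arpa."

def authority_zone(dig_output):
    """Apex of the SOA in dig's AUTHORITY SECTION: the zone that actually answered."""
    m = re.search(r"^(\S+)\s+\d+\s+IN\s+SOA\s", dig_output, re.M)
    return m.group(1).lower() if m else None

def reverse_delegation_issue(local_zone, dig_output):
    """A reverse zone declared locally only matters if its parent delegated it."""
    status = re.search(r"status:\s*(\w+)", dig_output)
    parent = authority_zone(dig_output)
    local = local_zone.lower().rstrip(".") + "."
    if parent and local != parent and local.endswith("." + parent) \
            and status and status.group(1) == "NXDOMAIN":
        return f"{local} lies under {parent}, whose server answered NXDOMAIN: not delegated"
    return None
```

Run `nameserver_issues(NS_GLUE)` and `reverse_delegation_issue("107.88.65.208.IN-ADDR.ARPA", DIG_PTR_OUTPUT)` against the thread's values and both report a problem; swap in a second address on another network and a reverse zone equal to the parent's apex and both come back clean.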