topic Re: problem with DNS slave zone in Operating System - Linux

problem with DNS slave zone

Sunny Jaisinghani — Wed, 24 Mar 2010 06:16:05 GMT

Hello All,

I have a setup which has 2 DNS servers located in India(windows) and US(Linux).

For Indian employees INDIA server acts as primary DNS and US server acts as secondary. Opposite is the case for US employees.

Recently, a case was reported; the US employees are not able to resolve names of servers in INDIA domain

Now there are 3 zones on US server. 1 is forward lookup, 1 reverse lookup and 1 slave zone.
i restarted the named service and checked logs. I have both IN server and US server as masters in named.conf for slave zone.

Mar 23 21:43:50 USserver named[29352]: zone INDIA.xxx.com/IN: refresh: unexpected rcode (SERVFAIL) from master US_IP#53
Mar 23 21:43:51 USserver named[29352]: transfer of 'INDIA.xxx.com/IN' from IN_IP#53: failed while receiving responses: REFUSED
Mar 23 21:43:51 USserver named[29352]: transfer of 'INDIA.xxx.com/IN' from IN_IP#53: end of transfer
Mar 23 21:44:37 USserver named[29352]: zone INDIA.xxx.com/IN: refresh: unexpected rcode (SERVFAIL) from master US_IP#53
Mar 23 21:44:38 USserver named[29352]: transfer of 'INDIA.xxx.com/IN' from IN_IP#53: failed while receiving responses: REFUSED
Mar 23 21:44:38 USserver named[29352]: transfer of 'INDIA.xxx.com/IN' from IN_IP#53: end of transfer

from the above logs i assumed that there is something wrong with my slave zone file. I tried to correct it but it went in vain.

Now i am planning to create a fresh slave zone on US server.

Can you direct me.

Thanks
Sunny

Re: problem with DNS slave zone

Matti_Kurkela — Wed, 24 Mar 2010 13:27:18 GMT

> USserver named[29352]: zone INDIA.xxx.com/IN: refresh: unexpected rcode (SERVFAIL) from master US_IP#53

If I understand this correctly, here the US server is trying to refresh INDIA.xxx.com zone file from itself. This makes no sense: looks like the US server is trying to be both a slave and a master for INDIA.xxx.com simultaneously!

> USserver named[29352]: transfer of 'INDIA.xxx.com/IN' from IN_IP#53: failed while receiving responses: REFUSED
> USserver named[29352]: transfer of 'INDIA.xxx.com/IN' from IN_IP#53: end of transfer

Here, the server in India (IN_IP) apparently refuses to give a copy of the zone file to the US server.

I'd guess the problem is probably with the configuration, not with the zone file. There may also be some problems with the IN server, because it is rejecting the zone transfer request made by the US server.

You say you have both the IN server and the US server as masters? This sounds suspicious: unless there is some external protocol for synchronization between the masters, there can be only one real master server. Active Directory in the Windows world has its own methods for data synchronization, and therefore Active Directory servers can be used as multiple master DNS servers.

It is possible to create a multi-tier DNS replication hierarchy by configuring the master of a slave zone be another slave server, but such a hierarchy must not have loops in it.

Your definition of the "slave zone" sounds ambiguous. By the log, I understand you apparently mean something like "the US server has a slave copy of the INDIA.xxx.com forward lookup zone".

There are two independent ways to classify DNS zone files.

1.) Master/slave:
The master zone file is the ultimate authority of that particular zone. If a DNS server holds a master file for a zone, it by definition knows everything there is to know about that zone.

The slave zone file is a copy of the master zone file. If a DNS server holds a slave file for a zone, it knows that the true master copy is on some other server, and this server must periodically check with that other server for updates.

2.) Forward/reverse lookup:
A forward lookup zone file includes many types of records, but primarily A records.

A reverse lookup zone file primarily contains PTR records.

Therefore, there can be four types of zone files:
- master forward lookup
- master reverse lookup
- slave forward lookup
- slave reverse lookup

Or alternatively, it could be said that "master/slave" is about the server's role regarding this particular zone, while "forward/reverse" is about the content of the zone.

MK

Re: problem with DNS slave zone

Sunny Jaisinghani — Thu, 25 Mar 2010 03:57:41 GMT

Hello,

I created a fresh slave zone on the DNS master(linux). Here is the zone file that was created.

[root@ferrari named]# more db-XXbhqnHu
$TTL 86400
INDIA.xxx.com IN SOA usj-pn-sn-01.INDIA.xxx.com hostmaster.INDIA.xxx.com (
2 ; serial
28800 ; refresh
14400 ; retry
3600000 ; expire
86400 ; ttl
)

ganges IN A 192.168.10.20

******************************************

Here usj-pn-sn-01 is the secondary DNS server(windows) and i am trying to resolve ganges.INDIA.xxx.com

[root@ferrari named]# host ganges.INDIA.xxx.com
Host ganges.INDIA.xxx.com not found: 2(SERVFAIL)

LOGS

Mar 24 19:52:35 ferrari named[2055]: zone INDIA.xxx.com/IN: refresh: unexpected rcode (SERVFAIL) from master 10.1.1.10#53

/etc/named.conf

zone "INDIA.xxx.com" {
type slave;
file "INDIA.xxx.com.zone";
allow-transfer {
10.1.1.10;
};
masters {
10.1.1.10 ;
};
};

What is wrong with the configuration

telnet from master DNS to secondary DNS on port 53 also works

Re: problem with DNS slave zone

Sunny Jaisinghani — Thu, 25 Mar 2010 04:14:03 GMT

Also, when i created a new slave zone as INDIA.xxx.com
a file with name db-XXbhqnHu is created under /var/named

Isn't this strange?
A zone file INDIA.xxx.com.zone should be created ideally.

Re: problem with DNS slave zone

Matti_Kurkela — Thu, 25 Mar 2010 06:19:14 GMT

I am still uncertain whether 10.1.1.10 is usj-pn-sn-01.INDIA.xxx.com, or "ferrari" (where the next log message is from).

> Mar 24 19:52:35 ferrari named[2055]: zone INDIA.xxx.com/IN: refresh: unexpected rcode (SERVFAIL) from master 10.1.1.10#53

Here your DNS server daemon on host "ferrari" was trying to get a fresh copy of the INDIA.xxx.com zone from 10.1.1.10, but got an error code from 10.1.1.10 instead.

The error code is SERVFAIL = Server Failed.
So, the 10.1.1.10 server is telling you it has a problem and cannot give a copy of that zone to your server.

The fact that 10.1.1.10 could send the SERVFAIL code tells us two things:
- connectivity from this server to 10.1.1.10 is OK
- 10.1.1.10 is running some DNS server software

If 10.1.1.10 = ferrari, then that is an obvious reason for the SERVFAIL code: as ferrari currently does not have the valid zone file of INDIA.xxx.com, it obviously cannot give it to itself.

According to your SOA record, usj-pn-sn-01.INDIA.xxx.com is the master server if INDIA.xxx.com. If you can connect to that server, you should put its IP address to the "masters" list of the INDIA.xxx.com slave zone.

MK

Re: problem with DNS slave zone

Sunny Jaisinghani — Thu, 25 Mar 2010 07:52:05 GMT

Thanks for the explanation Matti.

Instead of creating a slave zone. I created another master zone and now the name resolution works.

To be frank, i am still hugely confused with this master and slave thing; but i am happy that some things are working now.

Thanks again
Sunny

Re: problem with DNS slave zone

Matti_Kurkela — Thu, 25 Mar 2010 12:13:19 GMT

In a nutshell, the master/slave relationship is for DNS zone updates.

When the administrator updates the DNS zone on the master server, the slaves will automatically detect it and fetch an updated version from the zone's master server.

This is also why you should not need to create a zone file for the slave zone manually: when the DNS server starts up, it should detect that the slave zone file is missing and automatically fetch an up-to-date version from the zone's master server.

A DNS server can be a master for a zone or a set of zones, while being a slave for another zone or zones. In other words, the master/slave role assignment is specific to each zone.

In this case, when the US server tried to request the updated INDIA.xxx.com zone file from the IN server, the IN server refused to give it. This would be a configuration error in the IN server. Perhaps the IN server has not been told that it is supposed to have a slave in the US for the INDIA.xxx.com zone?

If both the IN and US servers are now declared as masters for the INDIA.xxx.com zone, when the zone is changed on one server the change won't be automatically reflected to the other server.

O'Reilly's "DNS and BIND" book has a very good introduction to DNS in general. The earliest editions of the book are written for BIND 4.9.x, which is obsolete. If you want to buy the book, make sure you get the latest edition, which covers BIND 9.

MK

Re: problem with DNS slave zone

Sunny Jaisinghani — Fri, 26 Mar 2010 05:16:27 GMT

I have another problem with the master zone that i created on US server.

Here are the logs when i restart named. Ferrari is the US server. lookup to INDIA domain fails again.

Mar 25 21:45:17 ferrari named[2187]: dns_master_load: INDIA.xxx.com.zone:16: unknown RR type 'IN'
Mar 25 21:45:17 ferrari named[2187]: zone INDIA.xxx.com/IN: loading master file INDIA.xxx.com.zone: unknown class/type

here is the zone file

$TTL 86400
@ IN SOA localhost root (
8 ; serial
28800 ; refresh
14400 ; retry
3600000 ; expire
86400 ; ttl
)

@ IN NS usj-sj-ns-01 ; alias of ferrari
@ IN NS usj-pn-ns-01
xxx.com. IN NS ns01

ns01 IN IN A 216.69.185.1
ganges IN IN A 192.168.10.20
usj-pn-sn-01 IN IN A 192.168.10.10

Thanks for helping

Sunny

Re: problem with DNS slave zone

Sunny Jaisinghani — Fri, 26 Mar 2010 07:56:02 GMT

[root@ferrari root]# named-checkzone -dj INDIA.xxx.com /var/named/INDIA.xxx.com.zone
loading "INDIA.xxx.com" from "/var/named/INDIA.xxx.com.zone" class "IN"
dns_master_load: /var/named/INDIA.xxx.com.zone:14: ignoring out-of-zone data (xxx.com)
dns_master_load: /var/named/INDIA.xxx.com.zone:16: unknown RR type 'IN'
dns_master_load: /var/named/INDIA.xxx.com.zone:17: unknown RR type 'IN'
dns_master_load: /var/named/INDIA.xxx.com.zone:18: unknown RR type 'IN'
zone INDIA.xxx.com/IN: loading master file /var/named/INDIA.xxx.com.zone: unknown class/type

Re: problem with DNS slave zone

Matti_Kurkela — Fri, 26 Mar 2010 09:26:52 GMT

>ns01 IN IN A 216.69.185.1
>ganges IN IN A 192.168.10.20
>usj-pn-sn-01 IN IN A 192.168.10.10

On these 3 lines, you have the record class name "IN" listed twice.

The correct lines should be:
ns01 IN A 216.69.185.1
ganges IN A 192.168.10.20
usj-pn-sn-01 IN A 192.168.10.10

There is also another problem:
> @ IN NS usj-sj-ns-01 ; alias of ferrari

In plain language, it means: "usj-sj-ns-01.INDIA.xxx.com is an authoritative DNS server for INDIA.xxx.com", but as there is no A record for usj-sj-ns-01, this NS record is effectively useless.

As you created a master zone file for INDIA.xxx.com on ferrari, you're effectively claiming that your /var/named/INDIA.xxx.com.zone file is a total, complete and authoritative description of the INDIA.xxx.com zone. If a name is not listed in the master zone file, it *does not exist* in the corresponding zone.

For example, with your current zone file, if someone requests the IP address if usj-sj-ns-01.INDIA.xxx.com from the ferrari system, ferrari will respond like: "I am absolutely certain that usj-sj-ns-01.INDIA.xxx.com does *not* have an IP address assigned."

MK

Re: problem with DNS slave zone

Sunny Jaisinghani — Fri, 26 Mar 2010 09:38:26 GMT

wow... finally i have the problem resolved..
Thanks Matti