Re: dns problem resolution?
From: Men & Mice Support
Date: Friday, November 5, 2004
Time: 12:33:34 pm

My first guess is that you have your servers on private IP addresses.
Your master server loads a zone and sends notify packets to all
servers listed in each zone's NS records, excluding itself. It does
this by resolving the names to (public) IP addresses. But your slave
server is configured to think of the master server being at a private
address. So it rejects the notification.
(Continuing the assumption...) Since your firewall supports two-way
NAT (like all NAT-based firewalls should, though many don't), you can
solve this neatly as follows:
- For each server, remove the server (Administration > Remove Name
Server) and re-add it, using the public IP addresses. (You probably
don't even have to specify addresses.)
- Remove all the zones from your slave server and recreate them,
using the AppleScripts included with QuickDNS Manager for Mac OS X,
or else use a shell command like this on the slave server to change
the master server IP in all the slave zones (assumes Mac OS X):
cd /var/named/conf/zoneopt
sudo perl -pi -e 's {internal-ip} {public-ip}' *
rndc -k ../user_before reload
Chris Buxton
Men & Mice - Making DNS Easy
Customer Service and Sales Engineer
At 3:01 PM -0500 11/5/04, John May wrote:
>When we upgraded to 9.3.0, our secondary server throws a lot of the
>following errors at startup:
>
>
>05-Nov-2004 12:00:01.241 zone desco-services.com/IN: refused notify
>from non-master: 66.151.191.77#50835
>
>
>Any ideas?
>
> - John
>
>>Sure. I'm going to assume you're currently using BIND 9.2.x.
>>
>>- Download the source code for BIND 9.3.0 from the ISC.org website.
>>Decompress the archive.
>>- Open a shell (e.g. a Terminal window) and cd to the directory.
>>For example, if you download with normal web browser settings on
>>Mac OS X and decompress using Stuffit Expander, you can most likely
>>use this command:
>>
>>cd ~/Desktop/bind-9.3.0
>>
>>- Execute the following to compile and install:
>>
>>./configure
>>make
>>sudo -s
>>mv /usr/sbin/named /usr/sbin/named-9.2
>>cp bin/named/named /usr/sbin/named
>>
>>- Continue with the following to test (involves a little downtime
>>for your server):
>>
>>killall named && /usr/sbin/named -4 -g
>>
>>This opens the new copy in a debugging mode. See if there are any
>>error messages. When you're satisfied, type control-c to stop it,
>>then execute this to start it normally:
>>
>>/usr/sbin/named -4
>>
>>If you see any problems during the debug mode session, fix them. If
>>you can't, revert to the old version:
>>
>>/usr/sbin/named-9.2
>>
>>- Exit root mode:
>>
>>exit
>>
>>- If the new version works for you, modify your boot script (on Mac
>>OS X, that's /Library/StartupItems/QuickDNS/named; on FreeBSD, it's
>>your normal operating system boot script for named) to include the
>>-4 parameter for launching named.
>>
>>Chris Buxton
>>Men & Mice - Making DNS Easy
>>Customer Service and Sales Engineer
>>
>>At 6:36 PM -0500 11/4/04, John May wrote:
>>>Chris -
>>>
>>>Can you repost these instructions?
>>>
>>> - John
>>>
>>>>Explicit instructions for compiling version 9.3.0 are included in
>>>>the other message thread. If you need more help than that, feel
>>>>free to contact me off-list.
>>>>
>>>>Chris Buxton
>>>>Men & Mice - Making DNS Easy
>>>>Customer Service and Sales Engineer
>>>>
>>>>At 1:58 PM -0800 11/4/04, Jody McAlister wrote:
>>>>>I have version 9.2.3. I see other threads on how to upgrade so
>>>>>I'll read those. But I'm a unix newbie so compiling and such is
>>>>>out of my league.
>>>>>On Nov 4, 2004, at 11:42 AM, Men & Mice Support wrote:
>>>>>
>>>>>>What version of named do you have? Apparently, this option is
>>>>>>only available with version 9.3.0 and later.
>>>>>>
>>>>>>You can find out your version with this command:
>>>>>>
>>>>>>named -v
>>>>>>
>>>>>>Chris Buxton
>>>>>>Men & Mice - Making DNS Easy
>>>>>>Customer Service and Sales Engineer
>>>>>>
>>>>>>At 10:35 AM -0800 11/4/04, Jody McAlister wrote:
>>>>>>>I've tried this on two separate machines, (10.3.2 & 10.3.5)
>>>>>>>and QDNS 4.6.1. It kills bind every time I put the -4 in the
>>>>>>>Params setting as instructed below. As soon as I remove it,
>>>>>>>all starts up just fine.
>>>>>>>
>>>>>>>
>>>>>>>On Nov 1, 2004, at 1:51 PM, Men & Mice Support wrote:
>>>>>>>
>>>>>>>>We're working along these same lines, but initial tests have
>>>>>>>>not been uniformly positive.
>>>>>>>>
>>>>>>>>If you want to try this as described, a few changes will be
>>>>>>>>required to work within the framework provided by QuickDNS.
>>>>>>>>I'm going to assume you're using QuickDNS 4.6.1, since if
>>>>>>>>you're using an earlier version either you need to update
>>>>>>>>(for free if you're using version 4.5 or later), or you're
>>>>>>>>probably not having this problem (since you're using BIND 8).
>>>>>>>>
>>>>>>>>Instead of modifying /System/Library/StartupItems/BIND/BIND,
>>>>>>>>you'll need to modify /Library/StartupItems/QuickDNS/named.
>>>>>>>>Look for a line like this, near the top:
>>>>>>>>
>>>>>>>>PARAMS=""
>>>>>>>>
>>>>>>>>Add -4 inside the quotes, like this:
>>>>>>>>
>>>>>>>>PARAMS="-4"
>>>>>>>>
>>>>>>>>This takes care of settings for both starting and restarting.
>>>>>>>>To activate it, simply execute this (with root privileges):
>>>>>>>>
>>>>>>>>/Library/StartupItems/QuickDNS/named restart
>>>>>>>>
>>>>>>>>Chris Buxton
>>>>>>>>Men & Mice - Making DNS Easy
>>>>>>>>Customer Service and Sales Engineer
>>>>>>>>
>>>>>>>>At 2:18 PM -0800 11/1/04, Jody McAlister wrote:
>>>>>>>>>The Mac OS X server list just posted this message regarding
>>>>>>>>>DNS lookups. They've been basically having the same thread
>>>>>>>>>that we had last week.
>>>>>>>>>
>>>>>>>>>I haven't tried it yet. I'm posting so maybe Men & Mice
>>>>>>>>>can confirm before I start playing with my server.
>>>>>>>>>
>>>>>>>>>*********************************************************************************************************************
>>>>>>>>>(Copied message begins here...)
>>>>>>>>>
>>>>>>>>>A more complex, but more reliable fix: MacFixIt reader Ken
>>>>>>>>>has discovered a clever workaround that involves modifying
>>>>>>>>>the operation of Mac OS X's "named" daemon -- the DNS server
>>>>>>>>>that is part of the BIND set of UNIX DNS utilities.
>>>>>>>>>
>>>>>>>>> The theory behind why this fix works is as follows: root
>>>>>>>>>domain servers appear to have recently been given IPv6
>>>>>>>>>capability, and are now returning AAAA records in response
>>>>>>>>>to name lookups.
>>>>>>>>>
>>>>>>>>> Ken writes "The simple upshot is that for whatever reason,
>>>>>>>>>the first time named tries to go do a DNS query, it seems to
>>>>>>>>>decide to try sending to an IPV6 server address, which is
>>>>>>>>>pretty much guaranteed to fail for most users. Eventually
>>>>>>>>>this times out and it retries, but by that time Safari has
>>>>>>>>>usually given up on resolving the address and you get an
>>>>>>>>>error. The second time you try it, the correct address has
>>>>>>>>>already been cached by the system and everything works.
>>>>>>>>>"I found that a very simple fix (if you don't mind editing
>>>>>>>>>OS config files) was to modify the
>>>>>>>>>/System/Library/StartupItems/BIND/BIND file to add the '-4'
>>>>>>>>>option to named, which forces it to only use IPV4. For
>>>>>>>>>example, the first part of the file normally looks like this:
>>>>>>>>>
>>>>>>>>> StartService ()
>>>>>>>>> {
>>>>>>>>>     if [ "${DNSSERVER:=-NO-}" = "-YES-" ]; then
>>>>>>>>>         ConsoleMessage "Starting named"
>>>>>>>>>         named
>>>>>>>>>     fi
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>I changed the above to:
>>>>>>>>>
>>>>>>>>> StartService ()
>>>>>>>>> {
>>>>>>>>>     if [ "${DNSSERVER:=-NO-}" = "-YES-" ]; then
>>>>>>>>>         ConsoleMessage "Starting named"
>>>>>>>>>         named -4
>>>>>>>>>     fi
>>>>>>>>> }
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>"You should probably do the same thing for the
>>>>>>>>>RestartService section in the file. You'll either need to
>>>>>>>>>restart named by hand with the new option, or simply reboot
>>>>>>>>>your system to have the above take effect (probably the
>>>>>>>>>safest thing to do). I haven't yet tried digging into the
>>>>>>>>>BIND code deeply enough to determine why it seems to favor
>>>>>>>>>IPV6 address over and over again even though it never gets a
>>>>>>>>>valid response. It appears as though there is some code
>>>>>>>>>within BIND to sort the servers on response time, but IPV6
>>>>>>>>>servers seem to always wind up at the front of the list."
>>>
>>>
>>>--
>>>
>>>-------------------------------------------------------------------
>>>John May : President <http://www.pointinspace.com>
>>>Point In Space Internet Solutions jmay@pointinspace.com
>>>
>>> Professional Lasso / PHP / MySQL / FileMaker Pro Hosting
>
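The diagnosis in the reply at the top of this thread (a slave refuses NOTIFY because its `masters` entry names the master's private address while the NOTIFY arrives from the master's public, NATed address) can be checked offline before editing anything. The script below is an added example, not code from the thread, from Men & Mice or from BIND: it parses the "refused notify from non-master" log lines, parses the slave's zone stanzas for their `masters` lists, and classifies each refusal as a private/public mismatch, or as a sender that is simply not this zone's master and deserves a look. The log and configuration samples are constructed (the first log line mirrors the one quoted in the thread; 192.168.1.5, 203.0.113.9 and 198.51.100.7 are placeholders), and the directory layout of /var/named/conf/zoneopt is assumed from the `cd` command in the reply. `rewrite_masters` performs the same whole-address substitution as the perl one-liner; reloading with `rndc` is left to the operator.

```python
"""Added example (not from the thread): classify BIND "refused notify from
non-master" log lines against a slave's configured masters, offline.

A slave accepts NOTIFY only from addresses in the zone's `masters` list
(or `allow-notify`).  If the master is listed by its private address but
its NOTIFYs arrive from the public (NATed) address, every one is refused.
Sample data below is constructed; 192.168.1.5, 203.0.113.9 and 198.51.100.7
are placeholder addresses, not values from the thread.
"""
import ipaddress
import re

# Constructed sample log: the first line mirrors the one quoted in the thread,
# the rest are invented (one unrelated line, one second zone).
SAMPLE_LOG = """\
05-Nov-2004 12:00:01.241 zone desco-services.com/IN: refused notify from non-master: 66.151.191.77#50835
05-Nov-2004 12:00:01.250 zone example.org/IN: loaded serial 2004110501
05-Nov-2004 12:00:02.013 zone example.net/IN: refused notify from non-master: 198.51.100.7#41022
"""

# Constructed slave config in named.conf style (assumed to be the shape of the
# per-zone files the thread edits under /var/named/conf/zoneopt).
SAMPLE_CONF = """\
zone "desco-services.com" {
    type slave;
    file "desco-services.com.bak";
    masters { 192.168.1.5; };
};
zone "example.net" {
    type slave;
    file "example.net.bak";
    masters { 203.0.113.9; };
};
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOG_RE = re.compile(r"zone (?P<zone>\S+)/IN: refused notify from non-master: (?P<addr>[0-9A-Fa-f.:]+)#\d+")


def is_rfc1918(addr):
    """True for RFC 1918 private space (deliberately not ipaddress.is_private,
    which also covers documentation ranges used in the samples)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_refused_notifies(log_text):
    """Return [(zone, source_ip)] for every refused-notify line; other lines are ignored."""
    return [(m.group("zone"), m.group("addr")) for m in LOG_RE.finditer(log_text)]


def _zone_blocks(conf_text):
    """Yield (zone_name, body) for each zone stanza, matching braces by depth."""
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', conf_text):
        depth, i = 1, m.end()
        while i < len(conf_text) and depth:
            depth += {"{": 1, "}": -1}.get(conf_text[i], 0)
            i += 1
        yield m.group(1), conf_text[m.end():i - 1]


def parse_slave_masters(conf_text):
    """Map each slave zone to the set of master addresses it accepts NOTIFY from."""
    masters = {}
    for zone, body in _zone_blocks(conf_text):
        if not re.search(r"\btype\s+slave\s*;", body):
            continue
        m = re.search(r"\bmasters\s*\{([^}]*)\}", body)
        if m:
            # each entry is "addr [port N];" -> keep the address only
            masters[zone] = {e.split()[0] for e in m.group(1).split(";") if e.strip()}
    return masters


def diagnose(log_text, conf_text):
    """Classify each refused notify against the slave's masters list."""
    masters = parse_slave_masters(conf_text)
    report = []
    for zone, source in parse_refused_notifies(log_text):
        configured = masters.get(zone, set())
        if source in configured:
            verdict = "consistent"          # would not be refused with this config
        elif configured and all(is_rfc1918(a) for a in configured) and not is_rfc1918(source):
            verdict = "nat-mismatch"        # master listed by private IP, NOTIFY from public IP
        else:
            verdict = "unexpected-sender"   # not this zone's master at all: investigate
        report.append({"zone": zone, "source": source,
                       "configured": sorted(configured), "verdict": verdict})
    return report


def rewrite_masters(conf_text, old_ip, new_ip):
    """Whole-address replacement, the same edit as the thread's perl -pi one-liner."""
    pattern = r"(?<![0-9.])" + re.escape(old_ip) + r"(?![0-9.])"
    return re.sub(pattern, new_ip, conf_text)


if __name__ == "__main__":
    for row in diagnose(SAMPLE_LOG, SAMPLE_CONF):
        print(row)
    fixed = rewrite_masters(SAMPLE_CONF, "192.168.1.5", "66.151.191.77")
    print(diagnose(SAMPLE_LOG, fixed)[0]["verdict"])
```

Run it against a real log and the concatenated zoneopt files to see which refusals are the NAT case from the reply and which come from hosts that are not the zone's master; only the former is fixed by swapping the address, and the latter is worth keeping an eye on in the logs rather than silencing.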