Bind not resolving domain name
I have a dedicated server that I can't seem to get my domain name to resolve correctly with bind. I tried many internet searches and compared different config files, but I can't seem to figure it out. I only have one ip address and gateway address.
dig @localhost www.euphorics.net
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> @localhost www.euphorics.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58762
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.euphorics.net. IN A
;; ANSWER SECTION:
www.euphorics.net. 3600 IN A 38.130.218.68
;; AUTHORITY SECTION:
euphorics.net. 3600 IN NS ns2.euphorics.net.
euphorics.net. 3600 IN NS ns1.euphorics.net.
;; ADDITIONAL SECTION:
ns1.euphorics.net. 3600 IN A 38.130.218.68
ns2.euphorics.net. 3600 IN A 38.130.218.68
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct 19 08:24:26 EDT 2016
;; MSG SIZE rcvd: 130
/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; 38.130.218.68; };
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-transfer { 38.130.218.68; }; # disable zone transfers by default
allow-query { trusted; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
acl "trusted" {
127.0.0.1; # ns1 - can be set to localhost
38.130.218.68; # ns2
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named/named.conf.local";
/etc/named/named.conf.local
zone "euphorics.net" {
type master;
file "/etc/named/zones/db.euphorics.net"; # zone file path
};
zone "130.38.in-addr.arpa" {
type master;
file "/etc/named/zones/db.38.130"; # 10.128.0.0/16 subnet
};
/etc/named/zones/db.euphorics.net
$TTL 3600
@ IN SOA ns1.euphorics.net. admin.euphorics.net. (
3 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
; name servers - NS records
euphorics.net. IN NS ns1.euphorics.net.
euphorics.net. IN NS ns2.euphorics.net.
; name servers - A records
@ A 38.130.218.68
www A 38.130.218.68
ns1.euphorics.net. IN A 38.130.218.68
ns2.euphorics.net. IN A 38.130.218.68
Also I added port 53 tcp/udp to firewalld and also to iptables. I even turned off my firewall to see if that would help, but it didn't. Rebooted bind / server, still no go.
Установите
acl recurseallow { 127.0.0.1; 38.130.218.68; 192.168.0.0/24; }; //local network maybe?
allow-query { any; };
recursion { recurseallow; };
О файле зоны, попробуйте следующее:
$ttl 60 //for testing purpose. After that set it above 3600
@ IN SOA ns1.euphorics.net. root.euphorics.net. (
2016101901 ; serial
10800 ; refresh (3 hours)
60 ; retry (30 minutes) // after finishing testing, set it above 3600
604800 ; expire (1 week )
38400 ; minimum (1 day)
)
NS ns1.euphorics.net.
NS ns2.euphorics.net.
A 38.130.218.68
IN A 38.130.218.68
ns1 IN A 38.130.218.68
ns2 IN A 38.130.218.68
www IN A 38.130.218.68
В списке acl
acl "trusted" { 127.0.0.1; # ns1 - можно установить в localhost 38.130.218.68; # ns2 };
А в теге allow-query вы вызвали acl "trusted", где только локальные ips могут опрашивать.
allow-запрос { trusted; };
В идеале, для авторизованного сервера, весь интернет должен быть разрешен для запросов к вашему домену, иначе люди не смогут разрешить ваш домен.
В цифровом запросе, я получаю Запрос, статус: REFUSED во время запроса с вашего сервера.
@sly1x.... Ваш сервер теперь работает как открытый резольвер, как показано ниже --
*Kansals-MacBook:~ Kansal$ dig nkn.in @38.130.218.68 +short
180.149.57.82
Kansals-MacBook:~ Kansal$*
Ваш сервер может быть использован для генерации DDoS-атак на других.
В качестве лучшей практики, не рекомендуется запускать открытый резольвер, если и до тех пор, пока у вас не будет опыта, чтобы сделать то же самое.
Либо сделайте следующие настройки в опциях части конфигурации привязки
рекурсии нет;
Или используйте acl для выборочного разрешения рекурсии.
.