Bind
Changes or new virtual hosts made in Virtualmin did not seem to affect the Bind module, so I have taken the Bind 9.2 version (through rpm), and I have reinstalled Bind through Webmin (now version 8 instead of 9).
The situation was:
- Bind 9 was installed;
- Webmin created an interface for Bind 8 by default
I have now uninstalled the standard Webmin Bind 8 module, and I have installed a third party module: BIND 9 dynamic DNS server.
So, both the Bind package itself (in my case: bind-9.2.3-13) and a Webmin Bind module are required, it seems.
It seems, however, that a few old files were still in place (especially /etc/named.conf). Upon deletion, Webmin cannot properly recreate this file for Bind9 (or so I believe).
Strategy for installing Bind8 under Webmin
Delete each and every file pertaining to whatever Bind version you may have had. Install the original Webmin Bind8 module. Install Bind 8 itself from source (http://www.isc.org/):
make all
make install
Now, go to Webmin and choose Module Config. Adjust the paths, and do whatever Webmin wants you to do. Also, choose NO for "Is named.conf under chroot directory?" if you want an easy installation.
Two things to keep in mind before following this strategy today. BIND 8 has been end-of-life at ISC since 2007 and receives no security fixes, so on any current system the supported route is BIND 9 with its matching Webmin module. Running named in a chroot is also a worthwhile hardening step: choosing NO only simplifies the first installation, and the chroot can be switched back on once the module works.
Webmin can now without any trouble at all create the /etc/named.conf file.
I have made a few changes to the Webmin configuration of Bind, under Bind DNS Server > Module Config > System Configuration:
/usr/sbin/named start
changed to
/usr/sbin/ndc start
and
/usr/sbin/named stop
changed to
/usr/sbin/ndc stop
(ndc is the BIND 8 control program; BIND 9 replaced it with rndc, so these paths only apply to the Bind 8 setup described above.)
Bind and firewall
To get Bind to work through the firewall, some sources of documentation recommend including the following line under options, in named.conf:
query-source address * port 53;
Be aware of what this does: it pins every outgoing query to source port 53, so that only one inbound port has to be opened. Current BIND versions deliberately randomise the source port of outgoing queries to make off-path cache poisoning harder, and ISC advises against pinning it; opening the firewall for reply traffic (see below) is the better trade-off.
This can also be achieved through Webmin:
Bind > Addresses and Topology > Source port for queries
Unfortunately, that does not seem to work for my situation, as the command host
will not run (without opening the firewall).
Instead, I have used the defaults, in combination with the following firewall rules. Here, port 53 is relevant (the standard DNS port), as well as the higher, unprivileged ports, because replies to the server's own outgoing queries arrive on an unprivileged source port:
# Generated by iptables-save v1.2.9 on Thu Dec 16 10:56:02 2004
*filter
:INPUT DROP [3:234]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [448:98404]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
# Completed on Thu Dec 16 10:56:02 2004
# Generated by iptables-save v1.2.9 on Thu Dec 16 10:56:02 2004
*mangle
:PREROUTING ACCEPT [401:35825]
:INPUT ACCEPT [400:35584]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [448:98404]
:POSTROUTING ACCEPT [448:98404]
COMMIT
# Completed on Thu Dec 16 10:56:02 2004
# Generated by iptables-save v1.2.9 on Thu Dec 16 10:56:02 2004
*nat
:PREROUTING ACCEPT [7:707]
:POSTROUTING ACCEPT [2:213]
:OUTPUT ACCEPT [2:213]
COMMIT
# Completed on Thu Dec 16 10:56:02 2004
A word of caution on the rule that accepts UDP with source port 53 to ports 1024:65535: it matches any packet whose sender chose port 53 as the source port, so every unprivileged UDP port on the box is reachable from anywhere to anyone who does that. A stateful rule (iptables -m state --state ESTABLISHED,RELATED on INPUT, with the DROP policy kept) admits only replies to queries this host actually sent and is the safer way to let outgoing lookups work. The rule set also opens telnet (23) and FTP (21), both cleartext protocols; with SSH on 22 available they are best left closed.
Testing Bind
Once you have set up a domain (a master zone containing A, MX and optionally CNAME records), test your Bind configuration using the host command:
[root@1038 sbin]# host campinglachassagne.fr 213.193.214.124
Using domain server 213.193.214.124:
campinglachassagne.fr has address 213.193.214.124
campinglachassagne.fr mail is handled (pri=5) by mail.campinglachassagne.fr
The first argument is the name to look up. The second argument is the name server to query, in our case our own IP address, where our DNS server resides.
This is something you can do from the "inside" of your Linux box, over a remote shell connection (e.g. the PuTTY terminal). If your firewall settings are too strict, this lookup will fail.
Once you are convinced that your DNS settings are correct, check whether your DNS server can be reached from the outside. Again, your firewall settings could be too strict. So, let's use a Windows (XP) prompt to do this. First, flush your current DNS cache:
C:\>ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
Now, use nslookup:
C:\>nslookup campinglachassagne.fr 213.193.214.124
*** Can't find server name for address 213.193.214.124: Non-existent domain
Server:  UnKnown
Address:  213.193.214.124

Name:    campinglachassagne.fr
Address:  213.193.214.124
As you can see, nslookup works pretty much in the same way as the host command (for simple tasks at least). The "Can't find server name" line only means that nslookup could not reverse-resolve 213.193.214.124 to a hostname (there is no PTR record for it); it does not affect the lookup itself.
Testing Bind 2, 20051102
How do you really know Bind is up and running when you have no entries yet?
1. Tell Bind to forward queries to another domain name server which you know to be working. How? See below, under "Global forwarding and zone transfer options".
2. Now, from some computer other than your server, look up a domain name through your Bind instance. In the following example, our Bind instance is on IP 213.193.214.124:
C:\>nslookup trixan.nl 213.193.214.124
Server:  unassigned.flexservers.com
Address:  213.193.214.124

Non-authoritative answer:
Name:    trixan.nl
Address:  195.130.154.44
3. This essentially tells you that Bind is up and running (the answer is marked non-authoritative because it came through the forwarder, not from a zone this server holds). But to make this really convincing, shut down Bind. Use Webmin's "Virtualmin Virtual Servers" section and click the "Stop Bind" button. Now repeat the test:
C:\>nslookup trixan.nl 213.193.214.124
*** Can't find server name for address 213.193.214.124: No response from server
Server:  UnKnown
Address:  213.193.214.124

*** UnKnown can't find trixan.nl: No response from server
C:\>
So now you know for certain that Bind really was running. Go to Webmin and turn it back on.
Note that a server which answers recursive lookups for arbitrary names from the outside, as in step 2, is an open resolver and can be abused for amplification attacks; once the test is done, restrict recursion to your own networks with allow-recursion in named.conf (or the matching Webmin option under Access Control).
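As an added example (not code from the original page), the following Python script does what the host and nslookup tests in both testing sections do, but builds the DNS query by hand and reads the reply header itself. That lets it report two things the shell tools only show indirectly: whether the answer was authoritative (the AA flag, which is absent in the forwarded trixan.nl reply above) and the response code. The hostnames, addresses and the offline sample reply are constructed for the demo; probe() needs network access to the server you name.

```python
"""Hand-rolled DNS A/MX probe: added example, not part of the original notes.
Hostnames, addresses and the sample reply are constructed test data."""
import os
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Standard query with RD set; qtype 1 = A, 15 = MX."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035, 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes, expected_txid: int) -> dict:
    """Validate the header, then collect the A and MX answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    out = {"authoritative": bool(flags & 0x0400),  # AA flag
           "rcode": RCODES.get(flags & 0x0F, str(flags & 0x0F)),
           "answers": []}
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out["answers"].append((name, "A", socket.inet_ntoa(msg[off:off + 4])))
        elif rtype == 15:
            pref = struct.unpack("!H", msg[off:off + 2])[0]
            exchange, _ = read_name(msg, off + 2)
            out["answers"].append((name, "MX", f"{pref} {exchange}"))
        off += rdlen
    return out


def probe(name: str, server: str, qtype: int = 1, timeout: float = 3.0) -> dict:
    """Send one UDP query to `server` and parse the reply (needs network access)."""
    txid = int.from_bytes(os.urandom(2), "big")  # unpredictable ID, as a resolver must use
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid, qtype), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_response(data, txid)


def sample_reply(txid: int, name: str, addr: str, authoritative: bool) -> bytes:
    """Constructed reply for offline runs: one A and one MX record for `name`
    (a real A answer would not carry the MX; it is bundled here for the demo)."""
    flags = 0x8180 | (0x0400 if authoritative else 0)  # QR, RD, RA (+AA)
    header = struct.pack("!HHHHHH", txid, flags, 1, 2, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    ptr = b"\xc0\x0c"  # pointer to the question name at offset 12
    a_rr = ptr + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton(addr)
    mx_rdata = struct.pack("!H", 5) + encode_name("mail")[:-1] + ptr  # mail.<name>
    mx_rr = ptr + struct.pack("!HHIH", 15, 1, 3600, len(mx_rdata)) + mx_rdata
    return header + question + a_rr + mx_rr


if __name__ == "__main__":
    import sys
    # usage: python dnsprobe.py NAME SERVER   (mirrors `host NAME SERVER`)
    print(probe(sys.argv[1], sys.argv[2]))
```

Run against your own server, an authoritative reply for a zone you host should come back with authoritative set to True and rcode NOERROR; the trixan.nl style forwarded lookup gives False. A mismatched transaction ID is rejected rather than trusted, which is the minimum check any resolver code must make against spoofed replies.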
20050208 Global forwarding and zone transfer options
I have made a change in the configuration to allow for dns hostname lookups (I hope). In Webmin > Servers > Bind > Forwarding and Transfers:
Servers to forward queries to: 213.239.177.5
Lookup directly if no response from forwarder: Yes
The IP address is the Flexservers.com second domain nameserver. (In named.conf terms this is a forwarders list with forward first, so the server falls back to normal recursion when the forwarder does not answer.)
I hope this will resolve a Webalizer issue which prevents the proper display of countries and domain names. See Webalizer FAQ, item # 7.
20051102 No it does not
It does not solve the Webalizer issue. See the newly added section Webalizer.
20051115 Bind no longer recognized by Webmin since Webmin upgrade
Ever since I have upgraded Webmin to a newer version, it will no longer start Bind:
Failed to start BIND : ndc: error: name server already running? (pid 3682)
This is not really an issue, since I don't actually use my own nameserver - so I don't even need Webmin to manage Bind.
How to use linux/unix nslookup
Nslookup is a powerful tool, but difficult to grasp at first, so an example session is included below. What you can learn from it:
- just type in a domain name to get it looked up
- use the server command to specify which particular nameserver should be used
- use set type=... to choose the record type (NS, any, ...)
- use the exit command to, well, exit
% nslookup
Default Server:  peanut.nuts.com
Address:  172.16.12.2

> set type=NS
> zoo.edu
Server:  peanut.nuts.com
Address:  172.16.12.2

Non-authoritative answer:
zoo.edu nameserver = NOC.ZOO.EDU
zoo.edu nameserver = NI.ZOO.EDU
zoo.edu nameserver = NAMESERVER.AGENCY.GOV

Authoritative answers can be found from:
NOC.ZOO.EDU inet address = 172.28.2.200
NI.ZOO.EDU inet address = 172.28.2.240
NAMESERVER.AGENCY.GOV inet address = 172.21.18.31
> server NOC.ZOO.EDU
Default Server:  NOC.ZOO.EDU
Address:  172.28.2.200

> set domain=zoo.edu
> set type=any
> tiger
Server:  NOC.ZOO.EDU
Address:  172.28.2.200

tiger.zoo.edu inet address = 172.28.172.8
tiger.zoo.edu preference = 10, mail exchanger = tiger.ZOO.EDU
tiger.zoo.edu CPU=ALPHA OS=UNIX
tiger.zoo.edu inet address = 172.28.172.8, protocol = 6 7 21 23 25 79
tiger.ZOO.EDU inet address = 172.28.172.8
> exit