  1. #1  Just Joined! (Join Date: Oct 2009, Posts: 59)

    LAN Bind forwarding wrong DNS records to the Internet


    I've set up Bind on my LAN server with a public IP which should only help with mail delivery on my server. There is a second DNS server on the NAT box of my ISP that houses the DNS records.

    The domain is peciatky.sk

    When I check the domain via network-tools.com and the DNS analyzer, it first shows the local IP address and after several refreshes shows the global public IP address.

    Why does my server delegate its LAN settings outside my LAN?!

  2. #2  Just Joined! (Join Date: Oct 2009, Posts: 59)
    TL;DR version: Global DNS records change every minute; they either assign my private LAN IP to the A record or the proper global public IP. ONLY my LAN DNS server uses the local IP address, which means it somehow corrupts the world wide records.

    How can I limit bind to a single PC only?

  3. #3  Lazydog, Linux Guru (Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677)
    Let me see if I understand the situation. You have a DNS server on your LAN that is used for mail transfer. This DNS server is reachable from the outside WAN. If this is true then you need to think about what you want to resolve to the world. It sounds like you are allowing all DNS records to be resolved both internally and externally. I would suggest you look at one of two things.

    1. DNS views, which split your DNS records so that external clients can only resolve externally reachable IP addresses.

    or

    2. Split DNS, where you host your DNS domain on an internal server for your LAN and host an external DNS service with only the records you want the external world to resolve.

    Myself I would go with option 2 as it is the easiest to setup.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
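A linter for the views layout described in option 1 above, added here as an example (it is not code from the thread or from BIND): it reads a named.conf with an internal and an external view, parses the zone file each view serves, and reports any view that is reachable from the Internet (its match-clients includes any) yet advertises an RFC 1918 or loopback address, including NS or MX targets that map to one. The named.conf, both zone files, the LAN address 192.168.1.10 and the public address 203.0.113.10 are all constructed values, not the poster's real configuration; the external zone deliberately still carries the LAN address for ns, which is the mistake this thread is about, so the run reports two problems.

```python
"""Lint a split-horizon (views) BIND layout before it goes live.

Added example for this thread, not code from the thread or from BIND.  The
named.conf fragment and the two zone files are constructed inline; the
private address 192.168.1.10 and the public address 203.0.113.10 are
assumed values, not the poster's real ones.
"""
import ipaddress
import re

# Constructed named.conf in the two-view style described in the thread: the
# LAN gets the internal zone, everybody else gets the external one.
NAMED_CONF = """
acl "lan" { 192.168.1.0/24; 127.0.0.1; };
view "internal" {
    match-clients { "lan"; };
    zone "peciatky.sk" { type master; file "internal/peciatky.sk.zone"; };
};
view "external" {
    match-clients { any; };
    zone "peciatky.sk" { type master; file "external/peciatky.sk.zone"; };
};
"""

# Constructed zone files, keyed by the file name named.conf references.  The
# external copy still carries a LAN address for "ns" (the bug under discussion).
ZONE_FILES = {
    "internal/peciatky.sk.zone": """
$TTL 3600
@     IN SOA ns.peciatky.sk. hostmaster.peciatky.sk. ( 1 3600 900 604800 300 )
@     IN NS  ns.peciatky.sk.
@     IN MX  10 mail.peciatky.sk.
ns    IN A   192.168.1.10
mail  IN A   192.168.1.10
""",
    "external/peciatky.sk.zone": """
$TTL 3600
@     IN SOA ns.peciatky.sk. hostmaster.peciatky.sk. ( 1 3600 900 604800 300 )
@     IN NS  ns.peciatky.sk.
@     IN MX  10 mail.peciatky.sk.
ns    IN A   192.168.1.10
mail  IN A   203.0.113.10
""",
}

VIEW_RE = re.compile(r'view\s+"(\w+)"\s*\{(.*?)\n\};', re.S)
CLIENTS_RE = re.compile(r"match-clients\s*\{([^}]*)\}")
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{[^}]*?file\s+"([^"]+)"')
RR_RE = re.compile(r"^(\S+)\s+IN\s+(\w+)\s+(.*)$")

# RFC 1918 plus loopback and link-local: nothing here may appear in a zone
# the Internet is allowed to query.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def is_non_routable(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def parse_zone(text, origin):
    """Return (owner_fqdn, type, rdata) triples; $-directives and comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line or line.startswith("$"):
            continue
        m = RR_RE.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner.rstrip(".")
        else:
            fqdn = f"{owner}.{origin}"
        records.append((fqdn, rtype, rdata.strip()))
    return records


def lint_external_views(conf, zone_files):
    """Flag private A records, and NS/MX targets that map to them, in every
    view whose match-clients includes "any" (i.e. answers the Internet)."""
    findings = []
    for view, body in VIEW_RE.findall(conf):
        if "any;" not in CLIENTS_RE.search(body).group(1).split():
            continue  # LAN-only view: private addresses are expected there
        for origin, path in ZONE_RE.findall(body):
            records = parse_zone(zone_files[path], origin)
            a_rrs = {n: r for n, t, r in records if t == "A"}
            for name, rtype, rdata in records:
                if rtype == "A" and is_non_routable(rdata):
                    findings.append(f"{view}/{origin}: {name} A {rdata} "
                                    "is not routable from the Internet")
                elif rtype in ("NS", "MX"):
                    target = rdata.split()[-1].rstrip(".")
                    if target in a_rrs and is_non_routable(a_rrs[target]):
                        findings.append(f"{view}/{origin}: {rtype} target {target} "
                                        f"maps to private {a_rrs[target]}")
    return findings


if __name__ == "__main__":
    for finding in lint_external_views(NAMED_CONF, ZONE_FILES):
        print(finding)
```

To check a live server, replace the embedded strings with the contents of the real named.conf and zone files. The same check applies to option 2: a zone file hosted on an external-only server is by definition the external view, so it must pass with no findings.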

  4. #4  Just Joined! (Join Date: Oct 2009, Posts: 59)
    Thanks for the reply! I actually set up a split DNS via this guide (Split DNS - Zimbra :: Wiki) - the mail software is working but something is wrong.

    I went step by step through the guide, used Bind9, but the DNS records are somehow delegated outside my LAN.

  5. #5  Lazydog, Linux Guru (Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677)
    What are the NS records for your domain? And can you PM me your zone files? Both internal and external.

    Regards
    Robert


  6. #6  Just Joined! (Join Date: Oct 2009, Posts: 59)
    PM'd you the files, don't know if you have looked at them already. The NS records point to the same address as the MX records, and use the local IP of the LAN server.

  7. #7  Lazydog, Linux Guru (Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677)
    Looking at the file you have sent to me, you have only private addresses listed. If you are using these for your public DNS server, that would explain why you are seeing private addresses being returned.

    If you plan on using your server for DNS then you must place the Public IP Addresses in the zone files or else no one from the internet will be able to connect to your services.

    I did a lookup of your domain and received the following:

    Code:
    ~ $ dig peciatky.sk ns
    
    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> peciatky.sk ns
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65177
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;peciatky.sk.                   IN      NS
    
    ;; ANSWER SECTION:
    peciatky.sk.            34668   IN      NS      lemon.napri.sk.
    peciatky.sk.            34668   IN      NS      ns.erixline.sk.
    
    ;; Query time: 476 msec
    ;; SERVER: 192.168.1.254#53(192.168.1.254)
    ;; WHEN: Mon Oct 10 19:43:49 2011
    ;; MSG SIZE  rcvd: 81
    Doing a lookup for MX records against these two servers, everything looks fine and they both supply the same information.

    Code:
    ~ $ dig @lemon.napri.sk peciatky.sk mx
    
    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> @lemon.napri.sk peciatky.sk mx
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53877
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
    
    ;; QUESTION SECTION:
    ;peciatky.sk.                   IN      MX
    
    ;; ANSWER SECTION:
    peciatky.sk.            34590   IN      MX      30 ns.andreansky.eu.
    peciatky.sk.            34590   IN      MX      10 ns.erixline.sk.
    
    ;; AUTHORITY SECTION:
    peciatky.sk.            34590   IN      NS      lemon.napri.sk.
    peciatky.sk.            34590   IN      NS      ns.erixline.sk.
    
    ;; ADDITIONAL SECTION:
    ns.erixline.sk.         36000   IN      A       194.1.130.38
    ns.andreansky.eu.       12990   IN      A       194.1.130.117
    lemon.napri.sk.         43200   IN      A       194.1.128.5
    
    ;; Query time: 158 msec
    ;; SERVER: 194.1.128.5#53(194.1.128.5)
    ;; WHEN: Mon Oct 10 19:45:07 2011
    ;; MSG SIZE  rcvd: 177
    Code:
    ~ $ dig @ns.erixline.sk peciatky.sk mx
    
    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> @ns.erixline.sk peciatky.sk mx
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 702
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
    
    ;; QUESTION SECTION:
    ;peciatky.sk.                   IN      MX
    
    ;; ANSWER SECTION:
    peciatky.sk.            36000   IN      MX      10 ns.erixline.sk.
    peciatky.sk.            36000   IN      MX      30 ns.andreansky.eu.
    
    ;; AUTHORITY SECTION:
    peciatky.sk.            36000   IN      NS      lemon.napri.sk.
    peciatky.sk.            36000   IN      NS      ns.erixline.sk.
    
    ;; ADDITIONAL SECTION:
    ns.erixline.sk.         36000   IN      A       194.1.130.38
    ns.andreansky.eu.       36000   IN      A       194.1.130.117
    lemon.napri.sk.         33422   IN      A       194.1.128.5
    
    ;; Query time: 156 msec
    ;; SERVER: 194.1.130.38#53(194.1.130.38)
    ;; WHEN: Mon Oct 10 19:45:32 2011
    ;; MSG SIZE  rcvd: 177

    Regards
    Robert

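The lookups above are the right check: ask each server in the NS set directly and compare. Note one detail in the transcript itself: lemon.napri.sk answered the MX query with flags "qr rd ra" (no aa), while ns.erixline.sk answered with "qr aa rd ra", so only the second reply came from the server's own copy of the zone. The script below, added here as an example (not code from the thread), automates that comparison: it parses dig-style output from several servers, reports any answer without the aa flag, any A record in a private range, and any RRset on which the servers disagree. The three transcripts are constructed to match the shape of the ones posted; the LAN BIND at 192.168.1.10 and the public address 203.0.113.10 are assumed values, not the poster's real ones.

```python
"""Cross-check what several name servers say about the same name.

Added example for this thread, not code from the thread.  The dig transcripts
are constructed to match the shape of the ones posted: two of the domain's
public NS plus, as an assumed address, the LAN BIND at 192.168.1.10.  The
public address 203.0.113.10 is also assumed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed `dig @server peciatky.sk A` output, header and question
# sections trimmed.  The LAN box is authoritative for its own private copy.
DIG_OUTPUTS = {
    "lemon.napri.sk": """
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
peciatky.sk.            34590   IN      A       203.0.113.10

;; AUTHORITY SECTION:
peciatky.sk.            34590   IN      NS      lemon.napri.sk.
peciatky.sk.            34590   IN      NS      ns.erixline.sk.
""",
    "ns.erixline.sk": """
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
peciatky.sk.            36000   IN      A       203.0.113.10

;; AUTHORITY SECTION:
peciatky.sk.            36000   IN      NS      lemon.napri.sk.
peciatky.sk.            36000   IN      NS      ns.erixline.sk.
""",
    "192.168.1.10": """
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; ANSWER SECTION:
peciatky.sk.            3600    IN      A       192.168.1.10

;; AUTHORITY SECTION:
peciatky.sk.            3600    IN      NS      ns.peciatky.sk.
""",
}

FLAGS_RE = re.compile(r";; flags:([^;]*);")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(.+)$")
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def is_non_routable(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def parse_dig(text):
    """Return (authoritative?, {rtype: set(rdata)}) from the ANSWER SECTION."""
    aa, rrsets, section = False, defaultdict(set), None
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            aa = "aa" in m.group(1).split()
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]       # ANSWER / AUTHORITY / ...
        elif section == "ANSWER" and (m := RR_RE.match(line)):
            _name, _ttl, rtype, rdata = m.groups()
            rrsets[rtype].add(rdata.strip())
    return aa, dict(rrsets)


def cross_check(outputs, expect_authoritative=True):
    """One finding per symptom: answer without aa, private address in an
    A RRset, or servers that disagree about an RRset."""
    findings = []
    by_type = defaultdict(dict)
    for server, text in outputs.items():
        aa, rrsets = parse_dig(text)
        if expect_authoritative and not aa:
            findings.append(f"{server}: answer lacks the aa flag "
                            "(cached or forwarded, not its own zone)")
        for rtype, rdata in rrsets.items():
            by_type[rtype][server] = frozenset(rdata)
        for addr in rrsets.get("A", ()):
            if is_non_routable(addr):
                findings.append(f"{server}: returns private address {addr}")
    for rtype, answers in by_type.items():
        if len(set(answers.values())) > 1:
            detail = "; ".join(f"{s}={sorted(v)}" for s, v in sorted(answers.items()))
            findings.append(f"{rtype} RRset differs between servers: {detail}")
    return findings


if __name__ == "__main__":
    for finding in cross_check(DIG_OUTPUTS):
        print(finding)
```

In practice, run `dig peciatky.sk NS` first, then `dig @<each NS> peciatky.sk A` and feed the captured text in as the dictionary values; a LAN resolver should only ever be included if it is actually listed in the NS set, which is exactly the situation the later posts rule out.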

  8. #8  Just Joined! (Join Date: Oct 2009, Posts: 59)
    Quote Originally Posted by Lazydog:
    Doing a lookup for MX records against these two servers, everything looks fine and they both supply the same information.
    Thanks for the reply!

    Yes, the domain records now work fine - as I have removed the zone files I sent you for the peciatky domain from my Bind directory, restarted Bind and therefore disabled them. After that change, the DNS records outside the LAN no longer seem to fluctuate. The thing is that I have the same records for my second domain (andreansky) and that works fine both within the LAN and outside of it, even when my DNS server is running.

    The only difference is that andreansky has a DNS server outside of the LAN, while peciatky has a DNS server probably on the NAT, which somehow messed things up. I sadly do not have access to the NAT, but I needed to know if my DNS zone files were correctly configured.

    If I add zone files with local IP addresses for my domains only on a server that is behind a NAT, there should NOT be any way that the records get delegated outside (unless I add an NS record with my nameserver to the primary list), right?

  9. #9  Lazydog, Linux Guru (Join Date: Jun 2004, Location: The Keystone State, Posts: 2,677)
    Not sure why you were seeing what you were. The files you sent me, are they everything from the DNS server with issues? What about your resolv.conf file? Is it pointing to your DNS server or an outside server?
    Last edited by Lazydog; 10-12-2011 at 10:25 PM.

    Regards
    Robert


  10. #10  Just Joined! (Join Date: Oct 2009, Posts: 59)
    Quote Originally Posted by Lazydog:
    Not sure why you were seeing what you were. The files you sent me, are they everything from the DNS server with issues? What about your resolv.conf file? Is it pointing to your DNS server or an outside server?
    Yup, resolv.conf was pointing to my server - whenever I did a dig to one of my domains the reply came from my local machine from my IP address. I don't know what was wrong with the config either; I am pretty convinced now that my ISP had something configured on his NAT that is also a DNS server that somehow propagated my settings to the world.

    I think it's fair to say that if I don't add my DNS server, local or visible to the outside, to the NS records of my domain, it should NEVER propagate its settings outside.
    Last edited by SkyHiRider; 10-14-2011 at 05:57 AM.
