Author Topic: can TinyDNS act as a primary nameserver for an internet domain?  (Read 21808 times)

Offline SuperK

can TinyDNS act as a primary nameserver for an internet domain?
« on: September 05, 2009, 08:05:45 pm »
I need to set up a DNS server on this machine. My machine isn't running in VMware, it's a native hard drive install. Is this possible currently? I am using the 1.2.3RC1 version.

Thanks!!

Offline cmb (Chris Buechler)

Re: can TinyDNS act as a primary nameserver for an internet domain?
« Reply #1 on: September 05, 2009, 08:38:27 pm »
Yes, that's its purpose.

Offline SuperK

Re: can TinyDNS act as a primary nameserver for an internet domain?
« Reply #2 on: September 05, 2009, 11:05:30 pm »
Thanks.

I was wondering if there is a guide on how to set it up?

I am using a round robin with dual WANs. I have my own domain and am looking to host the nameserver on this router/gateway, one nameserver on each of my 2 IP addresses...

Offline Cry Havok

Re: can TinyDNS act as a primary nameserver for an internet domain?
« Reply #3 on: September 06, 2009, 11:55:37 am »
Note that the whole point of requiring 2 IP addresses for 2 DNS servers is that the servers are different physical hosts - ideally on different networks.  That stops your entire domain having a single point of failure.
If you're planning on PMing me to ask me to look at a thread, or for individual support, don't.

Offline SuperK

Re: can TinyDNS act as a primary nameserver for an internet domain?
« Reply #4 on: September 06, 2009, 05:23:20 pm »
While this is true, and I realize that if the machine goes down, having 1092452 IP addresses wouldn't help, HOWEVER: if I bind to only one IP and the modem which leased that IP goes down, explodes, or God should strike it down in anger, my DNS is toast. At least having this coupled into my FailBack setup will allow me to keep online if one of my two lines goes down for some reason. I will be adding ns3 later on, which will be another machine in another building on another line, but first things first. I gotta get this domain set up :)

So, anybody have a HOW-TO? I went through the DNS wizard and entered my basic information; I will add my nameservers and IP addresses to the registrar, and then open up the ports in my firewall on each WAN. Using that as a base, is there anything else I should need to do?

Offline SuperK

Re: can TinyDNS act as a primary nameserver for an internet domain?
« Reply #5 on: September 07, 2009, 01:09:51 pm »
I have an update.. sort of.

I got TinyDNS bound to 127.0.0.1

I have two WAN ips, one per network card. Each network card is connected directly to a cable modem and I have a load balancer/failover connection established and working.

If I telnet (just for testing purposes) to port 53 on my WAN connection, TinyDNS accepts the connection. If I telnet to port 53 on my LAN IP 10.0.100.1, TinyDNS accepts the connection. If I telnet to port 53 on my WAN2 connection, the firewall rejects the connection. I have tried manually making firewall rules, and tried a NAT config, and neither works. I have also tried forcing TinyDNS to bind to WAN2 and it refuses to as well; it stays bound to the other IP.

Am I doing something wrong?

Offline SuperK

Re: can TinyDNS act as a primary nameserver for an internet domain?
« Reply #6 on: September 09, 2009, 12:26:01 am »
OK, I got it working on both WAN ports now, but the DNS server remains unauthoritative to the internet, only locally.

I did a review of the current TinyDNS logs and here is what it's showing me:

 tinydns: fatal: unable to bind UDP socket: address not available

What's with this?

Offline infratek

Re: can TinyDNS act as a primary nameserver for an internet domain?
« Reply #7 on: September 10, 2009, 03:43:41 am »
What did you finally do?
Tinydns binds to 127.0.0.1 and you NAT/forward DNS traffic from WAN and WAN2 to 127.0.0.1?
That's what I did on my setup, and the DNS server is responding on both WAN and WAN2 IP addresses.

Why do you say your DNS server remains unauthoritative to the internet? What test did you make?
Have you changed your registrar yet to define tinydns as SOA for your zone?
Sometimes it can take a couple of days for the update to be taken into account.
Have you tuned the TTL to a short time period?

Actually I'm also setting up a tinydns server at the moment with 2 WANs. I haven't changed the registrar yet. I'm still wondering how the failover status is set.
For instance, my backup IP would still be seen as "in service : NO" even if tinydns sees the primary IP down ...
If you found a howto somewhere, I'd be glad to have it :)

Offline SuperK

Re: can TinyDNS act as a primary nameserver for an internet domain?
« Reply #8 on: September 10, 2009, 11:04:12 am »
I bound TinyDNS to 127.0.0.1 and manually made a firewall rule to allow traffic from the WAN IP to enter on port 53. I then made a new rule based on the WAN rule except I changed the interface to WAN2, and the gateway to Opt2-Wan2 (since Opt1 is my wifi card).

I went to dnsstuff.com to verify my DNS integrity. I queried ns1.myhomelyhacker.com and it returned:
Quote
ns1.myhomelyhacker.com.   A    IN   172800   209.105.197.70
myhomelyhacker.com.       NS   IN   172800   ns1.myhomelyhacker.com.
myhomelyhacker.com.       NS   IN   172800   ns2.myhomelyhacker.com.
ns1.myhomelyhacker.com.   A    IN   172800   209.105.197.70
ns2.myhomelyhacker.com.   A    IN   172800   208.96.89.33

That is the correct data.

However, when I query www.myhomelyhacker.com I am returned with:

Quote
Searching for www.myhomelyhacker.com A record at k.root-servers.net [193.0.14.129]: Got referral to d.gtld-servers.net. (zone: com.) [took 70 ms]

Searching for www.myhomelyhacker.com A record at d.gtld-servers.net. [192.31.80.30]: Got referral to ns1.myhomelyhacker.com. (zone: myhomelyhacker.com.) [took 33 ms]

Searching for www.myhomelyhacker.com A record at ns1.myhomelyhacker.com. [209.105.197.70]: Refused! [took 100 ms].

Response:
The DNS server reported that it refuses to respond to the query. There's a problem with the DNS server for www.myhomelyhacker.com.

Which leads me to believe I have an error somewhere.

Furthermore, when attempting to transfer the zone file to dnsstuff.com for examination, I am returned with:

Quote
Sorry, none of the DNS servers would allow a zone transfer.

I tried:
NS Records:
myhomelyhacker.com. NS ns1.myhomelyhacker.com. (IP=209.105.197.70)
myhomelyhacker.com. NS ns2.myhomelyhacker.com. (IP=208.96.89.33)

WARNING: I could not get a SOA record for %.100s.

WARNING: I could not get an NS record at ns2.myhomelyhacker.com..
209.105.197.70: TCP Connection Refused
208.96.89.33: Socket closed

I have added a zone file transfer ALLOW in TinyDNS, and restarted the daemon to make sure all new configurations are updated, and this does not solve the issue.

My firewall allows TCP/UDP traffic on port 53 of both the aforementioned IP addresses.

This is the section of my config file which pertains to the authoritative nameserver.

Quote
.myhomelyhacker.com::ns1.myhomelyhacker.com.
.myhomelyhacker.com::ns2.myhomelyhacker.com.
+www.myhomelyhacker.com:209.105.197.70
&ns1.myhomelyhacker.com:209.105.197.70
&ns2.myhomelyhacker.com:208.96.89.33
+test.myhomelyhacker.com:209.105.197.70
« Last Edit: September 10, 2009, 11:06:03 am by SuperK »
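As an added check (not code from the thread or from the pfSense TinyDNS package), the script below expands the six data lines quoted above by the documented tinydns-data rules (`.` gives SOA+NS, `&` gives NS, `+` gives A, and the server name is `x` itself when `x` contains a dot, otherwise `x.ns.fqdn`) and then lists zone name servers that end up with no A record of their own. How tinydns-data treats an empty `x` field is an assumption, marked in the code.

```python
import ipaddress

# tinydns-data line types that appear in the quoted data file:
#   .fqdn:ip:x  -> SOA fqdn (primary = server), NS fqdn -> server, A server -> ip (if ip given)
#   &fqdn:ip:x  -> same as "." but without the SOA
#   +fqdn:ip    -> A fqdn -> ip
# The server name is x itself if x contains a dot, otherwise x.ns.fqdn.

def _norm(name):
    return name.strip(".").lower()

def _server_name(fqdn, x):
    if "." in x:
        return _norm(x)
    # ASSUMPTION: tinydns-data prepends ".ns." to x as written, so an empty x
    # (as in "&ns1.example.com:1.2.3.4") yields "ns.<fqdn>", not <fqdn> itself.
    return _norm(x + ".ns." + fqdn)

def expand(line):
    """Return the (owner, type, rdata) records one data line produces."""
    kind, fields = line[0], line[1:].split(":") + [""] * 3  # pad optional fields
    fqdn, ip, x = _norm(fields[0]), fields[1], fields[2]
    recs = []
    if kind in ".&":
        server = _server_name(fqdn, x)
        if kind == ".":
            recs.append((fqdn, "SOA", server))
        recs.append((fqdn, "NS", server))
        if ip:
            recs.append((server, "A", str(ipaddress.ip_address(ip))))
    elif kind == "+":
        recs.append((fqdn, "A", str(ipaddress.ip_address(ip))))
    return recs

def expand_all(lines):
    return [r for ln in lines if ln.strip() for r in expand(ln.strip())]

def missing_glue(records, zone):
    """Name servers of zone that have no A record anywhere in the data."""
    have_a = {owner for owner, typ, _ in records if typ == "A"}
    return sorted({rd for owner, typ, rd in records
                   if typ == "NS" and owner == _norm(zone) and rd not in have_a})

# The six lines quoted in the post above, embedded here as sample input.
DATA = """\
.myhomelyhacker.com::ns1.myhomelyhacker.com.
.myhomelyhacker.com::ns2.myhomelyhacker.com.
+www.myhomelyhacker.com:209.105.197.70
&ns1.myhomelyhacker.com:209.105.197.70
&ns2.myhomelyhacker.com:208.96.89.33
+test.myhomelyhacker.com:209.105.197.70
""".splitlines()
```

Running `missing_glue(expand_all(DATA), "myhomelyhacker.com")` reports both ns1 and ns2: the `.` lines carry no ip, and the `&` lines create records under `ns.ns1...` / `ns.ns2...` rather than A records for ns1 and ns2 themselves, so the zone relies entirely on the registrar's glue for its own name servers.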

Offline Cry Havok

Re: can TinyDNS act as a primary nameserver for an internet domain?
« Reply #9 on: September 10, 2009, 11:29:21 am »
People tend to think that DNS is UDP only - it's also a TCP protocol.  Ensure you've forwarded 53/TCP as well as 53/UDP and that all rules are in place to allow this.
If you're planning on PMing me to ask me to look at a thread, or for individual support, don't.

Offline SuperK

Re: can TinyDNS act as a primary nameserver for an internet domain?
« Reply #10 on: September 10, 2009, 02:01:33 pm »
Yeah port 53 on both WAN interfaces is forwarded for TCP/UDP.

Offline Cry Havok

Re: can TinyDNS act as a primary nameserver for an internet domain?
« Reply #11 on: September 10, 2009, 05:15:00 pm »
The error you posted suggests that 53/TCP is either being filtered by your ISP, not forwarded to TinyDNS or TinyDNS isn't listening on 53/TCP.
If you're planning on PMing me to ask me to look at a thread, or for individual support, don't.
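An added probe (my own code, not from the thread or the pfSense package) that separates the three cases named above: it sends the same SOA question over UDP and over TCP and reports the rcode and AA flag from each transport, so a server that answers "Refused" can be told apart from a 53/TCP path that is filtered, not forwarded, or has nothing listening. The server address and zone name are supplied by the caller.

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_query(name, qtype=6, qid=None):
    """Wire-format query without EDNS. qtype 6 = SOA, 1 = A, 2 = NS."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_reply(data, qid):
    """Return (rcode name, authoritative flag, answer count) from a reply header."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    return RCODES.get(flags & 0xF, str(flags & 0xF)), bool(flags & 0x0400), an

def probe(server, name, qtype=6, timeout=3.0):
    """Send the same question over UDP and TCP; None means no usable reply
    on that transport (filtered, not forwarded, or nothing listening)."""
    qid = random.randrange(65536)
    q = build_query(name, qtype, qid)
    out = {}
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            out["udp"] = parse_reply(s.recv(4096), qid)
    except (OSError, ValueError, struct.error):
        out["udp"] = None
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)  # TCP adds a 2-byte length prefix
            n = struct.unpack("!H", s.recv(2))[0]
            buf = b""
            while len(buf) < n:
                chunk = s.recv(n - len(buf))
                if not chunk:
                    break
                buf += chunk
            out["tcp"] = parse_reply(buf, qid)
    except (OSError, ValueError, struct.error):
        out["tcp"] = None
    return out
```

Call `probe("<your ns ip>", "<your zone>")` from a host outside the LAN; `{'udp': ('NOERROR', True, 1), 'tcp': None}` is the signature of an authoritative server whose 53/TCP path is blocked somewhere, while `('REFUSED', False, 0)` on either transport means the packet reached a server that does not consider itself authoritative for that name.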

Offline infratek

Re: can TinyDNS act as a primary nameserver for an internet domain?
« Reply #12 on: September 11, 2009, 03:11:09 am »
Or maybe that transfers are not allowed with tinydns.

One thing strange in your logs: I don't see any statement about SOA, although it's declared correctly in your data file.
But if I type:
# dig soa myhomelyhacker.com.

There is no answer, as if this domain was not declared on the internet.
Do you have a correct registrar? Sorry for asking such dumb questions, but sometimes the dumbest thing is the one you see last.

Offline SuperK

Re: can TinyDNS act as a primary nameserver for an internet domain?
« Reply #13 on: September 11, 2009, 11:24:06 am »
Quote
The error you posted suggests that 53/TCP is either being filtered by your ISP, not forwarded to TinyDNS or TinyDNS isn't listening on 53/TCP.

My ISP does filter some ports, but to tech support's knowledge they don't filter port 53, only 21, 80, 139 I believe. I specifically asked if 53 was open; he said it should have been but couldn't connect, and forwarded the issue to Tier 2 tech support. Still awaiting a reply.

Quote
Or maybe that transfers are not allowed with tinydns.

One thing strange in your logs: I don't see any statement about SOA, although it's declared correctly in your data file.
But if I type:
# dig soa myhomelyhacker.com.

There is no answer, as if this domain was not declared on the internet.
Do you have a correct registrar? Sorry for asking such dumb questions, but sometimes the dumbest thing is the one you see last.

Zone transfers are allowed with TinyDNS provided you properly configure TinyDNS to do so, which I believe I have.

The registrar is www.namecheap.com. Before this I was using a freedns service which provided proper service and all dns queries were accepted perfectly.

BUT I just got off the phone with Tier 2; I got fed up of waiting and called back. They filter out requests on port 53. It's funny though, because they must have JUST started doing that. When I first started doing tests I could receive connections on 53, and yesterday I tried and I can't. I went to GRC.com and ran ShieldsUP, and it said the port was OPEN, but I am guessing that's internal to the LAN versus external.

So I guess I will just have to wait until my business package is installed sometime today and have my ports unblocked.

Judging from my config file, and assuming that I have TCP/UDP 53 open, there should be no further issues with this right?

Offline danswartz

Re: can TinyDNS act as a primary nameserver for an internet domain?
« Reply #14 on: October 23, 2009, 06:43:37 pm »
Although Havok is right technically, in practice end-users almost never need to do TCP/DNS, since it is only for zone transfers or packets too large to fit into a datagram (highly unusual).