Help! DNS for new server not working...

AARRRGH

Hello

I really hope someone can help me with this. I have been trying to sort it out for days. I am going insane.

I recently got a new server.

This is the setup on my old server:

My server is also my nameserver. This means hostago.com and ns1.hostago.com are both on the same server. This works fine. I do not need glue records. It just works.

(Note the reason I have this weird setup is because I have many domains, and updating the nameserver records every time I move host - especially for many .ie domains - is a pain in the arse.)

My new server:

I want the same setup. Unfortunately it is not working.

When I update the nameserver IP's at my registrar (eNom) my websites just become unavailable. Ping errors are things like error 11004.

Three independent engineers have looked at my DNS and say everything is set up fine. They say there is a firewall (or something like that) blocking my server from working properly at the data centre.

The data centre engineers say the DNS was not fine and that I need glue records for this to work. The three engineers I used previously say this is not true.

eNom say I do not need glue records and that there is something wrong at the data centre stopping this from working.

AARRRGH.

Everyone is saying something different. I don't care who is right or wrong or lying or whatever. I just want this to work.

Does anyone have any practical advice I can use to sort this out? I fear this is going to drag on for days or weeks.

Thanks very much for reading.

steve-hosting36

When you say 'stopping this from working' - what exactly isn't working?

mneylon

Try zonecheck.fr to get a proper diagnostic of the DNS

AARRRGH

steve-hosting36 wrote: »

When you say 'stopping this from working' - what exactly isn't working?

When I update the nameserver IPs at my registrar, my websites become unreachable. I have spoken to many independent engineers about this and they say it has nothing to do with glue records. The problem is either my server or the data centre.

blacknight wrote:

Try zonecheck.fr to get a proper diagnostic of the DNS

Thanks, I gave that a try.

It seems port 53 is unreachable. I've had someone look at my server and port 53 is listening, bind is running, and there is no firewall on my server blocking access to this port.

Weird.

ecodub

Here is a good site to sort out that stuff

http://www.dnsstuff.com/

steve-hosting36

When you change the IP address of a domain, it can take up to 24 hours to propagate that change - when you change the IP of a nameserver it can take significantly longer (up to a week sometimes).

This is due to the fact that most registries cache the addresses for Nameservers longer than for regulaqr records, as they don't expect them to change very often.

As long as the old DNS server and the new DNS server contain identical records (all pointing at the new server) you should be ok with the propagation and your users shouldnt notice any downtime.

AARRRGH

Well wouldn't the caching be pointing to my old server, which is still active?

When you look at this -

http://www.zonecheck.fr/cgi-bin/zc.cgi?zone=jobseeker.ie&ns0=ns1.hostago.com&ips0=84.51.251.243&ns1=ns2.hostago.com&ips1=84.51.251.244&ns2=&ips2=&ns3=&ips3=&ns4=&ips4=&ns5=&ips5=&ns6=&ips6=&ns7=&ips7=&intro=t&explain=t&details=t&progress=counter&report=byseverity&format=html&lang=en&errorlvl=&profile=automatic&chkmail=t&chkzone=t&chkrir=t&transp3=ipv4&transp3=ipv6&transp4=std

- you can see port 53 isn't reachable.

However, it is listening -

[root@server ~]# netstat -an|grep tcp|grep :53
tcp 0 0 84.51.251.244:53 0.0.0.0:* LISTEN
tcp 0 0 84.51.251.243:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN

Bind is running, and turning off the servers firewall makes no difference.

jmcc

dublindude wrote: »

It seems port 53 is unreachable. I've had someone look at my server and port 53 is listening, bind is running, and there is no firewall on my server blocking access to this port.

The nameservers are not answering for NS or SOA. Are you changing the zonefile manually or using a control panel?

Regards...jmcc

AARRRGH

jmcc wrote: »

The nameservers are not answering for NS or SOA. Are you changing the zonefile manually or using a control panel?

Regards...jmcc

I haven't made the changes myself. However I've had 6 engineers look at my server at this stage so everything should be configured fine...

jmcc

dublindude wrote: »

I haven't made the changes myself. However I've had 6 engineers look at my server at this stage so everything should be configured fine...

Try 'dig -taxfr hostago.com @ns1.hostago.com' on the server if you can and see if it is getting a full zone back. Also check the serial at the top of the SOA. (dig -tsoa hostago.com @ns1.hostago.com). Then use host -C hostago.com (from the server).

Regards...jmcc

jmcc

dublindude wrote: »

Thanks jmcc.

Here you go -

Right it seems to be working internally. It may be a firewall issue as packets going to the DNS port might be being dropped. Is iptables active on the box?

Regards...jmcc

AARRRGH

Hey

I just tried this -

[root@server ~]# service apf stop
Stopping APF: [ OK ]
[root@server ~]# service iptables stop
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter [ OK ]
Unloading iptables modules: [ OK ]

And then checked -

http://www.zonecheck.fr/cgi-bin/zc.cgi?zone=jobseeker.ie&ns0=ns1.hostago.com&ips0=84.51.251.243&ns1=ns2.hostago.com&ips1=84.51.251.244&ns2=&ips2=&ns3=&ips3=&ns4=&ips4=&ns5=&ips5=&ns6=&ips6=&ns7=&ips7=&intro=t&explain=t&details=t&progress=counter&report=byseverity&format=html&lang=en&errorlvl=&profile=automatic&chkmail=t&chkzone=t&chkrir=t&transp3=ipv4&transp3=ipv6&transp4=std

Exact same problem...

AARRRGH

According to an engineer in the US -

"I tested and your server is answering on port 53 from outside, and the firewall is allowing connections on port 53 "

WTF...

Webmonkey

dublindude wrote: »

According to an engineer in the US -

"I tested and your server is answering on port 53 from outside, and the firewall is allowing connections on port 53 "

WTF...

So Bind is actually responding? Rather strange alright that it works for them...

http://www.dollardns.net/cgi-bin/dnscrawler/index.pl?server=ns1.hostago.com&proto=tcp&name=ns1.hostago.com&type=ANY&class=IN&lr=12&submit=Send+Query#report

Response here as well but its running on TCP. I will admit I havn't much experience with DNS but don't most requests work on UDP?

AARRRGH

What I think they mean is they did some test on my server to make sure the port is open to the outside world...

jmcc

Webmonkey wrote: »

So Bind is actually responding? Rather strange alright that it works for them...

http://www.dollardns.net/cgi-bin/dnscrawler/index.pl?server=ns1.hostago.com&proto=tcp&name=ns1.hostago.com&type=ANY&class=IN&lr=12&submit=Send+Query#report

Response here as well but its running on TCP. I will admit I havn't much experience with DNS but don't most requests work on UDP?

That's exactly what's wrong. The AXFR is done over TCP but the normal queries are over UDP. It may be a problem in the afp configuration but I am not familar with its configuration.

Regards...jmcc

AARRRGH

Do you mean apf rather than afp?

I've shut down apf and the problem still exists...

jmcc

dublindude wrote: »

Do you mean apf rather than afp?

I've shut down apf and the problem still exists...

The firewall program (apf). Something is probably blocking the udp DNS queries. The US engineer may have only done an AXFR rather than a lookup. Stopping iptables may be wrong. It may be doing some NATing. You need someone who knows more about iptables. It might be best to restore it to the initial state and get an engineer at the data centre to take a look at it.

Regards...jmcc

AARRRGH

jmcc - if it's any use, I can give you root access to my server and you can have a look?

flamegrill

Is it redhat type OS?

do chkconfig iptables off, chkconfig apf off

reboot the box, just to make sure everything is clear.

Paul

mneylon

You're offering a random user on a bulletin board root access to your server?

Are you insane????

flamegrill

Jmcc isn't random

Paul

flamegrill

Also I'll sort the issue if you want. For free!!!!

AARRRGH

blacknight wrote:

You're offering a random user on a bulletin board root access to your server?

Are you insane????

flamegrill wrote: »

Jmcc isn't random

Paul

Exactly. It is obvious from boards.ie he is not some dodgy hacker...

AARRRGH

flamegrill wrote: »

Is it redhat type OS?

do chkconfig iptables off, chkconfig apf off

reboot the box, just to make sure everything is clear.

Paul

OK, tried this. Same problem unfortunately...

jmcc

dublindude wrote: »

jmcc - if it's any use, I can give you root access to my server and you can have a look?

It is best to get the local engineers to take a look at it as they would be more familiar with the distro and what is installed on it than I would be.

Regards...jmcc

AARRRGH

jmcc wrote: »

It is best to get the local engineers to take a look at it as they would be more familiar with the distro and what is installed on it than I would be.

Regards...jmcc

No worries. I've been trying that for a few days though

flamegrill

dublindude pm me access details and ill take a look

jmcc

flamegrill wrote: »

Jmcc isn't random

Yeah. I'm just a statistical oddity.

Regards...jmcc

mneylon

jmcc wrote: »

Yeah. I'm just a statistical oddity.

Regards...jmcc

Not exactly the words I used

AARRRGH

Thanks Paul, just sent you on the details there.

Cheers!