# NSD DNS server in FreeBSD 10



## samsam9988 (May 15, 2015)

I have set up NSD in FreeBSD 10; it is listening on the public IP address only. When I ping its domain names from another ISP network, only www.*.com works, but the others fail with the error message

```
Host name lookup failed
```

Here is nsd configuration:

nsd.conf:

```
server:
  # this is the IP address it will listen on for DNS requests
  # change this to the public-facing IP address of your VPS
  ip-address: 59.167.161.242
  #ip-address: 192.168.1.254
  #ip-address: 192.168.2.254
  #ip-address: 192.168.5.254
  #ip-address: 127.0.0.1

  # listen on IPv6 connections
  do-ip6: no


  # no need to tell people what version we're running
  hide-version: yes

  # the database to use
  #database: "/var/lib/nsd/nsd.db"

  # Maximum number of concurrent TCP connections per server.
  # This option should have a value below 1000.
  tcp-count: 10

  # Maximum number of queries served on a single TCP connection.
  # By default 0, which means no maximum.
  tcp-query-count: 0

  # Override the default (120 seconds) TCP timeout.
  tcp-timeout: 60

  # zonefile: to store pid for nsd in.
  pidfile: "/var/run/nsd/nsd.pid"

  # log file
  logfile: "/var/log/nsd.log"
  # Number of NSD servers to fork.
  server-count: 1

# we'll use a separate "zone list" file to make rsync easier
include: "/usr/local/etc/nsd/zones/zone_list.conf"
```

zone_list.conf:

```
zone:
  name: iextentco.com
  zonefile: /usr/local/etc/nsd/zones/iextentco.com
```

iextentco.com file:

```
@  IN  SOA  ns1.iextentco.com. admin.iextentco.com. (
  2015051511  ; serial number
  28800  ; Refresh
  7200  ; Retry
  864000  ; Expire
  86400  ; Min TTL
  )

  IN  NS  ns1.iextentco.com.

ns1  IN  A  59.167.161.242
www  IN  A  150.101.123.162
jboss  IN  A  150.101.123.162
mail  IN  A  59.167.161.242

; MX Record
; mail.iextentco.com.  14400  IN  MX  10 mail
*.iextentco.com.  3600 IN  MX 10 mail.iextentco.com.
```

For example, `ping www.iextentco.com` works,
but pinging other names fails with hostname not found, e.g.:

```
ping ns2.iextentco.com
ping: cannot resolve ns1.iextentco.com: Host name lookup failured.
ping jboss.iextentco.com
ping: cannot resolve jboss.iextentco.com: Host name lookup failured.
ping mail.iextentco.com
ping: cannot resolve mail.iextentco.com: Host name lookup failured.
```
Any help is much appreciated.
Thanks
Sam


----------



## SirDice (May 15, 2015)

Your servers aren't authoritative for the iextentco.com domain. You need to fix the whois information so it points to the correct servers.


----------



## samsam9988 (May 15, 2015)

SirDice said:


> Your servers aren't authoritative for the iextentco.com domain. You need to fix the whois information so it points to the correct servers.


Hi, I thought I had set up the correct NS records at my domain registrar?

Here is what I got from whois:

```
Name Server: NS2.IEXTENTCO.COM
Name Server: NS1.IEXTENTCO.COM
```


----------



## samsam9988 (May 15, 2015)

SirDice said:


> Your servers aren't authoritative for the iextentco.com domain. You need to fix the whois information so it points to the correct servers.


How to fix it?
Thanks
Sam


----------



## samsam9988 (May 15, 2015)

For example, when I `ping ns1.iextentco.com` from another ISP network, `tcpdump` on the DNS server shows the following:


```
tcpdump -vvv -s 0 -l -n -i tun0 port 53
tcpdump: listening on tun0, link-type NULL (BSD loopback), capture size 65535 bytes
23:54:14.775302 IP (tos 0x0, ttl 61, id 22600, offset 0, flags [none], proto UDP (17), length 74)
  150.101.197.132.60635 > 59.167.161.242.53: [udp sum ok] 1875 [1au] A? ns1.iextentco.com. ar: . OPT UDPsize=4096 OK (46)
23:54:14.775418 IP (tos 0x0, ttl 64, id 14863, offset 0, flags [none], proto UDP (17), length 74)
  59.167.161.242.53 > 150.101.197.132.60635: [udp sum ok] 1875 Refused- q: A? ns1.iextentco.com. 0/0/1 ar: . OPT UDPsize=4096 OK (46)
23:54:14.801670 IP (tos 0x0, ttl 61, id 22601, offset 0, flags [none], proto UDP (17), length 74)
  150.101.197.132.6963 > 59.167.161.242.53: [udp sum ok] 33579 [1au] A? ns1.iextentco.com. ar: . OPT UDPsize=4096 OK (46)
23:54:14.801747 IP (tos 0x0, ttl 64, id 14864, offset 0, flags [none], proto UDP (17), length 74)
  59.167.161.242.53 > 150.101.197.132.6963: [udp sum ok] 33579 Refused- q: A? ns1.iextentco.com. 0/0/1 ar: . OPT UDPsize=4096 OK (46)
....
```

Any suggestion?
Thanks.
Sam


----------



## samsam9988 (May 16, 2015)

Here is the result from ifconfig command:


```
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1492
  options=80000<LINKSTATE>
  inet6 fe80::215:17ff:fef2:e591%tun0 prefixlen 64 scopeid 0x11
  inet 59.167.161.242 --> 150.101.199.219 netmask 0xffffffff
  nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
  Opened by PID 1922
```


----------



## gkontos (May 16, 2015)

If tun0 is part of a VPN pseudo interface, then you want to avoid binding your DNS server there. Use your external interface instead. Right now, nothing works:

`gkontos$ dig NS1.IEXTENTCO.COM`

```
; <<>> DiG 9.8.3-P1 <<>> NS1.IEXTENTCO.COM
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54807
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;NS1.IEXTENTCO.COM.     IN     A

;; Query time: 886 msec
;; SERVER: 10.30.1.2#53(10.30.1.2)
;; WHEN: Sat May 16 13:32:20 2015
;; MSG SIZE  rcvd: 35
```


----------



## SirDice (May 18, 2015)

The whois information needs a so-called glue record. Or else you're going to have a chicken-and-egg problem. Both ns1 and ns2 will be resolved by the authoritative nameservers of iextentco.com, which can only be found if you can resolve ns1 and ns2, which need to be resolved by the authoritative nameservers of iextentco.com, and so on. By adding the glue records you're telling the world the specific IP addresses that need to be used.
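The checks that SirDice's glue-record explanation implies, as an added example that is not from the thread: a small Python script that reads a zone file and the registrar's "Name Server:" list (both constructed here from the first post's zone file and whois output) and reports where the two NS sets disagree and which in-bailiwick nameservers have no A/AAAA record for the registrar to publish as glue in the parent zone.

```python
ORIGIN = "iextentco.com"  # zone text and registrar list below are constructed from the thread
ZONE_TEXT = """\
@  IN  SOA  ns1.iextentco.com. admin.iextentco.com. (
  2015051511 28800 7200 864000 86400 )  ; serial refresh retry expire minimum
  IN  NS  ns1.iextentco.com.
ns1  IN  A  59.167.161.242
mail  IN  A  59.167.161.242
*.iextentco.com.  3600 IN  MX 10 mail.iextentco.com.
"""
REGISTRAR_NS = ["NS2.IEXTENTCO.COM", "NS1.IEXTENTCO.COM"]  # the whois "Name Server:" lines

def fqdn(name, origin):
    """'@' and relative names become absolute; lower-case, no trailing dot."""
    name = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
    return name.lower().rstrip(".")

def parse_zone(text, origin):
    """Minimal master-file reader: ';' comments, '( )' continuations, blank owners, TTL/class."""
    buf, depth, owner, blank = [], 0, "@", False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not buf:
            blank = raw[:1].isspace()             # blank owner = previous owner
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth:
            continue                              # still inside ( ... )
        toks, buf = " ".join(buf).split(), []
        if not toks:
            continue
        if not blank:
            owner = toks.pop(0)
        while toks[0].isdigit() or toks[0] == "IN":  # optional TTL and class
            toks.pop(0)
        yield fqdn(owner, origin), toks[0], toks[1:]

def check_delegation(zone_text, origin, registrar_ns):
    """Findings that block a working delegation: NS sets that disagree, and in-bailiwick
    NS names with no address (the registrar needs it to create glue in the parent)."""
    recs = list(parse_zone(zone_text, origin))
    have_addr = {o for o, t, _ in recs if t in ("A", "AAAA")}
    zone_ns = {fqdn(r[0], origin) for o, t, r in recs if t == "NS" and o == origin.lower()}
    reg_ns = {n.lower().rstrip(".") for n in registrar_ns}
    findings = [f"{ns}: listed {'at registrar only' if ns in reg_ns else 'in zone only'}"
                for ns in sorted(zone_ns ^ reg_ns)]
    findings += [f"{ns}: no A/AAAA record in the zone, so no address to register as glue"
                 for ns in sorted(zone_ns | reg_ns)
                 if ns.endswith("." + origin.lower()) and ns not in have_addr]
    return findings
```

Run against the posted data it reports ns2 twice (registrar lists it, the zone neither serves it as NS nor gives it an address); with both fixed in the zone it reports nothing, and the glue itself is still something only the registrar can publish.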


----------



## kpa (May 18, 2015)

samsam9988 said:


> Hi, I thought I had set up the correct NS records at my domain registrar?
> 
> Here is what I got from whois:
> 
> ...



They are not authoritative according to the standard nameserver query:


```
$ dig iextentico.com NS

; <<>> DiG 9.8.3-P1 <<>> iextentico.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 25818
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;iextentico.com.            IN    NS

;; AUTHORITY SECTION:
com.            12    IN    SOA    a.gtld-servers.net. nstld.verisign-grs.com. 1431941024 1800 900 604800 86400

;; Query time: 4 msec
;; SERVER: 10.71.14.1#53(10.71.14.1)
;; WHEN: Mon May 18 12:38:48 2015
;; MSG SIZE  rcvd: 105
```

You need to contact the domain registrar where you got the iextentico.com domain and delegate the domain to your two nameservers (ask your registrar to do this, or follow their instructions on how to do it yourself).

Your domain registrar will then set up what is described here, and your domain will be delegated to your two nameservers:

http://www.zytrax.com/books/dns/ch8/ns.html


----------



## gkontos (May 18, 2015)

kpa, you have a typo: it is _iextentco.com_, not iextentico.com. He switched his DNS settings to the default of his registrar.


----------



## kpa (May 18, 2015)

Oops, yes I see that now...


----------

