# Setting up nameserver - bind



## NuLL3rr0r (Jan 22, 2010)

Hi,

First of all sorry for bad English.

I'm a newcomer to FreeBSD, and I'm going to like it.
Before I tried FreeBSD, I had a Linux VPS (my ISP set it up for me). I decided to drop it in favor of FreeBSD and installed FreeBSD from scratch on VMware ESXi 4.0 (my ISP only offers Linux VPS, but they agreed to let me set it up myself).

The problem is I know nothing about setting up DNS and Nameserver.

I followed this guide to set up the bind nameserver:
http://www.freebsd.org/doc/handbook/network-dns.html


The Server Spec:

```
http://91.194.91.7/
ns1.babaei.net 91.194.90.11
ns2.babaei.net 91.194.90.12
ns3.babaei.net 193.200.241.6
ns4.babaei.net 93.104.209.252
```



I edited /etc/rc.conf:

```
named_enable="YES"
```


/etc/namedb/named.conf

```
zone "babaei.net" {
    type master;
    file "master/babaei.net";
};

zone "1.168.192.in-addr.arpa" {
        type slave;
        file "slave/1.168.192.in-addr.arpa";
        masters {
                192.168.1.1;
        };
};
```


/etc/namedb/master/babaei.net

```
$TTL 3600        ; 1 hour default TTL
babaei.net.    IN      SOA      ns1.babaei.net. root.babaei.net. (
                                2010012208      ; Serial
                                10800           ; Refresh
                                3600            ; Retry
                                604800          ; Expire
                                300             ; Negative Response TTL
                        )

; DNS Servers
                IN      NS      ns1.babaei.net.
                IN      NS      ns2.babaei.net.
                IN      NS      ns3.babaei.net.
                IN      NS      ns4.babaei.net.

; MX Records
                IN      MX 10   mx.babaei.net.
                IN      MX 20   mail.babaei.net.

                IN      A       91.194.91.7

; Machine Names
localhost       IN      A       127.0.0.1
ns1             IN      A       91.194.90.11
ns2             IN      A       93.104.209.252
ns3             IN      A       193.200.241.6
ns4             IN      A       91.194.90.12
mx              IN      A       91.194.91.7
mail            IN      A       91.194.91.7

; Aliases
www             IN      CNAME   babaei.net.
```


/etc/namedb/slave/1.168.192.in-addr.arpa

```
$TTL 3600

1.168.192.in-addr.arpa. IN SOA ns1.babaei.net. root.babaei.net. (
                        2010012208      ; Serial
                        10800           ; Refresh
                        3600            ; Retry
                        604800          ; Expire
                        300 )           ; Negative Response TTL

        IN      NS      ns1.babaei.net.
        IN      NS      ns2.babaei.net.
        IN      NS      ns3.babaei.net.
        IN      NS      ns4.babaei.net.

1       IN      PTR     babaei.net.
2       IN      PTR     ns1.babaei.net.
3       IN      PTR     ns2.babaei.net.
4       IN      PTR     ns3.babaei.net.
5       IN      PTR     ns4.babaei.net.
6       IN      PTR     mx.babaei.net.
7       IN      PTR     mail.babaei.net.
```



```
# named-checkzone babaei.net /etc/namedb/master/babaei.net
zone babaei.net/IN: loaded serial 2010012208
OK

# /etc/rc.d/named reload
// or
# rndc reload
```



When I tried this from the VPS itself:

```
# host -t ns babaei.net
babaei.net name server ns4.babaei.net.
babaei.net name server ns2.babaei.net.
babaei.net name server ns3.babaei.net.
babaei.net name server ns1.babaei.net.
```


I tried this for 5 days, and still I can't browse my website:

http://checkdns.net/quickcheck.aspx?domain=www.babaei.net&detailed=1


```
Tried to fetch SOA record for domain, but DNS server ns1.babaei.net [91.194.90.11] returned error code Refused
Error fetching SOA from ns2.babaei.net [93.104.209.252]: Connection reset. Probably DNS server is offline.
Tried to fetch SOA record for domain, but DNS server ns3.babaei.net [193.200.241.6] returned error code Refused
Tried to fetch SOA record for domain, but DNS server ns4.babaei.net [91.194.90.12] returned error code Refused
```


It's a rock-solid OS and I didn't want to give it up just because I can't set up DNS in bind or my ISP doesn't support FreeBSD.


Thanks in Advance.


----------



## DutchDaemon (Jan 22, 2010)

As far as I can see, your domain registration lacks glue records. Glue records are needed when a domain's nameservers are within that domain. So the problem is that nobody can find the IP address for the nameservers, because there's no way to ask the nameservers for the IP address, because the IP address for the nameservers is not known, making it impossible to find .... you see where this is going? So your domain registration needs to contain the IP addresses for your nameservers as well as their names.


```
Domain servers in listed order:
    ns4.babaei.net
    ns3.babaei.net
    ns2.babaei.net
    ns1.babaei.net
```


```
$ dnscheck -c -r -v -z babaei.net
[   ] /usr/bin/dig +norecurse ns "babaei.net" "@a.root-servers.net"
[net] /usr/bin/dig +norecurse ns "babaei.net" "@h.gtld-servers.net"
      + babaei.net. IN NS ns1.babaei.net. (serial 0)
      + babaei.net. IN NS ns2.babaei.net. (serial 0)
      + babaei.net. IN NS ns3.babaei.net. (serial 0)
      + babaei.net. IN NS ns4.babaei.net. (serial 0)

[   ] /usr/bin/dig ns "babaei.net" "@localhost"
babaei.net (serial 0)
 ns1.babaei.net                    -
 ns2.babaei.net                    -
 ns3.babaei.net                    -
 ns4.babaei.net                    -
```

This may or may not relate to the errors you're experiencing, but it's an error nonetheless.


----------



## NuLL3rr0r (Jan 22, 2010)

Thanks for the answer.

Well, this is the first time I've heard of glue records, but from what I read and understood, a glue record is simply an IP:

http://en.wikipedia.org/wiki/Domain_Name_System#Circular_dependencies_and_glue_records
http://faq.domainmonster.com/dns/glue_record/

I checked my Domain Panel on Directi and found each dns registered with an IP address (If I'm not wrong, a glue record). My ISP did that for me.

I attached a pic that shows each DNS server and its registered IP.

The problem is that my ISP's technical support knows nothing about BSD, and usually they set up DNS with web interfaces like cPanel or Webmin.

I'm not sure about my config files. Are the syntax and setup OK?
If I'm sure about that, then I can ask them for help (maybe something on their side is wrong).


However thanks for responding.


----------



## NuLL3rr0r (Feb 5, 2010)

Finally it works:

I just changed everything to the VPS IP itself:


```
ns1             IN      A       91.194.91.7
ns2             IN      A       91.194.91.7
ns3             IN      A       91.194.91.7
ns4             IN      A       91.194.91.7
```

(This was done in the domain panel also.)


I also needed to change this line in

/etc/namedb/named.conf

```
//     listen-on       { 127.0.0.1; };
// Changed to:
        listen-on       { 91.194.91.7; };
```

or it simply doesn't work.


I added this to

/etc/rc.conf

```
sendmail_enable="YES"
```

or I'll get:

```
error connecting to mail server port 25 : connection refused.
```


I'm still waiting for the DNS databases across the Net to update.

```
http://checkdns.net/quickcheck.aspx?domain=www.babaei.net&detailed=1
```



That's a shame!! They told me these IPs are authoritative for my domain, but they're not. I think these are my ISP's DNS servers, since I can browse them in a browser. I really don't know how they can handle this, but I'm happy for now.


----------



## Alt (Feb 5, 2010)

You must add allow-query for the whole world if this server answers for the domain zone.


----------



## NuLL3rr0r (Feb 6, 2010)

> You must add allow-query for the whole world if this server answers for the domain zone.




Thanks for the tip. But as you can see here
http://student.ing-steen.se/unix/named.conf.html
it says:


> allow-query
> Specifies which hosts are allowed to ask ordinary questions. The allow-query option may also be specified in the zone statement, in which case it overrides the options allow-query statement. If not specified, the default is to allow queries from all hosts.



As it says, I think this is the default option for all zones:

```
allow-query { any; };
```

Now it just works fine.

I also found this nice brief tip for securing bind:
http://www.cyberciti.biz/tips/howto-restrict-unauthorized-zone-transfers-dns-bind.html

As a good security practice I'm going to try this.
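For reference, here is an added example of the `options` and `zone` statements for an authoritative-only BIND 9 server on FreeBSD, pulling together the `listen-on` and `allow-query` points from this thread and the zone-transfer restriction from the tip linked above. It is not the original poster's configuration: 91.194.91.7 is the VPS address from the thread, and 192.0.2.53 is a placeholder for a real secondary server that the thread does not have.

```conf
// Added example, not the poster's own named.conf. Drop these into the
// existing options block; directory/pid-file settings are left as FreeBSD
// ships them.
options {
        // Bind the public address (the fix from this thread) and keep
        // loopback so local tools such as host(1) and rndc keep working.
        listen-on       { 127.0.0.1; 91.194.91.7; };

        // Authoritative data must be answerable from anywhere. This is also
        // BIND's default when allow-query is not set, so a REFUSED answer
        // usually means a narrower allow-query or listen-on elsewhere.
        allow-query     { any; };

        // Only the box itself may use this server as a recursive resolver
        // (the thread points resolv.conf at it). Recursion for the whole
        // world would make it an open resolver usable for amplification.
        allow-recursion { 127.0.0.1; };

        // No zone transfers by default; each zone grants its own.
        allow-transfer  { none; };
};

zone "babaei.net" {
        type master;
        file "master/babaei.net";
        // Per-zone allow-transfer overrides the global one. 192.0.2.53 is a
        // placeholder for a real secondary; with no secondary, omit it.
        allow-transfer  { 192.0.2.53; };
        notify yes;
};
```

After editing, `named-checkconf /etc/namedb/named.conf` validates the syntax before a `rndc reload`, which the thread already uses.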


----------



## Alt (Feb 6, 2010)

Dunno what's default, I just see the error "returned error code Refused" in your logs xD


----------



## NuLL3rr0r (Feb 8, 2010)

Well!!

I just listened to your advice and put allow-query in every zone in named.conf.

If I used a nameserver other than 91.194.91.7 in resolv.conf, the DNS query failed. But with allow-query set to any, now I can use any nameserver I want in resolv.conf.

Thanks
for the advice.


----------

