Date:      Fri, 20 Mar 1998 13:26:15 -0800 (PST)
From:      Studded <Studded@dal.net>
To:        Robert Ricci <rricci@NS3.theonlynet.com>
Cc:        FreeBSD ISP <freebsd-isp@FreeBSD.ORG>
Subject:   Re: Funky DNS
Message-ID:  <Pine.BSF.3.96.980320123802.4906A-100000@dt050n33.san.rr.com>
In-Reply-To: <35129073.24352D59@theonlynet.com>

On Fri, 20 Mar 1998, Robert Ricci wrote:

> I'm having some VERY strange things going on with DNS. We recently moved
> our server (running 2.2.1), and now it has a different IP address. After
> changing around things in our zone file, things worked great for a day,
> then strange things started happening:

	I think someone else already addressed the fact that the new thing
wasn't working; the old thing hadn't stopped working yet. Before I get
started, I should warn you to brace yourself. You have a lot of problems
with your dns setup. I *strongly* recommend that you pick up the book DNS
and BIND, Second edition from O'Reilly and Associates. It's a requirement
for anyone who does DNS.

> 	1) Many of our customers (who use ns3.theonlynet.com for their name
> server) have reported that their web browsers work fine, but their mail
> programs get a DNS error when trying to look up mail.theonlynet.com,
> which is a CNAME for ns3. 

	Never ever use a cname in an mx record. Instead, make an A record
for mail like this:

mail 	IN	A	207.201.125.66

> Typing "mail.theonlynet.com" in the URL line
> of Netscape brings up our home page correctly. (www, ftp, mail, etc. are
> CNAMES for ns3 - we're pretty small.) If they have them enter the actual
> IP of the server in their mail settings, everything pops up fine. Why
> will Netscape do DNS lookups when Eudora won't?

	It did do the lookup, and it got an error. Eudora is working just
like it should.

> 	2) When I try to use "nslookup" from my home FreeBSD machine,

	If you're going to do DNS on a professional level, learn how to use
dig and host. Nslookup is not very useful; however, it did help you find an
error in this case. :)

> I get the
> error message :"*** Can't find server name for address 201.201.125.66:
> Non-existent host/domain"

	This error means that that IP address does not reverse resolve.
Look it over carefully. I think the first 201 should be a 207. However,
that won't solve the problem since 207.201.125.66 doesn't resolve either.
You don't have PTR records for that in-addr.arpa address. The
125.201.207.in-addr.arpa domain is being operated by celestar.com which
looks like your upstream provider. You need to get them to set up PTR
records for you or delegate your netblock to you. 

> and it falls back on another name server.
> (207.201.125.66 is ns3's IP) However, like our customers, Netscape will
> do DNS lookups just fine, using that server.

	You've uncovered one of nslookup's deficiencies. :) Unfortunately
your bad news isn't over. Your NS records with internic look out of date. 

   Domain servers in listed order:

   NS1.THEONLYNET.COM           206.29.203.3
   NS2.THEONLYNET.COM           206.29.203.1
   NS3.THEONLYNET.COM           207.201.125.66

	I can't reach either of the first two servers. 

 6  mci-sca-billing-eli.Seattle.mci.net (166.48.204.6)  146.147 ms  139.266 ms  136.126 ms
 7  * * mci-sca-billing-eli.Seattle.mci.net (166.48.204.6)  168.984 ms !H
 8  * * mci-sca-billing-eli.Seattle.mci.net (166.48.204.6)  239.229 ms !H

	Now, it looks like someone is taking a look at your zone files as
I write this since the first line of your SOA just changed from
theonlynet.com. 3600    SOA     theonlynet.com. ns3.theonlynet.com. (

to

theonlynet.com. 3600 SOA ns3.theonlynet.com. sysadmin.ns3.theonlynet.com.

Now replace that 3600 with IN and you're in business. :) However you don't
have any NS records at all, which is a problem.

> Where should I be looking to find a solution for this?

	This is a good place. You should also consider hiring someone to
deal with this. 

>  By the way, we're
> running 4.9.4 (I'd appreciate any thoughts on how easy it is to upgrade
> to 8). 

	You should place a HIGH priority on upgrading to 2.2.5-Release as
soon as possible, and 2.2.6-Release as soon as it's available. This will
upgrade your Bind to 4.9.6 which will close the huge security hole that
you have now, and improve your OS situation as well. Don't even consider
upgrading to bind 8 until your zones are straightened out. You would be
adding an unnecessary level of complexity otherwise.

> Since this odd behavior started, the following line's been
> showing up in /var/log/messages every time I start named:
> Mar 20 08:52:58 ns3 named[7825]: Return from getdtablesize() >
> FD_SETSIZE

	The kernel is not configured to handle the load you're putting on
it. Once you upgrade to 2.2.5 you should increase the number of maxusers
in your kernel and recompile it. 

	I hope it's not considered crass for me to offer professional
services on this list, but if you don't have any local help that you have
confidence in please feel free to respond to me privately and we can
discuss terms. 

Good luck,

Doug

-- 
***         Chief Operations Officer, DALnet IRC network       ***
*** Proud operator, designer and maintainer of the world's largest
*** Internet Relay Chat server.  5,328 clients and still growing.
*** Try spider.dal.net on ports 6662-4    (Powered by FreeBSD)
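Added example, not part of the thread: a small Python lint over a constructed zone file that catches the three zone problems the reply names, the "3600" sitting where the IN class belongs in the SOA, an MX whose target is a CNAME, and a zone with no NS records at all. The names and address are the ones quoted in the message; the zone text itself is constructed.

```python
RR_TYPES = {"SOA", "NS", "MX", "A", "CNAME", "PTR"}
ORIGIN = "theonlynet.com."
# Constructed sample zone reproducing the thread's defects: '3600' sitting
# where the IN class belongs, an MX that points at a CNAME, and no NS records.
BROKEN_ZONE = """\
theonlynet.com.  3600  SOA  ns3.theonlynet.com. sysadmin.ns3.theonlynet.com. (
                 1998032001 3600 900 604800 86400 )
theonlynet.com.  IN  MX     10 mail.theonlynet.com.
ns3              IN  A      207.201.125.66
mail             IN  CNAME  ns3
"""
# The same zone with the fixes from the reply applied (IN class, A for mail, NS).
FIXED_ZONE = (BROKEN_ZONE.replace("3600  SOA", "IN    SOA")
              .replace("IN  CNAME  ns3", "IN  A      207.201.125.66")
              + "theonlynet.com.  IN  NS     ns3.theonlynet.com.\n")

def absolute(name, origin):
    """Qualify a zone-file name; a trailing dot means it is already absolute."""
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, class_slot, rrtype, rdata); class_slot is whatever token precedes the type."""
    records, in_parens = [], False
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if not fields:
            continue
        if in_parens:  # inside a multi-line SOA: skip until the closing paren
            in_parens = ")" not in line
            continue
        in_parens = "(" in line and ")" not in line
        type_idx = next(i for i, f in enumerate(fields) if f in RR_TYPES)
        class_slot = fields[type_idx - 1] if type_idx >= 2 else None
        records.append((absolute(fields[0], origin), class_slot,
                        fields[type_idx], fields[type_idx + 1:]))
    return records

def lint(text, origin):
    """Report the three zone problems called out in the thread."""
    recs = parse_zone(text, origin)
    cnames = {owner for owner, _, t, _ in recs if t == "CNAME"}
    findings = []
    for owner, class_slot, rtype, rdata in recs:
        if rtype == "SOA" and class_slot != "IN":
            findings.append(f"SOA {owner}: class field is {class_slot!r}, expected IN")
        if rtype == "MX" and absolute(rdata[-1], origin) in cnames:
            findings.append(f"MX {owner} -> {rdata[-1]} is a CNAME; use an A record")
    if not any(t == "NS" and owner == origin for owner, _, t, _ in recs):
        findings.append(f"no NS records for {origin}")
    return findings
```

Running `lint(BROKEN_ZONE, ORIGIN)` yields the three findings; `lint(FIXED_ZONE, ORIGIN)` yields none.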
