Properly setting up DNS and MX

[Chodid]

Hello,

while trying to resolve another problem it came up that my DNS and MX records aren't properly set up. In order not to mess up the already log-filled thread I hope it's ok if a start another one for that problem.

First the outputs of some commands:

cat /etc/hosts

Code:

zimbra@srvXXXX:~$ cat /etc/hosts
127.0.0.1	localhost.localdomain	localhost
95.xxx.xx.xx	srvXXXX.provider.tld	srvXXXX

cat /etc/resolv.conf

Code:

zimbra@srvXXXX:~$ cat /etc/resolv.conf
nameserver 95.xxx.xx.xx

dig domain.net mx

Code:

root@srvXXXX:~# dig domain.net

; <<>> DiG 9.4.2-P2 <<>> domain.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18276
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;domain.net.			IN	A

;; Query time: 0 msec
;; SERVER: 95.XXX.XX.XX#53(95.XXX.XX.XX)
;; WHEN: Tue May 18 12:56:45 2010
;; MSG SIZE  rcvd: 28

dig domain.net any

Code:

root@srvXXXX:~# dig domain.net any

; <<>> DiG 9.4.2-P2 <<>> domain.net any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 18697
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;domain.net.			IN	ANY

;; Query time: 0 msec
;; SERVER: 95.XXX.XX.XX#53(95.XXX.XX.XX)
;; WHEN: Tue May 18 12:58:01 2010
;; MSG SIZE  rcvd: 28

dig domain.de mx

Code:

root@srvXXXX:~# dig domain.de mx

; <<>> DiG 9.4.2-P2 <<>> domain.de mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1597
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;domain.de.			IN	MX

;; Query time: 0 msec
;; SERVER: 95.XXX.XX.XX#53(95.XXX.XX.XX)
;; WHEN: Tue May 18 12:59:10 2010
;; MSG SIZE  rcvd: 27

dig domain.de any

Code:

root@srvXXXX:~# dig domain.de any

; <<>> DiG 9.4.2-P2 <<>> domain.de any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36881
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;domain.de.			IN	ANY

;; Query time: 0 msec
;; SERVER: 95.XXX.XX.XX#53(95.XXX.XX.XX)
;; WHEN: Tue May 18 12:59:55 2010
;; MSG SIZE  rcvd: 27

hosts `hostname`

Code:

zimbra@srvXXXX:~$ host `hostname`
srvXXXX.domain.tld has address 95.xxx.xx.xx

nslookup domain.net

Code:

root@srvXXXX:~# nslookup domain.net
Server:		95.XXX.XX.XX
Address:	95.XXX.XX.XX#53

** server can't find domain.net: SERVFAIL

nslookup domain.de

Code:

root@srvXXXX:~# nslookup domain.de 
Server:		95.XXX.XX.XX
Address:	95.XXX.XX.XX#53

** server can't find domain.de: SERVFAIL

Here the configuration files:

/etc/bind/named.conf.options

Code:

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you might need to uncomment the query-source
        // directive below.  Previous versions of BIND always asked
        // questions using port 53, but BIND 8.1 and later use an unprivileged
        // port by default.

        // query-source address * port 53;

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

         forwarders {
         80.XXX.XXX.XXX; 145.XXX.XXX.XXX;
         };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

/etc/resolv.conf (Die IP ist die externe ServerIP)

Code:

Nameserver 95.XXX.XX.XX

/etc/bind/named.conf.local

Code:

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

        zone "domain.net" {
                type master;
                file "/etc/bind/db.domain.net";
        };

        zone "domain.de" {
                type master;
                file "/etc/bind/db.domain.de";
        };

        # Reverse DNS
        zone "XX.XX.XXX.95.in-addr.arpa" {
                type master;
                file "/etc/bind/zones/rev.0.168.192.in-addr.arpa";
        };

/etc/bind/db.domain.net

Code:

;
; BIND data file for domain.net
;
$TTL    604800
@       IN      SOA     mail.domain.net. admin.domain.net. (
                         070725         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800         ; Negative Cache TTL
                        )
;
@       IN      NS      mail
        IN      MX      srvXXXX.provider.tld
        IN      A       95.XXX.XX.XX
mail    IN      A       95.XXX.XX.XX

/etc/bind/db.domain.de

Code:

;
; BIND data file for domain.de
;
@       IN      SOA     mail.domain.de. admin.domain.de. (
                         070725         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800         ; Negative Cache TTL
                        )
;
@       IN      NS      mail
        IN      MX      srvXXXX.provider.tld
        IN      A       95.XXX.XX.XX
mail    IN      A       95.XXX.XX.XX

/etc/hosts

Code:

127.0.0.1       localhost.localdomain   localhost
95.XXX.XX.XX    srvXXXX.provider.tld       srvXXXX

Thanks a lot in advance for any help.
Best regards

[phoenix]

So what exactly is the domain name on your server, you seem to be using three different ones? WHy are you using "provider.tld" when it should be your domain name.

These redords:

Code:

        IN      MX      srvXXXX.provider.tld
        IN      A       95.XXX.XX.XX
mail    IN      A       95.XXX.XX.XX

should look like this:

Code:

        IN      MX      srvXXXX.provider.tld.
        IN      A       95.XXX.XX.XX
srvXXXX.provider.tld.    IN      A       95.XXX.XX.XX

Note the additional period '.' at the end of the FQDN and I prefer the A record to have the full FQDN of the server. These instructions are documented in the Split DNS article in the wiki.

[Chodid]

I have 2 domains - domain.net and domain.de which I wanted both to lead to zimbra. The third domain is the domain the provider gave me for the server, to be quite honest I don't know why I left it in the configuration, probuably because I'm still not familiar enough with everything around the IP and Domain Setup - but I changed that now and substituted it with the proper domain names.
What I did now was change:

/etc/bind/db.domain.net

Code:

;
; BIND data file for domain.net
;
$TTL    604800
@       IN      SOA     mail.domain.net. admin.domain.net. (
                         100519         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800         ; Negative Cache TTL
                        )
;
@       IN      NS      mail
        IN      MX      domain.net.
        IN      A       95.XXX.XX.XX
domain.net.    IN      A       95.XXX.XX.XX

db.domain.de

Code:

;
; BIND data file for domain.de
;
@       IN      SOA     mail.domain.de. admin.domain.de. (
                         100519         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800         ; Negative Cache TTL
                        )
;
@       IN      NS      mail
        IN      MX      domain.de.
        IN      A       95.XXX.XX.XX
domain.de.    IN      A       95.XXX.XX.XX

and /etc/hosts

Code:

127.0.0.1       localhost.localdomain   localhost
95.XXX.XX.XX    mail.domain.net         mail

I increased the serial numbers and restarted bind but I still don't get proper MX results for "dig domain.net":

Code:

root@srvXXXX:~# dig domain.net

; <<>> DiG 9.4.2-P2 <<>> domain.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31981
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;domain.net.			IN	A

;; Query time: 0 msec
;; SERVER: 95.XXX.XX.XX#53(95.XXX.XX.XX)
;; WHEN: Wed May 19 10:52:11 2010
;; MSG SIZE  rcvd: 28

Is it possible that there is a mistake in the zone configuration for the 2 domains?
Thanks for all the help so far.

[uxbod]

Code:

;
; BIND data file for domain.net
;
$TTL    604800
@       IN      SOA     mail.domain.net. admin.domain.net. (
                         100519         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800         ; Negative Cache TTL
                        )
;
@       IN      NS      mail
        IN      MX      mail
mail    IN      A       95.XXX.XX.XX
        IN      A       95.XXX.XX.XX

and for domain.de point the MX record at mail.domain.net. as that is the primary serving Zimbra.

[Chodid]

I adjusted the files:

db.domain.net

Code:

;
; BIND data file for domain.net
;
$TTL    604800
@       IN      SOA     mail.domain.net. admin.domain.net. (
                         100520         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800         ; Negative Cache TTL
                        )
;
@       IN      NS      mail
        IN      MX      mail
mail    In      A       95.XXX.XX.XX
        IN      A       95.XXX.XX.XX

db.domain.de

Code:

;
; BIND data file for domain.de
;
@       IN      SOA     mail.domain.de. admin.domain.de. (
                         100520         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800         ; Negative Cache TTL
                        )
;
@       IN      NS      mail
        IN      MX      mail.domain.net.
mail    IN      A       95.XXX.XX.XX
        IN      A       95.XXX.XX.XX

restarted bind, dig record still looks like this:

Code:

root@srvXXXX:~# dig domain.net

; <<>> DiG 9.4.2-P2 <<>> domain.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56604
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;domain.net.			IN	A

;; Query time: 0 msec
;; SERVER: 95.XXX.XX.XX#53(95.XXX.XX.XX)
;; WHEN: Wed May 19 11:32:56 2010
;; MSG SIZE  rcvd: 28

[phoenix]

Make the following changes, these lines:

Code:

@       IN      NS      mail
        IN      MX      mail.domain.net.
mail    IN      A       95.XXX.XX.XX
        IN      A       95.XXX.XX.XX

to this:

Code:

@       IN      NS      x.x.x.x <- IP address of server (never use the hostname)
        IN      MX      mail.domain.net.
mail.domain.net.    IN      A       95.XXX.XX.XX
        IN      A       95.XXX.XX.XX

When you've done that and restarted bind post the output of all the commands I asked your for earlier.

[uxbod]

For reference there is no need to specify the FQDN for MX or A records when you wish to use the domain of the zone. For which the domain.net you can set either

Code:

IN MX mail

or

Code:

IN MX mail.domain.net.

As Phoenix has said the '.' is very important if using the second scheme. For domain.de you would always need to specify the FQDN so that it can find mail.domain.net. With regards to why your dig was not reporting anything is due to you not saying what to look for eg. dig domain.net mx

[Chodid]

I decided to go with mail.domain.net. if it works both ways then i'd rather have the files similar for simplicity.

db.domain.net

Code:

;
; BIND data file for domain.net
;
$TTL    604800
@       IN      SOA     mail.domain.net. admin.domain.net. (
                         100522         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800         ; Negative Cache TTL
                        )
;
@       IN      NS      95.XXX.XX.XX
        IN      MX      mail.domain.net.
mail.domain.net.    IN      A       95.XXX.XX.XX  
        IN      A       95.XXX.XX.XX

db.domain.de

Code:

;
; BIND data file for domain.de
;
@       IN      SOA     mail.domain.de. admin.domain.de. (
                         100523         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800         ; Negative Cache TTL
                        )
;
@       IN      NS      95.XXX.XX.XX
        IN      MX      mail.domain.net.
mail.domain.net.    IN      A       95.XXX.XX.XX
        IN      A       95.XXX.XX.XX

@phoenix I read back but couldn't find you asking for any commands? But if you ment the "dig mx/any" commands:

dig domain.net mx

Code:

root@srvXXXX:~# dig domain.net mx

; <<>> DiG 9.4.2-P2 <<>> domain.net mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62095
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;domain.net.			IN	MX

;; Query time: 0 msec
;; SERVER: 95.XXX.XX.XX#53(95.XXX.XX.XX)
;; WHEN: Wed May 19 13:41:02 2010
;; MSG SIZE  rcvd: 28

dig domain.net any

Code:

root@srvXXXX:~# dig domain.net any

; <<>> DiG 9.4.2-P2 <<>> domain.net any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15690
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;domain.net.			IN	ANY

;; Query time: 0 msec
;; SERVER: 95.XXX.XX.XX#53(95.XXX.XX.XX)
;; WHEN: Wed May 19 13:41:28 2010
;; MSG SIZE  rcvd: 28

dig domain.de mx

Code:

root@srvXXXX:~# dig domain.de mx

; <<>> DiG 9.4.2-P2 <<>> domain.de mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55811
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;domain.de.			IN	MX

;; Query time: 0 msec
;; SERVER: 95.XXX.XX.XX#53(95.XXX.XX.XX)
;; WHEN: Wed May 19 13:42:01 2010
;; MSG SIZE  rcvd: 27

dig domain.de any

Code:

root@srvXXXX:~# dig domain.de any

; <<>> DiG 9.4.2-P2 <<>> domain.de any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37252
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;domain.de.			IN	ANY

;; Query time: 0 msec
;; SERVER: 95.XXX.XX.XX#53(95.XXX.XX.XX)
;; WHEN: Wed May 19 13:42:25 2010
;; MSG SIZE  rcvd: 27

nslookup domain.net

Code:

root@srvXXXX:~# nslookup domain.net
Server:		95.XXX.XX.XX
Address:	95.XXX.XX.XX#53

** server can't find domain.net: SERVFAIL

I compared it to before when phoenix said that there was something wrong with the DNS A and MX records but nothing changed?
Also what worried me a bit is the output of "nslookup domain.net"

Thanks again for your help so far.

[phoenix]

@phoenix I read back but couldn't find you asking for any commands? But if you ment the "dig mx/any" commands:

Sorry, I meant the command you'd run earlier.

Well as you say, nothing has changed. Can you send me the IP address of the DNS server and the correct domain name so I can check your settings?

[phoenix]

OK, so your external DNS records look correct for both domains and they resolve to the correct IP address. Next question(s):

1. is this server on a public IP (the 95.x.x.x shown in this thread)?
2. your resolv.conf has the 95.x.x.x as it's DNS server, is that correct?
3. when you ran the dig commands were they run on the Zimbra server?
4. just out of interest, which operating system is this?
5. have you disabled selinx/apparmor and the firewall on this server?
6. is this server actually behind any firewall or NAT router?
7. is the Zimbra server currently up and all services running?