Zimbra Forums
11-02-2005, 11:17 AM
Zimbra Employee, Posts: 2,073
[SOLVED] DNS in a nutshell
Here's a quick overview of what you need:
First, remember that you need to set up an MX record for the DOMAIN, which points to the A record for the HOST, which will be the IP ADDRESS of the box running zimbra.
Example:
Zimbra is running on zcs.domain.com, IP 1.2.3.4
You send mail to user1@domain.com
Postfix will look up the MX record for domain.com, which will return zcs.domain.com, IP address 1.2.3.4.
Something like this is the file you need. This sets itself up as the SOA for the domain.com domain, sets the NS record to be zcs.domain.com, standard timeout stuff, then adds one MX record, plus the A record that corresponds to the MX record.
Code:
$TTL 3D
@           IN SOA  zcs.domain.com. zcs.marcmac.com. (
                    2005110200      ; serial
                    8H              ; refresh, seconds
                    2H              ; retry, seconds
                    4W              ; expire, seconds
                    1D )            ; minimum, seconds
;
@           IN NS   zcs                 ; name server for the zone (zcs.domain.com)
@           IN MX   10 zcs.domain.com.  ; Primary Mail Exchanger
;
zcs         IN A    1.2.3.4
mail        IN CNAME zcs                ; CNAME for a common nickname
otherhost   IN A    1.2.3.5             ; another host, for example
www         IN CNAME otherhost          ; with a nickname
So, drop that in the domain.com file in /var/named/data (or /var/named/chroot/var/named/data, depending).
In /etc/named.conf (or /var/named/chroot/etc/named.conf), you'll put:
Code:
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
};
include "/etc/rndc.key";
zone "domain.com" {
    type master;
    file "/var/named/data/domain.com";
};
A note about chrooting - most name servers run in a chrooted environment - so you'll create the files in /var/named/chroot/whatever - but remember, when named is running, its paths are relative to the chroot - so when you REFER to a file (as I do above in the named.conf snippet) you'll have absolute paths that are relative to the chroot.
Is it chrooted? Check /etc/sysconfig/named for a ROOTDIR value. If it's present, then that's your chroot.
Also, make sure that this nameserver is listed first in resolv.conf. Also, if there are other hosts in this domain, you should add them, too - or you won't be able to resolve them.
CAVEAT - I haven't touched my named config in a while, so more recent bind versions may be pickier than mine - but this should work.
Another CAVEAT - Run named chrooted, as a non-root user. Bind is known for exploits, and being hacked is a drag. My examples are just to get you going, and aren't intended as a Bind security primer.
Last edited by marcmac : 11-02-2005 at 03:15 PM.
Reason: www cname www? WTF?
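As an added example (not code from marcmac's post, from Zimbra or from BIND), here is a small Python pre-flight check for the chroot and resolv.conf points made above. It reads the ROOTDIR value that /etc/sysconfig/named carries, maps every include and file path in named.conf to the host-side path you actually have to create under the chroot (relative file names are resolved against the directory option, which is how named treats them), and confirms that the first nameserver in resolv.conf is this box. The file contents, the address 192.0.2.53 and the LOCAL_ADDRS set are constructed sample data; on a real box you would read the three files instead of using the strings.

```python
import re

# Constructed sample inputs (not from the thread): what you would read from
# /etc/sysconfig/named, named.conf and /etc/resolv.conf on the Zimbra box.
SYSCONFIG_NAMED = "# BIND startup options\nROOTDIR=/var/named/chroot\n"
NAMED_CONF = """\
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
};
include "/etc/rndc.key";
zone "domain.com" {
    type master;
    file "data/domain.com";   // relative name: resolved against the directory option
};
"""
RESOLV_CONF = "search domain.com\nnameserver 192.0.2.53\nnameserver 127.0.0.1\n"
LOCAL_ADDRS = {"127.0.0.1", "1.2.3.4"}   # constructed: addresses that mean "this box"


def chroot_dir(sysconfig_text):
    """ROOTDIR value from /etc/sysconfig/named, or None when named is not chrooted."""
    for line in sysconfig_text.splitlines():
        m = re.match(r'\s*ROOTDIR=["\']?([^"\'\s#]+)', line)
        if m:
            return m.group(1).rstrip("/")
    return None


def host_path(path, rootdir, directory="/var/named"):
    """Host-side location of a path that named.conf refers to.

    named resolves relative file names against the directory option, and every
    path it opens is relative to the chroot, so the host sees rootdir + path.
    """
    if not path.startswith("/"):
        path = directory.rstrip("/") + "/" + path
    return (rootdir or "") + path


def config_files(named_conf_text, rootdir):
    """[(keyword, path as written, host path)] for every include/file in named.conf."""
    m = re.search(r'\bdirectory\s+"([^"]+)"', named_conf_text)
    directory = m.group(1) if m else "/var/named"
    # (?<![\w-]) keeps dump-file and statistics-file from matching as "file"
    return [(kw, p, host_path(p, rootdir, directory))
            for kw, p in re.findall(r'(?<![\w-])(file|include)\s+"([^"]+)"', named_conf_text)]


def first_nameserver(resolv_text):
    """First 'nameserver' entry: the server the resolver (and so Postfix) asks first."""
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            return parts[1]
    return None


def preflight(sysconfig_text, named_conf_text, resolv_text, local_addrs):
    """Findings to act on before restarting named."""
    rootdir = chroot_dir(sysconfig_text)
    findings = [f"chroot: {rootdir or 'none (named runs un-chrooted)'}"]
    for kw, p, hp in config_files(named_conf_text, rootdir):
        findings.append(f"{kw} {p} -> create or edit {hp} on the host")
    ns = first_nameserver(resolv_text)
    if ns is None:
        findings.append("resolv.conf: no nameserver line at all")
    elif ns not in local_addrs:
        findings.append(f"resolv.conf: first nameserver is {ns}, not this box; "
                        f"Postfix will ask {ns} before your own zone is consulted")
    return findings


if __name__ == "__main__":
    for finding in preflight(SYSCONFIG_NAMED, NAMED_CONF, RESOLV_CONF, LOCAL_ADDRS):
        print(finding)
```

With the sample data the script reports the chroot, tells you that data/domain.com really lives at /var/named/chroot/var/named/data/domain.com, and warns that 192.0.2.53 is listed ahead of 127.0.0.1 in resolv.conf.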
11-02-2005, 11:32 AM
Special Member & Volunteer, Posts: 155
Quote: Originally Posted by codecoward
> So as far as I understand it, I need to have the first DNS server in my resolv.conf file point to something that in turn points to the internal ip address first. That way, when postfix asks where "mail.example1.com" or "mail.example2.com" are located, it points them to 192.168.1.3 before it points them to the external ip.
> Is that correct, or am I way off base? And if it is correct... (the million dollar question) how do I get it to work?
Hmm. I haven't run into that problem... but, I'm going to move ahead making the assumption that this here is correct. That's what I gathered from the messages the Zimbra folks left. So, maybe we can fix it --
Quote: Originally Posted by codecoward
> Fedora Core 4 has BIND installed by default, so I would imagine that I use that. However, the documentation/forums and information about DNS and Bind is pretty archaic, and I have been unable to find anyone that just needs to use a small DNS footprint that ONLY translates a host to an internal ip address.
BIND offers a lot of functionality for what you need, it may be overkill. At the same time, it comes with Fedora, is well supported, and there are lots of examples of how to make it work. And, more to the point, I can tell you how to do what you need to in order for it to work, something I can't say for the others :-)
I only have a copy of CentOS/RedHat Enterprise in front of me. I'm assuming that their setup for BIND is the same as Fedora. What you'll need to do is this:
(assuming that you're running BIND on the same machine as Zimbra, and that you'll change "mydomain.com" to whatever your domain is, and "hostname" to whatever your hostname is)
* Edit /etc/named.conf, and add your domain like so to the end of the file:
Code:
zone "mydomain.com" {
    type master;
    file "/var/named/mydomain.com.hosts";
};
* Create a file /var/named/mydomain.com.hosts, and add this to it:
Code:
$TTL 38400
@           IN SOA  hostname.mydomain.com. root.hostname.mydomain.com. (
                    2005110200  ; serial
                    10800       ; refresh
                    3600        ; retry
                    604800      ; expire
                    38400 )     ; minimum
@           IN NS   hostname.mydomain.com.
@           IN MX   10 hostname.mydomain.com.
@           IN A    192.168.1.3
hostname    IN A    192.168.1.3
mail1       IN CNAME hostname
mail2       IN CNAME hostname
* Edit /etc/resolv.conf, comment out the "nameserver" line(s), and make it read:
Code:
nameserver 127.0.0.1
Now restart bind:
Code:
service named restart
After all that, if you run the command:
Code:
dig a mydomain.com
You should get a few lines of output, that includes something like:
Code:
;; ANSWER SECTION:
mydomain.com. 2400 IN A 192.168.1.3
I haven't tried the above. While I pieced it together from other settings I do have working, I'm not 100% certain there are no syntax errors and that sort of thing in this. You'll want to do a sanity check on anything you are typing in :-)
There are a lot of examples of how to setup BIND for handling DNS. One good place to start is the BIND HOWTO: http://langfeldt.net/DNS-HOWTO/BIND-9/
Have a good one,
-Eric
Last edited by andreychek : 11-16-2005 at 07:47 AM.
Reason: Oops, forgot MX Priority
11-02-2005, 11:44 AM
Zimbra Employee, Posts: 2,073
MX record
The above post is missing the MX record, which is key for this issue - also, it's considered a good idea to have the name for your MX host be an A record, not a CNAME record (though I don't remember why).
11-03-2005, 08:19 AM
Special Member & Volunteer, Posts: 155
Quote: Originally Posted by marcmac
> The above post is missing the MX record, which is key for this issue - also, it's considered a good idea to have the name for your MX host be an A record, not a CNAME record (though I don't remember why).
Oops, good catch. That's been corrected.
Now, I think the way most MTAs work is that they first look up the DNS MX record, and failing that, search for an A record. So, what was in there would likely have worked. However, it increases the amount of DNS queries necessary to deliver an email to that domain, which isn't what we want :-)
Regarding one not using a CNAME for an MX record... I ran across that in an RFC somewhere after having tried it with occasional odd results :-) Some MTAs rebel, and instead of delivering the email to the CNAME listed in the MX record, they resolve the A record for that IP address. So, it generally ends up working, but can have some really unexpected results if you aren't looking for it... for example, I saw that occur on a mailing list. The list was set up to receive mail at the domain stuff.mylist.com... whose name was really a CNAME for other.domain.com.
So, the emails arrived, but some MTAs rewrote the To: address to be the A record, other.domain.com. Since the mailing list software was prepared to receive emails for stuff.mylist.com, it ignored the emails. It took some time to figure that out :-)
SMTP RFC: http://www.ietf.org/rfc/rfc2821.txt
"The lookup first attempts to locate an MX record associated with the name. If a CNAME record is found instead, the resulting name is processed as if it were the initial name."
So yeah, if you use a CNAME, it's going to deliver to the resulting A record. And MTAs like sendmail go so far as to rewrite the To: address to match this. So, yeah, bad :-)
-Eric
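The MX lookup walk in marcmac's first post, the "sanity check" Eric asks for on the zone file, the CNAME-in-MX behaviour he quotes from RFC 2821, and the missing-priority question raised later in the thread can all be checked offline before the zone is loaded. The following Python is an added example (not code from the thread, from Zimbra or from BIND): a parser for the zone-file dialect the posts use (';' comments, $TTL, a parenthesised SOA, inherited owner names, relative names) and a resolver that walks MX to A the way an MTA does, following a CNAME found in place of the MX and flagging exchanges that are CNAMEs, have no A record, or carry no preference. SAMPLE_ZONE is constructed for the example, with a deliberately bad second MX; named-checkzone is still the authoritative syntax check, since this script only covers the record types the thread uses.

```python
# Constructed sample zone in the dialect used by the posts above. The second
# MX deliberately points at a CNAME so the check has something to flag.
SAMPLE_ZONE = """\
$TTL 3D
@           IN SOA  zcs.domain.com. hostmaster.domain.com. (
                    2005110200      ; serial
                    8H 2H 4W 1D )   ; refresh, retry, expire, minimum
            IN NS   zcs
            IN MX   10 zcs.domain.com.  ; primary mail exchanger
            IN MX   20 mail             ; "mail" is a CNAME: MTAs may rewrite it
zcs         IN A    1.2.3.4
mail        IN CNAME zcs
"""
RRTYPES = {"SOA", "NS", "MX", "A", "CNAME"}   # the types the thread's zones use


def _logical_lines(text):
    """Yield zone lines with ';' comments stripped and (...) continuations joined."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield "\n".join(buf)
            buf = []


def qualify(name, origin):
    """Fully qualify a zone-file name: '@' is the origin, no trailing dot means relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, type, rdata_tokens)] with owners fully qualified."""
    records, last_owner = [], origin
    for logical in _logical_lines(text):
        inherited = logical[0] in " \t"          # blank owner field = previous owner
        tokens = logical.replace("(", " ").replace(")", " ").split()
        if not tokens or tokens[0].upper() == "$TTL":
            continue                              # default TTL is irrelevant here
        if tokens[0].startswith("$"):
            raise ValueError(f"unsupported directive {tokens[0]}")
        if inherited:
            owner = last_owner
        else:
            owner = last_owner = qualify(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():        # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        if not tokens or tokens[0].upper() not in RRTYPES:
            raise ValueError(f"cannot parse record for {owner}: {logical!r}")
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records


def lookup(records, name, rtype):
    return [rdata for owner, t, rdata in records if owner == name and t == rtype]


def resolve_mail_host(records, name, origin):
    """Walk MX -> A the way an MTA does and classify each exchange.

    Per RFC 2821 a CNAME found where the MX was expected is followed and the
    target name is looked up instead (the rewrite Eric describes).
    """
    name, seen = qualify(name, origin), set()
    while not lookup(records, name, "MX"):
        cname = lookup(records, name, "CNAME")
        if not cname or name in seen:             # no alias, or an alias loop
            break
        seen.add(name)
        name = qualify(cname[0][0], origin)
    exchanges = []
    for rdata in lookup(records, name, "MX"):
        if len(rdata) != 2 or not rdata[0].isdigit():    # "MX host" with no preference
            exchanges.append((None, " ".join(rdata), "missing-preference"))
            continue
        exchange = qualify(rdata[1], origin)
        if lookup(records, exchange, "CNAME"):
            status = "exchange-is-cname"
        elif lookup(records, exchange, "A"):
            status = "ok"
        else:
            status = "no-address"
        exchanges.append((int(rdata[0]), exchange, status))
    exchanges.sort(key=lambda e: (e[0] is None, e[0] or 0))
    return {"mx_owner": name, "exchanges": exchanges}


def check_zone(records, origin):
    """Return a list of problems; an empty list means the zone passes these checks."""
    problems = []
    if not lookup(records, origin, "SOA"):
        problems.append("no SOA record at the zone apex")
    nameservers = lookup(records, origin, "NS")
    if not nameservers:
        problems.append("no NS record at the zone apex")
    for rdata in nameservers:
        ns = qualify(rdata[0], origin)
        if not lookup(records, ns, "A"):
            problems.append(f"NS {ns} has no A record in this zone")
    mail = resolve_mail_host(records, "@", origin)
    if not mail["exchanges"]:
        problems.append("no MX record: MTAs fall back to the apex A record")
    problems += [f"MX {ex}: {st}" for _, ex, st in mail["exchanges"] if st != "ok"]
    return problems
```

Running check_zone(parse_zone(SAMPLE_ZONE, "domain.com."), "domain.com.") reports the single problem MX mail.domain.com.: exchange-is-cname; a zone with the thread's earlier "@ IN MX hostname.mydomain.com." line comes back as missing-preference, which is what phoenix ran into.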
11-16-2005, 07:33 AM
Zimbra Consultant & Moderator, Posts: 11,332
Hi
I'm still learning about BIND DNS but just a quick query about the example above, shouldn't this line in your 'mydomain.com.hosts' file:
Code:
@ IN MX hostname.mydomain.com.
have a priority on it and be in this form:
Code:
@ IN MX 10 hostname.mydomain.com.
On my system it seems to not resolve correctly if you don't have the priority, or have I missed something obvious?
Regards
Bill
11-16-2005, 07:46 AM
Special Member & Volunteer, Posts: 155
Quote: Originally Posted by phoenix
> Hi
> I'm still learning about BIND DNS but just a quick query about the example above, shouldn't this line in your 'mydomain.com.hosts' file:
> Code:
> @ IN MX hostname.mydomain.com.
> have a priority on it and be in this form:
Indeed it should have a priority. I thought I had corrected everything I had wrong with that line earlier, but I guess not :-)
Thanks for the heads up, I'll correct that now.
-Eric
01-24-2007, 07:42 PM
Zimbra-Yahoo Consultant, Posts: 5,608
DNS has/should be in the wiki.
unstuck.
04-29-2009, 11:33 AM
Quote: Originally Posted by marcmac
> [the "DNS in a nutshell" post above, quoted in full]
Does it matter if your NAT router is in PPPoE w/ port forwarding or should the NAT router be in Bridged mode?
I have my router in NAT PPPoE mode with DNS, POP, SMTP, IMAP (and the secure ports) pointing to zimbra (.77). My zimbra server (192.168.1.77) is up and running fine. But requests to the http server (192.168.1.67) are failing.
Internally I am not able to access .67 and I have not tested external access. (will use a free proxy server to test)
04-29-2009, 02:17 PM
Please open a new thread and not one that is two years old! When you do please post:
Code:
cat /etc/hosts
cat /etc/resolv.conf
dig yourdomain mx
dig yourdomain any
host `hostname`    # note backticks and not single quotes
__________________
SplatNIX IT Services :: Innovation through Collaboration™ http://www.messagefortress.com