Zimbra :: Forums
10-14-2008, 09:13 PM
Split DNS on Debian..?

I'm having quite a problem with this whole split dns thing...
I've gone through a couple of the forums and random walkthroughs...??
Ports are forwarded on my router and my CNAME goes to my public IP..
DIG shows A-records going to my public IP..

Code:
cat /etc/resolv.conf
# generated by NetworkManager, do not edit!
search mail.mydomain.com
nameserver 192.168.1.1 <-Internal IP
nameserver 65.xx.5.111 <-ISP's dns server
nameserver 65.xx.5.112 <-ISP's dns server

Code:
cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
xx.xxx.226.183 mail.perfectdrunk.com mail <- public IP
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Code:
dig perfectdrunk.com mx
; <<>> DiG 9.3.4-P1.1 <<>> mydomain.com mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46249
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 9
;; QUESTION SECTION:
;mydomain. IN MX
;; ANSWER SECTION:
mydomain.com. 600 IN MX 10 ns1.mydomain.com.
mydomain.com. 600 IN MX 20 mx1.biz.mail.yahoo.com.
mydomain.com. 600 IN MX 30 mx5.biz.mail.yahoo.com.
mydomain.com. 600 IN MX 10 mail.mydomain.com.
;; AUTHORITY SECTION:
mydomain.com. 80840 IN NS yns1.yahoo.com.
mydomain.com. 80840 IN NS ns8.san.yahoo.com.
mydomain.com. 80840 IN NS yns2.yahoo.com.
mydomain.com. 80840 IN NS ns9.san.yahoo.com.
;; ADDITIONAL SECTION:
mx1.biz.mail.yahoo.com. 228 IN A 67.28.113.136
mx1.biz.mail.yahoo.com. 228 IN A 209.191.89.172
mx1.biz.mail.yahoo.com. 228 IN A 4.79.181.18
mx5.biz.mail.yahoo.com. 877 IN A 66.196.126.37
mx5.biz.mail.yahoo.com. 877 IN A 68.142.224.244
ns9.san.yahoo.com. 165768 IN A 66.196.84.168
ns8.san.yahoo.com. 165768 IN A 66.218.71.205
yns2.yahoo.com. 171469 IN A 66.196.84.168
yns1.yahoo.com. 171469 IN A 66.218.71.205
;; Query time: 124 msec
;; SERVER: 65.32.5.111#53(65.32.5.111)
;; WHEN: Wed Oct 15 00:07:57 2008
;; MSG SIZE rcvd: 352

The real problem I see is when I run host 'hostname'

Code:
host hostname
hostname has address xxx.28.193.9 <- I don't know where this IP is or how to change it...?
Host hostname not found: 3(NXDOMAIN)
Host hostname not found: 3(NXDOMAIN)

I'd really appreciate any help..
Thanks!
10-15-2008, 02:44 AM
If you are using split DNS then the IP that should be in your /etc/hosts is your private LAN IP. External servers will resolve your public IP and then your router will forward the necessary ports through.
10-15-2008, 04:02 PM
It looks to me like you may not have things set up right, if I'm reading you right. Are you DIGging from the command line of your Zimbra box, or from somewhere else?
The point of Split DNS is to make it so if you dig your domain from the command line of the zimbra box itself, it'll resolve to the INTERNAL (non-public) IP address of your server, while if you dig from anywhere else (with the possible exception of your LAN) it'll resolve to the public IP. This is accomplished by having two different sets of DNS set up--the records in the public somewhere on a public DNS, and then your private, internal DNS (bind9 on the local machine, or another DNS on the same subnet) resolving both IP and MX to the local IP.
The responses you show to your dig do not appear to reflect this.
__________________
Cheers,
Dan
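
The checks described in the two replies above, as an added example that is not part of the original thread: it audits `/etc/hosts`, `/etc/resolv.conf` and a `dig` answer captured on the mail server for signs that the server is seeing the public view. The file contents, the name `mail.example.com` and all addresses are constructed; treating only RFC 1918 and loopback addresses as internal, and flagging any public resolver in `resolv.conf`, are assumptions of this example.

```python
import ipaddress
import re
# Constructed sample inputs; 192.0.2.x / 198.51.100.x stand in for public IPs.
HOSTS = "127.0.0.1 localhost.localdomain localhost\n198.51.100.183 mail.example.com mail\n"
RESOLV = "search example.com\nnameserver 192.168.1.1\nnameserver 192.0.2.111\n"
DIG = """;; ANSWER SECTION:
example.com. 600 IN MX 10 mail.example.com.
;; ADDITIONAL SECTION:
mail.example.com. 600 IN A 198.51.100.183
;; SERVER: 192.0.2.111#53(192.0.2.111)
"""
# Assumption: "internal" means RFC 1918 or loopback address space.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def check_hosts(text, fqdn):
    """The server's own FQDN must map to its LAN address in /etc/hosts."""
    out = []
    for line in text.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) > 1 and fqdn in fields[1:] and not is_internal(fields[0]):
            out.append(f"/etc/hosts maps {fqdn} to non-LAN address {fields[0]}")
    return out

def check_resolv(text):
    """A public resolver listed as fallback can hand back the external view."""
    servers = re.findall(r"^nameserver\s+(\S+)", text, re.M)
    return [f"resolv.conf lists public resolver {s}" for s in servers if not is_internal(s)]

def check_dig(text, fqdn):
    """The answer must come from the internal DNS and point at the LAN address."""
    out = []
    server = re.search(r"^;; SERVER: ([0-9.]+)#", text, re.M)
    if server and not is_internal(server.group(1)):
        out.append(f"dig was answered by public resolver {server.group(1)}")
    for name, addr in re.findall(r"^(\S+)\s+\d+\s+IN\s+A\s+(\S+)", text, re.M):
        if name.rstrip(".") == fqdn and not is_internal(addr):
            out.append(f"{fqdn} resolves to public address {addr}")
    return out

def audit(hosts, resolv, dig, fqdn):
    return check_hosts(hosts, fqdn) + check_resolv(resolv) + check_dig(dig, fqdn)

if __name__ == "__main__":
    print("\n".join(audit(HOSTS, RESOLV, DIG, "mail.example.com")))
```

An empty result from `audit` means all three inputs are consistent with the internal view; run it against text captured on the mail server itself, not from another host.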
10-15-2008, 07:56 PM
This is beyond frustrating! I went from trying to follow the wiki to running gui (gbindadmin). EVERYTHING in gbind is set to my ip. Now I get even less from "dig mydomain.com mx". I have no idea what the problem is! What do I need to set?????????????? This is so amazingly frustrating!
I changed my host file and pointed it to my local! That did nothing... Where am I going wrong?
10-16-2008, 07:44 AM
To diagnose your specific problems, we're gonna have to see the output of 2 digs--one from your mail server itself, and a second from somewhere outside the mail server's subnet. . .so we can see what's being returned by each. Gotta know what errors you are seeing before we can help you with them, I'm afraid.
There are several different wikis out there. You're running Debian which is close to Ubuntu so I suggest you try the DNS instructions in this one. I wrote it specifically because (1) the others weren't set up for bind9, which I wanted to use, and (2) I didn't understand them so I thought simplification would be in order. It's by no means perfect, but those steps do work.
It would also be helpful to know your network setup--specifically, where is your mailserver--on a LAN, on a DMZ, on a public IP? If on a LAN or DMZ (and if you're not on one or the other you don't need splitDNS), how are you translating the traffic from public to private IP?
In other words, it's going to take more detail for us to help you, but there are LOTS of people on this forum who've gone through this so with the detail I'm sure we'll identify what's going wrong for you. Don't give up! 
__________________
Cheers,
Dan
10-16-2008, 04:48 PM
My server is behind a router.
Service -> Router -> Server
I had it behind two routers that were running WDS but I decided to put it closer to the service.... and... well it was just a pain in the ass..
What I don't understand is.. My webserver is right beside it and works without any problem....
What do you guys need to see? I just want to get this working and forget about it
10-16-2008, 05:33 PM
I somehow botched my whole DNS setup... now everything is having a tizzy.. SO... I'm opting to just format and throw Ubuntu server on and pray that it works..
10-17-2008, 09:11 AM
OK good luck with the reinstall. . .come back and let us know how it goes.
Be aware, though, since you have a web server "right beside" your mail server, that there is at least one more potential "gotcha" to watch out for. I am assuming that your web and email servers have different public IP addresses (or at least a different IP address from the "main" public IP of your router). If this is true, then you obviously have some sort of DNAT translating the traffic from those public IPs to your internal LAN or DMZ addresses. What you may not realize is that the default (for most routers/firewalls at least) for OUTGOING traffic is to have it go out from the main NAT address, so that it appears to be coming from the public IP of your router, NOT the IP of your mail server. For IMAP, SSL, and a variety of other things to work properly (not least reverse DNS so that other servers don't reject your mail as spam), you need to set up an SNAT rule that will translate outgoing traffic from your mail server to the same public IP address that gets the incoming traffic. Failing to do this creates some massive headaches.
__________________
Cheers,
Dan
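
One way to check the DNAT/SNAT pairing described in the post above, as an added example that is not part of the original thread. It assumes a Linux router whose NAT rules are available as `iptables-save` output (the thread does not say what router is in use); the rules and addresses are constructed, and the sample includes a per-host SNAT rule placed after a catch-all MASQUERADE, where it never matches.

```python
# Constructed iptables-save excerpt (nat table) for a hypothetical Linux router.
# 203.0.113.x are documentation addresses standing in for public IPs.
NAT_RULES = """*nat
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.20:25
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.20:443
-A PREROUTING -d 203.0.113.11/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.30:80
-A POSTROUTING -s 192.168.1.30/32 -o eth0 -j SNAT --to-source 203.0.113.11
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.20/32 -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT
"""

def options(rule):
    """Map each option of one iptables-save line to the token that follows it."""
    tok = rule.split()
    return {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}

def snat_gaps(rules_text):
    """Return (lan_ip, public_ip) pairs that get inbound DNAT but whose
    outbound traffic does not leave from that same public address."""
    inbound, outbound, shadowed = {}, {}, False
    for line in rules_text.splitlines():
        o = options(line)
        target = o.get("-j")
        if target == "DNAT" and "-d" in o:
            inbound[o["--to-destination"].split(":")[0]] = o["-d"].split("/")[0]
        elif o.get("-A") == "POSTROUTING" and target in ("SNAT", "MASQUERADE"):
            if "-s" not in o:
                shadowed = True  # catch-all rule wins; later per-host rules never match
            elif target == "SNAT" and not shadowed:
                outbound.setdefault(o["-s"].split("/")[0], o["--to-source"])
    return sorted((lan, pub) for lan, pub in inbound.items() if outbound.get(lan) != pub)

if __name__ == "__main__":
    for lan, pub in snat_gaps(NAT_RULES):
        print(f"{lan}: inbound via {pub}, but outbound traffic leaves from another address")
```

Here the mail server at 192.168.1.20 is reported because its SNAT rule sits below the MASQUERADE rule; moving it above clears the finding.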
10-19-2008, 08:55 PM
So.. ubuntu wasn't going so well so I reinstalled debian and did everything from scratch.. It's going now!
As for my next question is there a way I can let people sign up for email addresses? Like an automated sign up?
Thanks!!!
10-19-2008, 11:39 PM
You could achieve this using either SOAP or CLI.