08-26-2009, 09:59 AM
Special Member
Posts: 100
Split DNS / CentOS 5 / x64
I have built a CentOS5.3 x32 / split DNS / Bind9.3-Named system for Zimbra 6 beta 1. System works very well.
I am currently configuring a CentOS5.3 x64 system / split DNS / Bind 9.3 in preparation for Zimbra 6 RC1. So I have some battle scars and have learned some lessons regarding split DNS configurations for Zimbra setups.
I think I am losing my mind on this one.
Here is my story.
I installed CentOS5.3 x64 net install with all prerequisites for Zimbra.
Networking wise the system is running well at this point as all DNS resolutions are being resolved by my ISP.
So I change
/etc/hosts as required by Zimbra
/etc/redhat-release as required by Zimbra (not sure about this one but did anyway)
/etc/resolv.conf (nameserver 192.168....) and deleted ISP's nameserver
I have verified the above info after reboot.
reboot reboot again
dig mx mail.x-x.com and nothing found... as expected.
dig a nothing found
Start Firefox, cannot resolve!
Yeah, I am ready to start DNS and configure bind-chroot.
I start DNS config via GUI
Initial startup says no config found, create default?
I respond yes.
I add my mail.x-x.com zone records and configure my mail.x-x.com.db SOA records.
I have not added my forwarders at this point.
I have not added allow-query at this point.
I start bind. /etc/init.d/named start [OK]
dig mx x-x.com is resolving with my ISP.
dig mx mail.x-x.com is resolving with 192.168.x.x - my DNS server.
I am at a show stopper here for Zimbra because x-x.com needs to resolve with my DNS server, not my upstream ISP.
The kicker here is I have not added the forwarders yet to my DNS global options. I am pulling my hair out trying to figure out how the hell dig mx x-x.com is resolving with my ISP, and when I start Firefox it is resolving too, so that I can surf to yahoo.com. Remember, I have not entered my forwarders yet.
Any ideas/help?
08-26-2009, 10:04 AM
Zimbra Consultant & Moderator
Posts: 19,653
Post the output of the following (run on the Zimbra server):
Code:
cat /etc/hosts
cat /etc/resolv.conf
dig yourdomain.com
dig yourdomain.com mx
host `hostname`    # use that exact command with backticks, not single quotes
The following is not required by Zimbra installation and does not need to be modified:
Code:
/etc/redhat-release as required by zimbra
__________________
Regards
Bill
08-26-2009, 10:35 AM
Special Member
Posts: 100
Code:
# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
192.168.1.57 mail.7cz.com mail
Code:
# cat /etc/resolv.conf
nameserver 192.168.1.57
Code:
# dig 7cz.com
; <<>> DiG 9.3.4-P1 <<>> 7cz.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33073
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;7cz.com. IN A
;; ANSWER SECTION:
7cz.com. 1800 IN A 204.101.242.12
;; AUTHORITY SECTION:
7cz.com. 3600 IN NS ns51.domaincontrol.com.
7cz.com. 3600 IN NS ns52.domaincontrol.com.
;; Query time: 79 msec
;; SERVER: 192.168.1.57#53(192.168.1.57)
;; WHEN: Wed Aug 26 10:17:26 2009
;; MSG SIZE rcvd: 93
Code:
# dig 7cz.com mx
; <<>> DiG 9.3.4-P1 <<>> 7cz.com mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38072
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
;; QUESTION SECTION:
;7cz.com. IN MX
;; ANSWER SECTION:
7cz.com. 1800 IN MX 10 mail.7cz.com.
;; AUTHORITY SECTION:
7cz.com. 3570 IN NS ns51.domaincontrol.com.
7cz.com. 3570 IN NS ns52.domaincontrol.com.
;; ADDITIONAL SECTION:
mail.7cz.com. 86400 IN A 192.168.1.57
;; Query time: 74 msec
;; SERVER: 192.168.1.57#53(192.168.1.57)
;; WHEN: Wed Aug 26 10:17:56 2009
;; MSG SIZE rcvd: 114
I added this one
Code:
# dig mail.7cz.com mx
; <<>> DiG 9.3.4-P1 <<>> mail.7cz.com mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39152
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;mail.7cz.com. IN MX
;; ANSWER SECTION:
mail.7cz.com. 86400 IN MX 10 mail.7cz.com.
;; AUTHORITY SECTION:
mail.7cz.com. 86400 IN NS mail.7cz.com.
;; ADDITIONAL SECTION:
mail.7cz.com. 86400 IN A 192.168.1.57
Code:
# host `hostname`
mail.7cz.com has address 192.168.1.57
mail.7cz.com mail is handled by 10 mail.7cz.com.
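What the dig answers posted above show, as an added example that is not part of any post: the answer for 7cz.com has no `aa` flag, names the registrar's name servers and returns a public address, while the answer for mail.7cz.com carries `aa` and a private address. The function name `check_split_dns` and its `local_ns` parameter are assumptions; the sample text is trimmed from the posted output.

```python
import ipaddress
import re

# Trimmed from the "dig 7cz.com" output posted above.
DIG_A_PARENT = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; ANSWER SECTION:
7cz.com. 1800 IN A 204.101.242.12
;; AUTHORITY SECTION:
7cz.com. 3600 IN NS ns51.domaincontrol.com.
7cz.com. 3600 IN NS ns52.domaincontrol.com.
;; SERVER: 192.168.1.57#53(192.168.1.57)
"""
# Trimmed from the "dig mail.7cz.com mx" output posted above.
DIG_MX_SUB = """\
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; ANSWER SECTION:
mail.7cz.com. 86400 IN MX 10 mail.7cz.com.
;; AUTHORITY SECTION:
mail.7cz.com. 86400 IN NS mail.7cz.com.
;; ADDITIONAL SECTION:
mail.7cz.com. 86400 IN A 192.168.1.57
"""

def check_split_dns(dig_text, local_ns):
    """Return findings; an empty list means the internal zone answered."""
    findings = []
    flags = re.search(r'^;; flags:([^;]*);', dig_text, re.M)
    if not flags or "aa" not in flags.group(1).split():
        findings.append("no aa flag: the answer was fetched by recursion")
    # NS records name the servers that actually own the zone.
    for owner, ns in re.findall(r'^(\S+)\s+\d+\s+IN\s+NS\s+(\S+)\s*$', dig_text, re.M):
        if ns.rstrip(".").lower() != local_ns.rstrip(".").lower():
            findings.append(f"{owner} is served by external name server {ns}")
    # An internal split-DNS view should hand out internal addresses.
    for owner, addr in re.findall(r'^(\S+)\s+\d+\s+IN\s+A\s+(\S+)\s*$', dig_text, re.M):
        if not ipaddress.ip_address(addr).is_private:
            findings.append(f"{owner} resolves to public address {addr}")
    return findings

if __name__ == "__main__":
    for label, text in (("7cz.com", DIG_A_PARENT), ("mail.7cz.com", DIG_MX_SUB)):
        print(label, check_split_dns(text, "mail.7cz.com") or "OK")
```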
08-26-2009, 10:41 AM
Zimbra Consultant & Moderator
Posts: 19,653
Please post your DNS configuration files. What exactly is your domain name in this setup, is it:
Code:
7cz.com
or the subdomain
mail.7cz.com
__________________
Regards
Bill
08-26-2009, 11:08 AM
Special Member
Posts: 100
named.conf
Code:
// Red Hat BIND Configuration Tool
//
// Default initial "Caching Only" name server configuration
//
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
};
zone "." IN {
    type hint;
    file "named.root";
};
zone "localdomain." IN {
    type master;
    file "localdomain.zone";
    allow-update { none; };
};
zone "localhost." IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};
zone "mail.7cz.com." IN {
    type master;
    file "mail.7cz.com.db";
    allow-update { none; };
};
zone "0.0.127.in-addr.arpa." IN {
    type master;
    file "named.local";
    allow-update { none; };
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." IN {
    type master;
    file "named.ip6.local";
    allow-update { none; };
};
zone "255.in-addr.arpa." IN {
    type master;
    file "named.broadcast";
    allow-update { none; };
};
zone "0.in-addr.arpa." IN {
    type master;
    file "named.zero";
    allow-update { none; };
};
include "/etc/rndc.key";
mail.7cz.com.db
Code:
$TTL 86400
@       IN SOA  @ mail.7cz.com. (
                42      ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
@       IN NS   mail.7cz.com.
        IN MX   10 mail.7cz.com.
        IN A    192.168.1.57
mail    IN A    192.168.1.57
08-26-2009, 11:32 AM
Zimbra Consultant & Moderator
Posts: 19,653
Try the following A record format:
Code:
mail.7cz.com. IN A 192.168.1.57
__________________
Regards
Bill
08-26-2009, 11:44 AM
Special Member
Posts: 100
No change when I run
dig 7cz.com
dig 7cz.com mx
I cannot figure out how dig is finding my upstream DNS records when there are no forwarders in my named.conf.
nsX.domaincontrol.com is Mad Dog Domains.
08-26-2009, 02:58 PM
Intermediate Member
Posts: 18
The internal DNS configuration is not right, unless you want to have emails like john@mail.7cz.com
The resolv.conf should have one more line:
search 7cz.com
In the named.conf, the zone name should be 7cz.com., not mail.7cz.com
08-26-2009, 03:19 PM
Special Member
Posts: 100
Quote:
Originally Posted by philpw99
The internal DNS configuration is not right, unless you want to have emails like john@mail.7cz.com
The resolv.conf should have one more line:
search 7cz.com
In the named.conf, the zone name should be 7cz.com., not mail.7cz.com

OK, understood. Will re-add search 7cz.com but it will not make any difference. My understanding of the subdomain then using the zone record to resolve 7cz.com is not true.
On another note, any idea of why domaincontrol.com is being resolved for dig 7cz.com when there are no forwarders within 192.168.1.57 named.conf?
08-27-2009, 08:17 AM
Special Member
Posts: 100
Philp/Bill,
Thank you for the extra set(s) of eyes on my DNS setup.
Yes, the correct fix was the conf zone record. Drop the mail and now my "dig" works as designed.
I also put back the search in resolv.conf.
I am still baffled at how my domain was being resolved with no "forwarders" in the global settings.
This thread could be closed unless you wanted to leave it open for the forwarders.
Cheers
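The zone-name fix and the open forwarders question, as an added example that is not code from any poster or from Zimbra: named answers authoritatively only for names under a zone it serves, and for everything else it recurses from the root hints (the `zone "."` hint file) unless `recursion no;` is set, so forwarders are optional. The parser is a simplified regex sketch with hypothetical function names, and it assumes no views and no allow-recursion restrictions.

```python
import re

# Zone statements from the named.conf posted in this thread (bodies shortened).
NAMED_CONF = '''
options { directory "/var/named"; };
zone "." IN { type hint; file "named.root"; };
zone "localhost." IN { type master; file "localhost.zone"; };
zone "mail.7cz.com." IN { type master; file "mail.7cz.com.db"; };
'''
# The corrected configuration: the zone is the mail domain itself.
FIXED_CONF = NAMED_CONF.replace('zone "mail.7cz.com."', 'zone "7cz.com."')

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*(?:IN\s*)?\{\s*type\s+(\w+)\s*;', re.I)

def strip_comments(conf):
    """Remove /* */, // and # comments so commented-out options are ignored."""
    return re.sub(r'/\*.*?\*/|//[^\n]*|#[^\n]*', '', conf, flags=re.S)

def parse_zones(conf):
    """Map zone name (lower case, no trailing dot) to its type."""
    return {n.rstrip(".").lower(): t.lower()
            for n, t in ZONE_RE.findall(strip_comments(conf))}

def covering_zone(qname, zones):
    """Longest locally served zone that qname falls under, or None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zones.get(candidate) in ("master", "slave"):
            return candidate
    return None

def explain(qname, conf):
    """Say how named would answer qname under this configuration."""
    zone = covering_zone(qname, parse_zones(conf))
    if zone is not None:
        return "authoritative:" + zone
    # No local zone covers the name. BIND recurses unless told otherwise,
    # starting from the root hints, so no forwarders are needed.
    if re.search(r'\brecursion\s+no\s*;', strip_comments(conf), re.I):
        return "not-answered"
    return "recursion"

if __name__ == "__main__":
    for conf_name, conf in (("posted", NAMED_CONF), ("fixed", FIXED_CONF)):
        for name in ("7cz.com", "mail.7cz.com", "yahoo.com"):
            print(conf_name, name, explain(name, conf))
```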