New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Redundant DNS Help
Hi,
I currently run nsd3 on 2 128MB VPS for my own domains and I have a script that rsyncs the 2 VPS when I make changes to one of them. The uptime on my ns1 is great (370 days) and recently the provider had to take it down for maintenance for couple of hours. It was at that time I noticed my ns2 isn't picking up because when I tried to go to any of the domains addresses, Chrome would say name could not be resolved.
Can anybody suggest some things I can look into to see why traffic isn't going to ns2 when ns1 is down? I did register both ns1 and ns2 IPs in my domain registry.
Comments
intodns.com
This sounds a bit strange, since the whole DNS was designed for redundandency from beginning, so if you have done everything correctly, it will definitely work (currently having 20+ Nameservers and it's working there)
Usually dig is your friend if you want to debug Nameservers.
For the first: dig yourdomain.com @ns2.domain.com to try if your Nameserver is even running
Next is if there is really a glue record existing for your second NS + if the second NS is even set for your domain name. But it's easier if you post the domain here, than someone (or I) can check it. Anyway, feel free to PM me, I'm happy to help you with this.
Thanks for the help guys, I used the intodns.com website and I found out what the problem was. Silly me, when I rsync, I rsync'ed the config file too so that was preventing my secondary DNS server's NSD3 from starting. I corrected that problem and I will test it again.
I am not sure what glue record means... I do have an A Record in my domain that points to ns1.domain.tld, is that what glue record means?
This (pointing ns1.domain.com -> NS1-IP) should be done as well, but isn't called Glue-Record. A Glue Record can be set with your domain provider, some support doing it through their webpanel, some required to get contacted. They do then set this up for you. You just need to provide them which subdomain (ns1.domain.com, etc) to which IP.
Even better, remove host-specific details from the config (nsd3 doesn't need any, really), that way you can run 2-3-5 NSes all with the same config.
The only difference in the config is the listen IP in the config file. I tried going with 0.0.0.0 but it wouldn't start a year ago when I set this up so I used the VPS IP in the listen IP.
I encounter 1 error in intoDNS:
FAIL: The following nameservers are listed at your nameservers as nameservers for your domain, but are not listed at the parent nameservers (see RFC2181 5.4.1). You need to make sure that these nameservers are working.If they are not working ok, you may have problems!
ns3.domain.tld
ns3 has identical setup as ns2 and ns1.
I use namecheap and the NS1 is registered with them on their control panel...
Just comment out the "ip-address:" line entirely, it listens on 0.0.0.0 by default.
Sooooooo, did you add ns3 as an NS for the domain at the namecheap panel?
Hi,
I'm not sure how NSC is coded exactly, but it's an issue listening on 0.0.0.0, receiving UDP packages and answer from the right interface. Maybe they're taking care of that by not allowing that. However, if you're only have configured one public IP address it should work technically.
Right, with Namecheap you can set at least Glue Records for IPv4 addresses through their webinterface. NS2, etc is also set?
Do you commonly have multiple independent network interfaces on a VPS? What exactly is the issue with listening on 0.0.0.0?
NS3 is registered with namecheap and I do have it in the SOA for the domain. I don't remember what the problem was but I'll give 0.0.0.0 a try now and see if it works.
I commented the listen ip line and hey it worked
Should I be too concerned with that error from intoDNS? That's the only thing I have left on my to-do list now.
Thanks again guys for the awesome help.
On VPS that are used for Nameservers: Yes. One some of them even more than 30.
Since it matters from which source address the nameserver is responding and due to UDP the there is no real connection, the application doesn't know to which IP address the package was sent to.
You can simply try it out by using at least two interfaces on a server, binding the nameserver to 0.0.0.0 and use dig to query it by using not the default IP address, but for example the second. You're noticing that the answer was sent from the first (primary) IP address so your client will not accept the answer.
A good article regarding that can be found at http://blog.powerdns.com/2012/10/08/on-binding-datagram-udp-sockets-to-the-any-addresses/
I don't think it's a common set-up. 30, what for? Kind of defeating the point of redundancy, if this box goes down, a lot of stuff will break. Makes more sense to use 30 separate VPSes, if you really need THAT many.
It's part of my anycast setup. There are several reasons why I'm doing it that way.
However, I have public routers that are talking to the DCs and upstreams through eBGP as well as internal (backend) servers that are also connected to the public routers through GRE (+iBGP), everything is built for redundancy, every smaller subnet is announced by at least three backend routers (so, even internally it's like anycast + local preference to make sure to have a low latency). But sometimes things are getting a bit complex. I wrote some scripts for handling configs, since at this moment these are about 4000 lines long
I don't want to get that much in detail here to not to spam OPs topic
@darkconz Use DNS AXFR, not rsync.
Cloudflare.com or dns.he.net
Thanks guys, I think I got the problems solved