Kimsufi - Setting up a secondary DNS. I'm stumped!
nowwhat
09/03/2016, 19h54
Well done !!
hedgehog90
09/03/2016, 18h12
I didn't realise rollernet was a free service. Fantastic!
I finally managed to achieve 100/100
dnsinspect.com/gpstudios.com/1457543108
Thanks for everything, nowwhat! You have been enormously helpful and I'm very grateful.
nowwhat
09/03/2016, 16h20
Quote originally posted by hedgehog90
".....
198.245.51.152: 2016030915
8.33.137.137: 2016030914"
As said above, when you edit the "zone file" on your server, the serial gets incremented.
Your secondary DNS will not sync right away, it takes time - several hours, half a day, or more.
This is normal.
That is exactly the reason why I showed you 'the solution' : get more secondary DNS servers (afraid.org, rollernet.us), they are free, and very fast to sync.
OVH secondary servers are known to be slow to sync .... You can't do anything about that, it's the DNS slave that decides when it wants to sync.
Btw I'm also using bind, and edit my zone files by hand.
A typical zone info in /etc/bind/named.conf.local :
Code:
....
zone "test-domaine.fr" {
    type master;
    file "/etc/bind/zones/db.test-domaine.fr";
    // only the servers listed in the "ns-internal-net" acl may transfer (AXFR/IXFR) this zone
    allow-transfer { "ns-internal-net"; };
    // source addresses used when sending NOTIFY messages to the slaves
    notify-source 5.196.43.182;
    notify-source-v6 2001:41d0:2:927b::15;
    // send a NOTIFY to the secondary servers whenever the zone is reloaded
    notify yes;
};
....
The place-holder "ns-internal-net" is a list of all DNS servers I use:
Code:
acl ns-internal-net {
// Localhost;
127.0.0.1;
::1;
// ns1.rollernet.us
208.79.240.3;
2607:fe70:0:3::b;
// ns2.rollernet.us
208.79.241.3;
2607:fe70:0:4::b;
// ns2.afraid.org
208.43.71.243;
174.37.196.55;
2607:f0d0:3001:e::2;
// sdns2.ovh.net
213.251.188.141;
2001:41d0:1:4a8d::1;
};
hedgehog90
09/03/2016, 15h06
I use a backend system called Vesta Control Panel (vestacp), and it doesn't allow for easy SOA serial editing. Every time I restart the service or rebuild the DNS via vestacp, it increments the SOA serial by 1.
When I checked earlier, my SOA serials were matching. I'm not sure why or how, was it something I did or did the secondary DNS sync up?
Since then however I did some configuring on vestacp and now it's out of sync again:
198.245.51.152: 2016030915
8.33.137.137: 2016030914
If I just wait will these correct by themselves? I'm not sure how I managed to get them in sync temporarily.
In my bind9 options after the allow-transfer option for my secondary IP I've added the line 'notify yes;', but that was after they went out of sync.
Will this notify the secondary server in the future when the SOA serial changes?
I'm so confused...
nowwhat
07/03/2016, 19h28
Quote originally posted by hedgehog90
"....
dnsinspect.com/gpstudios.com/1457357573
The main problem appears to be this bit: 'Name Servers Agreement on Serial Number'"
This is normal.
Every time you change the master zone (on your DNS server) this DNS server will signal its DNS secondary servers with a message like "Hey, I have an update" - up to the secondary DNS (slave) server to sync with the master DNS (your server).
Now for the bad news : OVH slave servers (like 'sdns1.ovh.ca' = "8.33.137.137") only sync once or twice a day .....
Just wait .....
Quote originally posted by hedgehog90
"....
The SOA records have slightly different expiry dates. What does this mean? How do I fix this?"
Just edit them !!
The master zone file of your domain name is on YOUR server.
The SOA record, this one :
"root@ns311465:~# dig gpstudios.com SOA +short
ns1.gpstudios.com. root.gpstudios.com. 2016030707 7200 3600 1209600 180"
So, according to this message :
"SOA Minimum TTL
WARNING: Minimum TTL value is 180. Recommended values [3600 .. 86400] (1 hour ... 1 day). Minimum TTL was redefined in RFC 2308, now it defines the period of time used by slaves to cache negative responses."
change 180 for 3600
increment the 'serial' (= 2016030706 to 2016030708)
save.
Run
"named-checkconf -z"
to be sure
and if ok, restart your DNS master server.
Btw : why stop at 2 DNS servers if you can have more ?
Check it out http://www.dnsinspect.com/test-domaine.fr/1457375131
You like the glue records ? Ok => http://www.dnsinspect.com/voyelle-co.fr/1457375204
Btw : DO NOT forget the IPv6 entries !!!!! IPv4 is dying right now, IPv6 is not some kind of luxury ...
Quote originally posted by hedgehog90
"....
Shouldn't the SOA record of ns2 also synchronise?"
Already answered above ....
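The two checks nowwhat walks through above (serial agreement between master and slave, and the SOA minimum TTL range from dnsinspect) plus the "increment the serial" fix, as an added Python example that is not from the thread or from dnsinspect. The `dig ... SOA +short` lines it parses are constructed sample data in the thread's format, not live answers from the servers.

```python
from datetime import date

# Constructed sample (not captured from the thread's servers): what
# `dig gpstudios.com SOA +short` would return from each nameserver, with
# the master one serial ahead of the OVH slave, as in the thread.
SAMPLE_SOA = {
    "198.245.51.152": "ns1.gpstudios.com. root.gpstudios.com. 2016030915 7200 3600 1209600 180",
    "8.33.137.137": "ns1.gpstudios.com. root.gpstudios.com. 2016030914 7200 3600 1209600 180",
}

def parse_soa(short_output):
    """Split a `dig ... SOA +short` line into named SOA fields."""
    fields = short_output.split()
    if len(fields) != 7:
        raise ValueError("unexpected SOA format: %r" % short_output)
    serial, refresh, retry, expire, minimum = map(int, fields[2:])
    return {"mname": fields[0], "rname": fields[1], "serial": serial,
            "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum}

def serial_agreement(soa_by_server):
    """The 'Name Servers Agreement on Serial Number' check: True when every
    server reports the same serial; also returns the per-server serials."""
    serials = {srv: parse_soa(line)["serial"] for srv, line in soa_by_server.items()}
    return len(set(serials.values())) == 1, serials

def minimum_ttl_ok(soa, low=3600, high=86400):
    """Negative-cache TTL (RFC 2308) within the recommended 1 hour .. 1 day."""
    return low <= soa["minimum"] <= high

def next_serial(current, today=None):
    """Next YYYYMMDDnn serial: bump nn if today's base is already reached,
    otherwise start today's counter at 00 (assumes the date-based convention)."""
    today = today or date.today()
    base = int(today.strftime("%Y%m%d")) * 100
    return current + 1 if current >= base else base

def corrected_soa(soa, today=None):
    """Apply the fix from the thread: set minimum to 3600 if out of range,
    then increment the serial so the slaves notice the change."""
    fixed = dict(soa)
    if not minimum_ttl_ok(fixed):
        fixed["minimum"] = 3600
    fixed["serial"] = next_serial(soa["serial"], today)
    return fixed

if __name__ == "__main__":
    print(serial_agreement(SAMPLE_SOA))
    print(corrected_soa(parse_soa(SAMPLE_SOA["8.33.137.137"]), date(2016, 3, 9)))
```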
hedgehog90
07/03/2016, 16h05
Another thing...
When I do a reverse DNS check of my IP, I still get nsxxxxxx.ip-xxx-xxx-xx.net (where the xs are digits).
I don't like this, can I change it so it gets my registered domain?
EDIT:
Before this post I replied to your post but it doesn't appear to have gotten submitted, so I'll write it again:
Thank you for your help nowwhat! I managed to get it working with your advice, however, there are still a few problems with my dns check results.
Here's a link to them:
dnsinspect.com/gpstudios.com/1457357573
The main problem appears to be this bit:
'Name Servers Agreement on Serial Number'
The SOA records have slightly different expiry dates. What does this mean? How do I fix this?
Shouldn't the SOA record of ns2 also synchronise?
hedgehog90
07/03/2016, 13h07
Thanks so much nowwhat! I finally managed to get the secondary dns working.
I've used all sorts of dns checking tools though and they all say something slightly different, I guess I need to wait a bit before checking again. Anyway, please look at the result and tell me how to improve upon this:
http://www.dnsinspect.com/gpstudios.com/1457351863
The main thing that gets flagged (usually as a severe problem on other checkers) is that the SOA serials are inconsistent. The only SOA I have control over is my server's, not sdns1.ovh.ca's SOA. So shall I just make them identical? I'm not sure how to do this with my control panel (I use VestaCP)
nowwhat
07/03/2016, 07h46
Hi,
If I understood well, you managed to add your domain name and server IP into the DNS tab, in the manager of your server.
Before doing so, your master DNS server (your server !) should be informed that a secondary DNS (or sdns1.ovh.ca as stated in the Manager) has the right to sync with its master (your server). Check out that this is ok (the 'bind' settings).
If all goes well, "sdns1.ovh.ca" starts syncing with your master DNS ... and the job is done.
Btw : using your server as a master and secondary DNS is, of course, a very bad idea - and most registrars will simply not allow this.
Check your DNS settings (and more) with this tool : http://www.dnsinspect.com/ do not stop before you have a "100 %" everywhere.
I guess, where things went wrong, is that you are not using the right documentation. You decided that your server should act as the main DNS master of one of your domains. That's ok, but in that case you should know what 'DNS' actually is. How it works, the pitfalls, the programs used, etc.
hedgehog90
06/03/2016, 23h59
Currently I have my site as its own DNS server with ns1 and ns2 records that both direct to my server IP, and my registrar has the same.
It's bad practice and potentially bad news if I keep it like this, so I went about trying to make a secondary nameserver in case the first one goes down.
I successfully added a secondary DNS in the kimsufi account settings.
After that I have the address 'sdns1.ovh.ca' ... now what do I do with it?
I've tested with DNS tools to see if I get a response with my site name and the nameserver 'sdns1.ovh.ca', but I get nothing.
I've tried setting ns2 on both my own server's DNS and my registrar to the IP of 'sdns1.ovh.ca', which doesn't work either.
I am completely stumped.
I've tried other things as well but not in a studied manner so I can't say exactly what it is I tried.
Have I misunderstood something? Is the secondary DNS not for the purpose of a backup nameserver in case my primary one goes down?
Please help!