DNS resolution problems; dig SERVFAIL error
- by JustinP
I'm setting up a couple of dedicated servers, and having problems setting up my nameservers properly. One of these is a LEMP server (LAMP with nginx in place of Apache), and the other will function solely as an email server, running exim/dovecot/ASSP antispam (no Apache). The LEMP server is CentOS 5.5, with no control panel, while the email server is CentOS 5.5 as well, with cPanel/WHM.
So, I've had problems getting DNS set up properly. I have two domains, each one pointing to one of these servers. The nameservers are registered correctly with the domain registrar, and the nameserver IPs are entered correctly as well. I've spoken to tech support at the registrar and they confirm that everything is set up on their end. Not knowing much about DNS, I googled nameservers and DNS until I nearly went blind, and spent hours messing with the configuration.
Eventually, I got the LEMP server's DNS working properly (no cPanel). Pleased with this triumph, I'm trying to mimic that configuration and repeat the process with the email server, and it's just not happening. The nameserver starts and stops, but the domain doesn't resolve.
Things I have tried
Going through standard procedures to set up DNS in WHM
Clearing all DNS information, uninstalling BIND, then reinstalling all of that and again going through WHM procedures for setting up DNS
Clearing all DNS information, and setting up BIND via shell (completely outside of cPanel) by using my config and zone files from the LEMP server as a template
named runs just fine, but nothing is resolving. When I "dig any example.com" I get a SERVFAIL message. Nslookups return no information.
Here are my config and zone files.
named.conf
controls {
inet 127.0.0.1 allow { localhost; }
keys { coretext-key; };
};
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;
allow-query { any; };
allow-query-cache { any; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view "localhost_resolver" {
match-clients { 127.0.0.0/24; };
match-destinations { localhost; };
recursion yes;
//zone "." IN {
// type hint;
// file "/var/named/named.ca";
//};
include "/etc/named.rfc1912.zones";
};
view "internal" {
/* This view will contain zones you want to serve only to "internal" clients
that connect via your directly attached LAN interfaces - "localnets" .
*/
match-clients { localnets; };
match-destinations { localnets; };
recursion yes;
zone "." IN {
type hint;
file "/var/named/named.ca";
};
// include "/var/named/named.rfc1912.zones";
// you should not serve your rfc1912 names to non-localhost clients.
// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :
zone "example.com" {
type master;
file "data/db.example.com";
};
zone "3.2.1.in-addr.arpa" {
type master;
file "data/db.1.2.3";
};
};
view "external" {
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not on your directly attached LAN interface subnets:
*/
match-clients { any; };
match-destinations { any; };
recursion no;
// you'd probably want to deny recursion to external clients, so you don't
// end up providing free DNS service to all takers
allow-query-cache { none; };
// Disable lookups for any cached data and root hints
// all views must contain the root hints zone:
//include "/etc/named.rfc1912.zones";
zone "." IN {
type hint;
file "/var/named/named.ca";
};
zone "example.com" {
type master;
file "data/db.example.com";
};
zone "3.2.1.in-addr.arpa" {
type master;
file "data/db.1.2.3";
};
};
include "/etc/rndc.key";
db.example.com
$TTL 1D
;
; Zone file for example.com
;
; Mandatory minimum for a working domain
;
@ IN SOA ns1.example.com. contact.example.com. (
2011042905 ; serial
8H ; refresh
2H ; retry
4W ; expire
1D ; default_ttl
)
NS ns1.example.com.
NS ns2.example.com.
ns1 A 1.2.3.4
ns2 A 1.2.3.5
example.com. A 1.2.3.4
localhost A 127.0.0.1
www CNAME example.com.
mail CNAME example.com.
;
db.1.2.3
$TTL 1D
$ORIGIN 3.2.1.in-addr.arpa.
@ IN SOA ns1.example.com contact.example.com. (
2011042908 ;
8H ;
2H ;
4W ;
1D ;
)
NS ns1.example.com.
NS ns2.example.com.
4 PTR hostname.example.com.
5 PTR hostname.example.com.
;
Also of note: both of these servers are managed. Tech support is very responsive, and largely useless. Hours go by with them asking me questions to narrow down what could be wrong, then they pass the ticket to the tech on the next shift, who ignores everything that's happened already and spend his whole shift asking all the same questions the last guy asked.
So, in summary:
*Nameservers, with IPs, are correctly registered with domain registrar
*named is configured and running
*...and must not be configured correctly, because nothing resolves.
Any help would be great. I changed domains and IPs in the files to generics, but let me know if you need to know the domain in question.
Thanks!
UPDATE
I found that I didn't have 127.0.0.1 in /etc/resolv.conf, so I added it, along with my two public IPs that I have named listening on.
resolv.conf
search www.example.com example.com
nameserver 127.0.0.1
nameserver 7.8.9.10 ;Was in here by default, authoritative nameserver of hosting company
nameserver 1.2.3.4 ;Public IP #1
nameserver 1.2.3.5 ;Public IP #2
Now when I DIG example.com from the host, it resolves. If I try to DIG from my other server (in the same datacenter), or from the internet, it times out or I get SERVFAIL.
