DNS: Difference between revisions

== References ==

* [https://technet.microsoft.com/en-us/library/cc758321(v=ws.10).aspx Microsoft Technet — Resource records reference]

: A DNS database consists of one or more zone files used by the DNS server. Each zone holds a collection of structured resource records, the following of which are supported by the DNS Server service.

* [https://technet.microsoft.com/en-us/library/cc728412(v=ws.10).aspx Microsoft Technet — Understanding DNS]

: How DNS works.

* [http://www.tldp.org/HOWTO/DNS-HOWTO.html DNS-HOWTO]

: Detailed explanations on how DNS works, applied to Linux.

* [http://www.zytrax.com/books/dns/ch8/ zytrax open — Chapter 8. DNS Resource Records (RRs)]

* [https://en.wikipedia.org/wiki/Wildcard_DNS_record Wildcard DNS record] (like <code>*.example.com. 3600 IN MX 10 host1.example.com.</code>)

=== Public DNS ===

;Cloudflare

* <code>1.1.1.1</code> and <code>1.0.0.1</code>.

;Google

* <code>8.8.8.8</code> and <code>8.8.4.4</code>.

== How-to ==

=== Reverse DNS lookup ===

See [[Linux Commands#dig|dig]], [[Linux Commands#host|host]] and [[Linux Commands#nslookup|nslookup]].

=== Transfer a domain ===

See the [https://www.ovh.com/fr/g1349.transfert-nom-de-domaine-generique OVH guide].

Prerequisites:

* The <code>Domain status</code> record in the Whois database must be <code>ok</code>.

<source lang=bash>
whois noekeon.org|grep -i "domain status"
# Domain Status: ok https://icann.org/epp#ok
</source>

:If it is not <code>ok</code>, the domain may be ''locked''. In that case, it must be unlocked first at the current registrar.

* The domain must not expire soon ("soon" seems variable, but is between 14 days and 60 days).

* The domain must exist for at least 60 days.

* You must have the domain transfer ''authorisation code'' (<code>AUTHINFO</code>).

=== Test domain configuration ===

Here are some links to wizards that test the DNS configuration automatically:

* http://www.intodns.com/

* http://dkimvalidator.com/

More information:

* https://www.rackaid.com/blog/email-dns-records/ (PTR, SPF and DKIM records)

: These cover reverse DNS (PTR), SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).

;Test SPF record

The simplest way is to send an email from the domain to a Gmail account and view the message source (select ''Show original'') to check the <code>Received-SPF</code> field:

<source lang=text>
Received: from ober.noekeon.org (ober.noekeon.org. [91.134.133.203])
        by mx.google.com with ESMTP id g19si15969822wmc.137.2016.09.04.23.56.46
        for <night.moore.nm@gmail.com>;
        Sun, 04 Sep 2016 23:56:47 -0700 (PDT)
Received-SPF: pass (google.com: domain of michael.peeters@noekeon.org designates 91.134.133.203 as permitted sender) client-ip=91.134.133.203;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of michael.peeters@noekeon.org designates 91.134.133.203 as permitted sender) smtp.mailfrom=michael.peeters@noekeon.org
</source>
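The <code>Received-SPF: pass</code> above is what the receiving MTA concludes by evaluating the sending domain's SPF TXT record against the connecting IP. The following Python example is added here and is not part of the original page: it evaluates the DNS-free SPF mechanisms (<code>ip4</code>, <code>ip6</code>, <code>all</code>, with the four qualifiers) against a client IP; the record <code>v=spf1 ip4:91.134.133.203 -all</code> is a constructed sample, and <code>include:</code>, <code>a</code>, <code>mx</code> and <code>redirect=</code> are reported as unsupported because they need DNS lookups.

```python
"""Minimal SPF evaluator for mechanisms that need no DNS lookup.

Added example, not from the original page. Mirrors what a receiving MTA does
before writing the Received-SPF header: walk the record's terms left to right
and return the result of the first term that matches the client IP.
"""
import ipaddress

# Constructed sample record for the sending host shown in the mail headers above.
SPF_RECORD = "v=spf1 ip4:91.134.133.203 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none',
    'permerror' or 'unsupported') for client_ip under the given TXT record."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # 'all' always matches
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)  # bare IP -> /32 or /128
            except ValueError:
                return "permerror"  # malformed network in the record
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        # include:, a, mx, exists:, ptr and redirect= all require DNS queries
        return "unsupported"
    return "neutral"  # nothing matched and no 'all' term (RFC 7208 section 4.7)


if __name__ == "__main__":
    for sender in ("91.134.133.203", "203.0.113.7"):
        print(sender, evaluate_spf(SPF_RECORD, sender))
```

Fetch a domain's live record with <code>dig +short TXT noekeon.org</code> and pass it to <code>evaluate_spf</code> together with the <code>client-ip</code> from the header to reproduce Google's verdict.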

== Troubleshooting ==

=== SERVFAIL ===

<code>dig</code> (and <code>dig +notrace</code>) fails with a '''SERVFAIL''' error code but <code>dig +trace</code> works:

<source lang=bash>
dig +notrace miki.immie.org
# ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> +notrace miki.immie.org
# ;; global options: +cmd
# ;; Got answer:
# ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29570
# ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
</source>

Using a different DNS server works too:

<source lang=bash>
dig @8.8.8.8 miki.immie.org
</source>

Other subdomains in that zone work though:

<source lang=bash>
dig +notrace kiwi.immie.org
dig +notrace mip.immie.org
</source>

;Solution

:It turned out that we had duplicate ''CNAME'' entries in the zone file. We deleted one of them.

<source lang=text>
miki 10800 IN CNAME prime
miki 10800 IN CNAME prime
</source>
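An added Python check (not from the original page) that catches this class of zone-file error before the zone is reloaded: it flags records listed twice and owner names where a <code>CNAME</code> coexists with another record type, which RFC 1034 forbids. The zone text embedded in it is a constructed sample reproducing the duplicate <code>miki</code> entries; the parser handles only the one-line record form <code>owner [ttl] [class] type rdata</code> shown above.

```python
"""Zone-file sanity check: flag duplicate records and CNAME conflicts.

Added example, not from the original page. $-directives and ';' comments
are skipped; multi-line records in parentheses are not handled.
"""
from collections import Counter, defaultdict

# Constructed sample zone reproducing the duplicate-CNAME bug described above.
ZONE = """\
$TTL 10800
@       IN SOA ns1 hostmaster 2022042001 7200 3600 1209600 3600
@       IN NS  ns1
prime   IN A   192.0.2.10
miki 10800 IN CNAME prime
miki 10800 IN CNAME prime
kiwi    IN A   192.0.2.11
kiwi    IN CNAME prime   ; a CNAME next to an A record is also invalid
"""


def parse_zone(text):
    """Yield (owner, type, rdata) tuples; a line that starts with whitespace
    inherits the owner name of the previous record."""
    owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not raw[0].isspace():
            owner = fields.pop(0)
        if fields and fields[0].isdigit():           # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() in ("IN", "CH", "HS"):  # optional class
            fields.pop(0)
        if owner is None or not fields:
            continue
        yield owner, fields[0].upper(), " ".join(fields[1:])


def check_zone(text):
    """Return a list of human-readable problems found in the zone text."""
    records = list(parse_zone(text))
    problems = [f"duplicate {rtype} record for {owner}: {rdata} (x{n})"
                for (owner, rtype, rdata), n in Counter(records).items() if n > 1]
    types_by_owner = defaultdict(set)
    for owner, rtype, _ in records:
        types_by_owner[owner].add(rtype)
    for owner, types in types_by_owner.items():
        if "CNAME" in types and len(types) > 1:     # RFC 1034: CNAME must stand alone
            problems.append(f"{owner}: CNAME must not coexist with {sorted(types - {'CNAME'})}")
    return problems
```

Run <code>check_zone(open("db.immie.org").read())</code> against the real zone file; an empty list means neither problem is present.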

=== Using nslookup ===

From [https://www.tecmint.com/8-linux-nslookup-commands-to-troubleshoot-dns-domain-name-server/ tecmint.com]:

<source lang="bash">
nslookup yahoo.com                   # Find out the "A" record (IP address) of a domain
nslookup 209.191.122.70              # Reverse lookup (IP address to name)
nslookup ir1.fp.vip.mud.yahoo.com    # Look up a specific host name
nslookup -query=mx www.yahoo.com     # Query the MX (Mail Exchange) record
nslookup -query=ns www.yahoo.com     # Query the NS (Name Server) record
nslookup -type=soa www.yahoo.com     # Query the SOA (Start of Authority) record
nslookup -query=any yahoo.com        # Query all available DNS records
nslookup -debug yahoo.com            # Enable debug mode
</source>

=== Get DNS info from NetworkManager ===

Get the DNS servers received from DHCP using NetworkManager:

<source lang="bash">
nmcli device show|grep -i dns
# IP4.DNS[1]: 127.0.0.1
# IP4.DNS[2]: 164.129.147.251
# IP4.DNS[3]: 10.129.252.253
</source>

=== Troubleshooting dnsmasq ===

See [[dnsmasq]].

Latest revision as of 09:11, 20 April 2022