DNS: Difference between revisions

From miki
 
* [http://www.tldp.org/HOWTO/DNS-HOWTO.html DNS-HOWTO]
: Detailed explanations on how DNS works, applied to Linux.

* [http://www.zytrax.com/books/dns/ch8/ zytrax open — Chapter 8. DNS Resource Records (RRs)]

* [https://en.wikipedia.org/wiki/Wildcard_DNS_record Wildcard DNS record] (like <code>*.example.com. 3600 IN MX 10 host1.example.com.</code>)

=== Public DNS ===
;CloudFlare
* <code>1.1.1.1</code> and <code>1.0.0.1</code>.

;Google
* <code>8.8.8.8</code> and <code>8.8.4.4</code>.

== How-to ==

=== Reverse DNS lookup ===
See [[Linux Commands#dig|dig]], [[Linux Commands#host|host]] and [[Linux Commands#nslookup|nslookup]].

=== Transfer a domain ===
See [https://www.ovh.com/fr/g1349.transfert-nom-de-domaine-generique OVH guide].

Prerequisite:
* <code>Domain status</code> record in Whois database must be <code>ok</code>.
<source lang=bash>
whois noekeon.org|grep -i "domain status"
# Domain Status: ok https://icann.org/epp#ok
</source>
:If not <code>ok</code>, the domain is probably ''locked''. In that case it must be unlocked first at the current registrar.
* Domain must not expire soon (soon seems variable, but is between 14 days and 60 days).
* Domain must exist for at least 60 days.
* Must have the domain transfer ''authorisation code'' (<code>AUTHINFO</code>).
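The prerequisites above can be checked mechanically against the <code>whois</code> output. The following Python is an added example, not code from the original page: it parses a constructed whois answer and lists which prerequisites are not met, treating the expiry window conservatively as 60 days. The <code>AUTHINFO</code> code cannot be verified this way and still has to be obtained from the current registrar.

```python
import re
from datetime import datetime, timezone

# Constructed whois output (placeholder domain, not real data) in the style
# `whois <domain>` prints for gTLDs; only the fields the check needs are kept.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.ORG
Creation Date: 2015-03-02T10:15:00Z
Registry Expiry Date: 2026-09-01T00:00:00Z
Domain Status: ok https://icann.org/epp#ok
"""

MIN_AGE_DAYS = 60        # domain must exist for at least 60 days
MIN_REMAINING_DAYS = 60  # registrars refuse somewhere between 14 and 60 days: be conservative
# fixed "today" so the sample check is reproducible (the page's revision date)
REFERENCE_NOW = datetime(2022, 4, 20, tzinfo=timezone.utc)

def parse_whois(text):
    """Return the fields we care about; 'status' is the list of EPP status codes."""
    info = {"status": []}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):\s*(.*\S)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).strip().lower(), m.group(2)
        if key == "domain status":
            info["status"].append(value.split()[0])   # drop the trailing EPP URL
        elif key == "creation date":
            info["created"] = datetime.fromisoformat(value.replace("Z", "+00:00"))
        elif key in ("registry expiry date", "expiry date", "expiration date"):
            info["expires"] = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return info

def transfer_blockers(text, now=None):
    """List the prerequisites that are NOT met; an empty list means ready to transfer."""
    now = now or datetime.now(timezone.utc)
    info = parse_whois(text)
    problems = []
    locks = [s for s in info["status"] if s.lower() != "ok"]
    if locks:
        problems.append("domain status is not ok (unlock at current registrar): " + ", ".join(locks))
    if "created" in info and (now - info["created"]).days < MIN_AGE_DAYS:
        problems.append("domain younger than %d days" % MIN_AGE_DAYS)
    if "expires" in info and (info["expires"] - now).days < MIN_REMAINING_DAYS:
        problems.append("domain expires in less than %d days (renew first)" % MIN_REMAINING_DAYS)
    return problems
```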

=== Test domain configuration ===
Here are some links to wizards that test the DNS configuration automatically:
* http://www.intodns.com/
* http://dkimvalidator.com/

More information:
* https://www.rackaid.com/blog/email-dns-records/ (PTR, SPF and DKIM records)
: These are for Reverse DNS (PTR), SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail)

;Test SPF record
The simplest way is to send an email from the domain to a GMail account and view the mail source (select ''Show original'') to check the <code>Received-SPF</code> field:
<source lang=text>
Received: from ober.noekeon.org (ober.noekeon.org. [91.134.133.203])
by mx.google.com with ESMTP id g19si15969822wmc.137.2016.09.04.23.56.46
for <night.moore.nm@gmail.com>;
Sun, 04 Sep 2016 23:56:47 -0700 (PDT)
Received-SPF: pass (google.com: domain of michael.peeters@noekeon.org designates 91.134.133.203 as permitted sender) client-ip=91.134.133.203;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of michael.peeters@noekeon.org designates 91.134.133.203 as permitted sender) smtp.mailfrom=michael.peeters@noekeon.org
</source>
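To avoid eyeballing the headers, the following added Python example (not from the original page) parses a constructed copy of such a mail source, unfolds the <code>Received-SPF</code> and <code>Authentication-Results</code> headers, and confirms the SPF result is <code>pass</code> for the expected <code>smtp.mailfrom</code> domain and client IP. Hostnames, IP and addresses in the sample are placeholders.

```python
import re
from email import message_from_string

# Constructed mail source modelled on the Gmail "Show original" headers above
# (hostnames, IP and addresses are placeholders, not the page's real ones).
SAMPLE_SOURCE = """\
Received: from mail.example.org (mail.example.org. [192.0.2.10])
        by mx.google.com with ESMTP id abc123si000000wmc.1.2022.04.20.09.11.00
        for <someone@gmail.com>;
        Wed, 20 Apr 2022 09:11:00 -0700 (PDT)
Received-SPF: pass (google.com: domain of sender@example.org designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of sender@example.org designates 192.0.2.10 as permitted sender) smtp.mailfrom=sender@example.org
Subject: SPF test

body
"""

def spf_verdict(source):
    """Return (result, client_ip, mailfrom_domain) taken from the receiving MX's headers."""
    msg = message_from_string(source)
    # folded header continuation lines are collapsed to single spaces
    rspf = " ".join(msg.get("Received-SPF", "").split())
    auth = " ".join(msg.get("Authentication-Results", "").split())
    result = rspf.split(" ", 1)[0].lower() if rspf else None
    ip = re.search(r"client-ip=([0-9a-fA-F.:]+)", rspf)
    mf = re.search(r"smtp\.mailfrom=(?:[^@;\s]+@)?([^;\s]+)", auth)
    auth_result = re.search(r"\bspf=(\w+)", auth)
    # both headers are written by the same MX, so a mismatch means a mangled source
    if auth_result and result and auth_result.group(1).lower() != result:
        raise ValueError("Received-SPF and Authentication-Results disagree")
    return result, ip.group(1) if ip else None, mf.group(1) if mf else None

def spf_ok(source, domain, expected_ip=None):
    """True only for an SPF pass on the domain under test (and the sending IP, if given)."""
    result, ip, mf_domain = spf_verdict(source)
    return result == "pass" and mf_domain == domain and expected_ip in (None, ip)
```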

== Troubleshooting ==
=== SERVFAIL ===
<code>dig</code> (and <code>dig +notrace</code>) fails with a '''SERVFAIL''' error code but <code>dig +trace</code> works:

<source lang=bash>
dig +notrace miki.immie.org

# ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> +notrace miki.immie.org
# ;; global options: +cmd
# ;; Got answer:
# ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 29570
# ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
</source>

Using a different DNS server works too:

<source lang=bash>
dig @8.8.8.8 miki.immie.org
</source>

Other subdomains in that zone work though:

<source lang=bash>
dig +notrace kiwi.immie.org
dig +notrace mip.immie.org
</source>

;Solution
:Turns out that we had duplicate ''CNAME'' entries in the zone file. We deleted one.
<source lang=text>
miki 10800 IN CNAME prime
miki 10800 IN CNAME prime
</source>
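A check that catches this before the zone is reloaded, as an added Python example that is not part of the original page: it parses a constructed zone fragment of the same shape (names and addresses are placeholders) and reports every owner name that has more than one CNAME, or a CNAME next to any other record, which RFC 1034 forbids.

```python
from collections import defaultdict

# Constructed zone fragment reproducing the bug above: two CNAME records at
# the same owner name. Addresses are documentation placeholders.
SAMPLE_ZONE = """\
$ORIGIN immie.org.
$TTL 10800
@       IN  SOA  ns1 hostmaster (2022042001 3600 900 1209600 300)
        IN  NS   ns1
ns1     IN  A    192.0.2.1
prime   IN  A    192.0.2.2
kiwi    IN  CNAME prime
miki    10800 IN CNAME prime
miki    10800 IN CNAME prime
mip     IN  A    192.0.2.3
"""

TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "PTR", "SRV"}

def parse_zone(text):
    """Yield (owner, type, rdata) per record; a line starting with whitespace repeats the previous owner."""
    owner = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line or line.startswith("$"):      # skip blanks and $ORIGIN/$TTL directives
            continue
        fields = line.split()
        if not raw[0].isspace():
            owner = fields.pop(0)
        # optional TTL and class come before the type
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        if not fields or fields[0].upper() not in TYPES:
            raise ValueError("unrecognised record: " + raw)
        yield owner, fields[0].upper(), " ".join(fields[1:])

def cname_conflicts(text):
    """Return owner names violating the 'CNAME stands alone' rule (RFC 1034 section 3.6.2)."""
    records = defaultdict(list)
    for owner, rtype, rdata in parse_zone(text):
        records[owner].append((rtype, rdata))
    bad = []
    for owner, rrs in records.items():
        cnames = [r for r in rrs if r[0] == "CNAME"]
        if len(cnames) > 1 or (cnames and len(rrs) > 1):
            bad.append(owner)
    return sorted(bad)
```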

=== Using nslookup ===
From [https://www.tecmint.com/8-linux-nslookup-commands-to-troubleshoot-dns-domain-name-server/ tecmint.com]:
<source lang="bash">
nslookup yahoo.com # Find out "A" record (IP address) of domain
nslookup 209.191.122.70 # Find out reverse domain lookup
nslookup ir1.fp.vip.mud.yahoo.com # Find out specific Domain lookup
nslookup -query=mx www.yahoo.com # To Query MX (Mail Exchange) record.
nslookup -query=ns www.yahoo.com # To query NS(Name Server) record.
nslookup -type=soa www.yahoo.com # To query SOA (Start of Authority) record.
nslookup -query=any yahoo.com # To query all Available DNS records.
nslookup -debug yahoo.com # Enable Debug mode
</source>

=== Get DNS info from NetworkManager ===

Get DNS info received from DHCP using NetworkManager:
<source lang="bash">
nmcli device show|grep -i dns
# IP4.DNS[1]: 127.0.0.1
# IP4.DNS[2]: 164.129.147.251
# IP4.DNS[3]: 10.129.252.253
</source>

=== Troubleshooting dnsmasq ===
See [[dnsmasq]].

Latest revision as of 09:11, 20 April 2022

== References ==
: A DNS database consists of one or more zone files used by the DNS server. Each zone holds a collection of structured resource records, the following of which are supported by the DNS Server service.
: How DNS works.
