NEWBIE: DNS server on ADSL with static IP

Hung Nguyen

Hi all,

I have:

* A registered domain, let's say "xyz.com" for example
* An ADSL connection with static IP, let's say 111.111.111.111 for example
* Windows 2003 with AD and DNS installed (I can re-install it if
necessary) and a xyz.com zone in the FORWARD zone (nothing in the REVERSE zone)
* A router with LAN IP 192.168.0.250 and WAN IP 111.111.111.111
* A DynDNS domain, let's say "mydns.gotdns.com" pointing to 111.111.111.111


I did:

* Install Win2K3 server, named "server2", IP address 192.168.0.100
* Port forwarding 53 (TCP/UDP) to 192.168.0.100 in the router
* Set name servers at my registrar to "ns1.xyz.com" and "ns2.xyz.com" with IP
111.111.111.111
* Add ns1, ns2 host (A) records in DNS with my public IP 111.111.111.111
* Add nameservers ns1.xyz.com and ns2.xyz.com => I have 3 nameservers in DNS
after I did this:
  - server2 with IP 192.168.0.100 (default after installing AD and DNS,
    cannot delete)
  - ns1 and ns2 with IP 111.111.111.111


1st scenario (with the above setup):
* I tried dnsreport.com; the returned results are:
Your NS records at the parent servers are:
ns2.xyz.com. [NO GLUE; No A record]
ns1.xyz.com. [NO GLUE; No A record]


ERROR. One or more of your DNS servers are missing A
records. As a result, they cannot be used. The problem hostnames are:
ns2.xyz.com. has no A record.
ns1.xyz.com. has no A record.


A timeout occurred getting the NS records from your
nameservers! None of your nameservers responded fast enough.
They are probably down or unreachable. I can't continue
since your nameservers aren't responding.
If you have a Watchguard Firebox, it's due to a bug in their
DNS Proxy, which must be disabled.


* Of course, cannot access the server from the internet using the xyz.com domain
(I asked a friend to test for me)

2nd scenario (with the above setup and ...):
* I added "mydns.gotdns.com" with IP 111.111.111.111 to the nameservers at my
registrar
Then checked on DNSreport.com; everything works but with a few
warnings regarding:
* server2.xyz.com got IP 192.168.0.100 and is not STEALTH
* mydns.gotdns.com does not have an NS entry in my DNS

* I can access from the internet now, but this is not the way it should work


The question is: What did I do wrong here?

I tried to google, but everywhere people keep explaining how to do it in a
private namespace, and I want to do it in a public namespace.
 
Kevin D. Goodknecht Sr. [MVP]

Hung Nguyen said:
Hi all,

I have:

* A registered domain, let's say "xyz.com" for example
The question is: What did I do wrong here?

I tried to google, but everywhere people keep explaining how to do it in a
private namespace, and I want to do it in a public namespace.


What is your AD domain name?
If it is xyz.com, it won't work on the same DNS server as the AD domain name.
The public and private namespaces must be kept separate, because the
internal domain will only communicate with private addresses, and the public
domain will only communicate with public addresses.
You need at least two DNS servers in this case: one for the internal users,
even if you are the only one, and one for the public users.

It could be made to work if the AD domain is something like xyz.local. That
way the zones are kept separate even though they are on the same DNS server.
There will still be a few problems. One, your xyz.com will only have public
addresses, because any other way won't work, but any local sites you host
can only be accessed by the private address.
The only way around it for you, if you only have one DNS server, is to use
the HOSTS file for your local machines.
Another problem, and this goes for DNS hosted on any DC: if you use AD
integrated public zones, AD will automatically create an NS record for the
local machine FQDN which will resolve to the local IP address and make it
the SOA primary name server. You will have to use standard primary and
standard secondary zones.

Your best bet is to leave the public zone at your registrar. It will be
faster, most give you administrative rights to the zone, and it will save
you one big headache. Unless, of course, you are going into the DNS hosting
business and you are going to make enough for the headache. But then, I
would recommend hosting the public zones on totally separate machines, and
you have two of them.
 
Hung Nguyen

Hi Kevin,

Thank you very much for your answer. The public namespace is the answer I am
looking for in doing this DNS server thing. How do I set up a public
namespace for public users?
I don't mind if you can point me to some reference about setting up this
public namespace if you feel that I need to read more before asking newbie
questions.

OK, let's put it this way:

I want DNS, Mail, Web on the same box.

Just forget about the Web and Mail for now; how do I set up DNS for a public
namespace?

Thanks,

Hung Nguyen
 
Kevin D. Goodknecht Sr. [MVP]

Hung Nguyen said:
Hi Kevin,

Thank you very much for your answer. The public namespace is the
answer I am looking for in doing this DNS server thing. How do I set
up a public namespace for public users?
I don't mind if you can point me to some reference about setting up
this public namespace if you feel that I need to read more before
asking newbie questions.

OK, let's put it this way:

I want DNS, Mail, Web on the same box.

Just forget about the Web and Mail for now; how do I set up DNS for a
public namespace?

Create a zone for the public name, with the same NS records as the public
record shows for the domain. Then create records that only resolve to public
IP addresses in the zone.
I don't think reading more will help you until you understand that there
should be no records in the public zone that resolve to private IP
addresses.

DNS is really easy and it follows a hierarchy.
E.g. www.domain.com translates in DNS like this:
Zone: domain.com.
Host record in the zone: www, an address record with the IP that www.domain.com
resolves to.
 
PScyime via WinServerKB.com

Hi

From what I remember reading, that error means when your DNS server is queried
it doesn't return an "A" host record, called a "glue" record. I also think
from memory that although it is not good practice it is not against "the
rules", so to speak.

If you want a solution or more info, have a look at the www.dnsstuff.com forum
because that question has been asked and explained many times; you can easily
find the info there.

You need host A records for these - or do you have them? If not, I believe you
need to create them in the forward lookup zone xyz.com:

ns2.xyz.com. [NO GLUE; No A record]
ns1.xyz.com. [NO GLUE; No A record]

I guess they need to point to your public DNS server's IP, but Kevin should be
able to confirm that?

HTH

Regards

S
 
Kevin D. Goodknecht Sr. [MVP]

PScyime via WinServerKB.com said:
Hi

From what I remember reading, that error means when your DNS server is
queried it doesn't return an "A" host record, called a "glue" record.
I also think from memory that although it is not good practice it is
not against "the rules", so to speak.

If you want a solution or more info, have a look at the www.dnsstuff.com
forum because that question has been asked and explained many times;
you can easily find the info there.

You need host A records for these - or do you have them? If not, I
believe you need to create them in the forward lookup zone xyz.com:

ns2.xyz.com. [NO GLUE; No A record]
ns1.xyz.com. [NO GLUE; No A record]

I guess they need to point to your public DNS server's IP, but Kevin
should be able to confirm that?

The glue record is the A record; he has apparently not created the glue
records with his registrar. Not knowing who his registrar is, I cannot tell
him how to do this exactly. But the crux of it is, he needs to create
ns1.xyz.com and ns2.xyz.com with the relating IPs at his registrar.
He also needs these two records on his own DNS server, in addition to the
two NS records for these names.
 
Hung Nguyen

Hi,

My registrar is domaincentral.com.au

The only settings that I have from them are two name servers and an additional
name server if needed.

Before I start this DNS thing, I can enter the server names, ns1.xyz.com
and ns2.xyz.com, and the appropriate IP address.

After this DNS starts up, I am only allowed to enter the DNS server name, not
the IP anymore? Please explain here if it makes sense to you, and please tell
me how do I create an A or GLUE record with my registrar?

So, after I set ns1, ns2.xyz.com at the registrar, I went back to my server.

Deactivate AD and keep the DNS server with nothing set up

Create the xyz.com zone in the DNS server forward zone

Add 2 host (A) records ns1, ns2 with public IP 111.111.111.111

Double click on SOA and add ns1.xyz.com and ns2.xyz.com at the Name Servers tab

Restart DNS server

Still, nothing works.

There are 2 issues raised after I did this:


First: why, after I add mydns.gotdns.com as one of the DNS name servers at my
registrar,
I get everything picked up, from DNS server to my web host, etc.; the only error
is that
mydns.gotdns.com is not entered as NS in my DNS server (obviously). If I
have it removed, nothing works again.

Secondly, according to Kevin, I should remove any NS that resolves to my private
address. What I did is set the SOA primary name server to ns1,
delete server2 from the Name Servers list, delete the server2 host (A), close DNS,
restart the DNS service, open DNS, and
I got everything back, i.e. server2 host (A) and NS. Do I need to save the
settings after deleting the server2 host and NS?

My question still: how do I create a public namespace? Step by step if
possible please.

I am reading some of the posts in the DNS Stuff forum to see if they can help me.

Many Thanks



 
Kevin D. Goodknecht Sr. [MVP]

Hung said:
Hi,

My registrar is domaincentral.com.au

The only settings that I have from them are two name servers and an
additional name server if needed.

Before I start this DNS thing, I can enter the server names,
ns1.xyz.com and ns2.xyz.com, and the appropriate IP address.

After this DNS starts up, I am only allowed to enter the DNS server
name, not the IP anymore? Please explain here if it makes sense to
you, and please tell me how do I create an A or GLUE record with my
registrar?

Log on to your account with your registrar; somewhere on the site there
should be a link for something like manage host servers or manage domain hosts
or something like that. It is here that you create the host records for
your domain name. If you don't have these hosts created, your DNS servers
will not have glue at the TLD servers and your domain may or may not be
available on the internet.
So, after I set ns1, ns2.xyz.com at the registrar, I went back to my
server.

Deactivate AD and keep the DNS server with nothing set up

Create the xyz.com zone in the DNS server forward zone

Add 2 host (A) records ns1, ns2 with public IP 111.111.111.111

Double click on SOA and add ns1.xyz.com and ns2.xyz.com at the Name
Servers tab

Restart DNS server

Still, nothing works.

There are 2 issues raised after I did this:


First: why, after I add mydns.gotdns.com as one of the DNS name servers
at my registrar,
I get everything picked up, from DNS server to my web host, etc.; the
only error is that
mydns.gotdns.com is not entered as NS in my DNS server (obviously).
If I have it removed, nothing works again.

Secondly, according to Kevin, I should remove any NS that resolves to my
private address. What I did is set the SOA primary name server to ns1,
delete server2 from the Name Servers list, delete the server2 host (A), close
DNS, restart the DNS service, open DNS, and
I got everything back, i.e. server2 host (A) and NS. Do I need to save
the settings after deleting the server2 host and NS?

My question still: how do I create a public namespace? Step by step if
possible please.

Create the forward lookup zone for the domain name you are going to host,
e.g. 'abc.com'.
In that zone the first thing you should do is create NS records for the names
of your DNS servers, e.g. 'ns1.xyz.com' and 'ns2.xyz.com', set the primary
name server on the SOA record, and create an MX record: leave the host or domain
field blank and type in the SMTP server's actual host name, e.g. 'mail.xyz.com'
(use the SMTP server's actual name, even if it is in a different domain). Then
you need host records for www, mail, ftp, etc.
I am reading some of the posts in the DNS Stuff forum to see if they can
help me.

If you could post your actual domain name I would have more of an idea what
is wrong.
 
Hung Nguyen

Hi Kevin,

As I said in my previous post, the only settings I have are name server 1 and 2
and an additional nameserver if needed.

I also tried to contact the registrar and they said to send them my IP number so
they can glue??? Is that what you meant?
(You can do it manually with your registrar, but perhaps my registrar has to
do it for me themselves :)

For creating the public zone, I did similar to what you said, but the only
difference is, after I create a zone xyz.com,
I have 1 SOA and 1 NS already in the zone which resolve to my private network,
i.e. server2.

As I said, after I deleted the server2 NS and host (A), updated the DNS server file,
exited DNS manager, restarted the DNS service,
opened DNS manager and checked, the server2 host (A) and NS records are there. Maybe
I need to reinstall the server :(.

For the glue, I may have to wait until next week because my registrar is so
slow ... to update GLUE.

I will let you know once I have the A record in place with my registrar; I will
test my DNS again.
 
Kevin D. Goodknecht Sr. [MVP]

Hung said:
Hi Kevin,

As I said in my previous post, the only settings I have are name server 1
and 2 and an additional nameserver if needed.

Just to clarify, each zone you host for a public domain must have NS records
matching the NS records seen in the public whois lookup for the domain name.
I also tried to contact the registrar and they said to send them my IP
number so they can glue??? Is that what you meant?
(You can do it manually with your registrar, but perhaps my registrar
has to do it for me themselves :)

Yes, this is what I mean, exactly. Some registrars have a link in the
administration console when you logon to the registrar to manage your
domain.
However, some registrars do not have the capability to allow this and you
have to email them a request to create the Glue record for you.
For creating the public zone, I did similar to what you said, but
the only difference is, after I create a zone xyz.com,
I have 1 SOA and 1 NS already in the zone which resolve to my private
network, i.e. server2.

Create a host record with the same public name you used with your registrar
(e.g. NS1) with the same public IP you gave your registrar. Edit or
delete current incorrect NS records in all public zones that DON'T match
what is in the public whois for the domain. Delete any glue record that has
a private IP address in the NS record properties.
As I said, after I deleted the server2 NS and host (A), updated the DNS
server file, exited DNS manager, restarted the DNS service,
opened DNS manager and checked, the server2 host (A) and NS records are
there. Maybe I need to reinstall the server :(.

You have to manually create the glue record and NS record, you cannot use AD
integrated public zones, as this will automatically create a NS record and
glue for the internal IP of the DNS server.
For the glue, I may have to wait until next week because my registrar
is so slow ... to update GLUE.

Some are very slow, did you ask them if they had an interface in your
Administrative console with the registrar?
I will let you know once I have the A record in place with my registrar; I
will test my DNS again.

Creating the glue on your local DNS server with a long TTL can help, because
this A record will stay in cache if anyone does a lookup on your domain.
This cannot take the place of your registrar having your glue but it can
help succeeding lookups after the initial lookup.
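Kevin's three checks (the zone's NS set must match the delegation at the parent, in-zone name servers need glue at the registrar, and nothing in a public zone may resolve to a private address) as an added example, not code from the thread: a small Python audit over a constructed copy of the poster's zone. The record tuples, the `audit_public_zone` function and the parent/glue dictionaries are assumptions made for illustration; 111.111.111.111 and 192.168.0.100 are the placeholder addresses from the thread.

```python
import ipaddress

# Constructed sample of the poster's zone as described in the thread: the two
# public name servers plus the NS/A pair that AD created for the DC itself.
ZONE_AS_POSTED = [
    ("xyz.com.", "NS", "ns1.xyz.com."),
    ("xyz.com.", "NS", "ns2.xyz.com."),
    ("xyz.com.", "NS", "server2.xyz.com."),       # auto-created, internal name
    ("ns1.xyz.com.", "A", "111.111.111.111"),
    ("ns2.xyz.com.", "A", "111.111.111.111"),
    ("server2.xyz.com.", "A", "192.168.0.100"),   # private address, must not be here
    ("www.xyz.com.", "A", "111.111.111.111"),
]
# What the parent (registrar / TLD servers) publishes: NS names and glue A records.
PARENT_NS = {"ns1.xyz.com.", "ns2.xyz.com."}
PARENT_GLUE_MISSING = {}                              # the "[NO GLUE; No A record]" case
PARENT_GLUE_OK = {"ns1.xyz.com.": {"111.111.111.111"},
                  "ns2.xyz.com.": {"111.111.111.111"}}

# The zone after following Kevin's advice: every server2 record removed.
ZONE_FIXED = [r for r in ZONE_AS_POSTED
              if "server2" not in r[0] and "server2" not in r[2]]


def audit_public_zone(zone, apex, parent_ns, parent_glue):
    """Return a list of findings; an empty list means the zone passes all checks."""
    findings = []
    ns_in_zone = {rdata for owner, rtype, rdata in zone
                  if owner == apex and rtype == "NS"}
    a_records = {}
    for owner, rtype, rdata in zone:
        if rtype == "A":
            a_records.setdefault(owner, set()).add(rdata)

    # 1. Nothing in a public zone may resolve to a private (RFC 1918) address.
    for owner, addrs in a_records.items():
        for addr in sorted(addrs):
            if ipaddress.ip_address(addr).is_private:
                findings.append(f"private address in public zone: {owner} A {addr}")

    # 2. The NS set in the zone must match the delegation seen at the parent.
    for name in sorted(ns_in_zone - parent_ns):
        findings.append(f"NS {name} is in the zone but not in the parent delegation")
    for name in sorted(parent_ns - ns_in_zone):
        findings.append(f"NS {name} is in the parent delegation but missing from the zone")

    # 3. Name servers inside the zone need glue at the parent and a matching A record.
    for name in sorted(parent_ns):
        if not name.endswith("." + apex):
            continue                                  # out-of-bailiwick: no glue needed
        if name not in parent_glue:
            findings.append(f"{name} has no glue at the parent (NO GLUE)")
        if name not in a_records:
            findings.append(f"{name} has no A record in the zone")
        elif name in parent_glue and parent_glue[name] != a_records[name]:
            findings.append(f"glue for {name} at the parent differs from the zone A record")
    return findings


if __name__ == "__main__":
    for line in audit_public_zone(ZONE_AS_POSTED, "xyz.com.", PARENT_NS, PARENT_GLUE_MISSING):
        print("FAIL:", line)
    print("fixed zone:", audit_public_zone(ZONE_FIXED, "xyz.com.", PARENT_NS, PARENT_GLUE_OK))
```

The posted zone produces four findings (the private server2 address, the stray server2 NS, and missing glue for ns1 and ns2); the fixed zone with glue at the registrar produces none.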
 
Hung Nguyen

Kevin D. Goodknecht Sr. said:
Just to clarify, each zone you host for a public domain must have NS
records
matching the NS records seen in the public whois lookup for the domain
name.


Yes, this is what I mean, exactly. Some registrars have a link in the
administration console when you logon to the registrar to manage your
domain.
However, some registrars do not have the capability to allow this and you
have to email them a request to create the Glue record for you.

It may be true as they are a domain reseller; the reason I chose them is because
they are cheap :)
and they did the work OK before I started this DNS thing

Create a host record with the same public name you used with your
registrar
(e.g. NS1) with the same public IP you gave your registrar. Edit or
delete current incorrect NS records in all public zones that DON'T match
what is in the public whois for the domain. Delete any glue record that
has
a private IP address in the NS record properties.


You have to manually create the glue record and NS record, you cannot use
AD
integrated public zones, as this will automatically create a NS record and
glue for the internal IP of the DNS server.

As in my previous post, I did mention that I removed the AD role from my server,
only the DNS server is left, but I guess all the settings are still hidden
somewhere and have not been removed.

And I CANNOT delete it manually in DNS manager as it COMES BACK after
restart DNS server.

I will try to search registry and folder to see if it is hidden somewhere.


Some are very slow, did you ask them if they had an interface in your
Administrative console with the registrar?

Good point here. I should email and ask for it.
As this is my first time setting up public DNS, still lots of things to
learn
 
PScyime via WinServerKB.com

Hi

Wow... missed a fair bit. Is the issue (apart from your ISP sorting out the
host A "glue" records) that when you have a primary non-integrated DNS and
restart the DNS service it gets populated with some records pointing to your
internal IPs?

Does it say the zone is standard primary? How did you remove AD from the
machine, was it the only DC?


Regards

S


 
Hung Nguyen

PScyime via WinServerKB.com said:
Hi

Wow... missed a fair bit. Is the issue (apart from your ISP sorting out the
host A "glue" records) that when you have a primary non-integrated DNS and
restart the DNS service it gets populated with some records pointing to
your
internal IPs?

Does it say the zone is standard primary? How did you remove AD from the
machine, was it the only DC?

Hi PScyime,

The zone IS standard primary at this moment (I just checked).
I removed AD from Manage Server Roles and did not use dcpromo; would it make
any difference?
It was the only DC, as I have only one machine for this public DNS purpose.
The other computers I have are on a workgroup only.

And yes, after I restart the DNS service, the zone has been populated again
with records pointing to internal IPs, i.e. host (A) and NS.

By the way, just want to remind you that I use Windows 2003 server.

Regards,

Hung Nguyen
 
Kevin D. Goodknecht Sr. [MVP]

Hung said:
And yes, after I restart the DNS service, the zone has been populated
again with records pointing to internal IPs, i.e. host (A) and NS.

By the way, just want to remind you that I use Windows 2003 server.

Do you still have a domain controller somewhere?

Did you set dynamic updates to none?

If this machine is not a DC, you can change the primary DNS suffix to
something other than your public domain name.
 
Hung Nguyen

Kevin D. Goodknecht Sr. said:
Do you still have a domain controller somewhere?

That is the first and only DC I have installed at this place, and it has also been
removed.
Did you set dynamic updates to none?

Dynamic update is set to "Nonsecure and secure"
If this machine is not a DC, you can change the primary DNS suffix to
something other than your public domain name.

Yes, I can change it to something else. I just changed the DNS suffix to local,
restarted the computer, then went to DNS manager, deleted the "server2" host (A)
and NS, updated the server data file, restarted the DNS service, checked, and the NS record
is still there, i.e. "server2.local" with IP unknown as no host (A) is added for it.

Regards,
Hung Nguyen
 
Hung Nguyen

I just ticked View->Advanced in DNS manager and found
in the Reverse zone there are 0., 127. and 255.in-addr.arpa zones, and
there are "server2" NS records in there. Should I do anything with it (delete
it)?

Regards,
Hung Nguyen
 
Kevin D. Goodknecht Sr. [MVP]

Hung said:
That is the first and only DC I have installed at this place, and it has
also been removed.


Dynamic update is set to "Nonsecure and secure"

Change this to none; you certainly don't want internet users registering in
your zone.
 
Pscyime via WinServerKB.com

Hi

Has what Kevin advised about the dynamic updates prevented those records
appearing in your DNS?

Simon
 
Hung Nguyen

Hi Kevin and Simon,

At first, my DNS did not work, so I changed dynamic update to nonsecure and
secure.

That's also why I did not give out my domain and public IP address, for
security reasons :).

After I changed dynamic update to "none", those local records do not come
back. Woo hoo...

So I guess I have my DNS server ready, just waiting for my registrar to update
the host (A) record.
In the meantime, I just add

Thanks a lot guys.
Hung Nguyen

 
Kevin D. Goodknecht Sr. [MVP]

Hung said:
I just ticked View->Advanced in DNS manager and found
in the Reverse zone there are 0., 127. and 255.in-addr.arpa zones, and
there are "server2" NS records in there. Should I do anything with it
(delete it)?

You cannot modify these automatic zones.
 
