
NS record of subdomain does not propagate


UPDATE: resolved, answer at the end of the question

May I know if I have done something wrong, or if something has changed in the last 3~4 years regarding the practice of DNS record propagation? The NS record of a subdomain I have set up does not seem to propagate to any public DNS server.

I have set up a new subdomain whose DNS I plan to delegate to a specific server.

This was done by setting up an NS record for the subdomain on whois.com.

The SOA and NS records all point to whois.com:

dig @8.8.8.8 SOA mydomain.com
;; ANSWER SECTION:
mydomain.com.          7200    IN      SOA     ns1.whois.com. someemail.someemail.com.

dig @8.8.8.8 NS mydomain.com
;; ANSWER SECTION:
mydomain.com.          21600   IN      NS      ns2.whois.com.
mydomain.com.          21600   IN      NS      ns4.whois.com.
mydomain.com.          21600   IN      NS      ns3.whois.com.
mydomain.com.          21600   IN      NS      ns1.whois.com.

I have set up an A record for the name server I want to use:

dig @8.8.8.8 ns.mydomain.com.
;; ANSWER SECTION:
ns.mydomain.com.       28800   IN      A       88.22.66.11

After setting up the NS record for the subdomain, on the whois.com server it looks like below:

dig @whois.com SOA subdomain.mydomain.com  #both query came back the same
dig @whois.com NS  subdomain.mydomain.com
;; QUESTION SECTION:
;subdomain.mydomain.com.             IN      SOA

;; AUTHORITY SECTION:
subdomain.mydomain.com.      38400   IN      NS      ns.mydomain.com.

;; ADDITIONAL SECTION:
ns.mydomain.com.       28800   IN      A       88.22.66.11

So I think the setting is already correct.

However, I have waited for more than 2 days, but it seems no other public DNS server has picked it up. I have tried others such as 1.1.1.1 and the Cisco name server as well:

dig @8.8.8.8 NS subdomain.mydomain.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38946
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;subdomain.mydomain.com.            IN      NS

Remembering that I had done the same setup for another subdomain 3~4 years ago, but that NS server was later decommissioned without me ever changing any DNS record, I tried checking the other subdomain:

dig @8.8.8.8 NS oldsubdomain.mydomain.com
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;oldsubdomain.mydomain.com.            IN      NS

dig @whois.com NS  oldsubdomain.mydomain.com
;; QUESTION SECTION:
;oldsubdomain.mydomain.com.             IN      SOA

;; AUTHORITY SECTION:
oldsubdomain.mydomain.com.      38400   IN      NS      ns2.mydomain.com.

;; ADDITIONAL SECTION:
ns2.mydomain.com.       28800   IN      A       88.22.66.112

Strangely, the record seems to have also disappeared from other public DNS servers, except the whois.com name servers.

ANSWER

It turns out named was not listening on port 53 on IPv4 on the actual network interfaces:

[]# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      29722/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      29722/named
tcp6       0      0 :::80                   :::*                    LISTEN      29722/named
tcp6       0      0 ::1:953                 :::*                    LISTEN      29722/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           29722/named
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           9134/avahi-daemon:
udp6       0      0 ::1:53                  :::*                                29722/named

dig @127.0.0.1 subdomain.mydomain.com
;;have answer
#assume 123.123.123.123 is public IP of server
dig @123.123.123.123 subdomain.mydomain.com
;;time-out no answer

I fixed it by adding the public IP to named.conf:

listen-on port 53 { 127.0.0.1; 123.123.123.123; };

So the main issue was that the ns.mydomain.com server was previously not answering any DNS queries.

My confusion was that I had mixed up the NS record with the SOA record. I thought that by setting the NS record of the subdomain name, the SOA was already in place; actually that needs to come from the NS server. And my NS server was not able to use nsupdate on BIND because of the failed SOA query, which caused some circular logic in my own investigation.

vidarlo:
How is `subdomain.mydomain.com` defined in your zone file?

JimmyChiKinChau:
@vidarlo I have no access to the zone file; I set it in the DNS provider's web panel (whois.com ==> DNS management ==> NS record). Do you suggest I get its support to pull it for me and take a look?

Patrick Mevzek:
Give the real names involved, otherwise ask your DNS provider or use online troubleshooting tools like DNSViz yourself. PS: There is no "propagation" in the DNS. Changes on the authoritative nameservers can be checked immediately.

JimmyChiKinChau:
Update: it turns out the named server I have set up only listened on 127.0.0.1 on IPv4 but not 0.0.0.0 nor any actual network interface, and also only ::1 on IPv6. I think that's a weird configuration to ship by default, and it seems different to the last server I had.

JimmyChiKinChau:
Changed the named.conf to listen-on port 53 { 127.0.0.1; my.v4.ip.address; }; things seem to work better now.

vidarlo:
@JimmyChiKinChau Please post the answer as an answer, not as an edit to your question. Self-answering is perfectly fine, and you can then mark the answer as accepted.

JimmyChiKinChau:
@vidarlo thanks for your advice; let me think of how to put an answer that's more educational for people who come later. Originally I think the actual answer to my question did not come from the details of the question, so it was not educational.

vidarlo:
@JimmyChiKinChau Doesn't really matter. The point is to indicate that it's solved. So please post it as is, and edit at a later point if you would like to improve it.
Answer (self-answer by JimmyChiKinChau):

The SOA record and NS record are different types of records to begin with.

An NS record from upstream delegates (an)other name server(s) to answer DNS queries for the subdomain.

The SOA actually tells what the start of authority of a particular domain is.

In my case I also had to set up named to answer the SOA query, which I did by setting up the zone file of named. The zone file has the SOA and A records for subdomain.mydomain.com.

I wrongly assumed I should use nsupdate to troubleshoot, because nsupdate blocks when it does not find the SOA record from the default DNS of the server, which was 8.8.8.8. The whole thing became quite circular for me.

The actual issue was that no server was able to query the SOA from the name server ns.mydomain.com I had set up.

That was discovered by running the dig and netstat commands below on the ns.mydomain.com server itself:

dig @127.0.0.1 subdomain.mydomain.com
;;have answer
#assume 123.123.123.123 is public IP of server
dig @123.123.123.123 subdomain.mydomain.com
;;time-out no answer

[]# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      29722/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      29722/named
tcp6       0      0 :::80                   :::*                    LISTEN      29722/named
tcp6       0      0 ::1:953                 :::*                    LISTEN      29722/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           29722/named
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           9134/avahi-daemon:
udp6       0      0 ::1:53                  :::*                                29722/named

On closer examination of the netstat output, it showed that port 53 was only being listened on for all IPv6 interfaces plus the 127.0.0.1 IPv4 loopback, but not any other IPv4 interface.

To change this behaviour, amend the following line in named.conf:

listen-on port 53 { 127.0.0.1; 123.123.123.123; };

adding in the public IP so that named also properly listens to requests arriving on the IPv4 interface.
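The diagnosis in the answer above (and the ANSWER update in the question), turned into a small check. This is an added example, not code from the question or answer: it parses `netstat -tulpn` output, lists the addresses on which named binds port 53, reports per IP family whether any off-host client can reach it (loopback does not count, a wildcard or real interface address does), and builds the `listen-on` line from the answer. The sample netstat text is constructed from the answer's output, and `123.123.123.123` is the answer's placeholder public IP.

```python
import ipaddress

# Constructed sample, modelled on the netstat -tulpn output in the answer:
# named binds port 53 only on 127.0.0.1 and ::1, so no off-host client can reach it.
NETSTAT_BROKEN = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      29722/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      29722/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           29722/named
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           9134/avahi-daemon:
udp6       0      0 ::1:53                  :::*                                29722/named
"""


def parse_listeners(netstat_text, program="named", port=53):
    """Return the set of local addresses on which `program` binds `port` (TCP or UDP)."""
    addrs = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith(("tcp", "udp")):
            continue  # header line or non-socket row
        # Last column is "PID/Program name"; the "Local Address" column is host:port.
        if cols[-1].split("/", 1)[-1] != program:
            continue
        host, _, local_port = cols[3].rpartition(":")  # works for "::1:53" too
        if local_port == str(port):
            addrs.add(ipaddress.ip_address(host))
    return addrs


def reachable_from_network(addrs):
    """Per IP family: True if some bound address serves off-host clients, i.e. a
    wildcard (0.0.0.0 / ::) or a real interface address; loopback never qualifies."""
    reach = {4: False, 6: False}
    for a in addrs:
        if not a.is_loopback:
            reach[a.version] = True
    return reach


def listen_on_directive(public_ips):
    """Build the named.conf line from the answer, keeping loopback for local queries."""
    ips = ["127.0.0.1"] + [str(ipaddress.ip_address(ip)) for ip in public_ips]
    return "listen-on port 53 { " + "; ".join(ips) + "; };"


if __name__ == "__main__":
    bound = parse_listeners(NETSTAT_BROKEN)
    print("named binds port 53 on:", sorted(map(str, bound)))
    print("reachable from the network:", reachable_from_network(bound))
    if not reachable_from_network(bound)[4]:
        print("fix:", listen_on_directive(["123.123.123.123"]))
```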
