Doug Barton

bind-users@isc.org FAQ


Copyright © 2002-2009, 2013, 2016 by Douglas Barton, dougb@dougbarton.us, All rights reserved.

Disclaimer: The opinions here are my own. I make no claim to be the one true authority on all DNS matters, speak for my employer, cure cancer, or anything else. If you use any of the advice on this page, you are on your own with it. Good luck. :)

Index

Section I: General FAQ Questions
What is this?
If I don't know the answer, should I guess?
Why are people asking me for the real names of my domains/reverse zones, and/or my conf files?
Where can I get more information about DNS?
Section II: General BIND Issues
"Can't find server name" error when using nslookup
Why is nslookup evil?
Can named serve more than one domain on the same server?
Where can I get a good GUI for BIND?
I'm having build problems
I'm having problems with BIND version <foo>
I'm having problems with BIND on Windows
How can I get a list of all domains being served from a certain name server?
How can I get a list of all domains delegated to a certain name server?
How do I point www.example.com to example.com?
I'm getting "CNAME and other data" errors
I screwed up my zone serial number, now my slaves won't update
I'm getting complaints about no TTL in my logs
I don't understand why hostname.example.com still resolves to an old address
Where do I find a DNS module for use with Perl?
How do I use the same zone file with different zones?


Section I: General FAQ Questions

What is this?

The bind-users@isc.org mailing list is a general help and discussion list for the BIND name server software, distributed by The Internet Systems Consortium. It's also gated to the newsgroup, comp.protocols.dns.bind. There was formerly a bind9-users list for discussion of issues related specifically to that version of the software, however as of 13 June 2004 that list was merged with bind-users.

This document is an attempt to answer the most Frequently Asked Questions on the list. It is not intended to be an exhaustive source of DNS knowledge.

If I don't know the answer, should I guess?

No. The mailing list and newsgroup are distributed to thousands of users and news systems around the world. Many of those users pay for their Internet access by the byte. If you send an answer to the list that is wrong, not only does that answer get transmitted, but the corrections also have to be sent. Your best bet is to either carefully research the answer so that you're sure it's correct, or wait till someone more knowledgeable answers.

Why are people asking me for the real names of my domains/reverse zones, and/or my conf files?

Don't worry, we're not trying to hack you. Due to the nature of how DNS works it is virtually impossible to describe the problems you are having in a way that will help us solve them. Without being able to query your actual name servers, or look at your actual conf files, it is very difficult to determine what is wrong. If you do not feel comfortable with sharing that information, we understand. However, you have to realize that it might not be possible for us to solve your problem.

Where can I get more information about DNS?

Far and away the best reference for DNS in general, and administering BIND specifically, is DNS and BIND, 5th Edition, by Paul Albitz and Cricket Liu. Cricket is a regular contributor to the bind-users mailing list, and an all around good guy. DNS is one of those things that is easy to get easy things done with, but very quickly becomes complex, and is prone to failure in non-obvious ways.

Thus, the topic of DNS is way too complex to be adequately handled on the web, however there are some good web sites that talk about various aspects of it. I make no claims as to the value of these sites, I simply include them for your benefit.

Info on BIND mailing lists
The ISC Tools and Resources page

The IETF RFC web site
IANA Root Zone Database
DNS Root Servers

Section II: General BIND Issues

"Can't find server name" error when using nslookup

For reasons lost in the mists of time, before nslookup starts working on resolving your query it tries to resolve the reverse zone for the IP address of your default name server. The most common error looks like this:
$ nslookup example.com
*** Can't find server name for address 127.0.0.1: Non-existent host/domain
*** Default servers are not available
The solution to this problem is to configure the reverse zone for the IP address of your resolving name server (which is a good idea anyway). Or better yet, learn to use 'host' for simple lookups, and 'dig' for serious DNS debugging.

Why is nslookup evil?

Ok . . . technically nslookup is not evil. In fact, if you are working on a problem involving the local system resolver, it is a good tool to use since it uses the resolver in all its glory. However, if you are trying to debug a DNS problem, it is a bad tool for precisely that reason. The 'host' program, included with the BIND distribution, is an excellent tool for doing simple lookups, and with the new command line options can be used for more specific queries. For more complex issues, the 'dig' program, which is also included with BIND, is the tool to use. It formulates its queries the same way your name server would so you see the same answers that your name server does when asking the same question. The output is quite verbose because it displays (by default) all of the information from the response packet. Learning to understand that information is essential to becoming a proficient DNS Administrator.

Can named serve more than one domain on the same server?

Yes. Simply add multiple zone {}; statements to the conf file.

Where can I get a GUI for BIND?

While there are some commercial solutions available, the most commonly used freeware solution is Webmin. Using a GUI does not relieve you of the burden to understand what you are doing, however.

I'm having build problems

Problems building BIND are outside the scope of this FAQ. Please read the documentation that comes with the BIND distribution thoroughly, as most questions are answered there.

I'm having problems with BIND version <foo>

If you are not using the latest release version of BIND you should upgrade. Many bugs are fixed between versions, and trying to debug something that could very well be fixed in the latest version is a waste of everyone's time. You can find information on the latest versions of BIND on ISC's web page. If you are using BIND 4, BIND 8, or BIND 9 older than 9.3.1, you should definitely upgrade. However, do not assume that a version is safe just because it is newer than 9.3.1. Please also check The BIND Vulnerabilities Page to see if there is new information available since the last update of this FAQ.

I'm having problems with BIND on Windows

As they say on TV, "I don't do windows." Sorry, you'll have to find help elsewhere.

How can I get a list of all domains being served from a certain name server?

If you are trying to do this remotely, the answer is that you can't. There is no query, or combination of queries that will give you this information, short of querying the name server for every possible combination of valid hostname characters.

If you have access to the name server's configuration files, the following is an example command:
$ grep '^zone' named.conf | cut -d '"' -f 2

How can I get a list of all domains delegated to a certain name server?

This is another question for which there is no easy answer. To get a thorough answer to this question you'd have to get the zone files from every single TLD registry on the planet. It's simply not possible to do this. If you are interested in domains delegated to your name servers by certain registrars, you may be able to get this information from whois, or directly from that registrar. However, ultimately, getting a complete answer is all but impossible.

One way to improve your odds is to turn on query logging, then run a script to check whether or not your server has the domains being queried for configured on it. That will at least give you information on what domains people are querying you for.

How do I point www.example.com to example.com?

This question is usually asked the other way around. "How do I point my domain to www.mydomain?" The correct answer (and the only way that works) is to do it the other way around. Set up your A, MX, etc. records for your domain, then set up a CNAME for www, like this:
www		CNAME	example.com.

I'm getting "CNAME and other data" errors

A very common problem, accurately described by the error message. It happens when you add another RR type along with a CNAME. Most commonly, people do something like this:
hostname	CNAME	something.example.com.
hostname	MX	10 mailhost.example.com.
The solution of course is to delete the MX record, or anything else that is not the CNAME. When you CNAME one host to another, the CNAME inherits all of the records of the canonical host, so trying to add additional records to the CNAME does not make sense.
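As an added example (not from the FAQ), a small Python check that reads a master-file fragment and reports owner names that carry a CNAME alongside any other record type, which is exactly the condition named rejects. The sample zone below is constructed here, and the parser only understands the simple layout used on this page (owner name at column 0, or blank to repeat the previous owner, optional TTL/class, then the type).

```python
from collections import defaultdict

# Constructed sample (not from the FAQ): "hostname" has both a CNAME and an
# MX record, which is the "CNAME and other data" mistake described above.
SAMPLE_ZONE = """\
$TTL 8h
@           SOA   ns1.example.com. hostmaster.example.com. ( 42 1d 12h 1w 10m )
            NS    ns1.example.com.
            MX    10 mailhost.example.com.
www         CNAME example.com.
hostname    CNAME something.example.com.
hostname    MX    10 mailhost.example.com.   ; conflicts with the CNAME above
"""

# Record types the simple parser recognises; anything before the type on a
# line (an explicit TTL like "1d", or the class "IN") is skipped over.
RR_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "SOA", "TXT", "PTR", "SRV"}

def rr_types_by_owner(zone_text):
    """Map each owner name to the set of RR types defined under it."""
    owners = defaultdict(set)
    current = None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line or line.startswith("$"):      # blank or $TTL/$ORIGIN
            continue
        fields = line.split()
        if not raw[0].isspace():                  # owner name at column 0
            current = fields.pop(0)
        while fields and fields[0].upper() not in RR_TYPES:
            fields.pop(0)                         # optional TTL / class
        if fields and current is not None:
            owners[current].add(fields[0].upper())
    return owners

def cname_conflicts(zone_text):
    """Owner names that have a CNAME plus any other RR type (named rejects these)."""
    return sorted(owner for owner, types in rr_types_by_owner(zone_text).items()
                  if "CNAME" in types and len(types) > 1)

if __name__ == "__main__":
    print("CNAME and other data at:", cname_conflicts(SAMPLE_ZONE))
```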

I screwed up my zone serial number, now my slaves won't update

See The RFC on Serial Number Arithmetic, or see page 138 of DNS and BIND, 5th Edition.
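An added example, not from the FAQ: the RFC on serial number arithmetic is RFC 1982, and the Python below implements its comparison rule and the usual recovery when a serial has been set too high (publish current + 2^31 - 1, let every slave transfer, then publish the serial you actually want). The serial values used in the checks are constructed.

```python
MASK = 0xFFFFFFFF      # SOA serials are unsigned 32-bit values
HALF = 1 << 31         # 2**31, the RFC 1982 "half the serial space" boundary

def serial_gt(a: int, b: int) -> bool:
    """True if serial a is greater than serial b in RFC 1982 arithmetic.

    A difference of exactly 2**31 is undefined in the RFC; it is treated
    here as "not greater", so a slave would not pick up that change.
    """
    a &= MASK
    b &= MASK
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)

def serial_fix_steps(current: int, wanted: int) -> list:
    """Serials to publish, in order, so slaves move from current to wanted.

    Each intermediate step adds 2**31 - 1, the largest increment that every
    slave still sees as an increase. Each step must be transferred to all
    slaves before the next one is put in the zone file.
    """
    current &= MASK
    wanted &= MASK
    if current == wanted:
        return []
    steps = []
    while not serial_gt(wanted, current):
        current = (current + HALF - 1) & MASK
        steps.append(current)
    steps.append(wanted)
    return steps

if __name__ == "__main__":
    # Constructed case: serial accidentally set to 3000000000, want 2016021701.
    print(serial_fix_steps(3000000000, 2016021701))
```

Note that when the wanted serial is exactly one below the current one, two intermediate steps are needed because a single 2^31 - 1 jump lands precisely 2^31 away from the target.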

I'm getting complaints about no TTL in my logs

If you don't specify a TTL explicitly in your zone files, named will complain:
Zone "example.com" (file example.com): No default TTL ($TTL <value>) set, using SOA minimum instead
In the "old days," named used the last field of the SOA value as the default Time To Live for all records in the zone. Starting with RFC 2308 that value is defined as the TTL for NXDOMAIN, and other negative responses returned by the server. That RFC also introduced the new mechanism to deal with setting a default TTL for your zones, the $TTL directive. Include a line that looks like this at the start of your zone file:
$TTL 8h
example.com. SOA ns1.example.com. root.example.com. (
. . .
The following command line sh script is a quick and easy way to get a $TTL line into all of your zone files. Assuming that your zone files are all in the same directory:
for zone in *; do
    [ -f "$zone" ] || continue                  # skip directories and the temp file
    grep -q '^\$TTL' "$zone" && continue        # already has a $TTL line
    echo '$TTL 8h' | cat - "$zone" > t && mv t "$zone"
done

I don't understand why hostname.example.com still resolves to an old address

Another common problem, most often caused by an old, forgotten host record registration. You can usually find the answer by querying your registrar's whois server:
$ whois -h whois.networksolutions.com 'host www.example.com'
<DISCLAIMER>
[No name] (XXXXXXX-HST)

   Hostname: WWW.EXAMPLE.COM
   Address: 111.111.111.111
   System: ? running ?

   Coordinator:
      Foolish Administrator  (XXXXXXX-OR)  admin@EXAMPLE.COM
      2700 Foolish Way
      Foolish City, CA 00000
      USA

   Record last updated on 22-Feb-2001.
   Database last updated on 3-Mar-2002 09:05:00 EST.
The solution is to contact the registrar and get them to remove the host record.

Where do I find a DNS module for use with Perl?

http://search.cpan.org/search?module=Net::DNS

How do I use the same zone file with different zones?

For zones that are not edited dynamically, this is quite simple. Zones edited using DDNS should not share the same file.

Be sure that all of the references to things that need to exist in the different zones are relative, and all of the things that need to be consistent are fully qualified. Assuming that the records for example.com are in another zone, you could do something like this:
Conf file:
zone "example.net" { type master; file "common.db"; };
zone "example.org" { type master; file "common.db"; };

Zone file:
$TTL 8h
@       SOA     ns1.example.com. hostmaster.example.com. (
                42      1d      12h     1w      10m )
                ; Serial, Refresh, Retry, Expire, Neg. cache TTL

        NS      ns1.example.com.
        NS      ns2.example.com.

        MX      10 mailhost.example.com.

        A       10.0.0.1

www     A       10.0.0.2

$Id: bind-users-FAQ.html,v 1.19 2016/02/17 01:29:18 dougb Exp $