Post #1 | May 8 2008, 06:08 AM
Newbie | Group: Members | Posts: 3 | Joined: 28-June 05 | Member No.: 17,401

I'm trying to configure my domain's name server dns record to be able to show authority records.

Here's an example. The first link is for my name server, the second link is for someone else's name server:

http://network-tools.com/default.asp?prog=....pointstone.com
http://network-tools.com/default.asp?prog=...=ns1.geodns.net

As you can see, geodns.net shows two Authority records:

geodns.net 1 NS ns2.serverbeach.com 300s
geodns.net 1 NS ns1.serverbeach.com 300s

While my name server does not show any. Does anyone know how I can set up the Windows 2003 DNS server so that it displays the primary and secondary name servers in Authority records? Thanks!

--------------------
Steven Martins
Post #2 | May 8 2008, 06:56 PM
Celery | Group: Members | Posts: 20 | Joined: 9-September 07 | Member No.: 49,313

Umm.. I think I need to read up on it myself

http://www.inetdaemon.com/tutorials/intern...oritative.shtml
http://www.mnet.state.mn.us/data-net/dns/authority.php
Post #3 | May 9 2008, 06:00 AM
Newbie | Group: Members | Posts: 3 | Joined: 28-June 05 | Member No.: 17,401

Thanks for the reply.

I've read one of those pages before posting this message but I just could not make any sense of what I need to do so that my name server returns authority records. Have you been able to figure it out by reading these articles?

--------------------
Steven Martins
Post #4 | May 10 2008, 08:21 PM
Celery | Group: Members | Posts: 20 | Joined: 9-September 07 | Member No.: 49,313

I think you need to make sure at the domain register the name servers need to be listed on the domain.

Also for the name server domain needs to have the host ip address set. Make sure you have an A record for the name servers.

For the domains make sure the primary name server is listed as the responsible server, and that all name servers are listed in the name server tab.

If you get stuck I could get some pictures of the steps. I think that is all.
Post #5 | May 11 2008, 12:42 AM
Enlightened | Group: Members | Posts: 93 | Joined: 26-November 05 | From: Houston Texas | Member No.: 18,985

Granted you are on a windows box, but DNS is so much easier to diagnose with a linux shell, even if it is a home computer with some sort of internet access just for testing purposes.

First we find a root DNS in question, pointstone.com being com

```
dig com NS

com.                    27118   IN      NS      h.gtld-servers.net.
com.                    27118   IN      NS      k.gtld-servers.net.
com.                    27118   IN      NS      i.gtld-servers.net.
```

....... and so on ... really lots of data here we don't need

Now we grab one of these DNS servers and find out exactly where they are sending the DNS requests to. By the way, this is how you verify the whois database is actually correct!

```
dig @h.gtld-servers.net pointstone.com NS

; <<>> DiG 9.2.4 <<>> @h.gtld-servers.net pointstone.com NS
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1049
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;pointstone.com.                IN      NS

;; ANSWER SECTION:
pointstone.com.         172800  IN      NS      ns.pointstone.com.
pointstone.com.         172800  IN      NS      ns2.pointstone.com.

;; ADDITIONAL SECTION:
ns.pointstone.com.      172800  IN      A       70.86.43.74
ns2.pointstone.com.     172800  IN      A       70.86.43.75
```

Ok so now we are showing that .74 and .75 have been assigned as ns/ns2.pointstone.com, great! Now let's check the DNS zones on the server itself.

```
dig @ns.pointstone.com pointstone.com SOA

; <<>> DiG 9.2.4 <<>> @ns.pointstone.com pointstone.com SOA
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12745
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;pointstone.com.                IN      SOA

;; ANSWER SECTION:
pointstone.com.         3600    IN      SOA     ns.pointstone.com. admin.pointstone.com. 2007010852 1200 600 172800 3600

;; ADDITIONAL SECTION:
ns.pointstone.com.      3600    IN      A       70.86.43.74
```

So from this we see that the zone file is missing the information for the ns2.pointstone.com nameserver. Let's check the other IP as well just in case it actually is a different server, but it returns the same information.

So all you need is one more NS record for ns2.pointstone.com and one more A record to point ns2.pointstone.com to 70.86.43.75

Get that done and all is happy again.
Post #6 | May 15 2008, 06:49 PM
Newbie | Group: Members | Posts: 3 | Joined: 28-June 05 | Member No.: 17,401

> Granted you are on a windows box, but DNS is so much easier to diagnose with a linux shell, even if it is a home computer with some sort of internet access just for testing purposes.

Thanks for your reply. I do in fact have a NS and A record like you suggested. Here's my dns file:

```
;
;  Database file pointstone.com.dns for pointstone.com zone.
;      Zone version:  2007010877
;

@                       IN  SOA ns.pointstone.com. admin.pointstone.com. (
                                2007010877   ; serial number
                                1200         ; refresh
                                600          ; retry
                                172800       ; expire
                                3600       ) ; default TTL

;
;  Zone NS records
;

@                       NS      ns2.pointstone.com.
@                       NS      ns.pointstone.com.

;
;  Zone records
;

@                       A       70.86.43.74
@                       MX      10 mail.pointstone.com.
@                       TXT     ( "v=spf1 mx a:mail.pointstone.com ip4:70.86.43.74 ip4:216.27.93.0/25 ip4:209.34.224.64/27 ip4:216.27.9.96/29 ip4:216.27.17.128/28 include:icpbounce.com ?all" "" )
blog                    A       70.86.43.74
dl1                     A       70.86.43.75
dl2                     A       70.86.43.75
forums                  A       70.86.43.74
mail                    A       70.86.43.74
                        TXT     ( "v=spf1 a -all" )
ns                      A       70.86.43.74
ns2                     A       70.86.43.75
support                 A       70.86.43.74
www                     A       70.86.43.74
```

Does anything wrong with that configuration come to mind or is it missing something? I've read dozens of web sites and tried to search about this "problem" but could not find anything

--------------------
Steven Martins
Post #7 | May 16 2008, 02:35 PM
Celery | Group: Members | Posts: 20 | Joined: 9-September 07 | Member No.: 49,313

Here is some info from DNS Stuff. It looks like everything is ok but you may want to fix these.

FAIL: Open DNS servers
ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:
Server 70.86.43.74 reports that it will do recursive lookups. [test]
Server 70.86.43.75 reports that it will do recursive lookups. [test]
See this page for info on closing open DNS servers.

WARN: SOA EXPIRE value
WARNING: Your SOA EXPIRE time is : 172800 seconds. This seems a bit low. You should consider increasing this value to about 1209600 to 2419200 seconds (2 to 4 weeks). RFC1912 suggests 2-4 weeks. This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver.

WARN: Nameservers on separate class C's
WARNING: All of your nameservers (listed at the parent nameservers) are in the same Class C (technically, /24) address space, which means that they are probably at the same physical location. Your nameservers should be at geographically dispersed locations. You should not have all of your nameservers at the same location. RFC2182 3.1 goes into more detail about secondary nameserver location.

Please see here for full report.
http://www.dnsstuff.com/tool/dnsreport.ch?...566ee8e1cc66019
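
Added example, not part of the thread or written by any poster: the dig header quoted in post #5 for ns.pointstone.com already shows the `ra` (recursion available) flag behind the DNS Stuff "open DNS server" result in post #7, alongside the `AUTHORITY: 0` count asked about in post #1. The Python below parses those header lines, embedded as copied from post #5; the function names are made up for illustration, and `audit` assumes the queried server is meant to be authoritative-only.

```python
import re

# dig header lines copied from the two outputs quoted in post #5.
GTLD_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1049
;; flags: qr rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
"""
NS_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12745
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS_RE = re.compile(r"status:\s*(\w+)")
FLAGS_RE = re.compile(r"^;; flags:([^;]*);(.*)$", re.M)
COUNT_RE = re.compile(r"(QUERY|ANSWER|AUTHORITY|ADDITIONAL):\s*(\d+)")


def parse_dig_header(text):
    """Return status, flag set and section counts from dig's header lines."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    if not status or not flags:
        raise ValueError("no dig header found in input")
    counts = {k.lower(): int(v) for k, v in COUNT_RE.findall(flags.group(2))}
    return {"status": status.group(1), "flags": set(flags.group(1).split()), **counts}


def audit(text):
    """Observations for a reply from a server expected to be authoritative-only."""
    h = parse_dig_header(text)
    notes = []
    if h["status"] != "NOERROR":
        notes.append("status " + h["status"])
    if "aa" not in h["flags"]:
        notes.append("not authoritative (no aa flag)")
    if "ra" in h["flags"]:
        # Same condition DNS Stuff reports as "will do recursive lookups".
        notes.append("recursion offered (ra flag set)")
    if h.get("authority", 0) == 0:
        # What post #1 asks about; recorded as an observation only.
        notes.append("AUTHORITY section empty")
    return notes


if __name__ == "__main__":
    print("ns.pointstone.com:", audit(NS_REPLY))
    print("h.gtld-servers.net flags:", sorted(parse_dig_header(GTLD_REPLY)["flags"]))
```

To check a live server, pass the text of `dig @server zone SOA` to `audit` in place of the embedded sample.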