I have an internal domain, say example.com, in Windows AD DNS. I have created a sub-domain delegation, aws.example.com, with a glue record pointing to a BIND 9.8 instance in AWS (over site-to-site VPN).
The BIND instance has a single zone configured as a forward only (with forwarder) pointing to the AWS VPC subnet resolver which has an AWS Rt. 53 zone (aws.example.com) associated.
The problem is resolution is not functioning correctly, sometimes.... from my internal network if I dig or nslookup against the Windows DNS for hosts in the Rt. 53 zone, i get no answer (although I do see the query hitting BIND). If I then dig/nslookup against the BIND instance directly it works.
Now if I go back to the first step, dig/nslookup against Windows DNS, I do get successful resolution.
It's as if the initial dig/nslookup, which is coming via Windows DNS, isn't triggering the forward only behavior and the direct query is & then caching the answer.
Can anyone provide insight into what I've done wrong or how to change this behavior?
BIND config:
acl goodclients {
172.31.0.0/16;
192.168.0.0/16;
localhost;
localnets;
};
options {
directory "/var/cache/bind";
recursion yes;
allow-query { goodclients; };
forwarders {
172.31.0.2;
};
#forward only;
dnssec-enable yes;
dnssec-validation yes;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
querylog yes;
};
zone "aws.example.com" {
type forward;
forward only;
forwarders { 172.31.0.2; };
};
here's a sample of the fail-succeed-succeed sequence running queries to windows then bind then windows again from 2 different clients:
windows AD dns domain example.com
\_ subdomain aws.example.com —> NS 172.31.32.5 (bind instance in AWS )
\_ —> forwarding to:172.31.0.2 (aws VPC resolver IP) to Rt.53 associated zone
client 1:
user1#vfvps-server:~ #date
Wed Sep 14 14:18:41 EDT 2016
user1#vfvps-server:~ #nslookup
> lserver 192.168.4.147 <—————windows dns
Default server: 192.168.4.147
Address: 192.168.4.147#53
> server1.aws.example.com
Server: 192.168.4.147
Address: 192.168.4.147#53
** server can't find server1.aws.example.com: NXDOMAIN
> exit
client 2:
KWK-MAC:~ user1$ date
Wed Sep 14 14:19:29 EDT 2016
KWK-MAC:~ user1$ dig #172.31.32.5 server1.aws.example.com <—— 172.31.32.5 = bind
; <<>> DiG 9.8.3-P1 <<>> #172.31.32.5 server1.aws.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23154
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;server1.aws.example.com. IN A
;; ANSWER SECTION:
server1.aws.example.com. 300 IN A 172.31.14.41
client 1:
user1#vfvps-server:~ #date
Wed Sep 14 14:19:40 EDT 2016
user1#vfvps-server:~ #nslookup
> lserver 192.168.4.147
Default server: 192.168.4.147
Address: 192.168.4.147#53
> server1.aws.example.com
Server: 192.168.4.147
Address: 192.168.4.147#53
Non-authoritative answer:
Name: server1.aws.example.com
Address: 172.31.14.41
Windows DNS server configured with subdomain delegation will send iterative query to your BIND server. BIND will respond only if it is authoritative or from cache.
(you can try dig +norecurse server1.aws.example.com #172.31.32.5 and it will fail)
In your Windows DNS, you need to configure "Conditional Forwarder" for aws.example.com.
Related
A week ago, I decided to implement a cloudfront dirstribution for a static web hosting s3 bucket when setting up a CI/CD pipeline with Buddy. When changing this, I made sure to change my A and AAAA records in route 53 for my site, eckmantek.com, from their default to my distribution, which is d22tb0q1u7k32l.cloudfront.net. With this set up, I began using my pipeline, but I found that the domain kept serving my old version of the site, before I implemented cloudfront.
At first I thought it was just a matter of waiting for the dns to refresh, but it's been a week now.
When I manually check my s3 bucket, I see the latest build there, and if I navigate to the distribution directly, I can see the updated site as well. It's almost like the domain is being routed to a ghost bucket, like a hidden cache or something. Any help is welcome!
Not really a programming problem, but I'll give it a shot. My DNS lookup tells me that both your main domain eckmantek.com as well as d22tb0q1u7k32l.cloudfront.net return the same A-records, which is a good sign.
$ dig A eckmantek.com
; <<>> DiG 9.16.1-Ubuntu <<>> A eckmantek.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3984
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;eckmantek.com. IN A
;; ANSWER SECTION:
eckmantek.com. 60 IN A 18.66.2.121
eckmantek.com. 60 IN A 18.66.2.15
eckmantek.com. 60 IN A 18.66.2.17
eckmantek.com. 60 IN A 18.66.2.8
$ dig A d22tb0q1u7k32l.cloudfront.net
; <<>> DiG 9.16.1-Ubuntu <<>> A d22tb0q1u7k32l.cloudfront.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23164
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;d22tb0q1u7k32l.cloudfront.net. IN A
;; ANSWER SECTION:
d22tb0q1u7k32l.cloudfront.net. 60 IN A 18.66.2.121
d22tb0q1u7k32l.cloudfront.net. 60 IN A 18.66.2.15
d22tb0q1u7k32l.cloudfront.net. 60 IN A 18.66.2.8
d22tb0q1u7k32l.cloudfront.net. 60 IN A 18.66.2.17
That means traffic gets to CloudFront. Assuming that you've configured CloudFront correctly to use the S3 bucket as the origin, the problem may be that CloudFront caches the old site and the TTL is too long.
You can explicitly clear the cache in CloudFront using invalidations, but you have to pay for that.
Once you have done that, make sure to set a reasonable TTL.
If we check out the headers from your website, we can also see that caching seems to be disabled and the content hasn't been updated in a while:
$ curl -sD - https://eckmantek.com -o /dev/null
HTTP/2 200
content-type: text/html
content-length: 2051
last-modified: Fri, 22 Nov 2019 11:17:48 GMT
accept-ranges: bytes
server: AmazonS3
via: 1.1 a06e85a5c7853d2f85565a048a9d2609.cloudfront.net (CloudFront), 1.1 99d54fc6a14abf3079ffadd5aa7c99de.cloudfront.net (CloudFront)
x-amz-cf-pop: YTO50-C3
date: Wed, 17 Nov 2021 11:19:18 GMT
cache-control: public, must-revalidate, max-age=0
etag: "e8179ec55581b2082badf57315b368b8"
vary: Accept-Encoding
x-cache: RefreshHit from cloudfront
x-amz-cf-pop: TXL50-P1
x-amz-cf-id: ZlWuOHfa-TjS1tzL74oXFnRHaCfyPm118OhO5gOm6pXFIfOI1LdDeQ==
It's served from S3, but maybe you should check if it's using the correct S3 bucket.
As an aside: You should use an ALIAS-record or a CNAME record to point your domain to CloudFront, because the CloudFront IPs may change.
I have changed name server of mypleaks.com like 24 hours back but it is still not updated.
It's still giving me below name servers which is old:-
Name Server: ns-****.awsdns-**.org
Name Server: ns-***.awsdns-**.com
Name Server: ns-****.awsdns-**.co.uk
Name Server: ns-***.awsdns-**.net
then tested it and got this result on zonemaster
where it's giving three Errors like below:-
No common nameserver IP addresses between child.
Parent has nameserver(s) not listed at the child
None of the nameservers listed at the parent are listed at the child.
Your question is offtopic as not related to programming.
You are in a lame delegation case, the list of nameservers do not match at the registry and in your own.
If you query the parent zone, you get now:
$ dig #a.gtld-servers.net mypleaks.com NS +noall +nodnssec +auth
; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> #a.gtld-servers.net mypleaks.com NS +noall +nodnssec +auth
; (2 servers found)
;; global options: +cmd
mypleaks.com. 172800 IN NS ns-107.awsdns-13.com.
mypleaks.com. 172800 IN NS ns-613.awsdns-12.net.
mypleaks.com. 172800 IN NS ns-1069.awsdns-05.org.
mypleaks.com. 172800 IN NS ns-1710.awsdns-21.co.uk.
But if you query these nameservers they do not believe to be authoritative on your domain:
;; ANSWER SECTION:
mypleaks.com. 300 IN NS ns1.digitalocean.com.
mypleaks.com. 300 IN NS ns2.digitalocean.com.
mypleaks.com. 300 IN NS ns3.digitalocean.com.
So you need to go back to Amazon and make the configuration needed so that all these 4 nameservers (or others as provided by Amazon) are indeed authoritative for your domain (in which case the second reply will be the same as the first, which is currently not the case).
My objective is to setup site like noip/dyndns.
I have purchased domain ( say locations.com ). In my cpanel i have redirected that into a static ip (say 128.10.10.10)
I have created subdomain (say device.locations.com) and redirected it to a another static ip
(say 128.20.20.20). This is working fine.
How ever i wish to setup dynamic DNS service in device.locations.com (128.20.20.20)
I laredy installed bibd (version 9 in Centos 7)
Probluem is :
say I have a dynamic client. Which i registered as "serial001.device.locations.com" which is having ip ( 50.50.60.1 , which will change over the time)
if i issue "dig serial001.device.locations.com" in dns server (128.20.20.20/device.locations.com ) I'll get,
;; ANSWER SECTION:
serial001.device.locations.com. 10 IN A 50.50.60.1
However if i issue "dig serial001.device.locations.com" in other machine i am not getting any answer.
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52799
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
if i specifically say to use nameserver as above (i have pointed jayaruvandns.tk to 128.20.20.20)
dig #locationsdns.tk serial001.device.locations.com
;; ANSWER SECTION:
serial001.device.locations.com. 10 IN A 50.50.60.1
Can i know how can i fix this issue?
( I am really new to DNS )
I have followed below blog.
Original Post -Build your own DynDNS
My configuration was missing DNS record in my config file
You have to add these two DNS records to your example.com nameserver:
>dyn NS ns.example.com
>ns A 203.0.113.17
I'm trying to get an ALB/Node.js/socket.io solution working in its simplest form and I'm running into an issue where the handshake disconnects. At the moment, I am intentionally using only one node in the TargetGroup to eliminate variables related to node switching and session stickiness for now.
When connecting directly to the node via my NAT instance, it works fine. The disconnect only happens when going thru the ALB.
Here is what I have set up:
ALB with Listener HTTP 80 -> 8081 (no SSL)
2 AZs, both with routes to internet (as required for ALBs)
One socket.io EC2 node in one of the AZs
Path Pattern for /socket.io/* to socket.io target group (with my one node in it)
Default pattern is also socket.io target group
Stickiness Enabled (should not need for one node, but did it anyway)
Here is what I see in the socket.io node client:
Thu, 22 Dec 2016 20:59:26 GMT socket.io-client:manager opening ws://52.72.198.58
Thu, 22 Dec 2016 20:59:26 GMT engine.io-client:socket creating transport "websocket"
Thu, 22 Dec 2016 20:59:26 GMT engine.io-client:socket setting transport websocket
Thu, 22 Dec 2016 20:59:26 GMT socket.io-client:manager connect attempt will timeout after 20000
Thu, 22 Dec 2016 20:59:26 GMT engine.io-client:socket socket close with reason: "transport close"
And here is what I see on the socket.io node server:
Thu, 22 Dec 2016 20:59:26 GMT socket.io:socket joined room U_qmSv_7gvP_JOFsAAAL
Thu, 22 Dec 2016 20:59:26 GMT socket.io:client client close with reason transport close
Thu, 22 Dec 2016 20:59:26 GMT socket.io:socket closing socket - reason transport close
When I go thru my NAT to the same socket.io ec2 node, it all works with no transport closes.
So somehow the ALB is closing the connection immediately during a successful handshake.
Since it works via the NAT, I think the socket.io node and client are ok. And since I see the DEBUG entries in node, I know the ALB is able to reach the socket.io node ok. And since I only have one single socket.io node, there should be no issues with sessions and stickiness.
What could be contributing to the immediate disconnect when using ALB?
EDIT : I have also found that if the socket.io client making the request to the ELB is on an EC2 node, then it works. This implies something in the network path between the client and the ELB. I've yet to find a case where this works other than when the client is on an EC2. It works everywhere via the NAT, just not via the ELB.
After lots of trial and error, I was able to determine this was due to a specific port range (80-83) in my case for the port the ALB/ELB is listening on. While the HTTP portion of the handshake works, the second TCP upgrade phase disconnects.
There were no restrictions in the VPC related to this port range, so the issue is in the network between my client and the ELB.
In conclusion, the issue is not anything in AWS or how I had set up resources, it lies elsewhere outside AWS. If I find the exact cause I will post a comment back to this answer.
socket = io.connect("https://mywebsite/myroom",{'reconnect':true});
Increased the HeartbeatTimeout and the closeTimeout on initialization
socket.on('connect', function(){
socket.socket.heartbeatTimeout = 500000;
socket.socket.closeTimeout = 500000;
socket.on('disconnect', function() {
socketConnectTimeInterval = setInterval(function () {
socket.socket.reconnect();
if(socket.socket.connected) {
clearInterval(socketConnectTimeInterval);
console.log('reconnected');
location.reload();
}
}, 0);
});
});
Also increase the Idle Timeout on the Load Balancer in AWS
Hopefully that should prevent the timeout issue !
I have a site hosted on AWS and recently the site went down with NXDOMAIN error. The site was working before and the issue doesn't appear to be with the site as the Elastic Beanstalk direct link (xxxx-prod.elasticbeanstalk.com) is working fine.
In my Route53 I have a CNAME linking to my (xxxx-prod.elasticbeanstalk.com) and a SOA and 4 NS records supplied by AWS. xxxx is a placeholder for the actual site name. Running dig...
dig xxxx.com any
; <<>> DiG 9.8.3-P1 <<>> xxxx.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 63003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;xxxx.com. IN ANY
;; AUTHORITY SECTION:
com. 895 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1435723016 1800 900 604800 86400
;; Query time: 31 msec
;; SERVER: 64.71.255.204#53(64.71.255.204)
;; WHEN: Tue Jun 30 23:57:22 2015
;; MSG SIZE rcvd: 102
It looks like my NS records might be the issue but I am not sure. Can someone confirm.
TLDR: you need to contact your registar to figure out what's happening with the domains. You've left the domain in the question so I actually tried looking at what DNS was seeing for it.
Do you have an A record for your domain?
host vizibyl.com
Host vizibyl.com not found: 3(NXDOMAIN)
https://www.whois.net ->
Name Server: NS-1519.AWSDNS-61.ORG
Name Server: NS-1828.AWSDNS-36.CO.UK
Name Server: NS-228.AWSDNS-28.COM
Name Server: NS-544.AWSDNS-04.NET
Status: clientHold http://www.icann.org/epp#clientHold
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
http://www.icann.org/epp#clientHold
for clientHold:
This status code tells your domain's registry to not activate your domain in the DNS and as a consequence, it will not resolve. It is an uncommon status that is usually enacted during legal disputes, non-payment, or when your domain is subject to deletion.
Often, this status indicates an issue with your domain that needs resolution. If so, you should contact your registrar to resolve the issue. If your domain does not have any issues, but you need it to resolve, you must first contact your registrar and request that they remove this status code.