[NCLUG] ns errors
Stephen Warren
swarren at wwwdotorg.org
Fri Jul 6 11:59:57 MDT 2007
Matt wrote:
> Hi,
>
> I found a site to check my server (www.dnsstuff.com) and it offers a
> free check for things like open relays and what not. A couple of
> NS errors it found are shown below. I'm using no-ip.com to point to my
> machine (I have a dynamic IP). Are these really problems and is there
> a way to get more info about them? Also, are these problems something
> I'm doing wrong or do I need to talk to no-ip?

Where is your domain registered? Do you control registration, or no-ip?

If you control it, then if you can, you probably want to add
ns4.no-ip.com and ns5.no-ip.com into the list of NS servers for your
domain. That should clear up most of the issues. Note that if you do
this, you should check with no-ip.com that they want those other servers
listed there; for example, dyndns.org provides something like 5 servers
total for me, but requires a specific subset be listed if I can't list
all of them.

However, my guess is that you can't do that - If I Recall Correctly, my
registrar only allows me to list 3 of the 5 name-servers for my domain,
so I'm probably in the same situation as you.

Otherwise, assuming no-ip.com is clueful and keeps the data on all those
servers nicely in sync, I suspect you can just ignore all these
"problems"; they mostly indicate that bad things can happen *if* the
multiple servers are out-of-sync, which should never happen, since
no-ip.com should manage them all as one, and keep them in sync.

The only thing I might want to track down is item 2; why dnsstuff.com
thinks some of your multiple servers might be the same machine. Maybe
the tests are flawed. Maybe no-ip.com failed over one of their NS
machines' records for another temporarily due to maintenance. Maybe
there's a real issue...

>
> Thanks,
>
> Matt
>
>
> 1) FAIL: You have one or more missing (stealth) nameservers.
>
> The following nameserver(s) are listed (at your nameservers) as
> nameservers for your domain, but are not listed at the parent
> nameservers (therefore, they may or may not get used, depending on
> whether your DNS servers return them in the authority section for
> other requests, per RFC2181 5.4.1). You need to make sure that these
> stealth nameservers are working; if they are not responding, you may
> have serious problems! The DNSreport will not query these servers, so
> you need to be very careful that they are working properly.
>
> ns4.no-ip.com.
> ns5.no-ip.com.
> This is listed as an ERROR because there are some cases where nasty
> problems can occur (if the TTLs vary from the NS records at the root
> servers and the NS records point to your own domain, for example).
>
> 2) WARNING: Although you have at least 2 NS records, they may both point
> to the same server (one of our two tests shows them being the same,
> the other does not), which would result in a single point of
> failure. You are required to have at least 2 nameservers per RFC 1035
> section 2.2.
>
> 3) Your DNS servers leak stealth information in non-NS requests:
>
> Stealth nameservers are leaked [ns4.no-ip.com.]!
> Stealth nameservers are leaked [ns5.no-ip.com.]!
>
> This can cause some serious problems (especially if there is a TTL
> discrepancy). If you must have stealth NS records (NS records listed
> at the authoritative DNS servers, but not the parent DNS servers), you
> should make sure that your DNS server does not leak the stealth NS
> records in response to other queries.
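The stealth-nameserver and same-server findings quoted above come down to comparing the NS set held at the parent with the NS set the zone's own servers return. The following is an added example, not part of the original thread, that runs those comparisons offline; the domain, server names, TTLs and addresses are constructed placeholders, not no-ip.com data.

```python
from collections import defaultdict

# Constructed dig-style records: PARENT is the delegation, CHILD the zone's own answer.
PARENT = """\
example.com. 172800 IN NS ns1.example.net.
example.com. 172800 IN NS ns2.example.net.
example.com. 172800 IN NS ns3.example.net.
"""
CHILD = """\
example.com. 86400 IN NS ns1.example.net.
example.com. 86400 IN NS ns2.example.net.
example.com. 86400 IN NS ns3.example.net.
example.com. 86400 IN NS ns4.example.net.
example.com. 86400 IN NS ns5.example.net.
ns1.example.net. 3600 IN A 192.0.2.1
ns2.example.net. 3600 IN A 192.0.2.2
ns3.example.net. 3600 IN A 192.0.2.2
ns4.example.net. 3600 IN A 192.0.2.4
"""

def parse(text):
    """Return ({ns_name: ttl}, {host: address}) from dig-style lines."""
    ns, addr = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN":
            continue  # skip blanks, comments and malformed lines
        owner, ttl, _, rtype, rdata = fields
        if rtype == "NS":
            ns[rdata.lower()] = int(ttl)
        elif rtype == "A":
            addr[owner.lower()] = rdata
    return ns, addr

def audit(parent_text, child_text):
    parent_ns, _ = parse(parent_text)
    child_ns, addr = parse(child_text)
    by_ip = defaultdict(list)
    for name in sorted(n for n in child_ns if n in addr):
        by_ip[addr[name]].append(name)
    return {
        "stealth": sorted(set(child_ns) - set(parent_ns)),      # report item 1
        "parent_only": sorted(set(parent_ns) - set(child_ns)),  # delegated but not served
        "ttl_mismatch": sorted(n for n in parent_ns if n in child_ns and parent_ns[n] != child_ns[n]),
        "shared_ip": {ip: names for ip, names in by_ip.items() if len(names) > 1},  # item 2
    }

if __name__ == "__main__":
    print(audit(PARENT, CHILD))
```

With real data, the two inputs would be the NS answers obtained from a parent-zone server and from one of the zone's listed nameservers.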