DNS Records Ignored

SYSTEM INFORMATION
OS type and version: Ubuntu 20.04
Webmin version: 1.984
Virtualmin version: Version 6.17 Pro
Related products version: Postfix 3.4.13

Hi guys,

I am sure this is a matter of “user error”, but I am stuck and need a fresh pair of eyes.

Situation:

I have the LE SSL setup on my server, and their verification confirms my domains are accessible. And I followed these very awesome instructions on your site to prep postfix for mail relay. I can reach my host’s default homepage at https://example.com

Problem 1
My DNS records aren’t being found when I attempt to validate my domain and set up SPF and/or Domain Keys/DKIM with the mailjet relay host.

So I used Vmin > Logs & Reports > Check Connectivity and it failed with the following error message:

Problem 2
Failed to check connectivity HTTP/1.1 503 Service Unavailable Verify that your DNS server is running, that software.virtualmin.com can be resolved, and that no firewall is blocking outgoing HTTP requests.

So, I checked bind9 with systemctl status bind9, and it was happily buzzing along, no errors.

Things I’ve investigated:
1.) I checked FirewallD, which said port 53 and all the other necessary ports were open.

2.) I verified that my vps firewall and Firewalld have identical settings.

3.) From my home computer I ran sudo nmap -p- XX.XXX.XX.XXX, and it too verified that the correct ports are open:

PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop3
143/tcp   open  imap
443/tcp   open  https
465/tcp   open  smtps
587/tcp   open  submission
993/tcp   open  imaps
995/tcp   open  pop3s
2222/tcp  open  EtherNetIP-1
10000/tcp open  snet-sensor-mgmt
20000/tcp open  dnp

Nmap done: 1 IP address (1 host up) scanned in 31.25 seconds

So at this point, I’m just plain confused.

Does anybody know what I am missing?

Thx

DNS mostly uses UDP, although it will revert to TCP in some specific cases. Make sure your firewall allows both.

@noisemarine Thanks for the tip. I’ve confirmed port 53 UDP is open in Firewalld and my vps firewall. However, when I run nmap it doesn’t show that port 53/UDP even exists. Contacted the hosting provider, let’s see what they say. Although I am surprised DNS didn’t switch to port 53/TCP as that is available… :face_with_monocle:

It would never do that, as TCP is only used for transfers, not queries.

What does

host software.virtualmin.com 127.0.0.1

say when ran in the terminal?

@toreskev TCP/UDP = DNS … noted. thx

Here’s the output of:

# host software.virtualmin.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

software.virtualmin.com has address 163.172.162.254

Just heard back from the service provider and they confirm that port 53/UDP is open.

$ sudo nmap XX.XXX.XXX.XXX  -sU -p 53
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-22 13:35 CST
Nmap scan report for XX.XX.XXX.XXX
Host is up (0.062s latency).

PORT   STATE SERVICE
53/udp open  domain

To possibly assist with troubleshooting, these are the DNS entries from my domain registrar.

OK, so you’re not using your Virtualmin server as DNS.
Then whether port 53 is open or not doesn’t matter.

From the screenshot the DKIM, SPF and DMARC records aren’t visible.
Did you add them at all here?

@toreskev

Allow me to ask a basic question as a DNS novice. If I re-create all of the DNS records currently listed in Virtualmin on my domain registrar’s DNS (adding DKIM, SPF and DMARC records, not yet added), plus the CNAME record… when I create additional virtual servers I should be able to give them the nameservers ns1.example.com and ns2.example.com, correct?

Yes, all of the records mentioned by Virtualmin should also be seen in the registrar’s panel.
After doing this you should also disable the “DNS domain enabled” under features for that domain, so as not to confuse Virtualmin when handling certificate requests and so on.

Correct, if you also create two A records with ns1 and ns2.maindomain pointing to your server, other domains you add later can use your server for DNS, provided they have the correct setup for nameservers at registrar level. :slight_smile:

@toreskev Thanks for your feedback… Road Block… my domain registrar won’t allow me to create SPF, DKIM, & DMARC without sacrificing the life of my first-born child as payment. :astonished: So, if I want email for my server (which I do) I need to figure out this port 53 bug.

UPDATE
I figured it out. My domain is now validated by mailjet.com. Instead of creating an SPF record directly, I had to create an SPF TXT record instead. My confusion came when I didn’t see an SPF record option and researched email services from my domain registrar. I still need to work out DMARC… but it shouldn’t be a problem… let’s see…

@toreskev
Thanks for your help.


Ah, yes, I forgot to mention that. All of those records are TXT records.
DKIM and DMARC should also be sorted out that way.

root@server: dig TXT _dmarc.domain.tld
_dmarc.domain.tld. 21600 IN TXT "v=DMARC1; p=quarantine; pct=100; ruf=mailto:postmaster@domain.tld; rua=mailto:postmaster@domain.tld"

It should look similar to this.
Just PM me the domain name if you want me to verify it :slight_smile:
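
The TXT-record point above, together with the “SPF TXT record instead” fix from a few posts earlier, as an added example that is not code from this thread or from Virtualmin: a small Python checker for the syntax of SPF and DMARC TXT strings before they are published at the registrar. The DMARC sample is the record shape shown above with its placeholder domain; the SPF sample and the name spf.example.net are assumed.

```python
import re

# Constructed sample records, not the output of a live DNS lookup: the DMARC
# string is the shape shown above; the SPF string is an assumed relay setup.
SAMPLE_DMARC = ("v=DMARC1; p=quarantine; pct=100; "
                "ruf=mailto:postmaster@domain.tld; rua=mailto:postmaster@domain.tld")
SAMPLE_SPF = "v=spf1 mx a include:spf.example.net -all"

def parse_dmarc(txt):
    """Split a DMARC TXT string ('tag=value; ...') into a lower-cased tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt):
    """Return a list of problems with a DMARC record; an empty list means OK."""
    tags, problems = parse_dmarc(txt), []
    if not txt.strip().lower().startswith("v=dmarc1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= is required and must be none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct= must be an integer from 0 to 100")
    for key in ("rua", "ruf"):  # aggregate / forensic report destinations
        uris = [u.strip() for u in tags.get(key, "").split(",") if u.strip()]
        if any(not u.lower().startswith("mailto:") for u in uris):
            problems.append(f"{key}= entries must be mailto: URIs")
    return problems

def check_spf(txt):
    """Return a list of problems with an SPF TXT record; an empty list means OK."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    # Drop the optional +/-/~/? qualifier and any :domain, /cidr or =value suffix.
    names = [re.split(r"[:/=]", t.lstrip("+-~?").lower(), maxsplit=1)[0] for t in terms[1:]]
    problems = []
    if names[-1:] not in (["all"], ["redirect"]):
        problems.append("record should end with an all mechanism such as -all or ~all")
    # These terms each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
    lookups = sum(n in {"include", "a", "mx", "ptr", "exists", "redirect"} for n in names)
    if lookups > 10:
        problems.append(f"{lookups} lookup terms; RFC 7208 allows at most 10")
    return problems
```

Both records are published as plain TXT at the domain (SPF at the apex, DMARC at _dmarc.domain.tld); the checker only validates the string, it does not query DNS.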

My registrar is verifying my DNS records. @toreskev, your help was invaluable in removing my road block. But before we conclude, I want to emphasize for a moment how important it is to resolve that port 53 UDP bug. When I couldn’t successfully reach the control panel following installation, I went to YouTube and started looking for installation guides… which led me to create duplicate DNS records with my registrar, even though I knew DNS records in 2 places is bad practice. I will use the CNAME strategy for the time being, but should I move email to an independent mail server, I see this as possibly popping back up as an issue.

In any case thanks for your help. Weekend Saved… :smiley:


But are you sure you’re actually having DNS issues?
Seeing as you are using your registrar’s nameservers (which is perfectly OK), as long as the records are added there and the feature disabled on that particular virtual server, everything should be working perfectly well.

@toreskev At the exact moment I disable all of the registrar DNS records in favor of my server’s DNS records… the panel, everything becomes inaccessible.

And you have changed the nameservers to point to your own server in the registrar panel?

If you mean, did I create “ns1.example.com” and “ns2.example.com” prior to my installation of Vmin Pro, the answer would be “no”, but also nothing I read in the documentation recommended doing this prior to installation.

My hosting provider does provide the option to create my own DNS server using “ns1.example.com” and “ns2.example.com”, but as a new user it isn’t readily apparent that I should perform this step prior to basic installation.

Perhaps a message on the installation script about internal/external DNS records would help?

If you mean, did I point my registrar’s DNS servers at “example.com” prior to install, the answer would be “yes”, as that is the minimum requirement from my hosting provider.

However, with my hosting provider there is a separate process/requirement if you want to use your own DNS server.