dns / soa query status refused

I did a major reorganization of my office last night and when I plugged everything back in for my webserver and double checked on the sites, they were all down.

I can only get to webmin using the IP address:10000.

When I do a lookup, it says domain not found. When I run a dns check the SOA record comes back with the REFUSED status.

I don’t recall changing anything in my Bind that would cause this. Any info would be helpful.


Well, it almost sounds as if BIND may not be running.

When you log into Virtualmin, it should display the "System Information" screen. On there is a link labeled "Status". When you click that, you should see a number of services – all of which should have a pretty little green check next to them (and not the evil red X!).

I suspect you’ll see the evil red X next to “BIND DNS Server” – if so, go ahead and try clicking the “Start BIND” button.

Hopefully after that it works fine – if not, you may need to look in the system logs and see if it’s generating any errors as it tries to start.

Thanks Eric.

I wonder if it comes down to DNS not being running when it comes time to repropagate on the net because now some of my email and websites are coming across while others are still down.

Would it be easier for me (since I just can’t seem to get my websites and email to stay up) to use a DNS service to do this instead of trying to do it with my static IP? I have never completely understood the whole DNS thing or what causes the problems.

It’s really frustrating to pay so much for an IP address that I can’t seem to set up properly.

Would it be easier for me (since I just can't seem to get my websites and email to stay up) to use a DNS service to do this instead of trying to do it with my static IP? I have never completely understood the whole DNS thing or what causes the problems.

Definitely not easier, since Virtualmin could no longer manage your DNS information for you. It might provide more reliable DNS service…but if your actual server is down, you can’t do anything with it anyway, so no point in having DNS.

I’m sure this is something simple. We just need to troubleshoot.

First up, use whois to find out what DNS servers the world thinks are “right” for your domain (hereinafter referred to as a “zone”, as that’s the level at which we’re talking with regard to whois). Look for the section labeled “Domain servers in listed order” or similar. All of the servers listed must have accurate records for your zone, or you will see intermittent failures…if any of those servers are not configured appropriately for providing name service for your zone, you need to remove them from the list. This is done at your registrar (GoDaddy, Gandi, Verisign, etc. whoever you registered your domain with).

Next up check to be sure they’re all answering with the right data:

host example.com ns1.another.com

Where “example.com” is your domain name (we’re no longer talking about zones, since we’re looking up single names), and ns1.another.com is one of the name servers listed in the whois step. Does it return accurate information quickly? If not, it’s gotta be fixed, or removed from the NS list at your registrar.

Next up, make sure the NS records for your zone match what is being served by the registrar:

host -t ns example.com ns1.another.com

You want to see a list of the exact same name servers shown in the whois lookup. If not, you’ll need to fix it in the BIND module. I can walk you through that if there’s a problem.

DNS is pretty simple once you grok the basic concepts…but a lot of folks lose the ball when it hits the registrar. The key issue is that there always has to be a sane path from “the Internet” to “your box”, and any distractions or incorrect data is going to throw a wrench into the picture. Once you understand that “the Internet” only knows about one set of DNS servers (the “root” name servers) and they only know what name servers are authoritative for zones, and that’s the tiny thread that holds the whole system together…it should become clear that that thread and all of the servers it winds its way through have to have correct data or the end user goes off the path and gets lost. OK, that analogy stretched a little too far.

Just make sure the path from the world to your server’s door is well-marked, and DNS won’t keep tripping you up, I promise. :wink:

Also, if you’d like to let us know an example of a domain that is having problems, I can walk through those above steps for you, and point out where/if things are going wrong.
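As an added example (not from this thread or from Virtualmin), here is a small Python script that applies the check above offline: it takes the NS list that whois shows for the zone, parses the text output of `host -t ns ZONE SERVER` from each of those servers, and reports which ones answer REFUSED or serve a different NS set. The zone `example.com`, the `ns1`..`ns3` servers, the 192.0.2.x addresses and the replies are all constructed sample data.

```python
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# Matches one answer line of `host -t ns ZONE SERVER`, e.g.
#   example.com name server ns1.example.com.
NS_LINE = re.compile(r"^(\S+?)\.? name server (\S+?)\.?$", re.MULTILINE)
# Matches host's failure line, e.g.  Host example.com not found: 5(REFUSED)
FAIL_LINE = re.compile(r"not found: \d+\((\w+)\)")

# Constructed sample data (not real lookups): the NS list whois/the registrar
# shows for the zone, and what each of those servers replied when asked directly.
DELEGATED_NS = ["ns1.example.com", "ns2.example.com", "ns3.example.com"]
SAMPLE_REPLIES: Dict[str, str] = {
    "ns1.example.com": "Using domain server:\nName: ns1.example.com\nAddress: 192.0.2.1#53\n\n"
                       "example.com name server ns1.example.com.\n"
                       "example.com name server ns2.example.com.\n"
                       "example.com name server ns3.example.com.\n",
    # BIND is down or not configured for the zone on this host: the REFUSED case
    "ns2.example.com": "Using domain server:\nName: ns2.example.com\nAddress: 192.0.2.2#53\n\n"
                       "Host example.com not found: 5(REFUSED)\n",
    # Stale zone copy: its apex NS set no longer matches the registrar's list
    "ns3.example.com": "Using domain server:\nName: ns3.example.com\nAddress: 192.0.2.3#53\n\n"
                       "example.com name server ns1.example.com.\n"
                       "example.com name server ns3.example.com.\n",
}

def parse_host_ns(output: str) -> Tuple[Set[str], Optional[str]]:
    """Return (NS names answered, rcode); rcode is None when the query succeeded."""
    failed = FAIL_LINE.search(output)
    if failed:
        return set(), failed.group(1)
    return {ns.lower() for _zone, ns in NS_LINE.findall(output)}, None

def check_delegation(delegated: Iterable[str], replies: Dict[str, str]) -> Dict[str, str]:
    """Verdict per delegated server: 'ok', the rcode it returned, or 'mismatch ...'."""
    expected = {ns.lower() for ns in delegated}
    verdicts: Dict[str, str] = {}
    for server in delegated:
        served, rcode = parse_host_ns(replies[server])
        if rcode:
            # Not answering for the zone: start/fix BIND there or drop it from the NS list
            verdicts[server] = f"{rcode} (not serving the zone: fix BIND or remove it at the registrar)"
        elif served != expected:
            # Every delegated server must hand back exactly the registrar's NS list
            verdicts[server] = (f"mismatch (missing {sorted(expected - served)}, "
                                f"extra {sorted(served - expected)})")
        else:
            verdicts[server] = "ok"
    return verdicts
```

Running `check_delegation(DELEGATED_NS, SAMPLE_REPLIES)` on the sample marks ns1 ok, ns2 REFUSED and ns3 as a mismatch missing ns2.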

Okay, this is a lot easier to understand.

I think one of my problems is that I only have 1 IP address so I think I have to use editdns for a second dns server.

Can I use just one?

You can use just 1. I have that on my backup server.
However, at the registrar you need to fill in two.

What I did is, fill in:
ns1.domain.net 123.456.789.123 (the nameserver)
sv02.domain.net 123.456.789.123 (the hostname)

The registrar can only register the ns1.domain.net which is fine.
In the local zone file, thus on the server, I created A records for both the nameserver and the hostname.

Can I use just one?

Technically, no, if you want to be RFC compliant. But realistically, lots of people do. Some registrars will refuse to allow it, however…so it’s up to them.

As I mentioned, the reason DNS is supposed to be on two systems is for reliability–one goes down, you don’t want to lose everything. But, that assumes that “everything” includes multiple physical servers. In the case of single-server environments, which a lot of us have, losing that server means everything is gone anyway, so no point in having DNS service for a bunch of services that are already offline.

DNS has always been hard to understand for me. I was thrown off though because one of my sites was up and running while all the rest were down.

The reason it was up was because I had set up my DNS zone defaults to allow transfers on just that site. It was definitely an AHA moment.

Since I’ve changed my main nameserver configuration for ns1.ekmb.net, ns2.ekmb.net, etc (which my websites have always been pointed to) to look at the one IP address now everything is fine on every single site now! woo hoo :slight_smile:

I was almost ready to ditch Virtualmin altogether and just get a reseller account with someone else because I was so frustrated. I’m glad I asked here first… Thanks all!

If someone is getting a similar error:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id:

manually edit /etc/named.conf and in the options class add:

allow-recursion {
This will allow the server to answer queries on every IP on the system