[SOLVED] Changing nameservers on a domain

Hey all,

I've registered a domain name on get.tech and I'm trying to change my name servers from the ones they provide to nsX.linode.com so I can use the linode DNS service. The issue I'm having is that when I run nslookup against my domain name I'm getting:

non-authoritative answer:
*** Can't find XXXXXX.tech: No answer

This non-authoritative answer is causing letsencrypt to not work or accept my domain name.

On the get.tech control panel, I've got my nameservers listed as:

ns1.linode.com
ns2.linode.com
ns3.linode.com
ns4.linode.com
ns5.linode.com

Is there something I need to do to get an authoritative answer?

Have you added the domain to the Linode control panel, so that their nameservers actually know that they are now responsible for that domain?

Yeah, I should have added that in there. I've got a zone set up with all the records I need.

I know very little about DNS, but at the very least I know that much.

When did you do it? It can take time to take effect.

About 20 hours ago. I know about TTL.

What happens if you query the Linode servers directly for your domain? Do you get the valid IP returned?

1 Like

When I do ssh [email protected] I can log into the VM the same as if I were to ssh [email protected], so the zone file appears to be working properly.

You beat me to my next question :p

2 Likes

Sounds like it's working. Does dig yourdomain any return results?

; <<>> DiG 9.10.4 <<>> kebrx.tech
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41287
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0,   ADDITIONAL: 0

;; QUESTION SECTION:
;kebrx.tech.            IN    A

;; ANSWER SECTION:
kebrx.tech.        11383    IN    A    192.155.92.143

;; Query time: 0 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Wed May 04 12:55:53 PDT 2016
;; MSG SIZE  rcvd: 44

Not sure what should be there, but that's what I get.

Well.. the structure should be

dig get.tech @a.root-servers.net 

; <<>> DiG 9.10.3-P4-Ubuntu <<>> get.tech @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5879
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;get.tech.            IN    A

;; AUTHORITY SECTION:
tech.            172800    IN    NS    d.nic.tech.
tech.            172800    IN    NS    c.nic.tech.
tech.            172800    IN    NS    b.nic.tech.
tech.            172800    IN    NS    a.nic.tech.

;; ADDITIONAL SECTION:
d.nic.tech.        172800    IN    A    108.59.161.6
d.nic.tech.        172800    IN    AAAA    2a02:e180:4::6
c.nic.tech.        172800    IN    A    185.38.99.6
c.nic.tech.        172800    IN    AAAA    2a02:e180:3::6
b.nic.tech.        172800    IN    A    185.24.64.60
b.nic.tech.        172800    IN    AAAA    2a04:2b00:13cc::1:60
a.nic.tech.        172800    IN    A    194.169.218.60
a.nic.tech.        172800    IN    AAAA    2001:67c:13cc::1:60

;; Query time: 549 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Wed May 04 21:57:06 CEST 2016
;; MSG SIZE  rcvd: 281

then

dig get.tech @d.nic.tech

; <<>> DiG 9.10.3-P4-Ubuntu <<>> get.tech @d.nic.tech
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19716
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;get.tech.            IN    A

;; AUTHORITY SECTION:
get.TECH.        3600    IN    NS    ns2.asoshared.com.
get.TECH.        3600    IN    NS    ns1.asoshared.com.

;; Query time: 152 msec
;; SERVER: 108.59.161.6#53(108.59.161.6)
;; WHEN: Wed May 04 21:58:00 CEST 2016
;; MSG SIZE  rcvd: 94

where now X.nic.tech should refer to x.linode.com ... how does that look for you?


Just did it for you:
dig kebrx.tech @a.root-servers.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> kebrx.tech @a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4651
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;kebrx.tech.            IN    A

;; AUTHORITY SECTION:
tech.            172800    IN    NS    d.nic.tech.
tech.            172800    IN    NS    c.nic.tech.
tech.            172800    IN    NS    b.nic.tech.
tech.            172800    IN    NS    a.nic.tech.

;; ADDITIONAL SECTION:
d.nic.tech.        172800    IN    A    108.59.161.6
d.nic.tech.        172800    IN    AAAA    2a02:e180:4::6
c.nic.tech.        172800    IN    A    185.38.99.6
c.nic.tech.        172800    IN    AAAA    2a02:e180:3::6
b.nic.tech.        172800    IN    A    185.24.64.60
b.nic.tech.        172800    IN    AAAA    2a04:2b00:13cc::1:60
a.nic.tech.        172800    IN    A    194.169.218.60
a.nic.tech.        172800    IN    AAAA    2001:67c:13cc::1:60

;; Query time: 920 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Wed May 04 21:59:54 CEST 2016
;; MSG SIZE  rcvd: 283


dig kebrx.tech @a.nic.tech

; <<>> DiG 9.10.3-P4-Ubuntu <<>> kebrx.tech @a.nic.tech
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39010
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;kebrx.tech.            IN    A

;; AUTHORITY SECTION:
kebrx.tech.        3600    IN    NS    ns1.linode.com.
kebrx.tech.        3600    IN    NS    ns2.linode.com.
kebrx.tech.        3600    IN    NS    ns3.linode.com.
kebrx.tech.        3600    IN    NS    ns4.linode.com.

;; Query time: 519 msec
;; SERVER: 194.169.218.60#53(194.169.218.60)
;; WHEN: Wed May 04 22:00:14 CEST 2016
;; MSG SIZE  rcvd: 121

dig kebrx.tech @ns1.linode.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> kebrx.tech @ns1.linode.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64234
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 11
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;kebrx.tech.            IN    A

;; ANSWER SECTION:
kebrx.tech.        86400    IN    A    192.155.92.143

;; AUTHORITY SECTION:
kebrx.tech.        86400    IN    NS    ns4.linode.com.
kebrx.tech.        86400    IN    NS    ns3.linode.com.
kebrx.tech.        86400    IN    NS    ns2.linode.com.
kebrx.tech.        86400    IN    NS    ns1.linode.com.
kebrx.tech.        86400    IN    NS    ns5.linode.com.

;; ADDITIONAL SECTION:
ns1.linode.com.        300    IN    A    162.159.27.72
ns1.linode.com.        300    IN    AAAA    2400:cb00:2049:1::a29f:1a63
ns2.linode.com.        300    IN    A    162.159.24.39
ns2.linode.com.        300    IN    AAAA    2400:cb00:2049:1::a29f:1827
ns3.linode.com.        300    IN    A    162.159.25.129
ns3.linode.com.        300    IN    AAAA    2400:cb00:2049:1::a29f:1981
ns4.linode.com.        300    IN    A    162.159.26.99
ns4.linode.com.        300    IN    AAAA    2400:cb00:2049:1::a29f:1b48
ns5.linode.com.        300    IN    A    162.159.24.25
ns5.linode.com.        300    IN    AAAA    2400:cb00:2049:1::a29f:1819

;; Query time: 82 msec
;; SERVER: 162.159.27.72#53(162.159.27.72)
;; WHEN: Wed May 04 22:00:30 CEST 2016
;; MSG SIZE  rcvd: 375

It looks perfectly fine; each step has the proper authoritative section

Dig record looks fine, it lists the proper name servers in your record. There shouldn't be an issue. Have you tried letsencrypt again?
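
The delegation walk in the posts above can be read off each response's header: the aa flag marks an authoritative answer, an empty answer with NS records in the authority section is a referral, and an answer without aa came from a resolver's cache (what nslookup labels non-authoritative). This is an added example, not part of the original thread; classify_dig is a hypothetical helper and the sample inputs are trimmed copies of the dig output quoted above.

```shell
# classify_dig: read one dig response on stdin and print which kind it is.
classify_dig() {
    awk '
    /->>HEADER<<-/ && match($0, /status: [A-Z]+/) { status = substr($0, RSTART + 8, RLENGTH - 8) }
    /^;; flags:/ {                   # ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, ...
        inflags = 1
        for (i = 3; i <= NF; i++) {
            f = $i
            if (inflags) {
                if (sub(/;$/, "", f)) inflags = 0   # last flag carries the ";"
                if (f == "aa") aa = 1
            } else if (f == "ANSWER:") answer = $(i + 1) + 0
        }
    }
    /^;; [A-Z]+ SECTION:/ { section = $2; next }
    section == "AUTHORITY" && $4 == "NS" { ns = ns (ns == "" ? "" : " ") $5 }
    END {
        if (status != "NOERROR") print "error " status
        else if (aa && answer)   print "authoritative-answer"
        else if (aa)             print "authoritative-nodata"
        else if (answer)         print "cached-answer"      # via a recursive resolver
        else if (ns != "")       print "referral " ns       # ask these servers next
        else                     print "empty"
    }'
}
# Sample inputs: trimmed copies of three responses quoted in the thread.
sample_resolver() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41287
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0,   ADDITIONAL: 0
;; ANSWER SECTION:
kebrx.tech.        11383    IN    A    192.155.92.143
EOF
}
sample_tld() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39010
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; AUTHORITY SECTION:
kebrx.tech.        3600    IN    NS    ns1.linode.com.
kebrx.tech.        3600    IN    NS    ns2.linode.com.
EOF
}
sample_auth() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64234
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 11
;; ANSWER SECTION:
kebrx.tech.        86400    IN    A    192.155.92.143
EOF
}
for s in sample_resolver sample_tld sample_auth; do echo "$s: $($s | classify_dig)"; done
```

Live output can be piped in the same way, for example dig kebrx.tech @a.nic.tech | classify_dig.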

1 Like

@Eden it worked now. Maybe propagation needed that extra few minutes. Odd, but problem solved.

Thanks to both of you.

1 Like

It's working fine... I would just recommend you to move ssh away from port 22; that little obscurity will save your machine from thousands of scripted port scans and login attempts a day.
A seasoned attacker will find your port (e.g. 22000) but the bots and skiddies don't do that.

Oh and use submission for your clients to submit mail to the server; port 25 is blocked on most networks for "users" as it's commonly abused for spam. My ISPs all block 25 outbound unless you request an exception.

fail2ban works well

1 Like

It does amazing.. but it has enough to do with sasl and 80, 443 so this little move saves me ~ 1000+ bans a day. - saves cpu time ^^

Good to know. I've got ssh root login disabled and user without-password, so it's a bit more secure, but I'll definitely be switching ports when the machine is up and running. I've only had this machine up for a few hours, so nuke and pave won't be an issue for me.

I'll be adding fail2ban soon, but for now, I'm just trying to get my mail server up and running.

1 Like

I really have to encourage you to switch to public/private key authentication - especially for the user(s) that can become root via sudo. If there is no need for other users having access to ssh (sftp is ftp over ssh) you should, when the ppki auth works, disable password login as a whole; but always! always! leave one ssh session alive in case you messed up so you can revert changes =)

For both Debian and Ubuntu I know there are great guides out there that are foolproof =)

2 Likes
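
One way to check the SSH advice in the posts above against a running server, as an added example that is not part of the original thread: audit_sshd is a hypothetical helper that reads the effective configuration printed by sshd -T, and both sample configurations are constructed (port 22000 is the example port mentioned above).

```shell
# audit_sshd: read `sshd -T` output (effective config, one "keyword value"
# pair per line) on stdin and print one finding per line.
audit_sshd() {
    awk '
    { key = tolower($1); val = tolower($2) }
    key == "port" && val == "22"    { port22 = 1 }   # Port may appear more than once
    key == "passwordauthentication" { pw = val }
    key == "pubkeyauthentication"   { pk = val }
    key == "permitrootlogin"        { root = val }
    # Keyboard-interactive (usually PAM) can still prompt for a password
    # after PasswordAuthentication is off; older releases call the same
    # switch ChallengeResponseAuthentication.
    key == "kbdinteractiveauthentication" || key == "challengeresponseauthentication" { kbd = val }
    END {
        if (port22)        print "WARN port: listening on 22"
        if (pk != "yes")   print "WARN pubkey: key authentication is not enabled"
        if (pw != "no")    print "WARN password: PasswordAuthentication is not off"
        if (kbd != "no")   print "WARN kbd-interactive: password prompts still possible"
        if (root == "yes") print "WARN root: password login as root allowed"
        # without-password is the older spelling of prohibit-password
        else if (root == "without-password" || root == "prohibit-password") print "INFO root: key-only root login allowed"
    }'
}

# Constructed samples: a fresh install, then the state the thread recommends.
sample_before() {
    printf '%s\n' 'port 22' 'permitrootlogin without-password' \
        'pubkeyauthentication yes' 'passwordauthentication yes' \
        'kbdinteractiveauthentication yes'
}
sample_after() {
    printf '%s\n' 'port 22000' 'permitrootlogin no' \
        'pubkeyauthentication yes' 'passwordauthentication no' \
        'kbdinteractiveauthentication no'
}

echo "before:"; sample_before | audit_sshd
echo "after:";  sample_after  | audit_sshd
```

On a live host the input would be sshd -T | audit_sshd, run as root from a second session so the first one stays open while settings change.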