Having trouble delegating a subdomain to a custom nameserver

Hi, I’m sorry for bothering you with what is perhaps something trivial, but I’ve been banging my head against the wall for many hours now and still can’t figure out what I’m doing wrong.

On my personal server, I want to have a DynDNS.org-like service – that is, a Raspberry Pi can periodically ping the service with the current public IP address assigned to my home network, and the service will keep a record up-to-date, so that no matter how often my home IP address changes, the record will always point to the correct address.

I got such a service running at ddns.milanvit.net and set to manage the ns.milanvit.net subdomain (just to be clear – ddns.milanvit.net is called to update the IP address, and ns.milanvit.net holds all the dynamic records), so all that was left was to delegate a subdomain to this nameserver. I created the following records:

  • Type: NS, name: ns, value: ddns.milanvit.net
  • Type: A, name: ddns, value: <ipv4-address-of-my-server>
  • Type: AAAA, name: ddns, value: <ipv6-address-of-my-server>

But even after disabling DNSSEC (after things did not work immediately, I suspected that perhaps having the apex domain protected by DNSSEC but this particular subdomain not protected would cause issues) and waiting overnight for the records to propagate, I only have partial success. Please have a look:

$ dig @1.1.1.1 +short ns.milanvit.net NS
localhost. # incorrect
$ dig @8.8.8.8 +short ns.milanvit.net NS
localhost. # incorrect
$ dig @1.1.1.1 +short ddns.milanvit.net A
<correct IPv4 address>
$ dig @1.1.1.1 +short ddns.milanvit.net AAAA
<correct IPv6 address>
$ dig @1.1.1.1 +short <subdomain>.ns.milanvit.net
<SOMEHOW correct IPv4 address from my custom DDNS server>
$ dig @8.8.8.8 +short <subdomain>.ns.milanvit.net
<now that I’m writing this, it’s also correct but it definitely wasn’t 5 minutes ago>

So it’s like… the end result works, I suppose, I can query my home IP address by querying the proper subdomain. But I have no idea why the first two dig queries return localhost as an answer, I’d expect ddns.milanvit.net to be the correct answer. What am I doing wrong?

(Apologies for (very poorly) censoring the dig outputs, I hope that it’s still clear what the problem is and what is correct.)

Apologies for the bump, but even after another day of waiting (in case this was just a DNS propagation issue), the problem remains the same. For some reason, ns.milanvit.net always resolves to localhost..

Sorry, I meant to reply to you a few hours ago but it completely slipped my mind.

Let me understand. You have a DDNS service running at ddns., where you ping and say server.ns. has IP address 192.2.0.1, correct?

I believe the issue is that the DNS authoritative server is replying that as SOA. It’s not really a matter of Cloudflare’s DNS replies here… never done that specific thing myself, so can’t really confirm.

I have an additional question though, why not simply update Cloudflare’s DNS via the API directly? It would be way easier and less overhead for you…

Let me understand. You have a DDNS service running at ddns., where you ping and say server.ns. has IP address 192.2.0.1, correct?

Exactly. I mean, I’m pinging it with my public IP, not the private, but yes, that’s the idea! For example, dig @ddns.milanvit.net +short <subdomain>.ns.milanvit.net returns the correct IP address for my home network.

I believe the issue is that the DNS authoritative server is replying that as SOA. It’s not really a matter of Cloudflare’s DNS replies here… never done that specific thing myself, so can’t really confirm.

I see! I was wondering if the SOA record could have something to do with it, but that’s one record type I fail to understand… And it doesn’t seem like it’s configurable in Cloudflare’s dashboard either. And the result of dig ns.milanvit.net very much looks like SOA is the problem, doesn’t it?

$ dig ns.milanvit.net
; <<>> DiG 9.10.6 <<>> ns.milanvit.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40866
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;ns.milanvit.net.               IN      A

;; AUTHORITY SECTION:
ns.milanvit.net.        1800    IN      SOA     localhost. root.localhost. 75 3600 900 604800 86400

;; Query time: 282 msec
;; SERVER: 2405:6584:85a0:8f00:cc3:d86e:f78a:e612#53(2405:6584:85a0:8f00:cc3:d86e:f78a:e612)
;; WHEN: Wed Apr 22 09:37:51 JST 2020
;; MSG SIZE  rcvd: 118

I went according to this official document, and really thought that what I’m trying to do is possible…

I have an additional question though, why not simply update Cloudflare’s DNS via the API directly? It would be way easier and less overhead for you…

Good question! It’s just that I manage all the DNS records not in Cloudflare’s admin panel, but in a GitHub repository in the form of Terraform code. So if I wanted to do this “the clean way” by updating my Terraform code, suddenly the task would turn from “simply call Cloudflare’s API” to “pull repo, create a branch, modify, commit, push, open PR, wait for Atlantis to trigger Terraform Cloud, approve PR, wait for Atlantis to apply it and merge” :scream: I mean, I get that I could (probably – that’s assuming Terraform would not try to destroy the unknown record on every run) just manage this one single record outside of my Terraform codebase… but my OCD screams a bit at the thought :sweat_smile:

Ah, sorry, it seems I can’t edit my replies (yet?) but I definitely wanted to react to this part:

Sorry, I meant to reply to you a few hours ago but it completely slipped my mind.

Please don’t worry about that! I’m happy for your time, answer and suggestions!

1 Like

Your nameserver at ddns.milanvit.net is misconfigured. Currently, it only seems to know one zone: localhost.. Your Cloudflare configuration is fine; ddns.milanvit.net just doesn’t know that it’s responsible for ns.milanvit.net.. It looks like you’re running BIND 9.11.5; you’ll need to consult the documentation for configuring BIND9.

2 Likes
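For readers hitting the same symptom, here is a minimal BIND 9 configuration that makes the delegated server authoritative for the subzone, so the AUTHORITY section stops showing the built-in localhost. SOA. This is an added example, not the thread’s or docker-ddns’s own configuration; the file paths, key name, serial number and the secret placeholder are assumptions.

```conf
// --- named.conf fragment (added example; paths and key name are assumptions) ---

// TSIG key used to sign dynamic updates; generate a real secret with tsig-keygen.
key "ddns-update-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder, never commit a real one
};

// Declare the delegated zone. Without a stanza like this, named serves only its
// built-in "localhost." zone, which is exactly the SOA the dig output above shows.
zone "ns.milanvit.net" {
    type master;
    file "/var/lib/bind/ns.milanvit.net.zone";
    // Accept record updates only when they are signed with the key above;
    // an unrestricted allow-update would let anyone rewrite the zone.
    allow-update { key "ddns-update-key"; };
};

; --- /var/lib/bind/ns.milanvit.net.zone (initial contents; serial is an assumption) ---
$ORIGIN ns.milanvit.net.
$TTL 60
@       IN  SOA  ddns.milanvit.net. hostmaster.milanvit.net. (
                 2020042201 ; serial
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 60 )       ; negative-caching TTL, kept short for dynamic records
; The NS name matches the delegation record at Cloudflare. Because ddns.milanvit.net
; lies outside this zone, its A/AAAA glue stays in the parent zone, as already set up.
@       IN  NS   ddns.milanvit.net.
```

After reloading named, dig @ddns.milanvit.net ns.milanvit.net SOA +norecurse should answer with the aa flag set and an MNAME of ddns.milanvit.net. instead of localhost.; if it still returns localhost., the zone stanza was not loaded (check named-checkconf and the named log).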

@Zenexer I see! Thank you very much :bowing_man: I’m actually running a pre-packaged/pre-configured DNS server (https://github.com/dprandzioch/docker-ddns), so I’ll have a look if other people hit this issue, and possibly replace the server with another pre-packaged Docker solution. Thank you so much!
