nslookup looks for www.domainx.com.domainy.com and returns SERVFAIL

On the DNS server, I run nslookup, then do server localhost to make sure it queries itself. Asking it to find google.com works fine. Asking it to find domainX.net or DomainY.com (zones hosted locally on the internet webserver) returns this error:

www.domainX.net
;; Got SERVFAIL reply from 127.0.0.1, trying next server
;; Got SERVFAIL reply from 127.0.0.1, trying next server
Server:         localhost
Address:        127.0.0.1#53

** server can't find www.domainX.net.domainY.com: SERVFAIL

I guess it thinks those zones are part of the local domain, which means something is wrong in my configs. It should think that those are stand-alone domains.

Here's named.conf.local
 
// named.conf.local  (named.conf comments are //, # or /* */; a leading ';' is not a comment and is a syntax error)

zone "domainX.net" {
        type master;
        file "zones/domainX.net.zone";
};

zone "domainY.com" {
        type master;
        file "zones/domainY.com.zone";
};



Here is the zone file for domainX.net:
 
$TTL 3D
@       IN      SOA     domainX.net. root.domainX.net. (
                        199609206       ; serial, todays date + todays serial #
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds
                NS      ns1.domaindiscover.com.
                NS      ns2.domaindiscover.com.
                MX      10 domainX.net.  ; Primary Mail Exchanger
                TXT     "My Corporation 2"

localhost       A       127.0.0.1

domainX.net.     A  192.168.13.3
www             CNAME   domainX.net.
ftp             CNAME   domainX.net.
mail            CNAME   domainX.net.



Here is the zone file for domainY.com:
 
$TTL 3D
@       IN      SOA     domainY.com. kgoodwin.domainY.com. (
                        199609206       ; serial, todays date + todays serial #
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds
                NS      ns1.domaindiscover.com.
                NS      ns2.domaindiscover.com.
                MX      10 domainY.com.  ; Primary Mail Exchanger
                TXT     "My Corporation 1"

localhost       A       127.0.0.1

domainY.com.     A  192.168.13.3
www             CNAME   domainY.com.
ftp             CNAME   domainY.com.
mail            CNAME   domainY.com.



What's wrong?

DrDamnit asked:
jar3817 commented:
Do you have any views set up in bind? Can you paste your entire named.conf file please? When you start or restart named, look in /var/log/messages for errors.
0
DrDamnit (Author) commented:
Default setup. No views (that I know of) have been set up.

named.conf just has three include statements for the named.conf.local, the rfc one, and another one.
0
DrDamnit (Author) commented:
Here you go...

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";



Here's options:
 
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};



Here's default:
 
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};


0

jar3817 commented:
Is named running and listening for connections:

# netstat -anp | grep :53|grep LISTEN

Do you have UDP/53 allowed through iptables on the server?
0
DrDamnit (Author) commented:
Yes, it's running, and yes, iptables is configured properly.
0
Blaz commented:
After changing the DNS zone files did you increase the serial number?

Try to do nslookup for "www.domainX.net." - with the trailing dot.

0
DrDamnit (Author) commented:
Perhaps I didn't explain this well enough.

The two domains in question are websites. From the outside world, the DNS is fine because it resolves to the public IP address. However, internally on the LAN, that DNS won't work because the firewall doesn't allow you to "go out and come back in" (that's insecure).

So, I need the client machines to have www.domainx.com resolve to the local 192.168.x.x address when querying the domain via DNS on the local network.

Right now, it is treating the www.domainx.com query like a "you're looking for a computer that is part of the local network, aren't you?" query. As if I was on a windows.local domain. Not the case.

Does this clarify what I need?
0
DrDamnit (Author) commented:
This is starting to get frustrating! :-)

If I query the FQDN that is defined in the zone file, it is appending the domain of the mail server to the end of my query. Why is it doing that?

0
DrDamnit (Author) commented:
OK... I apparently fixed the appending a domain problem.

I had "search domainx.com" in /etc/resolv.conf. So, I deleted that line.

Now that that's fixed, it is just not finding the zone files properly?
0
DrDamnit (Author) commented:
Update. Once I removed the search domainx.com from /etc/resolv.conf, I saw in syslog that the zone file could not be loaded. Turned out to be a permissions problem. Fixed that, now it says there is a syntax error... working on that...
0
DrDamnit (Author) commented:
Turns out the fix was three things:

1. Remove "search domainx.com" from /etc/resolv.conf.
2. Use FULL PATHS in /etc/bind/named.conf.local. (I was using relative paths, and syslog was reporting it could not find the file.)
3. Change file permissions on the directory and the zone files so bind could access them.
0
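As an added example (not part of the original thread and not the asker's own files), the POSIX shell script below reproduces the two mechanisms behind the symptoms in this thread and wraps the checks that would have pinpointed the failure in one pass: how BIND joins a relative `file` path to `options { directory }` (with the posted `directory "/var/cache/bind"`, `zones/domainX.net.zone` is looked up under /var/cache/bind, not /etc/bind, which is why absolute paths fixed it), how the stub resolver's `search` list turns `www.domainX.net` into `www.domainX.net.domainY.com` (and why the trailing dot Blaz suggested bypasses the search list entirely), and the `named-checkzone`/`named-checkconf` plus permission checks for the third cause. The zone names come from the thread and the `bind` user from Debian's bind9 packaging; everything else is assumed.

```sh
#!/bin/sh
# Added example, not from the original thread. Assumes the Debian bind9 layout
# shown in the posted named.conf (directory "/var/cache/bind", named running as
# user "bind"); zone names are the thread's own.

# 1. A relative `file` in a zone statement is joined to `options { directory }`,
#    not to the directory holding named.conf. With directory "/var/cache/bind",
#    file "zones/domainX.net.zone" means /var/cache/bind/zones/domainX.net.zone,
#    which is why syslog reported the file missing and an absolute path fixed it.
bind_zone_path() {
    dir=$1
    file=$2
    case $file in
        /*) printf '%s\n' "$file" ;;
        *)  printf '%s/%s\n' "${dir%/}" "$file" ;;
    esac
}

# 2. How the stub resolver expands a query using resolv.conf `search` entries
#    (ndots defaults to 1). A name with at least ndots dots is tried as given
#    first, then with each search suffix appended; a name with fewer dots gets
#    the suffixes first and the bare name last. A trailing dot makes the name
#    absolute and skips the search list. nslookup applies the search list by
#    default ("set nosearch" turns it off); dig does not unless given +search.
search_candidates() {
    name=$1
    shift
    ndots=${NDOTS:-1}
    case $name in
        *.) printf '%s\n' "$name"; return 0 ;;
    esac
    stripped=$(printf '%s' "$name" | tr -d '.')
    dots=$(( ${#name} - ${#stripped} ))
    [ "$dots" -ge "$ndots" ] && printf '%s.\n' "$name"
    for suffix in "$@"; do
        printf '%s.%s.\n' "$name" "$suffix"
    done
    [ "$dots" -lt "$ndots" ] && printf '%s.\n' "$name"
    return 0
}

# 3. A zone that fails to load answers SERVFAIL, not NXDOMAIN, so validate the
#    zone file the way named does, then (as root) confirm the bind user can
#    traverse the directory and read the file: the permissions fix above.
check_zone() {
    zone=$1
    file=$2
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$zone" "$file" || return 1
    fi
    if [ "$(id -u)" -eq 0 ]; then
        su -s /bin/sh bind -c "test -x '$(dirname "$file")' && test -r '$file'" \
            || { echo "user bind cannot read $file" >&2; return 1; }
    fi
    return 0
}

# Stand-alone run: show both expansions, then validate the live config if present.
bind_zone_path /var/cache/bind zones/domainX.net.zone
search_candidates www.domainX.net domainY.com
search_candidates www.domainX.net. domainY.com
if command -v named-checkconf >/dev/null 2>&1; then
    named-checkconf -z /etc/bind/named.conf
fi
```

The practical takeaway matches the accepted answer: query the authoritative server with an absolute name (`dig @127.0.0.1 www.domainX.net.`) so the search list cannot rewrite the question, and treat SERVFAIL on a zone you host as "the zone did not load" (wrong path, unreadable file, or a syntax error that `named-checkconf -z` and `named-checkzone` will report) rather than as a resolution problem.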

DrDamnit (Author) commented:
Hello PAQ. This fixed it.
0