Bind9 not resolving external domains

Hello EE,

I have just fired up what will be one of my two nameservers, and it seems to be resolving my domain name inside and outside of my network... Perfect!! Just as I want.

But it cannot seem to resolve external domain names. I haven't adjusted anything in the root zone, apart from asking it to re-download the root nameservers.

I was hoping to use root-hints to resolve external DNS rather than just setting up forwarders.
nammit-manAsked:

PapertripCommented:
All you should need is the following in named.conf, but pointing to where named.ca actually lives on your system.  The file could be named anything really, just look for zone "."
zone "." IN {
        type hint;
        file "named.ca";
};


That being said, there are a few things that could be causing this aside from that.  Please post your named.conf and any includes.
nammit-manAuthor Commented:
named.conf
// prime the server with knowledge of the root servers
zone "."  {
	type hint;
	file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};


named.conf.options
options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	auth-nxdomain no;
	listen-on-v6 { any; };
	recursion yes;
	forwarders {
		0.0.0.0;
		};
	forward first;
};


named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "mydomain.net" {
	type master;
	file "/var/lib/bind/mydomain.net.hosts";
	};


named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
	type hint;
	file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};


PapertripCommented:
First remove the following
forwarders {
		0.0.0.0;
		};
	forward first;


Secondly make sure that /etc/bind/db.root exists and is readable by whatever user is running named.
nammit-manAuthor Commented:
That code has been removed.

The db.root file exists and it is populated with the root nameservers from the InterNIC FTP server.

Still no joy though. If it's any help, I'm using Webmin to administrate this server.
mateojaime07Commented:
Not sure if it helps, but I used the forwarders to pass any unresolved DNS requests to my ISP's DNS servers if there was no A record for the request. So instead of 0.0.0.0 I would use the IP of my ISP's name server. I will try to look back at my records and see if I can find an example. Hope this helps.

Thanks,
Matthew
http://mjddesign.wordpress.com
PapertripCommented:
Did you reload the config or restart named after the change?

What does the following show
dig @localhost google.com +trace
dig . ns 
named-checkconf

nammit-manAuthor Commented:
Uh oh, BIND failed to start after saving the config and trying to restart the service!!
PapertripCommented:
That's ok, probably just missed a semi-colon or something.  Run named-checkconf and see what errors it gives, also check your logs for any messages of why it didn't start.  If your named.conf is not in /etc then you will need to tell named-checkconf where to look, e.g. named-checkconf /var/named.conf.  Paste the output here.
nammit-manAuthor Commented:
OK, I figured that out; I just needed to close the statement with a };

When I run the dig commands for google.com, it looks like the server is able to resolve google.com.

But when I enter the address of my DNS server on my XP machine, I am unable to resolve host names.
PapertripCommented:
Paste the dig results from the commands I asked you to run earlier please.  Also run named-checkconf again now that your config is fixed and make sure there is no output, and paste if there is.
PapertripCommented:
But when i enter the address of my dns server in my xp machine, i am unable to resolve host names.

I thought you said you were able to resolve properly internally?  Do you mean local hostnames that you have DNS records for, or internet hostnames? Please explain what is working and what is not, because we could be barking up the wrong tree here.  I've never seen a problem with root hints before, so I've been suspicious of that being the problem since the start.  Posting command outputs and config files is always helpful.
nammit-manAuthor Commented:
> dig @localhost google.com +trace

; <<>> DiG 9.7.3 <<>> @localhost google.com +trace
; (1 server found)
;; global options: +cmd
.			518027	IN	NS	j.root-servers.net.
.			518027	IN	NS	l.root-servers.net.
.			518027	IN	NS	m.root-servers.net.
.			518027	IN	NS	h.root-servers.net.
.			518027	IN	NS	f.root-servers.net.
.			518027	IN	NS	e.root-servers.net.
.			518027	IN	NS	a.root-servers.net.
.			518027	IN	NS	b.root-servers.net.
.			518027	IN	NS	k.root-servers.net.
.			518027	IN	NS	c.root-servers.net.
.			518027	IN	NS	i.root-servers.net.
.			518027	IN	NS	d.root-servers.net.
.			518027	IN	NS	g.root-servers.net.
;; Received 316 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
;; Received 488 bytes from 199.7.83.42#53(l.root-servers.net) in 73 ms

google.com.		172800	IN	NS	ns2.google.com.
google.com.		172800	IN	NS	ns1.google.com.
google.com.		172800	IN	NS	ns3.google.com.
google.com.		172800	IN	NS	ns4.google.com.
;; Received 164 bytes from 192.12.94.30#53(e.gtld-servers.net) in 22 ms

google.com.		300	IN	A	173.194.34.104
google.com.		300	IN	A	173.194.34.97
google.com.		300	IN	A	173.194.34.100
google.com.		300	IN	A	173.194.34.99
google.com.		300	IN	A	173.194.34.110
google.com.		300	IN	A	173.194.34.96
google.com.		300	IN	A	173.194.34.103
google.com.		300	IN	A	173.194.34.102
google.com.		300	IN	A	173.194.34.101
google.com.		300	IN	A	173.194.34.105
google.com.		300	IN	A	173.194.34.98
;; Received 204 bytes from 216.239.34.10#53(ns2.google.com) in 24 ms 


> dig . ns 

; <<>> DiG 9.7.3 <<>> . ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39898
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 6

;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			517973	IN	NS	k.root-servers.net.
.			517973	IN	NS	i.root-servers.net.
.			517973	IN	NS	h.root-servers.net.
.			517973	IN	NS	e.root-servers.net.
.			517973	IN	NS	f.root-servers.net.
.			517973	IN	NS	c.root-servers.net.
.			517973	IN	NS	a.root-servers.net.
.			517973	IN	NS	b.root-servers.net.
.			517973	IN	NS	d.root-servers.net.
.			517973	IN	NS	m.root-servers.net.
.			517973	IN	NS	j.root-servers.net.
.			517973	IN	NS	l.root-servers.net.
.			517973	IN	NS	g.root-servers.net.

;; ADDITIONAL SECTION:
i.root-servers.net.	604373	IN	A	192.36.148.17
i.root-servers.net.	604373	IN	AAAA	2001:7fe::53
j.root-servers.net.	604373	IN	A	192.58.128.30
j.root-servers.net.	604373	IN	AAAA	2001:503:c27::2:30
l.root-servers.net.	604746	IN	A	199.7.83.42
l.root-servers.net.	604746	IN	AAAA	2001:500:3::42

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Apr  8 19:54:21 2012
;; MSG SIZE  rcvd: 360


Having a little trouble with the named-checkconf command, but when I run the check config command in Webmin it reports that the config files are OK.
nammit-manAuthor Commented:
When I set my XP test machine up to use my BIND server, it resolved mydomain.net and www.mydomain.net etc...

But it will not resolve anything outside of my network say google.com
PapertripCommented:
updating.
nammit-manAuthor Commented:
updating?
PapertripCommented:
Yeah I wrote something but then saw your 2nd reply and wanted to edit it.  Speaking of that, I just edited it and hit submit but you already posted a new comment so it said denied :p  Time to write it again (in a separate reply)
PapertripCommented:
External resolution from the nameserver appears to be fine, so that is good.

What does 'nslookup yahoo.com' show from your XP machine?  Were any other DNS servers listed in the host's network config?  Have you tried using your nameserver on any other client machine?

Since you have a vanilla named.conf (and insecure if it's listening on the internet but that's a different question/answer) all hosts should be able to query your server since the default is allow all and you have not modified that value from what I've seen.
nammit-manAuthor Commented:
From the XP machine nslookup yahoo.com says ...

unknown. query refused.

Same response from a windows 7 machine.
PapertripCommented:
Ah yes I think I know what it is now.  Let's fix that along with adding a bit of security.

Here are some of the security related options I have for my servers.  The important parts here are allow-query-cache and allow-recursion, and this goes into the global options section of named.conf.  Having just localhost and localnets like I do might not be suited for your environment; instead, using CIDR masks of your internal networks might be best.  Refer to the links below for the different options.

	version "6.6.6";
	allow-query { any; };
	allow-query-cache { localhost; localnets; };
	recursion yes;
	allow-recursion { localhost; localnets; };
	allow-transfer { none; };


http://www.zytrax.com/books/dns/ch7/queries.html#allow-query
http://www.zytrax.com/books/dns/ch7/queries.html#allow-query-cache
http://www.zytrax.com/books/dns/ch7/queries.html#allow-recursion

Let me know if anything is unclear.

nammit-manAuthor Commented:
Whereabouts do I put these statements?
PapertripCommented:
Sorry this editing feature doesn't work well when we are replying so quickly.  I added to my last reply that these go into the global options section of named.conf where you removed that code from earlier.
nammit-manAuthor Commented:
BIND won't start again, so I guess I have messed this up somewhere

        auth-nxdomain no;
        listen-on-v6 { any; };
        recursion yes;
        version "6.6.6";
        allow-query     { any; };
        allow-query-cache { localhost; 213.121/16; };
        recursion yes;
        allow-recursion { localhost; 213.121/16; };
        allow-transfer { none; };

PapertripCommented:
Whenever named fails to start after making config changes just run named-checkconf and check your logs.  9/10 times the reason for named not starting back up after editing the config is a missing curly brace and/or semi-colon.
nammit-manAuthor Commented:
Looking back, that makes perfect sense. named-checkconf says...

/etc/bind/named.conf.options:23: 'recursion' redefined near 'recursion'

On looking at the conf file I could see that recursion was defined twice. Having removed one, it looks to be working perfectly now :)

You sir are a star!!
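The two failures Papertrip diagnosed in this thread (the 0.0.0.0 placeholder left in forwarders, and the duplicate recursion statement that named-checkconf reported as 'recursion' redefined) plus the access-control settings from the accepted fix can be checked mechanically before restarting named. The linter below is an added example written for this page; it is not part of the thread and not BIND's own tooling. It parses only the options { ... } block, encodes the BIND defaults named in its comments (recursion on by default, allow-recursion falling back to localnets/localhost, the 9.7-era allow-transfer default of any), and the three sample configs are constructed from the options block and fragments posted above.

```python
"""Lint the options { ... } block of a BIND 9 named.conf for the mistakes in this thread.

Added example, not BIND's own tooling: it mimics one named-checkconf check
('recursion' redefined) and adds policy checks named-checkconf does not make.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    severity: str  # "error": named will not start or the server is an open resolver
    message: str


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    return re.sub(r"#[^\n]*", "", text)


def options_block(conf: str) -> Optional[str]:
    """Return the text between the braces of 'options { ... }', or None."""
    text = strip_comments(conf)
    m = re.search(r"\boptions\s*\{", text)
    if m is None:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return None  # unbalanced braces: the classic missing '};'


def split_statements(body: str) -> List[str]:
    """Split on ';' at brace depth 0 so lists like { a; b; } stay whole."""
    stmts, cur, depth = [], [], 0
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            stmts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return [s for s in stmts if s]


def address_list(value: str) -> Optional[List[str]]:
    """Turn '{ localhost; 213.121/16; }' into ['localhost', '213.121/16']."""
    if "{" not in value or "}" not in value:
        return None
    inner = value[value.index("{") + 1 : value.rindex("}")]
    return [item.strip() for item in inner.split(";") if item.strip()]


def lint_options(conf: str) -> List[Finding]:
    body = options_block(conf)
    if body is None:
        return [Finding("error", "no options { ... } block found, or braces are unbalanced")]
    findings: List[Finding] = []
    seen: Dict[str, str] = {}
    for stmt in split_statements(body):
        parts = re.split(r"\s+", stmt, maxsplit=1)
        keyword, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if keyword in seen:  # what named-checkconf reports as "'recursion' redefined"
            findings.append(Finding("error", f"'{keyword}' redefined"))
        seen[keyword] = value

    forwarders = address_list(seen.get("forwarders", ""))
    if forwarders and any(ip in ("0.0.0.0", "::") for ip in forwarders):
        findings.append(Finding("error", "forwarders contains the 0.0.0.0 placeholder: "
                                "delete the block to use root hints, or list real resolvers"))
    if "forward" in seen and not forwarders:
        findings.append(Finding("warning", "'forward' is set but no forwarders are listed"))

    # BIND defaults: recursion yes; allow-recursion { localnets; localhost; } (9.4 and later).
    if seen.get("recursion", "yes") == "yes":
        allow_rec = address_list(seen.get("allow-recursion", ""))
        allow_cache = address_list(seen.get("allow-query-cache", ""))
        if allow_rec is None:
            findings.append(Finding("warning", "recursion yes without allow-recursion: defaults to "
                                    "{ localnets; localhost; }, so clients on other subnets get REFUSED"))
        elif "any" in allow_rec or (allow_cache and "any" in allow_cache):
            findings.append(Finding("error", "open resolver: recursion or cache access allowed from any"))

    if address_list(seen.get("allow-transfer", "")) is None:
        findings.append(Finding("warning", "no allow-transfer: BIND 9.7-era default allows AXFR to any host; "
                                "set { none; } or your secondary's address"))
    return findings


# Constructed samples, modelled on the options block and fragments posted in the thread.
ORIGINAL_OPTIONS = """options {
    directory "/var/cache/bind";
    // forwarders {
    //     0.0.0.0;
    // };
    auth-nxdomain no;
    listen-on-v6 { any; };
    recursion yes;
    forwarders {
        0.0.0.0;
        };
    forward first;
};"""
BROKEN_OPTIONS = """options {
    directory "/var/cache/bind";
    auth-nxdomain no;
    listen-on-v6 { any; };
    recursion yes;
    version "6.6.6";
    allow-query     { any; };
    allow-query-cache { localhost; 213.121/16; };
    recursion yes;
    allow-recursion { localhost; 213.121/16; };
    allow-transfer { none; };
};"""
FIXED_OPTIONS = BROKEN_OPTIONS.replace("    recursion yes;\n    allow-recursion", "    allow-recursion", 1)

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_OPTIONS), ("broken", BROKEN_OPTIONS), ("fixed", FIXED_OPTIONS)):
        print(name, [(f.severity, f.message) for f in lint_options(conf)] or "clean")
```

On a real server call lint_options on the contents of /etc/bind/named.conf.options; it complements named-checkconf, which validates syntax only, and does not replace it.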
PapertripCommented:
Happy to help.  Everything working as expected now?
nammit-manAuthor Commented:
It is indeed! Just setting up the secondary now, which I'm hoping shouldn't be so tricky.

BIND has been a little bit of a learning curve, as has Linux itself. But I believe it's the way I need to be going!
nammit-manAuthor Commented:
This guy knows his stuff!!! And couldn't have been any more helpful considering I am fairly new to the Linux world!