  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2033

Bind9 not resolving external domains

Hello EE,

I have just fired up what will be one of my two nameservers, and it seems to be resolving my domain name inside and outside of my network... Perfect!! Just as I want.

But it cannot seem to resolve external domain names. I haven't adjusted anything in the ROOT zone, apart from asking it to re-download the root nameservers.

I was hoping to use root hints to resolve external DNS rather than just setting up forwarders.
Asked by nammit-man

1 Solution

Papertrip commented:
All you should need is the following in named.conf, but pointing to where named.ca actually lives on your system.  The file could be named anything really, just look for zone "."
zone "." IN {
        type hint;
        file "named.ca";
};

That being said, there are a few things that could be causing this aside from that.  Please post your named.conf and any includes.

nammit-man (Author) commented:
named.conf
// prime the server with knowledge of the root servers
zone "."  {
	type hint;
	file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};

named.conf.options
options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	auth-nxdomain no;
	listen-on-v6 { any; };
	recursion yes;
	forwarders {
		0.0.0.0;
		};
	forward first;
};

named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "mydomain.net" {
	type master;
	file "/var/lib/bind/mydomain.net.hosts";
	};

named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
	type hint;
	file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};

Papertrip commented:
First, remove the following:
forwarders {
		0.0.0.0;
		};
	forward first;

Secondly make sure that /etc/bind/db.root exists and is readable by whatever user is running named.

nammit-man (Author) commented:
That code has been removed.

The db.root file exists and it is populated with the root name servers from the InterNIC FTP server.

Still no joy though. If it's any help, I'm using Webmin to administrate this server.

mateojaime07 commented:
Not sure if it helps, but I used the forwarders to pass any unresolved DNS requests to my ISP DNS servers if there was no A record for the request. So instead of 0.0.0.0 I would use the IP of my ISP name server. I will try to look back at my records and see if I can find an example. Hope this helps.

Thanks,
Matthew
http://mjddesign.wordpress.com

Papertrip commented:
Did you reload the config or restart named after the change?

What does the following show?
dig @localhost google.com +trace
dig . ns 
named-checkconf

nammit-man (Author) commented:
Uh oh, bind failed to start after saving the config and trying to restart the service!!

Papertrip commented:
That's ok, probably just missed a semi-colon or something.  Run named-checkconf and see what errors it gives, also check your logs for any messages of why it didn't start.  If your named.conf is not in /etc then you will need to tell named-checkconf where to look, e.g. named-checkconf /var/named.conf.  Paste the output here.

nammit-man (Author) commented:
Ok, I figured that out, I just needed to close the statement with a };

When I run the dig commands to google, it looks like the server is able to resolve google.com.

But when I enter the address of my DNS server in my XP machine, I am unable to resolve host names.

Papertrip commented:
Paste the dig results from the commands I asked you to run earlier please.  Also run named-checkconf again now that your config is fixed and make sure there is no output, and paste if there is.

Papertrip commented:
"But when i enter the address of my dns server in my xp machine, i am unable to resolve host names."

I thought you said you were able to resolve properly internally?  Do you mean local hostnames that you have DNS records for or internet hostnames? Please explain what is working and what is not because we could be barking up the wrong tree here.  I've never seen a problem with root hints before so I've been suspicious of that being the problem since the start.  Posting command outputs and config files are always helpful.

nammit-man (Author) commented:
> dig @localhost google.com +trace

; <<>> DiG 9.7.3 <<>> @localhost google.com +trace
; (1 server found)
;; global options: +cmd
.			518027	IN	NS	j.root-servers.net.
.			518027	IN	NS	l.root-servers.net.
.			518027	IN	NS	m.root-servers.net.
.			518027	IN	NS	h.root-servers.net.
.			518027	IN	NS	f.root-servers.net.
.			518027	IN	NS	e.root-servers.net.
.			518027	IN	NS	a.root-servers.net.
.			518027	IN	NS	b.root-servers.net.
.			518027	IN	NS	k.root-servers.net.
.			518027	IN	NS	c.root-servers.net.
.			518027	IN	NS	i.root-servers.net.
.			518027	IN	NS	d.root-servers.net.
.			518027	IN	NS	g.root-servers.net.
;; Received 316 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
;; Received 488 bytes from 199.7.83.42#53(l.root-servers.net) in 73 ms

google.com.		172800	IN	NS	ns2.google.com.
google.com.		172800	IN	NS	ns1.google.com.
google.com.		172800	IN	NS	ns3.google.com.
google.com.		172800	IN	NS	ns4.google.com.
;; Received 164 bytes from 192.12.94.30#53(e.gtld-servers.net) in 22 ms

google.com.		300	IN	A	173.194.34.104
google.com.		300	IN	A	173.194.34.97
google.com.		300	IN	A	173.194.34.100
google.com.		300	IN	A	173.194.34.99
google.com.		300	IN	A	173.194.34.110
google.com.		300	IN	A	173.194.34.96
google.com.		300	IN	A	173.194.34.103
google.com.		300	IN	A	173.194.34.102
google.com.		300	IN	A	173.194.34.101
google.com.		300	IN	A	173.194.34.105
google.com.		300	IN	A	173.194.34.98
;; Received 204 bytes from 216.239.34.10#53(ns2.google.com) in 24 ms 


> dig . ns 

; <<>> DiG 9.7.3 <<>> . ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39898
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 6

;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			517973	IN	NS	k.root-servers.net.
.			517973	IN	NS	i.root-servers.net.
.			517973	IN	NS	h.root-servers.net.
.			517973	IN	NS	e.root-servers.net.
.			517973	IN	NS	f.root-servers.net.
.			517973	IN	NS	c.root-servers.net.
.			517973	IN	NS	a.root-servers.net.
.			517973	IN	NS	b.root-servers.net.
.			517973	IN	NS	d.root-servers.net.
.			517973	IN	NS	m.root-servers.net.
.			517973	IN	NS	j.root-servers.net.
.			517973	IN	NS	l.root-servers.net.
.			517973	IN	NS	g.root-servers.net.

;; ADDITIONAL SECTION:
i.root-servers.net.	604373	IN	A	192.36.148.17
i.root-servers.net.	604373	IN	AAAA	2001:7fe::53
j.root-servers.net.	604373	IN	A	192.58.128.30
j.root-servers.net.	604373	IN	AAAA	2001:503:c27::2:30
l.root-servers.net.	604746	IN	A	199.7.83.42
l.root-servers.net.	604746	IN	AAAA	2001:500:3::42

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Apr  8 19:54:21 2012
;; MSG SIZE  rcvd: 360

Having a little trouble with the check conf command, but when I run the check conf command in Webmin it reports that the config files are OK.

nammit-man (Author) commented:
When I set my XP test machine up to use my bind server, it resolved mydomain.net and www.mydomain.net etc...

But it will not resolve anything outside of my network, say google.com.

Papertrip commented:
updating.

nammit-man (Author) commented:
updating?

Papertrip commented:
Yeah I wrote something but then saw your 2nd reply and wanted to edit it.  Speaking of that, I just edited it and hit submit but you already posted a new comment so it said denied :p  Time to write it again (in a separate reply)

Papertrip commented:
External resolution from the nameserver appears to be fine, so that is good.

What does 'nslookup yahoo.com' show from your XP machine?  Were any other DNS servers listed in the host's network config?  Have you tried using your nameserver on any other client machine?

Since you have a vanilla named.conf (and an insecure one if it's listening on the internet, but that's a different question/answer) all hosts should be able to query your server, since the default is allow all and you have not modified that value from what I've seen.

nammit-man (Author) commented:
From the XP machine nslookup yahoo.com says ...

unknown. query refused.

Same response from a windows 7 machine.

Papertrip commented:
Ah yes I think I know what it is now.  Let's fix that along with adding a bit of security.

Here are some of the security related options I have for my servers.  The important parts here are allow-query-cache and allow-recursion, and this goes into the global options section of named.conf.  Having just localhost and localnets like I do might not be suited for your environment; instead, using CIDR masks of your internal networks might be best.  Refer to the links below for the different options.

        version "6.6.6";
        allow-query     { any; };
        allow-query-cache { localhost; localnets; };
        recursion yes;
        allow-recursion { localhost; localnets; };
        allow-transfer { none; };

http://www.zytrax.com/books/dns/ch7/queries.html#allow-query
http://www.zytrax.com/books/dns/ch7/queries.html#allow-query-cache
http://www.zytrax.com/books/dns/ch7/queries.html#allow-recursion

Let me know if anything is unclear.

nammit-man (Author) commented:
Whereabouts do I put these statements?

Papertrip commented:
Sorry this editing feature doesn't work well when we are replying so quickly.  I added to my last reply that these go into the global options section of named.conf where you removed that code from earlier.

nammit-man (Author) commented:
Bind won't start again, so I guess I have messed this up somewhere

        auth-nxdomain no;
        listen-on-v6 { any; };
        recursion yes;
        version "6.6.6";
        allow-query     { any; };
        allow-query-cache { localhost; 213.121/16; };
        recursion yes;
        allow-recursion { localhost; 213.121/16; };
        allow-transfer { none; };

Papertrip commented:
Whenever named fails to start after making config changes just run named-checkconf and check your logs.  9/10 times the reason for named not starting back up after editing the config is a missing curly brace and/or semi-colon.

nammit-man (Author) commented:
Looking back that makes perfect sense. Check config says...

/etc/bind/named.conf.options:23: 'recursion' redefined near 'recursion'

On looking at the conf file I could see that recursion was defined twice, so I removed one. It looks to be working perfectly now :)

You sir are a star!!
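
An added lint (example code, written for this page; it is not from the thread or from BIND) that reads an options block and flags the three things that went wrong above: a placeholder 0.0.0.0 forwarder, an option defined twice (the 'recursion' redefined error named-checkconf reported), and recursion enabled without allow-recursion and allow-query-cache restricted the way Papertrip suggested. The two option blocks embedded in it are constructed samples modelled on the ones posted in this thread.

```python
import re

# Constructed sample (not a verbatim copy of the thread's file): the options block
# with the defects it went through: placeholder forwarders, 'recursion' twice.
SAMPLE_OPTIONS = """
options {
    listen-on-v6 { any; };
    recursion yes;
    forwarders { 0.0.0.0; };
    recursion yes;
    allow-query { any; };
};
"""

# Constructed block modelled on Papertrip's suggestion: queries open, recursion
# and cache access limited to localhost and the local networks.
FIXED_OPTIONS = """
options {
    recursion yes;
    allow-query { any; };
    allow-query-cache { localhost; localnets; };
    allow-recursion { localhost; localnets; };
    allow-transfer { none; };
};
"""

def lint_options(text):
    # drop /* */ and // or # comments before looking at the statements
    src = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    src = re.sub(r"(//|#).*", "", src)
    findings = []
    if src.count("{") != src.count("}"):
        findings.append("unbalanced braces (named-checkconf would fail)")
    m = re.search(r"options\s*\{(.*)\}\s*;", src, flags=re.S)
    body = m.group(1) if m else src
    # each statement: name, optional scalar value, optional { ... } block, then ';'
    stmts = re.findall(r"^\s*([a-z0-9-]+)\s*([^;{]*?)\s*(\{[^}]*\})?\s*;", body, flags=re.M)
    seen = {}
    for name, value, block in stmts:
        seen.setdefault(name, []).append((value, block))
    for name, vals in seen.items():
        if len(vals) > 1:
            findings.append(f"'{name}' redefined ({len(vals)} times)")
    if any("0.0.0.0" in blk for _, blk in seen.get("forwarders", [])):
        findings.append("forwarders contains placeholder 0.0.0.0")
    if any(v == "yes" for v, _ in seen.get("recursion", [])):
        for opt in ("allow-recursion", "allow-query-cache"):
            if opt not in seen or "any" in seen[opt][0][1]:
                findings.append(f"recursion yes but {opt} is unrestricted")
    return findings
```

Run lint_options on the text of named.conf.options before restarting named; an empty list means none of the defects seen in this thread are present, while named-checkconf remains the authority on syntax.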

Papertrip commented:
Happy to help.  Everything working as expected now?

nammit-man (Author) commented:
It is indeed! Just setting up the secondary now, which I'm hoping shouldn't be so tricky.

Bind has been a little bit of a learning curve, as has Linux itself. But I believe it's the way I need to be going!

nammit-man (Author) commented:
This guy knows his stuff!!! And couldn't have been any more helpful considering I am fairly new to the Linux world!