Solved

Bind9 not resolving external domains

Posted on 2012-04-08
1,706 Views
Last Modified: 2012-04-08
Hello EE,

I have just fired up what will be one of my two nameservers, and it seems to be resolving my domain name inside and outside of my network... Perfect!! Just as I want.

But it cannot seem to resolve external domain names; I haven't adjusted anything in the ROOT zone, apart from asking it to re-download the root nameservers.

I was hoping to use root-hints to resolve external DNS rather than just setting up forwarders.
Question by:nammit-man
27 Comments
 
LVL 21

Expert Comment

by:Papertrip
ID: 37821215
All you should need is the following in named.conf, but pointing to where named.ca actually lives on your system.  The file could be named anything really, just look for zone "."
zone "." IN {
        type hint;
        file "named.ca";
};



That being said, there are a few things that could be causing this aside from that.  Please post your named.conf and any includes.
 

Author Comment

by:nammit-man
ID: 37821233
named.conf
// prime the server with knowledge of the root servers
zone "."  {
	type hint;
	file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};



named.conf.options
options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	auth-nxdomain no;
	listen-on-v6 { any; };
	recursion yes;
	forwarders {
		0.0.0.0;
	};
	forward first;
};




named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "mydomain.net" {
	type master;
	file "/var/lib/bind/mydomain.net.hosts";
};



named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
	type hint;
	file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};

 
LVL 21

Expert Comment

by:Papertrip
ID: 37821240
First remove the following
forwarders {
		0.0.0.0;
		};
	forward first;



Secondly make sure that /etc/bind/db.root exists and is readable by whatever user is running named.
 

Author Comment

by:nammit-man
ID: 37821265
That code has been removed.

The db.root file exists and it is populated with the root nameservers from the InterNIC FTP server.

Still no joy though. If it's any help, I'm using Webmin to administrate this server.
 
LVL 1

Expert Comment

by:mateojaime07
ID: 37821277
Not sure if it helps, but I used the forwarders to pass any unresolved DNS requests to my ISP's DNS servers if there was no A record for the request. So instead of 0.0.0.0 I would use the IP of my ISP name server. I will try to look back at my records and see if I can find an example. Hope this helps.

Thanks,
Matthew
http://mjddesign.wordpress.com
 
LVL 21

Expert Comment

by:Papertrip
ID: 37821288
Did you reload the config or restart named after the change?

What does the following show?
dig @localhost google.com +trace
dig . ns 
named-checkconf

 

Author Comment

by:nammit-man
ID: 37821582
Uh oh, bind failed to start after saving the config and trying to restart the service!!
 
LVL 21

Expert Comment

by:Papertrip
ID: 37821599
That's ok, probably just missed a semi-colon or something.  Run named-checkconf and see what errors it gives, also check your logs for any messages of why it didn't start.  If your named.conf is not in /etc then you will need to tell named-checkconf where to look, e.g. named-checkconf /var/named.conf.  Paste the output here.
 

Author Comment

by:nammit-man
ID: 37821616
OK, I figured that out; I just needed to close the statement with a };

When I run the dig commands to google, it looks like the server is able to resolve google.com.

But when I enter the address of my DNS server in my XP machine, I am unable to resolve host names.
 
LVL 21

Expert Comment

by:Papertrip
ID: 37821618
Paste the dig results from the commands I asked you to run earlier please.  Also run named-checkconf again now that your config is fixed and make sure there is no output, and paste if there is.
 
LVL 21

Expert Comment

by:Papertrip
ID: 37821623
But when I enter the address of my DNS server in my XP machine, I am unable to resolve host names.

I thought you said you were able to resolve properly internally? Do you mean local hostnames that you have DNS records for, or internet hostnames? Please explain what is working and what is not, because we could be barking up the wrong tree here. I've never seen a problem with root hints before, so I've been suspicious of that being the problem since the start. Posting command outputs and config files is always helpful.
 

Author Comment

by:nammit-man
ID: 37821629
> dig @localhost google.com +trace

; <<>> DiG 9.7.3 <<>> @localhost google.com +trace
; (1 server found)
;; global options: +cmd
.			518027	IN	NS	j.root-servers.net.
.			518027	IN	NS	l.root-servers.net.
.			518027	IN	NS	m.root-servers.net.
.			518027	IN	NS	h.root-servers.net.
.			518027	IN	NS	f.root-servers.net.
.			518027	IN	NS	e.root-servers.net.
.			518027	IN	NS	a.root-servers.net.
.			518027	IN	NS	b.root-servers.net.
.			518027	IN	NS	k.root-servers.net.
.			518027	IN	NS	c.root-servers.net.
.			518027	IN	NS	i.root-servers.net.
.			518027	IN	NS	d.root-servers.net.
.			518027	IN	NS	g.root-servers.net.
;; Received 316 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
;; Received 488 bytes from 199.7.83.42#53(l.root-servers.net) in 73 ms

google.com.		172800	IN	NS	ns2.google.com.
google.com.		172800	IN	NS	ns1.google.com.
google.com.		172800	IN	NS	ns3.google.com.
google.com.		172800	IN	NS	ns4.google.com.
;; Received 164 bytes from 192.12.94.30#53(e.gtld-servers.net) in 22 ms

google.com.		300	IN	A	173.194.34.104
google.com.		300	IN	A	173.194.34.97
google.com.		300	IN	A	173.194.34.100
google.com.		300	IN	A	173.194.34.99
google.com.		300	IN	A	173.194.34.110
google.com.		300	IN	A	173.194.34.96
google.com.		300	IN	A	173.194.34.103
google.com.		300	IN	A	173.194.34.102
google.com.		300	IN	A	173.194.34.101
google.com.		300	IN	A	173.194.34.105
google.com.		300	IN	A	173.194.34.98
;; Received 204 bytes from 216.239.34.10#53(ns2.google.com) in 24 ms 


> dig . ns 

; <<>> DiG 9.7.3 <<>> . ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39898
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 6

;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			517973	IN	NS	k.root-servers.net.
.			517973	IN	NS	i.root-servers.net.
.			517973	IN	NS	h.root-servers.net.
.			517973	IN	NS	e.root-servers.net.
.			517973	IN	NS	f.root-servers.net.
.			517973	IN	NS	c.root-servers.net.
.			517973	IN	NS	a.root-servers.net.
.			517973	IN	NS	b.root-servers.net.
.			517973	IN	NS	d.root-servers.net.
.			517973	IN	NS	m.root-servers.net.
.			517973	IN	NS	j.root-servers.net.
.			517973	IN	NS	l.root-servers.net.
.			517973	IN	NS	g.root-servers.net.

;; ADDITIONAL SECTION:
i.root-servers.net.	604373	IN	A	192.36.148.17
i.root-servers.net.	604373	IN	AAAA	2001:7fe::53
j.root-servers.net.	604373	IN	A	192.58.128.30
j.root-servers.net.	604373	IN	AAAA	2001:503:c27::2:30
l.root-servers.net.	604746	IN	A	199.7.83.42
l.root-servers.net.	604746	IN	AAAA	2001:500:3::42

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Apr  8 19:54:21 2012
;; MSG SIZE  rcvd: 360



Having a little trouble with the checkconf command, but when I run the check config command in Webmin it reports that the config files are OK.
 

Author Comment

by:nammit-man
ID: 37821632
When I set my XP test machine up to use my bind server, it resolved mydomain.net and www.mydomain.net etc...

But it will not resolve anything outside of my network, say google.com.
 
LVL 21

Expert Comment

by:Papertrip
ID: 37821633
updating.
 

Author Comment

by:nammit-man
ID: 37821636
updating?
 
LVL 21

Expert Comment

by:Papertrip
ID: 37821640
Yeah, I wrote something but then saw your 2nd reply and wanted to edit it. Speaking of that, I just edited it and hit submit, but you already posted a new comment so it said denied :p  Time to write it again (in a separate reply).
 
LVL 21

Expert Comment

by:Papertrip
ID: 37821645
External resolution from the nameserver appears to be fine, so that is good.

What does 'nslookup yahoo.com' show from your XP machine? Were any other DNS servers listed in the host's network config? Have you tried using your nameserver on any other client machine?

Since you have a vanilla named.conf (and insecure if it's listening on the internet but that's a different question/answer) all hosts should be able to query your server since the default is allow all and you have not modified that value from what I've seen.
 

Author Comment

by:nammit-man
ID: 37821648
From the XP machine, nslookup yahoo.com says...

unknown. query refused.

Same response from a windows 7 machine.
 
LVL 21

Accepted Solution

by:
Papertrip earned 500 total points
ID: 37821655
Ah yes I think I know what it is now.  Let's fix that along with adding a bit of security.

Here are some of the security related options I have for my servers.  The important parts here are allow-query-cache and allow-recursion and this goes into the global options section of named.conf.  Having just localhost and localnets like I do might not be suited for your environment, instead using CIDR masks of your internal networks might be best.  Refer to the links below for the different options.

        version "6.6.6";
        allow-query     { any; };
        allow-query-cache { localhost; localnets; };
        recursion yes;
        allow-recursion { localhost; localnets; };
        allow-transfer { none; };



http://www.zytrax.com/books/dns/ch7/queries.html#allow-query
http://www.zytrax.com/books/dns/ch7/queries.html#allow-query-cache
http://www.zytrax.com/books/dns/ch7/queries.html#allow-recursion

Let me know if anything is unclear.
 

Author Comment

by:nammit-man
ID: 37821661
Whereabouts do I put these statements?
 
LVL 21

Expert Comment

by:Papertrip
ID: 37821662
Sorry, this editing feature doesn't work well when we are replying so quickly. I added to my last reply that these go into the global options section of named.conf, where you removed that code from earlier.
 

Author Comment

by:nammit-man
ID: 37821683
Bind won't start again, so I guess I have messed this up somewhere.

        auth-nxdomain no;
        listen-on-v6 { any; };
        recursion yes;
        version "6.6.6";
        allow-query     { any; };
        allow-query-cache { localhost; 213.121/16; };
        recursion yes;
        allow-recursion { localhost; 213.121/16; };
        allow-transfer { none; };
 
LVL 21

Expert Comment

by:Papertrip
ID: 37821686
Whenever named fails to start after making config changes just run named-checkconf and check your logs.  9/10 times the reason for named not starting back up after editing the config is a missing curly brace and/or semi-colon.
 

Author Comment

by:nammit-man
ID: 37821696
Looking back, that makes perfect sense. Check config says...

/etc/bind/named.conf.options:23: 'recursion' redefined near 'recursion'

On looking at the conf file I could see that recursion was defined twice; having removed one, it looks to be working perfectly now :)

You sir are a star!!
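An added checker (not from the thread, and not a BIND tool) for the three things that tripped this setup: a `forwarders` block still holding the 0.0.0.0 placeholder, a directive defined twice (the `'recursion' redefined` error above), and `allow-recursion`/`allow-query-cache` left at `any` while recursion is on, which is the open-resolver case Papertrip's ACLs close. The sample options block is constructed from the config posted earlier in the thread; named-checkconf remains the authoritative syntax check.

```python
import re

# Constructed sample: the options block as posted above, still carrying a second 'recursion yes;'.
SAMPLE_OPTIONS = """options {
    listen-on-v6 { any; };
    recursion yes;
    allow-query     { any; };
    allow-query-cache { localhost; 213.121/16; };
    recursion yes;
    allow-recursion { localhost; 213.121/16; };
    allow-transfer { none; };
};"""

def strip_comments(text):
    """Drop /* */, // and # comments so they cannot hide braces or statements."""
    return re.sub(r"(//|#)[^\n]*", "", re.sub(r"/\*.*?\*/", "", text, flags=re.S))

def brace_balance(text):
    text = strip_comments(text)
    return text.count("{") - text.count("}")  # anything but 0 stops named

def options_body(text):
    """Return the text between the braces of the top-level options block."""
    text = strip_comments(text)
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 0, m.end() - 1
    for i in range(start, len(text)):
        depth += (text[i] == "{") - (text[i] == "}")
        if depth == 0:
            return text[start + 1:i]
    return text[start + 1:]  # unclosed block; brace_balance() reports it

# One statement: 'name value;' or 'name { a; b; };'
STATEMENT = re.compile(r"([\w-]+)\s*(\{[^}]*\}|[^;{}]*?)\s*;")

def check_options(text):
    """Findings on the options block: duplicates, placeholder forwarders, open ACLs."""
    findings, seen = [], {}
    for name, value in STATEMENT.findall(options_body(text)):
        if name in seen:  # the 'redefined' error named-checkconf printed
            findings.append(f"'{name}' redefined")
        seen[name] = " ".join(value.split())
    if "0.0.0.0" in seen.get("forwarders", ""):
        findings.append("forwarders still holds the 0.0.0.0 placeholder")
    if seen.get("recursion", "yes") == "yes":  # BIND defaults to recursion yes
        for acl in ("allow-recursion", "allow-query-cache"):
            if re.search(r"\bany\b", seen.get(acl, "")):
                findings.append(f"{acl} allows any: open resolver")
    return findings
```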
 
LVL 21

Expert Comment

by:Papertrip
ID: 37821709
Happy to help.  Everything working as expected now?
 

Author Comment

by:nammit-man
ID: 37821739
It is indeed! Just setting up the secondary now, which I'm hoping shouldn't be so tricky.

Bind has been a little bit of a learning curve, as has Linux itself. But I believe it's the way I need to be going!
 

Author Closing Comment

by:nammit-man
ID: 37821747
This guy knows his stuff!!! And couldn't have been any more helpful considering I am fairly new to the Linux world!
