• Status: Solved

Ubuntu Server: BIND9 unable to resolve any ".org" or ".info" domain names

Greetings Experts,

I am currently experiencing a DNS resolution issue with my Ubuntu 12.04 LTS server with BIND9 installed. This is the first Ubuntu server I've ever set up, so I'm quite a novice when it comes to using and configuring BIND and other DNS-related tools. Previously I was running Windows Server 2008 R2 and not having any DNS issues. After setting up my new Ubuntu server, I've configured BIND9 by following several guides out there on the Internet. Here's my scenario:

BIND9 on this server is configured as "master" for my domain "arhoff.net"
Forwarders to OpenDNS and Comcast name servers are set up in "named.conf.options"
Local Addresses (anything in arhoff.net zone) resolve fine with nslookup and with dig
".com", ".net", and ".edu" TLD addresses resolve fine with nslookup and dig
".org" addresses (such as ibiblio.org and ubuntuforums.org) return the following error from dig:

dig: couldn't get address for 'a0.org.afilias-nst.info': not found

When I change my "nameserver" lines in resolv.conf to use OpenDNS (208.67.222.222) instead of the local server address (192.168.1.2), everything resolves perfectly fine and ".org" addresses load without issue.

System: Ubuntu Server 12.04 LTS 64-bit
Local IP: 192.168.1.2
Gateway IP: 192.168.1.1
Preferred forwarder addresses:
208.67.222.222
208.67.220.220
75.75.75.75
75.75.76.76

Again, the above settings worked without any issue for more than a year with Windows Server 2008 R2, so I know that I must have done something wrong when configuring Ubuntu.

For reference I'm attaching a TXT file with the output of DIG and NSLOOKUP to both ibiblio.org and google.com from the server so you can see the different output. Also included in the text is my db.root, named.conf, named.conf.local, and named.conf.default-zones file.

Thanks in advance,
Anthony



Attachment: dns-bind-sshoutput.txt
1 Solution
 
arnold Commented:
The issue based on your data is with dig: couldn't get address for 'a0.org.afilias-nst.info': not found

dig +trace @b0.org.afilias-nst.info .org. NS

By now the issue might be resolved. Try removing/commenting out the forwarding and see if your server can function as a cache server without relying on forwarders.
 
ayohoff (Author) Commented:
Thanks Arnold. I tried commenting out my forwarders and restarting BIND9. I also cleared out the DNS cache using "rndc flush". I am still experiencing the same issue. Tried rebooting the server completely, but still having the same issue. When I do "dig +trace @b0.org.afilias-nst.info .org. NS" here is what I get:

# dig +trace @b0.org.afilias-nst.info .org. NS
dig: couldn't get address for 'b0.org.afilias-nst.info': not found


I PLAYED WITH THE OPTIONS AND FOUND THE FOLLOWING:

If I turn off "dnssec-validation" (by setting to "no" instead of "auto"), it WORKS!

So -- what is DNSSEC Validation, and why won't this work when it's turned on?

-Anthony
 
arnold Commented:
DNSSEC is outlined at http://www.eweek.com/c/a/Security/DNSSEC-Adoption-Needs-to-Grow-to-Secure-Core-Internet-Protocols-586467/

You had defined forwarders, but you did not set the forward (once|only); directive in the named.conf options section.
With this your named process will not be performing the sequential request to locate the name servers for each ., .org, and ibiblio.org in the hierarchy before querying the name servers from which to ask the IP record.
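A few facts worth making explicit for anyone who lands here with the same symptom. With `dnssec-validation auto;` BIND verifies the signatures on answers from signed zones (.org is one), and for that it needs the upstream server to return RRSIG records when asked with the DO bit set. If a forwarder strips that data, named cannot build the chain of trust and answers SERVFAIL, so every .org lookup fails while unsigned zones keep working; `dig +trace` then fails too, because dig resolves the names of the .org servers (a0.org.afilias-nst.info and friends) through the same broken local resolver. Setting `dnssec-validation no;` makes the symptom disappear only by switching the check off. The fix that keeps validation on is either forwarders that pass DNSSEC data through (BIND's forwarding directive is `forward first;` or `forward only;`, placed next to the `forwarders { ... };` list in named.conf.options) or no forwarders at all, so named recurses from the root as Arnold first suggested.

The script below is an added diagnostic, not code from the original post or from BIND. It distinguishes a validation failure from an outright resolution failure by comparing a normal query against the same query with `+cd` (Checking Disabled): SERVFAIL normally but NOERROR with `+cd` means the data is reachable and only the signature check fails, while an AD flag on the normal answer means validation succeeded. It then asks each forwarder directly whether it returns RRSIG records. RESOLVER, FORWARDERS and NAME are assumed environment variables (ibiblio.org comes from the thread); with RESOLVER unset it runs on a constructed sample of dig output so it works offline.

```shell
#!/bin/sh
# Added diagnostic script for the thread above; not code from the original
# post or from BIND. It checks whether the local BIND instance fails a name
# because DNSSEC validation fails, and whether each forwarder passes DNSSEC
# records through. Assumed: RESOLVER (e.g. 192.168.1.2) and FORWARDERS are
# given in the environment; with RESOLVER unset it runs on a constructed sample.

NAME="${NAME:-ibiblio.org}"   # the .org name from the thread

# Exit 0 if the dig output on stdin has the AD (Authenticated Data) flag,
# which a validating resolver sets only on answers it verified.
has_ad_flag() {
    grep -E '^;; flags:.*[[:space:]]ad([[:space:];]|$)' >/dev/null
}

# Print the RCODE (NOERROR, SERVFAIL, ...) found in dig output on stdin.
rcode_of() {
    sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# Exit 0 if dig output on stdin contains RRSIG records, i.e. the server that
# answered did not strip the DNSSEC data a validator needs.
has_rrsig() {
    grep -E '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]' >/dev/null
}

# Query server $1 for the A record of $2 with the DO bit set; $3 holds
# extra dig options such as +cd (Checking Disabled).
query() {
    dig +dnssec +noall +comments +answer "@$1" "$2" A $3
}

# Classify a resolver from the RCODE of a normal query ($1), the RCODE of the
# same query with +cd ($2), and whether the normal answer had AD ($3 yes|no).
classify() {
    if [ "$1" = NOERROR ] && [ "$3" = yes ]; then
        echo validated            # answer verified against the chain of trust
    elif [ "$1" = NOERROR ]; then
        echo unvalidated          # answered, but validation is off or zone unsigned
    elif [ "$1" = SERVFAIL ] && [ "$2" = NOERROR ]; then
        echo validation-failure   # data is reachable, signatures cannot be verified
    else
        echo unreachable-or-broken
    fi
}

# Print one line summarising the two dig outputs ($2 normal, $3 with +cd).
report() {
    n=$(printf '%s\n' "$2" | rcode_of)
    c=$(printf '%s\n' "$3" | rcode_of)
    if printf '%s\n' "$2" | has_ad_flag; then ad=yes; else ad=no; fi
    printf '%s: normal=%s cd=%s ad=%s -> %s\n' "$1" "$n" "$c" "$ad" "$(classify "$n" "$c" "$ad")"
}

# Constructed sample dig output (not captured from the thread's server): the
# pattern a validation failure produces, SERVFAIL normally and an answer
# with +cd. 192.0.2.10 is a documentation address; the signature is a dummy.
SAMPLE_NORMAL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
ibiblio.org.    300   IN   A      192.0.2.10
ibiblio.org.    300   IN   RRSIG  A 8 2 300 20130101000000 20121201000000 12345 ibiblio.org. c29tZXNpZw=='

if [ -n "${RESOLVER:-}" ]; then
    # Live mode: probe the local resolver, then each forwarder.
    report "$RESOLVER" "$(query "$RESOLVER" "$NAME")" "$(query "$RESOLVER" "$NAME" +cd)"
    for fwd in ${FORWARDERS:-}; do
        if query "$fwd" "$NAME" | has_rrsig; then
            echo "$fwd: returns RRSIG, DNSSEC data passes through"
        else
            echo "$fwd: no RRSIG, a validator behind it will SERVFAIL on signed zones"
        fi
    done
else
    # Offline mode: classify the constructed sample.
    report sample "$SAMPLE_NORMAL" "$SAMPLE_CD"
fi
```

Run it as `RESOLVER=192.168.1.2 FORWARDERS="208.67.222.222 75.75.75.75" sh dnssec-check.sh` from the server. A line ending in `validation-failure` for the resolver together with `no RRSIG` for a forwarder is exactly the combination that makes `dnssec-validation no;` look like a fix; the forwarder, not BIND, is the part to change.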
 
ayohoff (Author) Commented:
This answer is exactly what I needed to get my DNS server up and running securely. I really appreciate the help and explanation.
