ispconfig3 and local reverse zones

Discussion in 'Installation/Configuration' started by DarkMaster, Apr 10, 2023.

  1. DarkMaster

    DarkMaster New Member

    Hello!
    I am having quite some fun with ispconfig3, most of the things are working. One significant bit is the decision of DNS, also local DNS. I am using deployment to host all local DNS requests, I have 3 DNS servers, they are configured for resolution for the internet, they are linked for synch and all of that is working. I also configured a .lan zone, which also works properly. Now since we are using BIND as the provider for a solution, I want to use it also for the reverse zone - now there is no graphical option to set this up, right? Is there any reservation to set it up in CLI? Just comply with following the BIND guide to set up a reverse zone? Any better suggestion or option? I really do not want to have two DNS, one for reverse and .lan such as FreeIPA, and then add other DNS servers for internet resolution...
    Thank you in advance!
    rgD
     
  2. michelangelo

    michelangelo Active Member

    Of course you can add reverse lookup zones in ISPConfig, for example for your local network, the question is though, if you really want to do that since the whole internet would be able to reverse lookup your local network.

    In case you are using ISPConfig just within your local network setup then forget what I wrote.

    But if you mean the pointers for your servers on the Internet, then ISPConfig is the wrong tool, because these records have to be set up via the web interface of your datacenter provider.
     
  3. DarkMaster

    DarkMaster New Member

    I am actually using DNS only locally, to satisfy high DNS demands from local services - no DNS is actually available on the internet at all - only resolution from local towards the internet, and now a demand came to streamline DNS servers into one coherent system that will be used for all of it. That is why I am wondering about such a setup.
    But if that is possible, and I am using ispconfig web console, how can I then add a reverse zone? I do not see any option for it?
    So shortly, I am talking about the option to use the system to serve for the company.lan that does resolution for server and service names to local IP and I want also to reverse resolution from IP to names (just to avoid any confusion :)
     
  4. michelangelo

    michelangelo Active Member

    You can add the zone in a similar way to a forward zone in ISPConfig; you'll just have to follow the syntax for reverse lookup zones.
    Have a look in the Bind docs, or take a look here: https://learn.microsoft.com/en-us/azure/dns/dns-reverse-dns-overview

    However, here is an example:
    As the zone name, you add in ISPConfig:

    Code:
    1.168.192.in-addr.arpa.
    You see the reversed IP range? That's how the name scheme has to look.
    When adding a PTR record to that reverse lookup zone, you add a PTR type record and in the name field you add the last digit of the IP address and the canonical name must be the whole FQDN of that record with a trailing dot.

    As I said, even for others that want to set up such a reverse lookup zone:

    DON'T DO IT, if the DNS server is available on the internet OR if you want to set up PTRs for your servers on the internet which are located in a data center, then set these records up via your data center provider! The other way with hosting your own reverse lookup zone will not work in that case!
     
    Last edited: Apr 10, 2023
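
The naming rule from the post above, as an added example (not the poster's or ISPConfig's code): it derives the reverse zone name and the relative PTR names for an octet-aligned IPv4 network and appends the trailing dot to each target. It also covers /8 and /16 networks, where the name field holds more than the last octet; the function names are hypothetical and the sample host is the one that appears later in this thread.

```python
import ipaddress


def reverse_zone(network):
    """Zone name for an octet-aligned IPv4 network, e.g. 192.168.1.0/24."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(
            f"{network}: only /8, /16 and /24 map onto one plain in-addr.arpa zone")
    fixed = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(fixed)) + ".in-addr.arpa."


def ptr_records(network, hosts):
    """Return (zone_name, [(name, "PTR", target), ...]) for a dict of ip -> fqdn."""
    net = ipaddress.ip_network(network, strict=True)
    zone = reverse_zone(network)
    host_octets = 4 - net.prefixlen // 8   # octets that go into the name field
    records = []
    for ip_text, fqdn in hosts.items():
        ip = ipaddress.ip_address(ip_text)
        if ip not in net:
            raise ValueError(f"{ip} is outside {net}")
        name = ".".join(reversed(str(ip).split(".")[-host_octets:]))
        # Cross-check against the standard library's own reverse name.
        if f"{name}.{zone}" != ip.reverse_pointer + ".":
            raise AssertionError(f"reverse name mismatch for {ip}")
        # The target must be a complete FQDN with a trailing dot; otherwise
        # BIND appends the reverse zone name to it.
        target = fqdn if fqdn.endswith(".") else fqdn + "."
        records.append((name, "PTR", target))
    records.sort(key=lambda r: [int(p) for p in reversed(r[0].split("."))])
    return zone, records


if __name__ == "__main__":
    zone, records = ptr_records(
        "172.21.8.0/24", {"172.21.8.74": "mgmt-terminal.sidk.lab"})
    print("zone:", zone)
    for name, rtype, target in records:
        print(f"{name}\tIN\t{rtype}\t{target}")
```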
  5. DarkMaster

    DarkMaster New Member

    Fantastic! Thank you a ton for your help!
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

  7. DarkMaster

    DarkMaster New Member

    So the saga continues - I have set up a reverse zone, using ispconfig3 web console, and no problems, worked just as stated in previous posts. But now I am faced with an issue, that this zone, even though I have set up a transfer/secondary zone, is not being transferred, so only 1 out of 3 DNS servers is resolving. Is this issue coming forth because of the reverse zone setup or is this an entirely different issue altogether? Thank you!
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Some info on how you have setup the reverse zone would be helpful. Examine logs to see if zone is transferred to secondary server and what happens.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    How did you set up your DNS system, are all 3 servers ISPConfig systems, how are they connected and which transfer mechanism have you chosen for DNS zones?
     
  10. DarkMaster

    DarkMaster New Member

    I have followed the guide for multi-server deployment. DNS servers have no special setup - just what was in the guide (particularly, I have followed this guide: https://www.howtoforge.com/tutorial/ispconfig-multiserver-setup-debian-ubuntu/). At the DNS page, the tutorial did not say to set up anything specific. So I have added primary zone, populated some of the entries. Then I proceeded to add secondary zone. For the setup, I have done so: on the primary zone, I have selected first DNS as the primary server, added in allow transfer and also notify second and third server. On the Secondary zone, I have done the opposite - adding secondary zone, selected second DNS as main server and allowed update and transfer to first and third and same on the third....
    I will try to get you some screenshots, right now, I am also checking logs to see any obvious errors...
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so you are not using mirroring in ISPConfig then under System > server services, right? Because you can either use ISPConfig mirroring or slave zones, but not both.
     
  12. DarkMaster

    DarkMaster New Member

    No, I do not use both - I have mirroring only for email server...
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok. Then check if the slave zones have been added on the slave servers and check syslog for zone transfer errors.
     
  14. DarkMaster

    DarkMaster New Member

    So I have some strange things here. This is the log from the syslog on the slave server:
    Code:
    Apr 11 12:38:57 ns2 named[662]: resolver priming query complete
    Apr 11 12:39:01 ns2 CRON[3625153]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Apr 11 12:39:01 ns2 CRON[3625154]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
    Apr 11 12:39:01 ns2 CRON[3625152]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Apr 11 12:39:02 ns2 systemd[1]: Starting Clean php session files...
    Apr 11 12:39:02 ns2 systemd[1]: phpsessionclean.service: Succeeded.
    Apr 11 12:39:02 ns2 systemd[1]: Finished Clean php session files.
    Apr 11 12:39:54 ns2 kernel: [1464087.515525] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:70:a7:41:aa:ae:e4:08:00 SRC=172.21.8.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=32973 PROTO=2
    Apr 11 12:40:01 ns2 CRON[3625818]: (root) CMD (/usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Apr 11 12:40:01 ns2 CRON[3625819]: (root) CMD (/usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done)
    Apr 11 12:40:55 ns2 kernel: [1464148.120191] [UFW BLOCK] IN=eth0 OUT= MAC=01:00:5e:00:00:01:70:a7:41:aa:ae:e4:08:00 SRC=172.21.8.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=32979 PROTO=2
    If I look at the folder structure on the slave server, it gets even worse:
    Code:
    root@ns2:/etc/bind# ls
    bind.keys  db.0  db.127  db.255  db.empty  db.local  named.conf  named.conf.default-zones  named.conf.local  named.conf.options  named.conf.options~  rndc.key  slave  zones.rfc1918
    root@ns2:/etc/bind# cat named.conf.local
    
    zone "sidk.email" {
            type slave;
            masters {172.21.8.36;};
            allow-transfer {172.21.8.35;172.21.8.37;};
            file "/etc/bind/slave/sec.sidk.email";
    };
    zone "8.21.172.in-addr.arpa" {
            type slave;
            masters {172.21.8.36;};
            allow-transfer {172.21.8.35;172.21.8.37;};
            file "/etc/bind/slave/sec.8.21.172.in-addr.arpa";
    };
    root@ns2:/etc/bind# ls slave
    sec.  sec.sidk.email
    root@ns2:/etc/bind# ls slave/sec.
    root@ns2:/etc/bind#
    It seems that the folder creation failed or it is in some kind of weird state... I cannot resolve reverse from secondaries, it works on primary, for instance:

    Code:
    root@ns1:/# cd etc/bind
    root@ns1:/etc/bind# ls
    bind.keys  db.127  db.empty  named.conf                named.conf.local    named.conf.options~        pri.sidk.email  pri.sidk.systems  slave
    db.0       db.255  db.local  named.conf.default-zones  named.conf.options  pri.8.21.172.in-addr.arpa  pri.sidk.lab    rndc.key          zones.rfc1918
    root@ns1:/etc/bind# ls slave/
    root@ns1:/etc/bind#
     
  15. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What is strange in syslog?
    Primary and secondary name servers have different folder structures.
     
  16. DarkMaster

    DarkMaster New Member

    a ok then, then there is nothing strange.. also then, at same time, nothing in the logs as well then as this is only that I can find, it repeats itself, no error recorded...
    What I find strange in folder structure is, that I cannot find zone file similar as it is on the primary...
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    The log looks indeed fine, ISPConfig created the necessary entries in the named.conf.local file. Just BIND has not mirrored the zone (yet). Try to restart bind to see if you get an error. Also try to change something in the master zone and then check the log if bind throws an error then. Also post the permissions of the slave directory.
     
  18. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You need to know how bind sets up the slave to be able to verify it is set up correctly.
    Have you modified manually any file in /etc/bind? If not, on the secondary the zone files are probably in /var/cache/bind/, but they are not text files.
    If the zone transfer does not happen, check logs to see what happens instead. If the zone files are there, the secondary should answer queries. Show how you are verifying it does not.
     
  19. DarkMaster

    DarkMaster New Member

    Restart produced this log:
    Code:
    Apr 11 13:09:25 ns2 systemd[1]: Started BIND Domain Name Server.
    Apr 11 13:09:25 ns2 named[3627809]: starting BIND 9.16.1-Ubuntu (Stable Release) <id:d497c32>
    Apr 11 13:09:25 ns2 named[3627809]: running on Linux x86_64 5.4.0-144-generic #161-Ubuntu SMP Fri Feb 3 14:49:04 UTC 2023
    Apr 11 13:09:25 ns2 named[3627809]: built with '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' '--runstatedir=/run' '--disable-maintainer-mode' '--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' '--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-gost=no' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' '--with-json-c' '--with-lmdb=/usr' '--with-gnu-ld' '--with-maxminddb' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' '--disable-native-pkcs11' '--disable-isc-spnego' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 -fdebug-prefix-map=/build/bind9-7dLETH/bind9-9.16.1=. -fstack-protector-strong -Wformat -Werror=format-security -fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE -DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'
    Apr 11 13:09:25 ns2 named[3627809]: running as: named -f -u bind
    Apr 11 13:09:25 ns2 named[3627809]: compiled by GCC 9.4.0
    Apr 11 13:09:25 ns2 named[3627809]: compiled with OpenSSL version: OpenSSL 1.1.1f  31 Mar 2020
    Apr 11 13:09:25 ns2 named[3627809]: linked to OpenSSL version: OpenSSL 1.1.1f  31 Mar 2020
    Apr 11 13:09:25 ns2 named[3627809]: compiled with libxml2 version: 2.9.10
    Apr 11 13:09:25 ns2 named[3627809]: linked to libxml2 version: 20910
    Apr 11 13:09:25 ns2 named[3627809]: compiled with json-c version: 0.13.1
    Apr 11 13:09:25 ns2 named[3627809]: linked to json-c version: 0.13.1
    Apr 11 13:09:25 ns2 named[3627809]: compiled with zlib version: 1.2.11
    Apr 11 13:09:25 ns2 named[3627809]: linked to zlib version: 1.2.11
    Apr 11 13:09:25 ns2 named[3627809]: ----------------------------------------------------
    Apr 11 13:09:25 ns2 named[3627809]: BIND 9 is maintained by Internet Systems Consortium,
    Apr 11 13:09:25 ns2 named[3627809]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
    Apr 11 13:09:25 ns2 named[3627809]: corporation.  Support and training for BIND 9 are
    Apr 11 13:09:25 ns2 named[3627809]: available at https://www.isc.org/support
    Apr 11 13:09:25 ns2 named[3627809]: ----------------------------------------------------
    Apr 11 13:09:25 ns2 named[3627809]: adjusted limit on open files from 524288 to 1048576
    Apr 11 13:09:25 ns2 named[3627809]: found 2 CPUs, using 2 worker threads
    Apr 11 13:09:25 ns2 named[3627809]: using 2 UDP listeners per interface
    Apr 11 13:09:25 ns2 named[3627809]: using up to 21000 sockets
    Apr 11 13:09:25 ns2 named[3627809]: loading configuration from '/etc/bind/named.conf'
    Apr 11 13:09:25 ns2 named[3627809]: reading built-in trust anchors from file '/etc/bind/bind.keys'
    Apr 11 13:09:25 ns2 named[3627809]: looking for GeoIP2 databases in '/usr/share/GeoIP'
    Apr 11 13:09:25 ns2 named[3627809]: using default UDP/IPv4 port range: [32768, 60999]
    Apr 11 13:09:25 ns2 named[3627809]: using default UDP/IPv6 port range: [32768, 60999]
    Apr 11 13:09:25 ns2 named[3627809]: listening on IPv4 interface lo, 127.0.0.1#53
    Apr 11 13:09:25 ns2 named[3627809]: listening on IPv4 interface eth0, 172.21.8.36#53
    Apr 11 13:09:25 ns2 named[3627809]: IPv6 socket API is incomplete; explicitly binding to each IPv6 address separately
    Apr 11 13:09:25 ns2 named[3627809]: listening on IPv6 interface lo, ::1#53
    Apr 11 13:09:25 ns2 named[3627809]: listening on IPv6 interface eth0, fe80::f47e:f9ff:fec1:430c%2#53
    Apr 11 13:09:25 ns2 named[3627809]: unable to set effective uid to 0: Operation not permitted
    Apr 11 13:09:25 ns2 named[3627809]: generating session key for dynamic DNS
    Apr 11 13:09:25 ns2 named[3627809]: unable to set effective uid to 0: Operation not permitted
    Apr 11 13:09:25 ns2 named[3627809]: sizing zone task pool based on 7 zones
    Apr 11 13:09:25 ns2 named[3627809]: none:100: 'max-cache-size 90%' - setting to 3517MB (out of 3908MB)
    Apr 11 13:09:25 ns2 named[3627809]: set up managed keys zone for view _default, file 'managed-keys.bind'
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 10.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 16.172.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 17.172.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 18.172.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 19.172.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 20.172.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 21.172.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 22.172.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 23.172.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 24.172.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 25.172.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 26.172.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 27.172.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 28.172.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 29.172.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 30.172.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 31.172.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 168.192.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 64.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 65.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 66.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 67.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 68.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 69.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 70.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 71.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 72.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 73.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 74.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 75.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 76.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 77.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 78.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 79.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 80.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 81.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 82.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 83.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 84.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 85.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 86.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 87.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 88.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 89.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 90.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 91.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 92.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 93.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 94.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 95.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 96.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 97.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 98.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 99.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 100.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 101.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 102.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 103.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 104.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 105.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 106.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 107.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 108.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 109.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 110.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 111.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 112.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 113.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 114.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 115.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 116.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 117.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 118.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 119.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 120.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 121.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 122.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 123.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 124.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 125.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 126.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 127.100.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 254.169.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: D.F.IP6.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 8.E.F.IP6.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 9.E.F.IP6.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: A.E.F.IP6.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: B.E.F.IP6.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: EMPTY.AS112.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: automatic empty zone: HOME.ARPA
    Apr 11 13:09:25 ns2 named[3627809]: none:100: 'max-cache-size 90%' - setting to 3517MB (out of 3908MB)
    Apr 11 13:09:25 ns2 named[3627809]: configuring command channel from '/etc/bind/rndc.key'
    Apr 11 13:09:25 ns2 named[3627809]: command channel listening on 127.0.0.1#953
    Apr 11 13:09:25 ns2 named[3627809]: configuring command channel from '/etc/bind/rndc.key'
    Apr 11 13:09:25 ns2 named[3627809]: command channel listening on ::1#953
    Apr 11 13:09:25 ns2 named[3627809]: managed-keys-zone: loaded serial 5
    Apr 11 13:09:25 ns2 named[3627809]: zone 0.in-addr.arpa/IN: loaded serial 1
    Apr 11 13:09:25 ns2 named[3627809]: zone 127.in-addr.arpa/IN: loaded serial 1
    Apr 11 13:09:25 ns2 named[3627809]: zone localhost/IN: loaded serial 2
    Apr 11 13:09:25 ns2 named[3627809]: zone sidk.email/IN: loaded serial 2023031305
    Apr 11 13:09:25 ns2 named[3627809]: zone 255.in-addr.arpa/IN: loaded serial 1
    Apr 11 13:09:25 ns2 named[3627809]: all zones loaded
    Apr 11 13:09:25 ns2 named[3627809]: running
    Apr 11 13:09:25 ns2 named[3627809]: zone sidk.email/IN: sending notifies (serial 2023031305)
    Apr 11 13:09:25 ns2 named[3627809]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
    Apr 11 13:09:25 ns2 named[3627809]: network unreachable resolving './NS/IN': 2001:500:200::b#53
    Apr 11 13:09:25 ns2 named[3627809]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
    Apr 11 13:09:25 ns2 named[3627809]: network unreachable resolving './NS/IN': 2001:500:1::53#53
    Apr 11 13:09:25 ns2 named[3627809]: network unreachable resolving './NS/IN': 2001:7fe::53#53
    Apr 11 13:09:25 ns2 named[3627809]: network unreachable resolving './NS/IN': 2001:500:2::c#53
    Apr 11 13:09:25 ns2 named[3627809]: network unreachable resolving './NS/IN': 2001:500:2d::d#53
    Apr 11 13:09:25 ns2 named[3627809]: network unreachable resolving './NS/IN': 2001:7fd::1#53
    Apr 11 13:09:25 ns2 named[3627809]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
    Apr 11 13:09:25 ns2 named[3627809]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
    Apr 11 13:09:25 ns2 named[3627809]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
    Apr 11 13:09:25 ns2 named[3627809]: network unreachable resolving './NS/IN': 2001:dc3::35#53
    Apr 11 13:09:25 ns2 named[3627809]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
    Apr 11 13:09:26 ns2 named[3627809]: zone 8.21.172.in-addr.arpa/IN: refresh: unexpected rcode (SERVFAIL) from master 172.21.8.36#53 (source 0.0.0.0#0)
    Apr 11 13:09:35 ns2 named[3627809]: resolver priming query complete
    Permissions are as:
    Code:
    root@ns2:/etc/bind# ls -ltr
    total 56
    -rw-r--r-- 1 root root 1317 Dec 17  2019 zones.rfc1918
    -rw-r--r-- 1 root bind  498 Dec 17  2019 named.conf.default-zones
    -rw-r--r-- 1 root bind  463 Dec 17  2019 named.conf
    -rw-r--r-- 1 root root  270 Dec 17  2019 db.local
    -rw-r--r-- 1 root root  353 Dec 17  2019 db.empty
    -rw-r--r-- 1 root root  237 Dec 17  2019 db.255
    -rw-r--r-- 1 root root  271 Dec 17  2019 db.127
    -rw-r--r-- 1 root root  237 Dec 17  2019 db.0
    -rw-r--r-- 1 root root 1991 Jan 24 14:30 bind.keys
    -rw-r----- 1 bind bind  100 Feb 28 12:04 rndc.key
    -rw-r--r-- 1 root bind  846 Feb 28 12:09 named.conf.options~
    -rw-r--r-- 1 root bind  959 Feb 28 13:44 named.conf.options
    -rw-r--r-- 1 root bind  369 Apr 10 20:20 named.conf.local
    drwxrws--- 3 root bind 4096 Apr 11 12:40 slave
    root@ns2:/etc/bind# ls -ltr slave/
    total 8
    drwxr-s--- 2 root bind 4096 Mar  2 13:46 sec.
    -rw-r--r-- 1 bind bind  607 Apr 10 19:45 sec.sidk.email
    root@ns2:/etc/bind#
    To check if all of the DNS servers can resolve, I used this simply:
    Code:
    nslookup
    > server
    Default server: 172.21.8.35
    Address: 172.21.8.35#53
    Default server: 172.21.8.36
    Address: 172.21.8.36#53
    Default server: 172.21.8.37
    Address: 172.21.8.37#53
    > 172.21.8.74
    Server:        172.21.8.35
    Address:    172.21.8.35#53
    
    74.8.21.172.in-addr.arpa    name = mgmt-terminal.sidk.lab.
    > server 172.21.8.35
    Default server: 172.21.8.35
    Address: 172.21.8.35#53
    > 172.21.8.74
    Server:        172.21.8.35
    Address:    172.21.8.35#53
    
    74.8.21.172.in-addr.arpa    name = mgmt-terminal.sidk.lab.
    > server 172.21.8.36
    Default server: 172.21.8.36
    Address: 172.21.8.36#53
    > 172.21.8.74
    Server:        172.21.8.36
    Address:    172.21.8.36#53
    
    ** server can't find 74.8.21.172.in-addr.arpa: SERVFAIL
    >
    I am also populating some fake entries to see what triggers, it may take me some time, will post here ASAP
     
  20. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Now there is an error message:
    Code:
    refresh: unexpected rcode (SERVFAIL) from master
    That error shows on the slave name server. What is shown on the primary name server syslog at the same time?
    Then use these error messages in Internet Search Engines to find more info, and how to repair.
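
Added example, not written by any poster in this thread: in the output posted above, ns2 logs that it listens on 172.21.8.36, and both of its slave zones list 172.21.8.36 under masters, so ns2 is asking itself for the zone. The script below, using excerpts copied from those posts and hypothetical function names, flags any secondary zone whose masters entry is one of the server's own listening addresses and pairs it with the refresh failures found in the log; it assumes the flat zone stanzas that appear in the posted named.conf.local.

```python
import re

# Excerpts copied from the ns2 output posted in this thread.
NAMED_CONF_LOCAL = """\
zone "sidk.email" {
        type slave;
        masters {172.21.8.36;};
        allow-transfer {172.21.8.35;172.21.8.37;};
        file "/etc/bind/slave/sec.sidk.email";
};
zone "8.21.172.in-addr.arpa" {
        type slave;
        masters {172.21.8.36;};
        allow-transfer {172.21.8.35;172.21.8.37;};
        file "/etc/bind/slave/sec.8.21.172.in-addr.arpa";
};
"""

SYSLOG = """\
Apr 11 13:09:25 ns2 named[3627809]: listening on IPv4 interface lo, 127.0.0.1#53
Apr 11 13:09:25 ns2 named[3627809]: listening on IPv4 interface eth0, 172.21.8.36#53
Apr 11 13:09:25 ns2 named[3627809]: zone sidk.email/IN: loaded serial 2023031305
Apr 11 13:09:26 ns2 named[3627809]: zone 8.21.172.in-addr.arpa/IN: refresh: unexpected rcode (SERVFAIL) from master 172.21.8.36#53 (source 0.0.0.0#0)
"""

# A zone stanza ends at the first line holding only "};".
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\s*\};', re.S)
LISTEN_RE = re.compile(r"listening on IPv4 interface \S+, (\d+(?:\.\d+){3})#\d+")
REFRESH_RE = re.compile(
    r"zone (\S+)/IN: refresh: unexpected rcode \((\w+)\) "
    r"from master (\d+(?:\.\d+){3})#\d+")


def slave_zones(conf):
    """Map each secondary zone name to the addresses in its masters list."""
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        zone_type = re.search(r"\btype\s+(\w+)\s*;", body)
        if not zone_type or zone_type.group(1) not in ("slave", "secondary"):
            continue
        masters = re.search(r"\b(?:masters|primaries)\s*\{([^}]*)\}", body)
        addrs = []
        if masters:
            addrs = [a.strip() for a in masters.group(1).split(";") if a.strip()]
        zones[name.rstrip(".").lower()] = addrs
    return zones


def diagnose(conf, log):
    """Per secondary zone: masters that are local addresses, and logged refresh errors."""
    local = set(LISTEN_RE.findall(log))
    failures = {}
    for zone, rcode, master in REFRESH_RE.findall(log):
        failures.setdefault(zone.lower(), []).append((rcode, master))
    report = []
    for zone, masters in slave_zones(conf).items():
        report.append({
            "zone": zone,
            "self_masters": sorted(set(masters) & local),
            "refresh_failures": failures.get(zone, []),
        })
    return report


if __name__ == "__main__":
    for row in diagnose(NAMED_CONF_LOCAL, SYSLOG):
        if row["self_masters"]:
            print(f'{row["zone"]}: masters points at this server itself '
                  f'({", ".join(row["self_masters"])})')
        for rcode, master in row["refresh_failures"]:
            print(f'{row["zone"]}: refresh got {rcode} from {master}')
```

A zone that already has a file on disk, like sec.sidk.email in the listing above, still loads from that file at startup, so only the zone that has never been transferred shows the SERVFAIL.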
     
