I am a newbie in configuring DNS servers, I need your help... I have one debian 10 with webmin + bind 9.11 installed. I got a local domain which is working fine. From one host on my LAN, I can resolve internal hostnames : Code: dig @myinternalDNS host1[dot]local[dot]lan +show <@IP-host1> but when I try to resolve Internet names, I got no response : Code: dig @myinternalDNS www[dot]google[dot]com ; <<>> DiG 9.11.5-P4 <<>> @<@IP-myinternalDNS> www[dot]google[dot]com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16965 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 2c052e0915fc346f652fbf325e8c51c9a65c4fbb5204c698 (good) ;; QUESTION SECTION: ;www[dot]google[dot]com. IN A ;; Query time: 13 msec ;; SERVER: <@IP-myinternalDNS>#53(<@IP-myinternalDNS>) ;; WHEN: mar. avr. 07 12:11:22 2020 ;; MSG SIZE rcvd: 71 My configuration is pretty simple : Code: acl allowed { X[dot]Y[dot]Z[dot]0/24; }; options { directory "/var/cache/bind"; recursion yes; allow-recursion { localhost; allowed; }; listen-on port 53 { localhost; <@IP-myinternalDNS>; }; allow-query { localhost; allowed; }; allow-transfer { localhost; allowed; }; forwarders { 8[dot]8[dot]8[dot]8; }; dnssec-enable no; dnssec-validation no; dnssec-lookaside auto; auth-nxdomain no; listen-on-v6 { none; }; }; zone "local[dot]lan" { type master; file "/var/lib/bind/local[dot]lan[dot]hosts"; }; zone "Z.Y.X[dot]in-addr[dot]arpa" { type master; file "/var/lib/bind/Z[dot]Y[dot]X[dot]rev"; }; NB: I replaced my real IP network with X[dot]Y[dot]Z And from my DNS, I can resolve Internet names. I captured packets on my outgoing router, and the DNS requests are going to public DNS servers and are responding. There is no network difference between a dig @8[dot]8[dot]8[dot]8 and requesting my server. When my server requests the public DNS, the packet is gone and comes back but the DNS answer is empty, whereas with a dig @8[dot]8[dot]8[dot]8 directly from my server, I have a successfully DNS answer. Very strange, I don't understand what is going on. Why this is not working ? Could you help me please ?
The output you got is what it should be. Your name server, when queried with dig about www.google.com answers everything it knows about google, which is nothing. You need to query google nameservers if you want to have some data returned. It may be working as it should, your testing method is perhaps not best way to test. As for the forwarders, you can leave it out and you name server works still. Forwarders directive is a way to tell name server closest upstream name server, since it may answer faster than querying authoritative name servers always. Usually you put your ISP name servers as forwarders. Google name server may not be a good choice. There is a book: http://shop.oreilly.com/product/9780596100575.do
Hey Taleman, thanks for your answer. I would like to have a DNS server on my lab which resolve names for all my hosts. Is this should work as I expect ? Or my thoughts are wrong ?
I do not know what you expect. This is doable. I read the Albitz, Liu book and make Bind configurations following that. With Debian 10 it should just work, unless configuration gets messed up. Debian way is to have local configuration files separate from the basic files provided by debian, so do not edit those, only edit the local files. But you already wrote so I assumed your local net name server is OK? You can use my Tutorial to test your name server is working. The tutorial sets name service up with ISPConfig, but you can ignore that bit and only read the testing parts: https://www.howtoforge.com/tutorial/setting-up-your-own-name-service-with-ispconfig/#nbsptesting
I really don't understand what is going on. I am running out of ideas. Yes I have my local domain which is succesfully resolved. Then I assume my bind DNS server is working fine. I just cannot resolve external domain names, wheareas with pointing directly to public DNS from a host, I can resolve them. I also tried with your 'host' command instead of 'dig' and the result is the same : host <host1.local.lan> <ipDNS> >>> the answer is correct host www[dot]google[dot]com <ipDNS> >> ;; connection timed out; no servers could be reached Ununderstandable
My experience is that installing bind9 on debian it resolves external names with no configuration. So my guess is some configuration change on your host prevents this from happening.
My configuration should work, shouldn't it ? I captured a request which is displayed below : The packets are going through my gateway and coming back with no response. The packets have been captured on both interfaces (internal and external). The DNS packets are the same, only the <IP_internal_DNS> changes (internal IP on internal interface and external WAN IP on external interface). My firewall doesn't seem to alter packets. What are your thoughts? Many thanks Expand: Packets captured Frame 43: 70 bytes on wire (560 bits), 70 bytes captured (560 bits) Internet Protocol Version 4, Src: <IP_internal_DNS>, Dst: 202.12.27.33 User Datagram Protocol, Src Port: 55380, Dst Port: 53 Domain Name System (query) Transaction ID: 0x3995 Flags: 0x0000 Standard query Questions: 1 Answer RRs: 0 Authority RRs: 0 Additional RRs: 1 Queries <Root>: type NS, class IN Name: <Root> [Name Length: 6] [Label Count: 1] Type: NS (authoritative Name Server) (2) Class: IN (0x0001) Additional records <Root>: type OPT Name: <Root> Type: OPT (41) UDP payload size: 512 Higher bits in extended RCODE: 0x00 EDNS0 version: 0 Z: 0x8000 1... .... .... .... = DO bit: Accepts DNSSEC security RRs .000 0000 0000 0000 = Reserved: 0x0000 Data length: 0 [Response In: 45] No. Time Source Destination Protocol Length Info 44 6.837609 <IP_internal_DNS> 202.12.27.33 DNS 85 Standard query 0x3dc5 A www.google.com OPT Frame 44: 85 bytes on wire (680 bits), 85 bytes captured (680 bits) Internet Protocol Version 4, Src: <IP_internal_DNS>, Dst: 202.12.27.33 User Datagram Protocol, Src Port: 45964, Dst Port: 53 Domain Name System (query) Transaction ID: 0x3dc5 Flags: 0x0010 Standard query Questions: 1 Answer RRs: 0 Authority RRs: 0 Additional RRs: 1 Queries www.google.com: type A, class IN Name: www.google.com [Name Length: 14] [Label Count: 3] Type: A (Host Address) (1) Class: IN (0x0001) Additional records <Root>: type OPT Name: <Root> Type: OPT (41) UDP payload size: 512 Higher bits in extended RCODE: 0x00 EDNS0 version: 0 Z: 0x8000 1... .... .... .... = DO bit: Accepts DNSSEC security RRs .000 0000 0000 0000 = Reserved: 0x0000 Data length: 0 [Response In: 46] No. Time Source Destination Protocol Length Info 45 6.838711 202.12.27.33 <IP_internal_DNS> DNS 70 Standard query response 0x3995 NS <Root> OPT Frame 45: 70 bytes on wire (560 bits), 70 bytes captured (560 bits) Internet Protocol Version 4, Src: 202.12.27.33, Dst: <IP_internal_DNS> User Datagram Protocol, Src Port: 53, Dst Port: 55380 Domain Name System (response) Transaction ID: 0x3995 Flags: 0x8600 Standard query response, No error Questions: 1 Answer RRs: 0 Authority RRs: 0 Additional RRs: 1 Queries <Root>: type NS, class IN Name: <Root> [Name Length: 6] [Label Count: 1] Type: NS (authoritative Name Server) (2) Class: IN (0x0001) Additional records <Root>: type OPT Name: <Root> Type: OPT (41) UDP payload size: 4096 Higher bits in extended RCODE: 0x00 EDNS0 version: 0 Z: 0x8000 1... .... .... .... = DO bit: Accepts DNSSEC security RRs .000 0000 0000 0000 = Reserved: 0x0000 Data length: 0 [Request In: 43] [Time: 0.001193000 seconds] No. Time Source Destination Protocol Length Info 46 6.838864 202.12.27.33 <IP_internal_DNS> DNS 85 Standard query response 0x3dc5 A www.google.com OPT Frame 46: 85 bytes on wire (680 bits), 85 bytes captured (680 bits) Internet Protocol Version 4, Src: 202.12.27.33, Dst: <IP_internal_DNS> User Datagram Protocol, Src Port: 53, Dst Port: 45964 Domain Name System (response) Transaction ID: 0x3dc5 Flags: 0x8210 Standard query response, No error Questions: 1 Answer RRs: 0 Authority RRs: 0 Additional RRs: 1 Queries www.google.com: type A, class IN Name: www.google.com [Name Length: 14] [Label Count: 3] Type: A (Host Address) (1) Class: IN (0x0001) Additional records <Root>: type OPT Name: <Root> Type: OPT (41) UDP payload size: 4096 Higher bits in extended RCODE: 0x00 EDNS0 version: 0 Z: 0x8000 1... .... .... .... = DO bit: Accepts DNSSEC security RRs .000 0000 0000 0000 = Reserved: 0x0000 Data length: 0 [Request In: 44] [Time: 0.001255000 seconds]
Seems it is not working. Plus you do not show what configuration file it was in #1. What I would do, is purge away the current bind installation and configuration. Then install it again, and test it works, including answering about external domains. And I write again like I wrote in #2, that if you find forwarders is not working, remove that directive. Only then add your configurations following the instructions in /usr/share/doc/bind9/README.Debian.gz.
