Bind - Forwarding to external DNS not working

Discussion in 'Server Operation' started by luthing, Apr 11, 2020.

  1. luthing

    luthing New Member

    I am a newbie in configuring DNS servers, I need your help...

    I have one debian 10 with webmin + bind 9.11 installed. I got a local domain which is working fine.

    From one host on my LAN, I can resolve internal hostnames :
    Code:
    dig @myinternalDNS host1.local.lan +short
    <@IP-host1>
    but when I try to resolve Internet names, I get no response:

    Code:
        dig @myinternalDNS www.google.com

        ; <<>> DiG 9.11.5-P4 <<>> @<@IP-myinternalDNS> www.google.com
        ; (1 server found)
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16965
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 4096
        ; COOKIE: 2c052e0915fc346f652fbf325e8c51c9a65c4fbb5204c698 (good)
        ;; QUESTION SECTION:
        ;www.google.com.                        IN      A

        ;; Query time: 13 msec
        ;; SERVER: <@IP-myinternalDNS>#53(<@IP-myinternalDNS>)
        ;; WHEN: mar. avr. 07 12:11:22     2020
        ;; MSG SIZE  rcvd: 71
    
    My configuration is pretty simple:

    Code:
        acl allowed {
                X.Y.Z.0/24;
        };

        options {
                directory "/var/cache/bind";

                recursion yes;
                allow-recursion { localhost; allowed; };
                listen-on port 53 { localhost; <@IP-myinternalDNS>; };
                allow-query {
                        localhost;
                        allowed;
                };
                allow-transfer {
                        localhost;
                        allowed;
                };

                forwarders {
                        8.8.8.8;
                };
                dnssec-enable no;
                dnssec-validation no;
                dnssec-lookaside auto;
                auth-nxdomain no;
                listen-on-v6 { none; };
        };

        zone "local.lan" {
                type master;
                file "/var/lib/bind/local.lan.hosts";
        };
        zone "Z.Y.X.in-addr.arpa" {
                type master;
                file "/var/lib/bind/Z.Y.X.rev";
        };
    
    NB: I replaced my real IP network with X.Y.Z

    And from my DNS, I can resolve Internet names.


    I captured packets on my outgoing router, and the DNS requests are going to public DNS servers, and those servers are responding.

    There is no network difference between a dig @8.8.8.8 and requesting my server. When my server requests the public DNS, the packet goes out and comes back, but the DNS answer is empty, whereas with a dig @8.8.8.8 directly from my server, I get a successful DNS answer.

    Very strange, I don't understand what is going on.



    Why is this not working? Could you help me, please?
     
    Last edited: Apr 13, 2020
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    The output you got is what it should be. Your name server, when queried with dig about www.google.com, answers everything it knows about google, which is nothing. You need to query google's nameservers if you want to have some data returned.
    It may be working as it should; your testing method is perhaps not the best way to test.
    As for the forwarders, you can leave it out and your name server still works. The forwarders directive is a way to tell the name server the closest upstream name server, since it may answer faster than always querying authoritative name servers. Usually you put your ISP's name servers as forwarders. Google's name server may not be a good choice.
    There is a book: http://shop.oreilly.com/product/9780596100575.do
     
  3. luthing

    luthing New Member

    Hey Taleman, thanks for your answer.

    I would like to have a DNS server on my lab which resolves names for all my hosts.
    Should this work as I expect? Or are my thoughts wrong?
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I do not know what you expect.
    This is doable. I read the Albitz, Liu book and make Bind configurations following that. With Debian 10 it should just work, unless the configuration gets messed up. The Debian way is to have local configuration files separate from the basic files provided by Debian, so do not edit those, only edit the local files.
    But you already wrote
    so I assumed your local net name server is OK?
    You can use my Tutorial to test your name server is working. The tutorial sets name service up with ISPConfig, but you can ignore that bit and only read the testing parts:
    https://www.howtoforge.com/tutorial/setting-up-your-own-name-service-with-ispconfig/#nbsptesting
     
  5. luthing

    luthing New Member

    I really don't understand what is going on. I am running out of ideas.

    Yes, I have my local domain which is successfully resolved. So I assume my bind DNS server is working fine.
    I just cannot resolve external domain names, whereas when pointing directly to a public DNS from a host, I can resolve them.

    I also tried with your 'host' command instead of 'dig' and the result is the same:
    host <host1.local.lan> <ipDNS>
    >>> the answer is correct
    host www.google.com <ipDNS>
    >> ;; connection timed out; no servers could be reached

    Incomprehensible.
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    My experience is that when installing bind9 on Debian, it resolves external names with no configuration. So my guess is some configuration change on your host prevents this from happening.
     
  7. luthing

    luthing New Member

    My configuration should work, shouldn't it?


    I captured a request which is displayed below:
    The packets are going through my gateway and coming back with no response.

    The packets have been captured on both interfaces (internal and external). The DNS packets are the same, only the <IP_internal_DNS> changes (internal IP on internal interface and external WAN IP on external interface).

    My firewall doesn't seem to alter packets.

    What are your thoughts?
    Many thanks

    Frame 43: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
    Internet Protocol Version 4, Src: <IP_internal_DNS>, Dst: 202.12.27.33
    User Datagram Protocol, Src Port: 55380, Dst Port: 53
    Domain Name System (query)
    Transaction ID: 0x3995
    Flags: 0x0000 Standard query
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
    <Root>: type NS, class IN
    Name: <Root>
    [Name Length: 6]
    [Label Count: 1]
    Type: NS (authoritative Name Server) (2)
    Class: IN (0x0001)
    Additional records
    <Root>: type OPT
    Name: <Root>
    Type: OPT (41)
    UDP payload size: 512
    Higher bits in extended RCODE: 0x00
    EDNS0 version: 0
    Z: 0x8000
    1... .... .... .... = DO bit: Accepts DNSSEC security RRs
    .000 0000 0000 0000 = Reserved: 0x0000
    Data length: 0
    [Response In: 45]

    No. Time Source Destination Protocol Length Info
    44 6.837609 <IP_internal_DNS> 202.12.27.33 DNS 85 Standard query 0x3dc5 A www.google.com OPT

    Frame 44: 85 bytes on wire (680 bits), 85 bytes captured (680 bits)
    Internet Protocol Version 4, Src: <IP_internal_DNS>, Dst: 202.12.27.33
    User Datagram Protocol, Src Port: 45964, Dst Port: 53
    Domain Name System (query)
    Transaction ID: 0x3dc5
    Flags: 0x0010 Standard query
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
    www.google.com: type A, class IN
    Name: www.google.com
    [Name Length: 14]
    [Label Count: 3]
    Type: A (Host Address) (1)
    Class: IN (0x0001)
    Additional records
    <Root>: type OPT
    Name: <Root>
    Type: OPT (41)
    UDP payload size: 512
    Higher bits in extended RCODE: 0x00
    EDNS0 version: 0
    Z: 0x8000
    1... .... .... .... = DO bit: Accepts DNSSEC security RRs
    .000 0000 0000 0000 = Reserved: 0x0000
    Data length: 0
    [Response In: 46]

    No. Time Source Destination Protocol Length Info
    45 6.838711 202.12.27.33 <IP_internal_DNS> DNS 70 Standard query response 0x3995 NS <Root> OPT

    Frame 45: 70 bytes on wire (560 bits), 70 bytes captured (560 bits)
    Internet Protocol Version 4, Src: 202.12.27.33, Dst: <IP_internal_DNS>
    User Datagram Protocol, Src Port: 53, Dst Port: 55380
    Domain Name System (response)
    Transaction ID: 0x3995
    Flags: 0x8600 Standard query response, No error
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
    <Root>: type NS, class IN
    Name: <Root>
    [Name Length: 6]
    [Label Count: 1]
    Type: NS (authoritative Name Server) (2)
    Class: IN (0x0001)
    Additional records
    <Root>: type OPT
    Name: <Root>
    Type: OPT (41)
    UDP payload size: 4096
    Higher bits in extended RCODE: 0x00
    EDNS0 version: 0
    Z: 0x8000
    1... .... .... .... = DO bit: Accepts DNSSEC security RRs
    .000 0000 0000 0000 = Reserved: 0x0000
    Data length: 0
    [Request In: 43]
    [Time: 0.001193000 seconds]

    No. Time Source Destination Protocol Length Info
    46 6.838864 202.12.27.33 <IP_internal_DNS> DNS 85 Standard query response 0x3dc5 A www.google.com OPT

    Frame 46: 85 bytes on wire (680 bits), 85 bytes captured (680 bits)
    Internet Protocol Version 4, Src: 202.12.27.33, Dst: <IP_internal_DNS>
    User Datagram Protocol, Src Port: 53, Dst Port: 45964
    Domain Name System (response)
    Transaction ID: 0x3dc5
    Flags: 0x8210 Standard query response, No error
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
    www.google.com: type A, class IN
    Name: www.google.com
    [Name Length: 14]
    [Label Count: 3]
    Type: A (Host Address) (1)
    Class: IN (0x0001)
    Additional records
    <Root>: type OPT
    Name: <Root>
    Type: OPT (41)
    UDP payload size: 4096
    Higher bits in extended RCODE: 0x00
    EDNS0 version: 0
    Z: 0x8000
    1... .... .... .... = DO bit: Accepts DNSSEC security RRs
    .000 0000 0000 0000 = Reserved: 0x0000
    Data length: 0
    [Request In: 44]
    [Time: 0.001255000 seconds]
     
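As an added example (not code from the thread), a decoder for the 16-bit DNS header flags word, applied to the flag values in the Wireshark dissection above (0x0000, 0x0010, 0x8600, 0x8210) and to the dig result from post #1, whose "flags: qr rd ra; status: SERVFAIL" is reconstructed here as 0x8182. The bit positions are those of RFC 1035 plus the AD/CD bits of RFC 4035; the frame labels are taken from the capture.

```python
"""Decode the 16-bit DNS header flags word (RFC 1035 s4.1.1; AD/CD bits from
RFC 4035) and apply it to the flag values shown in the capture above."""

# Bit layout: QR(15) Opcode(14-11) AA(10) TC(9) RD(8) RA(7) Z(6) AD(5) CD(4) RCODE(3-0)
FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100,
             "ra": 0x0080, "ad": 0x0020, "cd": 0x0010}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def decode_flags(value: int) -> dict:
    """Return {'qr': bool, ..., 'opcode': int, 'rcode': int} for one flags word."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError(f"flags must fit in 16 bits, got {value:#x}")
    flags = {name: bool(value & mask) for name, mask in FLAG_BITS.items()}
    flags["opcode"] = (value >> 11) & 0xF
    flags["rcode"] = value & 0x000F
    return flags


def summarize(value: int) -> str:
    """dig-style rendering, e.g. 'qr rd ra rcode=SERVFAIL'."""
    flags = decode_flags(value)
    names = " ".join(name for name in FLAG_BITS if flags[name])
    return f"{names} rcode={RCODE_NAMES.get(flags['rcode'], flags['rcode'])}".strip()


def needs_tcp_retry(value: int) -> bool:
    """TC=1 in a response means it was cut to fit the advertised UDP payload
    size; the resolver must repeat the query over TCP/53 (RFC 1035 s4.2.1)."""
    flags = decode_flags(value)
    return flags["qr"] and flags["tc"]


# Flag words from the Wireshark dissection in post #7; the last entry is
# reconstructed from the dig output in post #1 ("flags: qr rd ra; status: SERVFAIL").
CAPTURE = [
    ("frame 43 query    NS .", 0x0000),
    ("frame 44 query    A www.google.com", 0x0010),
    ("frame 45 response NS . (from root server 202.12.27.33)", 0x8600),
    ("frame 46 response A www.google.com (from root server)", 0x8210),
    ("post #1 dig reply from the internal server", 0x8182),
]

if __name__ == "__main__":
    for label, value in CAPTURE:
        print(f"{label:56s} {value:#06x}  {summarize(value):26s} "
              f"tcp retry needed: {needs_tcp_retry(value)}")
```

Both root-server responses in the capture carry TC=1 (the queries advertised only a 512-byte UDP payload), so the resolver has to repeat them over TCP port 53 before it can follow the referral. When UDP answers arrive fine but recursion still ends in SERVFAIL, confirming that outbound TCP/53 is permitted on the gateway (for instance with dig +tcp against an external server) is the natural next check.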
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Seems it is not working. Plus you do not show what configuration file it was in #1.
    What I would do, is purge away the current bind installation and configuration. Then install it again, and test it works, including answering about external domains. And I write again like I wrote in #2, that if you find forwarders is not working, remove that directive.
    Only then add your configurations following the instructions in /usr/share/doc/bind9/README.Debian.gz.
     