DNS issues, trying to get dns to work on both local network and external network

Discussion in 'Installation/Configuration' started by LouTux, Oct 22, 2022.

  1. LouTux

    LouTux Member

    Hi,
    I have installed ISPConfig 3 a while ago now, following the usual installation guide. Everything worked until I started setting up the server as a DNS server today. Before this morning, I was using another DNS server and simply pointed all records to my external static IP. But that DNS server provider did not provide support for many types of DNS records such as DMARC and DKIM. So I started working on transferring all zones to ISPConfig. I have several issues. You see, I need to access the server from a local LAN but also externally through 2 WANs.

    So for example, for mydomain.com, I need it to respond with a 192.168.XX.253 address, while when receiving a connection from a WAN IP, I need it to respond with the proper external IP. After a good amount of testing from the internal network, it seemed like I was going to be able to make it work. But as soon as I got back home from work and tried to resolve mydomain.com, I was receiving both IPs (as I expected).

    When testing on the internal network I get:
    Code:
    $ nslookup mydomain.com
    ;; Got recursion not available from 192.168.XX.253, trying next server
    Server:        192.168.XX.254
    Address:    192.168.XX.254#53
    
    Non-authoritative answer:
    Name:    mydomain.com
    Address: a.b.c.d
    And from the external network I get:
    Code:
    $ nslookup mydomain.com
    Server:        192.168.2.1
    Address:    192.168.2.1#53
    
    Non-authoritative answer:
    Name:    mydomain.com
    Address: 192.168.XX.253
    Name:    mydomain.com
    Address: a.b.c.d
    Here is my /etc/bind/named.conf.options
    Code:
    $ cat /etc/bind/named.conf.options
    options {
        directory "/var/cache/bind";
    
        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See ..
    
        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.
    
    //    forwarders {
    //        8.8.8.8;
    //        8.8.4.4;
    //    };
    
        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See ...
        //========================================================================
        dnssec-enable yes;
        dnssec-validation yes;
    
        version "unknown";
    
        allow-transfer {none;};
    
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
    
    //    allow-query-cache { none; };
    //    recursion yes;
    //    additional-from-auth no;
    //    additional-from-cache no;
    //    minimal-responses yes;
    };
    
    All settings are set to default. I tried with recursion set to yes, no and not set. No difference.
    PS: I have replaced the domain name and IPs to secure them. The external IP is represented by a.b.c.d, the internal IP by 192.168.XX.253 and the real public domain by mydomain.com.

    Help is most welcome, I need to get this fixed as soon as possible.
     
    Last edited: Oct 25, 2022
  2. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    A simpler solution is using another hostname or domain name in the internal network. That way you can get the intranet IP when on the local network.
    My signature has a link to a DNS setup tutorial.
     
  4. LouTux

    LouTux Member

    It may work on small networks with a low number of users, because this means explaining to all users that they must use a different address on the local network. And configurations such as email will cause problems.

    Unless I did not understand your solution, that is.

    Regards
     
  5. LouTux

    LouTux Member

    Working on getting this solution to work. I just noticed that my config file was also including other conf files. So I need to match those too.
     
  6. LouTux

    LouTux Member

    Alright, so after getting the bind9 service to start correctly, I tried from another system on the same network and got:

    Code:
    ;; Got recursion not available from 192.168.20.253, trying next server
     
    Last edited: Oct 25, 2022
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Code:
    ;; Got recursion not available from 192.168.20.253, trying next server
    What command was used to get that output?
     
  8. LouTux

    LouTux Member

    Code:
    nslookup mydomain.com
    With the ISPConfig server as the first DNS server.
     
    Last edited: Oct 25, 2022
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    That "recursion not available" warning is a feature of nslookup.
    Try the command host on a Linux or Unix computer; then that message is not shown.
     
  10. LouTux

    LouTux Member

    From a Debian box:
    Code:
    nslookup mydomain.com
    ;; Got recursion not available from 192.168.20.253, trying next server
    
    From my macbook
    Code:
    nslookup mydomain.com
    ;; Got recursion not available from 192.168.20.253, trying next server
    
     
  11. LouTux

    LouTux Member

    Whether or not it is a feature, I should be getting a reply from the server. But I am not. The only way I actually get a reply is when I specify the server. But then again, it sends out both IPs instead of one (internal):
    Code:
    nslookup mydomain.com 192.168.XX.253
    Server:        192.168.XX.253
    Address:    192.168.XX.253#53
    
    Name:    mydomain.com
    Address: 192.168.XX.253
    Name:    mydomain.com
    Address: a.b.c.d
    
     
  12. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    there's not really much info for us to help you with here.
    we'd have to see what you have configured in named.conf, named.conf.local and the internal and external zone files.
     
  13. LouTux

    LouTux Member

    Ok sure, I wanted to avoid publishing the info but I understand the difficulty.
    Here is my named.conf
    Code:
    $ cat named.conf
    // This is the primary configuration file for the BIND DNS server named.
    //
    // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
    // structure of BIND configuration files in Debian, *BEFORE* you customize
    // this configuration file.
    //
    // If you are just adding zones, please do that in /etc/bind/named.conf.local
    
    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local.default-zones";
    //include "/etc/bind/named.conf.local";
    //include "/etc/bind/named.conf.default-zones";
    
    named.conf.options
    Code:
    $ cat named.conf.options
    options {
        directory "/var/cache/bind";
    
        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
    
        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.
    
    //    forwarders {
    //        8.8.8.8;
    //        8.8.4.4;
    //    };
    
        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-enable yes;
        dnssec-validation yes;
    
        version "unknown";
    
        allow-transfer { none; };
    
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
    
    //    allow-query-cache { none; };
    //    recursion yes;
    //    additional-from-auth no;
    //    additional-from-cache no;
    //    minimal-responses yes;
    };
    
    named.conf.local.default-zones
    Code:
    acl internals {
      127.0.0.0/8;
      192.168.20.0/24;
      192.168.40.0/24;
      192.168.70.0/24;
      192.168.80.0/24;
      192.168.90.0/24;
      192.168.130.0/24;
    };
    
    view "internal" {
      match-clients { internals; };
      recursion yes;
      zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
      };
      zone "localhost" {
        type master;
        file "/etc/bind/db.local";
      };
      zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
      };
      zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
      };
      zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
      };
      zone "250.65.76.in-addr.arpa" {
        type master;
        file "/etc/bind/pri.250.65.76.in-addr.arpa";
      };
      zone "20.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/pri.20.168.192.in-addr.arpa";
      };
      zone "albcie.com" {
        type master;
        file "/etc/bind/internals/pri.albcie.com";
      };
      zone "albgroupe.com" {
        type master;
        file "/etc/bind/internals/pri.albgroupe.com";
      };
      zone "albcustoms.com" {
        type master;
        file "/etc/bind/internals/pri.albcustoms.com";
      };
      zone "int.albcustoms.com" {
        type master;
        file "/etc/bind/internals/pri.int.albcustoms.com";
      };
      zone "laswitchtech.com" {
        type master;
        file "/etc/bind/internals/pri.laswitchtech.com";
      };
    };
    
    view "external" {
      match-clients { any; };
      recursion no;
      zone "." {
        type hint;
        file "/usr/share/dns/root.hints";
      };
      zone "localhost" {
        type master;
        file "/etc/bind/db.local";
      };
      zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
      };
      zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
      };
      zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
      };
      zone "250.65.76.in-addr.arpa" {
        type master;
        file "/etc/bind/pri.250.65.76.in-addr.arpa";
      };
      zone "albcie.com" {
        type master;
        file "/etc/bind/externals/pri.albcie.com";
      };
      zone "albgroupe.com" {
        type master;
        file "/etc/bind/externals/pri.albgroupe.com";
      };
      zone "albcustoms.com" {
        type master;
        file "/etc/bind/externals/pri.albcustoms.com";
      };
      zone "int.albcustoms.com" {
        type master;
        file "/etc/bind/externals/pri.int.albcustoms.com";
      };
      zone "laswitchtech.com" {
        type master;
        file "/etc/bind/externals/pri.laswitchtech.com";
      };
    };
    
    Here is /etc/bind/externals/pri.laswitchtech.com
    Code:
    $ cat /etc/bind/externals/pri.laswitchtech.com
    $TTL        3600
    @       IN      SOA     ns1.laswitchtech.com. support.laswitchtech.com. (
                            2022102410       ; serial, todays date + todays serial #
                            7200              ; refresh, seconds
                            540              ; retry, seconds
                            604800              ; expire, seconds
                            3600 )            ; minimum, seconds
    ;
    
    laswitchtech.com. 3600      A          76.65.250.237
    mail 3600      A          76.65.250.237
    ns1 3600      A          76.65.250.237
    ns2 3600      A          76.65.250.237
    www 3600      A          76.65.250.237
    laswitchtech.com. 3600      MX     10  mail.laswitchtech.com.
    laswitchtech.com. 3600      MX     20  webman-02.albcie.com.
    laswitchtech.com. 3600      NS         ns1.laswitchtech.com.
    laswitchtech.com. 3600      NS         ns2.laswitchtech.com.
    default._domainkey.laswitchtech.com. 3600      TXT        "v=DKIM1; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA07qJQXRgQrOkqnlugz2aUeMQ+Dsyz8hNYzuHDlqcyWTiyJJPRYnzpkLxGOqa5CfvExzbPlaqEa7EjwVynfs8ifECbUu87sDS6l+wJiTVTeOcccAs058W5cE1GXaCgKsKJRCvkNI2ZCefp9eFYmdWdJqU6GRgzsSN2wobidgBb3xcWk88E7HWXnqHuofXKOgxyBR" "d0F/X6nO9jQpatN7wkyIMw8GBbDp0/ntUvZrmasGMD+bWNr3WBQgC6eC4c5DFNtY4VM6ehIduaPG6JexvqNTexcI9oWau9/zb1Kt5aXrSlB+x0r/FGCvBnFQR+KjZTmm3UthrupbeS+RaAgDygQIDAQAB"
    laswitchtech.com. 3600      TXT        "v=spf1 mx a ~all"
    _dmarc.laswitchtech.com. 3600      TXT        "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]"
    
    Here is /etc/bind/internals/pri.laswitchtech.com
    Code:
    $ cat /etc/bind/internals/pri.laswitchtech.com
    $include "/etc/bind/externals/pri.laswitchtech.com"
    laswitchtech.com. 3600      A          192.168.20.253
    mail 3600      A          192.168.20.253
    ns1 3600      A          192.168.20.253
    ns2 3600      A          192.168.20.253
    www 3600      A          192.168.20.253
    
     
    Last edited: Oct 25, 2022
  14. LouTux

    LouTux Member

    Also note that I am sending the requests from the LAB Network 192.168.70.0/24
     
  15. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    are you using vlans? do all these subnets go through a central router/firewall?
    just thinking one possibility might be that the request is getting routed out to the external interface of your office firewall before making its way back in to the dns server.

    maybe try putting your macbook on to the 192.168.20.* subnet and try it from there..

    also, for any devices you put on the 192.168.70.* subnet, what do the network settings show they're using for their dns servers?
     
  16. LouTux

    LouTux Member

    Hi,
    Firstly, they are VLANs and they are all routed centrally through the same pfSense router.
    The 192.168.20.0/24 subnet is the DMZ VLAN, used for the wifi access points and the web server.
    The 192.168.70.0/24 subnet is the LAB VLAN, used for testing equipment and configurations and pretty much anything else before they are moved to their proper VLAN.
    Running an nslookup from the DMZ VLAN outputs the same thing. The DHCP servers set up on both the LAB and DMZ networks are providing 192.168.20.253 as the first DNS server and the router as the second DNS server.
     
    Last edited: Oct 25, 2022
  17. LouTux

    LouTux Member

    I went into the router's configuration and removed the router's IP from the DNS servers.
    This resulted in getting replies from the 192.168.20.253 DNS server. But on the other hand I cannot resolve any other DNS queries. So for example, I can no longer resolve google.com. Therefore, I reverted back to using the 2 DNS servers. Maybe configuring 192.168.20.253 (ISPConfig) with DNS forwarding would fix that issue. But I don't know if bind9 supports it.
     
  18. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    try configuring forwarders in named.conf.options. put your isp's nameserver ips in there.

    Code:
    forwarders {
    a.b.c.d;a.b.c.d;
    };
    
     
  19. LouTux

    LouTux Member

    Actually I tried adding Google's DNS server as a forwarder before. You can see this in named.conf.options above. When I tested and didn't see any difference, I commented the lines out.
    I chose Google's DNS server because I have 2 different ISPs for redundancy, because if one connection fails, I would not be able to reach its nameservers. I'll still try again tomorrow.
     
  20. LouTux

    LouTux Member

    Ok, so after some digging, I found that my router was forwarding all DNS requests back to the DNS server, which created a loop. So I fixed that part.

    Now I am still having difficulties handling the priority of DNS records. The internal network, for example, should receive 192.168.20.253 for a domain such as laswitchtech.com. But I am instead receiving this:
    Code:
    $ nslookup laswitchtech.com
    Server:        192.168.20.253
    Address:    192.168.20.253#53
    
    Name:    laswitchtech.com
    Address: 76.65.250.237
    Name:    laswitchtech.com
    Address: 192.168.20.253
    
    So I am receiving the external IP first and then the internal one, which causes massive lags accessing resources on the web server because the client needs to wait for the non-response from the first IP before trying the second one.

    Externally though, I seem to be receiving only 76.65.250.237 using a tool like https://mxtoolbox.com/
     
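The double answer in post 20 follows from the internal zone file in post 13 `$include`-ing the entire external file, so in the internal view every name carries both A records. As an added example (not from the thread or from BIND), this Python script follows `$INCLUDE` across constructed, trimmed copies of those two zone files and flags every name that mixes a private and a public address:

```python
import ipaddress
import re

# Constructed copies of the two zone files posted above, trimmed to the
# records that matter; keyed by path so $INCLUDE can be followed offline.
ZONE_FILES = {
    "/etc/bind/externals/pri.laswitchtech.com": """\
laswitchtech.com. 3600 A 76.65.250.237
mail 3600 A 76.65.250.237
www 3600 A 76.65.250.237
laswitchtech.com. 3600 MX 10 mail.laswitchtech.com.
""",
    "/etc/bind/internals/pri.laswitchtech.com": """\
$include "/etc/bind/externals/pri.laswitchtech.com"
laswitchtech.com. 3600 A 192.168.20.253
mail 3600 A 192.168.20.253
www 3600 A 192.168.20.253
""",
}

# owner [ttl] [IN] A address  (TTL and class are optional in a zone file)
A_RR = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)$", re.I)

def a_records(path, origin, files=ZONE_FILES):
    """Return {fqdn: set(addresses)} for one zone file, following $INCLUDE."""
    found = {}
    for line in files[path].splitlines():
        line = line.split(";")[0].strip()   # drop comments (none quoted here)
        if line.upper().startswith("$INCLUDE"):  # BIND matches directives case-insensitively
            included = line.split()[1].strip('"')
            for owner, addrs in a_records(included, origin, files).items():
                found.setdefault(owner, set()).update(addrs)
            continue
        if not (m := A_RR.match(line)):
            continue                         # MX, TXT, SOA, blank lines ...
        owner = m.group(1)
        owner = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        found.setdefault(owner.rstrip("."), set()).add(m.group(2))
    return found

def split_horizon_leaks(path, origin):
    """Names whose A records mix RFC1918 and public addresses. Served from the
    internal view, such a name answers with both IPs, as in the nslookup above."""
    leaks = {}
    for owner, addrs in a_records(path, origin).items():
        private = {a for a in addrs if ipaddress.ip_address(a).is_private}
        if private and private != addrs:
            leaks[owner] = sorted(addrs)
    return leaks

if __name__ == "__main__":
    print(split_horizon_leaks("/etc/bind/internals/pri.laswitchtech.com", "laswitchtech.com"))
```

Run against the internal file it reports laswitchtech.com, mail and www; against the external file alone it reports nothing. Keeping the records shared by both views (SOA, NS, MX, TXT) in a separate included file, with each view's A records only in its own file, removes the overlap.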
