Bind Forward Zone not Working
Thanks to @LienhartWoitok, I removed the ACL and added this line to for.myhome.lan:
@ IN A 10.0.1.90
This was needed as I was searching for myhome.lan only, and that was not specified anywhere. Adding that allowed me to search the domain itself.
By adding @10.0.1.90 to my dig commands, I forced searching to my domain. I now have a fully functional DNS server for my home lab!!!
Thanks @LienhartWoitok
DrSeussFreak
"Adults are nothing but obsolete children, and the hell with them" - Theodor Seuss Geisel
Updated on September 18, 2022
Comments
-
DrSeussFreak over 1 year
Running Ubuntu 18.04 LTS, and I am trying to configure Bind as a DNS server, for my home lab, as some of the software (VMware) requires DNS to run.
I have the reverse lookup working without issue, but forward lookup returns 0 answers. nslookup also fails to find the domain, and if I change this server to use itself for DNS in "/etc/resolv.conf", it has no network connectivity.
The contents of my bind configs are:
named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
named.conf.options
acl "trusted" {
    10.0.1.90;
    10.0.1.55;
    10.0.1.57;
    10.0.1.58;
    10.0.1.100;
};

options {
    directory "/var/cache/bind";
    recursion yes;                  # enables recursive queries
    allow-recursion { trusted; };   # allows recursive queries from "trusted" clients
    listen-on { 10.0.1.90; };       # ns1 private IP address - listen on private network only
    allow-transfer { none; };       # disable zone transfers by default
    forwarders {
        10.0.1.1;
        8.8.8.8;
        8.8.8.4;
    };
    dnssec-validation no;
    auth-nxdomain no;               # conform to RFC1035
    listen-on-v6 { any; };
};
named.conf.local
zone "myhome.lan" {
    type master;
    file "/etc/bind/for.myhome.lan";
};

zone "1.0.10.in-addr.arpa" {
    type master;
    file "/etc/bind/rev.myhome.lan";
};
for.myhome.lan
$TTL 86400
@       IN  SOA dns-01.myhome.lan. admin.myhome.lan. (
            2018052102  ;Serial
            3600        ;Refresh
            1800        ;Retry
            604800      ;Expire
            86400       ;Minimum TTL
)
; Name Servers - NS records
@       IN  NS  dns-01.myhome.lan.
; Name Servers - A Records
dns-01  IN  A   10.0.1.90
; VMware
vcsa-01 IN  A   10.0.1.100
esxi-01 IN  A   10.0.1.55
esxi-02 IN  A   10.0.1.57
esxi-03 IN  A   10.0.1.58
rev.myhome.lan
$TTL 86400
@       IN  SOA myhome.lan. admin.myhome.lan. (
            2018052101  ;Serial
            3600        ;Refresh
            1800        ;Retry
            604800      ;Expire
            86400       ;Minimum TTL
)
; Name Servers - NS records
@       IN  NS  dns-01.myhome.lan.
; Name Servers - A Records
dns-01  IN  A   10.0.1.90
; PTR Records
90      IN  PTR dns-01.myhome.lan.
100     IN  PTR vcsa-01.myhome.lan.
55      IN  PTR esxi-01.myhome.lan.
57      IN  PTR esxi-02.myhome.lan.
58      IN  PTR esxi-03.myhome.lan.
Checking everything looks good:
root@dns-01:/etc/bind# named-checkconf
root@dns-01:/etc/bind# named-checkzone myhome.lan for.myhome.lan
zone myhome.lan/IN: loaded serial 2018052102
OK
root@dns-01:/etc/bind# named-checkzone myhome.lan rev.myhome.lan
zone myhome.lan/IN: loaded serial 2018052101
OK
But dig and nslookup do not work:
root@dns-01:/etc/bind# dig -x 10.0.1.90

; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> -x 10.0.1.90
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10718
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;90.1.0.10.in-addr.arpa.        IN      PTR

;; ANSWER SECTION:
90.1.0.10.in-addr.arpa. 0       IN      PTR     dns-01.
90.1.0.10.in-addr.arpa. 0       IN      PTR     dns-01.local.

;; Query time: 14 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon May 21 17:14:41 UTC 2018
;; MSG SIZE  rcvd: 97

root@dns-01:/etc/bind# dig myhome.lan

; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> myhome.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;myhome.lan.                    IN      A

;; Query time: 1 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon May 21 17:14:48 UTC 2018
;; MSG SIZE  rcvd: 41

root@dns-01:/etc/bind# nslookup myhome.lan
Server:         127.0.0.53
Address:        127.0.0.53#53

** server can't find myhome.lan: NXDOMAIN
I am banging my head against a wall, any help in identifying the problem would be greatly appreciated!
-
Lienhart Woitok almost 6 years
First thing I would do is to comment out the ACL until the server works, and only then add the ACL back. That way you can determine if the ACL is the problem somehow or something else isn't working.
-
Lienhart Woitok almost 6 years
Second, I realized that you are probably not asking your bind with these dig statements. Can you do them against bind directly? You have to add
@10.0.1.90
to the command.
-
DrSeussFreak almost 6 years
I commented the ACL out, and modified allow-recursion { trusted; }; to allow-recursion { any; };. Everything passed config testing, but no change in dig results.
-
DrSeussFreak almost 6 years
Because it is too long for a comment, see the screenshot below: i.imgur.com/3aO7sMs.png
-
DrSeussFreak almost 6 years
I ran dig against dns-01.myhome.lan and got an answer, it looks right, but nslookup still fails. Also, if I make it the primary DNS server for itself, it fails to have external connectivity.
-
DrSeussFreak almost 6 years
Sorry, I take that back, I now have external connectivity, but nslookup returns a new message:
root@dns-01:/etc/bind# nslookup myhome.lan
Server:         10.0.1.90
Address:        10.0.1.90#53

*** Can't find myhome.lan: No answer
-
Lienhart Woitok almost 6 years
Well, in your zone there is no entry for "myhome.lan", try what
nslookup dns-01.myhome.lan
does
-
DrSeussFreak almost 6 years
That worked!! How would I add an entry for myhome.lan into there? Or do I not need to? With it as it is now, am I ok having DNS set to 10.0.1.90 AND dns-01.myhome.lan?
-
Lienhart Woitok almost 6 years
@ IN A 10.0.1.IP
in the forward zone. Now that we sorted out that your config is actually working you can add back the ACL and test if it still works. If not I would try to add 127.0.0.1
to the ACL.
-
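Added example, not code from the thread: a small zone-file reader that shows why both the accepted answer and Lienhart Woitok's comment above point at the missing apex record. The zone text is constructed from the question's for.myhome.lan, and parse_zone and expected_answer are hypothetical helpers I wrote; with only SOA and NS at the apex, an authoritative server answers a query for myhome.lan with NOERROR and an empty answer section (nslookup's "No answer"), while a name that does not exist at all gets NXDOMAIN.

```python
# Added example: constructed zone text from the question; helpers are hypothetical.
ZONE_BEFORE = """\
$TTL 86400
@ IN SOA dns-01.myhome.lan. admin.myhome.lan. (
        2018052102 ;Serial
        3600 ;Refresh
        1800 ;Retry
        604800 ;Expire
        86400 ;Minimum TTL
)
@ IN NS dns-01.myhome.lan.
dns-01 IN A 10.0.1.90
vcsa-01 IN A 10.0.1.100
"""
# The fix from the answer: an A record for the zone apex itself.
ZONE_AFTER = ZONE_BEFORE + "@ IN A 10.0.1.90\n"

def parse_zone(text, origin):
    """Return {fqdn: {rrtype: [rdata, ...]}} for a small zone file."""
    lines, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop ';' comments
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:                         # record complete: join continuation lines
            lines.append(" ".join(buf))
            buf = []
    records, owner = {}, origin
    for line in lines:
        if line.startswith("$"):               # $TTL / $ORIGIN directives, not records
            if line.startswith("$ORIGIN"):
                origin = line.split()[1]
            continue
        if line[0].isspace():                  # blank owner field: reuse previous owner
            fields = line.split()
        else:
            name, *fields = line.split()
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        while fields and (fields[0].isdigit() or fields[0] == "IN"):   # optional TTL / class
            fields.pop(0)
        records.setdefault(owner, {}).setdefault(fields[0], []).append(" ".join(fields[1:]))
    return records

def expected_answer(records, qname, qtype):
    """Answer category an authoritative server returns for (qname, qtype)."""
    if qname not in records:
        return "NXDOMAIN"                      # the name does not exist at all
    return "ANSWER" if qtype in records[qname] else "NODATA"   # NODATA is nslookup's "No answer"
```

Run it against ZONE_BEFORE and ZONE_AFTER to see the apex query flip from NODATA to ANSWER; the NXDOMAIN in the question's first dig came from systemd-resolved at 127.0.0.53, not from bind.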
DrSeussFreak almost 6 years
I actually don't need the ACL. I had toyed with it, but as this is internal only, I don't see a need for the extra overhead of management.
-
Doug Smythies almost 6 years
You don't actually need the "@". See the Ubuntu Serverguide.
-
DrSeussFreak almost 6 years
Doesn't hurt by being there though. Correct?
-
Doug Smythies almost 6 years
Yes, I was just saying, is all. The Serverguide has both, but in my system I don't have both.
-
DrSeussFreak almost 6 years
Appreciate the heads-up, it is good to know it wasn't needed. I saw both in the examples I was following during setup.