Bind Forward Zone not Working


Thanks to @LienhartWoitok, I removed the ACL and added this line to for.myhome.lan

@ IN A 10.0.1.90

This was needed as I was searching for myhome.lan only, and that was not specified anywhere. Adding that allowed me to search the domain itself.

By adding @10.0.1.90 to my dig commands, I forced searching to my domain. I now have a fully functional DNS server for my home lab!!!

Thanks @LienhartWoitok
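named-checkzone only validates syntax and the serial, so it cannot tell you that the zone has no record for the bare domain or that a PTR disagrees with its A record. The script below is an added example, not code from the question or the answer: it re-types the two posted zone files as inline strings (condensed, with and without the apex A record the answer adds) and checks that the apex has an A record, that every NS target has an A record, and that the forward A records and reverse PTR records agree. The parser, the function names and the zone constants are mine; the parser only handles the record shapes used in the posted files (one record per line, a parenthesised SOA, relative or absolute names).

```python
"""Consistency checks for the forward/reverse zone pair from this thread.
Added example, not code from the question or answer; the zone texts are
condensed re-typings of the posted files, first as posted, then with the
apex A record the answer adds."""

FORWARD_ORIGIN = "myhome.lan"
REVERSE_ORIGIN = "1.0.10.in-addr.arpa"

FORWARD_ZONE_BROKEN = """\
$TTL 86400
@       IN SOA dns-01.myhome.lan. admin.myhome.lan. (
            2018052102 3600 1800 604800 86400 )  ; serial refresh retry expire minimum
@       IN NS  dns-01.myhome.lan.
dns-01  IN A   10.0.1.90
vcsa-01 IN A   10.0.1.100
esxi-01 IN A   10.0.1.55
esxi-02 IN A   10.0.1.57
esxi-03 IN A   10.0.1.58
"""
# The fix from the answer: an A record at the zone apex ("@", i.e. myhome.lan).
FORWARD_ZONE_FIXED = FORWARD_ZONE_BROKEN + "@       IN A   10.0.1.90\n"

REVERSE_ZONE = """\
@    IN SOA myhome.lan. admin.myhome.lan. 2018052101 3600 1800 604800 86400
@    IN NS  dns-01.myhome.lan.
90   IN PTR dns-01.myhome.lan.
100  IN PTR vcsa-01.myhome.lan.
55   IN PTR esxi-01.myhome.lan.
57   IN PTR esxi-02.myhome.lan.
58   IN PTR esxi-03.myhome.lan.
"""

def qualify(name, origin):
    """'@' -> origin, relative 'x' -> x.origin, absolute names unchanged."""
    if name == "@":
        return origin + "."
    return name if name.endswith(".") else f"{name}.{origin}."

def parse_zone(text, origin):
    """[(owner_fqdn, TYPE, rdata)] for one record per line; skips comments,
    $-directives and the parenthesised continuation lines of the SOA."""
    records, owner, in_soa = [], None, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.lstrip().startswith("$"):
            continue
        if in_soa:                      # inside SOA "( ... )": wait for ")"
            in_soa = ")" not in line
            continue
        fields = line.split()
        if line[0].isspace():           # blank owner field: reuse the previous owner
            rest = fields
        else:
            owner, rest = fields[0], fields[1:]
        if rest[0].upper() == "IN":     # optional class
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        in_soa = rtype == "SOA" and "(" in rdata and ")" not in rdata
        records.append((qualify(owner, origin), rtype, rdata))
    return records

def check_forward(records, origin):
    """Problems that make a lookup of the bare domain or an NS name come back empty."""
    apex, problems = origin + ".", []
    a_names = {o for o, t, _ in records if t == "A"}
    if apex not in a_names:
        problems.append(f"no A record at the apex {apex}: 'dig {origin}' gets NOERROR with an empty answer section")
    for _, t, rdata in records:
        if t == "NS" and qualify(rdata, origin) not in a_names:
            problems.append(f"NS target {rdata} has no A record in the zone")
    return problems

def ptr_ip(owner):
    # '90.1.0.10.in-addr.arpa.' -> '10.0.1.90'
    return ".".join(owner.rstrip(".").split(".")[:-2][::-1])

def check_reverse(forward, reverse, r_origin):
    """A <-> PTR agreement between the forward and reverse zones."""
    a_map = {}                          # ip -> names with an A record for it
    for o, t, rdata in forward:
        if t == "A":
            a_map.setdefault(rdata, set()).add(o)
    ptr_map = {ptr_ip(o): qualify(rdata, r_origin)
               for o, t, rdata in reverse if t == "PTR"}
    problems = []
    for ip, names in a_map.items():
        if ip not in ptr_map:
            problems.append(f"{ip} has A record(s) {sorted(names)} but no PTR")
        elif ptr_map[ip] not in names:
            problems.append(f"PTR for {ip} is {ptr_map[ip]} but the forward zone maps it to {sorted(names)}")
    for ip, name in ptr_map.items():
        if ip not in a_map:
            problems.append(f"PTR {ip} -> {name} has no matching A record")
    return problems

def audit(forward_text, reverse_text):
    """All checks for one zone pair; an empty list means the pair is consistent."""
    fwd = parse_zone(forward_text, FORWARD_ORIGIN)
    rev = parse_zone(reverse_text, REVERSE_ORIGIN)
    return check_forward(fwd, FORWARD_ORIGIN) + check_reverse(fwd, rev, REVERSE_ORIGIN)

if __name__ == "__main__":
    for label, zone in (("as posted", FORWARD_ZONE_BROKEN), ("with apex A", FORWARD_ZONE_FIXED)):
        print(label + ":", audit(zone, REVERSE_ZONE) or "consistent")
```

Run against the zone as posted, `audit` reports only the missing apex A record, which is exactly what made `nslookup myhome.lan` against 10.0.1.90 say "No answer"; with the record added it reports nothing. Point the two constants at your real files (read them with `open()`) to use it as a pre-reload check alongside named-checkzone.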


Author: DrSeussFreak

Updated on September 18, 2022

Comments

  • DrSeussFreak
    DrSeussFreak over 1 year

    Running Ubuntu 18.04 LTS, and I am trying to configure Bind as a DNS server, for my home lab, as some of the software (VMware) requires DNS to run.

    I have the reverse lookup working without issue, but forward lookup returns 0 answers. nslookup also fails to find the domain, and if I change this server to use itself for DNS in "/etc/resolv.conf", it has no network connectivity.

    The contents of my bind configs are:

    named.conf

    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
    

    named.conf.options

    acl "trusted" {
            10.0.1.90;
            10.0.1.55;
            10.0.1.57;
            10.0.1.58;
            10.0.1.100;
    };
    
    options {
            directory "/var/cache/bind";
    
            recursion yes;                 # enables recursive queries
            allow-recursion { trusted; };  # allows recursive queries from "trusted" clients
            listen-on { 10.0.1.90; };   # ns1 private IP address - listen on private network only
            allow-transfer { none; };      # disable zone transfers by default
    
            forwarders {
                    10.0.1.1;
                    8.8.8.8;
                    8.8.4.4;   # Google Public DNS secondary is 8.8.4.4 (the post had 8.8.8.4, which is not a public resolver)
            };
    
            dnssec-validation no;
    
            auth-nxdomain no;    # conform to RFC1035
            listen-on-v6 { any; };
    };
    

    named.conf.local

    zone "myhome.lan" {
            type master;
            file "/etc/bind/for.myhome.lan";
    };
    
    zone "1.0.10.in-addr.arpa" {
            type master;
            file "/etc/bind/rev.myhome.lan";
    };
    

    for.myhome.lan

    $TTL 86400
    @   IN  SOA    dns-01.myhome.lan. admin.myhome.lan. (
            2018052102  ;Serial
            3600        ;Refresh
            1800        ;Retry
            604800      ;Expire
            86400       ;Minimum TTL
    )
    
    ; Name Servers - NS records
    @        IN      NS      dns-01.myhome.lan.
    
    ; Name Servers - A Records
    dns-01  IN      A       10.0.1.90
    
    ; VMware
    
    vcsa-01 IN      A       10.0.1.100
    esxi-01 IN      A       10.0.1.55
    esxi-02 IN      A       10.0.1.57
    esxi-03 IN      A       10.0.1.58
    

    rev.myhome.lan

    $TTL 86400
    @   IN  SOA     myhome.lan. admin.myhome.lan. (
            2018052101  ;Serial
            3600        ;Refresh
            1800        ;Retry
            604800      ;Expire
            86400       ;Minimum TTL
    )
    
    ; Name Servers - NS records
    @       IN      NS      dns-01.myhome.lan.
    
    ; Name Servers - A Records
    dns-01  IN      A       10.0.1.90
    
    ; PTR Records
    90      IN      PTR     dns-01.myhome.lan.
    100     IN      PTR     vcsa-01.myhome.lan.
    55      IN      PTR     esxi-01.myhome.lan.
    57      IN      PTR     esxi-02.myhome.lan.
    58      IN      PTR     esxi-03.myhome.lan.
    

    Checking that everything looks good:

    root@dns-01:/etc/bind# named-checkconf
    root@dns-01:/etc/bind# named-checkzone myhome.lan for.myhome.lan 
    zone myhome.lan/IN: loaded serial 2018052102
    OK
    root@dns-01:/etc/bind# named-checkzone myhome.lan rev.myhome.lan    
    zone myhome.lan/IN: loaded serial 2018052101
    OK
    

    But dig and nslookup do not work:

    root@dns-01:/etc/bind# dig -x 10.0.1.90
    
    ; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> -x 10.0.1.90
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10718
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 65494
    ;; QUESTION SECTION:
    ;90.1.0.10.in-addr.arpa.                IN      PTR
    
    ;; ANSWER SECTION:
    90.1.0.10.in-addr.arpa. 0       IN      PTR     dns-01.
    90.1.0.10.in-addr.arpa. 0       IN      PTR     dns-01.local.
    
    ;; Query time: 14 msec
    ;; SERVER: 127.0.0.53#53(127.0.0.53)
    ;; WHEN: Mon May 21 17:14:41 UTC 2018
    ;; MSG SIZE  rcvd: 97
    
    root@dns-01:/etc/bind# dig myhome.lan
    
    ; <<>> DiG 9.11.3-1ubuntu1-Ubuntu <<>> myhome.lan
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51346
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 65494
    ;; QUESTION SECTION:
    ;myhome.lan.                  IN      A
    
    ;; Query time: 1 msec
    ;; SERVER: 127.0.0.53#53(127.0.0.53)
    ;; WHEN: Mon May 21 17:14:48 UTC 2018
    ;; MSG SIZE  rcvd: 41
    
    root@dns-01:/etc/bind# nslookup myhome.lan
    Server:         127.0.0.53
    Address:        127.0.0.53#53
    
    ** server can't find myhome.lan: NXDOMAIN
    

    I am banging my head against a wall, any help in identifying the problem would be greatly appreciated!

    • Lienhart Woitok
      Lienhart Woitok almost 6 years
      First thing I would do is comment out the ACL until the server works and only then add the ACL back. That way you can determine if the ACL is the problem somehow or something else isn't working.
    • Lienhart Woitok
      Lienhart Woitok almost 6 years
      Second, I realized that you are probably not asking your bind with these dig statements. Can you do them against bind directly? You have to add @10.0.1.90 to the command.
    • DrSeussFreak
      DrSeussFreak almost 6 years
      I commented the ACL out, and modified allow-recursion { trusted; }; to allow-recursion { any; };, everything passed config testing, but no change in dig results.
    • DrSeussFreak
      DrSeussFreak almost 6 years
      Because it is too long for a comment, see the screenshot below: i.imgur.com/3aO7sMs.png
    • DrSeussFreak
      DrSeussFreak almost 6 years
      I ran dig against dns-01.myhome.lan and got an answer, it looks right, but nslookup still fails. Also, if I make itself the primary DNS server for itself, it fails to have external connectivity.
    • DrSeussFreak
      DrSeussFreak almost 6 years
      Sorry, I take that back, I now have external connectivity, but nslookup returns a new message: root@dns-01:/etc/bind# nslookup myhome.lan Server: 10.0.1.90 Address: 10.0.1.90#53 *** Can't find myhome.lan: No answer
    • Lienhart Woitok
      Lienhart Woitok almost 6 years
      Well, in your zone there is no entry for "myhome.lan", try what nslookup dns-01.myhome.lan does
    • DrSeussFreak
      DrSeussFreak almost 6 years
      That worked!! How would I add an entry for myhome.lan into there? OR, do I not need to? With it as it is now, am I ok having DNS set to 10.0.1.90 AND dns-01.myhome.lan?
    • Lienhart Woitok
      Lienhart Woitok almost 6 years
      @ IN A 10.0.1.IP in the forward zone. Now that we sorted out that your config is actually working you can add back the ACL and test if it still works. If not I would try to add 127.0.0.1 to the ACL.
    • DrSeussFreak
      DrSeussFreak almost 6 years
      I actually don't need the ACL, I had toyed with it, but as this is internal only, I don't see a need for the extra overhead of management
  • Doug Smythies
    Doug Smythies almost 6 years
    You don't actually need the "@". See the Ubuntu Serverguide.
  • DrSeussFreak
    DrSeussFreak almost 6 years
    Doesn't hurt by being there though. Correct?
  • Doug Smythies
    Doug Smythies almost 6 years
    Yes, I was just saying is all. The serverguide has both, but in my system I don't have both.
  • DrSeussFreak
    DrSeussFreak almost 6 years
    Appreciate the heads-up, it is good to know it wasn't needed. I saw both in the examples I was following during setup.
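One caveat on the ACL discussion above. The poster's server is not only authoritative for myhome.lan, it is also a recursive forwarder to 10.0.1.1 and Google Public DNS, and `allow-recursion { any; }` makes that recursion available to anything that can reach 10.0.1.90. On an isolated home LAN that is a choice the poster is entitled to make; the ACL was never the cause of the NXDOMAIN (the dig output shows the queries were answered by the local stub resolver at 127.0.0.53, not by BIND), so keeping it costs nothing. The following named.conf.options is an added example, not the poster's final configuration: it keeps the "trusted" ACL, adds the loopback addresses the commenter suggested (and listens on loopback so that `dig @127.0.0.1` works), restricts recursion to the ACL while leaving authoritative answers for myhome.lan open to any client, and stops listening on every IPv6 address. The 10.0.1.0/24 subnet, the loopback entries and the IPv6 choice are assumptions for a home lab.

```conf
// /etc/bind/named.conf.options -- added example, not the poster's final config.
acl "trusted" {
        127.0.0.1;      // queries from dns-01 itself (dig @127.0.0.1)
        ::1;
        10.0.1.0/24;    // the home-lab subnet (assumed); list single hosts instead if preferred
};

options {
        directory "/var/cache/bind";

        listen-on { 10.0.1.90; 127.0.0.1; };
        listen-on-v6 { ::1; };          // was { any; }: do not expose a global v6 address by accident

        allow-query { any; };           // authoritative answers for myhome.lan for every client
        recursion yes;
        allow-recursion { trusted; };   // recursion, and therefore the forwarders, only for the ACL
        allow-transfer { none; };       // no zone transfers (AXFR) to anyone

        forwarders {
                10.0.1.1;
                8.8.8.8;
                8.8.4.4;
        };
        // forward only;                // uncomment to never fall back to the root servers

        // "auto" validates against the built-in root trust anchor; keep "no" (as the
        // poster did) if the upstream forwarder strips DNSSEC records.
        dnssec-validation auto;

        auth-nxdomain no;               // conform to RFC1035
};
```

After editing, `named-checkconf` and `rndc reload` as before, then test from a host outside the ACL: `dig @10.0.1.90 vcsa-01.myhome.lan` should still answer, while `dig @10.0.1.90 example.com` should come back REFUSED.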