BIND named... unknown host

    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };

These are going to cause you problems because you are only listening on your loopback interfaces; your server will be unavailable to machines other than itself because it is not listening to any external interfaces. Unless you want to block responses on a certain interface, just leave these lines out and BIND will listen on all interfaces by default.

    allow-query     { localhost; };
    recursion yes;

Why are you limiting queries to only localhost if you want this server to serve your local area network? BIND has a built-in ACL "localnets" which matches the immediate local network of each Ethernet interface on the server (e.g. if you have an address of 192.168.1.202 and a netmask of 0xffffff00, "localnets" will include 192.168.1.0/24).

I suggest you instead use:

    allow-query     { localnets; };
    allow-recursion { localnets; };

Start with those changes and if they don't do the trick, do a little debugging using dig. Ping is a fine tool for checking simple connectivity issues, but it's distinctly sub-par for untangling anything complex and DNS-related, which is exactly what dig is meant for. Among other things, if your queries continue to be unsuccessful, dig will tell you (via the return code) in what way they were unsuccessful -- i.e. the server accepted your query but says no such domain name exists (NXDOMAIN), or maybe the server didn't answer you at all (SERVFAIL). Those are two different categories of problem.

Last, but not least, it might help, while debugging, to set up query logging and turn it on and watch what gets logged when you attempt to query the server. BIND's default logging is not meant to drown you in information, but if you kick up the logging a bit it will really tell you just about everything that's running through its head (so to speak). In a large production environment this can have unfortunate performance consequences because of the huge volume of log traffic, but in your own home network serving just a few hosts? Go for it!
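To make the two failure modes in this answer concrete, here is an added Python model (my example, not BIND's code or part of the original answer) that evaluates a query against a listen-on list and an allow-query ACL the way BIND's documented built-in ACLs work: "localhost" matches the server's own interface addresses, "localnets" matches the subnet of each interface. The interface list is an assumption modelled on the question (192.168.1.202/24 plus loopback); note that resolv.conf in the question points at 192.168.1.202, not 127.0.0.1, so the original listen-on breaks even the server's own lookups.

```python
import ipaddress

# Constructed model of the server in the question: loopback plus one
# Ethernet interface at 192.168.1.202 with netmask 255.255.255.0
# (assumption: no other interfaces).
INTERFACES = ["127.0.0.1/8", "192.168.1.202/24"]

def localnets(interfaces):
    """Networks the built-in 'localnets' ACL matches: the subnet of each
    interface, e.g. 192.168.1.202/24 -> 192.168.1.0/24."""
    return [ipaddress.ip_interface(i).network for i in interfaces]

def acl_matches(acl, client, interfaces=INTERFACES):
    """Evaluate an allow-query / allow-recursion list for one client.
    'localhost' is BIND's built-in ACL for the server's own interface
    addresses (not only 127.0.0.1); other entries are CIDR prefixes."""
    client = ipaddress.ip_address(client)
    own_addrs = [ipaddress.ip_interface(i).ip for i in interfaces]
    for entry in acl:
        if entry == "any":
            return True
        if entry == "none":
            return False
        if entry == "localhost":
            if client in own_addrs:
                return True
        elif entry == "localnets":
            if any(client in net for net in localnets(interfaces)):
                return True
        elif client in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def query_outcome(client, dest, listen_on, allow_query, interfaces=INTERFACES):
    """Explain whether a query from `client` to server address `dest` gets an
    answer. listen_on=None models the default: listen on every interface."""
    if listen_on is not None and dest not in listen_on:
        return f"no socket: named is not listening on {dest}"
    if not acl_matches(allow_query, client, interfaces):
        return f"REFUSED: {client} is not permitted by allow-query"
    return "answered"

if __name__ == "__main__":
    # Before: the question's options block. After: the suggested fix.
    for client in ("192.168.1.202", "192.168.1.201", "10.0.0.5"):
        print(client, "before:", query_outcome(client, "192.168.1.202", ["127.0.0.1"], ["localhost"]))
        print(client, "after: ", query_outcome(client, "192.168.1.202", None, ["localnets"]))
```

The "after" run still refuses 10.0.0.5, which is the point of preferring localnets over any: only the LAN gets answers.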

Author: Jake Wilson

Updated on September 18, 2022

Comments

  • Jake Wilson, over 1 year

    I have a very basic home network: A CentOS 6.3 server (storage, DNS, httpd, etc), a desktop, several laptops. I was running an old version of CentOS on the server for a long time (5.4 or something) and just recently upgraded it to 6.3 with a clean wipe and fresh install. I'm trying to get BIND/named set up again, but I cannot seem to ping anything. The DNS is only for the local network, so I can access network computers and the server using specific names and CNAMEs for web development.

    Server has a static IP: 192.168.1.202

    Router (DD-WRT) is the gateway with IP of 192.168.1.1

    The server host name is 'augusta' (cat /etc/hostname). The domain I've chosen is mylocal. So the server full hostname would be augusta.mylocal. This is how I had it set up with my previous CentOS setup and it worked perfectly.

    I've been using Webmin to set up BIND. Here are the relevant files:

    # cat /etc/named.conf
    //
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    
    options {
            listen-on port 53 { 127.0.0.1; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { localhost; };
            recursion yes;
    
            dnssec-enable yes;
            dnssec-validation yes;
            dnssec-lookaside auto;
    
            /* Path to ISC DLV key */
            bindkeys-file "/etc/named.iscdlv.key";
    
            managed-keys-directory "/var/named/dynamic";
            forwarders {
                    192.168.1.1;
                    };
    };
    
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    
    
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    
    zone "mylocal" {
            type master;
            file "/var/named/mylocal.hosts";
            };
    
    # cat /var/named/mylocal.hosts
    $ttl 38400
    mylocal.       IN      SOA     augusta. admin.augusta.mylocal. (
                            1360910107
                            10800
                            3600
                            604800
                            38400 )
    mylocal.       IN      NS      augusta.
    augusta.mylocal.       IN      A       192.168.1.202
    test.mylocal.  IN      CNAME   augusta
    

    You can see it's a very basic setup. I have augusta as the nameserver and a test CNAME that points to augusta.

    When I apply the BIND configuration in Webmin, the following happens in /var/log/messages:

    Feb 14 23:35:59 augusta named[18602]: received control channel command 'stop'
    Feb 14 23:35:59 augusta named[18602]: shutting down: flushing changes
    Feb 14 23:35:59 augusta named[18602]: stopping command channel on 127.0.0.1#953
    Feb 14 23:35:59 augusta named[18602]: stopping command channel on ::1#953
    Feb 14 23:35:59 augusta named[18602]: no longer listening on 127.0.0.1#53
    Feb 14 23:35:59 augusta named[18602]: no longer listening on ::1#53
    Feb 14 23:35:59 augusta named[18602]: exiting
    Feb 14 23:36:02 augusta named[19172]: starting BIND 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 -u named -t /var/named/chroot
    Feb 14 23:36:02 augusta named[19172]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
    Feb 14 23:36:02 augusta named[19172]: ----------------------------------------------------
    Feb 14 23:36:02 augusta named[19172]: BIND 9 is maintained by Internet Systems Consortium,
    Feb 14 23:36:02 augusta named[19172]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
    Feb 14 23:36:02 augusta named[19172]: corporation.  Support and training for BIND 9 are
    Feb 14 23:36:02 augusta named[19172]: available at https://www.isc.org/support
    Feb 14 23:36:02 augusta named[19172]: ----------------------------------------------------
    Feb 14 23:36:02 augusta named[19172]: adjusted limit on open files from 4096 to 1048576
    Feb 14 23:36:02 augusta named[19172]: found 4 CPUs, using 4 worker threads
    Feb 14 23:36:02 augusta named[19172]: using up to 4096 sockets
    Feb 14 23:36:02 augusta named[19172]: loading configuration from '/etc/named.conf'
    Feb 14 23:36:02 augusta named[19172]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
    Feb 14 23:36:02 augusta named[19172]: using default UDP/IPv4 port range: [1024, 65535]
    Feb 14 23:36:02 augusta named[19172]: using default UDP/IPv6 port range: [1024, 65535]
    Feb 14 23:36:02 augusta named[19172]: listening on IPv4 interface lo, 127.0.0.1#53
    Feb 14 23:36:02 augusta named[19172]: listening on IPv6 interface lo, ::1#53
    Feb 14 23:36:02 augusta named[19172]: generating session key for dynamic DNS
    Feb 14 23:36:02 augusta named[19172]: sizing zone task pool based on 1 zones
    Feb 14 23:36:02 augusta named[19172]: using built-in DLV key for view _default
    Feb 14 23:36:02 augusta named[19172]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
    Feb 14 23:36:02 augusta named[19172]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
    Feb 14 23:36:02 augusta named[19172]: automatic empty zone: 0.IN-ADDR.ARPA
    Feb 14 23:36:02 augusta named[19172]: automatic empty zone: 127.IN-ADDR.ARPA
    Feb 14 23:36:02 augusta named[19172]: automatic empty zone: 254.169.IN-ADDR.ARPA
    Feb 14 23:36:02 augusta named[19172]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
    Feb 14 23:36:02 augusta named[19172]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
    Feb 14 23:36:02 augusta named[19172]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
    Feb 14 23:36:02 augusta named[19172]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
    Feb 14 23:36:02 augusta named[19172]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
    Feb 14 23:36:02 augusta named[19172]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
    Feb 14 23:36:02 augusta named[19172]: automatic empty zone: D.F.IP6.ARPA
    Feb 14 23:36:02 augusta named[19172]: automatic empty zone: 8.E.F.IP6.ARPA
    Feb 14 23:36:02 augusta named[19172]: automatic empty zone: 9.E.F.IP6.ARPA
    Feb 14 23:36:02 augusta named[19172]: automatic empty zone: A.E.F.IP6.ARPA
    Feb 14 23:36:02 augusta named[19172]: automatic empty zone: B.E.F.IP6.ARPA
    Feb 14 23:36:02 augusta named[19172]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
    Feb 14 23:36:02 augusta named[19172]: command channel listening on 127.0.0.1#953
    Feb 14 23:36:02 augusta named[19172]: command channel listening on ::1#953
    Feb 14 23:36:02 augusta named[19172]: zone mylocal/IN: loaded serial 1360910107
    Feb 14 23:36:02 augusta named[19172]: managed-keys-zone ./IN: loaded serial 215
    Feb 14 23:36:02 augusta named[19172]: running
    Feb 14 23:36:04 augusta named[19172]: received control channel command 'freeze mylocal'
    Feb 14 23:36:04 augusta named[19172]: freezing zone 'mylocal/IN': success
    Feb 14 23:36:04 augusta named[19172]: received control channel command 'reload mylocal'
    Feb 14 23:36:04 augusta named[19172]: received control channel command 'thaw mylocal'
    Feb 14 23:36:04 augusta named[19172]: thawing zone 'mylocal/IN': success
    

    I don't see anything out of the ordinary there...

    My host DNS settings:

    # cat /etc/resolve.conf
    # Generated by NetworkManager
    search mylocal
    nameserver 192.168.1.202
    nameserver 192.168.1.1
    

    My firewall has port 53 TCP and UDP open. SELinux is disabled.

    From the server itself:

    [root@augusta log]# ping augusta
    ping: unknown host augusta
    
    [root@augusta log]# ping augusta.mylocal
    ping: unknown host augusta.mylocal
    
    [root@augusta log]# ping test
    ping: unknown host test
    
    [root@augusta log]# ping test.mylocal
    ping: unknown host test.mylocal
    

    From a Windows 7 computer on the network (w/ static IP of 192.168.1.201):

    C:\Windows\system32>ping augusta
    Ping request could not find host augusta. Please check the name and try again.
    
    C:\Windows\system32>ping augusta.mylocal
    
    Pinging augusta.mylocal[192.168.1.202] with 32 bytes of data:
    Reply from 192.168.1.202: bytes=32 time<1ms TTL=64
    Reply from 192.168.1.202: bytes=32 time<1ms TTL=64
    Reply from 192.168.1.202: bytes=32 time<1ms TTL=64
    Reply from 192.168.1.202: bytes=32 time<1ms TTL=64
    
    Ping statistics for 192.168.1.202:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms
    
    C:\Windows\system32>ping test
    Ping request could not find host test. Please check the name and try again.
    
    C:\Windows\system32>ping test.mylocal
    Ping request could not find host test.mylocal. Please check the name and try again.
    

    That computer's ipconfig:

    C:\Windows\system32>ipconfig /all
    
    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : windoze-PC
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
    
    Ethernet adapter Local Area Connection:
    
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
       Physical Address. . . . . . . . . : 8C-XX-XX-XX-XX-97
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::xxxx:xxxx:xxxx:bfbc%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.201(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : XXXXXXXXX
       DHCPv6 Client DUID. . . . . . . . : 00-XX-XX-01-18-XX-XX-EA-XX-89-XX-1B-XX-97
    
       DNS Servers . . . . . . . . . . . : 192.168.1.202
                                           192.168.1.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    

    I'm really not sure what I'm missing. I'm far from an expert in Linux server admin, BIND or DNS, but the BIND setup seems to be very basic. I remember setting this up pretty easily in my previous server's CentOS installation (which was about 18 months ago). Not sure why it's just not taking this time.

    If anyone has any clues as to where I should be looking for the problem I would appreciate any pointers. I can also post other relevant info that anyone needs to help troubleshoot the problem.

  • Jake Wilson, about 11 years
    Ah, I did not see those listen-on and allow-query parts. That was the problem after all. What is the difference between those two options? Also, why would CentOS have those options set that way by default? Kind of pointless to make a DNS server if, by default, it only allows queries from itself....
  • Michael McNally, about 11 years
    I have no idea why the CentOS defaults might be set that way unless the intention is that there be an explicit configure step that you missed. Concerning the difference between "allow-query" and "allow-recursion" - one permits authoritative queries (for locally stored authoritative zone data, such as your mylocal. zone) while the other permits recursive queries (queries for data not stored locally, that the machine will have to recurse from the DNS root to obtain). Generally it's not recommended to mix authoritative and recursive functions on the same server, but for your LAN it's OK to do both.