Bind not resolving domain name
Solution 1
Set
acl recurseallow { 127.0.0.1; 38.130.218.68; 192.168.0.0/24; }; //local network maybe?
allow-query { any; };
recursion { recurseallow; };
About the zone file, try this :
$ttl 60 //for testing purpose. After that set it above 3600
@ IN SOA ns1.euphorics.net. root.euphorics.net. (
2016101901 ; serial
10800 ; refresh (3 hours)
60 ; retry (30 minutes) // after finishing testing, set it above 3600
604800 ; expire (1 week )
38400 ; minimum (1 day)
)
NS ns1.euphorics.net.
NS ns2.euphorics.net.
A 38.130.218.68
IN A 38.130.218.68
ns1 IN A 38.130.218.68
ns2 IN A 38.130.218.68
www IN A 38.130.218.68
Solution 2
You have only allowed certain IP addresses in acl list
acl "trusted" { 127.0.0.1; # ns1 - can be set to localhost 38.130.218.68; # ns2 };
And in allow-query tag, you have called 'trusted' acl, where only local ips are allowed to query.
allow-query { trusted; };
Ideally, for a authoritative server, whole internet should be allowed to query for your domain otherwise, people will not be able to resolve your domain.
In dig query, i am getting Query, status: REFUSED while querying from your server.
Solution 3
@sly1x.... Your server is now acting as open resolver as shown below --
*Kansals-MacBook:~ Kansal$ dig nkn.in @38.130.218.68 +short
180.149.57.82
Kansals-MacBook:~ Kansal$*
Your server may be used to generate DDoS attack on others.
As best practice, it is not advisable to run open resolver, unless and until you have the expertise to do the same.
Either do the following settings in options portion of bind configuration
recursion no;
OR use acl for selectively allowing recursion.
Related videos on Youtube
sly1x
Updated on September 18, 2022Comments
-
sly1x almost 2 years
I have a dedicated server that I can't seem to get my domain name to resolve correctly with bind. I tried many internet searches and compared different config files, but I can't seem to figure it out. I only have one ip address and gateway address.
dig @localhost www.euphorics.net
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> @localhost www.euphorics.net ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58762 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.euphorics.net. IN A ;; ANSWER SECTION: www.euphorics.net. 3600 IN A 38.130.218.68 ;; AUTHORITY SECTION: euphorics.net. 3600 IN NS ns2.euphorics.net. euphorics.net. 3600 IN NS ns1.euphorics.net. ;; ADDITIONAL SECTION: ns1.euphorics.net. 3600 IN A 38.130.218.68 ns2.euphorics.net. 3600 IN A 38.130.218.68 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Wed Oct 19 08:24:26 EDT 2016 ;; MSG SIZE rcvd: 130
/etc/named.conf
// // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // options { listen-on port 53 { 127.0.0.1; 38.130.218.68; }; # listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-transfer { 38.130.218.68; }; # disable zone transfers by default allow-query { trusted; }; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ recursion yes; dnssec-enable yes; dnssec-validation yes; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; acl "trusted" { 127.0.0.1; # ns1 - can be set to localhost 38.130.218.68; # ns2 }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; include "/etc/named/named.conf.local";
/etc/named/named.conf.local
zone "euphorics.net" { type master; file "/etc/named/zones/db.euphorics.net"; # zone file path }; zone "130.38.in-addr.arpa" { type master; file "/etc/named/zones/db.38.130"; # 10.128.0.0/16 subnet };
/etc/named/zones/db.euphorics.net
$TTL 3600 @ IN SOA ns1.euphorics.net. admin.euphorics.net. ( 3 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL ; name servers - NS records euphorics.net. IN NS ns1.euphorics.net. euphorics.net. IN NS ns2.euphorics.net. ; name servers - A records @ A 38.130.218.68 www A 38.130.218.68 ns1.euphorics.net. IN A 38.130.218.68 ns2.euphorics.net. IN A 38.130.218.68
Also I added port 53 tcp/udp to firewalld and also to iptables. I even turned off my firewall to see if that would help, but it didn't. Rebooted bind / server, still no go.
-
Håkan Lindqvist over 7 yearsThis is not good advice from a security point of view! The default value for
recursion
isyes
, so commenting outrecursion yes
; leaves it atyes
. This in combination with overridingallow-query
toany
(do look at the manual for how theallow-*
settings interact when you start overriding one but not the others!) means that you're now running a wide-open recursor! -
Gaurav Kansal over 7 years@Lindqvist... Exactly and an open resolver may be used for generating DDoS attack.
-
sly1x over 7 yearsYeah, I enabled recursion and set acl back to trusted. Never really messed up with bind before since digital ocean / linode already had these things configured....
-
sly1x over 7 yearsI'm sorry I set recursion to no, rebooted server. Thanks for the advice, I can't however connect to the domain name unless the allow-query is set to any. Is this ok or do I need to find an alternative to this solution?
-
Gaurav Kansal over 7 yearsallow-query set to any is required on authoritative servers.
-
Håkan Lindqvist over 7 yearsIt's worth noting that leaving out
allow-query
entirely allows queries to authoritative zones without also having the side-effect of changing what is allowed when it comes to recursion. Do see theallow-*
settings in the manual (specifically how these interact when you start overriding some of them): ftp.isc.org/isc/bind9/cur/9.10/doc/arm/… -
Str82DHeaD over 7 years@Lindqvist you're about right! I missed to point that recursion must be done to certain acl list. Edited : added missing point. Not good if you haven't slept in 24 hours guys...