CentOS 7 BIND DNS SERVFAIL when nslookup for internal servers

6,791
    Jul 14 20:25:10 automation automation named[2022]: zone 0.168.192.in-addr.arpa/IN: loading from master file cylonhive.net.revzone failed: permission denied
    Jul 14 20:25:10 automation automation named[2022]: zone 0.168.192.in-addr.arpa/IN: not loaded due to errors.
    Jul 14 20:25:10 automation automation named[2022]: zone cylonhive.net/IN: loading from master file cylonhive.net.zone failed: permission denied
    Jul 14 20:25:10 automation automation named[2022]: zone cylonhive.net/IN: not loaded due to errors.

Your zone files are not loading due to a problem with file permissions. Check the files and make sure that they are readable by the user that named executes as. If you aren't sure what user that is, check the process table after you've started it.
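As an added example (not part of the answer above, and not a BIND tool), the following POSIX shell script does the check the answer asks for: it pulls every `file "..."` statement out of a named.conf, resolves it against the `directory` option, and reports whether the mode bits let the service account read it. The user and group default to `named`, which is the account the CentOS 7 bind package runs named as; the conf path, user and group are all arguments and nothing else is assumed about the system.

```shell
#!/bin/sh
# Added example (not from the answer above): find every zone file a named.conf
# refers to and report whether the classic mode bits let the named service
# account read it. User and group default to "named", the CentOS 7 bind
# package's account (assumption: adjust if your named runs as something else).

# zone_files CONF: print the absolute path of every `file "..."` statement,
# resolved against the `directory "..."` option (BIND's default is /var/named).
# Files pulled in through `include` statements are not followed.
zone_files() {
    awk '
        /^[[:space:]]*directory[[:space:]]+"/ {
            match($0, /"[^"]*"/); dir = substr($0, RSTART + 1, RLENGTH - 2)
        }
        /^[[:space:]]*file[[:space:]]+"/ {
            match($0, /"[^"]*"/); f = substr($0, RSTART + 1, RLENGTH - 2)
            if (f !~ /^\//) f = (dir != "" ? dir : "/var/named") "/" f
            print f
        }' "$1"
}

# can_read USER GROUP FILE: succeed when the owner/group/other read bits allow
# USER (whose primary group is GROUP) to read FILE. Supplementary groups, ACLs,
# parent-directory search bits and SELinux labels are deliberately ignored,
# so a "readable" verdict here is necessary but not sufficient.
can_read() {
    user=$1; group=$2; file=$3
    [ -e "$file" ] || return 1
    set -- $(ls -ld "$file")              # $1=mode string, $3=owner, $4=group
    if [ "$3" = "$user" ]; then pos=2     # owner read bit
    elif [ "$4" = "$group" ]; then pos=5  # group read bit
    else pos=8                            # other read bit
    fi
    [ "$(printf '%s\n' "$1" | cut -c"$pos")" = r ]
}

# check_zone_perms CONF [USER] [GROUP]: one line per zone file ("ok", "MISSING"
# or "DENIED" with owner, group and mode); exit status 1 if any file fails.
check_zone_perms() {
    conf=$1; user=${2:-named}; group=${3:-named}; rc=0
    for f in $(zone_files "$conf"); do
        if can_read "$user" "$group" "$f"; then
            echo "ok      $f"
        elif [ ! -e "$f" ]; then
            echo "MISSING $f"
            rc=1
        else
            echo "DENIED  $f ($(ls -ld "$f" | awk '{print $1, $3, $4}'))"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check-zone-perms.sh /etc/named.conf [user] [group]
if [ $# -ge 1 ]; then
    check_zone_perms "$@"
fi
```

Run it as `sh check-zone-perms.sh /etc/named.conf named named`. It only inspects the owner/group/other bits, so a file that shows as `ok` but still fails to load points at something the script does not see: a parent directory without search permission, an ACL, or on CentOS 7 an SELinux label (`ls -Z` shows it). Once the permissions are fixed, `named-checkconf -z /etc/named.conf` test-loads every zone the way named would and is the quickest confirmation before restarting the service.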


Author: Luke Galutia

Updated on September 18, 2022

Comments

  • Luke Galutia almost 2 years

    I am trying to set up an internal DNS server on CentOS 7 (Scientific Linux 7.3) on a VBox VM so I can install a Puppet server later on...

    The issue I am running into is that DNS seems to be able to resolve things like google.com, and it looks like it is pulling the answers from the local DNS, but when I try to do an nslookup for the DNS server itself, I keep getting a SERVFAIL message, and it resolves to some crazy IP address that is nowhere near my internal IP addresses... Here are some samples of nslookup and dig I am doing from the DNS server itself (automation.cylonhive.net, IP 192.168.0.28):

        # nslookup and dig examples from automation.cylonhive.net
    
        [root@automation automation ~]# nslookup www.cnn.com
        Server:     192.168.0.28
        Address:    192.168.0.28#53
    
        Non-authoritative answer:
        www.cnn.com canonical name = turner-tls.map.fastly.net.
        Name:   turner-tls.map.fastly.net
        Address: 151.101.49.67
    
        [root@automation automation ~]# nslookup www.google.com
        Server:     192.168.0.28
        Address:    192.168.0.28#53
    
        Non-authoritative answer:
        Name:   www.google.com
        Address: 172.217.5.68
    
        # This is where is starts to give the wrong answer
        [root@automation automation ~]# nslookup automation.cylonhive.net
        ;; Got SERVFAIL reply from 192.168.0.28, trying next server
        Server:     68.105.29.11
        Address:    68.105.29.11#53
    
        Non-authoritative answer:
        Name:   automation.cylonhive.net
        Address: 92.242.140.2    # this is not the ip address of the server
    
        [root@automation automation ~]# nslookup automation
        ;; Got SERVFAIL reply from 192.168.0.28, trying next server
        Server:     68.105.29.11
        Address:    68.105.29.11#53
    
        Non-authoritative answer:
        Name:   automation.cylonhive.net
        Address: 92.242.140.2     # this is not the ip address of the server
    
        [root@automation automation ~]# dig www.cnn.com
    
        ; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> www.cnn.com
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26705
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 4096
        ;; QUESTION SECTION:
        ;www.cnn.com.           IN  A
    
        ;; ANSWER SECTION:
        www.cnn.com.        85  IN  CNAME   turner-tls.map.fastly.net.
        turner-tls.map.fastly.net. 11   IN  A   151.101.49.67
    
        ;; Query time: 23 msec
        ;; SERVER: 192.168.0.28#53(192.168.0.28)
        ;; WHEN: Fri Jul 14 11:53:02 CDT 2017
        ;; MSG SIZE  rcvd: 95
    
        [root@automation automation ~]# dig www.google.com
    
        ; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> www.google.com
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38036
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 4096
        ;; QUESTION SECTION:
        ;www.google.com.            IN  A
    
        ;; ANSWER SECTION:
        www.google.com.     270 IN  A   172.217.5.68
    
        ;; Query time: 17 msec
        ;; SERVER: 192.168.0.28#53(192.168.0.28)
        ;; WHEN: Fri Jul 14 11:53:09 CDT 2017
        ;; MSG SIZE  rcvd: 59
    
        [root@automation automation ~]# dig automation.cylonhive.net
    
        ; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> automation.cylonhive.net
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40428
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 4096
        ;; QUESTION SECTION:
        ;automation.cylonhive.net.  IN  A
    
        ;; Query time: 1 msec
        ;; SERVER: 192.168.0.28#53(192.168.0.28) # this is the ip address of the server but it is still showing a SERVFAIL message
        ;; WHEN: Fri Jul 14 11:53:20 CDT 2017
        ;; MSG SIZE  rcvd: 53
    

    Here is my /etc/named.conf file:

        [root@automation automation ~]# cat /etc/named.conf
        //
        // named.conf
        //
        // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
        // server as a caching only nameserver (as a localhost DNS resolver only).
        //
        // See /usr/share/doc/bind*/sample/ for example named configuration files.
        //
        // See the BIND Administrator's Reference Manual (ARM) for details about the
        // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
    
        options {
            listen-on port 53 { any; };
            listen-on-v6 port 53 { ::1; };
            directory   "/var/named";
            dump-file   "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { any; };
    
            /* 
             - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
             - If you are building a RECURSIVE (caching) DNS server, you need to enable 
               recursion. 
             - If your recursive DNS server has a public IP address, you MUST enable access 
               control to limit queries to your legitimate users. Failing to do so will
               cause your server to become part of large scale DNS amplification 
               attacks. Implementing BCP38 within your network would greatly
               reduce such attack surface 
            */
            recursion yes;
    
            dnssec-enable yes;
            dnssec-validation no;
    
            forward only;
            forwarders { 68.105.28.11; 68.105.29.11; 68.105.28.12; };   
    
            /* Path to ISC DLV key */
            bindkeys-file "/etc/named.iscdlv.key";
    
            managed-keys-directory "/var/named/dynamic";
    
            pid-file "/run/named/named.pid";
            session-keyfile "/run/named/session.key";
        };
    
        logging {
                channel default_debug {
                        file "data/named.run";
                        severity dynamic;
                };
        };
    
        // put zones here:
        //-------------------------------------------------
        zone "cylonhive.net" {
        type master;
        file "cylonhive.net.zone";
        allow-update {none; };
        };
    
        zone "0.168.192.in-addr.arpa" {
        type master;
        file "cylonhive.net.revzone";
        allow-update {none; };
        };
    
        //-----------------------------------------------------
    
        zone "." IN {
            type hint;
            file "named.ca";
        };
    
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
    

    Here is my named zone file:

        [root@automation automation ~]# cat /var/named/cylonhive.net.zone 
        $TTL 86400
        @ IN SOA cylonhive.net. root.cylonhive.net. (
         2017071401 ; Serial
         1d ; refresh
         2h ; retry
         4w ; expire
         1h ) ; min cache
         IN NS automation.cylonhive.net.
         IN MX 10 automation.cylonhive.net.
    
        gateway    IN A 192.168.0.1
        dns        IN A 192.168.0.28
        automation IN A 192.168.0.28
        ns         IN CNAME automation
        mail       IN A 192.168.0.28
        client01   IN A 192.168.0.36
    

    Here is the reverse zone file:

        [root@automation automation ~]# cat /var/named/cylonhive.net.revzone 
        $TTL 86400
        @ IN SOA cylonhive.net. root.cylonhive.net. (
         2017071401 ; Serial
         1d ; refresh
         2h ; retry
         4w ; expire
         1h ) ; min cache
         IN NS automation.cylonhive.net.
    
        1     IN PTR gateway.cylonhive.net.
        5     IN PTR automation.cylonhive.net.
        15    IN PTR client01.cylonhive.net.
    

    Here are the /etc/resolv.conf, /etc/hosts, and /etc/hostname files:

        [root@automation automation ~]# cat /etc/resolv.conf
        # Generated by NetworkManager
        search cylonhive.net 192.168.0.28
        nameserver 192.168.0.28
        nameserver 68.105.29.11
        nameserver 68.105.28.12
        ..............................................
    
        [root@automation automation ~]# cat /etc/hosts
        127.0.0.1  localhost localhost.localdomain localhost4 localhost4.localdomain4
        ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    
        # Puppet Master
        192.168.0.28 automation automation.cylonhive.net
    
    
        # Puppet Node
        192.168.0.36 client01 client01.cylonhive.net
    
    
        ..............................................
    
    
        [root@automation automation ~]# cat /etc/hostname 
        automation automation.cylonhive.net 192.168.0.28
    

    I have been working on this for 3 days and I am racking my brain trying to figure this out... It's been a hair-pulling experience. Any help would be appreciated. Knowing my luck, it's probably something simple that my eyes have glazed over and missed. This is my first time setting up an internal DNS server, so I know there can be kind of a learning curve. Thanks all!

    cat messages | grep named | tail -50

        [root@automation automation log]# cat messages | grep named |  tail -50
        Jul 14 20:25:10 automation automation named[2022]: BIND 9 is maintained by Internet Systems Consortium,
        Jul 14 20:25:10 automation automation named[2022]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
        Jul 14 20:25:10 automation automation named[2022]: corporation.  Support and training for BIND 9 are
        Jul 14 20:25:10 automation automation named[2022]: available at https://www.isc.org/support
        Jul 14 20:25:10 automation automation named[2022]: ----------------------------------------------------
        Jul 14 20:25:10 automation automation named[2022]: adjusted limit on open files from 4096 to 1048576
        Jul 14 20:25:10 automation automation named[2022]: found 1 CPU, using 1 worker thread
        Jul 14 20:25:10 automation automation named[2022]: using 1 UDP listener per interface
        Jul 14 20:25:10 automation automation named[2022]: using up to 4096 sockets
        Jul 14 20:25:10 automation automation named[2022]: loading configuration from '/etc/named.conf'
        Jul 14 20:25:10 automation automation named[2022]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
        Jul 14 20:25:10 automation automation named[2022]: initializing GeoIP Country (IPv4) (type 1) DB
        Jul 14 20:25:10 automation automation named[2022]: GEO-106FREE 20160607 Build 1 Copyright (c) 2016 MaxMind
        Jul 14 20:25:10 automation automation named[2022]: initializing GeoIP Country (IPv6) (type 12) DB
        Jul 14 20:25:10 automation automation named[2022]: GEO-106FREE 20160607 Build 1 Copy
        Jul 14 20:25:10 automation automation named[2022]: GeoIP City (IPv4) (type 2) DB not available
        Jul 14 20:25:10 automation automation named[2022]: GeoIP City (IPv4) (type 6) DB not available
        Jul 14 20:25:10 automation automation named[2022]: GeoIP City (IPv6) (type 30) DB not available
        Jul 14 20:25:10 automation automation named[2022]: GeoIP City (IPv6) (type 31) DB not available
        Jul 14 20:25:10 automation automation named[2022]: GeoIP Region (type 3) DB not available
        Jul 14 20:25:10 automation automation named[2022]: GeoIP Region (type 7) DB not available
        Jul 14 20:25:10 automation automation named[2022]: GeoIP ISP (type 4) DB not available
        Jul 14 20:25:10 automation automation named[2022]: GeoIP Org (type 5) DB not available
        Jul 14 20:25:10 automation automation named[2022]: GeoIP AS (type 9) DB not available
        Jul 14 20:25:10 automation automation named[2022]: GeoIP Domain (type 11) DB not available
        Jul 14 20:25:10 automation automation named[2022]: GeoIP NetSpeed (type 10) DB not available
        Jul 14 20:25:10 automation automation named[2022]: using default UDP/IPv4 port range: [1024, 65535]
        Jul 14 20:25:10 automation automation named[2022]: using default UDP/IPv6 port range: [1024, 65535]
        Jul 14 20:25:10 automation automation named[2022]: listening on IPv4 interface lo, 127.0.0.1#53
        Jul 14 20:25:10 automation automation named[2022]: listening on IPv4 interface enp0s17, 192.168.0.28#53
        Jul 14 20:25:10 automation automation named[2022]: listening on IPv6 interface lo, ::1#53
        Jul 14 20:25:10 automation automation named[2022]: generating session key for dynamic DNS
        Jul 14 20:25:10 automation automation named[2022]: sizing zone task pool based on 8 zones
        Jul 14 20:25:10 automation automation named[2022]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
        Jul 14 20:25:10 automation automation named[2022]: command channel listening on 127.0.0.1#953
        Jul 14 20:25:10 automation automation named[2022]: command channel listening on ::1#953
        Jul 14 20:25:10 automation automation named[2022]: managed-keys-zone: journal file is out of date: removing journal file
        Jul 14 20:25:10 automation automation named[2022]: managed-keys-zone: loaded serial 14
        Jul 14 20:25:10 automation automation named[2022]: zone 0.in-addr.arpa/IN: loaded serial 0
        Jul 14 20:25:10 automation automation named[2022]: zone 0.168.192.in-addr.arpa/IN: loading from master file cylonhive.net.revzone failed: permission denied
        Jul 14 20:25:10 automation automation named[2022]: zone 0.168.192.in-addr.arpa/IN: not loaded due to errors.
        Jul 14 20:25:10 automation automation named[2022]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
        Jul 14 20:25:10 automation automation named[2022]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
        Jul 14 20:25:10 automation automation named[2022]: zone localhost.localdomain/IN: loaded serial 0
        Jul 14 20:25:10 automation automation named[2022]: zone localhost/IN: loaded serial 0
        Jul 14 20:25:10 automation automation named[2022]: zone cylonhive.net/IN: loading from master file cylonhive.net.zone failed: permission denied
        Jul 14 20:25:10 automation automation named[2022]: zone cylonhive.net/IN: not loaded due to errors.
        Jul 14 20:25:10 automation automation named[2022]: all zones loaded
        Jul 14 20:25:10 automation automation named[2022]: running
        Jul 14 20:25:10 automation automation audispd: node=automationautomation.cylonhive.net192.168.0.28 type=SERVICE_START msg=audit(1500081910.057:1587): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=named comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
        [root@automation automation log]# 
    
  • Luke Galutia almost 7 years
    Awesome, thanks, it seems to be working now. I did notice that the IP address 92.242.140.2 keeps popping up when I do a dig on the internal server names... kind of weird. ;; ANSWER SECTION: cylonhive. 0 IN A 92.242.140.2, ;; ANSWER SECTION: client01. 0 IN A 92.242.140.2; ;; ANSWER SECTION: automation. 0 IN A 92.242.140.2
  • Andrew B almost 7 years
    Note that those names end in a dot, which means they are fully qualified. dig does not automatically append your domain to the query. When your ISP tries to resolve those names without the domain, they fail, but your ISP hijacks NXDOMAIN responses and returns that IP address instead (which doubtless points at a website).
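As an added illustration of the behaviour described in the comment above (this is not code from the thread), the shell function below reads dig-style answer lines and flags any address that comes back for several unrelated names, which is the footprint of a resolver that swaps NXDOMAIN for a fixed "search page" address. The sample input is constructed from the three single-label names and the address quoted in the thread, plus one ordinary answer for contrast; the threshold and function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread: detect the signature of an upstream
# resolver that answers NXDOMAIN with a fixed address. Input is one
# dig-style answer line per record: "name ttl class type rdata".

# sinkhole_candidates MIN: read answer lines on stdin and print every A/AAAA
# rdata that was returned for at least MIN distinct names, as
# "<address> <count> <comma-separated names>".
sinkhole_candidates() {
    min=${1:-2}
    awk -v min="$min" '
        $4 == "A" || $4 == "AAAA" {
            if (!seen[$5, $1]++) {            # count each name once per address
                count[$5]++
                names[$5] = (names[$5] == "" ? $1 : names[$5] "," $1)
            }
        }
        END {
            for (a in count)
                if (count[a] >= min) print a, count[a], names[a]
        }'
}

# Constructed sample: the three fully qualified single-label names from the
# thread, all answered with TTL 0 and the same address, plus one normal answer.
SAMPLE_ANSWERS='cylonhive. 0 IN A 92.242.140.2
client01. 0 IN A 92.242.140.2
automation. 0 IN A 92.242.140.2
www.google.com. 270 IN A 172.217.5.68'

# report_sinkholes: run the constructed sample through the detector with a
# threshold of two names sharing one address.
report_sinkholes() {
    printf '%s\n' "$SAMPLE_ANSWERS" | sinkhole_candidates 2
}

report_sinkholes
```

Against a live resolver the same function can be fed real data with `dig +noall +answer <name> @<resolver>`, which prints only the answer section in exactly this five-field layout; a handful of deliberately bogus names that all land on one address with TTL 0 is the pattern the comment describes. The fix on the BIND side is the one the thread already arrives at: query the names with the domain attached, so the local authoritative zone answers before any forwarder is consulted.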
  • Andrew B almost 7 years
    Additionally, if your problem has been resolved, please mark this answer as accepted so that the question doesn't show up in searches for unanswered questions. Thanks!
  • Luke Galutia almost 7 years
    OK, awesome, thanks so much for your help with this. Now I will be moving on to installing Puppet and Ansible. :-)