CentOS BIND DNS Troubleshooting?


Some suggestions:

Remove the two Google nameservers from your resolv.conf. Your nameserver is failing, but you're not getting much useful information because nslookup is falling through to the next nameserver.

Use dig instead of nslookup. The status response from dig is helpful in troubleshooting.

dig @192.168.100.10 mac1.max.app. a
dig @192.168.100.10 max.app. ns

Make sure you check your logs to see if your zone is actually loading.

Check netstat to make sure named is listening on port 53 of the appropriate interface.
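Reading a dig response the way this answer suggests, as an added example (this is editor-supplied code, not part of the answer or of the question). It parses the status code, the header flags and the record sections, and maps each shape of response to the next item on the checklist above: no reply points at the firewall or listen-on, REFUSED at allow-query, SERVFAIL at the zone failing to load, a missing aa flag at a cached or forwarded answer, and NOERROR with an empty answer and an SOA in the authority section at a name that exists but has no record of that type. The first two sample responses are the dig outputs posted in the question further down; the timeout is constructed.

```python
"""Triage dig output by status code and flags, as the answer recommends.

Added example, not code from the answer or the question. The first two
responses are the dig outputs posted in the question (the A query and the
NS query); the third is a constructed timeout so the no-reply path is
exercised too.
"""
import re

A_QUERY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48036
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;mac1.max.app.      IN  A

;; ANSWER SECTION:
mac1.max.app.   86400   IN  A   192.168.100.15

;; AUTHORITY SECTION:
max.app.        86400   IN  NS  dns1.max.app.

;; ADDITIONAL SECTION:
dns1.max.app.       86400   IN  A   192.168.100.10

;; SERVER: 192.168.100.10#53(192.168.100.10)
"""

NS_QUERY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28099
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mac1.max.app.      IN  NS

;; AUTHORITY SECTION:
max.app.        86400   IN  SOA dns1.max.app. email.gmail.com. 2001062501 21600 3600 604800 86400
"""

TIMEOUT = ";; connection timed out; no servers could be reached\n"  # constructed

# What each verdict means for the next step in the answer's checklist.
NEXT_STEP = {
    "NO-REPLY": "nothing answering on 53: check iptables, listen-on and netstat",
    "REFUSED": "allow-query ACL rejects this client address",
    "SERVFAIL": "zone did not load: read the named log",
    "NXDOMAIN": "name is absent from the zone the server is actually serving",
    "NOT-AUTHORITATIVE": "answer came from cache or a forwarder, not this server's zone",
    "NODATA": "name exists but has no record of that type (NS records sit at the zone apex)",
    "AUTHORITATIVE": "server serves the zone: now compare the rdata with the zone file",
}


def parse_dig(text):
    """Extract status, flags and the ANSWER/AUTHORITY/ADDITIONAL records."""
    status = re.search(r"status: ([A-Z]+)", text)
    flags = re.search(r"flags: ([a-z ]*);", text)
    result = {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": [],
    }
    section = None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r";; (ANSWER|AUTHORITY|ADDITIONAL) SECTION:", line)
        if header:
            section = header.group(1)
        elif line and not line.startswith(";") and section:
            # record lines: owner ttl class type rdata
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            result[section].append((owner.lower(), int(ttl), rtype, rdata))
    return result


def triage(text, qname, qtype):
    """Return (verdict, rdata list) for one dig response."""
    r = parse_dig(text)
    if r["status"] is None:
        return "NO-REPLY", []
    if r["status"] in ("REFUSED", "SERVFAIL", "NXDOMAIN"):
        return r["status"], []
    if "aa" not in r["flags"]:
        return "NOT-AUTHORITATIVE", []
    hits = [rd for owner, _ttl, rt, rd in r["ANSWER"] if owner == qname.lower() and rt == qtype]
    if hits:
        return "AUTHORITATIVE", hits
    if any(rt == "SOA" for _o, _t, rt, _rd in r["AUTHORITY"]):
        return "NODATA", []
    return "UNEXPECTED", []


if __name__ == "__main__":
    for label, text, qtype in (("A", A_QUERY, "A"), ("NS", NS_QUERY, "NS"), ("timeout", TIMEOUT, "A")):
        verdict, rdata = triage(text, "mac1.max.app.", qtype)
        print("%-8s %-18s %s  %s" % (label, verdict, rdata, NEXT_STEP.get(verdict, "")))
```

Two things the verdicts show for this thread. The NS query was sent for mac1.max.app rather than for the zone apex max.app. as the answer specified, so the NODATA result (empty answer, SOA in authority) is the server saying the name exists but has no NS record, not a failure. And the A answer is authoritative but carries 192.168.100.15, while the zone file posted in the question puts mac1 at 192.168.100.50; either the file was edited after that query or the running named is serving a different copy of the zone, so run named-checkzone on the file, reload with rndc reload, and query again before trusting the file as the source of truth.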



Author by Nick Faraday

Updated on September 18, 2022

Comments

  • Nick Faraday
    Nick Faraday almost 2 years

    I'm trying to set up my first BIND9 DNS server for a small local network and can't seem to get it working. I want to create a 'local' domain of max.app

    As far as I can tell named is running, but it doesn't seem to be serving my domain records?

    service named start
    

    Returns OK, and the daemon is running on boot.

    If I try and ping mac1 I get: unknown host mac1

    If I try and ping mac1.max.app I get: unknown host mac1

    When I try nslookup I get:

    nslookup max.app
    Server: 8.8.8.8
    Address:    8.8.8.8#53
    
    Non-authoritative answer:
    Name:   max.app
    Address: 67.192.47.244
    

    As you can see I'm not serving records from my local bind service (192.168.100.10)

    My /etc/resolv.conf file looks like this:

    # Generated by NetworkManager
    search max.app
    nameserver 192.168.100.10
    nameserver 8.8.8.8
    nameserver 8.8.4.4
    

    My /etc/named.conf file looks like this:

    acl local-network { 192.168.100.0/24;  }; 
    
    options {
        listen-on port 53 { 127.0.0.1; 192.168.100.10; };
        listen-on-v6 port 53 { ::1; };
        directory   "/var/named";
        dump-file   "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { local-network;  };   // 127.0.0.1 is not in local-network, so queries sent to the loopback listener get REFUSED
        recursion yes;
    
        query-source address * port 53;        // a fixed source port disables BIND's port randomisation (the Kaminsky cache-poisoning defence); "query-source address *;" keeps it
    
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
    
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
    };
    
    
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    
    
    zone "max.app" IN {   
        type master;   
        file "max.app.zone";   
        allow-update { none; }; 
    };
    
    zone "100.168.192.in-addr.arpa" IN {
        type master;   
        file "max.app.rr.zone";   
        allow-update { none; }; 
    };
    

    My /var/named/max.app.zone file looks like this:

    $ORIGIN max.app. 
    $TTL 86400 
    @   IN  SOA dns1.max.app.   email.gmail.com. (
                2001062501 ; serial                     
                21600      ; refresh after 6 hours                     
                3600       ; retry after 1 hour                     
                604800     ; expire after 1 week                     
                86400 )    ; minimum TTL of 1 day  
    
    
        IN  NS  dns1.max.app.   
    
    dns1    IN  A   192.168.100.10
    CentOS1 IN  A   192.168.100.15
    CentOS2 IN  A   192.168.100.25
    
    mac1    IN  A   192.168.100.50
    mac2    IN  A   192.168.100.55
    mac3    IN  A   192.168.100.60
    
    www     IN  CNAME   CentOS1
    

    My /var/named/max.app.rr.zone file looks like this:

    $ORIGIN 100.168.192.in-addr.arpa. 
    $TTL 86400 
    @   IN  SOA dns1.max.app.   email.gmail.com. (
                2001062501 ; serial                     
                21600      ; refresh after 6 hours                     
                3600       ; retry after 1 hour                     
                604800     ; expire after 1 week                     
                86400 )    ; minimum TTL of 1 day           
    
        IN  NS  dns1.max.app.
    
    10  IN  PTR dns1.max.app.
    15  IN  PTR CentOS1.max.app.
    20  IN  PTR CentOS2.max.app.   ; forward zone has CentOS2 at .25, not .20
    
    50  IN  PTR mac1.max.app.
    55  IN  PTR mac1.max.app.      ; forward zone has mac2 at .55
    60  IN  PTR mac1.max.app.      ; forward zone has mac3 at .60
    

    Service named status returns:

    version: 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1
    CPUs found: 2
    worker threads: 2
    number of zones: 15
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is OFF
    recursive clients: 0/0/1000
    tcp clients: 0/100
    server is up and running
    named (pid  1121) is running.
    

    This "number of zones: 15" seems a bit odd? When I only have 1 zone defined in named.conf

    UPDATE 7/14 5:45PM CST

    Ok I've followed the suggestions below but things still don't seem to want to work.

    Added to /etc/sysconfig/iptables

    -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    

    dig @192.168.100.10 mac1.max.app a returns:

    ; <<>> DiG 9.6.0-APPLE-P2 <<>> @192.168.100.10 mac1.max.app a
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48036
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; QUESTION SECTION:
    ;mac1.max.app.      IN  A
    
    ;; ANSWER SECTION:
    mac1.max.app.   86400   IN  A   192.168.100.15
    
    ;; AUTHORITY SECTION:
    max.app.        86400   IN  NS  dns1.max.app.
    
    ;; ADDITIONAL SECTION:
    dns1.max.app.       86400   IN  A   192.168.100.10
    
    ;; Query time: 8 msec
    ;; SERVER: 192.168.100.10#53(192.168.100.10)
    ;; WHEN: Thu Jul 14 17:30:53 2011
    ;; MSG SIZE  rcvd: 85
    

    dig @192.168.100.10 mac1.max.app ns returns:

    ; <<>> DiG 9.6.0-APPLE-P2 <<>> @192.168.100.10 mac1.max.app ns
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28099
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;mac1.max.app.      IN  NS
    
    ;; AUTHORITY SECTION:
    max.app.        86400   IN  SOA dns1.max.app. email.gmail.com. 2001062501 21600 3600 604800 86400
    
    ;; Query time: 8 msec
    ;; SERVER: 192.168.100.10#53(192.168.100.10)
    ;; WHEN: Thu Jul 14 17:18:23 2011
    ;; MSG SIZE  rcvd: 94
    

    nslookup shows that named is listening on port 53

    tcp   0   0 dns1:53                    *:*   LISTEN   2880/named
    tcp   0   0 localhost.localdomain:53   *:*   LISTEN   2880/named
    
    • David W
      David W almost 13 years
      Are you doing the pinging from the nameserver, or from some other machine? I would try adding the following to your resolv.conf: nameserver localhost
    • Nick Faraday
      Nick Faraday almost 13 years
      Ya I'm on the DNS box. I tried swapping out the IP address for localhost in the resolv.conf file... no luck.
    • womble
      womble almost 13 years
      Don't hijack other people's domains; it's causing you problems now, and it'll only cause further hassle in the future.
    • Nick Faraday
      Nick Faraday almost 13 years
      @womble how is it causing problems now? I really don't think that has anything to do with the current problem. It's on a local network that myself and one other dude use, hijacking is a bit harsh.
    • womble
      womble almost 13 years
      Well, you already can't be sure that the answers you're getting are your own; down the line, if you want to access the legitimate max.com you'll be SOL. There are already domains available specifically for this purpose (.local). "Hijacking" is the correct term for what you're doing.
    • anastrophe
      anastrophe almost 13 years
      sorry to throw in a 'me too', but womble is correct. it's simply bad practice to use a domain for which you do not have proper authority. use max.local - or max.coom, or max.comm or max.company, or max.nickfaraday or max.x or whatever suits your fancy. there simply is no valid reason to use someone else's domain for this experiment. as has been confirmed by the courts, a domain name is tangible, fungible property. regardless of your intentions (which make no mistake, i presume to be good), you're using someone else's property without authority if you use max.com. and besides all that, as wom
    • Nick Faraday
      Nick Faraday almost 13 years
      Fair enough... I've changed the TLD to .app and have made the changes to the question above. So now the domain reads [max.app] same issue persists.
    • JdeBP
      JdeBP almost 13 years
      That is not the dig command that Cakemox specified.
    • neirbowj
      neirbowj about 8 years
      Just because .app doesn't conflict with an assigned TLD now doesn't mean that it never will (en.wikipedia.org/wiki/Generic_top-level_domain). Also .local is defined for use with multicast DNS (en.wikipedia.org/wiki/.local). There is currently no TLD reserved for private use. See serverfault.com/questions/17255/… and use your own real domain.
  • Nick Faraday
    Nick Faraday almost 13 years
    updated the question. I added the dig results / verified that named is listening on port 53
  • Nick Faraday
    Nick Faraday almost 13 years
    updated the questions. added the listen-on IP and the Firewall settings.
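The forward and reverse zone files posted in the question, checked against each other as an added example (editor-supplied code, not from the question, the answer, or BIND). named-checkzone will accept both files as valid master-file syntax; it cannot tell that a PTR names the wrong host, which is the kind of error that makes reverse lookups disagree with forward ones. The parser below handles only the subset of zone syntax those two files use ($ORIGIN, $TTL, a parenthesised SOA, an owner inherited from the previous record, names relative to the origin); the zone texts are embedded so it runs offline.

```python
"""Cross-check a forward zone against its in-addr.arpa zone.

Added example, not code from the question or the answer. named-checkzone
accepts both files below as valid; it cannot know that a PTR names the
wrong host. The zone texts are the two files posted in the question.
"""

FORWARD = """\
$ORIGIN max.app.
$TTL 86400
@   IN  SOA dns1.max.app.   email.gmail.com. (
            2001062501 ; serial
            21600      ; refresh
            3600       ; retry
            604800     ; expire
            86400 )    ; minimum
    IN  NS  dns1.max.app.
dns1    IN  A   192.168.100.10
CentOS1 IN  A   192.168.100.15
CentOS2 IN  A   192.168.100.25
mac1    IN  A   192.168.100.50
mac2    IN  A   192.168.100.55
mac3    IN  A   192.168.100.60
www     IN  CNAME   CentOS1
"""

REVERSE = """\
$ORIGIN 100.168.192.in-addr.arpa.
$TTL 86400
@   IN  SOA dns1.max.app.   email.gmail.com. (
            2001062501 21600 3600 604800 86400 )
    IN  NS  dns1.max.app.
10  IN  PTR dns1.max.app.
15  IN  PTR CentOS1.max.app.
20  IN  PTR CentOS2.max.app.
50  IN  PTR mac1.max.app.
55  IN  PTR mac1.max.app.
60  IN  PTR mac1.max.app.
"""


def qualify(name, origin):
    """Append the origin to a relative name; fully qualified names end in '.'."""
    return name if name.endswith(".") else "%s.%s" % (name, origin)


def parse_zone(text):
    """Parse the master-file subset used above into (owner, type, rdata) tuples.
    Names are lower-cased because DNS comparison is case-insensitive."""
    origin, last_owner, in_paren, records = "", "", False, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        if in_paren:                                   # still inside SOA ( ... )
            in_paren = ")" not in line
            continue
        if not line.strip() or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.split()
        owner = last_owner if line[0].isspace() else tokens.pop(0)  # blank owner = previous
        owner = origin if owner == "@" else qualify(owner, origin)
        last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0] in ("IN", "CH", "HS")):
            tokens.pop(0)                              # optional TTL and class
        rtype, rdata = tokens[0], " ".join(tokens[1:])
        if "(" in rdata and ")" not in rdata:
            in_paren = True
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = qualify(rdata, origin)
        records.append((owner.lower(), rtype, rdata.lower()))
    return records


def ptr_to_ip(owner):
    """'10.100.168.192.in-addr.arpa.' -> '192.168.100.10'"""
    labels = owner.rstrip(".").split(".")
    return ".".join(reversed(labels[:-2]))


def expected_a(forward, name):
    """Addresses the zone file says a name should resolve to."""
    return sorted(rd for o, t, rd in forward if t == "A" and o == name.lower())


def cross_check(forward, reverse):
    """Report A records without a matching PTR, PTRs without a matching A,
    and CNAMEs whose target has no A record in the forward zone."""
    a = {(o, rd) for o, t, rd in forward if t == "A"}
    ptr = {(ptr_to_ip(o), rd) for o, t, rd in reverse if t == "PTR"}
    problems = ["A %s -> %s has no PTR" % (n, ip) for n, ip in sorted(a) if (ip, n) not in ptr]
    problems += ["PTR %s -> %s has no A" % (ip, n) for ip, n in sorted(ptr) if (n, ip) not in a]
    names_with_a = {o for o, _ in a}
    problems += ["CNAME %s -> %s target has no A" % (o, rd)
                 for o, t, rd in forward if t == "CNAME" and rd not in names_with_a]
    return problems


if __name__ == "__main__":
    fwd, rev = parse_zone(FORWARD), parse_zone(REVERSE)
    print("zone file says mac1.max.app. =", expected_a(fwd, "mac1.max.app."))
    for problem in cross_check(fwd, rev):
        print(problem)
```

Run against the posted files this reports six mismatches: CentOS2 is at .25 in the forward zone but .20 in the reverse zone, and .55 and .60 both point back at mac1 instead of mac2 and mac3. Fix the PTRs, bump both serials, run named-checkzone max.app /var/named/max.app.zone and the same for the reverse file, then rndc reload; expected_a gives the value a dig against the server should return once the loaded zone matches the file.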