Why does BIND not use the forwarders any more?
Solution 1
but for sure bind configuration was not altered. It was upgraded though using apt.
Upgrading the core engine is enough to make things stop working, even if the configuration has not been altered!
As mentioned here:
In versions of BIND prior to (and including) BIND 9.4.1, the default behavior of BIND servers was to allow recursion for all clients (unless otherwise specified.)
So you should explicitly allow recursion, because it is needed to make forwarders work:
allow-recursion { any; };
To retain the same behaviour you had previously, I would suggest adding these directives to your options { ... } block:
allow-recursion { any; };
allow-query { any; };
allow-query-cache { any; };
Solution 2
Forwarders only work if you have recursion enabled.
Also, you should use your ISP's DNS servers, not Google's.
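An added example (not from either answer and not BIND's own code): a small Python audit of an `options` block that reports whether the forwarders can be used at all and whether recursion is open to every client, which is what `allow-recursion { any; }` does on a server reachable from the Internet. The parser is a simplification that handles this sample, the names `audit` and `SCOPED` and the 192.168.0.0/24 range are assumptions, and the ACL fallback order follows BIND's documented defaults.

```python
import re

# Constructed samples: the question's forwarders plus the suggested directive,
# and the same block with recursion limited to a placeholder LAN range.
WEAK = """
options {
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;
    allow-recursion { any; };
    auth-nxdomain no;    # conform to RFC1035
};
"""
SCOPED = WEAK.replace("{ any; }", "{ localhost; 192.168.0.0/24; }")

DEFAULT_ACL = ["localnets", "localhost"]  # default in releases after 9.4.1

def parse_options(conf):
    """Return {statement: [values]} for the top-level options block."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)  # block comments
    conf = re.sub(r"(#|//).*", "", conf)               # line comments
    m = re.search(r"\boptions\s*\{", conf)
    stmts, buf, depth = {}, "", 1
    for ch in (conf[m.end():] if m else ""):
        depth += (ch == "{") - (ch == "}")
        if depth == 0:          # closing brace of the options block
            break
        if ch == ";" and depth == 1:
            tokens = re.findall(r'"[^"]*"|[^\s{};]+', buf)
            if tokens:
                stmts[tokens[0]] = tokens[1:]
            buf = ""
        else:
            buf += ch
    return stmts

def audit(conf):
    o = parse_options(conf)
    recursion = o.get("recursion", ["yes"])[0] not in ("no", "false", "0")
    # When allow-recursion is absent, BIND falls back in this order.
    acl = (o.get("allow-recursion") or o.get("allow-query-cache")
           or o.get("allow-query") or DEFAULT_ACL)
    findings = []
    if o.get("forwarders") and not recursion:
        findings.append("forwarders-unused")   # forwarding needs recursion
    if recursion and "any" in acl:
        findings.append("open-resolver")       # recursion for every client
    return {"forwarders": o.get("forwarders", []), "acl": acl, "findings": findings}

if __name__ == "__main__":
    print(audit(WEAK), audit(SCOPED), sep="\n")
```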
yannisf
Updated on September 18, 2022
Comments
-
yannisf almost 2 years
BIND does not use the forwarders to resolve any more. It just goes to the root servers. I do not know when this started happening since everything worked transparently, but for sure bind configuration was not altered. It was upgraded though using apt.
I am on Debian 7 and current bind version is BIND 9.8.4.
Configuration:
options {
    directory "/var/cache/bind";
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    forward only;
    dnssec-validation no;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
Any ideas to re-enable forwarding?
-
krisFR about 10 years: Can you try adding allow-recursion { any; }; ?
-
yannisf about 10 years: Added all the options suggested, still no luck. From what I see, bind always uses the root servers to resolve. Added "recursion yes" as well, still no luck.
-
krisFR about 10 years: @yannisf Did you check logs to get some clues?
-
yannisf about 10 years: Checked the logs, no hint there. I am confident that for some reason the forwarder I used so far (Norton ConnectSafe: 199.85.126.20) does not work with the above options. When I switched to OpenDNS it worked. The strange thing is that Norton ConnectSafe works when in resolv.conf (you may check it if you want).
-
ojrask over 7 years: Any technical reason not to use Google's DNS servers?
-
Vasili Syrakis over 7 years: If there's an issue with Google's DNS, you have no legs to stand on, so to speak. If it's your ISP, at least you can call somebody and notify them of the issue, and have a chance of getting it resolved.
-
ojrask over 7 years: Valid point. :)
-
WoJ over 7 years: @VasiliSyrakis: I believe that if Google DNS fails, it will be fixed quicker than I would realize that something is wrong. They are "monitored" by half of the Internet using them and probably maintained much better than my ISP's ones. YMMV.