Why is my DNS server not forwarding?
Solution 1
You've told it what forwarders to use, but not when to use them. If you want it to use them for everything, instead of
zone "." IN {
type hint;
file "named.ca";
};
try
zone "." {
type forward;
forward first;
forwarders { 10.90.0.135;
10.90.0.174;
} ;
} ;
Edit: OK, try the above instead. I don't get what you mean by "try to resolve locally first", though; you said you wanted it to forward.
Solution 2
In my case the problem was solved by only changing dnssec-validation yes;
to dnssec-validation no;
Solution 3
Just in case it wasn't clear from the OP's comment below MadHatter's response, "problem was dnssec", I'm posting this answer explicitly since I too found it solved my problem.
I've set up a caching, forwarding-only BIND server and it wasn't forwarding. The queries were going to the root servers with a several-second delay. Disabling the dnssec options fixed this; now it is working as expected.
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;
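Solutions 2 and 3 make the symptom go away by switching validation off, which also switches off the resolver's only protection against forged answers arriving from, or through, the forwarders. Before taking that route it is worth checking whether the forwarders can carry DNSSEC data at all: a BIND running with dnssec-validation yes behind forwarders that ignore EDNS0 or drop RRSIG records cannot validate, returns SERVFAIL, and with forward first falls back to iterating from the root hints, which is the slow root-server behaviour described in Solution 3. The probe below is an added example written for this page, not code from the thread or from ISC. It speaks raw DNS over UDP using only the Python standard library, sends a query with the DO bit set and reports whether an OPT record and RRSIGs come back. The forwarder addresses in the usage comment are the ones from the question; the two byte strings in the block are constructed sample replies, not captures, so the script also runs offline.

```python
"""Probe a DNS forwarder for DNSSEC pass-through (added example, not from the page).
A BIND with dnssec-validation yes can only validate if its forwarders accept EDNS0
queries with the DO bit and return RRSIG records; this sends one such query."""
import random
import socket
import struct
import sys

TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 41, 46, 48
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a domain name; "." becomes the lone root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=TYPE_DNSKEY, do_bit=True, txid=None):
    """Build a recursive (RD=1) query; with do_bit an OPT RR carrying DO=1 is appended."""
    txid = random.randrange(0x10000) if txid is None else txid
    msg = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if do_bit else 0)
    msg += encode_name(qname) + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS IN
    if do_bit:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-rcode 0 | version 0 | flags (DO bit 0x8000), RDLENGTH 0
        msg += b"\x00" + struct.pack(">HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return txid, msg


def skip_name(buf, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(buf, expect_txid=None):
    """Summarise a reply: rcode, AD flag, and whether OPT and RRSIG RRs are present."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", buf[:12])
    if expect_txid is not None and txid != expect_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4  # QTYPE + QCLASS
    types = []
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", buf[off:off + 10])
        off += 10 + rdlen  # rdata itself is not needed for this check
        types.append(rtype)
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "ad": bool(flags & 0x0020),
            "edns": TYPE_OPT in types, "rrsig": TYPE_RRSIG in types}


def verdict(summary):
    """What a validating BIND behind this forwarder can expect."""
    if summary["rcode"] != "NOERROR":
        return "forwarder returned %s; nothing to validate" % summary["rcode"]
    if not summary["edns"]:
        return "no OPT RR in reply: forwarder ignores EDNS0, validation will SERVFAIL"
    if not summary["rrsig"]:
        return "EDNS0 ok but no RRSIG: forwarder strips signatures, validation will SERVFAIL"
    # AD only says the forwarder validated; BIND still checks the RRSIGs itself.
    return "RRSIG present (forwarder AD=%s): DNSSEC passes through, keep validation on" % summary["ad"]


def probe(forwarder, qname=".", qtype=TYPE_DNSKEY, timeout=3.0):
    """Send one DO-bit query over UDP and summarise the reply (needs network)."""
    txid, msg = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (forwarder, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, txid)


# Constructed sample replies to ". DNSKEY" (not captures; rdata is dummy bytes).
# SAMPLE_SIGNED: NOERROR, AD set, DNSKEY + RRSIG in answer, OPT RR in additional.
SAMPLE_SIGNED = (
    struct.pack(">HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 1)
    + b"\x00" + struct.pack(">HH", TYPE_DNSKEY, 1)
    + b"\xC0\x0C" + struct.pack(">HHIH", TYPE_DNSKEY, 1, 0, 4) + b"\x01\x02\x03\x04"
    + b"\xC0\x0C" + struct.pack(">HHIH", TYPE_RRSIG, 1, 0, 4) + b"\xAA\xBB\xCC\xDD"
    + b"\x00" + struct.pack(">HHIH", TYPE_OPT, 4096, 0x00008000, 0)
)
# SAMPLE_STRIPPED: a forwarder that drops EDNS0 and signatures, DNSKEY only.
SAMPLE_STRIPPED = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x00" + struct.pack(">HH", TYPE_DNSKEY, 1)
    + b"\xC0\x0C" + struct.pack(">HHIH", TYPE_DNSKEY, 1, 0, 4) + b"\x01\x02\x03\x04"
)

if __name__ == "__main__":
    # e.g. python3 probe_forwarder.py 10.90.0.135 10.90.0.174; no args runs the samples
    for fwd in sys.argv[1:]:
        print(fwd, verdict(probe(fwd)))
    if len(sys.argv) == 1:
        for label, sample in (("signed", SAMPLE_SIGNED), ("stripped", SAMPLE_STRIPPED)):
            print(label, verdict(parse_response(sample, 0x1234)))
```

Run it against each forwarder listed in named.conf. If both report that RRSIGs pass through, leave dnssec-validation yes in place and look elsewhere for the forwarding fault; if they report that EDNS0 or signatures are dropped, the fix that keeps the resolver safe is to forward to resolvers that do pass DNSSEC data (or to let this BIND recurse on its own), not to turn validation off. The probe checks the transaction id before trusting a reply, the same minimal anti-spoofing step a resolver takes.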
mbrambley
Updated on September 18, 2022
Comments
-
mbrambley almost 2 years
I have setup bind like this:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
    listen-on port 53 { any; };
    # listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    forwarders { 10.90.0.135; 10.90.0.174; };
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "appletop.local" IN {
    type master;
    file "appletop.local";
    allow-update { none; };
};
But it doesn't forward?
If I just put the DNS server address into resolv.conf on another machine I get the correct lookups, so the DNS server must be able to resolve for me, but if I then point the other machine back at this one it cannot resolve the names. What's wrong?
After changes suggested by MadHatter:
Now it starts but hangs on a dig +trace and doesn't forward - why do I not see the forwarders' addresses below?
[root@ns1 ~]# ping www.yahoo.com
^C
[root@ns1 ~]# cd /etc/
[root@ns1 etc]# cp named.conf named.conf.last
[root@ns1 etc]# vi named.conf
[root@ns1 etc]# /etc/init.d/named reload
Reloading named-sdb:                                       [  OK  ]
[root@ns1 etc]# service named stop
Stopping named: .                                          [  OK  ]
[root@ns1 etc]# /etc/init.d/named start
Starting named:                                            [  OK  ]
[root@ns1 etc]# nslookup www.yahoo.com
;; connection timed out; trying next origin
Server:         10.138.10.30
Address:        10.138.10.30#53

** server can't find www.yahoo.com: NXDOMAIN
And a dig with +trace:
[root@ns1 etc]# dig +trace www.yahoo.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.0.2.el6_4.6 <<>> +trace www.yahoo.com
;; global options: +cmd
.                       518400  IN      NS      E.ROOT-SERVERS.NET.
.                       518400  IN      NS      M.ROOT-SERVERS.NET.
.                       518400  IN      NS      I.ROOT-SERVERS.NET.
.                       518400  IN      NS      F.ROOT-SERVERS.NET.
.                       518400  IN      NS      G.ROOT-SERVERS.NET.
.                       518400  IN      NS      K.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      C.ROOT-SERVERS.NET.
.                       518400  IN      NS      L.ROOT-SERVERS.NET.
.                       518400  IN      NS      J.ROOT-SERVERS.NET.
.                       518400  IN      NS      H.ROOT-SERVERS.NET.
.                       518400  IN      NS      D.ROOT-SERVERS.NET.
My entire file looks like this now - what's wrong?
options {
    listen-on port 53 { any; };
    # listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type forward;
    forward first;
    forwarders { 10.90.0.135; 10.90.0.174; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "appletop.local" IN {
    type master;
    file "appletop.local";
    allow-update { none; };
};
-
mbrambley almost 11 years
Thanks, but I'd like it to try to resolve locally before going to the forwarder - won't 'first' stop that?
-
mbrambley almost 11 years
OK, I tried what you said but now it's broken; it says: Error in named configuration: /etc/named.conf:40: no matching 'forwarders' statement
-
mbrambley almost 11 years
OK, now it starts but doesn't forward - why do I not see the forwarder addresses in the below:
-
mbrambley almost 11 years
Still not working; what was your edit, ladadadada?
-
mbrambley almost 11 years
Problem was dnssec.
-
YumYumYum about 9 years
This worked for me too. 1) It looks up my DNS in the local cache; 2) if the local cache fails, it looks on the internet.