Why is my DNS server not forwarding?

Solution 1

You've told it what forwarders to use, but not when to use them. If you want it to use them for everything, instead of

zone "." IN {
        type hint;
        file "named.ca";
};

try

zone "." {
        type forward;
        forward first;
        forwarders { 10.90.0.135; 10.90.0.174; };
};

Edit: OK, try the above instead. I don't get what you mean by "try to resolve locally first", though; you said you wanted it to forward.

Solution 2

In my case the problem was solved by only changing dnssec-validation yes; to dnssec-validation no;

Solution 3

Just in case it wasn't clear from the OP's comment below MadHatter's response ("problem was dnssec"), I'm posting this answer explicitly, since I too found it solved my problem.

I've set up a caching, forwarding-only BIND server and it wasn't forwarding. The queries were going to the root servers with a several-second delay. Disabling the dnssec options fixed this; now it is working as expected.

dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;
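The three answers above each touch one knob in named.conf (where the forwarders are declared, forward first versus only, dnssec-validation), and the comments show what happens when they are combined wrongly. The script below is an added example for this thread, not code from the question, the answers or ISC BIND: a small named.conf parser and linter that reports the effective forwarding setup, flags the two combinations named's own configuration check rejects (a forward statement with no forwarders list, which is the error quoted in the comments, and forwarders declared both globally and in the root zone), and warns where DNSSEC validation depends on the forwarders. The sample configs are constructed from the fragments posted in the question; CONF_BROKEN is my assumed reconstruction of what produced the "no matching 'forwarders' statement" error.

```python
"""Lint a BIND named.conf for the forwarding and DNSSEC settings discussed above.

Added example for this thread, not code from the question, the answers or ISC BIND.
The parser is deliberately small (nested `{ ... }` blocks, `word ... ;` statements,
`//`, `#` and `/* */` comments), which covers everything posted on this page.
"""
import re
from typing import List, Optional, Tuple

Stmt = Tuple[List[str], Optional[list]]  # (words, nested statements or None)


def tokenize(conf: str) -> List[str]:
    """Strip comments, then split into `{` `}` `;`, bare words and "quoted" strings."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"(//|#).*", "", conf)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', conf)


def parse(tokens: List[str], pos: int = 0) -> Tuple[List[Stmt], int]:
    """Recursive descent over named.conf block syntax; returns (statements, next pos)."""
    stmts: List[Stmt] = []
    words: List[str] = []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "}":
            break
        if tok == ";":
            if words:
                stmts.append((words, None))
            words = []
        elif tok == "{":
            children, pos = parse(tokens, pos)
            stmts.append((words, children))
            words = []
        else:
            words.append(tok.strip('"'))
    return stmts, pos


def first(block: list, name: str) -> Optional[Stmt]:
    """First statement in `block` whose keyword is `name`."""
    return next(((w, c) for w, c in block if w and w[0] == name), None)


def lint(conf: str) -> dict:
    """Effective forwarding, what named's config check rejects, DNSSEC/forwarder coupling."""
    top, _ = parse(tokenize(conf))
    options = first(top, "options")
    opt_block = options[1] if options and options[1] else []
    root_block = next((c for w, c in top if w[:2] == ["zone", "."] and c), [])
    out: dict = {"problems": [], "warnings": []}

    def scan(block: list, label: str) -> None:
        fwd, mode = first(block, "forwarders"), first(block, "forward")
        out[label + "_forwarders"] = [w[0] for w, _ in fwd[1]] if fwd and fwd[1] else []
        out[label + "_forward"] = mode[0][1] if mode and len(mode[0]) > 1 else None
        if mode and not fwd:  # named's check.c rejects 'forward' with no forwarders list
            out["problems"].append(f"{label}: no matching 'forwarders' statement")

    scan(opt_block, "options")
    scan(root_block, "root")
    rtype, dv = first(root_block, "type"), first(opt_block, "dnssec-validation")
    out["root_type"] = rtype[0][1] if rtype and len(rtype[0]) > 1 else None
    out["dnssec_validation"] = dv[0][1] if dv and len(dv[0]) > 1 else None
    if out["options_forwarders"] and out["root_forwarders"]:  # also fatal in named
        out["problems"].append("forwarders declared in root zone and in general configuration")

    if out["root_type"] == "forward":
        targets = out["root_forwarders"] or out["options_forwarders"]
        fwd_mode = out["root_forward"] or out["options_forward"] or "first"
    else:
        targets, fwd_mode = out["options_forwarders"], out["options_forward"] or "first"
    out["effective"] = (f"forward {fwd_mode} -> {targets}" if targets
                        else "no forwarders: iterative resolution from the root hints")
    if targets and fwd_mode == "first":
        out["warnings"].append("forward first: if the forwarders do not answer, named falls back to "
                               "iterative resolution via the root hints; consider 'forward only'")
    if targets and out["dnssec_validation"] == "yes":
        out["warnings"].append("dnssec-validation yes behind forwarders: they must pass EDNS/DO, "
                               "RRSIG and DS records through, or validation fails with SERVFAIL")
    return out


# Constructed from the question's first named.conf: global forwarders plus a root hint zone.
CONF_HINT_ROOT = """
options {
        listen-on port 53 { any; };
        directory       "/var/named";
        forwarders      { 10.90.0.135; 10.90.0.174; };
        recursion yes;
        dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};
zone "." IN { type hint; file "named.ca"; };
"""
# Constructed from the second named.conf: Solution 1's root forward zone.
CONF_FORWARD_ROOT = """
options { directory "/var/named"; recursion yes; dnssec-validation yes; };
zone "." { type forward; forward first; forwarders { 10.90.0.135; 10.90.0.174; }; };
"""
# Assumed reconstruction of the config behind the "no matching 'forwarders'" error in the comments.
CONF_BROKEN = """
options { directory "/var/named"; recursion yes; };
zone "." { type forward; forward first; };
"""

if __name__ == "__main__":
    for name, conf in (("hint root", CONF_HINT_ROOT), ("forward root", CONF_FORWARD_ROOT),
                       ("broken", CONF_BROKEN)):
        r = lint(conf)
        print(f"[{name}] {r['effective']}; dnssec-validation={r['dnssec_validation']}")
        for line in [f"  ERROR: {p}" for p in r["problems"]] + [f"  WARN: {w}" for w in r["warnings"]]:
            print(line)
```

The two warnings the linter raises on the original config are the thread's own answers in check form. Before turning dnssec-validation off, as Solutions 2 and 3 do, which removes the resolver's protection against forged answers, confirm that validation is really what fails: `dig @<resolver> <name>` returning SERVFAIL while `dig +cd @<resolver> <name>` (checking disabled) gets an answer points at validation, usually because the forwarders do not pass DNSSEC data through; the fix there is DNSSEC-capable forwarders, with `forward only` so a failing forwarder does not quietly turn into slow or hanging root queries. Note also that `dig +trace` never goes through the server's forwarders: it walks the delegation chain from the root itself, which is why the trace in the comments lists only root servers.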

Author: mbrambley

Updated on September 18, 2022

Comments

  • mbrambley
    mbrambley almost 2 years

    I have set up bind like this:

    //
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    
    options {
            listen-on port 53 { any; };
    #       listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            forwarders      { 10.90.0.135; 10.90.0.174; };
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { any; };
            recursion yes;
    
            dnssec-enable yes;
            dnssec-validation yes;
            dnssec-lookaside auto;
    
            /* Path to ISC DLV key */
            bindkeys-file "/etc/named.iscdlv.key";
    
            managed-keys-directory "/var/named/dynamic";
    };
    
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    
    zone "." IN {
            type hint;
            file "named.ca";
    };
    
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    
    
    zone "appletop.local" IN {
            type master;
            file "appletop.local";
            allow-update { none; };
    };
    

    But it doesn't forward?

    If I just put the DNS server address into resolv.conf on another machine, I get the correct lookups, so the DNS server must be able to resolve for me; but if I then point the other machine back at this one, it cannot resolve the names.

    What's wrong?


    After changes suggested by MadHatter:

    Now it starts but hangs on a dig +trace and doesn't forward. Why do I not see the forwarders' addresses below?

    [root@ns1 ~]# ping www.yahoo.com
    ^C
    [root@ns1 ~]# cd /etc/
    [root@ns1 etc]# cp named.conf named.conf.last
    [root@ns1 etc]# vi named.conf
    [root@ns1 etc]# /etc/init.d/named reload
    Reloading named-sdb:                                       [  OK  ]
    [root@ns1 etc]# service named stop
    Stopping named: .                                          [  OK  ]
    [root@ns1 etc]# /etc/init.d/named start
    Starting named:                                            [  OK  ]
    [root@ns1 etc]# nslookup www.yahoo.com
    ;; connection timed out; trying next origin
    Server:         10.138.10.30
    Address:        10.138.10.30#53
    
    ** server can't find www.yahoo.com: NXDOMAIN
    

    And a dig with +trace:

    [root@ns1 etc]# dig +trace www.yahoo.com
    
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.0.2.el6_4.6 <<>> +trace www.yahoo.com
    ;; global options: +cmd
    .                       518400  IN      NS      E.ROOT-SERVERS.NET.
    .                       518400  IN      NS      M.ROOT-SERVERS.NET.
    .                       518400  IN      NS      I.ROOT-SERVERS.NET.
    .                       518400  IN      NS      F.ROOT-SERVERS.NET.
    .                       518400  IN      NS      G.ROOT-SERVERS.NET.
    .                       518400  IN      NS      K.ROOT-SERVERS.NET.
    .                       518400  IN      NS      B.ROOT-SERVERS.NET.
    .                       518400  IN      NS      A.ROOT-SERVERS.NET.
    .                       518400  IN      NS      C.ROOT-SERVERS.NET.
    .                       518400  IN      NS      L.ROOT-SERVERS.NET.
    .                       518400  IN      NS      J.ROOT-SERVERS.NET.
    .                       518400  IN      NS      H.ROOT-SERVERS.NET.
    .                       518400  IN      NS      D.ROOT-SERVERS.NET.
    

    My entire file looks like this now. What's wrong?

    
    options {
            listen-on port 53 { any; };
    #       listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { any; };
            recursion yes;
    
            dnssec-enable yes;
            dnssec-validation yes;
            dnssec-lookaside auto;
    
            /* Path to ISC DLV key */
            bindkeys-file "/etc/named.iscdlv.key";
    
            managed-keys-directory "/var/named/dynamic";
    };
    
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    
    zone "." IN {
            type forward;
            forward first;
            forwarders { 10.90.0.135; 10.90.0.174; };
    };
    
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    
    zone "appletop.local" IN {
            type master;
            file "appletop.local";
            allow-update { none; };
    };
    
    
  • mbrambley
    mbrambley almost 11 years
    Thanks, but I'd like it to try to resolve locally before going to the forwarder. Won't 'first' stop that?
  • mbrambley
    mbrambley almost 11 years
    OK, I tried what you said, but now it's broken. It says: Error in named configuration: /etc/named.conf:40: no matching 'forwarders' statement
  • mbrambley
    mbrambley almost 11 years
    OK, now it starts but doesn't forward. Why do I not see the forwarder addresses in the below:
  • mbrambley
    mbrambley almost 11 years
    Still not working. What was your edit, ladadadada?
  • mbrambley
    mbrambley almost 11 years
    Problem was dnssec.
  • YumYumYum
    YumYumYum about 9 years
    This worked for me too. 1) It looks up my DNS in the local cache; 2) if the local cache fails, it looks on the internet.