bind9 - forwarders are not working

Question

I am experiencing an issue with bind. If i want to resolve any domain name that is on the zone file. It works fine. However, when I try to resolve anything that does not belong to the zone file. I know that actual DNS servers that are being forwarded are working fine. But somehow bind9 fails to use them. The content of /etc/bind/named.conf.options is:

options {
directory "/var/cache/bind";
forwarders {
    131.181.127.32;
    131.181.59.48;
};
dnssec-validation auto;
auth-nxdomain no;    # conform to RFC1035
listen-on-v6 { any; };
};

I have also tried to use only one ip address and it still did not work. also the content of /etc/bind/named.conf is:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

So there is no problem with including options file. Any recommendations for fixing this problem?

score 29 · Accepted Answer · answered Sep 19 '12 at 08:21

29

I had this issue before with recent version of Bind (9.8.1).

The following option solved the problem for me :

dnssec-validation no;

answered Sep 19 '12 at 08:21

profy

1,146
9
20

1

That solved my problem, but do you know the reason why it does not work when it is auto? – Sarp Kaya Sep 20 '12 at 04:01
1

Maybe it's because I'm using a fake root zone like intra. or local. Are you in the same situation ? – profy Sep 20 '12 at 09:07
@profy I also had to do this with my xxxxxx.local forward zone so this may be the issue! – Allison Aug 04 '17 at 15:46
1

This worked also for me...I am very curios on the why! – Zioalex Jun 06 '20 at 15:25
1

It is because local created zone are not (and cannot be) signed with dnssec. – profy Nov 09 '20 at 10:48

score 2 · Answer 2 · answered Sep 19 '12 at 07:36

2

You need to differentiate between your bind misconfiguration and not-working forwarders.

You can verify whether the forwarders are working or not using a command like:

$ dig @131.181.127.32 www.google.com

If you received a valid response, it is a working DNS server and so on.

You may need to add an explicit allow-recursion in your bind configuration. It is recommended to restrict this to specific IPs/subnets.

answered Sep 19 '12 at 07:36

Khaled

36,533
8
72
99

DNS servers are working. My question is bind9 does not forward any requests to these forwarders. – Sarp Kaya Sep 19 '12 at 07:48
Better way is to use dig @nameserver -trace sitename, this will show where the answer is being gotten. – MealstroM Jan 15 '13 at 19:09
1

allow-recursion was the key for me. Thanks. – Diego Fernández Durán Aug 05 '14 at 15:52

bind9 - forwarders are not working

2 Answers2