
I just set up a DNS server and a web server using Virtualbox. The IP address of the DNS server is 192.168.56.101 and the web server 192.168.56.102.

Here are my configuration files for the DNS server:

named.conf:

[quan@localhost ~]$ sudo cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
    //query-source address * port 53;

    //forward first;
    forwarders { 8.8.8.8; 8.8.4.4; };

    listen-on port 53 { 127.0.0.1; 192.168.56.0/24; };
    allow-query { localhost; 192.168.56.0/24; };
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity debug 10;
                print-category yes;
                print-time yes;
                print-severity yes;
            };
};

zone "quantran.com" in {
    type master;
    file "named.quantran.com";
};

zone "56.168.192.in-addr.arpa" in {
    type master;
    file "named.192.168.56";
    allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

named.quantran.com:

[quan@localhost ~]$ sudo cat /var/named/named.quantran.com
$TTL 86400
quantran.com.       IN SOA  dns1.quantran.com. root.quantran.com. (
                        100     ; serial
                        3600    ; refresh
                        600     ; retry
                        604800  ; expire
                        86400 )
                    IN NS       dns1.quantran.com.
dns1.quantran.com.  IN A        192.168.56.101
www.quantran.com.   IN A        192.168.56.102

named.192.168.56:

[quan@localhost ~]$ sudo cat /var/named/named.192.168.56
$TTL 86400
$ORIGIN 56.168.192.in-addr.arpa.
@                               IN SOA  dns1.quantran.com. root.quantran.com. (
                                    100     ; serial
                                    3600    ; refresh
                                    600     ; retry
                                    604800  ; expire
                                    86400 ) ; minimum
                                IN NS   dns1.quantran.com.
101.56.168.192.in-addr.arpa.    IN PTR  dns1.quantran.com.
102                             IN PTR  www.quantran.com.

When I try a normal lookup from the host (I configured the host so that the only nameserver it uses is the DNS server 192.168.56.101):

quan@quantran:~$ host www.quantran.com
www.quantran.com has address 192.168.56.102
quan@quantran:~$ host dns1.quantran.com
dns1.quantran.com has address 192.168.56.101

But when I try a reverse lookup:

quan@quantran:~$ host -v 192.168.56.101 192.168.56.101
Trying "101.56.168.192.in-addr.arpa"
Using domain server:
Name: 192.168.56.101
Address: 192.168.56.101#53
Aliases: 

Host 101.56.168.192.in-addr.arpa not found: 2(SERVFAIL)
Received 45 bytes from 192.168.56.101#53 in 0 ms

quan@quantran:~$ host -v 192.168.56.102 192.168.56.101
Trying "102.56.168.192.in-addr.arpa"
Using domain server:
Name: 192.168.56.101
Address: 192.168.56.101#53
Aliases: 

Host 102.56.168.192.in-addr.arpa not found: 2(SERVFAIL)
Received 45 bytes from 192.168.56.101#53 in 0 ms

So why can't I perform a reverse lookup? Anything wrong with the zone configuration files?

Thanks in advance :)

Oh, here is the output from the log file /var/named/data/named.run when I perform the reverse lookup:

quan@quantran:~$ host 192.168.56.102 192.168.56.101
Using domain server:
Name: 192.168.56.101
Address: 192.168.56.101#53
Aliases: 

Host 102.56.168.192.in-addr.arpa not found: 2(SERVFAIL)

/var/named/data/named.run:

02-Jun-2014 15:18:11.950 client: debug 3: client 192.168.56.1#51786: UDP request
02-Jun-2014 15:18:11.950 client: debug 5: client 192.168.56.1#51786: using view '_default'
02-Jun-2014 15:18:11.950 security: debug 3: client 192.168.56.1#51786: request is not signed
02-Jun-2014 15:18:11.950 security: debug 3: client 192.168.56.1#51786: recursion available
02-Jun-2014 15:18:11.950 client: debug 3: client 192.168.56.1#51786: query
02-Jun-2014 15:18:11.950 client: debug 10: client 192.168.56.1#51786: ns_client_attach: ref = 1
02-Jun-2014 15:18:11.950 query-errors: debug 1: client 192.168.56.1#51786: query failed (SERVFAIL) for 102.56.168.192.in-addr.arpa/IN/PTR at query.c:5428
02-Jun-2014 15:18:11.950 client: debug 3: client 192.168.56.1#51786: error
02-Jun-2014 15:18:11.950 client: debug 3: client 192.168.56.1#51786: send
02-Jun-2014 15:18:11.950 client: debug 3: client 192.168.56.1#51786: sendto
02-Jun-2014 15:18:11.951 client: debug 3: client 192.168.56.1#51786: senddone
02-Jun-2014 15:18:11.951 client: debug 3: client 192.168.56.1#51786: next
02-Jun-2014 15:18:11.951 client: debug 10: client 192.168.56.1#51786: ns_client_detach: ref = 0
02-Jun-2014 15:18:11.951 client: debug 3: client 192.168.56.1#51786: endrequest
02-Jun-2014 15:18:11.951 client: debug 3: client @0xb537e008: udprecv

Also, I made some changes to the log section in named.conf.

Host's resolv.conf:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.56.101
#nameserver 127.0.1.1
Quan Tran
    Anything useful in bind's logs? – Flup Jun 02 '14 at 07:48
  • I added output from the log file when I tried to perform a reverse lookup. Also, there are some changes at the log section. – Quan Tran Jun 02 '14 at 08:34
  • I just tried it on my BIND (debian wheezy package) and it worked. I had to use the full path to the zonefile, though, i.e. `/etc/bind/named.192.168.56`, or else I got a "file not found" error: `zone 56.168.192.in-addr.arpa/IN: loading from master file named.192.168.56 failed: file not found`. That doesn't seem to be your problem, because the other zonefile is working. It's worth a try, though. – Thomas Jun 02 '14 at 10:35
  • Can you show me the full path & content of each file: /etc/resolv.conf, named.conf, named.quantran.com? I think some path is not correct. – Jun 02 '14 at 14:15

1 Answer


The problem is actually the file's permission settings. Here is the content of the /var/named folder:

[root@localhost quan]# ls -alZ /var/named/
drwxr-x---. root  named system_u:object_r:named_zone_t:s0 .
drwxr-xr-x. root  root  system_u:object_r:var_t:s0       ..
drwxrwx---. named named system_u:object_r:named_cache_t:s0 data
drwxrwx---. named named system_u:object_r:named_cache_t:s0 dynamic
-rw-r-----. root  root  unconfined_u:object_r:named_zone_t:s0 named.192.168.56
-rw-r-----. root  named system_u:object_r:named_conf_t:s0 named.ca
-rw-r-----. root  named system_u:object_r:named_zone_t:s0 named.empty
-rw-r-----. root  named system_u:object_r:named_zone_t:s0 named.localhost
-rw-r-----. root  named system_u:object_r:named_zone_t:s0 named.loopback
-rw-r--r--. root  root  unconfined_u:object_r:named_zone_t:s0 named.quantran.com
drwxrwx---. named named system_u:object_r:named_cache_t:s0 slaves

As you can see, the file named.quantran.com is chmod 644 and it can be read by user named. However, named.192.168.56 (the reverse zone configuration file) is chmod 640 and cannot be read by user named. Therefore I could not perform a reverse lookup successfully. Still, I cannot understand why it was chmod 640 while named.quantran.com was chmod 644 @@

Quan Tran
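The answer above boils down to one check: every file named in a `zone { file "..."; }` stanza must be readable by the account `named` runs as, and a zone whose file cannot be opened answers SERVFAIL while the other zones keep working. The following script is an added example for this thread, not the poster's code or part of BIND: it parses the zone stanzas out of a named.conf body (resolving relative file names against `options { directory "..."; }`, the way named does), then judges readability from the owner/group/other mode bits for a given uid and set of gids. The `demo()` function rebuilds the situation from the `ls -alZ` listing in a temp directory (forward zone file mode 0644, reverse zone file mode 0640, neither owned by the service account). The uid/gid 25 for `named` and the named.conf text are constructed assumptions; `include` statements are not followed.

```python
import os
import re
import stat
import tempfile

# Assumed service-account ids (25 is the conventional 'named' uid/gid on
# RHEL-style systems); passed in explicitly so no real user lookup is needed.
NAMED_UID = 25
NAMED_GID = 25

# Constructed named.conf mirroring the question's stanzas; %s is the directory.
NAMED_CONF_TEMPLATE = """
// constructed test config, not the poster's file
options {
    directory   "%s";
    recursion yes;
};

zone "quantran.com" in {
    type master;
    file "named.quantran.com";
};

zone "56.168.192.in-addr.arpa" in {
    type master;
    file "named.192.168.56";
    allow-update { none; };
};
"""


def strip_comments(text):
    """Drop BIND's three comment styles (/* */, //, #) before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r"#[^\n]*", "", text)
    return text


def zone_stanzas(text):
    """Yield (zone_name, body) pairs, matching braces so a nested block such as
    'allow-update { none; };' does not cut the zone body short."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"', text):
        start = text.index("{", m.end())
        depth = 0
        for j in range(start, len(text)):
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
                if depth == 0:
                    yield m.group(1), text[start + 1:j]
                    break


def zone_files(named_conf_text):
    """Map each zone to the absolute path of its file; relative names resolve
    against options { directory "..." }, defaulting to /var/named."""
    text = strip_comments(named_conf_text)
    d = re.search(r'\bdirectory\s+"([^"]+)"\s*;', text)
    base = d.group(1) if d else "/var/named"
    out = {}
    for name, body in zone_stanzas(text):
        f = re.search(r'\bfile\s+"([^"]+)"\s*;', body)
        if f:
            path = f.group(1)
            out[name] = path if os.path.isabs(path) else os.path.join(base, path)
    return out


def readable_by(path, uid, gids):
    """Decide from the owner/group/other bits whether a process running as uid
    with groups gids could open path for reading. POSIX ACLs and SELinux
    labels are outside this check."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def audit(named_conf_text, uid, gids):
    """Return {zone: None if its file is readable by the service account,
    otherwise a short description of the problem}."""
    report = {}
    for zone, path in zone_files(named_conf_text).items():
        if not os.path.exists(path):
            report[zone] = "missing: " + path
        elif not readable_by(path, uid, gids):
            st = os.stat(path)
            report[zone] = "unreadable by uid %d: %s is mode %o owned by %d:%d" % (
                uid, path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
        else:
            report[zone] = None
    return report


def demo():
    """Reproduce the answer's listing: forward zone file 0644, reverse zone
    file 0640, both owned by the current user rather than by named."""
    d = tempfile.mkdtemp()
    for name, mode in (("named.quantran.com", 0o644), ("named.192.168.56", 0o640)):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("; constructed placeholder zone data\n")
        os.chmod(p, mode)
    return audit(NAMED_CONF_TEMPLATE % d, NAMED_UID, {NAMED_GID})


if __name__ == "__main__":
    for zone, problem in demo().items():
        print(zone, "ok" if problem is None else problem)
```

Running it prints `quantran.com ok` and an `unreadable by uid 25 ... mode 640 owned by ...` line for `56.168.192.in-addr.arpa`, which is exactly the asymmetry the `ls -alZ` output shows. The mode-bit test is a quick audit, not the final word: the direct operational check is to load the zone as the service account itself, for example `sudo -u named named-checkzone 56.168.192.in-addr.arpa /var/named/named.192.168.56`, which also catches ACLs and SELinux labels that mode bits cannot express. The fix on the page, `chmod 644` (or `chown root:named` with mode 640, matching the stock files in the listing), is what makes that load succeed.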