
Just upgraded my Ubuntu 12.04 LTS system to 14.04 LTS and now the bind9 / DNS system does not work properly anymore.

    dig google.de

    ; <<>> DiG 9.9.5-3ubuntu0.5-Ubuntu <<>> google.de
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24964
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;google.de.         IN  A

    ;; Query time: 0 msec
    ;; SERVER: 127.0.1.1#53(127.0.1.1)
    ;; WHEN: Sat Oct 17 16:51:06 CEST 2015
    ;; MSG SIZE  rcvd: 27

I found the following links for the issue:

Then I tried to change my named.conf.options by e.g.

  1. uncommenting the dnssec entries
  2. adding recursion yes; allow-query { any; };
  3. adding allow-recursion
  4. modifying /etc/nsswitch.conf
  5. fixing permissions in /etc/bind

git diff named.conf.options:

+  #dnssec-validation auto;
+  allow-query { any; };
+  listen-on   { any; };
+  allow-recursion { any; };
+  allow-recursion-on { any; };
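Review bot: the `+  #dnssec-validation auto;` line is a no-op as shown, because there is no `-` line removing the active `dnssec-validation auto;` directive, so validation is still on after this change; if disabling it is intended, the original line has to go, and if not, drop the added comment. Separately, `listen-on { any; };`, `allow-query { any; };` and `allow-recursion { any; };` together make named answer recursive queries from every address it is reachable on, which is an open resolver on any interface that is not private; for a local test, scope them to the clients that need service, e.g. `allow-recursion { 127.0.0.0/8; localnets; };`.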

after

    service bind9 restart

the problem persists.

None of this works. I'd like to debug this and find out what's happening and why the upgrade leads to this situation where I have an unusable system now.

To debug I set up the logging with

    // http://www.zytrax.com/books/dns/ch7/logging.html
    logging {
      channel simple_log {
        file "/var/log/named/bind.log" versions 3 size 5m;
        //severity warning;
        severity debug 10;
        print-time yes;
        print-severity yes;
        print-category yes;
      };
      category default {
        simple_log;
      };
    };

and there are now entries in the log file e.g. with

    request is not signed

All this happens if /etc/resolv.conf has

    nameserver 127.0.1.1

If I change it to the actual IP address of the server, the problem goes away ... So it looks like https://askubuntu.com/questions/627899/nameserver-127-0-1-1-in-resolv-conf-wont-go-away might have the answer ...

Wolfgang Fahl
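A way to see which resolver actually answers on 127.0.1.1 versus the host's real address, added here as an example and not taken from the question or the answer: it sends the same A query dig sent, decodes the response header into the fields dig prints (id, flags, status, section counts) and probes both addresses so the two statuses can be compared side by side. The server addresses, the query ID 24964 and the constructed REFUSED reply are assumptions modelled on the dig output above; only `probe` needs a live resolver, the parser runs offline against the constructed reply.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def build_query(qname, qid, rd=True):
    """Build a minimal DNS A/IN query in RFC 1035 wire format."""
    flags = 0x0100 if rd else 0  # RD bit: ask the server to recurse
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_header(resp):
    """Decode the 12-byte header into the fields dig prints."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    return {"id": qid,
            "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080),
            "status": RCODES.get(rcode, "RCODE%d" % rcode),
            "QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar}

def probe(server, qname="google.de", qid=24964, timeout=2.0):
    """Send one UDP query to server:53 and return its parsed header."""
    query = build_query(qname, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(512)
    header = parse_header(resp)
    if header["id"] != qid:
        raise ValueError("response ID %d does not match query ID %d" % (header["id"], qid))
    return header

# Constructed reply (not captured from the asker's host) matching the header in the
# question: id 24964, flags qr rd ra, status REFUSED, QUERY 1, ANSWER 0. It is 27
# bytes long, the same "MSG SIZE rcvd" dig reported.
REFUSED_REPLY = (struct.pack("!HHHHHH", 24964, 0x8185, 1, 0, 0, 0)
                 + build_query("google.de", 24964)[12:])

if __name__ == "__main__":
    # Compare what 127.0.1.1 (the resolv.conf entry) and 127.0.0.1 answer.
    for server in ("127.0.1.1", "127.0.0.1"):
        try:
            print(server, probe(server))
        except (socket.timeout, OSError) as exc:
            print(server, "no response:", exc)
```

A REFUSED status on one address and NOERROR on the other shows that two different resolvers are answering, which is what changing the nameserver line in /etc/resolv.conf exposes.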

1 Answer

  1. Check if recursion is turned on: recursion yes;

  2. Check the listening IP, it might be the case that your DNS (TCP53) is not listening on 127.0.0.1: e.g. listen-on port 53 { any; };

  3. Check your dnssec settings, it might look similar to the following:

    dnssec-enable yes;
    dnssec-validation yes;
    
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    
    managed-keys-directory "/var/named/dynamic";
    
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    
Dmitriy Kupch