0

I have configured an internal DNS for my office network using BIND on CentOS6 ... The problem I am having is that when I use that DNS server as a primary DNS my entire network loses internet connectivity, but the internal websites (eg: app.mydomain.com) I have configured on that DNS server are working fine ... I can't seem to figure out the issue ... I would really appreciate it if you guys could point me in the right direction and point out what it is I need to do to make it work. Thanks

Here is my named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 192.168.2.2; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.2.0/24; };
        allow-transfer  { localhost; 192.168.2.2; };
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        forwarders {
                192.168.1.1;
        };

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "b29devserver.com" IN {
        type master;
        file "b29devserver.com.zone";
        allow-update { none; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
FaISalBLiNK
  • 113
  • 4

4 Answers

0

Well, quite obviously your DNS thinks it knows the world.

You have either not configured a forwarder for unknown domains, or forgotten to set up / activate the root DNS servers. Both would allow the DNS to forward requests it does not know how to handle to another party.

Right direction? Documentation - look up forwarder (in this case you can point the DNS to google's public DNS service) or root name servers.

I am not using bind, so I cannot be more specific. But that is the gist.

TomTom
  • 51,649
  • 7
  • 54
  • 136
0

As I can see from your named.conf, your server is configured to redirect all unknown queries to the server 192.168.1.1. You should check:

  1. Is server 192.168.1.1 accessible from your DNS?
  2. Is a DNS server running on 192.168.1.1?
  3. Does this server have forwarders or the recursion option set?
  4. Does this server allow queries from your DNS?

How does it behave when you use 192.168.1.1 as your primary DNS?

Ondra Sniper Flidr
  • 2,653
  • 12
  • 18
0

You don't need to have forwarders in /etc/named.conf. For checking purposes, put a temporary Windows server on the 192.168.2.0 network (say IP 192.168.2.3).

Add nameserver 192.168.2.3 to /etc/resolv.conf on the Linux DNS server along with its own.

In the clients, put the router IP as the gateway, the Linux DNS server as primary and the Windows DNS server as secondary, and check internet connectivity. Keep A records for the internal website servers in both DNS servers.

Now, swapping the primary and secondary DNS entries in the clients, do an nslookup of the internal website servers and internet servers. This will give an idea of where the issue occurs. Update your findings.

BDRSuite
  • 400
  • 1
  • 9
-1

Your problem is here:

forwarders {
        192.168.1.1;
};

Your bind server tries to forward unknown domains to itself, therefore they cannot be resolved. Add (for example) Google DNS there and try again:

forwarders {
        8.8.8.8;
        8.8.4.4;
};
user1700494
  • 1,642
  • 2
  • 12
  • 21
  • It is not so clear - 192.168.1.1 can be another working internal DNS server. – Ondra Sniper Flidr Feb 10 '16 at 10:33
  • 192.168.1.1 is my router and when I use 192.168.1.1 as my primary DNS .. internet works fine on my network ... – FaISalBLiNK Feb 10 '16 at 10:39
  • I added `8.8.8.8` and `8.8.4.4` as forwarders but no luck ... can't access the internet – FaISalBLiNK Feb 10 '16 at 10:40
  • try also changing `recursion` to yes and adding `allow-recursion { localhost; 192.168.2.0/24;};` – user1700494 Feb 10 '16 at 10:45
  • @user1700494 ... I have changed `recursion` to `yes` and added `allow-recursion { localhost; 192.168.2.0/24;};` and it seems to be working ... Thanks – FaISalBLiNK Feb 10 '16 at 10:53
  • I would remove the google forwarders and just let the recurser use named.ca hints (which should already be there) so you are not leaking your requests to google. Provided your name server is allowed udp/tcp port 53 outbound, there should be no need for forwarders. – Aaron Feb 10 '16 at 13:07
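An added example, not code from the question or any of the answers, that ties together the checklist answer (is the forwarder reachable and does it answer?) and the fix agreed in the comment thread (turn recursion on, restricted to the LAN). It is a POSIX shell audit of the options{} block of a named.conf: it flags the combination in the posted file (recursion off while forwarders are set, so forwarded lookups for clients never happen) and warns when recursion is enabled without a restrictive allow-recursion, which is what turns an internal server into an open resolver. It assumes a flat layout like the posted file (one directive per line, options{} closed by a `};` in column 0); the two sample configs, the temp file names and `check_forwarder`'s use of dig are constructed for the example, and the live check is skipped when dig is not installed.

```shell
#!/bin/sh
# Added example, not code from the thread: audits the options{} block of a BIND
# named.conf for the recursion/forwarders combination discussed above, and can
# live-check a forwarder. Assumes one directive per line and that options{}
# ends at the first "};" in column 0, as in the posted file. All file contents,
# names and IPs below are constructed samples.

# Print the body of the top-level options { ... } block.
options_block() {
    sed -n '/^[[:space:]]*options[[:space:]]*{/,/^};/p' "$1"
}

# Print the value of a single-line directive ("recursion no;" -> "no"); empty if absent.
directive() {
    # $1 = named.conf path, $2 = directive name
    options_block "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p" \
      | head -n 1
}

# Exit status: 0 = sane; 1 = the symptom in the question (recursion off, so the
# forwarders are never used for client lookups); 2 = recursion open too widely.
audit_recursion() {
    conf=$1
    recursion=$(directive "$conf" recursion)
    recursion=${recursion:-yes}            # BIND's default when the directive is absent
    allow_rec=$(directive "$conf" allow-recursion)
    forwarders=no
    options_block "$conf" | grep -q '^[[:space:]]*forwarders[[:space:]]*{' && forwarders=yes

    if [ "$recursion" != yes ]; then
        if [ "$forwarders" = yes ]; then
            echo "PROBLEM: recursion no; the forwarders block is never used for client lookups"
            return 1
        fi
        echo "OK: authoritative-only server (no recursion, no forwarders)"
        return 0
    fi
    case "$allow_rec" in
        "")        echo "WARN: recursion yes but no allow-recursion; set it explicitly rather than relying on BIND's ACL fallbacks"; return 2 ;;
        *" any;"*) echo "WARN: allow-recursion { any; } makes this an open resolver"; return 2 ;;
        *)         echo "OK: recursion limited to $allow_rec"; return 0 ;;
    esac
}

# Live check for items 1, 2 and 4 of the checklist answer; needs dig.
# Exit status: 0 answered, 1 no usable answer, 3 skipped (dig not installed).
check_forwarder() {
    # $1 = forwarder IP, $2 = a public name to resolve
    command -v dig >/dev/null 2>&1 || { echo "dig not installed; skipping"; return 3; }
    if dig @"$1" "$2" +time=2 +tries=1 | grep -q 'status: NOERROR'; then
        echo "forwarder $1 resolved $2"; return 0
    fi
    echo "forwarder $1 gave no usable answer for $2 (down, not DNS, or refusing recursion)"
    return 1
}

# Constructed sample: the shape of the posted config (recursion off + forwarders).
sample_before() {
    cat <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; 192.168.2.2; };
        allow-query     { localhost; 192.168.2.0/24; };
        recursion no;
        forwarders {
                192.168.1.1;
        };
};
EOF
}

# Constructed sample: the change agreed in the comments, recursion restricted to the LAN.
sample_after() {
    cat <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; 192.168.2.2; };
        allow-query     { localhost; 192.168.2.0/24; };
        recursion yes;
        allow-recursion { localhost; 192.168.2.0/24; };
};
EOF
}

# Stand-alone demo over the two samples.
for mk in sample_before sample_after; do
    f=$(mktemp); "$mk" > "$f"
    rc=0; audit_recursion "$f" || rc=$?
    echo "  ($mk -> exit $rc)"; rm -f "$f"
done
```

Run it against a real file with `audit_recursion /etc/named.conf`, and `check_forwarder 192.168.1.1 example.com` to test the router as a forwarder from the DNS host. The point behind the comment-thread fix is that `recursion yes` on its own widens who may use the server as a resolver, so it belongs next to an explicit `allow-recursion { localhost; 192.168.2.0/24; };` and the already restricted `allow-query`, so that only the office LAN can recurse through it.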