
I am trying to set up a basic DNS server that just forwards requests from other DNS servers.

I've installed bind9 and edited the /etc/bind/named.conf.options file as below.

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.

    forwarders {
        8.8.8.8;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};

So it should be forwarding requests to the Google DNS server (trivial but I intend to add more at a later date).

Next I've edited /etc/network/interfaces to add the DNS server as a loopback (127.0.0.1) for testing. I've then performed a sudo service bind9 start and a sudo ifdown ens33 && sudo ifup ens33 to bring it all up.

But this doesn't seem to have worked. I've performed a dig google.com and it's not resolving its request from itself (127.0.0.1).

; <<>> DiG 9.10.3-P4-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63300
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;google.com.            IN  A

;; ANSWER SECTION:
google.com.     276 IN  A   216.58.220.110

;; Query time: 0 msec
;; SERVER: 192.168.0.3#53(192.168.0.3)
;; WHEN: Sun Feb 26 16:43:05 PST 2017
;; MSG SIZE  rcvd: 55

I've also tried connecting to the DNS server externally via a Windows 7 machine but it doesn't seem to resolve anything; an nslookup query from the Windows 7 machine gives the following results.

nslookup google.com
Server:  UnKnown
Address:  192.168.0.188

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

I've performed a sudo service bind9 status which tells me the service is active but it seems with some resolving issues.

● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since Sun 2017-02-26 16:26:44 PST; 20min ago
     Docs: man:named(8)
  Process: 1329 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 1334 (named)
    Tasks: 7 (limit: 512)
   CGroup: /system.slice/bind9.service
           └─1334 /usr/sbin/named -f -u bind

Feb 26 16:39:24 ubuntu named[1334]: network unreachable resolving '151.in-addr.arpa/DNSKEY/IN': 2001:500:2f::f#53
Feb 26 16:39:24 ubuntu named[1334]: REFUSED unexpected RCODE resolving '151.in-addr.arpa/DNSKEY/IN': 202.12.27.33#53
Feb 26 16:39:24 ubuntu named[1334]: network unreachable resolving '151.in-addr.arpa/DNSKEY/IN': 2001:dc3::35#53
Feb 26 16:39:24 ubuntu named[1334]: REFUSED unexpected RCODE resolving '151.in-addr.arpa/DNSKEY/IN': 192.112.36.4#53
Feb 26 16:39:24 ubuntu named[1334]: REFUSED unexpected RCODE resolving '151.in-addr.arpa/DNSKEY/IN': 192.228.79.201#53
Feb 26 16:39:24 ubuntu named[1334]: network unreachable resolving '151.in-addr.arpa/DNSKEY/IN': 2001:500:84::b#53
Feb 26 16:39:24 ubuntu named[1334]: network unreachable resolving '151.in-addr.arpa/DNSKEY/IN': 2001:500:12::d0d#53
Feb 26 16:39:24 ubuntu named[1334]: REFUSED unexpected RCODE resolving '151.in-addr.arpa/DNSKEY/IN': 198.97.190.53#53
Feb 26 16:39:24 ubuntu named[1334]: network unreachable resolving '151.in-addr.arpa/DNSKEY/IN': 2001:500:1::53#53
Feb 26 16:39:24 ubuntu named[1334]: broken trust chain resolving '69.65.101.151.in-addr.arpa/PTR/IN': 8.8.8.8#53

Can anyone spot what I've done wrong or give me pointers on what I should be checking next?

Puddler
  • Few issues: use `dig` for troubleshooting, and not `nslookup` and always specifically provide the ip address of the nameserver you are querying such as `@127.0.0.1` even more so since your snippet says `SERVER: 192.168.0.3` which is not in line with your preamble speaking about `127.0.0.1` ; also your configuration has a listen directive for IPv6 but nothing for IPv4. And based on your logfile you clearly have IPv6 network issues. – Patrick Mevzek Feb 27 '17 at 19:45
  • @PatrickMevzek - the `nslookup` was from a Windows 7 machine which doesn't have `dig`. The DNS server I was setting up had an IP address of `192.168.0.188` which is what I configured the Windows 7 machine to use for its DNS server. I'm not sure how the `192.168.0.3` has come into my DNS setup. It's not something I have explicitly or deliberately configured. Thanks for pointing out that I don't have a listen directive for IPv4. Which part of the logfile is telling you my IPv6 is having issues? – Puddler Feb 28 '17 at 00:19
  • when you use dig, always add `@IP` with the IP of the nameserver you query so that you are sure you are diagnosing what you need to diagnose. As for IPv6, you have: `network unreachable ... 2001:500:84::b#53` which looks like you may have IPv6 issues. Are you sure you have IPv6 connectivity? – Patrick Mevzek Feb 28 '17 at 22:39
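The three points raised in the comments above (which server `dig` actually talked to, whether an IPv4 `listen-on` is stated explicitly, and whether the named log shows IPv6 reachability problems) can be checked mechanically instead of by eye. The script below is an added example written for this page; it is not part of the question, of BIND, or of any answer. It embeds constructed copies of the config, log and `dig` excerpts from the question, and the helper names (`listen_directives`, `classify_log`, `dig_server`, `diagnose`) and the expected-server value `127.0.0.1` are assumptions of the example. One caveat is built in: BIND listens on all IPv4 interfaces when `listen-on` is absent, so a missing directive is reported as something to make explicit, not as a proven fault.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed inputs: trimmed copies of the excerpts posted in the question.
NAMED_CONF_OPTIONS = """
options {
    directory "/var/cache/bind";
    forwarders {
        8.8.8.8;
    };
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
"""

NAMED_LOG = """\
Feb 26 16:39:24 ubuntu named[1334]: network unreachable resolving '151.in-addr.arpa/DNSKEY/IN': 2001:500:2f::f#53
Feb 26 16:39:24 ubuntu named[1334]: REFUSED unexpected RCODE resolving '151.in-addr.arpa/DNSKEY/IN': 202.12.27.33#53
Feb 26 16:39:24 ubuntu named[1334]: network unreachable resolving '151.in-addr.arpa/DNSKEY/IN': 2001:dc3::35#53
Feb 26 16:39:24 ubuntu named[1334]: broken trust chain resolving '69.65.101.151.in-addr.arpa/PTR/IN': 8.8.8.8#53
"""

DIG_OUTPUT = """\
;; Query time: 0 msec
;; SERVER: 192.168.0.3#53(192.168.0.3)
;; WHEN: Sun Feb 26 16:43:05 PST 2017
"""


def strip_comments(conf):
    """named.conf accepts C, C++ and shell style comments; drop all three."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def listen_directives(conf):
    """Report which listen-on families are written in the file and the forwarders."""
    text = strip_comments(conf)
    fwd = re.search(r"forwarders\s*\{([^}]*)\}", text)
    return {
        # 'listen-on' followed by an optional port and a brace; does not match listen-on-v6
        "ipv4": re.search(r"\blisten-on\s*(?:port\s+\d+\s*)?\{", text) is not None,
        "ipv6": re.search(r"\blisten-on-v6\s*(?:port\s+\d+\s*)?\{", text) is not None,
        "forwarders": re.findall(r"[0-9a-fA-F.:]+", fwd.group(1)) if fwd else [],
    }


# "named[PID]: <message> resolving '<name>/<type>/<class>': <address>#<port>"
LOG_RE = re.compile(r"named\[\d+\]: (?P<msg>.+?) resolving '(?P<name>[^']+)': (?P<addr>[^#]+)#\d+")


def classify_log(log_text):
    """Count resolver errors by (message, address family) so IPv6-only failures stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        family = "ipv6" if ip_address(m["addr"]).version == 6 else "ipv4"
        counts[(m["msg"], family)] += 1
    return counts


def dig_server(dig_text):
    """Return the address from dig's ';; SERVER:' line, i.e. who actually answered."""
    m = re.search(r"^;; SERVER: (\S+?)#\d+", dig_text, re.M)
    return m.group(1) if m else None


def diagnose(conf, log_text, dig_text, expected_server="127.0.0.1"):
    """Return a list of findings; an empty list means none of the three checks fired."""
    findings = []
    listen = listen_directives(conf)
    if listen["ipv6"] and not listen["ipv4"]:
        findings.append("no listen-on for IPv4 (BIND defaults to all IPv4 interfaces; "
                        "state it explicitly so the intent is visible)")
    server = dig_server(dig_text)
    if server != expected_server:
        findings.append(f"dig was answered by {server}, not {expected_server}; "
                        f"re-run as 'dig @{expected_server} <name>'")
    v6_unreachable = classify_log(log_text)[("network unreachable", "ipv6")]
    if v6_unreachable:
        findings.append(f"{v6_unreachable} 'network unreachable' errors to IPv6 upstreams; "
                        "named is using IPv6 without connectivity (fix IPv6 or start named with -4)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(NAMED_CONF_OPTIONS, NAMED_LOG, DIG_OUTPUT):
        print("-", finding)
```

Run against the question's own excerpts the script reports all three findings; against a config with an explicit `listen-on`, a `dig` answered by `127.0.0.1` and a clean log it reports nothing, which is the state to aim for before testing from the Windows client.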

0 Answers