
I installed a simple BIND server on Fedora 28.

By default, DNS queries for which it has no answer are sent to the root servers. However, I want them to go to the OpenDNS servers.

I have removed the zone "." entry, removed named.ca and configured forwarders, but the queries still keep going to the root servers. I simply don't understand why it keeps ignoring the settings.

I have tried putting the forwarders in the "." zone and disabling DNSSEC. Nothing works.

This is the config I have:

```
// clients allowed to query this server
acl "trusted" { 192.168.0.10; 192.168.0.11; 192.168.0.0/24; };

options {
    listen-on port 53 { 127.0.0.1; 192.168.0.10; };
#   listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file   "/var/named/data/named.secroots";
    recursing-file  "/var/named/data/named.recursing";
    allow-transfer { 192.168.0.11; };
    allow-query     { trusted; };
    // upstream resolvers; no "forward" statement, so the default "forward first" applies
    forwarders  { 208.69.38.205; 8.8.4.4; };

    // forwarding is only done for recursive client queries
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named/named.conf.local";
```
Stijn

2 Answers


You can't do what you're trying to do with a recursive nameserver. Recursive servers REQUIRE the use of the root server hints, otherwise they'll never be able to operate in a recursive manner. It sounds like what you are trying to do is set up a forwarding nameserver, which is a different configuration. For starters, you should probably set:

```
recursion no;
```

That way, any requests that aren't satisfied by your local zones should be sent to your forwarders. In this configuration, the root hints are irrelevant.

guzzijason
  • I tried that, but then I don't get any results: `;; Got recursion not available from 192.168.0.10, trying next server ;; connection timed out; no servers could be reached` – Stijn Oct 17 '18 at 18:59
  • If I've read the information correctly, recursion just means looking for RRs the DNS server does not have itself. With forwarding configured, it does not do the recursive queries itself but forwards them to the DNS server defined. Disabling it means it won't even forward recursive queries. – Stijn Oct 17 '18 at 19:27
  • No, that's not really what recursion means. Recursion means that it's going to do a _recursive_ lookup of records it doesn't have, by first going to root servers, then going to the authoritative nameservers for the TLD, and so on until it eventually reaches the authoritative nameservers that can service the original query. If a server isn't recursive, and you want it to handle requests for unknown records, then it **MUST** be set up as a forwarder, forwarding requests to upstream nameservers which are assumed to be recursive. – guzzijason Oct 17 '18 at 19:33
  • Question: from your nameserver, can you test sending queries directly to the OpenDNS servers (`208.69.38.205; 8.8.4.4;`), such as using `dig`? Example: `dig example.com. @208.69.38.205` – guzzijason Oct 17 '18 at 19:34
  • Yes, that works. – Stijn Oct 17 '18 at 21:02
  • Hmm... are you sure? `208.69.38.205` isn't even the correct address for an OpenDNS nameserver. If you want to take the discussion to a chat room, I just posted an example working (forwarder) config here: https://chat.stackexchange.com/rooms/84602 – guzzijason Oct 17 '18 at 21:41

I think you made the same mistake I did in your config: leaving out an option is not the same as disabling it. If I try your setup and then add "recursion no", it no longer works. If I add "recursion yes", it works and uses the forwarders. Remove "recursion yes" and it still works, which leads me to believe it is one of those default values that don't actually need to be present. Can you try to explicitly add "recursion no" to your config and see what that gives?

I also figured out that my forwarders are working. I just misinterpreted the output of dig, which makes you think you are using the root servers. Running a tcpdump shows it is using the forwarders (with recursion enabled).

```
10:47:33.510150 IP ns1.example.com.60730 > resolver1.opendns.com.domain: 61783+% [1au] A? bol.com. (48)
10:47:33.510394 IP ns1.example.com.60390 > resolver1.opendns.com.domain: 9220+ [1au] NS? . (40)
10:47:33.511347 IP ns1.example.com.40736 > resolver1.opendns.com.domain: 43411+% [1au] PTR? 222.222.67.208.in-addr.arpa. (68)
10:47:33.534959 IP resolver1.opendns.com.domain > ns1.example.com.60730: 61783 1/0/1 A 185.14.169.113 (52)
```

Another quirky thing I noticed was that if you have no forwarders and no zone "." pointing to the root servers in your config file, BIND will still send your requests to the root servers. According to the docs, that is built right into the code. So I am really wondering how to disable those root servers. I set my forwarders to a non-existing address and nslookup still resolved. According to tcpdump it just went to another DNS server; no idea where it got the address.

```
10:42:45.732005 IP ns1.example.com.52230 > 192.168.200.1.domain: 64083+% [1au] A? hln.be. (47)
10:42:46.933559 IP ns1.example.com.37736 > 193.108.91.125.domain: 36207% [1au] A? hln.be. (47)
10:42:46.937345 IP ns1.example.com.51521 > 192.168.200.1.domain: 29431+% [1au] PTR? 125.91.108.193.in-addr.arpa. (68)
10:42:46.963452 IP 193.108.91.125.domain > ns1.example.com.37736: 36207*- 1/0/1 A 104.104.202.130 (51)
```

I am still open to the fact that I am wrong about this.

Stijn
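A way to check captures like the two in the answer above mechanically, as an added example that is not part of the original post: the script parses tcpdump's DNS summary lines and flags every outbound query that went to a host outside the configured forwarder set or was sent without the recursion-desired bit (tcpdump prints RD as `+`), which is what named's own iterative resolution looks like on the wire. It assumes the sample lines below, copied from the answer, and that 192.168.200.1 was the deliberately unreachable forwarder in the second capture.

```python
import re
from dataclasses import dataclass

# Captures copied from the answer above (A/NS queries plus one reply each); hostnames
# are as tcpdump printed them. 192.168.200.1 is assumed to be the dead forwarder.
CAPTURE_FORWARDING_OK = """\
10:47:33.510150 IP ns1.example.com.60730 > resolver1.opendns.com.domain: 61783+% [1au] A? bol.com. (48)
10:47:33.510394 IP ns1.example.com.60390 > resolver1.opendns.com.domain: 9220+ [1au] NS? . (40)
10:47:33.534959 IP resolver1.opendns.com.domain > ns1.example.com.60730: 61783 1/0/1 A 185.14.169.113 (52)
"""
CAPTURE_FALLBACK = """\
10:42:45.732005 IP ns1.example.com.52230 > 192.168.200.1.domain: 64083+% [1au] A? hln.be. (47)
10:42:46.933559 IP ns1.example.com.37736 > 193.108.91.125.domain: 36207% [1au] A? hln.be. (47)
10:42:46.963452 IP 193.108.91.125.domain > ns1.example.com.37736: 36207*- 1/0/1 A 104.104.202.130 (51)
"""
# "<ts> IP <src>.<sport> > <dst>.<dport>: <id><flags> [<edns>] <QTYPE>? <qname> (<len>)";
# a "+" among <flags> means the query carried the recursion-desired (RD) bit.
LINE_RE = re.compile(
    r"^\S+ IP \S+\.\w+ > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"\d+(?P<flags>[^ ]*) (?:\[\w+\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)

@dataclass
class Query:
    dst: str
    qname: str
    qtype: str
    recursion_desired: bool

def parse_queries(capture: str) -> list[Query]:
    """Outbound queries (destination port 53); reply lines do not match LINE_RE."""
    queries = []
    for m in filter(None, map(LINE_RE.match, capture.splitlines())):
        if m["dport"] in ("domain", "53"):
            queries.append(Query(m["dst"], m["qname"], m["qtype"], "+" in m["flags"]))
    return queries

def escaped_queries(capture: str, forwarders: set[str]) -> list[Query]:
    """Queries named did not forward: sent to a non-forwarder or sent with RD clear.
    named forwards with RD set; an RD-clear query elsewhere is named resolving iteratively
    itself, which the default "forward first" does when the forwarders fail to answer
    and which "forward only;" in options {} prevents."""
    return [q for q in parse_queries(capture)
            if q.dst not in forwarders or not q.recursion_desired]

if __name__ == "__main__":
    for label, cap, fwd in (("working forwarder", CAPTURE_FORWARDING_OK, {"resolver1.opendns.com"}),
                            ("dead forwarder", CAPTURE_FALLBACK, {"192.168.200.1"})):
        for q in escaped_queries(cap, fwd):
            print(f"{label}: {q.qtype} {q.qname} bypassed the forwarders via {q.dst}")
```

Run it against a live capture with `tcpdump -n -l port 53` piped into `parse_queries` and the forwarder set from named.conf; any hit means the forwarders were not used for that lookup.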