
I'm trying to configure a DNS server on my virtual computer without an internet connection.

I'm using PowerDNS with BIND backend.

Here is my configuration of zone:

$ORIGIN example.com.
$TTL 86400
@   IN  SOA example2.com. hostmaster.example.com. (   ; MNAME RNAME (the RNAME field was missing; hostmaster.example.com. is a placeholder)
        2017020401   ; serial
        3600         ; refresh
        1800         ; retry
        604800       ; expire
        86400 )      ; minimum TTL
example.com.  172800  IN  NS  example1.com.
example.com.  172800  IN  NS  example2.com.
example.com.  172800  IN  NS  example3.com.

I'm testing the server with the dig command, which looks like this:

root@osboxes:~# dig example.com @127.0.0.1 -p 5301

; <<>> DiG 9.16.1-Ubuntu <<>> example.com @127.0.0.1 -p 5301
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13819
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com.           IN  A

;; AUTHORITY SECTION:
example.com.        3600    IN  SOA example2.com. 2017020401.example.com. 3600 1800 604800 86400 3600

;; Query time: 180 msec
;; SERVER: 127.0.0.1#5301(127.0.0.1)
;; WHEN: Wed Feb 03 16:45:50 EST 2021
;; MSG SIZE  rcvd: 96

I want the request to be delegated to the other servers, example1.com, example2.com and example3.com.

For that, I need to have my NS records in the AUTHORITY SECTION of the dig output. However, it's not happening; there is only the SOA record. I tried to remove the SOA record, but afterwards I have no record in the AUTHORITY SECTION at all. Can somebody help me solve this problem, please? What am I missing?

EDIT: adding configuration

recursor.conf

local-address=0.0.0.0
local-port=5301
allow-from=127.0.0.0/8, 10.0.0.0/8
forward-zones=example.com=127.0.0.1:5300

pdns.conf

launch=bind
bind-config=/etc/powerdns/named.conf
local-address=127.0.0.1
local-port=5300

named.conf

zone "example.com" IN {
        type slave;                           # type of zone
        file "/var/lib/powerdns/zone.net"; # location of forward zone file
        allow-query { any; };
};

/var/lib/powerdns/zone.net

$ORIGIN example.com.
$TTL 86400
@   IN  SOA example2.com. hostmaster.example.com. (   ; MNAME RNAME (the RNAME field was missing; hostmaster.example.com. is a placeholder)
        2017020401   ; serial
        3600         ; refresh
        1800         ; retry
        604800       ; expire
        86400 )      ; minimum TTL
example.com.  172800  IN  NS  example1.com.
example.com.  172800  IN  NS  example2.com.
example.com.  172800  IN  NS  example3.com.
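A zone-file sanity check, added here as an example (it is not code from the question, PowerDNS or BIND), that parses the subset of zone syntax used above and reports what a delegation setup usually trips over: an SOA whose RNAME (responsible-mailbox) field is missing has only six rdata fields, which is why the dig output shows `2017020401.example.com.` in the RNAME position; NS targets that lie outside example.com cannot be given glue in this zone; and NS records at the apex name the zone's own servers, so a referral is only ever produced for NS records at a sub-name. The zone texts inside the block are constructed copies; `sub.example.com`, `ns1.example.com` and the 10.0.0.x addresses are made up for the example.

```python
"""Sanity checks for a BIND-style zone file before PowerDNS loads it.

Added example (not code from the question, PowerDNS or BIND). It parses the
subset of zone-file syntax used in the question ($ORIGIN, $TTL, ';' comments,
parenthesised multi-line records) and reports common delegation mistakes.
"""

# Constructed copy of the posted zone with the SOA's RNAME field left out
# (the dig output in the question shows the serial parsed as the RNAME).
POSTED_ZONE = """\
$ORIGIN example.com.
$TTL 86400
@   IN  SOA example2.com. (
        2017020401   ; serial
        3600         ; refresh
        1800         ; retry
        604800       ; expire
        86400 )      ; minimum TTL
example.com.  172800  IN  NS  example1.com.
example.com.  172800  IN  NS  example2.com.
example.com.  172800  IN  NS  example3.com.
"""

# Constructed zone with a real delegation point (sub.example.com) and glue.
DELEGATING_ZONE = """\
$ORIGIN example.com.
$TTL 86400
@   IN  SOA ns1.example.com. hostmaster.example.com. (
        2017020402 3600 1800 604800 86400 )
@         IN  NS  ns1.example.com.
ns1       IN  A   10.0.0.2
sub       IN  NS  ns1.sub.example.com.
ns1.sub   IN  A   10.0.0.5
"""


def _logical_lines(text):
    """Yield one record per line, joining parenthesised continuations."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]                   # drop ';' comments
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            joined = " ".join(buf).rstrip()           # keep leading whitespace
            buf, depth = [], 0
            if joined.strip():
                yield joined


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, records); each record is a dict with owner/ttl/type/rdata."""
    origin, default_ttl, owner, records = None, None, None, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if not line[0].isspace():                     # a new owner starts the line
            owner = _fqdn(tokens.pop(0), origin)
        ttl = default_ttl
        for _ in range(2):                            # TTL and class in either order
            if not tokens:
                break
            if tokens[0].isdigit():
                ttl = int(tokens.pop(0))
            elif tokens[0].upper() in ("IN", "CH", "HS"):
                tokens.pop(0)
        records.append({"owner": owner, "ttl": ttl,
                        "type": tokens.pop(0).upper(), "rdata": tokens})
    return origin, records


def delegations(text):
    """Owner names of NS records below the apex: the only places a referral is produced."""
    origin, records = parse_zone(text)
    return sorted({r["owner"] for r in records if r["type"] == "NS" and r["owner"] != origin})


def check_zone(text):
    """Return human-readable findings; an empty list means the checks passed."""
    origin, records = parse_zone(text)
    findings = []
    soas = [r for r in records if r["type"] == "SOA" and r["owner"] == origin]
    if len(soas) != 1:
        findings.append("expected exactly one SOA at the apex")
    for soa in soas:
        if len(soa["rdata"]) != 7:
            findings.append(f"SOA has {len(soa['rdata'])} rdata fields, expected 7 "
                            "(MNAME RNAME serial refresh retry expire minimum)")
    ns_records = [r for r in records if r["type"] == "NS"]
    if not any(r["owner"] == origin for r in ns_records):
        findings.append("no NS record at the apex")
    has_address = {r["owner"] for r in records if r["type"] in ("A", "AAAA")}
    for r in ns_records:
        target = _fqdn(r["rdata"][0], origin)
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone and target not in has_address:
            findings.append(f"NS target {target} is inside {origin} but has no A/AAAA glue")
        elif not in_zone:
            findings.append(f"NS target {target} is outside {origin}; "
                            "resolvers must resolve it elsewhere (no glue possible here)")
    if not delegations(text):
        findings.append("all NS records sit at the apex: they name this zone's own servers, "
                        "so no query into this zone will receive a referral")
    return findings


if __name__ == "__main__":
    for name, zone in (("posted", POSTED_ZONE), ("delegating", DELEGATING_ZONE)):
        print(name, "->", check_zone(zone) or "OK")
```

Running the block prints five findings for the posted zone and `OK` for the constructed delegating zone; the check is cheap enough to run in a deploy pipeline before restarting pdns.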

1 Answer


EDIT

I'm assuming you're using BIND9. If you are, you need to set minimal-responses to no in your options section. Most likely that's in /etc/bind/named.conf.options, if it's not there, then check /etc/bind/named.conf.

I found this on readthedocs for BIND, scroll down a bit and you'll see minimal-responses highlighted.

END EDIT

The dig query you tried is for example.com type A, which is an IPv4 address. Your zone file doesn't have any A records for example.com, so one thing you could do is add one, for example:

example.com.  172800  IN  A  1.2.3.4

Then your dig query for example.com should return 1.2.3.4 in the answer section, and the NS records in the authority section (though that may depend on your DNS server's configuration).

If you add A (or AAAA) records for example1.com, example2.com, and example3.com and then do your dig command again, you'll probably get those A records in the additional section. (IIRC, that's known as "glue")

Just a little more background, the response you got from your dig query is often called a "No Data" response. That means there's a record for the name you looked up (example.com), but it's a different type (NS) than the one you asked for (A), so it returns a NOERROR rcode with no answer (there's no answer section). If you ask for a name that doesn't exist at all, you'll get the same thing (no answer section), but an NXDOMAIN rcode instead of NOERROR.

kimbo
  • Yes, after adding the line in the file it returns the answer 1.2.3.4 as expected. However, the NS records still aren't in the authority section, but that's the thing I need in my setup. I don't mind that I don't receive any answer, I just need to be delegated to the nameservers that are shown as IN NS records, that means I want them in the authority section – kamil1stcz2 Feb 05 '21 at 15:33
  • Okay just edited my answer, turns out you need `minimal-responses` set to `no` in your `options` clause (assuming you're using BIND) – kimbo Feb 05 '21 at 16:38
  • Tried, but didn't help unfortunately. I'm using PowerDNS with BIND backend. (Edited Question) – kamil1stcz2 Feb 06 '21 at 15:35
  • Okay in that case I think you're out of luck. I don't think PowerDNS includes the authority section, since authority records aren't necessary. See https://mailman.powerdns.com/pipermail/pdns-users/2009-June/006124.html and https://doc.powerdns.com/authoritative/appendices/FAQ.html#powerdns-does-not-give-authoritative-answers-how-come – kimbo Feb 06 '21 at 16:34
  • PowerDNS does not allow delegation to other nameservers? Is it better to use different software, or? – kamil1stcz2 Feb 07 '21 at 00:00
  • No it does, actually I know of someone that has several instances of BIND behind PDNS and they return the authority records. Did you restart BIND after changing the config? – kimbo Feb 07 '21 at 01:55
  • Yes, after every change being made, I restart both the recursor and the nameservers. I can post the rest of my setup, if it is needed. – kamil1stcz2 Feb 07 '21 at 10:29
  • Added the rest of the configuration to the main topic – kamil1stcz2 Feb 08 '21 at 09:30
  • You should have `options { minimal-responses no; };` somewhere in your named.conf – kimbo Feb 08 '21 at 21:05
  • Also, idk if this matters, but your NS records are not part of the parent zone `example.com`. If you wanted them to be in the same zone, they'd need to be `ns1.example.com`, `ns2.example.com`, and so on. Again, idk if that would affect anything, just something I noticed. – kimbo Feb 08 '21 at 21:07
  • Feel free to mark the above as the accepted answer and/or upvote it if you feel it was useful. – kimbo Jul 22 '21 at 02:47
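To make the three response shapes named in this answer concrete, here is an added example (not code from the thread, PowerDNS or BIND) that builds them as DNS wire-format messages and classifies them from the rcode and section contents: a referral carries NS records in AUTHORITY and their in-zone glue in ADDITIONAL, a "No Data" reply is NOERROR with an SOA in AUTHORITY and nothing in ANSWER, and NXDOMAIN differs only in the rcode. All names, addresses, TTLs and the message id are constructed, and name compression is not implemented.

```python
"""Minimal DNS wire-format builder/decoder for the three response shapes
discussed above: referral (NS in AUTHORITY, glue in ADDITIONAL), "No Data"
(NOERROR, SOA in AUTHORITY) and NXDOMAIN.

Added example, not code from the thread, PowerDNS or BIND. Names, addresses
and TTLs are constructed; no name compression is used, so decode_name()
handles uncompressed names only.
"""
import struct

TYPE_A, TYPE_NS, TYPE_SOA = 1, 2, 6
CLASS_IN = 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
FLAG_QR, FLAG_AA, FLAG_RD = 0x8000, 0x0400, 0x0100


def encode_name(name):
    """'ns1.example.com.' -> b'\\x03ns1\\x07example\\x03com\\x00' (RFC 1035 labels)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split(".") if label)
    return out + b"\x00"


def encode_rr(owner, rtype, ttl, rdata):
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def a_rdata(ip):
    return bytes(int(octet) for octet in ip.split("."))


def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    return (encode_name(mname) + encode_name(rname)
            + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))


def build_response(qname, qtype, rcode, aa, answer=(), authority=(), additional=()):
    """Header + question + the three RR sections; QR and RD set, AA optional."""
    flags = FLAG_QR | FLAG_RD | (FLAG_AA if aa else 0) | rcode
    header = struct.pack("!HHHHHH", 0x1234, flags, 1,
                         len(answer), len(authority), len(additional))
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + b"".join(answer) + b"".join(authority) + b"".join(additional)


def decode_name(buf, pos):
    labels = []
    while True:
        n = buf[pos]
        pos += 1
        if n == 0:
            return ".".join(labels) + ".", pos
        if n & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n


def decode_response(buf):
    """Return rcode, AA flag and (owner, type) pairs per section; rdata is skipped."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    pos = 12
    for _ in range(qd):
        _, pos = decode_name(buf, pos)
        pos += 4                                      # QTYPE + QCLASS
    msg = {"rcode": flags & 0xF, "aa": bool(flags & FLAG_AA)}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            owner, pos = decode_name(buf, pos)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", buf[pos:pos + 10])
            pos += 10 + rdlen
            rrs.append((owner, rtype))
        msg[section] = rrs
    return msg


def classify(buf):
    """Name the response shape from rcode and section contents, not from ANSWER count alone."""
    msg = decode_response(buf)
    authority_types = {rtype for _, rtype in msg["authority"]}
    if msg["rcode"] == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if msg["answer"]:
        return "ANSWER"
    if TYPE_SOA in authority_types:
        return "NODATA"
    if TYPE_NS in authority_types:
        return "REFERRAL"
    return "EMPTY"


# Constructed apex SOA used by the NODATA and NXDOMAIN examples.
APEX_SOA = encode_rr("example.com.", TYPE_SOA, 3600,
                     soa_rdata("example2.com.", "hostmaster.example.com.",
                               2017020401, 3600, 1800, 604800, 86400))


def referral_example():
    """Delegation of sub.example.com: NS in AUTHORITY, its in-zone glue in ADDITIONAL."""
    return build_response(
        "www.sub.example.com.", TYPE_A, RCODE_NOERROR, aa=False,
        authority=[encode_rr("sub.example.com.", TYPE_NS, 172800,
                             encode_name("ns1.sub.example.com."))],
        additional=[encode_rr("ns1.sub.example.com.", TYPE_A, 172800, a_rdata("10.0.0.5"))])


def nodata_example():
    """The shape of the dig output in the question: NOERROR, no answer, SOA in AUTHORITY."""
    return build_response("example.com.", TYPE_A, RCODE_NOERROR, aa=True, authority=[APEX_SOA])


def nxdomain_example():
    return build_response("nope.example.com.", TYPE_A, RCODE_NXDOMAIN, aa=True, authority=[APEX_SOA])
```

The `classify()` function is the part worth reusing: a monitoring check or resolver test that only looks at `ANSWER: 0` cannot tell a working delegation from the No Data reply shown in the question, whereas keying on the rcode plus the record types in AUTHORITY does.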