I think my dns server isn't working correctly.



I'm working on setting up a home lab to try and replicate parts of our network at home to practice things I use on a daily basis in the office. One of these things is heavy use of bind as an internal DNS server in our datacenter. I've set up bind in a debian 8 vm, and think I have everything working correctly, but I'm not entirely sure.

 

Bind Server: dns-p1 (192.168.1.3)

 

The problem I am having is threefold... first, in /var/log/syslog, I see the following:

Jul 31 22:42:52 dns-p1 named[446]: error (unexpected RCODE REFUSED) resolving './NS/IN': 192.203.230.10#53
Jul 31 22:42:52 dns-p1 named[446]: error (unexpected RCODE REFUSED) resolving './NS/IN': 199.7.91.13#53
Jul 31 22:42:52 dns-p1 named[446]: error (unexpected RCODE REFUSED) resolving './NS/IN': 198.41.0.4#53
Jul 31 22:42:53 dns-p1 named[446]: error (unexpected RCODE REFUSED) resolving './NS/IN': 199.7.83.42#53
Jul 31 22:42:53 dns-p1 named[446]: error (unexpected RCODE REFUSED) resolving './NS/IN': 192.36.148.17#53
Jul 31 22:42:53 dns-p1 named[446]: error (unexpected RCODE REFUSED) resolving './NS/IN': 128.63.2.53#53
Jul 31 22:42:53 dns-p1 named[446]: error (unexpected RCODE REFUSED) resolving './NS/IN': 192.228.79.201#53
Jul 31 22:42:53 dns-p1 named[446]: error (unexpected RCODE REFUSED) resolving './NS/IN': 202.12.27.33#53
Jul 31 22:42:53 dns-p1 named[446]: error (unexpected RCODE REFUSED) resolving './NS/IN': 192.112.36.4#53
Jul 31 22:42:54 dns-p1 named[446]: error (unexpected RCODE REFUSED) resolving './NS/IN': 192.33.4.12#53
Jul 31 22:42:54 dns-p1 named[446]: error (unexpected RCODE REFUSED) resolving './NS/IN': 192.58.128.30#53

 

Second, the way I believe this to work is: the first time a site is queried, it's checked against the dns server's cache. If it doesn't exist there, then by way of forwarders it's queried up the chain until a result is found. This result is cached so subsequent queries return from the cache. This appears to both work, and not work.

First, if I query from the dns server itself, say to homedepot.com:

root@dns-p1:~# dig homedepot.com

; <<>> DiG 9.9.5-9+deb8u2-Debian <<>> homedepot.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63704
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;homedepot.com.                 IN      A

;; ANSWER SECTION:
homedepot.com.          469     IN      A       207.11.34.219

;; AUTHORITY SECTION:
.                       36702   IN      NS      f.root-servers.net.
.                       36702   IN      NS      c.root-servers.net.
.                       36702   IN      NS      e.root-servers.net.
.                       36702   IN      NS      h.root-servers.net.
.                       36702   IN      NS      l.root-servers.net.
.                       36702   IN      NS      g.root-servers.net.
.                       36702   IN      NS      k.root-servers.net.
.                       36702   IN      NS      m.root-servers.net.
.                       36702   IN      NS      d.root-servers.net.
.                       36702   IN      NS      j.root-servers.net.
.                       36702   IN      NS      i.root-servers.net.
.                       36702   IN      NS      b.root-servers.net.
.                       36702   IN      NS      a.root-servers.net.

;; Query time: 178 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: Fri Jul 31 22:47:40 PDT 2015
;; MSG SIZE  rcvd: 269

178ms.  If I run the query again (abbreviated):

;; Query time: 4 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: Fri Jul 31 22:48:28 PDT 2015
;; MSG SIZE  rcvd: 269

4ms... this seems to imply dns is working correctly. However, if I go and browse to a new site, say lowes.com, on my desktop, which has this bind server set as its only dns, when I run dig again:

;; Query time: 41 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: Fri Jul 31 22

If I immediately dig it again:

;; Query time: 4 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: Fri Jul 31 22:51:55 PDT 2015
;; MSG SIZE  rcvd: 265

This tells me then that it may not be working correctly. However, this leads to the third issue: when I dump the dns cache, the db is empty:

root@dns-p1:/var/cache/bind# rndc dumpdb --cache
root@dns-p1:/var/cache/bind# ls -la
total 16
drwxrwxr-x 2 root bind 4096 Jul 31 23:18 .
drwxr-xr-x 8 root root 4096 Jul 31 20:55 ..
-rw-r--r-- 1 bind bind  720 Jul 31 18:22 managed-keys.bind
-rw-r--r-- 1 bind bind   16 Jul 31 23:25 named_dump.db

 

Below are my config files

named.conf.options:

acl goodclients {
    192.168.1.0/24;
    localhost;
    localnets;
};
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
        listen-on { any; };
        #allow-transfer { 192.168.1.0/24; };
        allow-recursion { 192.168.1.0/24; };
        allow-query-cache { 192.168.1.0/24; };
        #additional-from-cache no;
        allow-query { goodclients; };

        forwarders {
                8.8.8.8;
                208.67.222.222;
        };
};

rev.myhouse.local (reverse config)

; BIND reverse data file for myhouse.local
;
$TTL    604800
@       IN      SOA     dns-p1.myhouse.local. root.myhouse.local. (
4         ; Serial
604800         ; Refresh
86400         ; Retry
2419200         ; Expire
604800 )       ; Negative Cache TTL
;
@      IN      NS      dns-p1.
@      IN      A       192.168.1.3
6      IN      PTR       ilo-r510.myhouse.local.
8      IN      PTR       R510-OMV-MEDIA.myhouse.local.
162    IN      PTR       gitlab-p1.myhouse.local.
179    IN      PTR       graphana.myhouse.local.
203    IN      PTR       debian-dev.myhouse.local.
221    IN      PTR       racksw1.myhouse.local.

db.myhouse.local (forward):

$ORIGIN .
$TTL 604800     ; 1 week
myhouse.local           IN SOA  dns-p1.myhouse.local. root.myhouse.local. (
                                103        ; serial
                                604800     ; refresh (1 week)
                                86400      ; retry (1 day)
                                2419200    ; expire (4 weeks)
                                604800     ; minimum (1 week)
                                )
                        NS      dns-p1.myhouse.local.
                        A       192.168.1.3
                        AAAA    ::1
$ORIGIN myhouse.local.
$TTL 3600       ; 1 hour
02AA01AC31140200        A       192.168.1.230
                        TXT     "310ff671c9164f3105a2e00ba6e3f24444"
android-b8562fe3d4dad232 A      192.168.1.223
$TTL 300        ; 5 minutes
                        TXT     "312eb355d65243a51a1d1e6f74f3b93791"
$TTL 3600       ; 1 hour
debian-dev              A       192.168.1.203
$TTL 300        ; 5 minutes
                        TXT     "0029c2713fb9b7d69cafee45476ce1f3e8"
$TTL 604800     ; 1 week
dns-p1                  A       192.168.1.3
$TTL 3600       ; 1 hour
gitlab-p1               A       192.168.1.162
$TTL 300        ; 5 minutes
                        TXT     "3139517f11fa288e41dbb50c6c9940e6e5"
$TTL 3600       ; 1 hour
graphana                A       192.168.1.179
$TTL 300        ; 5 minutes
                        TXT     "0014b5c8a52545c823ab8ec58c9c2f5cae"
Nikon                   A       192.168.1.195
                        TXT     "31ad51ac6096094e41580b4d6c27b65458"
$TTL 3600       ; 1 hour
racksw1                 A       192.168.1.221
$TTL 300        ; 5 minutes
                        TXT     "31e9e0b214414c7e8dd7002ff4aa9df77c"
vimeotest               A       192.168.1.219
                        TXT     "004b5bf6485a024621312acee59022fe7d"

 

named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

key "rndc-key" {
    algorithm hmac-md5;
    secret "DQhhmE5/evTfPYyNfyFunA==";
};

zone "myhouse.local" {
        type master;
        notify yes;
        file "/etc/bind/db.myhouse.local";
        allow-update { key rndc-key; };
        allow-query { 192.168.1.0/24; };
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/rev.myhouse.local";
        allow-update { key rndc-key; };
        allow-query { 192.168.1.0/24; };
};

 


One thing I forgot to mention is that if I do a rndc dumpdb -all, I do get a file back:

root@dns-p1:/var/cache/bind# rndc dumpdb -all
root@dns-p1:/var/cache/bind# ls -lart
total 104
-rw-r--r-- 1 bind bind   720 Jul 31 18:22 managed-keys.bind
drwxr-xr-x 8 root root  4096 Jul 31 20:55 ..
drwxrwxr-x 2 root bind  4096 Jul 31 23:18 .
-rw-r--r-- 1 bind bind 90453 Jul 31 23:43 named_dump.db

Which doesn't make sense... does this mean the cache is empty, but the dns isn't?


So those errors are telling you those servers sent back a REFUSED.. Checking that first one - that is a root server.. And so are the next few

;; ANSWER SECTION:
10.230.203.192.in-addr.arpa. 14400 IN   PTR     e.root-servers.net. 

 

Why are you going to roots if you're wanting to set up a caching forwarder?  This is troubleshooting info that was really increased back in like 9.3 something; you can suppress them with something like category lame-servers {null;};  But curious why you're going to roots?

 

I see in your conf

forwarders {
                8.8.8.8;
                208.67.222.222;
        };
};

 

So why are you talking to roots?  I'm still on my first cup of coffee so will have to look through your confs..  But looks like you got all the info there to make for a good post..  Give me a few minutes to get some coffee in me ;)

 

What is odd about your homedepot query, and maybe points to your problem with the RCODE errors with the root servers, is why you are getting back the root servers in your authority section.

 

C:\>dig homedepot.com

; <<>> DiG 9.10.2-P3 <<>> homedepot.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55657
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;homedepot.com.                 IN      A

;; ANSWER SECTION:
homedepot.com.          3600    IN      A       207.11.34.219

;; AUTHORITY SECTION:
homedepot.com.          3600    IN      NS      nsb.homedepot.com.
homedepot.com.          3600    IN      NS      nsc.homedepot.com.
homedepot.com.          3600    IN      NS      nsa.homedepot.com.

;; ADDITIONAL SECTION:
nsa.homedepot.com.      3600    IN      A       207.11.20.200
nsb.homedepot.com.      3600    IN      A       207.11.38.4
nsc.homedepot.com.      3600    IN      A       207.11.38.5

;; Query time: 143 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Sat Aug 01 05:42:44 Central Daylight Time 2015
;; MSG SIZE  rcvd: 160

 

You notice you get back the NS for homedepot.com..  Not the root servers...  Also, using bind in forwarder mode your first-time queries should really not be very long when you're asking for common domains, since your forwarders like google and open should already have those cached..  I think maybe your forwarder section is not working and you're doing queries to roots directly as a resolver, not a forwarder.  I am currently using unbound vs bind as my resolver..  But I can fire up bind quick enough to test out your configs.

Also for local, 4ms seems pretty long - are you wireless or something?  When I query something that is cached it is normally 1 ms response time

 

;; Query time: 1 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Sat Aug 01 05:50:56 Central Daylight Time 2015
;; MSG SIZE  rcvd: 160

 

BTW what version of bind are you running?  Did you run a named-checkconf?  I would assume it comes back ok since normally it won't start if something is messed up, but I don't really think you're doing forwarding, more that it's doing resolving.  You should never really talk to roots in forwarder mode.

 

I am guessing you didn't remove

zone "." IN {
  type hint;
  file "named.ca";
};

 

From the named.conf?  You're only showing your named.conf.options file, or maybe in your default.zones you have

 

zone "." {
        type hint;
        file "/etc/bind/db.root";
};

Which I think is default?

 

Oh I know why you're talking to roots, I don't see

 

forward only;

 

In your options..  So stuff that doesn't get an answer from forwarders, you're going to ask roots.  You want to put that in and that should get rid of your RCODE errors.

 

Also, where is it you set recursion?

 

recursion yes;

 

I see where you allow it from your netblock but don't see that you turned it on exactly?

 

Edit:  Ok just set this up on my ubuntu box real quick.. Didn't set up any local zones as of yet.. The only thing I edited was named.conf.options

 

acl goodclients {
192.168.0.0/16;
localhost;
localnets;
};
options {
        directory "/var/cache/bind";
        recursion yes;
        allow-query { goodclients; };
        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
        forward only;
        dnssec-enable yes;
        dnssec-validation yes;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

I do a query to home depot,

C:\>dig @ubuntu.local.lan homedepot.com

; <<>> DiG 9.10.2-P3 <<>> @ubuntu.local.lan homedepot.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47865
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;homedepot.com.                 IN      A

;; ANSWER SECTION:
homedepot.com.          817     IN      A       207.11.34.219

;; Query time: 37 msec
;; SERVER: 192.168.9.7#53(192.168.9.7)
;; WHEN: Sat Aug 01 06:42:24 Central Daylight Time 2015
;; MSG SIZE  rcvd: 58

C:\>dig @ubuntu.local.lan homedepot.com

<snipped>

;; Query time: 1 msec
;; SERVER: 192.168.9.7#53(192.168.9.7)
;; WHEN: Sat Aug 01 06:42:33 Central Daylight Time 2015
;; MSG SIZE  rcvd: 58

C:\>

And then if I look in my cache after rndc dumpdb

 

root@ubuntu:/var/cache/bind# cat named_dump.db
;
; Start view _default
;
;
; Cache dump of view '_default' (cache _default)
;
$DATE 20150801114442
; answer
homedepot.com.          679     IN A    207.11.34.219
;
; Address database dump
;
;
; Unassociated entries
;
;       8.8.4.4 [srtt 24] [flags 00000000] [ttl 1662]
;       8.8.8.8 [srtt 10567] [flags 00002000] [ttl 1662]
;
; Bad cache
;
;
; Start view _bind
;
;
; Cache dump of view '_bind' (cache _bind)
;
$DATE 20150801114442
;
; Address database dump
;
;
; Unassociated entries
;
;
; Bad cache
;
; Dump complete
root@ubuntu:/var/cache/bind#

Edited by BudMan
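Added diagnostic helpers (not from either poster) that turn BudMan's two points into checks a defender can run on their own resolver: whether a dig answer carries the root servers in its AUTHORITY section (the sign that named resolved iteratively instead of using the forwarders), and whether named.conf.options is missing `forward only;` or `recursion yes;`. The sample dig output and options file are constructed to mirror the OP's; the function names are my own.

```shell
#!/bin/sh
# Constructed diagnostic helpers for a BIND caching forwarder (added example).

# Count root-server NS records in the AUTHORITY section of dig output on stdin.
# 0 means the answer came via the forwarders; >0 means named walked the roots.
root_ns_in_authority() {
    awk '
        /^;; AUTHORITY SECTION:/ { in_auth = 1; next }
        /^;; / && in_auth         { in_auth = 0 }
        in_auth && $1 == "." && $4 == "NS" && $5 ~ /root-servers\.net\.$/ { n++ }
        END { print n + 0 }
    '
}

# Print which of "forward only;" / "recursion yes;" are absent from a
# named.conf.options file (comments starting with // or # are ignored);
# prints nothing when both are present.
missing_forwarder_options() {
    conf="$1"; missing=""
    sed -e 's#//.*##' -e 's/#.*//' "$conf" \
        | grep -Eq '^[[:space:]]*forward[[:space:]]+only[[:space:]]*;' \
        || missing="$missing forward-only"
    sed -e 's#//.*##' -e 's/#.*//' "$conf" \
        | grep -Eq '^[[:space:]]*recursion[[:space:]]+yes[[:space:]]*;' \
        || missing="$missing recursion-yes"
    echo "${missing# }"
}

# Constructed sample: the shape of the OP's first homedepot.com answer (abridged).
SAMPLE_DIG=';; ANSWER SECTION:
homedepot.com.          469     IN      A       207.11.34.219

;; AUTHORITY SECTION:
.                       36702   IN      NS      f.root-servers.net.
.                       36702   IN      NS      c.root-servers.net.

;; Query time: 178 msec'

# Constructed options file with the OP's gaps: forward only is commented
# out, and only allow-recursion (not recursion yes) is set.
SAMPLE_CONF=$(mktemp)
printf 'options {\n  // forward only;\n  allow-recursion { 192.168.1.0/24; };\n  forwarders { 8.8.8.8; };\n};\n' > "$SAMPLE_CONF"

echo "root NS records in AUTHORITY: $(printf '%s\n' "$SAMPLE_DIG" | root_ns_in_authority)"
echo "missing options: $(missing_forwarder_options "$SAMPLE_CONF")"
```

Against a live server the same checks are `dig @192.168.1.3 homedepot.com | root_ns_in_authority` and `missing_forwarder_options /etc/bind/named.conf.options`.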