On 18 Jul 2020, at 05:18, Weeltin <weeltinl@gmail.com> wrote:
Hello all,
I'm trying to implement a DNS structure, containing a recursive and authoritative server, but in doing so, I have run into a small problem. I can make DNS queries from a client toward the net, but when I try to do the same toward my internal domain, I get no result. I have spent days trying to figure out what is going on, but to no avail. I therefore hope that someone on this list can point me in the right direction or outright tell me what is wrong.
/Weeltin.
-----DIG troubleshoots
[weeltin@c1 ~]$ cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.14.10
[weeltin@c1 ~]$ dig google.com
; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48932
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c1bc4a11c40bd755905c8c705f11f5ffe699cc0116ed8ba5 (good)
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 216.58.211.142
;; Query time: 179 msec
;; SERVER: 192.168.14.10#53(192.168.14.10)
;; WHEN: Fri Jul 17 15:03:27 EDT 2020
;; MSG SIZE rcvd: 83
[weeltin@c1 ~]$ dig c1.example.home
; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> c1.example.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62602
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: cf8876e3b35138f47040188e5f11f64a91445aa4f8310f5a (good)
;; QUESTION SECTION:
;c1.example.home. IN A
;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020071701 1800 900 604800 86400
;; Query time: 263 msec
;; SERVER: 192.168.14.10#53(192.168.14.10)
;; WHEN: Fri Jul 17 15:04:42 EDT 2020
;; MSG SIZE rcvd: 147
[weeltin@c1 ~]$ dig @192.168.14.20 c1.example.home
; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> @192.168.14.20 c1.example.home
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20704
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 747289c94876cf349034aec35f11f794a29c6747bb6a694f (good)
;; QUESTION SECTION:
;c1.example.home. IN A
;; ANSWER SECTION:
c1.example.home. 604800 IN A 192.168.14.1
;; Query time: 0 msec
;; SERVER: 192.168.14.20#53(192.168.14.20)
;; WHEN: Fri Jul 17 15:10:12 EDT 2020
;; MSG SIZE rcvd: 88
----- information and configurations -----
OS: Alpine 3.12
Bind: bind 9.14.12
Ns1: 192.168.14.10 (recursive)
Ns2: 192.168.14.20 (authoritative)
C1: 192.168.14.1 (client)
--- recursive config (NS1)
// recursive named.conf
//
acl trusted {
192.168.14.0/24;
localhost;
};
acl rfc1918 {
10.0.0.0/8;
172.16.0.0/12;
!192.168.14.0/24;
192.168.0.0/16;
};
acl rfc5735 {
0.0.0.0/8;
169.254.0.0/16;
192.0.0.0/24;
192.0.2.0/24;
192.88.99.0/24;
198.18.0.0/15;
198.51.100.0/24;
203.0.113.0/24;
224.0.0.0/4;
};
options {
directory "/var/bind";
listen-on {
127.0.0.1;
192.168.14.10;
};
listen-on-v6 {
none;
};
allow-query {
trusted;
};
//query-source address * port 53;
allow-query-cache {
trusted;
};
blackhole {
rfc1918;
rfc5735;
};
allow-transfer {
none;
};
pid-file "/var/run/named/named.pid";
// Changing this is NOT RECOMMENDED; see the notes above and in
// named.conf.recursive.
allow-recursion {
trusted;
};
recursion yes;
};
zone "." IN {
type hint;
file "root.cache";
};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
allow-update { none; };
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
allow-update { none; };
notify no;
};
zone "example.home" {
type forward;
forwarders { 192.168.14.20; };
};
--- authoritative config (NS2)
// authoritative named.conf
//
acl trusted {
192.168.14.0/24;
localhost;
};
acl rfc1918 {
10.0.0.0/8;
172.16.0.0/12;
!192.168.14.0/24;
192.168.0.0/16;
};
acl rfc5735 {
0.0.0.0/8;
169.254.0.0/16;
192.0.0.0/24;
192.0.2.0/24;
192.88.99.0/24;
198.18.0.0/15;
198.51.100.0/24;
203.0.113.0/24;
224.0.0.0/4;
};
options {
directory "/var/bind";
// Configure the IPs to listen on here.
listen-on {
127.0.0.1;
192.168.14.20;
};
listen-on-v6 {
none;
};
allow-query {
trusted;
};
//query-source address * port 53;
allow-query-cache {
trusted;
};
blackhole {
rfc5735;
rfc1918;
};
allow-transfer {
none;
};
// Cryptographic authentication of DNS information
// ENABLE LATER
//dnssec-enable yes;
//dnssec-validation yes;
pid-file "/var/run/named/named.pid";
// Changing this is NOT RECOMMENDED for a authoritative nameserver
allow-recursion { none; };
recursion no;
};
zone "example.home" {
type master;
file "/etc/bind/db.example.home.zone";
};
zone "14.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.14.168.192.zone";
};
; ZONE file for example.home.
;
$TTL 604800
@ IN SOA ns2.example.home. hostmaster.example.home. (
2 ; Serial
604800 ; Refresh 1week
86400 ; Retry
2419200 ; Expire 28days
604800 ; Negative Cache TTL
)
;; name servers (NS)
;; only authoritative servers
@ IN NS ns2.example.home.
ns2 IN A 192.168.14.20
;; hosts (A)
ns1 IN A 192.168.14.10
c1 IN A 192.168.14.1
;; alias (CNAME)
client IN CNAME c1
; ZONE file for 14.168.192.in-addr.arpa.
;
$TTL 604800
@ IN SOA ns2.example.home. hostmaster.example.home. (
1 ; Serial
604800 ; Refresh 1week
86400 ; Retry
2419200 ; Expire 28days
604800 ; Negative Cache TTL
)
;; name servers (NS)
;; only authoritative servers
@ IN NS ns2.example.home.
20 IN PTR ns2.example.home.
;; pointer records (PTR)
1 IN PTR c1.example.home.
10 IN PTR ns1.example.home.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
When querying your internal domain, I see the query actually ends with "recursion requested but not available", it looks like you are querying directly against your auth server, so I would check the setting to ensure the zone file is actually loaded correctly.
What Mark answered is assuming you are querying the recursive which then returned SERVFAIL due to DNSSEC validation, but I do not see that in the information you provided.
Can you run dig on the auth server itself, dig @127.0.0.1 for example.home, and see what it returns?
From what you posted, it appears when you query the recursive server NS1 (192.168.14.10), it returns no error, it gives back NXDOMAIN with the AD flag. That would indicate DNSSEC worked. That does not match the log
Hi Josh,
Thanks for your answer, it made me go through all the config again, just to make sure that it wasn't pointing to the authoritative server anywhere but in the configuration of the recursive server.
I saw that "recursion requested but not available" when I send the query against the authoritative. Kind of expected that, since it ain't allowed to do recursion.
As requested, I ran dig on the authoritative server and I get the correct answer, so I expect it has loaded the zone files correctly.
ns2:/home/weeltin# dig @127.0.0.01 example.home
; <<>> DiG 9.14.12 <<>> @127.0.0.01 example.home
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45487
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b9129ece5d9fbc3e6f01a2215f15a461388d4af048be37fa (good)
;; QUESTION SECTION:
;example.home. IN A
;; AUTHORITY SECTION:
example.home. 604800 IN SOA ns2.example.home. hostmaster.example.home. 2 604800 86400 2419200 604800
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jul 20 14:04:17 UTC 2020
;; MSG SIZE rcvd: 120
Just to be sure, I ran the dig command again on my client:
[weeltin@c1 ~]$ dig c1.example.home
; <<>> DiG 9.11.11-RedHat-9.11.11-1.fc31 <<>> c1.example.home
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1787
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 862cc48a975a32a324cd14e65f15ba5e3f2c972d1f753586 (good)
;; QUESTION SECTION:
;c1.example.home. IN A
;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020072000 1800 900 604800 86400
;; Query time: 1043 msec
;; SERVER: 192.168.14.10#53(192.168.14.10)
;; WHEN: Mon Jul 20 11:38:06 EDT 2020
;; MSG SIZE rcvd: 147
Log output from NS1 (recursive)
<truncate>
Jul 20 15:38:05 ns1 daemon.info named[4022]: validating
example.home/SOA: got insecure response; parent indicates it should be
secure
Jul 20 15:38:05 ns1 daemon.info named[4022]: no valid RRSIG resolving 'c1.example.home/DS/IN': 192.168.14.20#53
Jul 20 15:38:06 ns1 daemon.info named[4022]: insecurity proof failed resolving 'c1.example.home/A/IN': 192.168.14.20#53
</truncate>
and there are no log entries on the authoritative server.
/Weeltin
On Sun, Jul 19, 2020 at 6:05 AM Josh Kuo <josh.kuo@gmail.com> wrote:
> When querying your internal domain, I see the query actually ends with "recursion requested but not available", it looks like you are querying directly against your auth server, so I would check the setting to ensure the zone file is actually loaded correctly.
> What Mark answered is assuming you are querying the recursive which then returned SERVFAIL due to DNSSEC validation, but I do not see that in the information you provided.
> Can you run dig on the auth server itself, dig @127.0.0.1 for example.home, and see what it returns?
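The validator lines in the NS1 log above ("got insecure response; parent indicates it should be secure", "insecurity proof failed resolving 'c1.example.home/A/IN'") place the fault on the recursive side, not on NS2: BIND 9.14 validates DNSSEC by default (dnssec-validation auto), and example.home is a private, unsigned zone reached through a forward zone, so the validator has no signed delegation chain it could follow from the root down to it. The client's answer (NXDOMAIN, the root SOA in the authority section, ad flag set) is consistent with the resolver returning the root's signed proof that "home" does not exist once it cannot prove example.home is legitimately insecure. The following is an added example, not configuration from the thread, of how the NS1 named.conf could exempt just that zone from validation while keeping validation for everything else. It assumes BIND 9.13 or later (where validate-except is available) and reuses the addresses, ACL and zone names posted above; the commented reverse-zone lines are an assumption that reverse lookups for 192.168.14.0/24 should also be answered by NS2, which serves 14.168.192.in-addr.arpa in the posted authoritative config.

```conf
// Added example (not from the thread): recursive named.conf for NS1 with the
// private zone excluded from DNSSEC validation. Assumes BIND >= 9.13, where
// the validate-except option exists. Addresses and names are those posted above.
acl trusted {
    192.168.14.0/24;
    localhost;
};

options {
    directory "/var/bind";
    listen-on { 127.0.0.1; 192.168.14.10; };
    listen-on-v6 { none; };
    allow-query { trusted; };
    allow-query-cache { trusted; };
    allow-recursion { trusted; };
    allow-transfer { none; };
    recursion yes;

    // Keep validating the public namespace. "auto" is the default and uses
    // the root trust anchor built into BIND.
    dnssec-validation auto;

    // example.home is unsigned and has no delegation from the root, so the
    // validator can never build a chain of trust for it. Exempt this name
    // (and everything below it) rather than switching validation off globally
    // with "dnssec-validation no;".
    validate-except { "example.home"; };

    // Assumption: if reverse lookups should also be answered by NS2, add the
    // reverse zone here as well:
    // validate-except { "example.home"; "14.168.192.in-addr.arpa"; };
};

zone "." IN {
    type hint;
    file "root.cache";
};

zone "example.home" {
    type forward;
    forward only;                   // never fall back to iterative resolution via the root for this name
    forwarders { 192.168.14.20; };
};

// Assumption: matching forward zone for the reverse range (see note above).
// zone "14.168.192.in-addr.arpa" {
//     type forward;
//     forward only;
//     forwarders { 192.168.14.20; };
// };
```

Before changing the configuration, the diagnosis can be confirmed from the client with checking disabled: `dig +cd @192.168.14.10 c1.example.home`. The CD bit tells the resolver to skip validation for that query; if it returns NOERROR with 192.168.14.1 while the plain query still returns NXDOMAIN, validation is the only thing in the way. `rndc nta example.home` on NS1 installs a temporary negative trust anchor with the same effect and is useful for verifying the fix without a reload, but it expires, so the validate-except entry is the durable setting.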