Bind DNS server respond timeout

Tags: bind, centos7, domain-name-system, port

I've set up a BIND DNS server on centos 7. I've created the master zone record, it is the following:

$ttl 38400
loool.ro.      IN  SOA  ns1.loool.ro. owner.yahoo.com. (
                        1421842090
                        10800
                        3600
                        604800
                        38400 )
loool.ro.      IN  NS   loool.ro.
loool.ro.      IN  A    86.34.156.51
loool.ro.      IN  MX   10 loool.ro.
loool.ro.      IN  NS   ns1.loool.ro.
ns1.loool.ro.  IN  A    86.34.156.51

86.34.156.51 is a public IP address through which I can access the server. Port 53 is open (checked with a free online port checker). named.service is listening on port 53. The domain name is registered, and so is ns1. But when I check with a DNS lookup tool, the answer from ns1.loool.ro doesn't come; it times out after 3 sec.

The BIND server config file is the following:

options {
    listen-on port 53 { any; };
    #listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-transfer { none; };
    // recursion yes together with allow-query { any; } makes this an open
    // recursive resolver for anyone who can reach port 53
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    also-notify { };
    allow-query { any; };
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "loool.ro" {
    type master;
    file "/var/named/loool.ro.hosts";
};

If I check with dig from localhost, the answer comes and is correct, but from another host it doesn't come. If I set allow-query from any to localhost, the messages log file logs the denied queries and IP addresses, so the queries do arrive.

On named.service start, the messages log shows the following:

Jan 21 14:31:35 servera named[38627]: using default UDP/IPv4 port range: [1024, 65535]
Jan 21 14:31:35 servera named[38627]: using default UDP/IPv6 port range: [1024, 65535]
Jan 21 14:31:35 servera named[38627]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 21 14:31:35 servera named[38627]: listening on IPv4 interface em1, 10.10.10.100#53
Jan 21 14:31:35 servera named[38627]: listening on IPv4 interface em1, 86.34.156.51#53

With allow-query=localhost it shows the following:

Jan 21 14:30:55 servera named[38403]: client 109.99.188.88#54374 (loool.ro): query 'loool.ro/A/IN' denied
Jan 21 14:31:08 servera named[38403]: client 74.125.17.211#53668 (loool.ro): query 'loool.ro/AAAA/IN' denied

What is the problem? If allow-query is any, there isn't any error in the messages log. Is this a network config issue, or is the problem with Linux (port or SELinux) or the BIND server (misconfig)? Does BIND drop the queries?

Dig:

loool.ro. 0 IN NS ns1.loool.ro.
;; Received 71 bytes from 192.162.16.20#53(sec-dns-a.rotld.ro) in 88 ms

loool.ro. 38400 IN A 86.34.156.51
loool.ro. 38400 IN NS ns1.loool.ro.
loool.ro. 38400 IN NS loool.ro.

;; Received 101 bytes from 10.10.10.100#53(ns1.loool.ro) in 1 ms

As Andrew B suggested, I've captured the packets on the localhost (where the DNS server is located). Here is the result; I hope somebody knows what the problem is or what's wrong here:

$ tcpdump -i em1 -vvv -s 0 -l -n port 53
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
 82.79.24.76.14761 > 10.10.10.100.domain: [udp sum ok] 3532 [1au] A? loool.ro. ar: . OPT UDPsize=4096 OK (37)
22:50:49.723204 IP (tos 0x0, ttl 64, id 63258, offset 0, flags [none], proto UDP (17), length 115)
    10.10.10.100.domain > 82.79.24.76.14761: [udp sum ok] 3532*- q: A? loool.ro. 1/1/2 loool.ro. [10h40m] A 86.34.156.51 ns: loool.ro. [10h40m] NS ns1.loool.ro. ar: ns1.loool.ro. [10h40m] A 86.34.156.51, . OPT UDPsize=4096 OK (87)
22:50:49.987990 IP (tos 0x0, ttl 64, id 35514, offset 0, flags [DF], proto UDP (17), length 72)
    10.10.10.100.52857 > 193.231.100.130.domain: [udp sum ok] 2042+ PTR? 38.124.41.103.in-addr.arpa. (44)

Best Answer

Your nameserver cannot be queried from the internet. The glue is present, but that doesn't help if replies cannot be received by your nameserver.

Here's the tail end of a +trace output similar to lVlint67's, but with the +additional flag set:

loool.ro.               86400   IN      NS      ns1.loool.ro.
ns1.loool.ro.           86400   IN      A       86.34.156.51
dig: couldn't get address for 'ns1.loool.ro': no more

The glue record is there, but something else is wrong. If I try to query that nameserver myself...

$ dig @86.34.156.51 loool.ro

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @86.34.156.51 loool.ro
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

The nameserver is unreachable, so the domain is dead to the internet. Additionally, you only have a single NS record defined. For proper resiliency, you need at least two nameservers that are located at different physical locations. The registrar's website really shouldn't have let you apply this configuration. :(

I also recommend reading "Should we host our own nameservers?".