Bind forwarder not working as expected

bindcentos7domain-name-system

I want to setup a local DNS Server which hosts fld.example.com with a forwarder based on a zone.
Bind is running on CentOS7 with BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7 (Extended Support Versiion). When I set up the resolvers within the options {} block it works fine and I get responses.

named.conf

options {
   listen-on port 53 { 192.0.2.2; };
   forwarders      { 198.51.100.2; };
   ...
};

# dig api.example.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> api.example.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4730
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;api.example.net.   IN      A

;; ANSWER SECTION:
api.example.net. 300 IN     CNAME   internal-dfer124543214erds32ewe3wd32erd23-1234556676.eu-west-1.elb.amazonaws.com.
internal-dfer124543214erds32ewe3wd32erd23-1234556676.eu-west-1.elb.amazonaws.com. 60 IN A 198.51.100.3
internal-dfer124543214erds32ewe3wd32erd23-1234556676.eu-west-1.elb.amazonaws.com. 60 IN A 198.51.100.4
internal-dfer124543214erds32ewe3wd32erd23-1234556676.eu-west-1.elb.amazonaws.com. 60 IN A 198.51.100.5

;; AUTHORITY SECTION:
.                       34329   IN      NS      m.root-servers.net.
.                       34329   IN      NS      c.root-servers.net.
.                       34329   IN      NS      b.root-servers.net.
.                       34329   IN      NS      j.root-servers.net.
.                       34329   IN      NS      h.root-servers.net.
.                       34329   IN      NS      g.root-servers.net.
.                       34329   IN      NS      d.root-servers.net.
.                       34329   IN      NS      k.root-servers.net.
.                       34329   IN      NS      e.root-servers.net.
.                       34329   IN      NS      l.root-servers.net.
.                       34329   IN      NS      i.root-servers.net.
.                       34329   IN      NS      f.root-servers.net.
.                       34329   IN      NS      a.root-servers.net.

;; Query time: 91 msec
;; SERVER: 192.0.2.2#53(192.0.2.2)
;; WHEN: Tue Apr 28 22:32:53 CDT 2020
;; MSG SIZE  rcvd: 397

As soon as I move the forwarder to a zone it doesn't work as expected. It returns SERVFAIL.

named.conf.local

zone "example.net" {
    type forward;
    forward only;
    forwarders { 198.51.100.2; };
};

# dig api.example.net

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> api.example.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17224
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;api.example.net.   IN      A

;; Query time: 4001 msec
;; SERVER: 192.0.2.2#53(192.0.2.2)
;; WHEN: Tue Apr 28 22:37:00 CDT 2020
;; MSG SIZE  rcvd: 56

A tcpdump -I ens192 host 198.51.100.2 doesn't show any traffic at all.

Trying a dns record which doesn't exist I get an immediate NXDOMAIN answer from the server being forwarded to:

# dig nonexistingdnsrecord.example.net

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> nonexistingdnsrecord.example.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34093
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
; nonexistingdnsrecord.example.net.   IN      A

;; AUTHORITY SECTION:
example.net. 891     IN      SOA     ns-0000.awsdns-53.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 102 msec
;; SERVER: 192.0.2.2#53(192.0.2.2)
;; WHEN: Tue Apr 28 23:45:04 CDT 2020
;; MSG SIZE  rcvd: 138

I have spent the whole night trying to figure this out and went through a couple of tutorials but I don't get it working.
Please help me solving this issue.

Please see configs below:

named.conf:

    options {
        listen-on port 53 { 192.0.2.2; };
        forwarders      { 198.51.100.2; }
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";

        allow-transfer  { 192.0.2.3; };
        allow-query     { any; };

        filter-aaaa-on-v4 yes;
        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
            file "data/named.run";
            severity dynamic;
    };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

include "/etc/named/named.conf.local";

named.conf.local

zone "fld.example.com" {
    type master;
    file "/etc/named/zones/db.fld.example.com"; # zone file path
};


zone "2.0.192.in-addr.arpa" {
    type master;
    file "/etc/named/zones/db.192.0.2";  # 192.0.2.0/24 subnet
    };

zone "example.net" {
    type forward;
    forward only;
    forwarders { 198.51.100.2; };
};

zone "100.51.198.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 198.51.100.2; };
};

Best Answer

Using forwarders only makes sense in main config. A zone section is supposed to have "masters {}" block only. Try that:

Update:

zone ... {
    type forward;
    forward only;
    masters {
       198.51.100.2;
    };
};
Related Topic