I want to set up a local DNS server that hosts fld.example.com and forwards another zone through a per-zone forwarder.
BIND is running on CentOS 7, version BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7 (Extended Support Version). When I configure the forwarders inside the options {} block it works fine and I get responses.
named.conf
options {
listen-on port 53 { 192.0.2.2; };
forwarders { 198.51.100.2; };
...
};
# dig api.example.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> api.example.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4730
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 13, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;api.example.net. IN A
;; ANSWER SECTION:
api.example.net. 300 IN CNAME internal-dfer124543214erds32ewe3wd32erd23-1234556676.eu-west-1.elb.amazonaws.com.
internal-dfer124543214erds32ewe3wd32erd23-1234556676.eu-west-1.elb.amazonaws.com. 60 IN A 198.51.100.3
internal-dfer124543214erds32ewe3wd32erd23-1234556676.eu-west-1.elb.amazonaws.com. 60 IN A 198.51.100.4
internal-dfer124543214erds32ewe3wd32erd23-1234556676.eu-west-1.elb.amazonaws.com. 60 IN A 198.51.100.5
;; AUTHORITY SECTION:
. 34329 IN NS m.root-servers.net.
. 34329 IN NS c.root-servers.net.
. 34329 IN NS b.root-servers.net.
. 34329 IN NS j.root-servers.net.
. 34329 IN NS h.root-servers.net.
. 34329 IN NS g.root-servers.net.
. 34329 IN NS d.root-servers.net.
. 34329 IN NS k.root-servers.net.
. 34329 IN NS e.root-servers.net.
. 34329 IN NS l.root-servers.net.
. 34329 IN NS i.root-servers.net.
. 34329 IN NS f.root-servers.net.
. 34329 IN NS a.root-servers.net.
;; Query time: 91 msec
;; SERVER: 192.0.2.2#53(192.0.2.2)
;; WHEN: Tue Apr 28 22:32:53 CDT 2020
;; MSG SIZE rcvd: 397
As soon as I move the forwarder into a zone statement it no longer works as expected: the query returns SERVFAIL.
named.conf.local
# Per-zone forwarding for example.net. "forward only" means queries for this zone
# are sent to the listed forwarder and never fall back to iterative recursion, so
# if the forwarder does not answer the client receives SERVFAIL.
zone "example.net" {
type forward;
forward only;
forwarders { 198.51.100.2; }; # same forwarder as the global options {} block
};
# dig api.example.net
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> api.example.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17224
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;api.example.net. IN A
;; Query time: 4001 msec
;; SERVER: 192.0.2.2#53(192.0.2.2)
;; WHEN: Tue Apr 28 22:37:00 CDT 2020
;; MSG SIZE rcvd: 56
A tcpdump -i ens192 host 198.51.100.2 shows no traffic to the forwarder at all.
Querying a DNS record that doesn't exist, I get an immediate NXDOMAIN answer from the server being forwarded to:
# dig nonexistingdnsrecord.example.net
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> nonexistingdnsrecord.example.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34093
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
; nonexistingdnsrecord.example.net. IN A
;; AUTHORITY SECTION:
example.net. 891 IN SOA ns-0000.awsdns-53.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
;; Query time: 102 msec
;; SERVER: 192.0.2.2#53(192.0.2.2)
;; WHEN: Tue Apr 28 23:45:04 CDT 2020
;; MSG SIZE rcvd: 138
I have spent the whole night trying to figure this out and went through a couple of tutorials, but I can't get it working.
Please help me solve this issue.
Please see configs below:
named.conf:
options {
# Listen on a single address only; clients must be able to reach 192.0.2.2.
listen-on port 53 { 192.0.2.2; };
# Global forwarder. NOTE(review): this statement is missing its terminating ";"
# (compare the forwarders blocks in the zone statements). If this is the literal file,
# named-checkconf rejects it, and a failed "rndc reload" leaves the previously loaded
# configuration running — worth verifying before debugging the forward zone.
forwarders { 198.51.100.2; }
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
# Zone transfers are restricted to one host.
allow-transfer { 192.0.2.3; };
# Any source may query. No "recursion" or "allow-recursion" statement is set, so by
# BIND's defaults recursion is permitted to the same clients as allow-query: if
# 192.0.2.2 is reachable from untrusted networks this is an open recursive resolver.
# Restrict to the local networks (or add allow-recursion) unless a firewall already does.
allow-query { any; };
# Strips AAAA records from answers delivered over IPv4 transport.
filter-aaaa-on-v4 yes;
# Validation is disabled: answers from the forwarder are accepted unverified, so the
# trustworthiness of results rests entirely on the forwarder and the path to it.
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
# Debug channel: writes to data/named.run (relative to the "directory" option);
# "severity dynamic" follows the debug level set at runtime (e.g. via rndc trace).
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
# Root hints. Used only when named recurses iteratively itself, which the global
# forwarders bypass unless they fail (the default forward mode is "first").
zone "." IN {
type hint;
file "named.ca";
};
# Stock localhost/loopback zones shipped with the package.
include "/etc/named.rfc1912.zones";
# Root trust anchor; presumably unused while dnssec-validation is "no" — verify.
include "/etc/named.root.key";
# Site-local zones (see named.conf.local below).
include "/etc/named/named.conf.local";
named.conf.local
# Authoritative (primary) for the internal forward zone. No per-zone allow-transfer,
# so the global allow-transfer { 192.0.2.3; } from options {} applies.
zone "fld.example.com" {
type master;
file "/etc/named/zones/db.fld.example.com"; # zone file path
};
# Authoritative (primary) reverse zone for 192.0.2.0/24; inherits the global allow-transfer.
zone "2.0.192.in-addr.arpa" {
type master;
file "/etc/named/zones/db.192.0.2"; # 192.0.2.0/24 subnet
};
# Forward-only zone: queries for example.net go to the forwarder and never fall back to
# iterative recursion, so an unanswered forwarder yields SERVFAIL. The dig against this
# zone above returned SERVFAIL after ~4 s while the capture showed no packets to
# 198.51.100.2, which suggests named never sent the query rather than the forwarder
# failing to answer — confirm with the named log at debug level before changing anything.
zone "example.net" {
type forward;
forward only;
forwarders { 198.51.100.2; }; # same forwarder as the global options {} block
};
# Forward-only reverse zone for 198.51.100.0/24, sent to the same forwarder; no fallback
# to recursion if the forwarder does not answer.
zone "100.51.198.in-addr.arpa" {
type forward;
forward only;
forwarders { 198.51.100.2; };
};
Best Answer
Using forwarders only makes sense in the main config. A zone section is supposed to have a "masters {}" block only. Try that:
Update: