Bind9 Caching/Forwarder/Resolver Function Not Working

Tags: bind, domain-name-system

I have installed bind9 on Ubuntu 14.04. It can resolve the local domain but is unable to resolve internet domains such as google.com, facebook.com, etc.

I have struggled looking for a solution for over 2 days, but no luck. Please help me resolve this issue.

The configuration reference is https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-caching-or-forwarding-dns-server-on-ubuntu-14-04 and also a local book I bought, but neither works.

The firewall on this machine is still turned off and I have port-forwarded port 53 to this machine.

Here is the configuration of my machine.
Forward record:

$TTL    604800
@   IN  SOA ns.test.id. anggra.test.id. (   ; RNAME mailbox: the "@" is written as "."
                  2     ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
;
@   IN  NS  ns.test.id.
@   IN  MX  10  mail
@   IN  A   10.0.0.2
ns  IN  A   10.0.0.2
mail    IN  A   10.0.0.2

Reverse record:

$TTL    604800
@   IN  SOA ns.test.id. anggra.test.id. (   ; RNAME mailbox: the "@" is written as "."
                  1     ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
;
@   IN  NS  ns.test.id.        ; fully qualified, as in the forward zone
2   IN  PTR ns.test.id.        ; last octet of 10.0.0.2, matching the A records above
2   IN  PTR mail.test.id.

named.conf.local:

//
// Do any local configuration here
//

zone "test.id" {
    type master;
    file "/etc/bind/db.test.id";
};

zone "0.0.10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.10";
};

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

named.conf.options:

acl trusted {
    127.0.0.0/8;
    10.0.0.0/24;
};

options {
    //listen-on port 53 {trusted;};
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.

    //forwarders {
    //  8.8.8.8;
    //  8.8.4.4;
    //};

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };

    // Allow recursion request
    recursion yes;
    allow-query {trusted;};
};

Ping & dig test:

anggra@mail:/etc/bind$ dig google.co.id

; <<>> DiG 9.9.5-3ubuntu0.14-Ubuntu <<>> google.co.id
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27793
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.co.id.          IN  A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 26 08:32:15 WIB 2017
;; MSG SIZE  rcvd: 41

anggra@mail:/etc/bind$ ping google.co.id
ping: unknown host google.co.id

/etc/resolv.conf:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.0.1
search test.id

Best Answer

In order to use recursion, you must either have root hints or forwarders configured.

  • For root hints, add a zone for . (you can copy a fresh root server file from ICANN):

    zone "." in {
      type hint;
      file "root.servers";
    };
    
  • For forwarders, place your ISP's nameservers in named.conf:

    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    

As this seems to be a small local network, you should use forwarders instead of root name servers. Your ISP's DNS servers are closer to you and they have probably already cached most common requests. Using forwarders also decreases the number of queries on root and authoritative name servers, and if you are using a firewall, you can limit opening port 53 to just these IP addresses.

(Also, I don't see any $ORIGIN directives in your zones, but you have probably just sanitized them.)
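As an added example (not part of the question or the answer, and not BIND's own tooling), the following Python script applies the answer's rule mechanically: it strips named.conf comments, then reports when recursion is on but neither an active forwarders block nor a root-hint zone exists, which is the condition behind the SERVFAIL in the dig output above. The sample configurations are constructed from the question's named.conf.options; the "fixed" variant uncomments the forwarders block, the "hints" variant adds the answer's zone ".", and the "open" variant shows the additional check a port-53 forward from the internet calls for: a recursive server that answers "any" client is an open resolver. Use named-checkconf for real syntax validation; this script only inspects the handful of options involved.

```python
"""Lint a BIND named.conf for the failure mode in the question.

Added example, not BIND tooling: strip comments, then check whether recursion
is enabled without any active upstream (forwarders or a root-hint zone), and
whether recursion is reachable from 'any' address.
"""
import re

# Constructed sample: the relevant lines of the question's named.conf.options,
# with the forwarders block still commented out, exactly as posted.
BROKEN_CONF = """
acl trusted { 127.0.0.0/8; 10.0.0.0/24; };
options {
    directory "/var/cache/bind";
    //forwarders {
    //  8.8.8.8;
    //  8.8.4.4;
    //};
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    recursion yes;
    allow-query {trusted;};
};
"""

# The answer's fix: the same file with the forwarders block uncommented.
FIXED_CONF = (BROKEN_CONF.replace("//forwarders {", "forwarders {")
                         .replace("//  8.8", "    8.8")
                         .replace("//};", "};"))

# The answer's other option: a root-hint zone (file name taken from the answer).
HINTS_CONF = BROKEN_CONF + 'zone "." in {\n    type hint;\n    file "root.servers";\n};\n'

# A working resolver that has also been opened to everyone: an open resolver.
OPEN_CONF = FIXED_CONF.replace("allow-query {trusted;};", "allow-query { any; };")

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def strip_comments(conf):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def recursion_enabled(conf):
    """BIND defaults to 'recursion yes' when the option is absent."""
    m = re.search(r"\brecursion\s+(yes|no)\s*;", strip_comments(conf))
    return m is None or m.group(1) == "yes"


def forwarders(conf):
    """IPv4 addresses inside an active (uncommented) forwarders block."""
    m = re.search(r"\bforwarders\s*\{([^}]*)\}", strip_comments(conf))
    return IPV4.findall(m.group(1)) if m else []


def has_root_hints(conf):
    """True when a zone "." of type hint is configured."""
    pat = r'zone\s+"\."\s+(?:in\s+)?\{[^}]*\btype\s+hint\s*;'
    return re.search(pat, strip_comments(conf), re.I) is not None


def recursion_open_to_any(conf):
    """Who may recurse: allow-recursion, else allow-query-cache, else
    allow-query, else BIND's built-in default of localhost/localnets (not open)."""
    clean = strip_comments(conf)
    for opt in ("allow-recursion", "allow-query-cache", "allow-query"):
        m = re.search(r"\b" + opt + r"\s*\{([^}]*)\}", clean)
        if m:
            return re.search(r"\bany\b", m.group(1)) is not None
    return False


def lint(conf):
    """Return a list of findings; an empty list means the resolver can work."""
    findings = []
    if recursion_enabled(conf):
        if not forwarders(conf) and not has_root_hints(conf):
            findings.append("recursion is on but no forwarders and no root-hint zone "
                            "are active: queries for external names will SERVFAIL")
        if recursion_open_to_any(conf):
            findings.append("recursion is allowed from any address: reachable on port 53 "
                            "from the internet this is an open resolver; restrict "
                            "allow-recursion to the trusted ACL")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF),
                       ("hints", HINTS_CONF), ("open", OPEN_CONF)):
        print(name, lint(conf) or "ok")
```

The comment stripping matters: the question's forwarders block is present in the file but commented out with `//`, so a naive grep for "forwarders" would wrongly report it as configured. Keeping `allow-query {trusted;}` (or better, an explicit `allow-recursion { trusted; };`) is what stops the server from becoming an open resolver once forwarders are enabled and port 53 is forwarded in.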