Bind9 timeout from LAN, server listening on port 53

bind, linux-networking, ubuntu-16.04

I have a very weird situation with Bind9 on Ubuntu Xenial. The server is listening on port 53 (tested with portqry from the Windows boxen that are trying to use it as a local DNS server), but it's timing out on requests like:

> dig @192.168.1.6 YYY +search

; <<>> DiG 9.11.0-P3 <<>> @192.168.1.6 YYY +search
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Search-domain is set properly on Windows (ISC DHCP makes sure of that). However, as I said, portqry probing port 53 says it's listening.

> portqry -n 192.168.1.6 -o 53

Querying target system called:

192.168.1.6

Attempting to resolve IP address to a name...

Failed to resolve IP address to name

querying...

TCP port 53 (domain service): LISTENING

Oddly still, the server responds to queries on localhost (from the server itself):

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.1.6 YYY +search
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23454
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;YYY.mydomain.tld.      IN      A

;; ANSWER SECTION:
YYY.mydomain.tld. 3600  IN      A       192.168.1.11

;; AUTHORITY SECTION:
mydomain.tld.    3600    IN      NS      DNS-SERVER.mydomain.tld.

;; ADDITIONAL SECTION:
DNS-SERVER.mydomain.tld. 3600  IN      A       192.168.1.6

;; Query time: 0 msec
;; SERVER: 192.168.1.6#53(192.168.1.6)
;; WHEN: Thu Feb 23 03:59:37 CST 2017
;; MSG SIZE  rcvd: 104

Netstat claims named is listening on all the usual ports/addresses:

~# netstat -tanpl | grep named
tcp        0      0 10.8.0.1:53             0.0.0.0:*               LISTEN      4074/named
tcp        0      0 192.168.1.6:53          0.0.0.0:*               LISTEN      4074/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      4074/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      4074/named

Any ideas?

Edit: by popular request, here is the /etc/bind/named.conf.options:

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below.  Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    // query-source address * port 53;

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //      0.0.0.0;
    // };
    query-source address * port 53;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { none; };
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    forward first;
};

Best Answer

OK, so thanks to jscott and stoned. For posterity, if anyone else needs to troubleshoot a situation like this, here are the proposed steps:

  1. Make sure you've opened port 53 on both TCP and UDP. Port scanning UDP ports is tricky, so make doubleplus sure that UDP 53 shall, indeed, pass.
  2. You should have allow-query { any; }; in the global section of your named configuration file (/etc/bind/named.conf.options on Debian/Ubuntu).
  3. Check your config syntax. On systemd machines you can use systemctl status bind9 and, depending on how logging of bind is set up, journalctl -xe -u bind9 to see if the daemon started.
  4. Test resolving from both the bind host and multiple machines.
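As an added example (not part of the original answer), a bash script that automates steps 1 to 3 against a configured server: the server address, the query name and the /etc/bind paths are the post's placeholders, and the sample options block inside it is constructed to match the posted one.

```shell
#!/usr/bin/env bash
# Added checker for steps 1-3 above (not part of the original post). Assumes
# bash, dig, named-checkconf and the Debian/Ubuntu layout under /etc/bind.
# Step 2: print the global allow-query ACL from the options file on stdin,
# or "missing" when none is set. // and # comments are stripped first.
allow_query_setting() {
    local found
    found=$(sed 's://.*$::; s:#.*$::' | tr '\n' ' ' \
            | grep -o 'allow-query[[:space:]]*{[^}]*}' | head -n1)
    printf '%s\n' "${found:-missing}"
}

# Constructed sample in the shape of the posted options block (no allow-query).
sample_options() {
    cat <<'EOF'
options {
    directory "/var/cache/bind";
    auth-nxdomain no;    # conform to RFC1035
    forwarders { 8.8.8.8; 8.8.4.4; }; // forward first
};
EOF
}

# Step 1: the same query over UDP, then TCP. UDP timing out while TCP answers
# points at a firewall passing only TCP 53, which is all portqry -o 53 tests.
probe_transports() {
    local server="$1" name="$2" proto opt rc
    for proto in udp tcp; do
        [ "$proto" = tcp ] && opt=+tcp || opt=+notcp
        rc=0; dig "@$server" "$name" A "$opt" +time=2 +tries=1 +short >/dev/null 2>&1 || rc=$?
        case $rc in                      # dig exits 9 when no server replied
            0) echo "$proto 53: answered" ;;
            9) echo "$proto 53: timed out (no reply)" ;;
            *) echo "$proto 53: dig exit $rc" ;;
        esac
    done
}

# Step 3: config syntax, then service state with recent log lines on failure.
check_service() {
    named-checkconf /etc/bind/named.conf && echo "named.conf: syntax OK"
    systemctl is-active bind9 || journalctl -u bind9 -n 20 --no-pager
}
# Usage: ./check_bind.sh 192.168.1.6 YYY.mydomain.tld  (placeholders from the post)
if [ "$#" -eq 2 ]; then
    echo "allow-query: $(allow_query_setting < /etc/bind/named.conf.options)"
    probe_transports "$1" "$2"
    check_service
fi
```

The allow-query check reads its file from stdin, so it can also be pointed at a copied config. Since the netstat output shows named also listening on 10.8.0.1, an ACL of the LAN prefixes is a safer value than { any; } for a host with interfaces beyond the LAN, with allow-recursion restricted the same way so the 8.8.8.8 forwarding is not offered to arbitrary clients.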