I have a very wierd situation with Bind9 on Ubuntu Xenial. The server is listening on port 53 (tested with portqry
from windows boxen that are trying to use it as a local DNS server) but it's timing out on requests like:
> dig @192.168.1.6 YYY +search
; <<>> DiG 9.11.0-P3 <<>> @192.168.1.6 YYY +search
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
Search-domain is set properly on windwos (ISC DHCP makes sure of that). However, as I said, portqry
probing port 53 says it's listening.
> portqry -n 192.168.1.6 -o 53
Querying target system called:
192.168.1.6
Attempting to resolve IP address to a name...
Failed to resolve IP address to name
querying...
TCP port 53 (domain service): LISTENING
Oddly still, server responds to queries on local host (from the server itself):
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.1.6 YYY +search
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23454
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;YYY.mydomain.tld. IN A
;; ANSWER SECTION:
YYY.mydomain.tld. 3600 IN A 192.168.1.11
;; AUTHORITY SECTION:
mydomain.tld. 3600 IN NS DNS-SERVER.mydomain.tld.
;; ADDITIONAL SECTION:
DNS-SERVER.mydomain.tld. 3600 IN A 192.168.1.6
;; Query time: 0 msec
;; SERVER: 192.168.1.6#53(192.168.1.6)
;; WHEN: Thu Feb 23 03:59:37 CST 2017
;; MSG SIZE rcvd: 104
Netstat claims named
is listening on all the usual ports/adresses:
~# netstat -tanpl | grep named
tcp 0 0 10.8.0.1:53 0.0.0.0:* LISTEN 4074/named
tcp 0 0 192.168.1.6:53 0.0.0.0:* LISTEN 4074/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 4074/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 4074/named
Any ideas?
Edit: by popular request here is the /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
// query-source address * port 53;
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
query-source address * port 53;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
forwarders {
8.8.8.8;
8.8.4.4;
};
forward first;
};
Best Answer
Ok, so thanks to jscott and stoned, for posterity, if anyone else needs to troubleshoot situation like this here are proposed steps:
allow-query { any; };
in global section of your named configuration file (/etc/bind/named.conf.options
on Debian/Ubuntu)systemd
machines you can usesystemctl status bind9
and, depending on how logging of bind is setup,journalctl -xe -u bind9
to see if the daemnon started.