Bind9 – Get Dual NIC Machine to Answer DNS Queries

Tags: bind, domain-name-system, nameserver, nic

I have this problem:
My domain registrar is stubborn and requires me to have 2 nameservers.
So now I have done this:
Network Diagram

ns1.sebbe.biz –> 178.174.190.175

ns2.sebbe.biz –> 178.174.189.82

Port 53 TCP & UDP is correctly forwarded in both firewalls (DD-WRT and IpCop).

My bind9 config:

options {
    directory "/var/cache/bind";
    version "blaah";
    allow-recursion { "none"; };
    allow-transfer { "none"; };
    minimal-responses no;
};
zone "sebbe.biz" in {
    type master;
    file "/etc/bind/sebbe.biz";
};
include "/etc/bind/rndc.key";

My zonefile:

@  3600  IN      SOA ns1.sebbe.biz.     hostmaster.sebbe.biz. (
                          2012032801 ; serial
                          14400 ; refresh
                          3600 ; rtry
                          604800 ; expire
                          300 ; minimum
                         )
@                       IN      NS     ns1.sebbe.biz.
@                       IN      NS     ns2.sebbe.biz.
@                       IN      MX  10 www
www                     IN      A     178.174.190.175
*                       IN      A     178.174.190.175
@                       IN      A      178.174.190.175
ns1.sebbe.biz.          IN      A       178.174.190.175
ns2.sebbe.biz.          IN      A       178.174.189.82
@ IN TXT "v=spf1 ip4:178.174.190.175/32 -all"
@ IN SPF "v=spf1 ip4:178.174.190.175/32 -all"
@ IN TXT "v=spf2.0/mfrom ip4:178.174.190.175/32 -all"
@ IN SPF "v=spf2.0/mfrom ip4:178.174.190.175/32 -all"
@ IN TXT "v=spf2.0/pra ip4:178.174.190.175/32 -all"
@ IN SPF "v=spf2.0/pra ip4:178.174.190.175/32 -all"

My ifconfig:

root@kiosk-System-Product-Name:/etc/bind# ifconfig

eth0  Link encap:Ethernet  HWaddr 48:5b:39:d8:15:31
      inet addr:192.168.3.60  Bcast:192.168.3.255  Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:64624 errors:0 dropped:0 overruns:0 frame:0
      TX packets:32776 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:96825477 (96.8 MB)  TX bytes:2310930 (2.3 MB)
      Interrupt:43 Base address:0x6000

eth1  Link encap:Ethernet  HWaddr 00:02:44:92:bf:74
      inet addr:192.168.9.25  Bcast:192.168.9.255  Mask:255.255.255.0
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:12031 errors:0 dropped:0 overruns:0 frame:0
      TX packets:11600 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:7030333 (7.0 MB)  TX bytes:906563 (906.5 KB)
      Interrupt:20 Base address:0xe800

lo    Link encap:Local Loopback
      inet addr:127.0.0.1  Mask:255.0.0.0
      UP LOOPBACK RUNNING  MTU:16436  Metric:1
      RX packets:62 errors:0 dropped:0 overruns:0 frame:0
      TX packets:62 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:5512 (5.5 KB)  TX bytes:5512 (5.5 KB)

root@kiosk-System-Product-Name:/etc/bind#

TCPDUMP of eth0 while doing requests to both IPs:

root@kiosk-System-Product-Name:/etc/bind# tcpdump -i eth0 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:09:56.846168 IP 30.199.forpsi.net.58815 > kiosk-System-Product-Name.localdomain.domain: 61014+ SOA? sebbe.biz. (27)
06:09:56.846759 IP kiosk-System-Product-Name.localdomain.50877 > 192.168.3.1.domain: 39450+ PTR? 60.3.168.192.in-addr.arpa. (43)
06:09:56.846813 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.58815: 61014*- 1/2/2 SOA (142)
06:09:56.846941 IP 192.168.3.1.domain > kiosk-System-Product-Name.localdomain.50877: 39450* 1/0/0 PTR kiosk-System-Product-Name.localdomain. (94)
06:09:56.847097 IP kiosk-System-Product-Name.localdomain.50348 > 192.168.3.1.domain: 55190+ PTR? 30.199.2.81.in-addr.arpa. (42)
06:09:56.858596 IP 192.168.3.1.domain > kiosk-System-Product-Name.localdomain.50348: 55190 1/3/3 PTR 30.199.forpsi.net. (190)
06:09:56.858779 IP kiosk-System-Product-Name.localdomain.48673 > 192.168.3.1.domain: 47222+ PTR? 1.3.168.192.in-addr.arpa. (42)
06:09:56.870191 IP 192.168.3.1.domain > kiosk-System-Product-Name.localdomain.48673: 47222 NXDomain* 0/1/0 (109)
06:09:57.114948 IP 30.199.forpsi.net.44035 > kiosk-System-Product-Name.localdomain.domain: 61015+ NS? sebbe.biz. (27)
06:09:57.115111 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.44035: 61015*- 2/0/2 NS ns2.sebbe.biz., NS ns1.sebbe.biz. (95)
06:09:57.163437 IP 30.199.forpsi.net.33961 > kiosk-System-Product-Name.localdomain.domain: 61016+ MX? sebbe.biz. (27)
06:09:57.163564 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.33961: 61016*- 1/2/3 MX www.sebbe.biz. 10 (131)
06:09:57.238351 IP 30.199.forpsi.net.47308 > kiosk-System-Product-Name.localdomain.domain: 61019+ A? sebbe.biz. (27)
06:09:57.238462 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.47308: 61019*- 1/2/2 A 178.174.190.175 (111)
06:09:57.279265 IP 30.199.forpsi.net.60151 > kiosk-System-Product-Name.localdomain.domain: 61020+ A? www.sebbe.biz. (31)
06:09:57.279363 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.60151: 61020*- 1/2/2 A 178.174.190.175 (115)
06:09:57.321858 IP 30.199.forpsi.net.59707 > kiosk-System-Product-Name.localdomain.domain: 61021+ AAAA? sebbe.biz. (27)
06:09:57.321939 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.59707: 61021*- 0/1/0 (78)
06:09:57.362895 IP 30.199.forpsi.net.60240 > kiosk-System-Product-Name.localdomain.domain: 61022+ AAAA? www.sebbe.biz. (31)
06:09:57.362974 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.60240: 61022*- 0/1/0 (82)
06:09:57.408399 IP 30.199.forpsi.net.50003 > kiosk-System-Product-Name.localdomain.domain: 61023+ SRV? _sip._udp.sebbe.biz. (37)
06:09:57.408486 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.50003: 61023*- 0/1/0 (88)
06:09:57.453534 IP 30.199.forpsi.net.46485 > kiosk-System-Product-Name.localdomain.domain: 61024+ SRV? _sip._tcp.sebbe.biz. (37)
06:09:57.453632 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.46485: 61024*- 0/1/0 (88)
06:10:07.500479 IP 30.199.forpsi.net.44453 > kiosk-System-Product-Name.localdomain.domain: Flags [S], seq 3269309783, win 5840, options [mss 1460,sackOK,TS val 3223521876 ecr 0,nop,wscale 7], length 0
06:10:07.500510 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.44453: Flags [S.], seq 3006848287, ack 3269309784, win 14480, options [mss 1460,sackOK,TS val 1001267 ecr 3223521876,nop,wscale 4], length 0
06:10:07.539613 IP 30.199.forpsi.net.44453 > kiosk-System-Product-Name.localdomain.domain: Flags [.], ack 1, win 46, options [nop,nop,TS val 3223521915 ecr 1001267], length 0
06:10:07.539641 IP 30.199.forpsi.net.44453 > kiosk-System-Product-Name.localdomain.domain: Flags [P.], seq 1:3, ack 1, win 46, options [nop,nop,TS val 3223521915 ecr 1001267], length 2
06:10:07.539650 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.44453: Flags [.], ack 3, win 905, options [nop,nop,TS val 1001277 ecr 3223521915], length 0
06:10:07.578812 IP 30.199.forpsi.net.44453 > kiosk-System-Product-Name.localdomain.domain: Flags [P.], seq 3:30, ack 1, win 46, options [nop,nop,TS val 3223521954 ecr 1001277], length 27256 [b2&3=0x1] [0q] [1395au] (25)
06:10:07.578826 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.44453: Flags [.], ack 30, win 905, options [nop,nop,TS val 1001286 ecr 3223521954], length 0
06:10:07.579014 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.44453: Flags [P.], seq 1:30, ack 30, win 905, options [nop,nop,TS val 1001286 ecr 3223521954], length 2961026 Refused- 0/0/0 (27)
06:10:07.618044 IP 30.199.forpsi.net.44453 > kiosk-System-Product-Name.localdomain.domain: Flags [.], ack 30, win 46, options [nop,nop,TS val 3223521994 ecr 1001286], length 0
06:10:24.868163 IP kiosk-System-Product-Name.localdomain.35751 > 192.168.3.1.domain: 44923+ SRV? _sip._udp.sip.phonzo.com. (42)
06:10:24.879617 IP 192.168.3.1.domain > kiosk-System-Product-Name.localdomain.35751: 44923 1/2/1 SRV sip.phonzo.com.:5060 0 0 (142)
06:10:24.879800 IP kiosk-System-Product-Name.localdomain.47341 > 192.168.3.1.domain: 44628+ A? sip.phonzo.com. (32)
06:10:24.891270 IP 192.168.3.1.domain > kiosk-System-Product-Name.localdomain.47341: 44628 1/2/0 A 80.232.37.178 (98)
06:10:24.914381 IP kiosk-System-Product-Name.localdomain.57410 > 192.168.3.1.domain: 46929+ SRV? _sip._udp.sip.phonzo.com. (42)
06:10:24.925884 IP 192.168.3.1.domain > kiosk-System-Product-Name.localdomain.57410: 46929 1/2/1 SRV sip.phonzo.com.:5060 0 0 (142)
06:10:24.926063 IP kiosk-System-Product-Name.localdomain.42803 > 192.168.3.1.domain: 47340+ A? sip.phonzo.com. (32)
06:10:24.926170 IP 192.168.3.1.domain > kiosk-System-Product-Name.localdomain.42803: 47340 1/0/0 A 80.232.37.178 (48)
06:10:27.849179 IP 30.199.forpsi.net.33595 > kiosk-System-Product-Name.localdomain.domain: 61033 SPF? sebbe.biz. (27)
06:10:27.849381 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.33595: 61033*- 3/2/2 SPF, SPF, SPF (250)
06:10:27.896226 IP 30.199.forpsi.net.57884 > kiosk-System-Product-Name.localdomain.domain: 61034 TXT? sebbe.biz. (27)
06:10:27.896366 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.57884: 61034*- 3/2/2 TXT "v=spf2.0/mfrom ip4:178.174.190.175/32 -all", TXT "v=spf1 ip4:178.174.190.175/32 -all", TXT "v=spf2.0/pra ip4:178.174.190.175/32 -all" (250)
06:10:37.579182 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.44453: Flags [F.], seq 30, ack 30, win 905, options [nop,nop,TS val 1008786 ecr 3223521994], length 0
06:10:37.658311 IP 30.199.forpsi.net.44453 > kiosk-System-Product-Name.localdomain.domain: Flags [.], ack 31, win 46, options [nop,nop,TS val 3223552033 ecr 1008786], length 0
06:11:28.166651 IP 30.199.forpsi.net.44886 > kiosk-System-Product-Name.localdomain.domain: 61071 DNSKEY? sebbe.biz. (27)
06:11:28.166853 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.44886: 61071*- 0/1/0 (78)
06:11:28.319953 IP 30.199.forpsi.net.44453 > kiosk-System-Product-Name.localdomain.domain: Flags [F.], seq 30, ack 31, win 46, options [nop,nop,TS val 3223602694 ecr 1008786], length 0
06:11:28.319970 IP kiosk-System-Product-Name.localdomain.domain > 30.199.forpsi.net.44453: Flags [.], ack 31, win 905, options [nop,nop,TS val 1021472 ecr 3223602694], length 0
^C
51 packets captured
51 packets received by filter
0 packets dropped by kernel
root@kiosk-System-Product-Name:/etc/bind#

TCPDUMP of eth1 while doing requests to both IPs:

root@kiosk-System-Product-Name:/etc/bind# tcpdump -i eth1 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
06:04:59.839835 IP 30.199.forpsi.net.56611 > kiosk-System-Product-Name.local.domain: 57322+ SOA? sebbe.biz. (27)
06:05:02.840023 IP 30.199.forpsi.net.56611 > kiosk-System-Product-Name.local.domain: 57322+ SOA? sebbe.biz. (27)
06:05:08.840484 IP 30.199.forpsi.net.56611 > kiosk-System-Product-Name.local.domain: 57322+ SOA? sebbe.biz. (27)
06:05:21.377663 IP 30.199.forpsi.net.42103 > kiosk-System-Product-Name.local.domain: Flags [S], seq 2971973000, win 5840, options [mss 1460,sackOK,TS val 3223235757 ecr 0,nop,wscale 7], length 0
06:05:24.378549 IP 30.199.forpsi.net.42103 > kiosk-System-Product-Name.local.domain: Flags [S], seq 2971973000, win 5840, options [mss 1460,sackOK,TS val 3223238758 ecr 0,nop,wscale 7], length 0
06:05:30.378241 IP 30.199.forpsi.net.42103 > kiosk-System-Product-Name.local.domain: Flags [S], seq 2971973000, win 5840, options [mss 1460,sackOK,TS val 3223244758 ecr 0,nop,wscale 7], length 0
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
root@kiosk-System-Product-Name:/etc/bind#

Guess it should bind on both the 192.168.9.25 interface AND 192.168.3.60 interface?

The problem is that the 178.174.189.82 IP is not responding to DNS queries.
So why is the 178.174.189.82 IP not responding to any queries over port 53 on either TCP or UDP?
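The eth1 capture above shows queries and SYNs arriving with nothing going back. As an added example (not code from the question or the answer), this Python script pairs each DNS query and TCP SYN in tcpdump output with its reply and lists what went unanswered per interface, run over a constructed excerpt in the shape of the captures above.

```python
import re

# Constructed excerpt in the shape of the eth0/eth1 tcpdump output above
# (hostnames shortened); only client endpoint, DNS txid and TCP flags matter.
CAPTURES = {
    "eth0": """\
06:09:56.846168 IP 30.199.forpsi.net.58815 > kiosk.localdomain.domain: 61014+ SOA? sebbe.biz. (27)
06:09:56.846813 IP kiosk.localdomain.domain > 30.199.forpsi.net.58815: 61014*- 1/2/2 SOA (142)
06:10:07.500479 IP 30.199.forpsi.net.44453 > kiosk.localdomain.domain: Flags [S], seq 3269309783, length 0
06:10:07.500510 IP kiosk.localdomain.domain > 30.199.forpsi.net.44453: Flags [S.], seq 3006848287, ack 3269309784, length 0
""",
    "eth1": """\
06:04:59.839835 IP 30.199.forpsi.net.56611 > kiosk.local.domain: 57322+ SOA? sebbe.biz. (27)
06:05:02.840023 IP 30.199.forpsi.net.56611 > kiosk.local.domain: 57322+ SOA? sebbe.biz. (27)
06:05:08.840484 IP 30.199.forpsi.net.56611 > kiosk.local.domain: 57322+ SOA? sebbe.biz. (27)
06:05:21.377663 IP 30.199.forpsi.net.42103 > kiosk.local.domain: Flags [S], seq 2971973000, length 0
06:05:24.378549 IP 30.199.forpsi.net.42103 > kiosk.local.domain: Flags [S], seq 2971973000, length 0
06:05:30.378241 IP 30.199.forpsi.net.42103 > kiosk.local.domain: Flags [S], seq 2971973000, length 0
""",
}

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")
UDP_QUERY = re.compile(r"^(\d+)\+? [A-Z0-9]+\? ")   # e.g. "61014+ SOA? sebbe.biz."
UDP_REPLY = re.compile(r"^(\d+)[*\-]* ")            # e.g. "61014*- 1/2/2 SOA"


def unanswered(capture: str) -> dict:
    """Return DNS queries (client endpoint + txid) and TCP SYNs (client endpoint) that got no reply."""
    queries, replies, syns, synacks = {}, set(), {}, set()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, dst, rest = m.groups()
        if "Flags [" in rest:                       # TCP segment: SYN from client, SYN-ACK back
            flags = rest.split("Flags [", 1)[1].split("]", 1)[0]
            if flags == "S":
                syns[src] = syns.get(src, 0) + 1
            elif flags == "S.":
                synacks.add(dst)
        elif (q := UDP_QUERY.match(rest)):          # UDP query: keyed on the client side
            queries[(src, q.group(1))] = queries.get((src, q.group(1)), 0) + 1
        elif (r := UDP_REPLY.match(rest)):          # UDP reply: the client is the destination
            replies.add((dst, r.group(1)))
    return {
        "udp": sorted(f"{ep} txid={tx} sent={n}" for (ep, tx), n in queries.items()
                      if (ep, tx) not in replies),
        "tcp": sorted(f"{ep} sent={n}" for ep, n in syns.items() if ep not in synacks),
    }
```

An empty result for eth0 alongside every eth1 query and SYN retried three times with no reply is the pattern the answer below explains: the replies are not leaving through the interface the request came in on.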

Best Answer

I assume that eth0 is the default route for the machine, in which case I would expect the responses for requests coming in on eth1 to go out eth0. If that is the case, you need to configure source routing so that the responses go out eth1:

# Label a new routing table (table id 10, named eth1)
echo "10 eth1" >> /etc/iproute2/rt_tables
# Add a default route to the eth1 routing table (192.168.9.1 assumed to be the gateway on the eth1 side)
ip route add default via 192.168.9.1 dev eth1 table eth1
# Send packets with a source IP of .25 to the eth1 routing table
ip rule add from 192.168.9.25 table eth1

This assumes that bind actually sets the source IP in the response packets. If it doesn't, try specifying both IPs in named.conf with the listen-on option. If that still doesn't work, I think your only option is to run two instances of bind, one for each IP.
