Is there any way to understand what my Bind9 server is doing step-by-step?
Currently I am struggling with a problem that requests are refused and dig tells that recursion requested but not available. However the recursion should not be involved at all as this should be the authorative server.
What should I do to understand where it all goes wrong?
Here is the response for dig @127.0.0.1 client.example.com:
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.0.1 client.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55821
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;client.example.com. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 31 01:09:08 EET 2017
;; MSG SIZE rcvd: 54
I tried debugging with a verbose mode (this is a request issued from another machine) and here is what I got:
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921: UDP request
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921: request is not signed
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921: recursion not available
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921: query
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): query (cache) 'client.example.com/A/IN' denied
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): query failed (REFUSED) for client.example.com/IN/A at ../../../bin/named/query.c:6475
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): error
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): send
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): sendto
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): senddone
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): next
31-Oct-2017 00:48:04.363 client 198.51.100.2#54921 (client.example.com): endrequest
31-Oct-2017 00:48:04.363 client @0x123456789abcdef: udprecv
Unfourtunately, I couldn't understand how it got to needing recursion in this case.
If anyone can help me with manual debugging, here is how my server is set up.
named.conf:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
named.conf.options:
options {
directory "/var/cache/bind";
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on port 53 { any; };
recursion no;
allow-transfer { localhost; };
allow-query-cache { none; };
allow-query { any; };
};
named.conf.local:
zone "example.com" {
type master;
file "/etc/bind/zones/example.com";
};
zones/example.com:
$TTL 300
@ IN SOA ns.example.com. admin.example.com (
4 ; Serial
300 ; Refresh
300 ; Retry
2419200 ; Expire
300 ) ; Negative Cache TTL
@ IN NS ns.example.com.
ns IN A 192.0.2.1
@ IN A 192.0.2.1
www IN A 192.0.2.1
client IN A 192.0.2.1
@ IN MX 50 mx.example.net.
@ IN MX 100 mx2.example.net.
The file named.conf.default-zones was left as installed by default as well as the files of the default zones.
I am using BIND 9.10.3-P4-Ubuntu.
Best Answer
Starting BIND with
-d 1will enable debugging. Depending on your OS/Distro you may need to look for how to set startup command line arguments. You can increase the value if you need more information.If you want more guidance you should probably post your config files in your question, redacting secrets and replacing your names with examples. It is likely something that could be identified here by others looking at your setup.
Update 1:
I think the error might be that named cannot read the zone file, so it is ignoring the zone entirely, leaving it thinking that it should ask elsewhere but cannot because recursion is disabled. Look at the log file back to when named started and see if that has any hint as to what is happening.